From admin at billdrawer.com Sat Mar 1 10:58:16 2014
From: admin at billdrawer.com (BillDrawer Administrator)
Date: Sat, 1 Mar 2014 16:58:16 +0100 (CET)
Subject: [keycloak-user] Openshift installation
Message-ID: <150573500.15826.1393689496525.open-xchange@app1.ox.registrar-servers.com>

Hi everybody,
I'm trying to install keycloak on openshift but there is some problem:

> The cartridge
> 'https://raw.github.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml'
> will be downloaded and installed
>
> Application Options
> -------------------
> Domain:     billdrawer
> Cartridges: https://raw.github.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml
> Gear Size:  default
> Scaling:    no
>
> Creating application 'keycloak' ... Server returned an unexpected error code: 504

I'm developing a project called BillDrawer and I'm going to develop a distributed architecture http://www.asciiflow.com/#Draw1257757860375711949
I just developed the core modules with ApacheShiro https://shiro.apache.org/ and PAC4J https://github.com/bujiio/buji-pac4j as security stack.
I would be glad to adopt Keycloak even if it is in alpha stage and contribute as a case study, but I would like to understand:
1- do I need Shiro or PAC4J with Keycloak?
2- is there a public roadmap to evaluate if it can match my schedules and requirements?

Best regards,
Davide!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140301/43c89bd0/attachment.html

From admin at billdrawer.com Sat Mar 1 10:59:39 2014
From: admin at billdrawer.com (BillDrawer Administrator)
Date: Sat, 1 Mar 2014 16:59:39 +0100 (CET)
Subject: [keycloak-user] Openshift installation
Message-ID: <830468032.15832.1393689579429.open-xchange@app1.ox.registrar-servers.com>

Hi everybody,
I'm trying to install keycloak on openshift but the server returned an unexpected error, as follows:

> The cartridge
> 'https://raw.github.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml'
> will be downloaded and installed
>
> Application Options
> -------------------
> Domain:     billdrawer
> Cartridges: https://raw.github.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml
> Gear Size:  default
> Scaling:    no
>
> Creating application 'keycloak' ... Server returned an unexpected error code: 504

I'm developing a project called BillDrawer and I'm going to develop a distributed architecture, to give you an idea http://www.asciiflow.com/#Draw1257757860375711949.
I just developed the core module of my project but the security is my first concern so now I was using ApacheShiro https://shiro.apache.org/ and PAC4J https://github.com/bujiio/buji-pac4j when I discovered Keycloak.

I would be glad to adopt Keycloak even if it is in alpha stage and contribute as a case study.
To evaluate the adoption I would like to understand:

1- Do I need Shiro or PAC4J with Keycloak?
2- Is there a public roadmap

Best regards,
Davide Ungari
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140301/19712f98/attachment.html

From bburke at redhat.com Sat Mar 1 11:11:21 2014
From: bburke at redhat.com (Bill Burke)
Date: Sat, 01 Mar 2014 11:11:21 -0500
Subject: [keycloak-user] Multi Tenancy
In-Reply-To:
References: <5309F2B9.5090208@redhat.com> <5309F51F.7020102@redhat.com> <530BF271.5030503@redhat.com> <530CC069.3020104@redhat.com> <530DF079.1080701@redhat.com> <53109817.5040306@redhat.com>
Message-ID: <531206A9.90605@redhat.com>

I'll work on refactoring the adapters next week to help support this.
Maybe if I get things cleaned up enough and provide some bare bones support for multi-tenancy you could take it over to help drive for your requirements?

On 2/28/2014 3:57 PM, Travis De Silva wrote:
>
> On Sat, Mar 1, 2014 at 1:07 AM, Bill Burke wrote:
>>
>> On 2/27/2014 11:31 PM, Travis De Silva wrote:
>>>
>>> As per your future plans, if we can get a stateless keycloak co-location option and also enable external config in a DB when you refactor the adapter code, that should cover the needs of most developers who want to go beyond the out of the box solutions.
>>>
>>> BTW, I hope with the above changes it would be possible to associate one war with multiple realms and this is not a core keycloak structure design issue.
>>
>> How soon you need this by? Yesterday? ;)
>
> In our project, I was going to build the security model with social login and was on the verge of using an open source social login library to start building it when like god sent the keycloak project appeared :) So I am not the one to demand and happy with the little miracles that come my way.
> Having said that, yesterday would be great :) But seriously if your Jira roadmap is sort of an indicator and beta 1 would be released end of March, that timeframe is fine for us :)
>
>> Like I said earlier, I don't think colocation is necessarily a requirement if we a) provided an option for public clients (don't require a client secret) or b) you had a shared secret between clients for all realms. The adapter would just extract the realm name from the request, invoke on the keycloak server to get the public information about the realm (i.e. public key), then cache this information locally.
>
> I guess a shared secret would do. Just wondering why we can't use the keycloak-admin realm as the top level realm and use its secret to get the realm info to be cached locally and from that point onwards, it falls into the current keycloak flow.
>
> I am assuming that the individual keycloak realm admins (as per the change done by Stian on KEYCLOAK-292) will not be able to view the keycloak-admin realm info.
>>
>> Bill
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Sat Mar 1 11:10:11 2014
From: bburke at redhat.com (Bill Burke)
Date: Sat, 01 Mar 2014 11:10:11 -0500
Subject: [keycloak-user] Openshift installation
In-Reply-To: <830468032.15832.1393689579429.open-xchange@app1.ox.registrar-servers.com>
References: <830468032.15832.1393689579429.open-xchange@app1.ox.registrar-servers.com>
Message-ID: <53120663.9090202@redhat.com>

On 3/1/2014 10:59 AM, BillDrawer Administrator wrote:
> Hi everybody,
> I'm trying to install keycloak on openshift but the server returned an unexpected error, as follows:
>
>> The cartridge
>> 'https://raw.github.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml'
>> will be downloaded and installed
>>
>> Application Options
>> -------------------
>> Domain:     billdrawer
>> Cartridges: https://raw.github.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml
>> Gear Size:  default
>> Scaling:    no
>>
>> Creating application 'keycloak' ... Server returned an unexpected error code: 504
>>
> I'm developing a project called BillDrawer and I'm going to develop a distributed architecture, to give you an idea http://www.asciiflow.com/#Draw1257757860375711949.
> I just developed the core module of my project but the security is my first concern so now I was using ApacheShiro https://shiro.apache.org/ and PAC4J https://github.com/bujiio/buji-pac4j when I discovered Keycloak.
>
> I would be glad to adopt Keycloak even if it is in alpha stage and contribute as a case study.
> To evaluate the adoption I would like to understand:
>
> 1- Do I need Shiro or PAC4J with Keycloak?

Haven't heard of either of these frameworks. Looks like "no" for Shiro, maybe for PAC4j. Keycloak alpha2 is an extension of OAuth 2.0, specifically the access token format.
We support auth code flow with confidential clients only at the moment. The token grant request also doesn't follow OAuth 2.0 confidential client authentication.

BUT... Starting with Alpha 3 (probable release before March 14th), we're shooting for minimal required Open ID Connect compliance. FYI, Open ID Connect is a derivative of OAuth 2.0 as well, so any OAuth 2.0 client adapter should work starting with Alpha 3.

What servlet/HTTP container are you deploying to?

> 2- Is there a public roadmap
>

https://issues.jboss.org/browse/KEYCLOAK

It's a bit out of sync at the moment with our up-to-date plans, but we have a pretty aggressive schedule and are willing to accommodate as many user requirements as we can.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From davide at billdrawer.com Sat Mar 1 12:50:44 2014
From: davide at billdrawer.com (Davide Ungari)
Date: Sat, 1 Mar 2014 12:50:44 -0500 (EST)
Subject: [keycloak-user] Openshift installation
Message-ID: <1983735870.19288.1393696244492.open-xchange@app1.ox.registrar-servers.com>

Hi Bill,
thanks for your answers.

> What servlet/HTTP container are you deploying to?

The frontend application is running on Tomcat and I was trying to deploy Keycloak using https://github.com/keycloak/openshift-keycloak-cartridge

Davide Ungari, Founder
www.billdrawer.com | davide at billdrawer.com
Milan, IT

From traviskds at gmail.com Sun Mar 2 05:05:14 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Sun, 2 Mar 2014 21:05:14 +1100
Subject: [keycloak-user] Multi Tenancy
In-Reply-To: <531206A9.90605@redhat.com>
References: <5309F2B9.5090208@redhat.com> <5309F51F.7020102@redhat.com> <530BF271.5030503@redhat.com> <530CC069.3020104@redhat.com> <530DF079.1080701@redhat.com> <53109817.5040306@redhat.com> <531206A9.90605@redhat.com>
Message-ID:

yes that sounds great. Thanks Bill

On Sun, Mar 2, 2014 at 3:11 AM, Bill Burke wrote:
> I'll work on refactoring the adapters next week to help support this.
> Maybe if I get things cleaned up enough and provide some bare bones support for multi-tenancy you could take it over to help drive for your requirements?
>
>
> On 2/28/2014 3:57 PM, Travis De Silva wrote:
>>
>> On Sat, Mar 1, 2014 at 1:07 AM, Bill Burke wrote:
>>>
>>> On 2/27/2014 11:31 PM, Travis De Silva wrote:
>>>>
>>>> As per your future plans, if we can get a stateless keycloak co-location option and also enable external config in a DB when you refactor the adapter code, that should cover the needs of most developers who want to go beyond the out of the box solutions.
>>>>
>>>> BTW, I hope with the above changes it would be possible to associate one war with multiple realms and this is not a core keycloak structure design issue.
>>>
>>> How soon you need this by? Yesterday? ;)
>>
>> In our project, I was going to build the security model with social login and was on the verge of using an open source social login library to start building it when like god sent the keycloak project appeared :) So I am not the one to demand and happy with the little miracles that come my way. Having said that, yesterday would be great :) But seriously if your Jira roadmap is sort of an indicator and beta 1 would be released end of March, that timeframe is fine for us :)
>>
>>> Like I said earlier, I don't think colocation is necessarily a requirement if we a) provided an option for public clients (don't require a client secret) or b) you had a shared secret between clients for all realms. The adapter would just extract the realm name from the request, invoke on the keycloak server to get the public information about the realm (i.e. public key), then cache this information locally.
>>
>> I guess a shared secret would do. Just wondering why we can't use the keycloak-admin realm as the top level realm and use its secret to get the realm info to be cached locally and from that point onwards, it falls into the current keycloak flow.
>>
>> I am assuming that the individual keycloak realm admins (as per the change done by Stian on KEYCLOAK-292) will not be able to view the keycloak-admin realm info.
>>
>>> Bill
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140302/20c6a82e/attachment-0001.html

From davide at billdrawer.com Sun Mar 2 06:20:15 2014
From: davide at billdrawer.com (Davide Ungari)
Date: Sun, 2 Mar 2014 06:20:15 -0500 (EST)
Subject: [keycloak-user] Openshift installation
Message-ID: <155451129.27399.1393759215776.open-xchange@app1.ox.registrar-servers.com>

At the end I got it!
I followed the instructions of section 4.1 "Create Keycloak instance with the web tool" instead of the command-line tool.

Davide Ungari, Founder
www.billdrawer.com | davide at billdrawer.com
Milan, IT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140302/7bc0c0a7/attachment.html

From peterson.dean at gmail.com Tue Mar 4 14:15:31 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Tue, 4 Mar 2014 13:15:31 -0600
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
Message-ID:

Hello,

I am trying to find the best way to access the UsersResource.java Rest services outside the keycloak admin application to get a user's information. How do I make a request using just the client's credentials?
I currently use something like this but I get a 401 because I am using a user's oauth token and they only have user privileges:

    SkeletonKeySession session = (SkeletonKeySession) request
            .getAttribute(SkeletonKeySession.class.getName());
    // HostnameVerificationPolicy.ANY turns off hostname verification of the server certificate
    ResteasyClient client = new ResteasyClientBuilder()
            .trustStore(session.getMetadata().getTruststore())
            .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
            .build();

    String username = request.getRemoteUser();

    Profile profile = null;

    try {
        // the admin REST API is called with the current user's own bearer token
        Response response = client
                .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
                .path(username)
                .request()
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
                .get();

        // Get the existing entry if there is one. Otherwise, just return
        // the regular entity retrieved from the remote system.
        try {
            // member and profileRepository come from the surrounding application code (not shown)
            profile = profileRepository.findByRegistrationId(member.getId());
        } catch (NoResultException e) {
            // ignore
        }
    } finally {
        client.close();
    }

Is there a way for the application to make a request directly as an admin without giving the user admin privileges?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140304/061695ca/attachment.html

From bburke at redhat.com Tue Mar 4 15:46:04 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 04 Mar 2014 15:46:04 -0500
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
In-Reply-To:
References:
Message-ID: <53163B8C.3060605@redhat.com>

On 3/4/2014 2:15 PM, Dean Peterson wrote:
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest services outside the keycloak admin application to get a user's information. How do I make a request using just the client's credentials?
>

You just want basic information right? name, email, etc.? Next release (March 13th) we'll have OpenID Connect support. SkeletonKeySession (renamed to KeycloakSecurityContext) will have a reference to an IDToken which can be populated with various user information (claims). Allowed claims are specified per application/oauth client.

You can build and use this right now. View the preconfigured/customer-portal examples to see how it's being done right.

If you don't want to build/run from master you can do a POST to /auth/rest/realms/keycloak-admin/tokens/grants/access

URL form encoded parameters of:

username=admin
password=admin-password

This will return an access token which you can use to invoke on the admin REST API. *NOTE* we're changing this particular REST API next release too :(

> I currently use something like this but I get a 401 because I am using a user's oauth token and they only have user privileges:
>
>     SkeletonKeySession session = (SkeletonKeySession) request
>             .getAttribute(SkeletonKeySession.class.getName());
>     ResteasyClient client = new ResteasyClientBuilder()
>             .trustStore(session.getMetadata().getTruststore())
>             .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>             .build();
>
>     String username = request.getRemoteUser();
>
>     Profile profile = null;
>
>     try {
>         Response response = client
>                 .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
>                 .path(username)
>                 .request()
>                 .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
>                 .get();
>
>         // Get the existing entry if there is one. Otherwise, just return
>         // the regular entity retrieved from the remote system.
>         try {
>             profile = profileRepository.findByRegistrationId(member.getId());
>         } catch (NoResultException e) {
>             // ignore
>         }
>     } finally {
>         client.close();
>     }
>
> Is there a way for the application to make a request directly as an admin without giving the user admin privileges?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Wed Mar 5 04:09:35 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 5 Mar 2014 04:09:35 -0500 (EST)
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
In-Reply-To:
References:
Message-ID: <1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com>

There's also a Keycloak specific mechanism for accessing the account of the user associated with the token.

To do this open the scope mappings for your app/client, and select 'account' in the application roles, select 'view-profile' and click the right-arrow. This will allow your app/client to view the profile of the current user.

Then you can make a request (with bearer token) to:

/auth/rest/realms/myrealm/account

In the future we'll add support to do all account specific things through these REST endpoints to support all operations provided by the account management application.

----- Original Message -----
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 4 March, 2014 7:15:31 PM
> Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
>
> Hello,
>
> I am trying to find the best way to access the UsersResource.java Rest services outside the keycloak admin application to get a user's information. How do I make a request using just the client's credentials?
>
> I currently use something like this but I get a 401 because I am using a user's oauth token and they only have user privileges:
>
>     SkeletonKeySession session = (SkeletonKeySession) request
>             .getAttribute(SkeletonKeySession.class.getName());
>     ResteasyClient client = new ResteasyClientBuilder()
>             .trustStore(session.getMetadata().getTruststore())
>             .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>             .build();
>
>     String username = request.getRemoteUser();
>
>     Profile profile = null;
>
>     try {
>         Response response = client
>                 .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
>                 .path(username)
>                 .request()
>                 .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
>                 .get();
>
>         // Get the existing entry if there is one. Otherwise, just return
>         // the regular entity retrieved from the remote system.
>         try {
>             profile = profileRepository.findByRegistrationId(member.getId());
>         } catch (NoResultException e) {
>             // ignore
>         }
>     } finally {
>         client.close();
>     }
>
> Is there a way for the application to make a request directly as an admin without giving the user admin privileges?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From peterson.dean at gmail.com Wed Mar 5 15:28:53 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Wed, 5 Mar 2014 14:28:53 -0600
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
In-Reply-To: <1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com>
References: <1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com>
Message-ID:

Thank you. I tried what you said. I am able to access that REST service on the Keycloak server but it returns an AccountService object. Actually, I get a 406 error response on my end.
I think it is because I did not have the keycloak-services dependency in my application's pom. However, when I add it and I try to start the server, I get the error: Could not find constructor for class: org.keycloak.services.resources.RealmsResource. Should I make my own local version of AccountService and not add keycloak-services to my application? What is the best approach? Any ideas why I might be getting a 406 error?

    SkeletonKeySession session = (SkeletonKeySession) request
            .getAttribute(SkeletonKeySession.class.getName());
    ResteasyClient client = new ResteasyClientBuilder()
            .trustStore(session.getMetadata().getTruststore())
            .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
            .build();

    String username = request.getRemoteUser();

    Profile profile = null;

    try {
        Response response = client
                .target("http://server:8080/auth/rest/realms/myrealm/account")
                .request()
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
                .get();
        .
        .
        .

On Wed, Mar 5, 2014 at 3:09 AM, Stian Thorgersen wrote:
> There's also a Keycloak specific mechanism for accessing the account of the user associated with the token.
>
> To do this open the scope mappings for your app/client, and select 'account' in the application roles, select 'view-profile' and click the right-arrow. This will allow your app/client to view the profile of the current user.
>
> Then you can make a request (with bearer token) to:
>
> /auth/rest/realms/myrealm/account
>
> In the future we'll add support to do all account specific things through these REST endpoints to support all operations provided by the account management application.
>
> ----- Original Message -----
>> From: "Dean Peterson"
>> To: keycloak-user at lists.jboss.org
>> Sent: Tuesday, 4 March, 2014 7:15:31 PM
>> Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
>>
>> Hello,
>>
>> I am trying to find the best way to access the UsersResource.java Rest services outside the keycloak admin application to get a user's information. How do I make a request using just the client's credentials?
>>
>> I currently use something like this but I get a 401 because I am using a user's oauth token and they only have user privileges:
>>
>>     SkeletonKeySession session = (SkeletonKeySession) request
>>             .getAttribute(SkeletonKeySession.class.getName());
>>     ResteasyClient client = new ResteasyClientBuilder()
>>             .trustStore(session.getMetadata().getTruststore())
>>             .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>>             .build();
>>
>>     String username = request.getRemoteUser();
>>
>>     Profile profile = null;
>>
>>     try {
>>         Response response = client
>>                 .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
>>                 .path(username)
>>                 .request()
>>                 .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
>>                 .get();
>>
>>         // Get the existing entry if there is one. Otherwise, just return
>>         // the regular entity retrieved from the remote system.
>>         try {
>>             profile = profileRepository.findByRegistrationId(member.getId());
>>         } catch (NoResultException e) {
>>             // ignore
>>         }
>>     } finally {
>>         client.close();
>>     }
>>
>> Is there a way for the application to make a request directly as an admin without giving the user admin privileges?
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140305/c27824e7/attachment-0001.html

From peterson.dean at gmail.com Wed Mar 5 15:41:42 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Wed, 5 Mar 2014 14:41:42 -0600
Subject: [keycloak-user] keycloak-user Digest, Vol 3, Issue 2
In-Reply-To:
References:
Message-ID:

I just saw Bill Burke's response. I will try one of your two approaches. Yes, I just need the basic info so what you suggested will work for me. Thanks!

On Wed, Mar 5, 2014 at 2:29 PM, wrote:
> Send keycloak-user mailing list submissions to
> keycloak-user at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
> keycloak-user-request at lists.jboss.org
>
> You can reach the person managing the list at
> keycloak-user-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
> 1. Openshift installation (Davide Ungari)
> 2. How to access realms/{realm}/users/{user} with Application (Dean Peterson)
> 3. Re: How to access realms/{realm}/users/{user} with Application (Bill Burke)
> 4. Re: How to access realms/{realm}/users/{user} with Application (Stian Thorgersen)
> 5. Re: How to access realms/{realm}/users/{user} with Application (Dean Peterson)
>
> ----------------------------------------------------------------------
> > Davide Ungari, Founder > www.billdrawer.com | davide at billdrawer.com > Milan, IT > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20140302/7bc0c0a7/attachment-0001.html > > ------------------------------ > > Message: 2 > Date: Tue, 4 Mar 2014 13:15:31 -0600 > From: Dean Peterson > Subject: [keycloak-user] How to access realms/{realm}/users/{user} > with Application > To: keycloak-user at lists.jboss.org > Message-ID: > 6jAJOsa9x8cw4Boo3PEO3nDEPAz8eSUa6AOg at mail.gmail.com> > Content-Type: text/plain; charset="iso-8859-1" > > Hello, > > I am trying to find the best way to access the UsersResource.java Rest > services outside the keycloak admin application to get a user's > information. How do I make a request using just the client's credentials? > > I currently use something like this but I get a 401 because I am using a > user's oauth token and they only have user privileges: > SkeletonKeySession session = (SkeletonKeySession) request > .getAttribute(SkeletonKeySession.class.getName()); > ResteasyClient client = new ResteasyClientBuilder() > .trustStore(session.getMetadata().getTruststore()) > .hostnameVerification( > > ResteasyClientBuilder.HostnameVerificationPolicy.ANY) > .build(); > > String username = request.getRemoteUser(); > > Profile profile = null; > > try { > > Response response = client > .target(" > http://server:8080/auth/rest/admin/realms/myrealm/users/") > .path(username) > .request() > .header(HttpHeaders.AUTHORIZATION, > "Bearer " + session.getTokenString()).get(); > > > // Get the existing entry if there is one. Otherwise, just > return > // the regular > // entity retrieved from the remote system. 
> try { > profile = profileRepository > .findByRegistrationId(member.getId()); > > } catch (NoResultException e) { > // ignore > } > > } finally { > client.close(); > } > > Is there a way for the application to make a request directly as an admin > without giving the user admin privileges? > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20140304/061695ca/attachment-0001.html > > ------------------------------ > > Message: 3 > Date: Tue, 04 Mar 2014 15:46:04 -0500 > From: Bill Burke > Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user} > with Application > To: keycloak-user at lists.jboss.org > Message-ID: <53163B8C.3060605 at redhat.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > > > On 3/4/2014 2:15 PM, Dean Peterson wrote: > > Hello, > > > > I am trying to find the best way to access the UsersResource.java Rest > > services outside the keycloak admin application to get a user's > > information. How do I make a request using just the client's > credentials? > > > > You just want basic information right? name, email, etc.? Next release > (March 13th) we'll have OpenID Connect support. SkeletonKeysession > (renamed to KeycloakSecurityContext) will have a reference to an IDToken > which can be populated with various user information (claims). Allowed > claims are specified per application/oauth client. > > You can build and use this right now. View the > preconfigured/customer-portal examples to see how its being done right > > If you don't want to build/run from master you can do a POST to > /auth/rest/realms/keycloak-admin/tokens/grants/access > > URL form encoded parameters of: > > username=admin > password=admin-password > > This will return an access token which you can use to invoke on the > admin REST API. 
*NOTE* we're chaning this particular REST API next > release too :( > > > > > > I currently use something like this but I get a 401 because I am using a > > user's oauth token and they only have user privileges: > > SkeletonKeySession session = (SkeletonKeySession) request > > .getAttribute(SkeletonKeySession.class.getName()); > > ResteasyClient client = new ResteasyClientBuilder() > > .trustStore(session.getMetadata().getTruststore()) > > .hostnameVerification( > > > > ResteasyClientBuilder.HostnameVerificationPolicy.ANY) > > .build(); > > > > String username = request.getRemoteUser(); > > > > Profile profile = null; > > > > try { > > > > Response response = client > > > > .target("http://server:8080/auth/rest/admin/realms/myrealm/users/") > > .path(username) > > .request() > > .header(HttpHeaders.AUTHORIZATION, > > "Bearer " + session.getTokenString()).get(); > > > > // Get the existing entry if there is one. Otherwise, just > > return > > // the regular > > // entity retrieved from the remote system. > > try { > > profile = profileRepository > > .findByRegistrationId(member.getId()); > > > > } catch (NoResultException e) { > > // ignore > > } > > > > } finally { > > client.close(); > > } > > > > Is there a way for the application to make a request directly as an > > admin without giving the user admin privileges? 
> > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > ------------------------------ > > Message: 4 > Date: Wed, 5 Mar 2014 04:09:35 -0500 (EST) > From: Stian Thorgersen > Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user} > with Application > To: Dean Peterson > Cc: keycloak-user at lists.jboss.org > Message-ID: > <1739218212.20951754.1394010575408.JavaMail.zimbra at redhat.com> > Content-Type: text/plain; charset=utf-8 > > There's also a Keycloak specific mechanism for accessing the account of > the user associated with the token. > > To do this open the scope mappings for your app/client, and select > 'account' in the application roles, select 'view-profile' and click the > right-arrow. This will allow your app/client to view the profile of the > current user. > > Then you can make a request (with bearer token) to: > > /auth/rest/realms/myrealm/account > > In the future we'll add support to do all account specific things through > these REST endpoints to support all operations provided by the account > management application. > > ----- Original Message ----- > > From: "Dean Peterson" > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, 4 March, 2014 7:15:31 PM > > Subject: [keycloak-user] How to access realms/{realm}/users/{user} with > Application > > > > Hello, > > > > I am trying to find the best way to access the UsersResource.java Rest > > services outside the keycloak admin application to get a user's > information. > > How do I make a request using just the client's credentials? 
>
> ------------------------------
>
> Message: 5
> Date: Wed, 5 Mar 2014 14:28:53 -0600
> From: Dean Peterson
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user} with Application
> To: Stian Thorgersen
> Cc: keycloak-user at lists.jboss.org
> Message-ID: W3fW3kGV7GRvQxCCpeVC2ULAw at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you. I tried what you said. I am able to access that REST service on
> the Keycloak server but it returns an AccountService object.
> Actually, I get a 406 error response on my end. I think it is because I did
> not have the keycloak-services dependency in my application's pom. However,
> when I add it and I try to start the server, I get the error: Could not find
> constructor for class: org.keycloak.services.resources.RealmsResource.
> Should I make my own local version of AccountService and not add
> keycloak-services to my application? What is the best approach? Any ideas
> why I might be getting a 406 error?
>
> SkeletonKeySession session = (SkeletonKeySession) request
>         .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
>         .trustStore(session.getMetadata().getTruststore())
>         .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>         .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>     Response response = client
>             .target("http://server:8080/auth/rest/realms/myrealm/account")
>             .request()
>             .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
>             .get();
>     .
>     .
>     .
>
> End of keycloak-user Digest, Vol 3, Issue 2
> *******************************************

From stian at redhat.com Thu Mar 6 06:31:45 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 6 Mar 2014 06:31:45 -0500 (EST)
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
References: <1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com>
Message-ID: <1694305009.21774704.1394105505453.JavaMail.zimbra@redhat.com>

You don't need to add keycloak-services to your application. It doesn't
actually return an AccountService object; AccountService is a JAX-RS
sub-resource that handles all requests to 'account'. Assuming that you've
looked at the source, have a peek inside AccountService.accountPage, that's
what actually handles the request.

The 406 is caused by a missing Accept header. Try adding:

    .header(HttpHeaders.ACCEPT, "application/json")

Cheers,
Stian
From bburke at redhat.com Thu Mar 6 08:52:47 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 06 Mar 2014 08:52:47 -0500
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
In-Reply-To: <1694305009.21774704.1394105505453.JavaMail.zimbra@redhat.com>
References: <1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com> <1694305009.21774704.1394105505453.JavaMail.zimbra@redhat.com>
Message-ID: <53187DAF.3050801@redhat.com>

Or build from master or wait until next Thursday and you can get these
identity attributes in the token.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From peterson.dean at gmail.com Thu Mar 6 09:50:45 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 6 Mar 2014 08:50:45 -0600
Subject: [keycloak-user] How to access realms/{realm}/users/{user} with Application
In-Reply-To: <1694305009.21774704.1394105505453.JavaMail.zimbra@redhat.com>
References: <1739218212.20951754.1394010575408.JavaMail.zimbra@redhat.com> <1694305009.21774704.1394105505453.JavaMail.zimbra@redhat.com>

Yes, I did realize my stupid mistake right after I sent the e-mail. It is
working as you say. Thank you very much for all the help!
From delkant at gmail.com Sat Mar 8 00:54:44 2014
From: delkant at gmail.com (Rodrigo Del Canto)
Date: Sat, 8 Mar 2014 00:54:44 -0500
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API

Hello guys,

Congrats on the release of the project! I think this is the most useful
project for developers in the whole history of the internet :D

I would like to know if you have any example on how to perform a login from
an external JavaScript client?

How would you recommend doing this? I heard you have a JS/jQuery lib to do
this; where can it be found?

Thanks,

delkant

From stian at redhat.com Mon Mar 10 10:34:06 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 10 Mar 2014 10:34:06 -0400 (EDT)
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
Message-ID: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com>

Hi,

We have a JS library, it's available at http://localhost:8080/js/keycloak.js.
There's no documentation for it yet, and the example needs a bit of TLC, but
the example is customer-app-js and will be included in the alpha3 downloads
that are due this week.
A quick overview to get you started:

The Keycloak constructor takes a single object with the following properties:

* client_id (required) - the name of the application/client in the admin console
* client_secret (optional) - not recommended; instead select the public client option for your application/client in the admin console
* realm (required)
* url (optional) - the base url of the server; if not specified it will be inferred from the url of the keycloak.js script
* onload (optional) - valid options: login-required, check-sso. login-required will redirect to the login form when init is called. check-sso will also redirect to the login form, but won't display the login form (used to check if the user is logged into the sso realm)

For example:

    var keycloak = Keycloak({ client_id: 'myapp', realm: 'myrealm' })
    keycloak.init(function() { alert('authenticated') }, function() { alert('auth failed') } );

Additional methods:

* login - redirect to the login form
* logout - log out
* hasRealmRole(role) - returns true if the user has the realm role
* hasResourceRole(role, resource) - returns true if the user has the role for the specified resource (application)
* loadUserProfile(success, failure) - loads the profile (in the future the profile will be retrieved with the IDToken from the OpenID Connect spec, so this will probably not be required)
* onValidAccessToken(success, failure) - invokes methods with a valid token. If the token is expired the refresh token is used to retrieve a new token before invoking the success callback

Once authenticated the following properties are available as well:

* token - base64 encoded token (use this as the value for the 'Authorization' header, for example "XMLHttpRequest.setRequestHeader('Authorization', 'Bearer ' + keycloak.token)")
* tokenParsed - parsed token
* authenticated - true if authenticated, false otherwise
* subject - userId

Please let me know how you get on with it, any feedback would be appreciated.
Cheers,
Stian

From bburke at redhat.com Mon Mar 10 10:38:10 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 10 Mar 2014 10:38:10 -0400
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
In-Reply-To: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com>
References: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com>
Message-ID: <531DCE52.4020500@redhat.com>

I wrote some docs for it, but they won't be published until Alpha 3.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From delkant at gmail.com Mon Mar 10 15:28:45 2014
From: delkant at gmail.com (Rodrigo Del Canto)
Date: Mon, 10 Mar 2014 15:28:45 -0400
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
In-Reply-To: <531DCE52.4020500@redhat.com>
References: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com> <531DCE52.4020500@redhat.com>

Great! I'm looking forward to seeing the keycloak Alpha 3 release :D

Thank you guys.

Rodrigo.
If the token is expired the refresh token is used to retrieve a new > token before invoking the success callback > > > > Once authenticated the following properties are available as well: > > > > * token - base64 encoded token (use this as the value for the > 'Authorization' header, for example > "xMLHttpRequest.setRequestHeader('Authorization', 'Bearer ' + > keycloak.token)") > > * tokenParsed - parsed token > > * authenticated - true if authenticated, false otherwise > > * subject - userId > > > > Please let me know how you get on with it, any feedback would be > appreciated. > > > > Cheers, > > Stian > > > > > > ----- Original Message ----- > >> From: "Rodrigo Del Canto" > >> To: keycloak-user at lists.jboss.org > >> Sent: Saturday, 8 March, 2014 5:54:44 AM > >> Subject: [keycloak-user] External JS AJAX client for jax-rs backend API > >> > >> Hello guys, > >> > >> Congrats on the release of project! I think this is the most useful > project > >> for developers in the whole history of internet :D > >> > >> I would like to know if you have any example on how to perform a login > from > >> an external JavaScript client? > >> > >> How would you recommend to do this. I heard you have a JS/jQuery lib to > do > >> this, where can it be found? > >> > >> Thanks, > >> > >> delkant > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
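The client-side token handling that the keycloak.js overview above describes (tokenParsed, the role checks, the Authorization header and the "valid token before the call" behaviour of onValidAccessToken), written out here as an added example in plain JavaScript so it can be run in Node; this is not keycloak.js and not code from the thread. Assumptions: roles sit under the realm_access and resource_access claims, the refresh step is a caller-supplied synchronous callback, and the sample token is constructed with a dummy signature.

```javascript
// Added example: a plain-JavaScript model of the token handling the overview
// describes. Not the library's code; claim names and the refresh callback are
// assumptions (see lead-in).

// Decode one base64url JWT segment into an object. No signature check happens
// here on purpose: the client only reads claims to decide when to refresh and
// what UI to show; authorization is enforced by the server verifying the token.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Equivalent of keycloak.tokenParsed: "header.payload.signature" -> payload.
function parseToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  return decodeSegment(parts[1]);
}

// A token counts as expired when exp (seconds since epoch) is within
// `skewSeconds` of now, so a token that would die in flight is refreshed first.
function isExpired(parsed, nowSeconds, skewSeconds = 5) {
  return typeof parsed.exp !== 'number' || parsed.exp - skewSeconds <= nowSeconds;
}

// hasRealmRole / hasResourceRole as listed in the overview. Assumption: roles
// live under realm_access.roles and resource_access[<app>].roles in the token.
function hasRealmRole(parsed, role) {
  const roles = (parsed.realm_access && parsed.realm_access.roles) || [];
  return roles.includes(role);
}
function hasResourceRole(parsed, role, resource) {
  const access = parsed.resource_access || {};
  const roles = (access[resource] && access[resource].roles) || [];
  return roles.includes(role);
}

// Header to send with XMLHttpRequest: setRequestHeader('Authorization', ...).
function authorizationHeader(token) {
  return 'Bearer ' + token;
}

// Mirror of onValidAccessToken(success, failure): refresh first if the access
// token is expired, then hand a valid token to the caller. `refresh` is a
// caller-supplied callback (assumed synchronous here so the flow is testable;
// the real library performs the refresh-token exchange against the server).
function withValidToken(state, refresh, nowSeconds) {
  if (isExpired(parseToken(state.token), nowSeconds)) {
    state.token = refresh(state.refreshToken);
  }
  return state.token;
}

// ---- constructed sample data: NOT a real Keycloak token (dummy signature) ----
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeToken(payload) {
  return [encodeSegment({ alg: 'RS256', typ: 'JWT' }), encodeSegment(payload), 'dummysig'].join('.');
}

const NOW = 1394462046; // fixed clock (seconds) so results are reproducible
const SAMPLE_PAYLOAD = {
  sub: 'user-123',                    // keycloak.subject
  exp: NOW + 300,
  realm_access: { roles: ['user'] },
  resource_access: { myapp: { roles: ['customer'] } },
};

// Walk through one request: expired token -> refresh -> header built -> roles read.
function demo() {
  const state = { token: makeToken({ ...SAMPLE_PAYLOAD, exp: NOW - 10 }), refreshToken: 'rt-placeholder' };
  const refreshed = makeToken({ ...SAMPLE_PAYLOAD, exp: NOW + 600 });
  const token = withValidToken(state, () => refreshed, NOW);
  const parsed = parseToken(token);
  return {
    refreshed: token === refreshed,
    header: authorizationHeader(token),
    canSeeCustomers: hasResourceRole(parsed, 'customer', 'myapp'),
    isAdmin: hasRealmRole(parsed, 'admin'),
  };
}
```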
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140310/7fa58dac/attachment.html From bburke at redhat.com Mon Mar 10 19:41:59 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 10 Mar 2014 19:41:59 -0400 Subject: [keycloak-user] Multi Tenancy In-Reply-To: References: <5309F2B9.5090208@redhat.com> <5309F51F.7020102@redhat.com> <530BF271.5030503@redhat.com> <530CC069.3020104@redhat.com> <530DF079.1080701@redhat.com> <53109817.5040306@redhat.com> <531206A9.90605@redhat.com> Message-ID: <531E4DC7.1010909@redhat.com> Travis. Where are you deploying to? Wildfly? JBoss EAP? Gonna try and work on your extension tomorrow to see if I can get it in by Alpha 3 deadline. On 3/2/2014 5:05 AM, Travis De Silva wrote: > yes that sounds great. Thanks Bill > > > On Sun, Mar 2, 2014 at 3:11 AM, Bill Burke > wrote: > > I'll work on refactoring the adapters next week to help support > this. Maybe if I get things cleaned up enough and provide some bare > bones support for multi-tenancy you could take it over to help drive > for your requirements? > > > On 2/28/2014 3:57 PM, Travis De Silva wrote: > > > On Sat, Mar 1, 2014 at 1:07 AM, Bill Burke > >> wrote: > > > > On 2/27/2014 11:31 PM, Travis De Silva wrote: > > > As per your future plans, if we can get a stateless > keycloak > co-location > option and also enable external config in a DB when you > refactor the > adapter code, that should cover the needs of most > developers who > want to > go beyond the out of the box solutions. > > BTW, I hope with the above changes it would be possible to > associate one > war with multiple realms and this is not a core > keycloak structure > design issue. > > > How soon you need this by? Yesterday? 
> ;) > > > In our project, I was going to build the security model with social > login and was on the verge of using an open source social login > library > to start building it when like god sent the keycloak project > appeared :) > So I am not the one to demand and happy with the little miracles > that > come my way. Having said that, yesterday would be great :) But > seriously > if your Jira roadmap is sort of an indicator and beta 1 would be > released end of March, that timeframe is fine for us :) > > > Like I said earlier, I don't think colocation is necessarily a > requirement if we a) provided an option for public clients > (don't > require a client secret) or b) you had a shared secret between > clients for all realms. The adapter would just extract the > realm > name from the request, invoke on the keycloak server to get the > public information about the realm (i.e. public key), then > cache > this information locally. > > > I guess a shared secret would do. Just wondering why we can't > use the > keycloak-admin realm as the top level realm and use its secret > to get > the realm info to be cached locally and from that point onwards, it > falls into the current keycloak flow. > > I am assuming that the individual keycloak realm admins (as per the > change done by Stian on KEYCLOAK-292 > >) will not be > able to view > > the keycloak-admin realm info. 
> > Bill > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From traviskds at gmail.com Mon Mar 10 23:48:12 2014 From: traviskds at gmail.com (Travis De Silva) Date: Tue, 11 Mar 2014 14:48:12 +1100 Subject: [keycloak-user] Multi Tenancy In-Reply-To: <531E4DC7.1010909@redhat.com> References: <5309F2B9.5090208@redhat.com> <5309F51F.7020102@redhat.com> <530BF271.5030503@redhat.com> <530CC069.3020104@redhat.com> <530DF079.1080701@redhat.com> <53109817.5040306@redhat.com> <531206A9.90605@redhat.com> <531E4DC7.1010909@redhat.com> Message-ID: for now Wildfly would do. It would be great if this can be part of Alpha 3 :) On Tue, Mar 11, 2014 at 10:41 AM, Bill Burke wrote: > Travis. Where are you deploying to? Wildfly? JBoss EAP? Gonna try and > work on your extension tomorrow to see if I can get it in by Alpha 3 > deadline. > > > On 3/2/2014 5:05 AM, Travis De Silva wrote: > >> yes that sounds great. Thanks Bill >> >> >> On Sun, Mar 2, 2014 at 3:11 AM, Bill Burke > > wrote: >> >> I'll work on refactoring the adapters next week to help support >> this. Maybe if I get things cleaned up enough and provide some bare >> bones support for multi-tenancy you could take it over to help drive >> for your requirements? >> >> >> On 2/28/2014 3:57 PM, Travis De Silva wrote: >> >> >> On Sat, Mar 1, 2014 at 1:07 AM, Bill Burke > >> >> wrote: >> >> >> >> On 2/27/2014 11:31 PM, Travis De Silva wrote: >> >> >> As per your future plans, if we can get a stateless >> keycloak >> co-location >> option and also enable external config in a DB when you >> refactor the >> adapter code, that should cover the needs of most >> developers who >> want to >> go beyond the out of the box solutions. 
>> >> BTW, I hope with the above changes it would be possible >> to >> associate one >> war with multiple realms and this is not a core >> keycloak structure >> design issue. >> >> >> How soon you need this by? Yesterday? ;) >> >> >> In our project, I was going to build the security model with >> social >> login and was on the verge of using an open source social login >> library >> to start building it when like god sent the keycloak project >> appeared :) >> So I am not the one to demand and happy with the little miracles >> that >> come my way. Having said that, yesterday would be great :) But >> seriously >> if your Jira roadmap is sort of an indicator and beta 1 would be >> released end of March, that timeframe is fine for us :) >> >> >> Like I said earlier, I don't think colocation is necessarily >> a >> requirement if we a) provided an option for public clients >> (don't >> require a client secret) or b) you had a shared secret >> between >> clients for all realms. The adapter would just extract the >> realm >> name from the request, invoke on the keycloak server to get >> the >> public information about the realm (i.e. public key), then >> cache >> this information locally. >> >> >> I guess a shared secret would do. Just wondering why we can't >> use the >> keycloak-admin realm as the top level realm and use its secret >> to get >> the realm info to be cached locally and from that point onwards, >> it >> falls into the current keycloak flow. >> >> I am assuming that the individual keycloak realm admins (as per >> the >> change done by Stian on KEYCLOAK-292 >> > >> >) will not be >> able to view >> >> the keycloak-admin realm info. 
>> >> Bill >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140311/4c1670f7/attachment-0001.html From n.preusker at gmail.com Tue Mar 11 07:08:30 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 11 Mar 2014 12:08:30 +0100 Subject: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant In-Reply-To: <351215940.16537136.1391098980154.JavaMail.root@redhat.com> References: <52E91946.5040400@redhat.com> <52E92361.5090404@redhat.com> <52EA53F1.1050205@redhat.com> <52EA73EC.3010909@redhat.com> <351215940.16537136.1391098980154.JavaMail.root@redhat.com> Message-ID: Hey guys, I just looked at the login mechanism and the communication between the admin console and the backend in the alpha 2 release again. If I'm not mistaken, you used to use HTTP-only for the KEYCLOAK_SAAS_IDENTITY cookie. Did something change about that in alpha 2? When I look at the HTTP requests in the chrome developer console, I don't see the HttpOnly flag anywhere. Cheers, Nils On Thu, Jan 30, 2014 at 5:23 PM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Bill Burke" > > To: keycloak-user at lists.jboss.org > > Sent: Thursday, 30 January, 2014 3:46:52 PM > > Subject: Re: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner > Password Credentials Grant > > > > > > > > On 1/30/2014 9:29 AM, Nils Preusker wrote: > > > Hey Bill, thanks for the clarification, I didn't realize that the > cookie > > > was Http-only, neat! > > > > > > We are building a pure HTML5 client that is also hosted separately from > > > the REST-backends. 
The thing is that we use a reverse proxy so for the > > > browser it all looks like one app since everything comes from different > > > paths in the same domain. > > > > > > I'll try to clarify the last part of my last mail: We are currently > > > using > org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve > > > (skeleton-key-as7) in our REST-backend modules. If I'm not mistaken, > > > some parts of the code base and concepts are the same as in keycloak, > > > right? > > > > > > So far, in the AngularJS application we've been adding bearer tokens to > > > the HTTP Authorization header. Since the backend uses JAX-RS/ RestEasy, > > > the verification of the bearer tokens was done transparently by > > > OAuthAuthenticationServerValve and RESTEasy automatically added the > > > roles etc. to the HttpServletRequest. Now in the REST backend of the > > > admin app in keycloak you're doing the same thing (validating the > tokens > > > and extracting the roles) manually with the AuthenticationManager > > > (authenticateSaasIdentityCookie(...)). So I was just wondering whether > > > you are planning to make that process more transparent in the future? > > > > > > > We're doing it manually because the original idea was that the admin > > service could manage multiple organizations (a SaaS), so you'd have to > > set up the cookie paths correctly. > > > > For your app, it sounds like @RolesAllowed will work. You just have to > > set up the appropriate web.xml security constraints for your REST urls > > in web.xml. Just set up the REST apis to require authentication and let > > @RolesAllowed do the rest. The keycloak jboss/wildfly adapter can > > handle BEARER token auth at the same time as regular browser oauth. If > > the server is initiating the login, then you can just follow the current > > keycloak examples. If not, then the Javascript lib Stian wrote is an > > option (and something we'll have to document). 
> > JS lib needs a bit of work as well, if it's something you want I can make > it a priority > > > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140311/3c889a68/attachment.html From n.preusker at gmail.com Tue Mar 11 08:59:07 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 11 Mar 2014 13:59:07 +0100 Subject: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant In-Reply-To: References: <52E91946.5040400@redhat.com> <52E92361.5090404@redhat.com> <52EA53F1.1050205@redhat.com> <52EA73EC.3010909@redhat.com> <351215940.16537136.1391098980154.JavaMail.root@redhat.com> Message-ID: digging a bit deeper... I looked for usages of HttpFacade.setCookie and noticed that HttpOnly always seems to be set to false... If I understood the log-in mechanism for pure client side JavaScript applications correctly, it was supposed to be based on a HttpOnly cookie, which makes it impossible for scripts (so the JavaScript application) to access the cookie. Am I missing something? Cheers, Nils On Tue, Mar 11, 2014 at 12:08 PM, Nils Preusker wrote: > Hey guys, > > I just looked at the login mechanism and the communication between the > admin console and the backend in the alpha 2 release again. If I'm not > mistaken, you used to use HTTP-only for the KEYCLOAK_SAAS_IDENTITY cookie. > Did something change about that in alpha 2? 
When I look at the HTTP > requests in the chrome developer console, I don't see the HttpOnly flag > anywhere. > > Cheers, > Nils > > > On Thu, Jan 30, 2014 at 5:23 PM, Stian Thorgersen wrote: > >> >> >> ----- Original Message ----- >> > From: "Bill Burke" >> > To: keycloak-user at lists.jboss.org >> > Sent: Thursday, 30 January, 2014 3:46:52 PM >> > Subject: Re: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner >> Password Credentials Grant >> > >> > >> > >> > On 1/30/2014 9:29 AM, Nils Preusker wrote: >> > > Hey Bill, thanks for the clarification, I didn't realize that the >> cookie >> > > was Http-only, neat! >> > > >> > > We are building a pure HTML5 client that is also hosted separately >> from >> > > the REST-backends. The thing is that we use a reverse proxy so for the >> > > browser it all looks like one app since everything comes from >> different >> > > paths in the same domain. >> > > >> > > I'll try to clarify the last part of my last mail: We are currently >> > > using >> org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve >> > > (skeleton-key-as7) in our REST-backend modules. If I'm not mistaken, >> > > some parts of the code base and concepts are the same as in keycloak, >> > > right? >> > > >> > > So far, in the AngularJS application we've been adding bearer tokens >> to >> > > the HTTP Authorization header. Since the backend uses JAX-RS/ >> RestEasy, >> > > the verification of the bearer tokens was done transparently by >> > > OAuthAuthenticationServerValve and RESTEasy automatically added the >> > > roles etc. to the HttpServletRequest. Now in the REST backend of the >> > > admin app in keycloak you're doing the same thing (validating the >> tokens >> > > and extracting the roles) manually with the AuthenticationManager >> > > (authenticateSaasIdentityCookie(...)). So I was just wondering whether >> > > you are planning to make that process more transparent in the future? 
>> > > >> > >> > We're doing it manually because the original idea was that the admin >> > service could manage multiple organizations (a SaaS), so you'd have to >> > set up the cookie path's correctly. >> > >> > For your app, it sounds like @RolesAllowed will work. You just have to >> > set up the appropriate web.xml security constraints for your REST urls >> > in web.xml. Just set up the REST apis to require authentication and let >> > @RolesAllowed do the rest. The keycloak jboss/wildfly adapter can >> > handle BEARER token auth at the same time as regular browser oauth. If >> > the server is initiating the login, then you can just follow the current >> > keycloak examples. If not, then the Javascript lib Stian wrote is an >> > option (and something we'll have to document). >> >> JS lib needs a bit of work as well, if it's something you want I can make >> it a priority >> >> > >> > >> > >> > -- >> > Bill Burke >> > JBoss, a division of Red Hat >> > http://bill.burkecentral.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
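A check for the question raised above (whether the identity cookie really goes out with the HttpOnly flag), added here as an example that is not code from the thread: it parses Set-Cookie header values as copied from the browser's network panel and reports which protective flags each watched cookie lacks. The cookie values and paths are constructed placeholders, and requiring Secure as well is an assumed policy for an HTTPS deployment.

```javascript
// Added example (not code from the thread): audit Set-Cookie headers for the
// flags a session/identity cookie should carry. The login mechanism discussed
// above relies on the identity cookie being HttpOnly; without that flag any
// script running in the page can read it through document.cookie.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased;
// flag attributes without a value (Secure, HttpOnly) map to true.
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('Set-Cookie without a cookie name: ' + headerValue);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// For each watched cookie, list the protective flags it is missing.
// requireSecure should be true whenever the app is served over HTTPS.
function auditCookies(headerValues, watched, requireSecure = true) {
  const findings = [];
  for (const headerValue of headerValues) {
    const cookie = parseSetCookie(headerValue);
    if (!watched.includes(cookie.name)) continue;
    const missing = [];
    if (cookie.attributes.httponly !== true) missing.push('HttpOnly');
    if (requireSecure && cookie.attributes.secure !== true) missing.push('Secure');
    findings.push({ name: cookie.name, path: cookie.attributes.path || '(default)', missing });
  }
  return findings;
}

// Constructed sample headers (placeholder values, not real tokens): the first
// is the identity cookie without HttpOnly, as reported above; the second is
// the intended form; the third is an unrelated cookie the audit ignores.
const SAMPLE_HEADERS = [
  'KEYCLOAK_SAAS_IDENTITY=<placeholder-token>; Path=/auth; Secure',
  'KEYCLOAK_SAAS_IDENTITY=<placeholder-token>; Path=/auth; Secure; HttpOnly',
  'other_cookie=abc; Path=/',
];

// Run the audit over the sample headers for the identity cookie only.
function demoAudit() {
  return auditCookies(SAMPLE_HEADERS, ['KEYCLOAK_SAAS_IDENTITY']);
}
```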
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140311/899e3633/attachment.html From bburke at redhat.com Tue Mar 11 09:14:04 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 11 Mar 2014 09:14:04 -0400 Subject: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant In-Reply-To: References: <52E91946.5040400@redhat.com> <52E92361.5090404@redhat.com> <52EA53F1.1050205@redhat.com> <52EA73EC.3010909@redhat.com> <351215940.16537136.1391098980154.JavaMail.root@redhat.com> Message-ID: <531F0C1C.4060508@redhat.com> The adapters do not set any cookies except the temporary OAUTH *state* cookie. The demo examples remember authenticated sessions by storing the token in the HttpSession. The admin console is really just a bunch of stateless REST services which is why it sets the Identity cookie. What you're seeing is a bug in Resteasy as the cookie is created with HttpOnly set to true. https://issues.jboss.org/browse/RESTEASY-1026 On 3/11/2014 8:59 AM, Nils Preusker wrote: > digging a bit deeper... I looked for usages of HttpFacade.setCookie and > noticed that HttpOnly always seems to be set to false... If I understood > the log-in mechanism for pure client side JavaScript applications > correctly, it was supposed to be based on a HttpOnly cookie, which makes > it impossible for scripts (so the JavaScript application) to access the > cookie. > > Am I missing something? > > Cheers, > Nils > > > On Tue, Mar 11, 2014 at 12:08 PM, Nils Preusker > wrote: > > Hey guys, > > I just looked at the login mechanism and the communication between > the admin console and the backend in the alpha 2 release again. If > I'm not mistaken, you used to use HTTP-only for the > KEYCLOAK_SAAS_IDENTITY cookie. Did something change about that in > alpha 2? When I look at the HTTP requests in the chrome developer > console, I don't see the HttpOnly flag anywhere. 
> > Cheers, > Nils > > > On Thu, Jan 30, 2014 at 5:23 PM, Stian Thorgersen > wrote: > > > > ----- Original Message ----- > > From: "Bill Burke" > > > To: keycloak-user at lists.jboss.org > > > Sent: Thursday, 30 January, 2014 3:46:52 PM > > Subject: Re: [keycloak-user] Keycloak and OAuth 2.0 Resource > Owner Password Credentials Grant > > > > > > > > On 1/30/2014 9:29 AM, Nils Preusker wrote: > > > Hey Bill, thanks for the clarification, I didn't realize > that the cookie > > > was Http-only, neat! > > > > > > We are building a pure HTML5 client that is also hosted > separately from > > > the REST-backends. The thing is that we use a reverse proxy > so for the > > > browser it all looks like one app since everything comes > from different > > > paths in the same domain. > > > > > > I'll try to clarify the last part of my last mail: We are > currently > > > using > org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve > > > (skeleton-key-as7) in our REST-backend modules. If I'm not > mistaken, > > > some parts of the code base and concepts are the same as in > keycloak, > > > right? > > > > > > So far, in the AngularJS application we've been adding > bearer tokens to > > > the HTTP Authorization header. Since the backend uses > JAX-RS/ RestEasy, > > > the verification of the bearer tokens was done transparently by > > > OAuthAuthenticationServerValve and RESTEasy automatically > added the > > > roles etc. to the HttpServletRequest. Now in the REST > backend of the > > > admin app in keycloak you're doing the same thing > (validating the tokens > > > and extracting the roles) manually with the > AuthenticationManager > > > (authenticateSaasIdentityCookie(...)). So I was just > wondering whether > > > you are planning to make that process more transparent in > the future? 
> > > > > > > We're doing it manually because the original idea was that > the admin > > service could manage multiple organizations (a SaaS), so > you'd have to > > set up the cookie path's correctly. > > > > For your app, it sounds like @RolesAllowed will work. You > just have to > > set up the appropriate web.xml security constraints for your > REST urls > > in web.xml. Just set up the REST apis to require > authentication and let > > @RolesAllowed do the rest. The keycloak jboss/wildfly > adapter can > > handle BEARER token auth at the same time as regular browser > oauth. If > > the server is initiating the login, then you can just follow > the current > > keycloak examples. If not, then the Javascript lib Stian > wrote is an > > option (and something we'll have to document). > > JS lib needs a bit of work as well, if it's something you want I > can make it a priority > > > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From n.preusker at gmail.com Tue Mar 11 09:48:01 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Tue, 11 Mar 2014 14:48:01 +0100 Subject: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant In-Reply-To: <531F0C1C.4060508@redhat.com> References: <52E91946.5040400@redhat.com> <52E92361.5090404@redhat.com> <52EA53F1.1050205@redhat.com> 
<52EA73EC.3010909@redhat.com> <351215940.16537136.1391098980154.JavaMail.root@redhat.com> <531F0C1C.4060508@redhat.com> Message-ID: Hey Bill, thanks for the clarification! We're also building a pure client side JavaScript application which calls a bunch of stateless REST services. I'm looking for the best way to secure those REST services and add a log-in mechanism to the UI. Now I looked at the new example customer-app-js which will be included in the Alpha 3 release and saw that you are using bearer tokens there. So far, I thought that the HttpOnly cookie mechanism was the preferred way to handle OAuth in a pure client side app which uses stateless REST services. In that scenario, I was just going to add a request interceptor in my JS application, where I would handle unauthorized responses with either a refresh token or a redirect to the log-in page. What do you think? Cheers, Nils On Tue, Mar 11, 2014 at 2:14 PM, Bill Burke wrote: > The adapters do not set any cookies except the temporary OAUTH *state* > cookie. The demo examples remember authenticated sessions by storing > the token in the HttpSession. > > The admin console is really just a bunch of stateless REST services > which is why it sets the Identity cookie. What you're seeing is a bug > in Resteasy as the cookie is created with HttpOnly set to true. > > https://issues.jboss.org/browse/RESTEASY-1026 > > On 3/11/2014 8:59 AM, Nils Preusker wrote: > > digging a bit deeper... I looked for usages of HttpFacade.setCookie and > > noticed that HttpOnly always seems to be set to false... If I understood > > the log-in mechanism for pure client side JavaScript applications > > correctly, it was supposed to be based on a HttpOnly cookie, which makes > > it impossible for scripts (so the JavaScript application) to access the > > cookie. > > > > Am I missing something? 
> > > > Cheers, > > Nils > > > > > > On Tue, Mar 11, 2014 at 12:08 PM, Nils Preusker > > wrote: > > > > Hey guys, > > > > I just looked at the login mechanism and the communication between > > the admin console and the backend in the alpha 2 release again. If > > I'm not mistaken, you used to use HTTP-only for the > > KEYCLOAK_SAAS_IDENTITY cookie. Did something change about that in > > alpha 2? When I look at the HTTP requests in the chrome developer > > console, I don't see the HttpOnly flag anywhere. > > > > Cheers, > > Nils > > > > > > On Thu, Jan 30, 2014 at 5:23 PM, Stian Thorgersen > > wrote: > > > > > > > > ----- Original Message ----- > > > From: "Bill Burke" bburke at redhat.com>> > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Thursday, 30 January, 2014 3:46:52 PM > > > Subject: Re: [keycloak-user] Keycloak and OAuth 2.0 Resource > > Owner Password Credentials Grant > > > > > > > > > > > > On 1/30/2014 9:29 AM, Nils Preusker wrote: > > > > Hey Bill, thanks for the clarification, I didn't realize > > that the cookie > > > > was Http-only, neat! > > > > > > > > We are building a pure HTML5 client that is also hosted > > separately from > > > > the REST-backends. The thing is that we use a reverse proxy > > so for the > > > > browser it all looks like one app since everything comes > > from different > > > > paths in the same domain. > > > > > > > > I'll try to clarify the last part of my last mail: We are > > currently > > > > using > > > org.jboss.resteasy.skeleton.key.as7.OAuthAuthenticationServerValve > > > > (skeleton-key-as7) in our REST-backend modules. If I'm not > > mistaken, > > > > some parts of the code base and concepts are the same as in > > keycloak, > > > > right? > > > > > > > > So far, in the AngularJS application we've been adding > > bearer tokens to > > > > the HTTP Authorization header. 
Since the backend uses > > JAX-RS/ RestEasy, > > > > the verification of the bearer tokens was done > transparently by > > > > OAuthAuthenticationServerValve and RESTEasy automatically > > added the > > > > roles etc. to the HttpServletRequest. Now in the REST > > backend of the > > > > admin app in keycloak you're doing the same thing > > (validating the tokens > > > > and extracting the roles) manually with the > > AuthenticationManager > > > > (authenticateSaasIdentityCookie(...)). So I was just > > wondering whether > > > > you are planning to make that process more transparent in > > the future? > > > > > > > > > > We're doing it manually because the original idea was that > > the admin > > > service could manage multiple organizations (a SaaS), so > > you'd have to > > > set up the cookie path's correctly. > > > > > > For your app, it sounds like @RolesAllowed will work. You > > just have to > > > set up the appropriate web.xml security constraints for your > > REST urls > > > in web.xml. Just set up the REST apis to require > > authentication and let > > > @RolesAllowed do the rest. The keycloak jboss/wildfly > > adapter can > > > handle BEARER token auth at the same time as regular browser > > oauth. If > > > the server is initiating the login, then you can just follow > > the current > > > keycloak examples. If not, then the Javascript lib Stian > > wrote is an > > > option (and something we'll have to document). 
> > > > JS lib needs a bit of work as well, if it's something you want I > > can make it a priority > > > > > > > > > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org keycloak-user at lists.jboss.org> > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140311/04259648/attachment.html From bburke at redhat.com Wed Mar 12 18:16:00 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 12 Mar 2014 18:16:00 -0400 Subject: [keycloak-user] Keycloak alph3 released Message-ID: <5320DCA0.5090203@redhat.com> http://blog.keycloak.org/2014/03/12/keycloak-alpha-3-released/ keycloak.org for docs and downloads -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Thu Mar 13 14:40:23 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Thu, 13 Mar 2014 13:40:23 -0500 Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors Message-ID: I get transaction rollback errors frequently. 
Every time I leave the application idle for a few minutes and come back, the system has transaction errors. I have to refresh multiple times for the keycloak admin-ui to start responding again. I realized my settings were using local database transactions and that does not work well. I am using JBOSS and J2EE so I definitely want to use the container managed transactions. I switched the settings in my management console and changed my persistence.xml to this: java:jboss/datasources/ui_users org.keycloak.models.jpa.entities.ApplicationEntity org.keycloak.models.jpa.entities.CredentialEntity org.keycloak.models.jpa.entities.OAuthClientEntity org.keycloak.models.jpa.entities.RealmEntity org.keycloak.models.jpa.entities.RequiredCredentialEntity org.keycloak.models.jpa.entities.ApplicationRoleEntity org.keycloak.models.jpa.entities.RealmRoleEntity org.keycloak.models.jpa.entities.SocialLinkEntity org.keycloak.models.jpa.entities.UserEntity org.keycloak.models.jpa.entities.UserRoleMappingEntity org.keycloak.models.jpa.entities.ScopeMappingEntity true *Now when I start the server I get the following error:* java.lang.NullPointerException at org.hibernate.engine.transaction.internal.jta.JtaStatusHelper.getStatus(JtaStatusHelper.java:76) at . . . org.keycloak.models.jpa.JpaKeycloakSessionFactory.createSession(JpaKeycloakSessionFactory.java:21) at . . . jboss.undertow.deployment.default-server.default-host./auth: Failed to start service Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.server.KeycloakServerApplication(javax.servlet.ServletContext) throws java.io.FileNotFoundException Any ideas why this is happening? Thanks, Dean Peterson -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140313/72714a5e/attachment-0001.html From peterson.dean at gmail.com Thu Mar 13 14:42:59 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Thu, 13 Mar 2014 13:42:59 -0500 Subject: [keycloak-user] Fwd: Trying to use JTA transactions for JPA causes errors In-Reply-To: References: Message-ID: This is in relation to my last submission. It seems the following line in JpaModelProvider.java is not compatible with container managed JTA transactions? line: 26 EntityManagerFactory emf = Persistence.createEntityManagerFactory("jpa-keycloak-identity-store", getHibernateProperties()); ---------- Forwarded message ---------- From: Dean Peterson Date: Thu, Mar 13, 2014 at 1:40 PM Subject: Trying to use JTA transactions for JPA causes errors To: keycloak-user at lists.jboss.org I get transaction rollback errors frequently. Every time I leave the application idle for a few minutes and come back, the system has transaction errors. I have to refresh multiple times for the keycloak admun-ui to start responding again. I realized my settings were using local database transactions and that does not work well. I am using JBOSS and J2EE so I definitely want to use the container managed transactions. 
I switched the settings in my management console and changed my persistence.xml to this: java:jboss/datasources/ui_users org.keycloak.models.jpa.entities.ApplicationEntity org.keycloak.models.jpa.entities.CredentialEntity org.keycloak.models.jpa.entities.OAuthClientEntity org.keycloak.models.jpa.entities.RealmEntity org.keycloak.models.jpa.entities.RequiredCredentialEntity org.keycloak.models.jpa.entities.ApplicationRoleEntity org.keycloak.models.jpa.entities.RealmRoleEntity org.keycloak.models.jpa.entities.SocialLinkEntity org.keycloak.models.jpa.entities.UserEntity org.keycloak.models.jpa.entities.UserRoleMappingEntity org.keycloak.models.jpa.entities.ScopeMappingEntity true *Now when I start the server I get the following error:* java.lang.NullPointerException at org.hibernate.engine.transaction.internal.jta.JtaStatusHelper.getStatus(JtaStatusHelper.java:76) at . . . org.keycloak.models.jpa.JpaKeycloakSessionFactory.createSession(JpaKeycloakSessionFactory.java:21) at . . . jboss.undertow.deployment.default-server.default-host./auth: Failed to start service Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.server.KeycloakServerApplication(javax.servlet.ServletContext) throws java.io.FileNotFoundException Any ideas why this is happening? Thanks, Dean Peterson -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140313/6c567901/attachment.html From ungarida at gmail.com Thu Mar 13 20:05:23 2014 From: ungarida at gmail.com (Davide Ungari) Date: Fri, 14 Mar 2014 01:05:23 +0100 Subject: [keycloak-user] Maven compile Alpha 1.3 Message-ID: Hi everybody, I did checkout of the 1.0-alpha-3. 
I'm trying to do a mvn compile war:war and it fails for: [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project keycloak-model-api: Compilation failure: Compilation failure: [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[14,24] error: package org.keycloak.util does not exist [ERROR] [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[35,23] error: cannot find symbol [ERROR] [ERROR] class KeycloakModelUtils [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[47,23] error: cannot find symbol [ERROR] [ERROR] class KeycloakModelUtils [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[65,15] error: cannot find symbol [ERROR] -> [Help 1] [ERROR] Any help? -- Davide -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140314/ecf6f847/attachment.html From stian at redhat.com Fri Mar 14 04:44:34 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 14 Mar 2014 04:44:34 -0400 (EDT) Subject: [keycloak-user] Maven compile Alpha 1.3 In-Reply-To: References: Message-ID: <1472751774.27338092.1394786674362.JavaMail.zimbra@redhat.com> Try running "mvn package" instead of "mvn compile war:war", as you need to package the jar modules. ----- Original Message ----- > From: "Davide Ungari" > To: keycloak-user at lists.jboss.org > Sent: Friday, 14 March, 2014 12:05:23 AM > Subject: [keycloak-user] Maven compile Alpha 1.3 > > Hi everybody, > I did checkout of the 1.0-alpha-3. 
> I'm trying to do a mvn compile war:war and it fails for: > > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile > (default-compile) on project keycloak-model-api: Compilation failure: > Compilation failure: > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[14,24] > error: package org.keycloak.util does not exist > [ERROR] > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[35,23] > error: cannot find symbol > [ERROR] > [ERROR] class KeycloakModelUtils > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[47,23] > error: cannot find symbol > [ERROR] > [ERROR] class KeycloakModelUtils > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[65,15] > error: cannot find symbol > [ERROR] -> [Help 1] > [ERROR] > > Any help? > > -- > Davide > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Fri Mar 14 04:47:30 2014 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 14 Mar 2014 09:47:30 +0100 Subject: [keycloak-user] Maven compile Alpha 1.3 In-Reply-To: References: Message-ID: <5322C222.2080509@redhat.com> Hi Davide, can you try first to run "mvn clean install" for whole project and then "mvn war:war" after that? The point is that "install" will add artifacts to your local maven repo, so they will be able to find dependencies between each other. I think that "compile" is not sufficient as it just compile classes, but not create JAR and not copy them to your local repo. Good luck, Marek On 14.3.2014 01:05, Davide Ungari wrote: > Hi everybody, > I did checkout of the 1.0-alpha-3. 
> I'm trying to do a mvn compile war:war and it fails for: > > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile > (default-compile) on project keycloak-model-api: Compilation failure: > Compilation failure: > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[14,24] > error: package org.keycloak.util does not exist > [ERROR] > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[35,23] > error: cannot find symbol > [ERROR] > [ERROR] class KeycloakModelUtils > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[47,23] > error: cannot find symbol > [ERROR] > [ERROR] class KeycloakModelUtils > [ERROR] > /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[65,15] > error: cannot find symbol > [ERROR] -> [Help 1] > [ERROR] > > Any help? > > -- > Davide > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140314/5a8a7dd7/attachment.html From stian at redhat.com Fri Mar 14 04:53:24 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 14 Mar 2014 04:53:24 -0400 (EDT) Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors In-Reply-To: References: Message-ID: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com> Keycloak has been designed to work in multiple environments, not just JavaEE. That's why container managed transactions are not used. JTA transactions are not required either as there's a single database, hence no need for distributed transactions. 
Can you provide me with some more information about the errors you are seeing? Including the server log, persistence.xml, etc. It should work perfectly well with resource local transactions.

If you have a real requirement for using a JTA data-source we can certainly look into supporting that.

----- Original Message -----
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 13 March, 2014 6:40:23 PM
> Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors

From bburke at redhat.com  Fri Mar 14 09:11:22 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 14 Mar 2014 09:11:22 -0400
Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors
In-Reply-To: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com>
References: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com>
Message-ID: <5322FFFA.2060201@redhat.com>

And, there is no container to manage the transactions anyways! Nothing
runs in an EJB container. I thought you could use a JTA datasource
without a container to manage them. That the datasource would just be a
regular datasource if there was no active transaction. Guess I was wrong...

FYI, you don't need a TM anyways as there is only one "transactional"
resource and we manage the sessions via a filter.

On 3/14/2014 4:53 AM, Stian Thorgersen wrote:
> Keycloak has been designed to work in multiple environments, not just JavaEE. That's why container managed transactions are not used. JTA transactions are not required either as there's a single database, hence no need for distributed transactions.
>
> Can you provide me with some more information about the errors you are seeing? Including the server log, persistence.xml, etc. It should work perfectly well with resource local transactions.
>
> If you have a real requirement for using a JTA data-source we can certainly look into supporting that.
>
> ----- Original Message -----
>> From: "Dean Peterson"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 13 March, 2014 6:40:23 PM
>> Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com  Fri Mar 14 09:15:01 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 14 Mar 2014 09:15:01 -0400 (EDT)
Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors
In-Reply-To: <5322FFFA.2060201@redhat.com>
References: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com> <5322FFFA.2060201@redhat.com>
Message-ID: <115471402.27493412.1394802901188.JavaMail.zimbra@redhat.com>

We can use a JTA data-source with some additional configuration for Hibernate (without the ejb container). I've done this in the past and it works fine, but I don't see a use-case for it.

----- Original Message -----
> From: "Bill Burke"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 14 March, 2014 1:11:22 PM
> Subject: Re: [keycloak-user] Trying to use JTA transactions for JPA causes errors
>
> And, there is no container to manage the transactions anyways! Nothing
> runs in an EJB container. I thought you could use a JTA datasource
> without a container to manage them. That the datasource would just be a
> regular datasource if there was no active transaction. Guess I was wrong...
>
> FYI, you don't need a TM anyways as there is only one "transactional"
> resource and we manage the sessions via a filter.
>
> On 3/14/2014 4:53 AM, Stian Thorgersen wrote:

From bburke at redhat.com  Fri Mar 14 09:17:38 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 14 Mar 2014 09:17:38 -0400
Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors
In-Reply-To: <115471402.27493412.1394802901188.JavaMail.zimbra@redhat.com>
References: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com> <5322FFFA.2060201@redhat.com> <115471402.27493412.1394802901188.JavaMail.zimbra@redhat.com>
Message-ID: <53230172.3080400@redhat.com>

On 3/14/2014 9:15 AM, Stian Thorgersen wrote:
> We can use a JTA data-source with some additional configuration for Hibernate (without the ejb container). I've done this in the past and it works fine, but I don't see a use-case for it.
>

We might need it in the future when we start doing some caching. Then
you'll have two resources: the cache and the database that you'll want
to ensure integrity for.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com  Fri Mar 14 09:21:06 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 14 Mar 2014 09:21:06 -0400 (EDT)
Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors
In-Reply-To: <53230172.3080400@redhat.com>
References: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com> <5322FFFA.2060201@redhat.com> <115471402.27493412.1394802901188.JavaMail.zimbra@redhat.com> <53230172.3080400@redhat.com>
Message-ID: <1902478480.27496314.1394803266573.JavaMail.zimbra@redhat.com>

JIRA created: https://issues.jboss.org/browse/KEYCLOAK-377

----- Original Message -----
> From: "Bill Burke"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 14 March, 2014 1:17:38 PM
> Subject: Re: [keycloak-user] Trying to use JTA transactions for JPA causes errors
>
> On 3/14/2014 9:15 AM, Stian Thorgersen wrote:
> > We can use a JTA data-source with some additional configuration for
> > Hibernate (without the ejb container). I've done this in the past and it
> > works fine, but I don't see a use-case for it.
> >
>
> We might need it in the future when we start doing some caching. Then
> you'll have two resources: the cache and the database that you'll want
> to ensure integrity for.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From peterson.dean at gmail.com  Fri Mar 14 12:26:52 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Fri, 14 Mar 2014 11:26:52 -0500
Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors
In-Reply-To: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com>
References: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com>

That makes sense. I do not necessarily need JTA transactions for keycloak but
I am experiencing the error you can see in the keycloak-log.txt constantly.
Without fail, that error occurs when I let keycloak sit idle for about 5
minutes or so. It would be nice to let the container manage connections and
transactions to Keycloak still. Without that, I am fairly certain a production
environment needs something like c3p0 or DBCP (Apache Database Connection
Pooling) to make the connections to the database stable. What are your
thoughts? I will try using c3p0 today to see if that fixes the problem in the
attached log.

Also, should the jta-data-source tag in the persistence.xml be changed to
non-jta-data-source? The keycloak-server persistence.xml comes with the
jta-data-source tag out of the box. I did try changing it to
non-jta-data-source and I still get the same errors so that is not the cause
of my problem.

Thanks,
Dean

On Fri, Mar 14, 2014 at 3:53 AM, Stian Thorgersen wrote:
> Keycloak has been designed to work in multiple environments, not just
> JavaEE. That's why container managed transactions are not used. JTA
> transactions are not required either as there's a single database, hence no
> need for distributed transactions.
>
> Can you provide me with some more information about the errors you are
> seeing? Including the server log, persistence.xml, etc. It should work
> perfectly well with resource local transactions.
>
> If you have a real requirement for using a JTA data-source we can
> certainly look into supporting that.
>
> ----- Original Message -----
> > From: "Dean Peterson"
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 13 March, 2014 6:40:23 PM
> > Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors

-------------- next part --------------
09:54:40,616 INFO [org.jboss.modules] (main) JBoss Modules version 1.3.0.Final
09:54:40,937 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.0.Final
09:54:41,028 INFO [org.jboss.as] (MSC service thread 1-6) JBAS015899: WildFly 8.0.0.Final "WildFly" starting
09:54:42,203 WARN [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015002: Deployment of 'keycloak-adapter-core' requested, but the deployment is not present
09:54:42,203 INFO [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015003: Found customer-portal-example.war in deployment directory. To trigger deployment create a file called customer-portal-example.war.dodeploy
09:54:42,204 INFO [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015003: Found database-service.war in deployment directory. To trigger deployment create a file called database-service.war.dodeploy
09:54:42,221 INFO [org.jboss.as.server] (Controller Boot Thread) JBAS015888: Creating http management service using socket-binding (management-http)
09:54:42,243 INFO [org.xnio] (MSC service thread 1-39) XNIO version 3.2.0.Final
09:54:42,251 INFO [org.xnio.nio] (MSC service thread 1-39) XNIO NIO Implementation Version 3.2.0.Final
09:54:42,275 INFO [org.jboss.as.security] (ServerService Thread Pool -- 47) JBAS013171: Activating Security Subsystem
09:54:42,279 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 34) JBAS010280: Activating Infinispan subsystem.
09:54:42,284 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 42) JBAS011800: Activating Naming Subsystem
09:54:42,289 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 51) JBAS015537: Activating WebServices Extension
09:54:42,291 INFO [org.jboss.as.security] (MSC service thread 1-26) JBAS013170: Current PicketBox version=4.0.20.Final
09:54:42,293 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 40) JBAS012615: Activated the following JSF Implementations: [main]
09:54:42,323 INFO [org.wildfly.extension.undertow] (MSC service thread 1-14) JBAS017502: Undertow 1.0.0.Final starting
09:54:42,324 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 50) JBAS017502: Undertow 1.0.0.Final starting
09:54:42,329 INFO [org.jboss.as.connector.logging] (MSC service thread 1-33) JBAS010408: Starting JCA Subsystem (IronJacamar 1.1.3.Final)
09:54:42,354 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 29) JBAS010403: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
09:54:42,360 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-33) JBAS010417: Started Driver service with driver-name = h2
09:54:42,366 INFO [org.jboss.as.naming] (MSC service thread 1-15) JBAS011802: Starting Naming Service
09:54:42,368 INFO [org.jboss.as.mail.extension] (MSC service thread 1-34) JBAS015400: Bound mail session [java:jboss/mail/Default]
09:54:42,417 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 4.0.0.Final
09:54:42,436 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 50) JBAS017527: Creating file handler for path C:\wildfly-8.0.0.Final/welcome-content
09:54:42,450 INFO [org.wildfly.extension.undertow] (MSC service thread 1-16) JBAS017525: Started server default-server.
09:54:42,460 INFO [org.wildfly.extension.undertow] (MSC service thread 1-22) JBAS017531: Host default-host starting
09:54:42,495 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-10) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
09:54:42,498 INFO [org.wildfly.extension.undertow] (MSC service thread 1-17) JBAS017519: Undertow HTTP listener default listening on /0.0.0.0:8080
09:54:42,668 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-12) JBAS015012: Started FileSystemDeploymentService for directory C:\wildfly-8.0.0.Final\standalone\deployments
09:54:42,673 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015876: Starting deployment of "sqljdbc4.jar" (runtime-name: "sqljdbc4.jar")
09:54:42,930 INFO [org.jboss.ws.common.management] (MSC service thread 1-40) JBWS022052: Starting JBoss Web Services - Stack CXF Server 4.2.3.Final
09:54:43,218 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-34) JBAS010403: Deploying JDBC-compliant driver class com.microsoft.sqlserver.jdbc.SQLServerDriver (version 4.0)
09:54:43,231 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-7) JBAS010417: Started Driver service with driver-name = sqljdbc4.jar
09:54:43,233 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-35) JBAS010400: Bound data source [java:jboss/datasources/ui_users]
09:54:43,320 INFO [org.jboss.as.server] (Controller Boot Thread) JBAS018559: Deployed "sqljdbc4.jar" (runtime-name : "sqljdbc4.jar")
09:54:43,519 INFO [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
09:54:43,520 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
09:54:43,520 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: WildFly 8.0.0.Final "WildFly" started in 3301ms - Started 222 of 277 services (88 services are lazy, passive or on-demand)
09:55:17,767 INFO [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) JBAS015003: Found keycloak-server.war in deployment directory. To trigger deployment create a file called keycloak-server.war.dodeploy
09:55:27,860 INFO [org.jboss.as.server.deployment] (MSC service thread 1-16) JBAS015876: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
09:55:32,770 WARN [org.jboss.as.server.deployment] (MSC service thread 1-40) JBAS015960: Class Path entry jaxb-api.jar in /C:/wildfly-8.0.0.Final/standalone/deployments/keycloak-server.war/WEB-INF/lib/jaxb-core-2.2.7.jar does not point to a valid jar for a Class-Path reference.
09:55:32,771 WARN [org.jboss.as.server.deployment] (MSC service thread 1-40) JBAS015960: Class Path entry jaxb-api.jar in /C:/wildfly-8.0.0.Final/standalone/deployments/keycloak-server.war/WEB-INF/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
09:55:32,771 WARN [org.jboss.as.server.deployment] (MSC service thread 1-40) JBAS015960: Class Path entry jaxb-core.jar in /C:/wildfly-8.0.0.Final/standalone/deployments/keycloak-server.war/WEB-INF/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference.
09:55:32,881 INFO [org.jboss.as.jpa] (MSC service thread 1-6) JBAS011401: Read persistence.xml for jpa-keycloak-identity-store
09:55:33,299 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 54) JBAS011409: Starting Persistence Unit (phase 1 of 2) Service 'keycloak-server.war#jpa-keycloak-identity-store'
09:55:33,324 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 54) HHH000204: Processing PersistenceUnitInfo [ name: jpa-keycloak-identity-store ...]
09:55:33,481 INFO [org.hibernate.Version] (ServerService Thread Pool -- 54) HHH000412: Hibernate Core {4.3.1.Final}
09:55:33,486 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 54) HHH000206: hibernate.properties not found
09:55:33,490 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 54) HHH000021: Bytecode provider name : javassist
09:55:33,736 WARN [org.jboss.as.ee] (MSC service thread 1-12) JBAS011006: Not installing optional component org.jboss.resteasy.plugins.server.servlet.Servlet3AsyncHttpRequest$Servlet3ExecutionContext$Servle3AsychronousResponse due to an exception (enable DEBUG log level to see the cause)
09:55:33,903 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 54) JBAS011409: Starting Persistence Unit (phase 2 of 2) Service 'keycloak-server.war#jpa-keycloak-identity-store'
09:55:34,039 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 54) HCANN000001: Hibernate Commons Annotations {4.0.4.Final}
09:55:36,415 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 54) HHH000400: Using dialect: org.hibernate.dialect.SQLServer2008Dialect
09:55:36,933 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 54) HHH000397: Using ASTQueryTranslatorFactory
09:55:37,031 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 54) HV000001: Hibernate Validator 5.0.3.Final
09:55:38,229 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (ServerService Thread Pool -- 54) HHH000228: Running hbm2ddl schema update
09:55:38,231 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (ServerService Thread Pool -- 54) HHH000102: Fetching database metadata
09:55:38,245 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (ServerService Thread Pool -- 54) HHH000396: Updating schema
09:55:38,835 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.ApplicationDefaultRoles
09:55:38,836 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [defaultroles_id, applicationentity_id] 09:55:38,836 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_g6l8hy3l98i72814tlecxbsal, fk_63mlbcao16xl0fihhba5hj955] 09:55:38,837 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [ix_applicationdefaultroles_column, uk_63mlbcao16xl0fihhba5hj955] 09:55:38,944 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.ApplicationEntity 09:55:38,945 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, beareronly, realm_id, managementurl, baseurl, surrogateauthrequired] 09:55:38,946 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_2ne1lwypulqs3pini9phv5fr2, fk_5lh1t23ye3m5taifap3eoh6e5] 09:55:38,946 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__applicat__3213e83f39c1eba6] 09:55:39,047 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.ApplicationRole 09:55:39,048 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, application_id] 09:55:39,048 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_ulxuhip32h8nk5pbb1m6103n, fk_9rk108fvewkeagy9qjhuqfb9m] 09:55:39,049 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__applicat__3213e83f7c129ea3] 09:55:39,164 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.ClientEntity 09:55:39,165 INFO 
[org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, enabled, publicclient, notbefore, name, secret, allowedclaimsmask] 09:55:39,165 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [] 09:55:39,166 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__clienten__3213e83f43042403] 09:55:39,310 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.ClientEntity_redirectUris 09:55:39,311 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [cliententity_id, redirecturis] 09:55:39,312 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_feix1pdp92lddt2ou5qa7u2l6] 09:55:39,313 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [ix_cliententity_redirecturis_column] 09:55:39,422 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.ClientEntity_webOrigins 09:55:39,423 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [weborigins, cliententity_id] 09:55:39,423 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_gh3h7pfhqdulen2dafqy5i4y0] 09:55:39,423 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [ix_cliententity_weborigins_column] 09:55:39,523 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.CredentialEntity 09:55:39,524 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, value, device, user_id, type, salt] 09:55:39,524 INFO 
[org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_pn32x46lgmhlaldchhp47wfgj] 09:55:39,525 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__credenti__3213e83fd607e6bd] 09:55:39,620 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.OAuthClientEntity 09:55:39,621 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, realm_id] 09:55:39,621 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_c7p5k3d5mewb3yym9qypp76uj, fk_qlc5yqdm2qs1kpiias2ccx8qw] 09:55:39,622 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__oauthcli__3213e83ffce156ca] 09:55:39,728 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.RealmDefaultRoles 09:55:39,729 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [realmentity_id, defaultroles_id] 09:55:39,729 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_olcemcd95akm5sj17xr8rwrkg, fk_lm3mms6o7y861qvb68sycmkaj] 09:55:39,730 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [ix_realmdefaultroles_column, uk_olcemcd95akm5sj17xr8rwrkg] 09:55:39,836 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.RealmEntity 09:55:39,838 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [rememberme, enabled, publickeypem, accounttheme, passwordpolicy, registrationallowed, centralloginlifespan, notbefore, accesstokenlifespan, resetpasswordallowed, privatekeypem, 
updateprofileoninitsoclogin, accesscodelifespan, accesscodelifespanuseraction, id, refreshtokenlifespan, logintheme, sslnotrequired, social, name, verifyemail] 09:55:39,838 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [] 09:55:39,838 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__realment__3213e83feb80b4a2] 09:55:39,941 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.RealmEntity_smtpConfig 09:55:39,942 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [realmentity_id, name, value] 09:55:39,942 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_hbtlvt068mnrudm3cf0px691h] 09:55:39,943 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__realment__672db377a990e010] 09:55:40,046 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.RealmEntity_socialConfig 09:55:40,046 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [realmentity_id, name, value] 09:55:40,046 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_18sn19xqpu83b06jv6w8ksvfv] 09:55:40,046 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__realment__672db37711d130f8] 09:55:40,207 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.RequiredCredentialEntity 09:55:40,207 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, input, secret, formlabel, type] 09:55:40,208 INFO 
[org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [] 09:55:40,209 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__required__3213e83fc274502a] 09:55:40,309 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.RoleEntity 09:55:40,310 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, realm_id, description, name, dtype] 09:55:40,310 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_2wxhye0e7ejl1swt4ju9buaxw] 09:55:40,311 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__roleenti__3213e83f9783b1ca] 09:55:40,411 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.RoleEntity_RoleEntity 09:55:40,412 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [roleentity_id, compositeroles_id] 09:55:40,412 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_rhas6cbjwjewh3qe1ar3ewv3x, fk_fqxkb97litt72ru58fr1y8v8n] 09:55:40,413 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [ix_roleentity_roleentity_column] 09:55:40,507 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.ScopeMappingEntity 09:55:40,508 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, role_id, client_id] 09:55:40,508 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_bkaeyvs28ip6gx4y2h4ij4277, fk_so3wyrspaer7i9it9fr8t9a0o] 09:55:40,508 INFO 
[org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__scopemap__3213e83f29ccb440] 09:55:40,605 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.SocialLinkEntity 09:55:40,606 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, socialusername, realm_id, socialprovider, user_id] 09:55:40,606 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_jav76o82ob85iuxm2l0gg904h, fk_of3vi3cc8yo5aavbsq2flfm32] 09:55:40,607 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__socialli__3213e83f99518587] 09:55:40,706 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.UserEntity 09:55:40,708 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, loginname, enabled, realm_id, totp, email, emailverified, lastname, firstname] 09:55:40,708 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_1u1wm7gj4o98kabis6et6klh5] 09:55:40,708 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__userenti__3213e83fb65d69ce] 09:55:40,810 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.UserEntity_CredentialEntity 09:55:40,811 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [credentials_id, userentity_id] 09:55:40,812 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_302t29u9komfu7d7qffci0cie, fk_kwlok0nencsu8kuhwervrn2p5] 09:55:40,812 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 
54) HHH000126: Indexes: [ix_userentity_credentialentity_column, uk_kwlok0nencsu8kuhwervrn2p5] 09:55:40,916 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.UserEntity_attributes 09:55:40,916 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [userentity_id, name, value] 09:55:40,916 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_pv89d7hl2qoyg2dc1b9bupw7l] 09:55:40,917 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__userenti__cbbe5e2fcbbb72d1] 09:55:41,018 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.UserEntity_requiredActions 09:55:41,019 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [userentity_id, requiredactions] 09:55:41,019 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_eclsk6gyvwy477usdcwu8l1mx] 09:55:41,020 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [ix_userentity_requiredactions_column] 09:55:41,117 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.UserRoleMappingEntity 09:55:41,118 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [id, role_id, user_id] 09:55:41,118 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_agpsm5ca3g409ed9l3tn2j2ei, fk_j518aofj2vsvq3uo7qygnx6kn] 09:55:41,119 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [pk__userrole__3213e83f2a2d4194] 09:55:41,220 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService 
Thread Pool -- 54) HHH000261: Table found: ui_users.dbo.User_RequiredCreds 09:55:41,221 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000037: Columns: [realmentity_id, requiredcredentials_id] 09:55:41,222 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000108: Foreign keys: [fk_anp4huiptj153jqe0muwgsvkf, fk_4vn3690ov78s8nai1fmpgax0m] 09:55:41,222 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (ServerService Thread Pool -- 54) HHH000126: Indexes: [uk_anp4huiptj153jqe0muwgsvkf, ix_user_requiredcreds_column] 09:55:41,227 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (ServerService Thread Pool -- 54) HHH000232: Schema update complete 09:55:41,228 WARN [org.hibernate.internal.SessionFactoryImpl] (ServerService Thread Pool -- 54) HHH000008: JTASessionContext being used with JDBCTransactionFactory; auto-flush will not operate correctly with getCurrentSession() 09:55:42,505 INFO [org.hibernate.jpa.internal.util.LogHelper] (MSC service thread 1-10) HHH000204: Processing PersistenceUnitInfo [ name: jpa-keycloak-identity-store ...] 
09:55:42,581 INFO [org.hibernate.dialect.Dialect] (MSC service thread 1-10) HHH000400: Using dialect: org.hibernate.dialect.SQLServer2008Dialect 09:55:42,681 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (MSC service thread 1-10) HHH000397: Using ASTQueryTranslatorFactory 09:55:43,034 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (MSC service thread 1-10) HHH000228: Running hbm2ddl schema update 09:55:43,034 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (MSC service thread 1-10) HHH000102: Fetching database metadata 09:55:43,036 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (MSC service thread 1-10) HHH000396: Updating schema 09:55:43,133 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.ApplicationDefaultRoles 09:55:43,134 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [defaultroles_id, applicationentity_id] 09:55:43,134 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_g6l8hy3l98i72814tlecxbsal, fk_63mlbcao16xl0fihhba5hj955] 09:55:43,135 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [ix_applicationdefaultroles_column, uk_63mlbcao16xl0fihhba5hj955] 09:55:43,232 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.ApplicationEntity 09:55:43,233 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, beareronly, realm_id, managementurl, baseurl, surrogateauthrequired] 09:55:43,233 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_2ne1lwypulqs3pini9phv5fr2, fk_5lh1t23ye3m5taifap3eoh6e5] 09:55:43,234 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__applicat__3213e83f39c1eba6] 09:55:43,325 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC 
service thread 1-10) HHH000261: Table found: ui_users.dbo.ApplicationRole 09:55:43,326 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, application_id] 09:55:43,326 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_ulxuhip32h8nk5pbb1m6103n, fk_9rk108fvewkeagy9qjhuqfb9m] 09:55:43,326 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__applicat__3213e83f7c129ea3] 09:55:43,422 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.ClientEntity 09:55:43,423 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, enabled, publicclient, notbefore, name, secret, allowedclaimsmask] 09:55:43,423 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [] 09:55:43,424 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__clienten__3213e83f43042403] 09:55:43,529 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.ClientEntity_redirectUris 09:55:43,530 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [cliententity_id, redirecturis] 09:55:43,531 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_feix1pdp92lddt2ou5qa7u2l6] 09:55:43,531 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [ix_cliententity_redirecturis_column] 09:55:43,625 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.ClientEntity_webOrigins 09:55:43,625 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [weborigins, cliententity_id] 09:55:43,626 INFO 
[org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_gh3h7pfhqdulen2dafqy5i4y0] 09:55:43,626 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [ix_cliententity_weborigins_column] 09:55:43,723 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.CredentialEntity 09:55:43,724 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, value, device, user_id, type, salt] 09:55:43,724 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_pn32x46lgmhlaldchhp47wfgj] 09:55:43,725 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__credenti__3213e83fd607e6bd] 09:55:43,821 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.OAuthClientEntity 09:55:43,821 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, realm_id] 09:55:43,821 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_c7p5k3d5mewb3yym9qypp76uj, fk_qlc5yqdm2qs1kpiias2ccx8qw] 09:55:43,821 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__oauthcli__3213e83ffce156ca] 09:55:43,917 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.RealmDefaultRoles 09:55:43,918 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [realmentity_id, defaultroles_id] 09:55:43,918 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_olcemcd95akm5sj17xr8rwrkg, fk_lm3mms6o7y861qvb68sycmkaj] 09:55:43,919 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: 
[ix_realmdefaultroles_column, uk_olcemcd95akm5sj17xr8rwrkg] 09:55:44,022 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.RealmEntity 09:55:44,023 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [rememberme, enabled, publickeypem, accounttheme, passwordpolicy, registrationallowed, centralloginlifespan, notbefore, accesstokenlifespan, resetpasswordallowed, privatekeypem, updateprofileoninitsoclogin, accesscodelifespan, accesscodelifespanuseraction, id, refreshtokenlifespan, logintheme, sslnotrequired, social, name, verifyemail] 09:55:44,023 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [] 09:55:44,024 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__realment__3213e83feb80b4a2] 09:55:44,126 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.RealmEntity_smtpConfig 09:55:44,126 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [realmentity_id, name, value] 09:55:44,127 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_hbtlvt068mnrudm3cf0px691h] 09:55:44,127 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__realment__672db377a990e010] 09:55:44,225 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.RealmEntity_socialConfig 09:55:44,225 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [realmentity_id, name, value] 09:55:44,226 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_18sn19xqpu83b06jv6w8ksvfv] 09:55:44,226 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: 
[pk__realment__672db37711d130f8] 09:55:44,326 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.RequiredCredentialEntity 09:55:44,326 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, input, secret, formlabel, type] 09:55:44,326 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [] 09:55:44,327 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__required__3213e83fc274502a] 09:55:44,444 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.RoleEntity 09:55:44,445 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, realm_id, description, name, dtype] 09:55:44,445 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_2wxhye0e7ejl1swt4ju9buaxw] 09:55:44,446 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__roleenti__3213e83f9783b1ca] 09:55:44,542 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.RoleEntity_RoleEntity 09:55:44,543 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [roleentity_id, compositeroles_id] 09:55:44,543 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_rhas6cbjwjewh3qe1ar3ewv3x, fk_fqxkb97litt72ru58fr1y8v8n] 09:55:44,543 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [ix_roleentity_roleentity_column] 09:55:44,637 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.ScopeMappingEntity 09:55:44,637 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: 
[id, role_id, client_id]
09:55:44,637 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_bkaeyvs28ip6gx4y2h4ij4277, fk_so3wyrspaer7i9it9fr8t9a0o]
09:55:44,638 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__scopemap__3213e83f29ccb440]
09:55:44,732 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.SocialLinkEntity
09:55:44,732 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, socialusername, realm_id, socialprovider, user_id]
09:55:44,734 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_jav76o82ob85iuxm2l0gg904h, fk_of3vi3cc8yo5aavbsq2flfm32]
09:55:44,734 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__socialli__3213e83f99518587]
09:55:44,835 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.UserEntity
09:55:44,837 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, loginname, enabled, realm_id, totp, email, emailverified, lastname, firstname]
09:55:44,837 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_1u1wm7gj4o98kabis6et6klh5]
09:55:44,837 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__userenti__3213e83fb65d69ce]
09:55:44,937 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.UserEntity_CredentialEntity
09:55:44,938 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [credentials_id, userentity_id]
09:55:44,938 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_302t29u9komfu7d7qffci0cie, fk_kwlok0nencsu8kuhwervrn2p5]
09:55:44,939 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [ix_userentity_credentialentity_column, uk_kwlok0nencsu8kuhwervrn2p5]
09:55:45,037 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.UserEntity_attributes
09:55:45,038 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [userentity_id, name, value]
09:55:45,039 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_pv89d7hl2qoyg2dc1b9bupw7l]
09:55:45,039 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__userenti__cbbe5e2fcbbb72d1]
09:55:45,136 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.UserEntity_requiredActions
09:55:45,137 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [userentity_id, requiredactions]
09:55:45,137 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_eclsk6gyvwy477usdcwu8l1mx]
09:55:45,138 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [ix_userentity_requiredactions_column]
09:55:45,232 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.UserRoleMappingEntity
09:55:45,232 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [id, role_id, user_id]
09:55:45,233 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_agpsm5ca3g409ed9l3tn2j2ei, fk_j518aofj2vsvq3uo7qygnx6kn]
09:55:45,234 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [pk__userrole__3213e83f2a2d4194]
09:55:45,332 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000261: Table found: ui_users.dbo.User_RequiredCreds
09:55:45,333 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000037: Columns: [realmentity_id, requiredcredentials_id]
09:55:45,334 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000108: Foreign keys: [fk_anp4huiptj153jqe0muwgsvkf, fk_4vn3690ov78s8nai1fmpgax0m]
09:55:45,334 INFO [org.hibernate.tool.hbm2ddl.TableMetadata] (MSC service thread 1-10) HHH000126: Indexes: [uk_anp4huiptj153jqe0muwgsvkf, ix_user_requiredcreds_column]
09:55:45,337 INFO [org.hibernate.tool.hbm2ddl.SchemaUpdate] (MSC service thread 1-10) HHH000232: Schema update complete
09:55:45,898 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-10) Deploying javax.ws.rs.core.Application: class org.keycloak.server.KeycloakServerApplication
09:55:45,904 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-10) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.server.KeycloakServerApplication
09:55:45,904 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-10) Adding provider class org.keycloak.SkeletonKeyContextResolver from Application class org.keycloak.server.KeycloakServerApplication
09:55:45,905 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-10) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.server.KeycloakServerApplication
09:55:45,905 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-10) Adding singleton resource org.keycloak.services.resources.admin.AdminService from Application class org.keycloak.server.KeycloakServerApplication
09:55:45,905 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-10) Adding singleton resource org.keycloak.services.resources.SocialResource from Application class org.keycloak.server.KeycloakServerApplication
09:55:45,906 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-10) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.server.KeycloakServerApplication
09:55:46,286 INFO [org.wildfly.extension.undertow] (MSC service thread 1-10) JBAS017534: Registered web context: /auth
09:55:46,467 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018559: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
09:56:04,139 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-6) authenticateCookie
09:56:04,143 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-6) authenticateCookie could not find cookie: KEYCLOAK_ADMIN_CONSOLE_IDENTITY
09:56:04,678 INFO [org.keycloak.services.resources.TokenService] (default task-1) TokenService.loginPage
09:56:05,028 INFO [org.keycloak.services.resources.TokenService] (default task-1) Checking cookie...
09:56:05,028 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-1) authenticateIdentityCookie
09:56:05,029 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-1) authenticateIdentityCookie
09:56:05,030 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-1) authenticateCookie could not find cookie: KEYCLOAK_IDENTITY
09:56:05,030 INFO [org.keycloak.services.resources.TokenService] (default task-1) createLogin() now...
09:56:10,033 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-15) createLoginCookie
09:56:10,034 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-15) createIdentityToken
09:56:10,284 INFO [org.keycloak.services.resources.admin.AdminService] (default task-12) loginRedirect ********************** <---
09:56:10,594 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-12) createIdentityToken
09:56:11,351 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-8) authenticateCookie
09:56:11,401 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-8) token verified
09:56:12,864 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-14) authenticateCookie
09:56:12,865 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-9) authenticateCookie
09:56:12,868 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-14) token verified
09:56:12,868 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-9) token verified
09:56:14,202 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-1) authenticateCookie
09:56:14,203 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-4) authenticateCookie
09:56:14,206 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-1) token verified
09:56:14,207 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-4) token verified
09:57:11,895 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-3) authenticateCookie
09:57:11,900 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-3) token verified
09:57:12,171 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-3) createIdentityToken
09:58:12,894 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-6) authenticateCookie
09:58:12,897 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-6) token verified
09:58:13,184 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-6) createIdentityToken
09:59:13,335 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-2) authenticateCookie
09:59:13,339 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-2) token verified
09:59:13,567 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-2) createIdentityToken
10:06:20,809 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-14) SQL Error: 0, SQLState: 08S01
10:06:20,810 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-14) Read timed out
10:06:20,815 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (default task-14) HHH000327: Error performing load command : org.hibernate.exception.JDBCConnectionException: could not prepare statement
10:06:20,822 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /auth/rest/admin/logout: javax.persistence.PersistenceException: unexpected error when rollbacking
    at org.hibernate.jpa.internal.TransactionImpl.rollback(TransactionImpl.java:111) [hibernate-entitymanager-4.3.1.Final.jar:4.3.1.Final]
    at org.keycloak.models.jpa.JpaKeycloakSession.close(JpaKeycloakSession.java:99) [keycloak-model-jpa-1.0-alpha-3-SNAPSHOT.jar:]
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:52) [keycloak-services-1.0-alpha-3-SNAPSHOT.jar:]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_13]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_13]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_13]
Caused by: org.hibernate.TransactionException: rollback failed
    at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.rollback(AbstractTransactionImpl.java:217) [hibernate-core-4.3.1.Final.jar:4.3.1.Final]
    at org.hibernate.jpa.internal.TransactionImpl.rollback(TransactionImpl.java:108) [hibernate-entitymanager-4.3.1.Final.jar:4.3.1.Final]
    ... 28 more
Caused by: java.lang.NullPointerException
    at org.hibernate.engine.transaction.internal.jdbc.JdbcTransaction.doRollback(JdbcTransaction.java:163) [hibernate-core-4.3.1.Final.jar:4.3.1.Final]
    at org.hibernate.engine.transaction.spi.AbstractTransactionImpl.rollback(AbstractTransactionImpl.java:211) [hibernate-core-4.3.1.Final.jar:4.3.1.Final]
    ...
29 more
-------------- next part --------------
A non-text attachment was scrubbed...
Name: persistence.xml
Type: text/xml
Size: 1613 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140314/11107277/attachment-0001.xml

From delkant at gmail.com Sun Mar 16 04:09:38 2014
From: delkant at gmail.com (Rodrigo Del Canto)
Date: Sun, 16 Mar 2014 04:09:38 -0400
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
In-Reply-To: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com>
References: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com>

Hello Stian,

I was testing this today. My problem is that the keycloak.js script assumes that the client application is hosted on an app/web server. I'm trying to build an HTML5-based app for smartphones. So there is no way to use the redirect functionality; I need a way to provide to keycloak a username and password and receive as response the token id.

Do you think that is possible? Is there any example available?

Thanks.

On Mon, Mar 10, 2014 at 10:34 AM, Stian Thorgersen wrote:
> Hi,
>
> We have a JS library, it's available at http://localhost:8080/js/keycloak.js. There's no documentation for it yet, and the example needs a bit of TLC, but the example is customer-app-js and will be included in the alpha3 downloads that are due this week.
>
> A quick overview to get you started:
>
> Keycloak constructor takes a single object with the following properties:
>
> * client_id (required) - the name of the application/client in the admin console
> * client_secret (optional) - not recommended, instead select public client option for your application/client in the admin console
> * realm (required)
> * url (optional) - the base url of the server, if not specified it will infer it from the url of the keycloak.js script
> * onload (optional) - valid options: login-required, check-sso. Login required will redirect to login form when init is called. Check-sso will also redirect to login form, but won't display login form (used to check if user is logged in to the sso realm)
>
> For example:
>
> var keycloak = Keycloak({ client_id: 'myapp', realm: 'myrealm' })
> keycloak.init(function() { alert('authenticated') }, function() { alert('auth failed') } );
>
> Additional methods:
>
> * login - redirect to login form
> * logout - log out
> * hasRealmRole(role) - returns true if user has the realm role
> * hasResourceRole(role, resource) - returns true if user has the role for the specified resource (application)
> * loadUserProfile(success, failure) - loads the profile (in the future profile will be retrieved with IDToken from OpenID Connect spec, so this will probably not be required)
> * onValidAccessToken(success, failure) - invoke methods with a valid token. If the token is expired the refresh token is used to retrieve a new token before invoking the success callback
>
> Once authenticated the following properties are available as well:
>
> * token - base64 encoded token (use this as the value for the 'Authorization' header, for example "XMLHttpRequest.setRequestHeader('Authorization', 'Bearer ' + keycloak.token)")
> * tokenParsed - parsed token
> * authenticated - true if authenticated, false otherwise
> * subject - userId
>
> Please let me know how you get on with it, any feedback would be appreciated.
>
> Cheers,
> Stian
>
>
> ----- Original Message -----
> > From: "Rodrigo Del Canto"
> > To: keycloak-user at lists.jboss.org
> > Sent: Saturday, 8 March, 2014 5:54:44 AM
> > Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
> >
> > Hello guys,
> >
> > Congrats on the release of the project! I think this is the most useful project for developers in the whole history of the internet :D
> >
> > I would like to know if you have any example on how to perform a login from an external JavaScript client?
> >
> > How would you recommend doing this? I heard you have a JS/jQuery lib to do this, where can it be found?
> >
> > Thanks,
> >
> > delkant
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ungarida at gmail.com Sun Mar 16 09:19:46 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Sun, 16 Mar 2014 14:19:46 +0100
Subject: [keycloak-user] Maven compile Alpha 1.3
In-Reply-To: <5322C222.2080509@redhat.com>
References: <5322C222.2080509@redhat.com>

I tried "mvn package" and it works! Thanks.

--
Davide

On Fri, Mar 14, 2014 at 9:47 AM, Marek Posolda wrote:
> Hi Davide,
>
> can you try first to run "mvn clean install" for the whole project and then "mvn war:war" after that?
>
> The point is that "install" will add artifacts to your local maven repo, so they will be able to find dependencies between each other. I think that "compile" is not sufficient as it just compiles classes, but does not create JARs and does not copy them to your local repo.
>
> Good luck,
> Marek
>
>
> On 14.3.2014 01:05, Davide Ungari wrote:
>
> Hi everybody,
> I did a checkout of the 1.0-alpha-3.
> I'm trying to do a "mvn compile war:war" and it fails for:
>
> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project keycloak-model-api: Compilation failure: Compilation failure:
> [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[14,24] error: package org.keycloak.util does not exist
> [ERROR]
> [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[35,23] error: cannot find symbol
> [ERROR]
> [ERROR] class KeycloakModelUtils
> [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[47,23] error: cannot find symbol
> [ERROR]
> [ERROR] class KeycloakModelUtils
> [ERROR] /home/davide/projects/keycloak/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java:[65,15] error: cannot find symbol
> [ERROR] -> [Help 1]
> [ERROR]
>
> Any help?
>
> --
> Davide
>

From ungarida at gmail.com Sun Mar 16 09:25:21 2014
From: ungarida at gmail.com (Davide Ungari)
Date: Sun, 16 Mar 2014 14:25:21 +0100
Subject: [keycloak-user] Tomcat / Jetty adapter

Hi everybody,
I'm evaluating keycloak to be adopted in one of my projects.

At the moment I'm very satisfied, but I cannot manage the dependency on JBoss.

In our infrastructure we use tomcat and jetty. As you know it is not only a technical issue; for example our team members have a lot of experience on tomcat and few of them barely know jboss.

Are there any adapters for tomcat? Or even any documentation to write our adapter?

--
Davide

From stian at redhat.com Mon Mar 17 05:24:34 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 17 Mar 2014 05:24:34 -0400 (EDT)
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
References: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com>
Message-ID: <1215629611.443087.1395048274078.JavaMail.zimbra@redhat.com>

Hi,

Are you referring to a packaged HTML5-based app for smartphones (and not one that is accessed through the smartphone's browser)?

There are several ways available to use Keycloak from a packaged/installed app:

* Register a custom URI scheme for the application (something like myapp://oauth-callback) - recommended for a native app (our not yet released iOS and Android adapters will use this approach)
* Start a temporary web server on http://localhost on any available port - installed app on a desktop (our cli example uses this approach)
* Use a child window to open the login form (our not yet released Cordova/PhoneGap adapter will use this approach)

If you are using PhoneGap/Cordova the adapter should be ready soon. It won't be "released" until early May, but will also work with alpha3. If you're using another technology for your packaged HTML5 apps, let me know what you're using and I can give you some hints (it should just require a few minor changes to the PhoneGap/Cordova adapter).

----- Original Message -----
> From: "Rodrigo Del Canto"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Sunday, 16 March, 2014 8:09:38 AM
> Subject: Re: [keycloak-user] External JS AJAX client for jax-rs backend API
>
> Hello Stian,
>
> I was testing this today.
> My problem is that the keycloak.js script assumes that the client application is hosted on an app/web server. I'm trying to build an HTML5-based app for smartphones. So there is no way to use the redirect functionality; I need a way to provide to keycloak a username and password and receive as response the token id.
>
> Do you think that is possible? Is there any example available?
>
> Thanks.
>
>
> On Mon, Mar 10, 2014 at 10:34 AM, Stian Thorgersen wrote:
>
> > Hi,
> >
> > We have a JS library, it's available at http://localhost:8080/js/keycloak.js. There's no documentation for it yet, and the example needs a bit of TLC, but the example is customer-app-js and will be included in the alpha3 downloads that are due this week.
> >
> > A quick overview to get you started:
> >
> > Keycloak constructor takes a single object with the following properties:
> >
> > * client_id (required) - the name of the application/client in the admin console
> > * client_secret (optional) - not recommended, instead select public client option for your application/client in the admin console
> > * realm (required)
> > * url (optional) - the base url of the server, if not specified it will infer it from the url of the keycloak.js script
> > * onload (optional) - valid options: login-required, check-sso. Login required will redirect to login form when init is called. Check-sso will also redirect to login form, but won't display login form (used to check if user is logged in to the sso realm)
> >
> > For example:
> >
> > var keycloak = Keycloak({ client_id: 'myapp', realm: 'myrealm' })
> > keycloak.init(function() { alert('authenticated') }, function() { alert('auth failed') } );
> >
> > Additional methods:
> >
> > * login - redirect to login form
> > * logout - log out
> > * hasRealmRole(role) - returns true if user has the realm role
> > * hasResourceRole(role, resource) - returns true if user has the role for the specified resource (application)
> > * loadUserProfile(success, failure) - loads the profile (in the future profile will be retrieved with IDToken from OpenID Connect spec, so this will probably not be required)
> > * onValidAccessToken(success, failure) - invoke methods with a valid token. If the token is expired the refresh token is used to retrieve a new token before invoking the success callback
> >
> > Once authenticated the following properties are available as well:
> >
> > * token - base64 encoded token (use this as the value for the 'Authorization' header, for example "XMLHttpRequest.setRequestHeader('Authorization', 'Bearer ' + keycloak.token)")
> > * tokenParsed - parsed token
> > * authenticated - true if authenticated, false otherwise
> > * subject - userId
> >
> > Please let me know how you get on with it, any feedback would be appreciated.
> >
> > Cheers,
> > Stian
> >
> >
> > ----- Original Message -----
> > > From: "Rodrigo Del Canto"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Saturday, 8 March, 2014 5:54:44 AM
> > > Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
> > >
> > > Hello guys,
> > >
> > > Congrats on the release of the project! I think this is the most useful project for developers in the whole history of the internet :D
> > >
> > > I would like to know if you have any example on how to perform a login from an external JavaScript client?
> > >
> > > How would you recommend doing this? I heard you have a JS/jQuery lib to do this, where can it be found?
> > >
> > > Thanks,
> > >
> > > delkant
> > >

From stian at redhat.com Mon Mar 17 07:48:21 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 17 Mar 2014 07:48:21 -0400 (EDT)
Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors
References: <348909436.27341792.1394787204800.JavaMail.zimbra@redhat.com>
Message-ID: <194814012.500162.1395056901694.JavaMail.zimbra@redhat.com>

A datasource is a managed connection provided by the container and provides connection pooling, so you don't need to configure connection pooling in persistence.xml.

I think your issues are not directly related to Keycloak, but have something to do with how the datasource is configured and/or the JDBC driver. The 'Read timed out' error suggests to me that you may be receiving an expired connection from the datasource/connection pool.

It should be 'non-jta-data-source', but that won't make any difference as even though JPA is asking for a JTA capable datasource it doesn't use JTA transactions.

----- Original Message -----
> From: "Dean Peterson"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 14 March, 2014 4:26:52 PM
> Subject: Re: [keycloak-user] Trying to use JTA transactions for JPA causes errors
>
> That makes sense. I do not necessarily need JTA transactions for keycloak but I am experiencing the error you can see in the keycloak-log.txt constantly.
> Without fail, that error occurs when I let keycloak sit idle for about 5 minutes or so.
>
> It would be nice to let the container manage connections and transactions to Keycloak still. Without that, I am fairly certain a production environment needs something like c3p0 or DBCP (Apache Database Connection Pooling) to make the connections to the database stable. What are your thoughts? I will try using c3p0 today to see if that fixes the problem in the attached log. Also, should the jta-data-source tag in the persistence.xml be changed to non-jta-data-source? The keycloak-server persistence.xml comes with the jta-data-source tag out of the box. I did try changing it to non-jta-data-source and I still get the same errors, so that is not the cause of my problem.
>
> Thanks,
>
> Dean
>
>
> On Fri, Mar 14, 2014 at 3:53 AM, Stian Thorgersen wrote:
>
> > Keycloak has been designed to work in multiple environments, not just JavaEE. That's why container managed transactions are not used. JTA transactions are not required either as there's a single database, hence no need for distributed transactions.
> >
> > Can you provide me with some more information about the errors you are seeing? Including the server log, persistence.xml, etc. It should work perfectly well with resource local transactions.
> >
> > If you have a real requirement for using a JTA data-source we can certainly look into supporting that.
> >
> > ----- Original Message -----
> > > From: "Dean Peterson"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 13 March, 2014 6:40:23 PM
> > > Subject: [keycloak-user] Trying to use JTA transactions for JPA causes errors
> > >
> > > I get transaction rollback errors frequently. Every time I leave the application idle for a few minutes and come back, the system has transaction errors. I have to refresh multiple times for the keycloak admin-ui to start responding again. I realized my settings were using local database transactions and that does not work well. I am using JBOSS and J2EE so I definitely want to use the container managed transactions. I switched the settings in my management console and changed my persistence.xml to this:
> > >
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd"
> > > version="1.0">
> > > transaction-type="JTA">
> > > java:jboss/datasources/ui_users
> > > org.keycloak.models.jpa.entities.ApplicationEntity
> > > org.keycloak.models.jpa.entities.CredentialEntity
> > > org.keycloak.models.jpa.entities.OAuthClientEntity
> > > org.keycloak.models.jpa.entities.RealmEntity
> > > org.keycloak.models.jpa.entities.RequiredCredentialEntity
> > > org.keycloak.models.jpa.entities.ApplicationRoleEntity
> > > org.keycloak.models.jpa.entities.RealmRoleEntity
> > > org.keycloak.models.jpa.entities.SocialLinkEntity
> > > org.keycloak.models.jpa.entities.UserEntity
> > > org.keycloak.models.jpa.entities.UserRoleMappingEntity
> > > org.keycloak.models.jpa.entities.ScopeMappingEntity
> > >
> > > true
> > >
> > > value="org.hibernate.dialect.SQLServer2008Dialect"/>
> > >
> > > Now when I start the server I get the following error:
> > >
> > > java.lang.NullPointerException
> > > at org.hibernate.engine.transaction.internal.jta.JtaStatusHelper.getStatus(JtaStatusHelper.java:76)
> > > at
> > > .
> > > .
> > > .
> > > org.keycloak.models.jpa.JpaKeycloakSessionFactory.createSession(JpaKeycloakSessionFactory.java:21)
> > > at
> > > .
> > > .
> > > .
> > > jboss.undertow.deployment.default-server.default-host./auth: Failed to start service
> > > Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.server.KeycloakServerApplication(javax.servlet.ServletContext) throws java.io.FileNotFoundException
> > >
> > > Any ideas why this is happening?
> > >
> > > Thanks,
> > >
> > > Dean Peterson
> > >

From bburke at redhat.com Mon Mar 17 09:13:22 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 17 Mar 2014 09:13:22 -0400
Subject: [keycloak-user] Tomcat / Jetty adapter
Message-ID: <5326F4F2.50901@redhat.com>

We're probably not going to tackle new adapters until June. It would be really cool if a community contributor could pick it up before then though. I could walk you through things if you want to do it: take a look at the as7-eap adapter. AS7/EAP uses JBossWeb, which is a derivative of Tomcat.

As for the server itself? It could probably be made to run under Tomcat or Jetty fairly easily, but again, this is just time I don't have right now.

On 3/16/2014 9:25 AM, Davide Ungari wrote:
> Hi everybody,
> I'm evaluating keycloak to be adopted in one of my projects.
>
> At the moment I'm very satisfied, but I cannot manage the dependency on JBoss.
>
> In our infrastructure we use tomcat and jetty. As you know it is not only a technical issue; for example our team members have a lot of experience on tomcat and few of them barely know jboss.
>
> Are there any adapters for tomcat? Or even any documentation to write our adapter?
>
> --
> Davide
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From delkant at gmail.com Mon Mar 17 09:51:14 2014
From: delkant at gmail.com (Rodrigo Del Canto)
Date: Mon, 17 Mar 2014 09:51:14 -0400
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
In-Reply-To: <1215629611.443087.1395048274078.JavaMail.zimbra@redhat.com>
References: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com> <1215629611.443087.1395048274078.JavaMail.zimbra@redhat.com>

Hi Stian,

I'm sorry for the lack of information. Yes, you are right, I was talking about a packaged/installed app, and yes, it is Cordova.

* Use a child window to open the login form (our not yet released Cordova/PhoneGap adapter will use this approach)

If I open a child window for the login form I will need a callback page/script hosted on the server to process the response back from keycloak, right? Could you give me some ideas on how to handle this?

Thanks again,

On Mon, Mar 17, 2014 at 5:24 AM, Stian Thorgersen wrote:
> Hi,
>
> Are you referring to a packaged HTML5-based app for smartphones (and not one that is accessed through the smartphone's browser)?
>
> There are several ways available to use Keycloak from a packaged/installed app:
>
> * Register a custom URI scheme for the application (something like myapp://oauth-callback) - recommended for a native app (our not yet released iOS and Android adapters will use this approach)
> * Start a temporary web server on http://localhost on any available port - installed app on a desktop (our cli example uses this approach)
> * Use a child window to open the login form (our not yet released Cordova/PhoneGap adapter will use this approach)
>
> If you are using PhoneGap/Cordova the adapter should be ready soon. It won't be "released" until early May, but will also work with alpha3. If you're using another technology for your packaged HTML5 apps, let me know what you're using and I can give you some hints (it should just require a few minor changes to the PhoneGap/Cordova adapter).
>
> ----- Original Message -----
> > From: "Rodrigo Del Canto"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Sunday, 16 March, 2014 8:09:38 AM
> > Subject: Re: [keycloak-user] External JS AJAX client for jax-rs backend API
> >
> > Hello Stian,
> >
> > I was testing this today. My problem is that the keycloak.js script assumes that the client application is hosted on an app/web server. I'm trying to build an HTML5-based app for smartphones. So there is no way to use the redirect functionality; I need a way to provide to keycloak a username and password and receive as response the token id.
> >
> > Do you think that is possible? Is there any example available?
> >
> > Thanks.
> >
> >
> > On Mon, Mar 10, 2014 at 10:34 AM, Stian Thorgersen wrote:
> >
> > > Hi,
> > >
> > > We have a JS library, it's available at http://localhost:8080/js/keycloak.js. There's no documentation for it yet, and the example needs a bit of TLC, but the example is customer-app-js and will be included in the alpha3 downloads that are due this week.
> > >
> > > A quick overview to get you started:
> > >
> > > Keycloak constructor takes a single object with the following properties:
> > >
> > > * client_id (required) - the name of the application/client in the admin console
> > > * client_secret (optional) - not recommended, instead select public client option for your application/client in the admin console
> > > * realm (required)
> > > * url (optional) - the base url of the server, if not specified it will infer it from the url of the keycloak.js script
> > > * onload (optional) - valid options: login-required, check-sso. Login required will redirect to login form when init is called. Check-sso will also redirect to login form, but won't display login form (used to check if user is logged in to the sso realm)
> > >
> > > For example:
> > >
> > > var keycloak = Keycloak({ client_id: 'myapp', realm: 'myrealm' })
> > > keycloak.init(function() { alert('authenticated') }, function() { alert('auth failed') } );
> > >
> > > Additional methods:
> > >
> > > * login - redirect to login form
> > > * logout - log out
> > > * hasRealmRole(role) - returns true if user has the realm role
> > > * hasResourceRole(role, resource) - returns true if user has the role for the specified resource (application)
> > > * loadUserProfile(success, failure) - loads the profile (in the future profile will be retrieved with IDToken from OpenID Connect spec, so this will probably not be required)
> > > * onValidAccessToken(success, failure) - invoke methods with a valid token.
If the token is expired the refresh token is used to retrieve a > new > > > token before invoking the success callback > > > > > > Once authenticated the following properties are available as well: > > > > > > * token - base64 encoded token (use this as the value for the > > > 'Authorization' header, for example > > > "xMLHttpRequest.setRequestHeader('Authorization', 'Bearer ' + > > > keycloak.token)") > > > * tokenParsed - parsed token > > > * authenticated - true if authenticated, false otherwise > > > * subject - userId > > > > > > Please let me know how you get on with it, any feedback would be > > > appreciated. > > > > > > Cheers, > > > Stian > > > > > > > > > ----- Original Message ----- > > > > From: "Rodrigo Del Canto" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Saturday, 8 March, 2014 5:54:44 AM > > > > Subject: [keycloak-user] External JS AJAX client for jax-rs backend > API > > > > > > > > Hello guys, > > > > > > > > Congrats on the release of project! I think this is the most useful > > > project > > > > for developers in the whole history of internet :D > > > > > > > > I would like to know if you have any example on how to perform a > login > > > from > > > > an external JavaScript client? > > > > > > > > How would you recommend to do this. I heard you have a JS/jQuery lib > to > > > do > > > > this, where can it be found? > > > > > > > > Thanks, > > > > > > > > delkant > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140317/6c4812d3/attachment.html

From peterson.dean at gmail.com Mon Mar 17 10:02:53 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 17 Mar 2014 09:02:53 -0500
Subject: [keycloak-user] I think I know the cause of my JPA transaction errors
Message-ID:

I have mentioned it before but I am trying to get things to work using an Azure MS-SQL database. Yes, I remember being told you will not support that. Just in case it will spark some ideas I want to mention that I found Azure closes database connections after one minute and end users have no control over that:
http://blogs.msdn.com/b/avkashchauhan/archive/2011/11/12/windows-azure-load-balancer-timeout-details.aspx

This is the behavior I am seeing. I log in, let the application sit until I am automatically logged out and I always get this timeout error (sql error: 0, SQLState: 08S01) when the JpaKeycloakSession.close() method is called. I will probably have to switch to a local database.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140317/8a8973f0/attachment.html

From stian at redhat.com Mon Mar 17 10:04:59 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 17 Mar 2014 10:04:59 -0400 (EDT)
Subject: [keycloak-user] External JS AJAX client for jax-rs backend API
In-Reply-To:
References: <2037553391.24122544.1394462046005.JavaMail.zimbra@redhat.com> <1215629611.443087.1395048274078.JavaMail.zimbra@redhat.com>
Message-ID: <1807643376.621513.1395065099287.JavaMail.zimbra@redhat.com>

I'm in the process of refining keycloak.js as well as creating a JS library for Cordova/Phonegap. Should be ready in a day or two.

Basically how it works is that it listens for events for when the url changes in the child window; if it's an OAuth2 callback it extracts the code/error/state query params and closes the window. The window is closed before displaying the page, so you can use http://localhost even without a web server listening on localhost and the 'page not found' won't be displayed.

With the ChildBrowser plugin something along the lines of this will work:

    var keycloak = new Keycloak(...);
    var loginUrl = keycloak.createLoginUrl();

    // holder for the callback result, shared with the location-change handler
    window.oauth = window.oauth || {};

    window.plugins.ChildBrowser.onLocationChange = function (url) {
        // only the first callback is processed
        if (window.oauth.callback) {
            return;
        }
        var code = /code=([^&]+)/.exec(url);
        var error = /error=([^&]+)/.exec(url);
        var state = /state=([^&]+)/.exec(url);
        if (code || error) {
            if (code && state) {
                window.oauth.code = code[1];
                window.oauth.state = state[1];
                window.oauth.callback = true;
            } else if (error && state) {
                window.oauth.error = error[1];
                window.oauth.state = state[1];
                window.oauth.callback = true;
            }
            // close before the callback page renders, so no 'page not found' is shown
            window.plugins.ChildBrowser.close();
        }
    }

    window.plugins.ChildBrowser.showWebPage(loginUrl, { showLocationBar: false });

----- Original Message -----
> From: "Rodrigo Del Canto"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 17 March, 2014 1:51:14 PM
> Subject: Re: [keycloak-user] External JS AJAX client for jax-rs backend API
>
> Hi Stian,
>
> I'm sorry for the lack of information. Yes you are right I was talking
> about a packaged/installed app and yes it is Cordova.
>
> > * Use a child window to open the login form (our not yet released
> Cordova/PhoneGap adapter will use this approach)
>
> If I open a child window for the login form I will need a callback
> page/script hosted on the server to process the response back from
> keycloak, right? could you give me some ideas on how to handle this?
>
> Thanks again,
>
>
>
>
> On Mon, Mar 17, 2014 at 5:24 AM, Stian Thorgersen wrote:
>
> > Hi,
> >
> > Are you referring to a packaged html5 based app for smartphones (and not
> > one that is accessed through the smartphone's browser)?
> > > > There are several ways available to use Keycloak from a packaged/installed > > app: > > > > * Register a custom URI schema for the application (something like > > myapp://oauth-callback) - recommended for a native app (our not yet > > released iOS and Android adapters will use this approach) > > * Start a temporary web server on http://localhost on any available port > > - installed app on a desktop (our cli example uses this approach) > > * Use a child window to open the login form (our not yet released > > Cordova/PhoneGap adapter will use this approach) > > > > If you are using PhoneGap/Cordova the adapter should be ready soon. It > > won't be "released" until early May, but will also work with alpha3. If > > you're using another technology for your packaged html5 apps, let me know > > what you're using and I can give you some hints (it should just require a > > few minor changes to the PhoneGap/Cordova adapter). > > > > ----- Original Message ----- > > > From: "Rodrigo Del Canto" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Sunday, 16 March, 2014 8:09:38 AM > > > Subject: Re: [keycloak-user] External JS AJAX client for jax-rs backend > > API > > > > > > Hello Stian, > > > > > > I was testing this today. My problem is that the keycloak.js script > > assumes > > > that the client application is hosted in a app/web server. I'm trying to > > > build a html 5 based app for smartphones. So there is no way to use the > > > redirect functionality, I need a way to provide to keycloak a username > > and > > > password and receive as response the token id. > > > > > > Do you think that is possible? Is there any example available. > > > > > > Thanks. > > > > > > > > > On Mon, Mar 10, 2014 at 10:34 AM, Stian Thorgersen > > wrote: > > > > > > > Hi, > > > > > > > > We have a JS library, it's available at > > > > http://localhost:8080/js/keycloak.js. 
There's no documentation for it > > > > yet, and the example needs a bit of TLC, but the example is > > customer-app-js > > > > and will be included in the alpha3 downloads that is due this week. > > > > > > > > A quick overview to get you started: > > > > > > > > Keycloak constructor takes a single object with the following > > properties: > > > > > > > > * client_id (required) - the name of the application/client in the > > admin > > > > console > > > > * client_secret (optional) - not recommended, instead select public > > client > > > > option for your application/client in the admin console > > > > * realm (required) > > > > * url (optional) - the base url of the server, if not specified it will > > > > infer it from the url of the keycloak.js script > > > > * onload (optional) - valid options: login-required, check-sso. Login > > > > required will redirect to login form when init is called. Check-sso > > will > > > > also redirect to login form, but won't display login form (used to > > check if > > > > user is logged into to sso realm) > > > > > > > > For example: > > > > > > > > var keycloak = Keycloak({ client_id: 'myapp', realm: 'myrealm' }) > > > > keycloak.init(function() { alert('authenticated') }, function() { > > > > alert('auth failed') } ); > > > > > > > > Addition methods: > > > > > > > > * login - redirect to login form > > > > * logout - log out > > > > * hasRealmRole(role) - returns true if user has the realm role > > > > * hasResourceRole(role, resource) - return true if user has the role > > for > > > > the specified resource (application) > > > > * loadUserProfile(success, failure) - loads the profile (in the future > > > > profile will be retrieved with IDToken from OpenID Connect spec, so > > this > > > > will probably not be required) > > > > * onValidAccessToken(success, failure) - invoke methods with a valid > > > > token. 
If the token is expired the refresh token is used to retrieve a > > new > > > > token before invoking the success callback > > > > > > > > Once authenticated the following properties are available as well: > > > > > > > > * token - base64 encoded token (use this as the value for the > > > > 'Authorization' header, for example > > > > "xMLHttpRequest.setRequestHeader('Authorization', 'Bearer ' + > > > > keycloak.token)") > > > > * tokenParsed - parsed token > > > > * authenticated - true if authenticated, false otherwise > > > > * subject - userId > > > > > > > > Please let me know how you get on with it, any feedback would be > > > > appreciated. > > > > > > > > Cheers, > > > > Stian > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Rodrigo Del Canto" > > > > > To: keycloak-user at lists.jboss.org > > > > > Sent: Saturday, 8 March, 2014 5:54:44 AM > > > > > Subject: [keycloak-user] External JS AJAX client for jax-rs backend > > API > > > > > > > > > > Hello guys, > > > > > > > > > > Congrats on the release of project! I think this is the most useful > > > > project > > > > > for developers in the whole history of internet :D > > > > > > > > > > I would like to know if you have any example on how to perform a > > login > > > > from > > > > > an external JavaScript client? > > > > > > > > > > How would you recommend to do this. I heard you have a JS/jQuery lib > > to > > > > do > > > > > this, where can it be found? 
> > > > > > > > > > Thanks, > > > > > > > > > > delkant > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > From bburke at redhat.com Mon Mar 17 10:15:47 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 17 Mar 2014 10:15:47 -0400 Subject: [keycloak-user] I think I know the cause of my JPA transaction errors In-Reply-To: References: Message-ID: <53270393.1060200@redhat.com> You can set an idle timeout for pooled connections: http://www.ironjacamar.org/doc/userguide/1.1/en-US/html_single/index.html#ds12 On 3/17/2014 10:02 AM, Dean Peterson wrote: > I have mentioned it before but I am trying to get things to work using > an Azure MS-SQL database. Yes, I remember being told you will not > support that. Just in case it will spark some ideas I want to mention > that I found Azure closes database connections after one minute and end > users have no control over that: > http://blogs.msdn.com/b/avkashchauhan/archive/2011/11/12/windows-azure-load-balancer-timeout-details.aspx > > This is the behavior I am seeing. I log in, let the application sit > until I am automatically logged out and I always get this timeout error > (sql error: 0, SQLState: 08S01) when the JpaKeycloakSession.close() > method is called. I will probably have to switch to a local database. 
> > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Mon Mar 17 10:19:19 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 17 Mar 2014 10:19:19 -0400 (EDT) Subject: [keycloak-user] I think I know the cause of my JPA transaction errors In-Reply-To: References: Message-ID: <1881022041.641510.1395065959947.JavaMail.zimbra@redhat.com> You should still be able to use Azure, you just need to configure your datasource to do validation, or to timeout idle connections. Have a look at: https://docs.jboss.org/author/display/WFLY8/DataSource+configuration http://www.ironjacamar.org/doc/userguide/1.1/en-US/html_single/index.html#deployingds_descriptor https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/Example_Microsoft_SQLServer_Datasource1.html ----- Original Message ----- > From: "Dean Peterson" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, 17 March, 2014 2:02:53 PM > Subject: I think I know the cause of my JPA transaction errors > > I have mentioned it before but I am trying to get things to work using an > Azure MS-SQL database. Yes, I remember being told you will not support > that. Just in case it will spark some ideas I want to mention that I found > Azure closes database connections after one minute and end users have no > control over that: > http://blogs.msdn.com/b/avkashchauhan/archive/2011/11/12/windows-azure-load-balancer-timeout-details.aspx > > This is the behavior I am seeing. I log in, let the application sit until > I am automatically logged out and I always get this timeout error (sql > error: 0, SQLState: 08S01) when the JpaKeycloakSession.close() method is > called. 
I will probably have to switch to a local database. > > > > > > From peterson.dean at gmail.com Mon Mar 17 14:10:03 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Mon, 17 Mar 2014 13:10:03 -0500 Subject: [keycloak-user] That did the trick (JPA transaction errors) Message-ID: Setting the idle timeout to 1 minute worked. On Mon, Mar 17, 2014 at 9:19 AM, Stian Thorgersen wrote: > You should still be able to use Azure, you just need to configure your > datasource to do validation, or to timeout idle connections. > > Have a look at: > > https://docs.jboss.org/author/display/WFLY8/DataSource+configuration > > http://www.ironjacamar.org/doc/userguide/1.1/en-US/html_single/index.html#deployingds_descriptor > > https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/Example_Microsoft_SQLServer_Datasource1.html > > ----- Original Message ----- > > From: "Dean Peterson" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Monday, 17 March, 2014 2:02:53 PM > > Subject: I think I know the cause of my JPA transaction errors > > > > I have mentioned it before but I am trying to get things to work using an > > Azure MS-SQL database. Yes, I remember being told you will not support > > that. Just in case it will spark some ideas I want to mention that I > found > > Azure closes database connections after one minute and end users have no > > control over that: > > > http://blogs.msdn.com/b/avkashchauhan/archive/2011/11/12/windows-azure-load-balancer-timeout-details.aspx > > > > This is the behavior I am seeing. I log in, let the application sit > until > > I am automatically logged out and I always get this timeout error (sql > > error: 0, SQLState: 08S01) when the JpaKeycloakSession.close() method is > > called. I will probably have to switch to a local database. > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140317/f6aa6fc8/attachment.html From ungarida at gmail.com Tue Mar 18 17:48:27 2014 From: ungarida at gmail.com (Davide Ungari) Date: Tue, 18 Mar 2014 22:48:27 +0100 Subject: [keycloak-user] Tomcat / Jetty adapter Message-ID: I will take a look at the as7-eap adapter this weekend. As I will star development I will inform you on the developers list. -- -- Davide -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140318/979ef255/attachment.html From peterson.dean at gmail.com Thu Mar 20 11:33:24 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Thu, 20 Mar 2014 10:33:24 -0500 Subject: [keycloak-user] Spring Keycloak Security integration? (I can't go back) Message-ID: I am currently using Keycloak for a proof of concept at my job working on the unemployment insurance application for the State of MN. I love it, it is great. There I am using Wildfly and everything is easy. However, every second of my free time is spent writing www.metroseattlegamers.com (soon to be abecorn.com). I have been working on that a long time. It is three separate Spring applications tied together with REST and spring security for single sign on. The main site is an oauth2 authorization provider; I use a combination of spring social, spring oauth/oauth 2 to let users share credentials between the apps of the site. I spend a lot of time just keeping it all straight. I very much want to use Keycloak for my own Spring project too. Any suggestions how I might get that to work? Do you have plans to make Keycloak compatible with Spring applications running on Tomcat? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140320/553d96a6/attachment.html From bburke at redhat.com Fri Mar 21 08:28:19 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 21 Mar 2014 08:28:19 -0400 Subject: [keycloak-user] Spring Keycloak Security integration? (I can't go back) In-Reply-To: References: Message-ID: <532C3063.7090006@redhat.com> I'd really like to get some sort of Spring security plugin. We're probably a few months away from being able to look into that though. It would be great if somebody in the community could take a look...hint hint... ;) On 3/20/2014 11:33 AM, Dean Peterson wrote: > I am currently using Keycloak for a proof of concept at my job working > on the unemployment insurance application for the State of MN. I love > it, it is great. There I am using Wildfly and everything is easy. > However, every second of my free time is spent writing > www.metroseattlegamers.com (soon to > be abecorn.com ). I have been working on that a > long time. It is three separate Spring applications tied together with > REST and spring security for single sign on. The main site is an oauth2 > authorization provider; I use a combination of spring social, spring > oauth/oauth 2 to let users share credentials between the apps of the > site. I spend a lot of time just keeping it all straight. I very much > want to use Keycloak for my own Spring project too. Any suggestions how > I might get that to work? Do you have plans to make Keycloak compatible > with Spring applications running on Tomcat? 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Mon Mar 24 17:10:37 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Mon, 24 Mar 2014 16:10:37 -0500 Subject: [keycloak-user] Logging out Message-ID: Logging out seems unnecessarily complicated. I need to have a management url located in my application? I use KeycloakUriBuilder to build the logout url and end up in the logoutApplication method of ResourceAdminManager. That is where I am at a loss. The application is expecting I have something in my app with a path that contains "k_logout". What should happen at that location? What code goes in the REST service at that location on my end? Also, if I do not fill out the "Admin" url inside keycloak, the managementUrl parameter comes back as an empty string instead of null. That causes an error because the if statement in the logoutApplication method only checks for null. Thanks, Dean -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140324/59934b83/attachment.html From bburke at redhat.com Mon Mar 24 17:16:31 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 24 Mar 2014 17:16:31 -0400 Subject: [keycloak-user] Logging out In-Reply-To: References: Message-ID: <5330A0AF.5050703@redhat.com> On 3/24/2014 5:10 PM, Dean Peterson wrote: > Logging out seems unnecessarily complicated. I need to have a > management url located in my application? > How else would we do it? We have to: 1. Reset the realm's login cookie at the keycloak server's domain 2. Invalidate each login session of each logged in application #1 requires a redirect to the keycloak server. For #2 we invoke k_logout on each managementUrl which invalidates the HttpSession. 
> I use KeycloakUriBuilder to build the logout url and end up in the > logoutApplication method of ResourceAdminManager. That is where I am at > a loss. The application is expecting I have something in my app with a > path that contains "k_logout". What should happen at that location? > What code goes in the REST service at that location on my end? > > Also, if I do not fill out the "Admin" url inside keycloak, the > managementUrl parameter comes back as an empty string instead of null. > That causes an error because the if statement in the logoutApplication > method only checks for null. > Keycloak server should check for empty string for managementUrl. That is a bug. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From peterson.dean at gmail.com Mon Mar 24 17:58:24 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Mon, 24 Mar 2014 16:58:24 -0500 Subject: [keycloak-user] Logging out Message-ID: I used a different e-mail and my previous post did not get through. Ok, that makes sense. I am still trying to figure out how k_logout should work on my end. I do have the keycloak modules installed on the server running my app. However, I still get a value of false in logoutApplication: Response response = client.target(managementUrl).path(AdapterConstants. *K_LOGOUT*).request().post(Entity.*text*(token)); *boolean* success = response.getStatus() == 204; The success Boolean is false. I set the Admin url to some path with "admin" but I do not have a REST service at any location for .../admin/.../k_logout. Am I supposed to do something on my end or should the keycloak modules have automatically set something up that understands how to handle a request to something like .../admin/.../k_logout? I just would have liked to make all of this a bit easier. 
Why can't I create some REST service on my end that calls something like: KeycloakSecurityContext.logout(); Under the covers KeycloakSecurityContext.logout() builds the logout uri, sends the request to the keycloak server and finally logs me out of the local application? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140324/1d716f30/attachment-0001.html From peterson.dean at gmail.com Tue Mar 25 14:29:34 2014 From: peterson.dean at gmail.com (Dean Peterson) Date: Tue, 25 Mar 2014 13:29:34 -0500 Subject: [keycloak-user] Figured out Logging out Message-ID: When I entered the Admin URL I used a localhost url. I have my test app on a separate machine from the keycloak server I have running. My redirect urls all have localhost and that is fine because I am using my app on the machine it is running on and a localhost redirect is ok when the redirect happens on my end. It was intuitive for me to put localhost in the admin url too because the redirect urls and the admin url are all entered on the same page. When I log out, the keycloak server makes a request on its end using the management url. Of course that fails because localhost refers to the keycloak server in that case and not my application. So, long story short, stupid user error. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140325/4c3c2408/attachment.html From xuantoan.nguyen at vtc.vn Wed Mar 26 04:24:58 2014 From: xuantoan.nguyen at vtc.vn (Toan Nguyen Xuan) Date: Wed, 26 Mar 2014 15:24:58 +0700 Subject: [keycloak-user] token expired exception Message-ID: <000601cf48cc$e259d4e0$a70d7ea0$@vtc.vn> Hi you, I just use keycloak for authen application to access my resource, but I don't know control token key life time. One app will not access my resource when token key is expired, this app does not know when reinit token key. 
I want to catch Token key expired to return apps. Please help me.

Have any extend keycloak library? Goal of Keycloak is very good, I like this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140326/03676008/attachment.html

From stian at redhat.com Wed Mar 26 05:19:39 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 26 Mar 2014 05:19:39 -0400 (EDT)
Subject: [keycloak-user] token expired exception
In-Reply-To: <000601cf48cc$e259d4e0$a70d7ea0$@vtc.vn>
References: <000601cf48cc$e259d4e0$a70d7ea0$@vtc.vn>
Message-ID: <529013826.675789.1395825579143.JavaMail.zimbra@redhat.com>

Are you using one of our adapters?

The token expiration can be controlled through the admin console, but generally a token should have a relatively short expiration (5-10 min). Then you have a refresh token with a long expiration (days) that can be used to retrieve a new token. Prior to doing a request you should check the expiration time and retrieve a new token if needed.

----- Original Message -----
> From: "Toan Nguyen Xuan"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 26 March, 2014 8:24:58 AM
> Subject: [keycloak-user] token expired exception
>
>
>
> Hi you,
>
> I just use keycloak for authen application to access my resource, but I don't
> know control token key life time. One app will not access my resource when
> token key is expired, this app does not know when reinit token key. I want
> to catch Token key expired to return apps. Please help me.
>
> Have any extend keycloak library? Goal of Keycloak is very good, I like this.
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From xuantoan.nguyen at vtc.vn Wed Mar 26 23:11:11 2014 From: xuantoan.nguyen at vtc.vn (Toan Nguyen Xuan) Date: Thu, 27 Mar 2014 10:11:11 +0700 Subject: [keycloak-user] token expired exception In-Reply-To: <529013826.675789.1395825579143.JavaMail.zimbra@redhat.com> References: <000601cf48cc$e259d4e0$a70d7ea0$@vtc.vn> <529013826.675789.1395825579143.JavaMail.zimbra@redhat.com> Message-ID: <000001cf496a$34a519b0$9def4d10$@vtc.vn> Hi, The current I have not try keycloak with my project. I try reseasy 3.0.6 that has simple oauth2 implement and I can't control expired key in my project. Can you show me how to solve this problem by using keyloak? I install keycloak successfully but I don't know start where. If this is solved I will use keycloak in my project. Many thanks before. -----Original Message----- From: Stian Thorgersen [mailto:stian at redhat.com] Sent: Wednesday, March 26, 2014 4:20 PM To: Toan Nguyen Xuan Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] token expired exception Are you using one of our adapters? The token expiration can be controlled through the admin console, but generally a token should have a relatively short expiration (5-10 min). Then you have a refresh token with a long expiration (days) that can be used to retrieve a new token. Prior to doing a request you should check the expiration time and retrieve a new token if needed. ----- Original Message ----- > From: "Toan Nguyen Xuan" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 26 March, 2014 8:24:58 AM > Subject: [keycloak-user] token expired exception > > > > Hi you, > > I just use keycloak for authen application to access my resource, but > I don?t know control token key life time. 
One app will not access my > resource when token key is expired, this app does not know when reinit > token key. I want to catch Token key expired to return apps. Please help me. > > Have any extend keylocak library? Goal of Keyloak is very good, I like this. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From n.preusker at gmail.com Thu Mar 27 06:29:22 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Thu, 27 Mar 2014 11:29:22 +0100 Subject: [keycloak-user] Install examples Message-ID: Hey guys, I just noticed that if you want to install the preconfigured examples, the README.md file states that you should run mvn clean install. While that works fine if you have keycloak checked out and the root pom installed in your local maven repo (in the correct version), it fails if you just download the keycloak-war-dist-all-1.0-alpha-XX.zip and try to install the examples. This might be confusing for someone who just wants to quickly install the examples. I didn't check in detail yet, but I guess it could easily be avoided by removing the parent pom dependency in the example app poms. Cheers, Nils -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/f1d9b808/attachment.html From bburke at redhat.com Thu Mar 27 09:34:12 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 27 Mar 2014 09:34:12 -0400 Subject: [keycloak-user] Install examples In-Reply-To: References: Message-ID: <533428D4.4040508@redhat.com> Oops, thanks. On 3/27/2014 6:29 AM, Nils Preusker wrote: > Hey guys, > > I just noticed that if you want to install the preconfigured examples, > the README.md file states that you should run mvn clean install. 
While > that works fine if you have Keycloak checked out and the root pom > installed in your local Maven repo (in the correct version), it fails if > you just download the keycloak-war-dist-all-1.0-alpha-XX.zip and try to > install the examples. This might be confusing for someone who just wants > to quickly install the examples. I didn't check in detail yet, but I > guess it could easily be avoided by removing the parent pom dependency > in the example app poms. > > Cheers, > Nils > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From bburke at redhat.com Thu Mar 27 09:52:39 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 27 Mar 2014 09:52:39 -0400
Subject: [keycloak-user] token expired exception
In-Reply-To: <000001cf496a$34a519b0$9def4d10$@vtc.vn>
References: <000601cf48cc$e259d4e0$a70d7ea0$@vtc.vn> <529013826.675789.1395825579143.JavaMail.zimbra@redhat.com> <000001cf496a$34a519b0$9def4d10$@vtc.vn>
Message-ID: <53342D27.4030808@redhat.com>

We have a lot of screencasts that walk you through how to do things: keycloak.org/docs

On 3/26/2014 11:11 PM, Toan Nguyen Xuan wrote: > Hi, > Currently I have not tried Keycloak with my project. I tried RESTEasy 3.0.6, which has a simple OAuth2 implementation, and I can't control the expired key in my project. Can you show me how to solve this problem by using Keycloak? I installed Keycloak successfully but I don't know where to start. If this is solved I will use Keycloak in my project. > Many thanks in advance. > > -----Original Message----- > From: Stian Thorgersen [mailto:stian at redhat.com] > Sent: Wednesday, March 26, 2014 4:20 PM > To: Toan Nguyen Xuan > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] token expired exception > > Are you using one of our adapters? > > The token expiration can be controlled through the admin console, but generally a token should have a relatively short expiration (5-10 min). Then you have a refresh token with a long expiration (days) that can be used to retrieve a new token. Prior to doing a request you should check the expiration time and retrieve a new token if needed. > > ----- Original Message ----- >> From: "Toan Nguyen Xuan" >> To: keycloak-user at lists.jboss.org >> Sent: Wednesday, 26 March, 2014 8:24:58 AM >> Subject: [keycloak-user] token expired exception >> >> >> >> Hi, >> >> I just use Keycloak to authenticate an application to access my resource, but >> I don't know how to control the token key lifetime. One app will not be able to access my >> resource when the token key is expired; this app does not know when to reinitialize >> the token key. I want to catch the token key expiry and return it to the apps. Please help me. >> >> Is there any extended Keycloak library? The goal of Keycloak is very good, I like this. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From n.preusker at gmail.com Thu Mar 27 10:41:44 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Thu, 27 Mar 2014 15:41:44 +0100
Subject: [keycloak-user] Keycloak and AngularJS
Message-ID:

Hi Stian and Bill, I've posted some questions regarding this topic before but I thought I'd start a new thread to keep things focused: I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) backend modules.
To add authentication and authorization to this application, I'd like to use Keycloak

* as a user and role management front-end
* to provide a customizable login page (works very well by the way ;)
* as an OAuth 2.0 token provider
* to add user and role information to the HTTP requests in my REST/backend modules

To do this, I'm currently looking at keycloak.js and the customer-app-js example. However, I'm wondering whether this is really the best way to go. In a reply to an earlier post of mine you mentioned that the Keycloak admin console is written in AngularJS and that you are using HTTP-only cookies there. However, in keycloak.js and the customer-app-js example you are retrieving the token in the JS app and adding an Authorization header with a bearer token to the HTTP requests.

So here are my questions:

* Is there a reason you are using two different approaches in the admin console and the official demo app?
* Which one of the two approaches (bearer tokens vs. HTTP-only cookie) will you support / will be the officially recommended one for HTML5/client-side JavaScript applications in Keycloak?
* Am I right in assuming that you haven't quite decided yet which approach to use and that you are still discussing this in the Keycloak team?

Looking forward to your reply!
Cheers, Nils
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/e963ca92/attachment-0001.html

From bburke at redhat.com Thu Mar 27 11:39:07 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 27 Mar 2014 11:39:07 -0400
Subject: [keycloak-user] Keycloak and AngularJS
In-Reply-To:
References:
Message-ID: <5334461B.8040202@redhat.com>

What I like about the current admin console approach is that there is no bookkeeping required by the browser. The Angular app has really no knowledge of how it is being secured as it's all driven by the server.
Also, you need to remember that the admin console was designed to be run in a non-Java EE, non-servlet environment. While this is a requirement for Keycloak, it may not be for your application. So, what I'm saying is that for your Angular application, you could rely on the servlet container and Keycloak adapter to maintain a session cookie and identity.

What I like about the keycloak.js approach is that there is no server-side adapter required for the UI. The UI could be hosted off any number of static web sites and use CORS invocations to any number of RESTful services.

There's also the debate of public vs. confidential clients. The keycloak.js approach requires a public client. My understanding was that confidential clients exist so that only an authenticated client (client *NOT* user) is able to obtain an access token. I'm not exactly sure what additional security benefits are obtained here beyond this. I've been trying to ask this very question on OAuth mail lists but have been unable to get a response so far.

On 3/27/2014 10:41 AM, Nils Preusker wrote: > Hi Stian and Bill, > > I've posted some questions regarding this topic before but I thought I'd > start a new thread to keep things focused: > > I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) > backend modules. To add authentication and authorization to this > application, I'd like to use keycloak > > * as a user and role management front-end > * to provide a customizable login page (works very well by the way ;) > * as an OAuth 2.0 token provider > * to add user and role information to the HTTPRequests in my REST/ > backend modules > > To do this, I'm currently looking at keycloak.js and the customer-app-js > example. However, I'm wondering whether this is really the best way to > go. In a reply to an earlier post of mine you mentioned that the > keycloak admin console is written in AngularJS and that you are using > HTTP-only cookies there.
> > However, in keycloak.js and the customer-app-js example you are > retrieving the token in the JS app and adding an authorization header > with a bearer token to the HTTP requests. > > So here are my questions: > > * Is there a reason you are using two different approaches in the admin > console and the official demo app? > * which one of the two approaches (bearer tokens vs. HTTP-only cookie) > will you support/ will be the officially recommended one for HTML5/ > client side JavaScript applications in keycloak? > * am I right in assuming that you haven't quite decided yet which > approach to use and that you are still discussing this in the keycloak team? > > Looking forward to your reply! > Cheers, > Nils > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From stian at redhat.com Thu Mar 27 12:18:01 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT)
Subject: [keycloak-user] Keycloak and AngularJS
In-Reply-To: <5334461B.8040202@redhat.com>
References: <5334461B.8040202@redhat.com>
Message-ID: <884719116.3009607.1395937081146.JavaMail.zimbra@redhat.com>

Personally, I think that in most cases for a client-side web app the best approach is to let the client side do the OAuth flow (the approach we're currently taking in keycloak.js). It does depend on your application though, and if your application has a strict "one HTML5 app calls one REST service" setup then HTTP-only cookies are an option. I don't see any real benefits of it though, and I believe it significantly complicates things.

Have a look at http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, I think it provides a good summary of the pros of the token approach.
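Stian's advice earlier in this digest (keep the access token short-lived, check its expiration before each request, and use the long-lived refresh token to fetch a new one) and the client-side flow he recommends here (the browser holds the token and sends it as a bearer header, as keycloak.js does) fit together in a small token manager. The following is an added example written for this archive page; it is neither keycloak.js nor code from the Keycloak project. It assumes a caller-supplied refreshFn that exchanges a refresh token for new tokens (hypothetical, standing in for a POST with grant_type=refresh_token to the realm's token endpoint), and the sample tokens it parses are constructed, unsigned JWT-shaped strings carrying only the claims needed here. The client reads the exp claim but never verifies the signature; that stays with the resource server.

```javascript
// Added example for this archive page (not keycloak.js, not Keycloak project code):
// a minimal client-side token manager that follows the advice in this thread:
// keep a short-lived access token, check its `exp` before every request, and
// use the long-lived refresh token to fetch a new one when it is about to expire.
//
// Assumptions (hypothetical): `refreshFn(refreshToken)` is supplied by the caller
// and returns a Promise of { access_token, refresh_token? }; in a real app it
// would POST grant_type=refresh_token to the realm's token endpoint. The sample
// tokens below are constructed, unsigned JWT-shaped strings (alg "none").

// Decode the payload of a JWT-shaped token (header.payload.signature) WITHOUT
// verifying the signature. The client only needs the `exp` claim to schedule a
// refresh; checking the signature is the resource server's job, never the client's.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT-shaped token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True if the token has expired or will expire within `minValiditySeconds`.
function isExpired(token, nowSeconds, minValiditySeconds) {
  const exp = decodePayload(token).exp;
  if (typeof exp !== 'number') return true; // no exp claim: do not trust it
  return exp - nowSeconds < minValiditySeconds;
}

class TokenManager {
  constructor(accessToken, refreshToken, refreshFn, opts) {
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
    this.refreshFn = refreshFn;
    this.minValidity = (opts && opts.minValidity) || 30; // headroom in seconds
    this.now = (opts && opts.now) || (() => Math.floor(Date.now() / 1000));
  }

  // Call before every request: refreshes only when the access token is (nearly) expired.
  async getValidAccessToken() {
    if (isExpired(this.accessToken, this.now(), this.minValidity)) {
      if (isExpired(this.refreshToken, this.now(), 0)) {
        throw new Error('refresh token expired; the user must log in again');
      }
      const fresh = await this.refreshFn(this.refreshToken);
      this.accessToken = fresh.access_token;
      if (fresh.refresh_token) this.refreshToken = fresh.refresh_token; // rotation
    }
    return this.accessToken;
  }

  // Headers for a bearer-authenticated REST call (what a keycloak.js-style app sends).
  async authHeaders() {
    return { Authorization: 'Bearer ' + (await this.getValidAccessToken()) };
  }
}

// Build an unsigned, JWT-shaped sample token (constructed test data only).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(claims) + '.';
}

// Walk a 5-minute access token past the 30-second headroom with a fake clock.
async function demo() {
  let clock = 1000000;                     // fake "now" in seconds
  let refreshCalls = 0;
  const refreshFn = async () => {
    refreshCalls += 1;
    return { access_token: makeToken({ sub: 'nils', exp: clock + 300 }) };
  };
  const mgr = new TokenManager(
    makeToken({ sub: 'nils', exp: clock + 300 }),    // access token: 5 minutes
    makeToken({ sub: 'nils', exp: clock + 86400 }),  // refresh token: 1 day
    refreshFn,
    { minValidity: 30, now: () => clock });

  const first = await mgr.authHeaders();   // 300 s left: no refresh
  clock += 280;                            // 20 s left, under the 30 s headroom
  const second = await mgr.authHeaders();  // triggers exactly one refresh
  return {
    refreshCalls,
    bearer: first.Authorization.startsWith('Bearer '),
    rotated: first.Authorization !== second.Authorization,
  };
}
```

Two caveats a practitioner would add to Stian's recommendation: a token held in page script is reachable by any script injected into the page, which is the trade-off against the HTTP-only cookie approach Bill describes; and a refresh decision made purely from exp cannot notice that the session was ended server-side, which is the logout problem Bill raises later in this thread.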
----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 27 March, 2014 3:39:07 PM > Subject: Re: [keycloak-user] Keycloak and AngularJS > > What I like about the current admin console approach is that there is no > book keeping required by the browser. The Angular app has really no > knowledge of how it is being secured as its all driven by the server. > Also, you need to remember that the admin console was designed to be run > in a non-Java EE, non-servlet environment. While this is a requirement > for Keycloak, it may not be for your application. So, what I'm saying > is that for your angular application, you could rely on the servlet > container and keycloak adapter to maintain a session cookie and identity. > > What I like about the keycloak.js approach is that there is no > server-side adapter required for the UI. The UI could be hosted off any > number of static web sites and use CORS invocations to any number of > Restful services. > > There's also the debate of public vs. confidential clients. The > keycloak.js approach requires a public client. My understanding was > that confidential clients exist so that only an authenticated client > (client *NOT* user) is able to obtain an access token. I'm not exactly > sure what additional security benefits are obtained here beyond this. > I've been trying to ask this very question on OAuth mail lists but have > been unable to get a response so far. > > > > On 3/27/2014 10:41 AM, Nils Preusker wrote: > > Hi Stian and Bill, > > > > I've posted some questions regarding this topic before but I thought I'd > > start a new thread to keep things focused: > > > > I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) > > backend modules. 
To add authentication and authorization to this > > application, I'd like to use keycloak > > > > * as a user and role management front-end > > * to provide a customizable login page (works very well by the way ;) > > * as an OAuth 2.0 token provider > > * to add user and role information to the HTTPRequests in my REST/ > > backend modules > > > > To do this, I'm currently looking at keycloak.js and the customer-app-js > > example. However, I'm wondering whether this is really the best way to > > go. In a reply to an earlier post of mine you mentioned that the > > keycloak admin console is written in AngularJS and that you are using > > HTTP-only cookies there. > > > > However, in keycloak.js and the customer-app-js example you are > > retrieving the token in the JS app and adding an authorization header > > with a bearer token to the HTTP requests. > > > > So here are my questions: > > > > * Is there a reason you are using two different approaches in the admin > > console and the official demo app? > > * which one of the two approaches (bearer tokens vs. HTTP-only cookie) > > will you support/ will be the officially recommended one for HTML5/ > > client side JavaScript applications in keycloak? > > * am I right in assuming that you haven't quite decided yet which > > approach to use and that you are still discussing this in the keycloak > > team? > > > > Looking forwards to your reply! 
> > Cheers, > > Nils > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From n.preusker at gmail.com Thu Mar 27 12:24:06 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Thu, 27 Mar 2014 17:24:06 +0100 Subject: [keycloak-user] Keycloak and AngularJS In-Reply-To: <884719116.3009607.1395937081146.JavaMail.zimbra@redhat.com> References: <5334461B.8040202@redhat.com> <884719116.3009607.1395937081146.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian and Bill, thanks for your replies! I'll check out the blog post and try the approach with a web.xml and a keycloak.json in the backend for now. I'll keep you posted on what I end up with on the client side. Cheers, Nils On Thu, Mar 27, 2014 at 5:18 PM, Stian Thorgersen wrote: > Personally, I think that in most cases for a client-side web app the best > approach is to let the client-side do the oauth flow (the approach we're > currently taking in keycloak.js). It does depend on your application > though, and if you're application has a strict one html5 app calls one REST > service then http-only cookies are an option. I don't see any real benefits > of it though, and I believe it significantly complicates things. > > Have a look at > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, > I think it provides a good summary of the pros of the token approach. 
> > ----- Original Message ----- > > From: "Bill Burke" > > To: keycloak-user at lists.jboss.org > > Sent: Thursday, 27 March, 2014 3:39:07 PM > > Subject: Re: [keycloak-user] Keycloak and AngularJS > > > > What I like about the current admin console approach is that there is no > > book keeping required by the browser. The Angular app has really no > > knowledge of how it is being secured as its all driven by the server. > > Also, you need to remember that the admin console was designed to be run > > in a non-Java EE, non-servlet environment. While this is a requirement > > for Keycloak, it may not be for your application. So, what I'm saying > > is that for your angular application, you could rely on the servlet > > container and keycloak adapter to maintain a session cookie and identity. > > > > What I like about the keycloak.js approach is that there is no > > server-side adapter required for the UI. The UI could be hosted off any > > number of static web sites and use CORS invocations to any number of > > Restful services. > > > > There's also the debate of public vs. confidential clients. The > > keycloak.js approach requires a public client. My understanding was > > that confidential clients exist so that only an authenticated client > > (client *NOT* user) is able to obtain an access token. I'm not exactly > > sure what additional security benefits are obtained here beyond this. > > I've been trying to ask this very question on OAuth mail lists but have > > been unable to get a response so far. > > > > > > > > On 3/27/2014 10:41 AM, Nils Preusker wrote: > > > Hi Stian and Bill, > > > > > > I've posted some questions regarding this topic before but I thought > I'd > > > start a new thread to keep things focused: > > > > > > I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) > > > backend modules. 
To add authentication and authorization to this > > > application, I'd like to use keycloak > > > > > > * as a user and role management front-end > > > * to provide a customizable login page (works very well by the way ;) > > > * as an OAuth 2.0 token provider > > > * to add user and role information to the HTTPRequests in my REST/ > > > backend modules > > > > > > To do this, I'm currently looking at keycloak.js and the > customer-app-js > > > example. However, I'm wondering whether this is really the best way to > > > go. In a reply to an earlier post of mine you mentioned that the > > > keycloak admin console is written in AngularJS and that you are using > > > HTTP-only cookies there. > > > > > > However, in keycloak.js and the customer-app-js example you are > > > retrieving the token in the JS app and adding an authorization header > > > with a bearer token to the HTTP requests. > > > > > > So here are my questions: > > > > > > * Is there a reason you are using two different approaches in the admin > > > console and the official demo app? > > > * which one of the two approaches (bearer tokens vs. HTTP-only cookie) > > > will you support/ will be the officially recommended one for HTML5/ > > > client side JavaScript applications in keycloak? > > > * am I right in assuming that you haven't quite decided yet which > > > approach to use and that you are still discussing this in the keycloak > > > team? > > > > > > Looking forwards to your reply! 
> > > Cheers, > > > Nils > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/b8e5ee89/attachment.html From bburke at redhat.com Thu Mar 27 12:29:54 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 27 Mar 2014 12:29:54 -0400 Subject: [keycloak-user] Keycloak and AngularJS In-Reply-To: <884719116.3009607.1395937081146.JavaMail.zimbra@redhat.com> References: <5334461B.8040202@redhat.com> <884719116.3009607.1395937081146.JavaMail.zimbra@redhat.com> Message-ID: <53345202.4060105@redhat.com> One of the problems with the keycloak.js approach is that we have no way to perform a single log out or to force a logout of a specific user. I think the OpenID Connect spec may have a way with IFrames to do this sort of thing though. I didn't really get it at first glance though. On 3/27/2014 12:18 PM, Stian Thorgersen wrote: > Personally, I think that in most cases for a client-side web app the best approach is to let the client-side do the oauth flow (the approach we're currently taking in keycloak.js). It does depend on your application though, and if you're application has a strict one html5 app calls one REST service then http-only cookies are an option. 
I don't see any real benefits of it though, and I believe it significantly complicates things. > > Have a look at http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, I think it provides a good summary of the pros of the token approach. > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, 27 March, 2014 3:39:07 PM >> Subject: Re: [keycloak-user] Keycloak and AngularJS >> >> What I like about the current admin console approach is that there is no >> book keeping required by the browser. The Angular app has really no >> knowledge of how it is being secured as its all driven by the server. >> Also, you need to remember that the admin console was designed to be run >> in a non-Java EE, non-servlet environment. While this is a requirement >> for Keycloak, it may not be for your application. So, what I'm saying >> is that for your angular application, you could rely on the servlet >> container and keycloak adapter to maintain a session cookie and identity. >> >> What I like about the keycloak.js approach is that there is no >> server-side adapter required for the UI. The UI could be hosted off any >> number of static web sites and use CORS invocations to any number of >> Restful services. >> >> There's also the debate of public vs. confidential clients. The >> keycloak.js approach requires a public client. My understanding was >> that confidential clients exist so that only an authenticated client >> (client *NOT* user) is able to obtain an access token. I'm not exactly >> sure what additional security benefits are obtained here beyond this. >> I've been trying to ask this very question on OAuth mail lists but have >> been unable to get a response so far. 
>> >> >> >> On 3/27/2014 10:41 AM, Nils Preusker wrote: >>> Hi Stian and Bill, >>> >>> I've posted some questions regarding this topic before but I thought I'd >>> start a new thread to keep things focused: >>> >>> I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) >>> backend modules. To add authentication and authorization to this >>> application, I'd like to use keycloak >>> >>> * as a user and role management front-end >>> * to provide a customizable login page (works very well by the way ;) >>> * as an OAuth 2.0 token provider >>> * to add user and role information to the HTTPRequests in my REST/ >>> backend modules >>> >>> To do this, I'm currently looking at keycloak.js and the customer-app-js >>> example. However, I'm wondering whether this is really the best way to >>> go. In a reply to an earlier post of mine you mentioned that the >>> keycloak admin console is written in AngularJS and that you are using >>> HTTP-only cookies there. >>> >>> However, in keycloak.js and the customer-app-js example you are >>> retrieving the token in the JS app and adding an authorization header >>> with a bearer token to the HTTP requests. >>> >>> So here are my questions: >>> >>> * Is there a reason you are using two different approaches in the admin >>> console and the official demo app? >>> * which one of the two approaches (bearer tokens vs. HTTP-only cookie) >>> will you support/ will be the officially recommended one for HTML5/ >>> client side JavaScript applications in keycloak? >>> * am I right in assuming that you haven't quite decided yet which >>> approach to use and that you are still discussing this in the keycloak >>> team? >>> >>> Looking forwards to your reply! 
>>> Cheers, >>> Nils >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From dirk.franssen at gmail.com Thu Mar 27 20:31:03 2014
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Fri, 28 Mar 2014 01:31:03 +0100
Subject: [keycloak-user] Inject (Keycloak)Principal
Message-ID:

Hi, I was playing around with the examples, more specifically with the customer-portal-js which is accessing the database resource. In that CustomerService I was trying to get access to the Principal and to extend it to return in addition the username of the logged-in user:

    import java.security.Principal;
    import java.util.ArrayList;
    import java.util.List;
    import javax.inject.Inject;
    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    import org.jboss.resteasy.annotations.cache.NoCache;

    @Path("customers")
    public class CustomerService {

        // CDI injection of the caller's Principal: this is what I tried first
        @Inject
        Principal principal;

        // Alternatives I tried, commented out:
        //@Context
        //SecurityContext sc;
        //Principal principal = sc.getUserPrincipal();

        //@Context
        //ContainerRequestContext request;
        //SecurityContext sc = request.getSecurityContext();
        //Principal principal = sc.getUserPrincipal();

        @GET
        @Produces("application/json")
        @NoCache
        public List<String> getCustomers() {
            List<String> rtn = new ArrayList<String>();
            rtn.add("Bill Burke");
            rtn.add("Stian Thorgersen");
            rtn.add("Stan Silvert");
            rtn.add("Gabriel Cardoso");
            rtn.add("Viliam Rockai");
            rtn.add("Marek Posolda");
            rtn.add("Boleslaw Dawidowicz");
            rtn.add(principal.getName()); // <--- add username to the list
            return rtn;
        }
    }

But this throws an NPE as the principal is always null. I noticed that the JaxrsBearerTokenFilter is adding to the ContainerRequestContext a new SecurityContext, of which the getUserPrincipal method returns the KeycloakPrincipal.
But I can't figure out how to get access to this from the CustomerService.

My intention is to verify that the logged-in user is accessing his own resources, and e.g. is not trying to update data of somebody else. E.g. the id should match principal.getName() in the following:

    @POST
    @Path("/users/{id}/friends")
    public void addFriend(@PathParam("id") String userId, Friend friend) {
        ...
    }

Any suggestions? It would be nice if, besides the KeycloakPrincipal being injectable, one could define something like @IsOwner:

    public void addFriend(@PathParam("id") @IsOwner String userId, Friend friend)

or even more concisely:

    public void addFriend(@IsOwner("id") String userId, Friend friend)

Kind regards, Dirk Franssen

On Thu, Mar 27, 2014 at 5:29 PM, wrote: > Send keycloak-user mailing list submissions to > keycloak-user at lists.jboss.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user > or, via email, send a message with subject or body 'help' to > keycloak-user-request at lists.jboss.org > > You can reach the person managing the list at > keycloak-user-owner at lists.jboss.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Re: Keycloak and AngularJS (Bill Burke) > 2. Re: Keycloak and AngularJS (Stian Thorgersen) > 3. Re: Keycloak and AngularJS (Nils Preusker) > 4. Re: Keycloak and AngularJS (Bill Burke) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 27 Mar 2014 11:39:07 -0400 > From: Bill Burke > Subject: Re: [keycloak-user] Keycloak and AngularJS > To: keycloak-user at lists.jboss.org > Message-ID: <5334461B.8040202 at redhat.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > What I like about the current admin console approach is that there is no > book keeping required by the browser.
The Angular app has really no > knowledge of how it is being secured as its all driven by the server. > Also, you need to remember that the admin console was designed to be run > in a non-Java EE, non-servlet environment. While this is a requirement > for Keycloak, it may not be for your application. So, what I'm saying > is that for your angular application, you could rely on the servlet > container and keycloak adapter to maintain a session cookie and identity. > > What I like about the keycloak.js approach is that there is no > server-side adapter required for the UI. The UI could be hosted off any > number of static web sites and use CORS invocations to any number of > Restful services. > > There's also the debate of public vs. confidential clients. The > keycloak.js approach requires a public client. My understanding was > that confidential clients exist so that only an authenticated client > (client *NOT* user) is able to obtain an access token. I'm not exactly > sure what additional security benefits are obtained here beyond this. > I've been trying to ask this very question on OAuth mail lists but have > been unable to get a response so far. > > > > On 3/27/2014 10:41 AM, Nils Preusker wrote: > > Hi Stian and Bill, > > > > I've posted some questions regarding this topic before but I thought I'd > > start a new thread to keep things focused: > > > > I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) > > backend modules. To add authentication and authorization to this > > application, I'd like to use keycloak > > > > * as a user and role management front-end > > * to provide a customizable login page (works very well by the way ;) > > * as an OAuth 2.0 token provider > > * to add user and role information to the HTTPRequests in my REST/ > > backend modules > > > > To do this, I'm currently looking at keycloak.js and the customer-app-js > > example. However, I'm wondering whether this is really the best way to > > go. 
> > In a reply to an earlier post of mine you mentioned that the
> > keycloak admin console is written in AngularJS and that you are using
> > HTTP-only cookies there.
> >
> > However, in keycloak.js and the customer-app-js example you are
> > retrieving the token in the JS app and adding an authorization header
> > with a bearer token to the HTTP requests.
> >
> > So here are my questions:
> >
> > * Is there a reason you are using two different approaches in the admin
> >   console and the official demo app?
> > * Which one of the two approaches (bearer tokens vs. HTTP-only cookie)
> >   will you support / will be the officially recommended one for HTML5 /
> >   client-side JavaScript applications in keycloak?
> > * Am I right in assuming that you haven't quite decided yet which
> >   approach to use and that you are still discussing this in the keycloak
> >   team?
> >
> > Looking forward to your reply!
> > Cheers,
> > Nils
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> ------------------------------
>
> Message: 2
> Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT)
> From: Stian Thorgersen
> Subject: Re: [keycloak-user] Keycloak and AngularJS
> To: Bill Burke
> Cc: keycloak-user at lists.jboss.org
> Message-ID: <884719116.3009607.1395937081146.JavaMail.zimbra at redhat.com>
> Content-Type: text/plain; charset=utf-8
>
> Personally, I think that in most cases for a client-side web app the best
> approach is to let the client side do the OAuth flow (the approach we're
> currently taking in keycloak.js). It does depend on your application
> though, and if your application is strictly one HTML5 app calling one REST
> service then HTTP-only cookies are an option. I don't see any real benefits
> of it though, and I believe it significantly complicates things.
>
> Have a look at
> http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/,
> I think it provides a good summary of the pros of the token approach.
>
> ----- Original Message -----
> > From: "Bill Burke"
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 27 March, 2014 3:39:07 PM
> > Subject: Re: [keycloak-user] Keycloak and AngularJS
> >
> > What I like about the current admin console approach is that there is no
> > book keeping required by the browser. The Angular app has really no
> > knowledge of how it is being secured as it's all driven by the server.
> > Also, you need to remember that the admin console was designed to be run
> > in a non-Java EE, non-servlet environment. While this is a requirement
> > for Keycloak, it may not be for your application. So, what I'm saying
> > is that for your angular application, you could rely on the servlet
> > container and keycloak adapter to maintain a session cookie and identity.
> >
> > What I like about the keycloak.js approach is that there is no
> > server-side adapter required for the UI. The UI could be hosted off any
> > number of static web sites and use CORS invocations to any number of
> > RESTful services.
> >
> > There's also the debate of public vs. confidential clients. The
> > keycloak.js approach requires a public client. My understanding was
> > that confidential clients exist so that only an authenticated client
> > (client *NOT* user) is able to obtain an access token. I'm not exactly
> > sure what additional security benefits are obtained here beyond this.
> > I've been trying to ask this very question on OAuth mail lists but have
> > been unable to get a response so far.
>
> ------------------------------
>
> Message: 3
> Date: Thu, 27 Mar 2014 17:24:06 +0100
> From: Nils Preusker
> Subject: Re: [keycloak-user] Keycloak and AngularJS
> To: keycloak-user at lists.jboss.org
> Message-ID: rBgV-eFhwbDvaxq48NiOwQ at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Stian and Bill,
>
> thanks for your replies! I'll check out the blog post and try the approach
> with a web.xml and a keycloak.json in the backend for now. I'll keep you
> posted on what I end up with on the client side.
>
> Cheers,
> Nils
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/b8e5ee89/attachment-0001.html
>
> ------------------------------
>
> Message: 4
> Date: Thu, 27 Mar 2014 12:29:54 -0400
> From: Bill Burke
> Subject: Re: [keycloak-user] Keycloak and AngularJS
> To: Stian Thorgersen
> Cc: keycloak-user at lists.jboss.org
> Message-ID: <53345202.4060105 at redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> One of the problems with the keycloak.js approach is that we have no way
> to perform a single log out or to force a logout of a specific user. I
> think the OpenID Connect spec may have a way with IFrames to do this
> sort of thing though. I didn't really get it at first glance though.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> ------------------------------
>
> End of keycloak-user Digest, Vol 3, Issue 14
> ********************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140328/058a6903/attachment-0001.html

From xuantoan.nguyen at vtc.vn Thu Mar 27 22:36:32 2014
From: xuantoan.nguyen at vtc.vn (Toan Nguyen Xuan)
Date: Fri, 28 Mar 2014 09:36:32 +0700
Subject: [keycloak-user] token expired exception (Stian Thorgersen)
Message-ID: <000201cf4a2e$87f27a80$97d76f80$@vtc.vn>

Hi,

Currently I have not tried Keycloak with my project. I tried RESTEasy 3.0.6, which has a simple OAuth2 implementation, and I can't control the expired key in my project. Can you show me how to solve this problem by using Keycloak? I installed Keycloak successfully but I don't know where to start. If this is solved I will use Keycloak in my project. Many thanks in advance.

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Wednesday, March 26, 2014 4:20 PM
To: Toan Nguyen Xuan
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] token expired exception

Are you using one of our adapters?
The token expiration can be controlled through the admin console, but generally a token should have a relatively short expiration (5-10 min). Then you have a refresh token with a long expiration (days) that can be used to retrieve a new token. Prior to doing a request you should check the expiration time and retrieve a new token if needed.

----- Original Message -----
> From: "Toan Nguyen Xuan"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 26 March, 2014 8:24:58 AM
> Subject: [keycloak-user] token expired exception
>
> Hi you,
>
> I just use Keycloak to authenticate an application accessing my resource, but
> I don't know how to control the token key lifetime. One app will not access my
> resource when the token key is expired; this app does not know when to reinit the
> token key. I want to catch the token key expiry and return it to the apps. Please help me.
>
> Is there any extended Keycloak library? The goal of Keycloak is very good, I like this.

From juraci at kroehling.de Fri Mar 28 03:16:44 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 28 Mar 2014 08:16:44 +0100
Subject: [keycloak-user] Inject (Keycloak)Principal
Message-ID: <533521DC.6010908@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dirk,

It seems it's missing the @SecurityDomain("keycloak") in your service, at the type level. If that's not the case, I can update the "sample-ejb-roles" quickstart, adapted to use Keycloak, so you can compare and check what's missing.

Just to confirm: have you also added the security-domain to the standalone.xml? The instructions are at the end of section 6.2.1 from the user guide: http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e485

Juca.
On 03/28/2014 01:31 AM, Dirk Franssen wrote:
> Hi,
>
> I was playing around with the examples, more specifically with the
> customer-portal-js which is accessing the database resource. In
> that CustomerService I was trying to get access to the Principal
> and trying to extend it to return in addition the username of the
> logged-in user:
>
>     @Path("customers")
>     public class CustomerService {
>
>         @Inject
>         Principal principal;
>
>         //@Context
>         //SecurityContext sc;
>         //Principal principal = sc.getUserPrincipal();
>
>         //@Context
>         //ContainerRequestContext request;
>         //SecurityContext sc = request.getSecurityContext();
>         //Principal principal = sc.getUserPrincipal();
>
>         @GET
>         @Produces("application/json")
>         @NoCache
>         public List<String> getCustomers() {
>             ArrayList<String> rtn = new ArrayList<String>();
>             rtn.add("Bill Burke");
>             rtn.add("Stian Thorgersen");
>             rtn.add("Stan Silvert");
>             rtn.add("Gabriel Cardoso");
>             rtn.add("Viliam Rockai");
>             rtn.add("Marek Posolda");
>             rtn.add("Boleslaw Dawidowicz");
>             rtn.add(principal.getName()); // <--- add username to the list
>             return rtn;
>         }
>     }
>
> But this throws an NPE as the principal is always null. I noticed
> that the JaxrsBearerTokenFilter is adding to the
> ContainerRequestContext a new SecurityContext, of which the
> getUserPrincipal method returns the KeycloakPrincipal. But I can't
> figure out how to get access to this from the CustomerService.
>
> My intention is to verify if the logged-in user is accessing his
> own resources, and e.g. is not trying to update data of somebody
> else. E.g. the id should match principal.getName() in the following:
>
>     @POST
>     @Path("/users/{id}/friends")
>     public void addFriend(@PathParam("id") String userId, Friend friend) { ... }
>
> Any suggestions? It would be nice if, besides the KeycloakPrincipal
> being injectable, one could define something like @IsOwner:
>
>     public void addFriend(@PathParam("id") @IsOwner String userId, Friend friend)
>
> or even more concise:
>
>     public void addFriend(@IsOwner("id") String userId, Friend friend)
>
> Kind regards,
> Dirk Franssen
>
>
> On Thu, Mar 27, 2014 at 5:29 PM, wrote:
>
>     Send keycloak-user mailing list submissions to
>     keycloak-user at lists.jboss.org
>
>     To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>     or, via email, send a message with subject or body 'help' to
>     keycloak-user-request at lists.jboss.org
>
>     You can reach the person managing the list at
>     keycloak-user-owner at lists.jboss.org
>
>     When replying, please edit your Subject line so it is more
>     specific than "Re: Contents of keycloak-user digest..."
>
>     Today's Topics:
>
>     1. Re: Keycloak and AngularJS (Bill Burke)
>     2. Re: Keycloak and AngularJS (Stian Thorgersen)
>     3. Re: Keycloak and AngularJS (Nils Preusker)
>     4. Re: Keycloak and AngularJS (Bill Burke)
>
>     ----------------------------------------------------------------------
>>> >>> >>> >>> On 3/27/2014 10:41 AM, Nils Preusker wrote: >>>> Hi Stian and Bill, >>>> >>>> I've posted some questions regarding this topic before but I > thought I'd >>>> start a new thread to keep things focused: >>>> >>>> I'm writing an AngularJS application with Java EE 6/7 REST >>>> (JAX-RS) backend modules. To add authentication and >>>> authorization to this application, I'd like to use keycloak >>>> >>>> * as a user and role management front-end * to provide a >>>> customizable login page (works very well by the > way ;) >>>> * as an OAuth 2.0 token provider * to add user and role >>>> information to the HTTPRequests in my REST/ backend modules >>>> >>>> To do this, I'm currently looking at keycloak.js and the > customer-app-js >>>> example. However, I'm wondering whether this is really the >>>> best > way to >>>> go. In a reply to an earlier post of mine you mentioned that >>>> the keycloak admin console is written in AngularJS and that >>>> you are > using >>>> HTTP-only cookies there. >>>> >>>> However, in keycloak.js and the customer-app-js example you >>>> are retrieving the token in the JS app and adding an >>>> authorization > header >>>> with a bearer token to the HTTP requests. >>>> >>>> So here are my questions: >>>> >>>> * Is there a reason you are using two different approaches >>>> in > the admin >>>> console and the official demo app? * which one of the two >>>> approaches (bearer tokens vs. HTTP-only > cookie) >>>> will you support/ will be the officially recommended one for >>>> HTML5/ client side JavaScript applications in keycloak? * am >>>> I right in assuming that you haven't quite decided yet which >>>> approach to use and that you are still discussing this in >>>> the > keycloak >>>> team? >>>> >>>> Looking forwards to your reply! 
Cheers, Nils >>>> >>>> >>>> _______________________________________________ keycloak-user >>>> mailing list keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> -- Bill Burke JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ keycloak-user >>> mailing list keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > > -- Bill Burke JBoss, a division of Red Hat > http://bill.burkecentral.com > > > ------------------------------ > > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 3, Issue 14 > ******************************************** > > > > > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJTNSHcAAoJEDnJtskdmzLMHrYH/1D/vMgPxD0WUZ5KdIoD5Cow gb9fa+RZDQrpPxL1qKpqWJX3g1cKt8hQa1Xz7dX64G3/xcLUUkoJKkAtiJPysp75 xbkdWV+RGQXDHuyZcS75xEXQlPaWt2cEVxdSXMalzfQPzVhq00FBbeJLirKLbYsY I2CIjJgCSQhmOrVfP5vUSdrwsLsd+TBXee4779YiOceSW16oG9Nfsa5gF1XJSNhi o2fZCEkoXhbTD7RXuhhrDWlFBCQOIgWf6FUHEAVKnXeIR5oey6U9hv1Z16Kd2Pll Pv8+LWlJjKMfkmrCQrVQvYSI/n64vxjikta2ByBdOPethsebqXO9oknbiPtjq6E= =TiWl -----END PGP SIGNATURE----- From stian at redhat.com Fri Mar 28 05:39:15 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 28 Mar 2014 05:39:15 -0400 (EDT) Subject: [keycloak-user] token expired exception (Stian Thorgersen) In-Reply-To: <000201cf4a2e$87f27a80$97d76f80$@vtc.vn> References: <000201cf4a2e$87f27a80$97d76f80$@vtc.vn> Message-ID: <2122589136.3501786.1395999555207.JavaMail.zimbra@redhat.com> To get started 
with the Keycloak project you should start out by looking at our documentation, screen-casts and most of all the demos. If you have a JavaEE application, or a JavaScript application, you should find it quite easy to get started by looking at the demos. Once you have tried Keycloak and have a specific question about Keycloak let me know and I can help you out.

----- Original Message -----
> From: "Toan Nguyen Xuan"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 28 March, 2014 2:36:32 AM
> Subject: Re: [keycloak-user] token expired exception (Stian Thorgersen)
>
> Hi,
> Currently I have not tried Keycloak with my project. I tried RESTEasy 3.0.6, which has a simple OAuth2 implementation, and I can't control the expired key in my project. Can you show me how to solve this problem by using Keycloak? I installed Keycloak successfully but I don't know where to start. If this is solved I will use Keycloak in my project.
> Many thanks in advance.
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Wednesday, March 26, 2014 4:20 PM
> To: Toan Nguyen Xuan
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] token expired exception
>
> Are you using one of our adapters?
>
> The token expiration can be controlled through the admin console, but generally a token should have a relatively short expiration (5-10 min). Then you have a refresh token with a long expiration (days) that can be used to retrieve a new token. Prior to doing a request you should check the expiration time and retrieve a new token if needed.
>
> ----- Original Message -----
> > From: "Toan Nguyen Xuan"
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 26 March, 2014 8:24:58 AM
> > Subject: [keycloak-user] token expired exception
> >
> > Hi you,
> >
> > I just use Keycloak to authenticate an application accessing my resource, but I don't know how to control the token key lifetime. An app cannot access my resource when the token key has expired, and this app does not know when to re-initialise the token key. I want to catch the token key expiry and return it to the apps. Please help me.
> >
> > Is there any extended Keycloak library? The goal of Keycloak is very good, I like this.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From n.preusker at gmail.com Fri Mar 28 11:17:37 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Fri, 28 Mar 2014 16:17:37 +0100
Subject: [keycloak-user] Inject (Keycloak)Principal
In-Reply-To: <533521DC.6010908@kroehling.de>
References: <533521DC.6010908@kroehling.de>
Message-ID:

Hi all,

I'm also looking into this right now and got it to work. However, I tried to retrieve the username from the HttpServletRequest with "servletRequest.getRemoteUser()" but instead of the name or e-mail I'm getting the actual ID from the database (62ccf5fd-949b-413d-977b-6f8bc29f94bf). Is this the expected/intended behavior?

Also, @Dirk: let me know if you need any help getting the injection of the roles and user id to work.

Cheers,
Nils

On Fri, Mar 28, 2014 at 8:16 AM, Juraci Paixão Kröhling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dirk,
>
> It seems it's missing the @SecurityDomain("keycloak") in your service, at the type level. If that's not the case, I can update the "sample-ejb-roles" quickstart, adapted to use Keycloak, so you can compare and check what's missing.
>
> Just to confirm: have you also added the security-domain to the standalone.xml?
> The instructions are at the end of section 6.2.1 of the user guide:
>
> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e485
>
> Juca.
>
> On 03/28/2014 01:31 AM, Dirk Franssen wrote:
> > Hi,
> >
> > I was playing around with the examples, more specifically with the customer-portal-js which is accessing the database resource. In that CustomerService I was trying to get access to the Principal and trying to extend it to return, in addition, the username of the logged-in user:
> >
> >     import java.security.Principal;
> >     import java.util.ArrayList;
> >     import java.util.List;
> >
> >     import javax.inject.Inject;
> >     import javax.ws.rs.GET;
> >     import javax.ws.rs.Path;
> >     import javax.ws.rs.Produces;
> >
> >     import org.jboss.resteasy.annotations.cache.NoCache;
> >
> >     @Path("customers")
> >     public class CustomerService {
> >
> >         @Inject
> >         Principal principal;   // CDI-injected; this is the field that ends up null
> >
> >         //@Context
> >         //SecurityContext sc;
> >         //Principal principal = sc.getUserPrincipal();
> >
> >         //@Context
> >         //ContainerRequestContext request;
> >         //SecurityContext sc = request.getSecurityContext();
> >         //Principal principal = sc.getUserPrincipal();
> >
> >         @GET
> >         @Produces("application/json")
> >         @NoCache
> >         public List<String> getCustomers() {
> >             ArrayList<String> rtn = new ArrayList<String>();
> >             rtn.add("Bill Burke");
> >             rtn.add("Stian Thorgersen");
> >             rtn.add("Stan Silvert");
> >             rtn.add("Gabriel Cardoso");
> >             rtn.add("Viliam Rockai");
> >             rtn.add("Marek Posolda");
> >             rtn.add("Boleslaw Dawidowicz");
> >             rtn.add(principal.getName()); // <--- add username to the list
> >             return rtn;
> >         }
> >     }
> >
> > But this throws an NPE as the principal is always null. I noticed that the JaxrsBearerTokenFilter is adding to the ContainerRequestContext a new SecurityContext, of which the getUserPrincipal method returns the KeycloakPrincipal. But I can't figure out how to get access to this from the CustomerService.
> >
> > My intention is to verify if the logged-in user is accessing his own resources, and e.g. is not trying to update data of somebody else. E.g. the id should match principal.getName() in the following:
> >
> >     @POST
> >     @Path("/users/{id}/friends")
> >     public void addFriend(@PathParam("id") String userId, Friend friend) { ... }
> >
> > Any suggestions?
It would be nice if, beside the KeycloakPrincipal > > is injectable, to be able to define something like @IsOwner: > > > > public void addFriend(@PathParam("id") @IsOwner String userId, > > Friend friend) > > > > or even more concise: > > > > public void addFriend(@IsOwner("id") String userId, Friend friend) > > > > Kind regards, Dirk Franssen > > > > > > On Thu, Mar 27, 2014 at 5:29 PM, > > > > wrote: > > > > Send keycloak-user mailing list submissions to > > keycloak-user at lists.jboss.org > > > > > > To subscribe or unsubscribe via the World Wide Web, visit > > https://lists.jboss.org/mailman/listinfo/keycloak-user or, via > > email, send a message with subject or body 'help' to > > keycloak-user-request at lists.jboss.org > > > > > > You can reach the person managing the list at > > keycloak-user-owner at lists.jboss.org > > > > > > When replying, please edit your Subject line so it is more > > specific than "Re: Contents of keycloak-user digest..." > > > > > > Today's Topics: > > > > 1. Re: Keycloak and AngularJS (Bill Burke) 2. Re: Keycloak and > > AngularJS (Stian Thorgersen) 3. Re: Keycloak and AngularJS (Nils > > Preusker) 4. Re: Keycloak and AngularJS (Bill Burke) > > > > > > ---------------------------------------------------------------------- > > > > Message: 1 Date: Thu, 27 Mar 2014 11:39:07 -0400 From: Bill Burke > > > Subject: Re: > > [keycloak-user] Keycloak and AngularJS To: > > keycloak-user at lists.jboss.org > > Message-ID: > > <5334461B.8040202 at redhat.com > > > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > > > What I like about the current admin console approach is that there > > is no book keeping required by the browser. The Angular app has > > really no knowledge of how it is being secured as its all driven by > > the server. Also, you need to remember that the admin console was > > designed to be run in a non-Java EE, non-servlet environment. 
> > While this is a requirement for Keycloak, it may not be for your > > application. So, what I'm saying is that for your angular > > application, you could rely on the servlet container and keycloak > > adapter to maintain a session cookie and identity. > > > > What I like about the keycloak.js approach is that there is no > > server-side adapter required for the UI. The UI could be hosted > > off any number of static web sites and use CORS invocations to any > > number of Restful services. > > > > There's also the debate of public vs. confidential clients. The > > keycloak.js approach requires a public client. My understanding > > was that confidential clients exist so that only an authenticated > > client (client *NOT* user) is able to obtain an access token. I'm > > not exactly sure what additional security benefits are obtained > > here beyond this. I've been trying to ask this very question on > > OAuth mail lists but have been unable to get a response so far. > > > > > > > > On 3/27/2014 10:41 AM, Nils Preusker wrote: > >> Hi Stian and Bill, > >> > >> I've posted some questions regarding this topic before but I > > thought I'd > >> start a new thread to keep things focused: > >> > >> I'm writing an AngularJS application with Java EE 6/7 REST > >> (JAX-RS) backend modules. To add authentication and authorization > >> to this application, I'd like to use keycloak > >> > >> * as a user and role management front-end * to provide a > >> customizable login page (works very well by the way ;) * as an > >> OAuth 2.0 token provider * to add user and role information to > >> the HTTPRequests in my REST/ backend modules > >> > >> To do this, I'm currently looking at keycloak.js and the > > customer-app-js > >> example. However, I'm wondering whether this is really the best > >> way to go. In a reply to an earlier post of mine you mentioned > >> that the keycloak admin console is written in AngularJS and that > >> you are using HTTP-only cookies there. 
> >> > >> However, in keycloak.js and the customer-app-js example you are > >> retrieving the token in the JS app and adding an authorization > >> header with a bearer token to the HTTP requests. > >> > >> So here are my questions: > >> > >> * Is there a reason you are using two different approaches in > >> the > > admin > >> console and the official demo app? * which one of the two > >> approaches (bearer tokens vs. HTTP-only cookie) will you support/ > >> will be the officially recommended one for HTML5/ client side > >> JavaScript applications in keycloak? * am I right in assuming > >> that you haven't quite decided yet which approach to use and that > >> you are still discussing this in the > > keycloak team? > >> > >> Looking forwards to your reply! Cheers, Nils > >> > >> > >> _______________________________________________ keycloak-user > >> mailing list keycloak-user at lists.jboss.org > >> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > -- Bill Burke JBoss, a division of Red Hat > > http://bill.burkecentral.com > > > > > > ------------------------------ > > > > Message: 2 Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT) From: Stian > > Thorgersen > Subject: > > Re: [keycloak-user] Keycloak and AngularJS To: Bill Burke > > > Cc: > > keycloak-user at lists.jboss.org > > Message-ID: > > <884719116.3009607.1395937081146.JavaMail.zimbra at redhat.com > > > > > > > > Content-Type: text/plain; charset=utf-8 > > > > Personally, I think that in most cases for a client-side web app > > the best approach is to let the client-side do the oauth flow (the > > approach we're currently taking in keycloak.js). It does depend on > > your application though, and if you're application has a strict > > one html5 app calls one REST service then http-only cookies are an > > option. I don't see any real benefits of it though, and I believe > > it significantly complicates things. 
> > > > Have a look at > > > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/ > , > > > > > I think it provides a good summary of the pros of the token approach. > > > > ----- Original Message ----- > >> From: "Bill Burke" >> > To: keycloak-user at lists.jboss.org > > > >> Sent: Thursday, 27 March, 2014 3:39:07 PM Subject: Re: > >> [keycloak-user] Keycloak and AngularJS > >> > >> What I like about the current admin console approach is that > >> there > > is no > >> book keeping required by the browser. The Angular app has really > >> no knowledge of how it is being secured as its all driven by the > >> server. Also, you need to remember that the admin console was > >> designed to > > be run > >> in a non-Java EE, non-servlet environment. While this is a > > requirement > >> for Keycloak, it may not be for your application. So, what I'm > >> saying is that for your angular application, you could rely on > >> the servlet container and keycloak adapter to maintain a session > >> cookie and > > identity. > >> > >> What I like about the keycloak.js approach is that there is no > >> server-side adapter required for the UI. The UI could be hosted > > off any > >> number of static web sites and use CORS invocations to any number > >> of Restful services. > >> > >> There's also the debate of public vs. confidential clients. The > >> keycloak.js approach requires a public client. My understanding > >> was that confidential clients exist so that only an authenticated > >> client (client *NOT* user) is able to obtain an access token. > >> I'm not > > exactly > >> sure what additional security benefits are obtained here beyond > >> this. I've been trying to ask this very question on OAuth mail > >> lists but > > have > >> been unable to get a response so far. 
> >> > >> > >> > >> On 3/27/2014 10:41 AM, Nils Preusker wrote: > >>> Hi Stian and Bill, > >>> > >>> I've posted some questions regarding this topic before but I > > thought I'd > >>> start a new thread to keep things focused: > >>> > >>> I'm writing an AngularJS application with Java EE 6/7 REST > >>> (JAX-RS) backend modules. To add authentication and > >>> authorization to this application, I'd like to use keycloak > >>> > >>> * as a user and role management front-end * to provide a > >>> customizable login page (works very well by the > > way ;) > >>> * as an OAuth 2.0 token provider * to add user and role > >>> information to the HTTPRequests in my REST/ backend modules > >>> > >>> To do this, I'm currently looking at keycloak.js and the > > customer-app-js > >>> example. However, I'm wondering whether this is really the > >>> best > > way to > >>> go. In a reply to an earlier post of mine you mentioned that > >>> the keycloak admin console is written in AngularJS and that you > >>> are > > using > >>> HTTP-only cookies there. > >>> > >>> However, in keycloak.js and the customer-app-js example you > >>> are retrieving the token in the JS app and adding an > >>> authorization > > header > >>> with a bearer token to the HTTP requests. > >>> > >>> So here are my questions: > >>> > >>> * Is there a reason you are using two different approaches in > > the admin > >>> console and the official demo app? * which one of the two > >>> approaches (bearer tokens vs. HTTP-only > > cookie) > >>> will you support/ will be the officially recommended one for > >>> HTML5/ client side JavaScript applications in keycloak? * am I > >>> right in assuming that you haven't quite decided yet which > >>> approach to use and that you are still discussing this in the > > keycloak > >>> team? > >>> > >>> Looking forwards to your reply! 
Cheers, Nils > >>> > >>> > >>> _______________________________________________ keycloak-user > >>> mailing list keycloak-user at lists.jboss.org > >>> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> > >> -- Bill Burke JBoss, a division of Red Hat > >> http://bill.burkecentral.com > >> _______________________________________________ keycloak-user > >> mailing list keycloak-user at lists.jboss.org > >> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > ------------------------------ > > > > Message: 3 Date: Thu, 27 Mar 2014 17:24:06 +0100 From: Nils > > Preusker > > > Subject: Re: [keycloak-user] Keycloak and AngularJS To: > > keycloak-user at lists.jboss.org > > Message-ID: > > > > > > > > > > > Content-Type: text/plain; charset="iso-8859-1" > > > > Hi Stian and Bill, > > > > thanks for your replies! I'll check out the blog post and try the > > approach with a web.xml and a keycloak.json in the backend for now. > > I'll keep you posted on what I end up with on the client side. > > > > Cheers, Nils > > > > > > > > On Thu, Mar 27, 2014 at 5:18 PM, Stian Thorgersen > > > wrote: > > > >> Personally, I think that in most cases for a client-side web app > > the best > >> approach is to let the client-side do the oauth flow (the > >> approach > > we're > >> currently taking in keycloak.js). It does depend on your > >> application though, and if you're application has a strict one > >> html5 app calls > > one REST > >> service then http-only cookies are an option. I don't see any > >> real > > benefits > >> of it though, and I believe it significantly complicates things. > >> > >> Have a look at > >> > > > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/ > , > > > > I think it provides a good summary of the pros of the token > > approach. 
> >> > >> ----- Original Message ----- > >>> From: "Bill Burke" >>> > To: keycloak-user at lists.jboss.org > > > >>> Sent: Thursday, 27 March, 2014 3:39:07 PM Subject: Re: > >>> [keycloak-user] Keycloak and AngularJS > >>> > >>> What I like about the current admin console approach is that > > there is no > >>> book keeping required by the browser. The Angular app has > >>> really no knowledge of how it is being secured as its all > >>> driven by the > > server. > >>> Also, you need to remember that the admin console was designed > > to be run > >>> in a non-Java EE, non-servlet environment. While this is a > > requirement > >>> for Keycloak, it may not be for your application. So, what > >>> I'm > > saying > >>> is that for your angular application, you could rely on the > >>> servlet container and keycloak adapter to maintain a session > >>> cookie and > > identity. > >>> > >>> What I like about the keycloak.js approach is that there is no > >>> server-side adapter required for the UI. The UI could be > >>> hosted > > off any > >>> number of static web sites and use CORS invocations to any > >>> number of Restful services. > >>> > >>> There's also the debate of public vs. confidential clients. > >>> The keycloak.js approach requires a public client. My > >>> understanding was that confidential clients exist so that only > >>> an authenticated client (client *NOT* user) is able to obtain > >>> an access token. I'm not > > exactly > >>> sure what additional security benefits are obtained here > >>> beyond > > this. > >>> I've been trying to ask this very question on OAuth mail lists > > but have > >>> been unable to get a response so far. 
> >>> > >>> > >>> > >>> On 3/27/2014 10:41 AM, Nils Preusker wrote: > >>>> Hi Stian and Bill, > >>>> > >>>> I've posted some questions regarding this topic before but I > > thought > >> I'd > >>>> start a new thread to keep things focused: > >>>> > >>>> I'm writing an AngularJS application with Java EE 6/7 REST > > (JAX-RS) > >>>> backend modules. To add authentication and authorization to > >>>> this application, I'd like to use keycloak > >>>> > >>>> * as a user and role management front-end * to provide a > >>>> customizable login page (works very well by the > > way ;) > >>>> * as an OAuth 2.0 token provider * to add user and role > >>>> information to the HTTPRequests in my REST/ backend modules > >>>> > >>>> To do this, I'm currently looking at keycloak.js and the > >> customer-app-js > >>>> example. However, I'm wondering whether this is really the > > best way to > >>>> go. In a reply to an earlier post of mine you mentioned that > >>>> the keycloak admin console is written in AngularJS and that > >>>> you > > are using > >>>> HTTP-only cookies there. > >>>> > >>>> However, in keycloak.js and the customer-app-js example you > >>>> are retrieving the token in the JS app and adding an > >>>> authorization > > header > >>>> with a bearer token to the HTTP requests. > >>>> > >>>> So here are my questions: > >>>> > >>>> * Is there a reason you are using two different approaches > >>>> in > > the admin > >>>> console and the official demo app? * which one of the two > >>>> approaches (bearer tokens vs. HTTP-only > > cookie) > >>>> will you support/ will be the officially recommended one for > > HTML5/ > >>>> client side JavaScript applications in keycloak? * am I right > >>>> in assuming that you haven't quite decided yet which approach > >>>> to use and that you are still discussing this in the > > keycloak > >>>> team? > >>>> > >>>> Looking forwards to your reply! 
> >>>> Cheers, Nils
> >>>>
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/b8e5ee89/attachment-0001.html
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 27 Mar 2014 12:29:54 -0400
> > From: Bill Burke
> > Subject: Re: [keycloak-user] Keycloak and AngularJS
> > To: Stian Thorgersen
> > Cc: keycloak-user at lists.jboss.org
> > Message-ID: <53345202.4060105 at redhat.com>
> > Content-Type: text/plain; charset=UTF-8; format=flowed
> >
> > One of the problems with the keycloak.js approach is that we have no way to perform a single log out or to force a logout of a specific user. I think the OpenID Connect spec may have a way with IFrames to do this sort of thing though. I didn't really get it at first glance though.
> >
> > On 3/27/2014 12:18 PM, Stian Thorgersen wrote:
> >> Personally, I think that in most cases for a client-side web app the best approach is to let the client-side do the oauth flow (the approach we're currently taking in keycloak.js). It does depend on your application though, and if your application has a strict one html5 app calls one REST service then http-only cookies are an option. I don't see any real benefits of it though, and I believe it significantly complicates things.
> >>
> >> Have a look at http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, I think it provides a good summary of the pros of the token approach.
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke"
> >>> To: keycloak-user at lists.jboss.org
> >>> Sent: Thursday, 27 March, 2014 3:39:07 PM
> >>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> >>>
> >>> [...]
> >>
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> > ------------------------------
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > End of keycloak-user Digest, Vol 3, Issue 14
> > ********************************************
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBCgAGBQJTNSHcAAoJEDnJtskdmzLMHrYH/1D/vMgPxD0WUZ5KdIoD5Cow
> gb9fa+RZDQrpPxL1qKpqWJX3g1cKt8hQa1Xz7dX64G3/xcLUUkoJKkAtiJPysp75
> xbkdWV+RGQXDHuyZcS75xEXQlPaWt2cEVxdSXMalzfQPzVhq00FBbeJLirKLbYsY
> I2CIjJgCSQhmOrVfP5vUSdrwsLsd+TBXee4779YiOceSW16oG9Nfsa5gF1XJSNhi
> o2fZCEkoXhbTD7RXuhhrDWlFBCQOIgWf6FUHEAVKnXeIR5oey6U9hv1Z16Kd2Pll
> Pv8+LWlJjKMfkmrCQrVQvYSI/n64vxjikta2ByBdOPethsebqXO9oknbiPtjq6E=
> =TiWl
> -----END PGP SIGNATURE-----
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
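The owner check Dirk is after can be done with plain JAX-RS 2.0, using the fact Nils reports above: with the Keycloak adapter, the principal name (what `getRemoteUser()` and `getUserPrincipal().getName()` return) is the Keycloak user ID, not the username, so it is the right key to compare against a `{id}` path parameter. The block below is an added example written for this thread; it is not code from the thread, from the Keycloak examples or from the Keycloak adapter. The annotation `IsOwner`, the filter `OwnerFilter`, the `Friend` body class, the package name and the choice of `id` as the path parameter that names the owner are all assumptions of the example. It takes the `SecurityContext` through `@Context` (and, in the filter, from `ContainerRequestContext`) rather than through CDI `@Inject Principal`, which is what was coming back null.

```java
// Added example (not from the thread or from Keycloak). Three source files are shown in one
// block, separated by "// ---- File:" comments; only the JAX-RS 2.0 (javax.ws.rs) API is used.

// ---- File: IsOwner.java ----
package example.auth;   // hypothetical package name

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.ws.rs.NameBinding;

/** Marks resource methods whose {id} path parameter must equal the caller's user ID. */
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface IsOwner {
}

// ---- File: OwnerFilter.java ----
package example.auth;

import java.security.Principal;
import java.util.List;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Post-matching filter bound to @IsOwner. It reads the SecurityContext that the bearer-token
 * filter installed on the request and compares the principal name, which with the Keycloak
 * adapter is the user's ID (a UUID), against the {id} path parameter. Priority AUTHORIZATION
 * (2000) orders it after AUTHENTICATION-priority filters; pre-matching filters run earlier anyway.
 */
@IsOwner
@Provider
@Priority(Priorities.AUTHORIZATION)
public class OwnerFilter implements ContainerRequestFilter {

    /** Hypothetical: the path parameter that names the resource owner. */
    static final String OWNER_PARAM = "id";

    @Override
    public void filter(ContainerRequestContext request) {
        SecurityContext sc = request.getSecurityContext();
        Principal caller = (sc == null) ? null : sc.getUserPrincipal();
        if (caller == null || caller.getName() == null) {
            // No authenticated identity: 401, and no hint about whether the resource exists.
            request.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // Path parameters are populated because this is a post-matching (name-bound) filter.
        List<String> owner = request.getUriInfo().getPathParameters().get(OWNER_PARAM);
        // Exactly one {id} value is expected; anything else is treated as "not the owner".
        if (owner == null || owner.size() != 1 || !isOwner(caller.getName(), owner.get(0))) {
            request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    /** Pure comparison, kept separate so it can be unit-tested without a container. */
    static boolean isOwner(String callerId, String pathId) {
        return callerId != null && pathId != null && callerId.equals(pathId);
    }
}

// ---- File: CustomerService.java ----
package example.auth;

import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("customers")
public class CustomerService {

    // Injected per request by JAX-RS. With the Keycloak bearer-token filter in front of this
    // resource, getUserPrincipal() is the Keycloak principal and getName() is the user ID.
    @Context
    private SecurityContext securityContext;

    @GET
    @Produces("application/json")
    public List<String> getCustomers() {
        List<String> rtn = new ArrayList<String>();
        rtn.add("Bill Burke");
        rtn.add(securityContext.getUserPrincipal().getName());  // the user ID, not the username
        return rtn;
    }

    /** Only the user whose ID is {id} may add friends to that user; OwnerFilter enforces it. */
    @POST
    @Path("/users/{id}/friends")
    @Consumes("application/json")
    @IsOwner
    public Response addFriend(@PathParam("id") String userId, Friend friend) {
        // By the time this runs, the filter has rejected any caller whose ID differs from userId.
        return Response.noContent().build();
    }

    /** Minimal request body type for the example (hypothetical). */
    public static class Friend {
        public String id;
    }
}
```

A name-bound filter only runs for methods (or classes) carrying the binding annotation, so unannotated methods keep their existing behaviour, and because it is post-matching, `UriInfo.getPathParameters()` is already filled in when it runs. Dirk's more concise `@IsOwner("id")` form would need the filter to read the annotation value through an injected `ResourceInfo` instead of the fixed `OWNER_PARAM`; the comparison itself is unchanged. Keying the check on the user ID rather than the username is deliberate: the ID is what the adapter exposes as the principal name, and it does not change when a username is edited or reused.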
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140328/10401d8e/attachment-0001.html

From juraci at kroehling.de Fri Mar 28 11:35:19 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 28 Mar 2014 16:35:19 +0100
Subject: [keycloak-user] Inject (Keycloak)Principal
In-Reply-To:
References: <533521DC.6010908@kroehling.de>
Message-ID: <533596B7.8010509@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

From what I see on my own tests, yes, that's expected :-)

You can get the other details by giving more claims to the application, and then casting the Principal to a keycloak identity class, which will provide methods to get the other information. I can't recall the class name from the top of my head, but it should be easy to find out in a quick debugging session.

By the way, I quite like this approach of giving only IDs by default, as I can control which applications can get the name/email of the user. Some applications of mine just need a stable ID, no emails nor names or anything else, so this is quite convenient.

Juca.

On 03/28/2014 04:17 PM, Nils Preusker wrote:
> Hi all,
>
> I'm also looking into this right now and got it to work. However, I tried to retrieve the username from the HttpServletRequest with "servletRequest.getRemoteUser()" but instead of the name or e-mail I'm getting the actual ID from the database (62ccf5fd-949b-413d-977b-6f8bc29f94bf).
>
> Is this the expected/ intended behavior?
>
> Also, @Dirk: let me know if you need any help getting the injection of the roles and user id to work.
>
> Cheers, Nils
>
>
> On Fri, Mar 28, 2014 at 8:16 AM, Juraci Paixão Kröhling wrote:
>
> Dirk,
>
> It seems it's missing the @SecurityDomain("keycloak") in your service, at the type level. If that's not the case, I can update the "sample-ejb-roles" quickstart, adapted to use Keycloak, so you can compare and check what's missing.
>
> Just to confirm: have you also added the security-domain to the standalone.xml? The instructions are at the end of section 6.2.1 from the user guide:
>
> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e485
>
> Juca.
>
> On 03/28/2014 01:31 AM, Dirk Franssen wrote:
>> Hi,
>>
>> I was playing around with the examples, more specifically with the customer-portal-js which is accessing the database resource. In that CustomerService I was trying to get access to the Principal and trying to extend to return in addition the username of the logged-in user:
>>
>>     import java.security.Principal;
>>     import java.util.ArrayList;
>>     import java.util.List;
>>     import javax.inject.Inject;
>>     import javax.ws.rs.GET;
>>     import javax.ws.rs.Path;
>>     import javax.ws.rs.Produces;
>>     import org.jboss.resteasy.annotations.cache.NoCache;
>>
>>     @Path("customers")
>>     public class CustomerService {
>>
>>         @Inject
>>         Principal principal;
>>
>>         //@Context
>>         //SecurityContext sc;
>>         //Principal principal = sc.getUserPrincipal();
>>
>>         //@Context
>>         //ContainerRequestContext request;
>>         //SecurityContext sc = request.getSecurityContext();
>>         //Principal principal = sc.getUserPrincipal();
>>
>>         @GET
>>         @Produces("application/json")
>>         @NoCache
>>         public List<String> getCustomers() {
>>             ArrayList<String> rtn = new ArrayList<String>();
>>             rtn.add("Bill Burke");
>>             rtn.add("Stian Thorgersen");
>>             rtn.add("Stan Silvert");
>>             rtn.add("Gabriel Cardoso");
>>             rtn.add("Viliam Rockai");
>>             rtn.add("Marek Posolda");
>>             rtn.add("Boleslaw Dawidowicz");
>>             rtn.add(principal.getName()); // <--- add username to the list
>>             return rtn;
>>         }
>>     }
>>
>> But this throws an NPE as the principal is always null. I noticed that the JaxrsBearerTokenFilter is adding to the ContainerRequestContext a new SecurityContext, of which the getUserPrincipal method returns the KeycloakPrincipal. But I can't figure out how to get access to this from the CustomerService.
>>
>> My intention is to verify if the logged-in user is accessing his own resources, and e.g. is not trying to update data of somebody else. E.g. the id should match principal.getName() in the following:
>>
>>     @POST
>>     @Path("/users/{id}/friends")
>>     public void addFriend(@PathParam("id") String userId, Friend friend) {
>>         ...
>>     }
>>
>> Any suggestions? It would be nice if, besides the KeycloakPrincipal being injectable, it were possible to define something like @IsOwner:
>>
>>     public void addFriend(@PathParam("id") @IsOwner String userId, Friend friend)
>>
>> or even more concise:
>>
>>     public void addFriend(@IsOwner("id") String userId, Friend friend)
>>
>> Kind regards, Dirk Franssen
>>
>>
>> On Thu, Mar 27, 2014 at 5:29 PM, <keycloak-user-request at lists.jboss.org> wrote:
>>
>> Send keycloak-user mailing list submissions to keycloak-user at lists.jboss.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit https://lists.jboss.org/mailman/listinfo/keycloak-user or, via email, send a message with subject or body 'help' to keycloak-user-request at lists.jboss.org
>>
>> You can reach the person managing the list at keycloak-user-owner at lists.jboss.org
>>
>> When replying, please edit your Subject line so it is more specific than "Re: Contents of keycloak-user digest..."
>>
>> Today's Topics:
>>
>>    1. Re: Keycloak and AngularJS (Bill Burke)
>>    2. Re: Keycloak and AngularJS (Stian Thorgersen)
>>    3. Re: Keycloak and AngularJS (Nils Preusker)
>>    4. Re: Keycloak and AngularJS (Bill Burke)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 27 Mar 2014 11:39:07 -0400
>> From: Bill Burke
>> Subject: Re: [keycloak-user] Keycloak and AngularJS
>> To: keycloak-user at lists.jboss.org
>> Message-ID: <5334461B.8040202 at redhat.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> What I like about the current admin console approach is that there is no bookkeeping required by the browser. The Angular app has really no knowledge of how it is being secured as it's all driven by the server. Also, you need to remember that the admin console was designed to be run in a non-Java EE, non-servlet environment. While this is a requirement for Keycloak, it may not be for your application.
>> So, what I'm saying is that for your angular application, you could rely on the servlet container and keycloak adapter to maintain a session cookie and identity.
>>
>> What I like about the keycloak.js approach is that there is no server-side adapter required for the UI. The UI could be hosted off any number of static web sites and use CORS invocations to any number of Restful services.
>>
>> There's also the debate of public vs. confidential clients. The keycloak.js approach requires a public client. My understanding was that confidential clients exist so that only an authenticated client (client *NOT* user) is able to obtain an access token. I'm not exactly sure what additional security benefits are obtained here beyond this. I've been trying to ask this very question on OAuth mail lists but have been unable to get a response so far.
>>
>>
>> On 3/27/2014 10:41 AM, Nils Preusker wrote:
>>> Hi Stian and Bill,
>>>
>>> I've posted some questions regarding this topic before but I thought I'd start a new thread to keep things focused:
>>>
>>> I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) backend modules. To add authentication and authorization to this application, I'd like to use keycloak
>>>
>>> * as a user and role management front-end
>>> * to provide a customizable login page (works very well by the way ;)
>>> * as an OAuth 2.0 token provider
>>> * to add user and role information to the HTTPRequests in my REST/ backend modules
>>>
>>> To do this, I'm currently looking at keycloak.js and the customer-app-js example. However, I'm wondering whether this is really the best way to go. In a reply to an earlier post of mine you mentioned that the keycloak admin console is written in AngularJS and that you are using HTTP-only cookies there.
>>>
>>> However, in keycloak.js and the customer-app-js example you are retrieving the token in the JS app and adding an authorization header with a bearer token to the HTTP requests.
>>>
>>> So here are my questions:
>>>
>>> * Is there a reason you are using two different approaches in the admin console and the official demo app?
>>> * Which one of the two approaches (bearer tokens vs. HTTP-only cookie) will you support/ will be the officially recommended one for HTML5/ client side JavaScript applications in keycloak?
>>> * Am I right in assuming that you haven't quite decided yet which approach to use and that you are still discussing this in the keycloak team?
>>>
>>> Looking forward to your reply!
>>> Cheers, Nils
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT)
>> From: Stian Thorgersen
>> Subject: Re: [keycloak-user] Keycloak and AngularJS
>> To: Bill Burke
>> Cc: keycloak-user at lists.jboss.org
>> Message-ID: <884719116.3009607.1395937081146.JavaMail.zimbra at redhat.com>
>> Content-Type: text/plain; charset=utf-8
>>
>> Personally, I think that in most cases for a client-side web app the best approach is to let the client-side do the oauth flow (the approach we're currently taking in keycloak.js). It does depend on your application though, and if your application has a strict one html5 app calls one REST service then http-only cookies are an option. I don't see any real benefits of it though, and I believe it significantly complicates things.
>>
>> Have a look at http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, I think it provides a good summary of the pros of the token approach.
>>
>> ----- Original Message -----
>>> From: "Bill Burke"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Thursday, 27 March, 2014 3:39:07 PM
>>> Subject: Re: [keycloak-user] Keycloak and AngularJS
>>>
>>> [...]
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 27 Mar 2014 17:24:06 +0100
>> From: Nils Preusker
>> Subject: Re: [keycloak-user] Keycloak and AngularJS
>> To: keycloak-user at lists.jboss.org
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi Stian and Bill,
>>
>> thanks for your replies! I'll check out the blog post and try the approach with a web.xml and a keycloak.json in the backend for now. I'll keep you posted on what I end up with on the client side.
>>
>> Cheers, Nils
>>
>>
>> On Thu, Mar 27, 2014 at 5:18 PM, Stian Thorgersen wrote:
>>
>>> Personally, I think that in most cases for a client-side web app the best approach is to let the client-side do the oauth flow (the approach we're currently taking in keycloak.js). It does depend on your application though, and if your application has a strict one html5 app calls one REST service then http-only cookies are an option. I don't see any real benefits of it though, and I believe it significantly complicates things.
>>>
>>> Have a look at http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, I think it provides a good summary of the pros of the token approach.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke"
>>>> To: keycloak-user at lists.jboss.org
>>>> Sent: Thursday, 27 March, 2014 3:39:07 PM
>>>> Subject: Re: [keycloak-user] Keycloak and AngularJS
>>>>
>>>> [...]
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/b8e5ee89/attachment-0001.html
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Thu, 27 Mar 2014 12:29:54 -0400
>> From: Bill Burke
>> Subject: Re: [keycloak-user] Keycloak and AngularJS
>> To: Stian Thorgersen
>> Cc: keycloak-user at lists.jboss.org
>> Message-ID: <53345202.4060105 at redhat.com>
>> Content-Type: text/plain; charset=UTF-8; format=flowed
>>
>> One of the problems with the keycloak.js approach is that we have no way to perform a single log out or to force a logout of a specific user. I think the OpenID Connect spec may have a way with IFrames to do this sort of thing though. I didn't really get it at first glance though.
>>
>> On 3/27/2014 12:18 PM, Stian Thorgersen wrote:
>>> [...]
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> ------------------------------
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> End of keycloak-user Digest, Vol 3, Issue 14
>> ********************************************
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJTNZa3AAoJEDnJtskdmzLMHTsIAJ6DD/ZHonAUliDlWdg/2ahF
WR03fkKyev9TOeRT3BRl8yBKy16ajoXoWX/FqAsISQ/fMq4n+bEzSpP5xuNsmmpQ
qNMWM8/Kyk2GHbx4p1ajizzydRmjzmoKhcy+rm9N6qsy4YyfWfraWHEalKi2Vg5u
KCFMQA5nzDjSkpq8y2RMy+HgtyIjIim3JakpZugszP8FzwXDRFBfwqfCzYpM6JYN
bQ46ExEblTimzBI5vO2erQpUKaeO+a6E24GFMC4Qcq+xudbmW3itV5x+KLdzs6A6
+XXHPufHielNdXNMZknRiDljImlPEs+FdvHrKPSdx0SIylTKpMBjUKXq5E+foDU=
=v0Bq
-----END PGP SIGNATURE-----

From stian at redhat.com Fri Mar 28 11:47:51 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 28 Mar 2014 11:47:51 -0400 (EDT)
Subject: [keycloak-user] Inject (Keycloak)Principal
In-Reply-To:
References: <533521DC.6010908@kroehling.de>
Message-ID: <334094727.3760111.1396021671687.JavaMail.zimbra@redhat.com>

Yes that is expected behaviour. The ID of the user is the unique reference to a user within Keycloak, and is what we recommend you use to refer to the user within your application when possible. The reason is that there are reasons why a username/email may not refer to the same user over time. For example we will allow users to change their username (a feature you'll be able to disable), a user may be deleted, and another user re-created with the same username.

----- Original Message -----
> From: "Nils Preusker"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 28 March, 2014 3:17:37 PM
> Subject: Re: [keycloak-user] Inject (Keycloak)Principal
>
> Hi all,
>
> I'm also looking into this right now and got it to work. However, I tried to retrieve the username from the HttpServletRequest with "servletRequest.getRemoteUser()" but instead of the name or e-mail I'm getting the actual ID from the database (62ccf5fd-949b-413d-977b-6f8bc29f94bf).
>
> Is this the expected/ intended behavior?
>
> Also, @Dirk: let me know if you need any help getting the injection of the roles and user id to work.
>
> Cheers,
> Nils
>
>
> On Fri, Mar 28, 2014 at 8:16 AM, Juraci Paixão Kröhling <juraci at kroehling.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dirk,
>
> It seems it's missing the @SecurityDomain("keycloak") in your service, at the type level. If that's not the case, I can update the "sample-ejb-roles" quickstart, adapted to use Keycloak, so you can compare and check what's missing.
>
> Just to confirm: have you also added the security-domain to the standalone.xml?
> The instructions are at the end of section 6.2.1 from
> the user guide:
>
> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e485
>
> Juca.
>
> On 03/28/2014 01:31 AM, Dirk Franssen wrote:
> > Hi,
> >
> > I was playing around with the examples, more specifically with the
> > customer-portal-js which is accessing the database resource. In
> > that CustomerService I was trying to get access to the Principal
> > and trying to extend to return in addition the username of the
> > logged-in user:
> >
> > @Path("customers")
> > public class CustomerService {
> >     @Inject
> >     Principal principal;
> >     //@Context
> >     //SecurityContext sc;
> >     //Principal principal = sc.getUserPrincipal();
> >     //@Context
> >     //ContainerRequestContext request;
> >     //SecurityContext sc = request.getSecurityContext();
> >     //Principal principal = sc.getUserPrincipal();
> >
> >     @GET
> >     @Produces("application/json")
> >     @NoCache
> >     public List getCustomers() {
> >         ArrayList rtn = new ArrayList();
> >         rtn.add("Bill Burke");
> >         rtn.add("Stian Thorgersen");
> >         rtn.add("Stan Silvert");
> >         rtn.add("Gabriel Cardoso");
> >         rtn.add("Viliam Rockai");
> >         rtn.add("Marek Posolda");
> >         rtn.add("Boleslaw Dawidowicz");
> >         rtn.add(principal.getName()); //<--- add username to the list
> >         return rtn;
> >     }
> > }
> >
> > But this throws an NPE as the principal is always null. I noticed
> > that the JaxrsBearerTokenFilter is adding to the
> > ContainerRequestContext a new SecurityContext, of which the
> > getUserPrincipal method returns the KeycloakPrincipal. But I can't
> > figure out how to get access to this from the CustomerService.
> >
> > My intention is to verify if the logged-in user is accessing his
> > own resources, and e.g. is not trying to update data of somebody
> > else. E.g. the id should match principal.getName() in following:
> >
> > @POST
> > @Path("/users/{id}/friends")
> > public void addFriend(@PathParam("id") String userId, Friend friend) {
> >     ...
> > }
> >
> > Any suggestions?
> > It would be nice if, beside the KeycloakPrincipal
> > is injectable, to be able to define something like @IsOwner:
> >
> > public void addFriend(@PathParam("id") @IsOwner String userId,
> >                       Friend friend)
> >
> > or even more concise:
> >
> > public void addFriend(@IsOwner("id") String userId, Friend friend)
> >
> > Kind regards,
> > Dirk Franssen
> >
> >
> > On Thu, Mar 27, 2014 at 5:29 PM,
> > < keycloak-user-request at lists.jboss.org > wrote:
> >
> > Send keycloak-user mailing list submissions to
> > keycloak-user at lists.jboss.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > or, via email, send a message with subject or body 'help' to
> > keycloak-user-request at lists.jboss.org
> >
> > You can reach the person managing the list at
> > keycloak-user-owner at lists.jboss.org
> >
> > When replying, please edit your Subject line so it is more
> > specific than "Re: Contents of keycloak-user digest..."
> >
> > Today's Topics:
> >
> > 1. Re: Keycloak and AngularJS (Bill Burke)
> > 2. Re: Keycloak and AngularJS (Stian Thorgersen)
> > 3. Re: Keycloak and AngularJS (Nils Preusker)
> > 4. Re: Keycloak and AngularJS (Bill Burke)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Thu, 27 Mar 2014 11:39:07 -0400
> > From: Bill Burke < bburke at redhat.com >
> > Subject: Re: [keycloak-user] Keycloak and AngularJS
> > To: keycloak-user at lists.jboss.org
> > Message-ID: < 5334461B.8040202 at redhat.com >
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > What I like about the current admin console approach is that there
> > is no book keeping required by the browser. The Angular app has
> > really no knowledge of how it is being secured as it's all driven by
> > the server. Also, you need to remember that the admin console was
> > designed to be run in a non-Java EE, non-servlet environment.
> > While this is a requirement for Keycloak, it may not be for your
> > application. So, what I'm saying is that for your angular
> > application, you could rely on the servlet container and keycloak
> > adapter to maintain a session cookie and identity.
> >
> > What I like about the keycloak.js approach is that there is no
> > server-side adapter required for the UI. The UI could be hosted
> > off any number of static web sites and use CORS invocations to any
> > number of Restful services.
> >
> > There's also the debate of public vs. confidential clients. The
> > keycloak.js approach requires a public client. My understanding
> > was that confidential clients exist so that only an authenticated
> > client (client *NOT* user) is able to obtain an access token. I'm
> > not exactly sure what additional security benefits are obtained
> > here beyond this. I've been trying to ask this very question on
> > OAuth mail lists but have been unable to get a response so far.
> >
> >
> > On 3/27/2014 10:41 AM, Nils Preusker wrote:
> >> Hi Stian and Bill,
> >>
> >> I've posted some questions regarding this topic before but I thought I'd
> >> start a new thread to keep things focused:
> >>
> >> I'm writing an AngularJS application with Java EE 6/7 REST
> >> (JAX-RS) backend modules. To add authentication and authorization
> >> to this application, I'd like to use keycloak
> >>
> >> * as a user and role management front-end
> >> * to provide a customizable login page (works very well by the way ;)
> >> * as an OAuth 2.0 token provider
> >> * to add user and role information to the HTTPRequests in my REST/
> >>   backend modules
> >>
> >> To do this, I'm currently looking at keycloak.js and the customer-app-js
> >> example. However, I'm wondering whether this is really the best
> >> way to go. In a reply to an earlier post of mine you mentioned
> >> that the keycloak admin console is written in AngularJS and that
> >> you are using HTTP-only cookies there.
> >>
> >> However, in keycloak.js and the customer-app-js example you are
> >> retrieving the token in the JS app and adding an authorization
> >> header with a bearer token to the HTTP requests.
> >>
> >> So here are my questions:
> >>
> >> * Is there a reason you are using two different approaches in the admin
> >>   console and the official demo app?
> >> * which one of the two approaches (bearer tokens vs. HTTP-only cookie)
> >>   will you support/ will be the officially recommended one for HTML5/
> >>   client side JavaScript applications in keycloak?
> >> * am I right in assuming that you haven't quite decided yet which
> >>   approach to use and that you are still discussing this in the
> >>   keycloak team?
> >>
> >> Looking forward to your reply!
> >> Cheers,
> >> Nils
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT)
> > From: Stian Thorgersen < stian at redhat.com >
> > Subject: Re: [keycloak-user] Keycloak and AngularJS
> > To: Bill Burke < bburke at redhat.com >
> > Cc: keycloak-user at lists.jboss.org
> > Message-ID: < 884719116.3009607.1395937081146.JavaMail.zimbra at redhat.com >
> > Content-Type: text/plain; charset=utf-8
> >
> > Personally, I think that in most cases for a client-side web app
> > the best approach is to let the client-side do the oauth flow (the
> > approach we're currently taking in keycloak.js). It does depend on
> > your application though, and if your application has a strict
> > one html5 app calls one REST service then http-only cookies are an
> > option. I don't see any real benefits of it though, and I believe
> > it significantly complicates things.
> >
> > Have a look at
> > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/,
> > I think it provides a good summary of the pros of the token approach.
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Thu, 27 Mar 2014 17:24:06 +0100
> > From: Nils Preusker < n.preusker at gmail.com >
> > Subject: Re: [keycloak-user] Keycloak and AngularJS
> > To: keycloak-user at lists.jboss.org
> > Message-ID: 
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Hi Stian and Bill,
> >
> > thanks for your replies! I'll check out the blog post and try the
> > approach with a web.xml and a keycloak.json in the backend for now.
> > I'll keep you posted on what I end up with on the client side.
> >
> > Cheers,
> > Nils
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/b8e5ee89/attachment-0001.html
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Thu, 27 Mar 2014 12:29:54 -0400
> > From: Bill Burke < bburke at redhat.com >
> > Subject: Re: [keycloak-user] Keycloak and AngularJS
> > To: Stian Thorgersen < stian at redhat.com >
> > Cc: keycloak-user at lists.jboss.org
> > Message-ID: < 53345202.4060105 at redhat.com >
> > Content-Type: text/plain; charset=UTF-8; format=flowed
> >
> > One of the problems with the keycloak.js approach is that we have
> > no way to perform a single log out or to force a logout of a
> > specific user. I think the OpenID Connect spec may have a way with
> > IFrames to do this sort of thing though. I didn't really get it at
> > first glance though.
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > End of keycloak-user Digest, Vol 3, Issue 14
> > ********************************************
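The ownership check Dirk asks for in the thread above (the path {id} has to equal principal.getName(), which, as Stian and Nils note, is the Keycloak user ID rather than the username), written here as an added example that is not code from the thread or from Keycloak: a JAX-RS 2.0 DynamicFeature binds a post-matching filter to every resource method carrying a hypothetical @IsOwner annotation. OwnerCheck, OwnerFilter, OwnerFeature, UserResource and the Friend stand-in are assumed names for this example.

```java
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.List;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Hypothetical holder class; every name in this file is an assumption made for the example. */
public final class OwnerCheck {

    /** Marks a resource method whose named @PathParam must equal the caller's own user ID. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface IsOwner {
        String value();
    }

    /**
     * The comparison itself, kept free of container types so it can be unit-tested.
     * callerId is Principal.getName(): after the bearer-token filter has run this is the
     * Keycloak user ID (the stable reference Stian recommends), not a username or e-mail.
     */
    static boolean isOwner(String callerId, String requestedId) {
        return callerId != null && requestedId != null && callerId.equals(requestedId);
    }

    /** Post-matching filter: rejects the request before the resource method ever runs. */
    static final class OwnerFilter implements ContainerRequestFilter {
        private final String paramName;

        OwnerFilter(String paramName) {
            this.paramName = paramName;
        }

        @Override
        public void filter(ContainerRequestContext ctx) throws IOException {
            SecurityContext sc = ctx.getSecurityContext();
            Principal caller = sc == null ? null : sc.getUserPrincipal();
            if (caller == null) {
                // No authenticated principal: the token filter did not run or rejected the token.
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                return;
            }
            // Filters registered through a DynamicFeature run after resource matching,
            // so the template parameters of the matched @Path are already available.
            List<String> values = ctx.getUriInfo().getPathParameters().get(paramName);
            String requestedId = (values == null || values.isEmpty()) ? null : values.get(0);
            if (!isOwner(caller.getName(), requestedId)) {
                // Empty body on purpose: do not reveal whether the other user ID exists.
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }

    /** Binds OwnerFilter to every resource method that carries @IsOwner. */
    @Provider
    public static final class OwnerFeature implements DynamicFeature {
        @Override
        public void configure(ResourceInfo resourceInfo, FeatureContext context) {
            Method method = resourceInfo.getResourceMethod();
            IsOwner marker = method == null ? null : method.getAnnotation(IsOwner.class);
            if (marker != null) {
                context.register(new OwnerFilter(marker.value()));
            }
        }
    }

    /** Constructed stand-in for the Friend type in Dirk's snippet. */
    public static final class Friend {
        public String id;
    }

    /** Dirk's addFriend, guarded: 403 unless {id} is the caller's own Keycloak user ID. */
    @Path("users")
    public static final class UserResource {
        @POST
        @Path("/{id}/friends")
        @Consumes("application/json")
        @IsOwner("id")
        public Response addFriend(@PathParam("id") String userId, Friend friend) {
            // Only reached when userId equals the authenticated caller's user ID.
            return Response.noContent().build();
        }
    }
}
```

Because the filter compares the principal name, it inherits Stian's point above: it is correct only while the adapter puts the user ID, not a reusable username, into the principal.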

From bburke at redhat.com Fri Mar 28 11:52:30 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 28 Mar 2014 11:52:30 -0400
Subject: [keycloak-user] Inject (Keycloak)Principal
In-Reply-To: 
References: 
Message-ID: <53359ABE.5060706@redhat.com>

SecurityContext.getUserPrincipal() should be working without any other
additional JAX-RS filters. I'll take a look.
> > Cheers, > Nils > > > > On Thu, Mar 27, 2014 at 5:18 PM, Stian Thorgersen > wrote: > > > Personally, I think that in most cases for a client-side web app > the best > > approach is to let the client-side do the oauth flow (the > approach we're > > currently taking in keycloak.js). It does depend on your application > > though, and if you're application has a strict one html5 app > calls one REST > > service then http-only cookies are an option. I don't see any > real benefits > > of it though, and I believe it significantly complicates things. > > > > Have a look at > > > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, > > I think it provides a good summary of the pros of the token approach. > > > > ----- Original Message ----- > > > From: "Bill Burke" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Thursday, 27 March, 2014 3:39:07 PM > > > Subject: Re: [keycloak-user] Keycloak and AngularJS > > > > > > What I like about the current admin console approach is that > there is no > > > book keeping required by the browser. The Angular app has > really no > > > knowledge of how it is being secured as its all driven by the > server. > > > Also, you need to remember that the admin console was designed > to be run > > > in a non-Java EE, non-servlet environment. While this is a > requirement > > > for Keycloak, it may not be for your application. So, what I'm > saying > > > is that for your angular application, you could rely on the servlet > > > container and keycloak adapter to maintain a session cookie and > identity. > > > > > > What I like about the keycloak.js approach is that there is no > > > server-side adapter required for the UI. The UI could be > hosted off any > > > number of static web sites and use CORS invocations to any > number of > > > Restful services. > > > > > > There's also the debate of public vs. confidential clients. The > > > keycloak.js approach requires a public client. 
My > understanding was > > > that confidential clients exist so that only an authenticated > client > > > (client *NOT* user) is able to obtain an access token. I'm not > exactly > > > sure what additional security benefits are obtained here beyond > this. > > > I've been trying to ask this very question on OAuth mail lists > but have > > > been unable to get a response so far. > > > > > > > > > > > > On 3/27/2014 10:41 AM, Nils Preusker wrote: > > > > Hi Stian and Bill, > > > > > > > > I've posted some questions regarding this topic before but I > thought > > I'd > > > > start a new thread to keep things focused: > > > > > > > > I'm writing an AngularJS application with Java EE 6/7 REST > (JAX-RS) > > > > backend modules. To add authentication and authorization to this > > > > application, I'd like to use keycloak > > > > > > > > * as a user and role management front-end > > > > * to provide a customizable login page (works very well by > the way ;) > > > > * as an OAuth 2.0 token provider > > > > * to add user and role information to the HTTPRequests in my > REST/ > > > > backend modules > > > > > > > > To do this, I'm currently looking at keycloak.js and the > > customer-app-js > > > > example. However, I'm wondering whether this is really the > best way to > > > > go. In a reply to an earlier post of mine you mentioned that the > > > > keycloak admin console is written in AngularJS and that you > are using > > > > HTTP-only cookies there. > > > > > > > > However, in keycloak.js and the customer-app-js example you are > > > > retrieving the token in the JS app and adding an > authorization header > > > > with a bearer token to the HTTP requests. > > > > > > > > So here are my questions: > > > > > > > > * Is there a reason you are using two different approaches in > the admin > > > > console and the official demo app? > > > > * which one of the two approaches (bearer tokens vs. 
> HTTP-only cookie) > > > > will you support/ will be the officially recommended one for > HTML5/ > > > > client side JavaScript applications in keycloak? > > > > * am I right in assuming that you haven't quite decided yet which > > > > approach to use and that you are still discussing this in the > keycloak > > > > team? > > > > > > > > Looking forwards to your reply! > > > > Cheers, > > > > Nils > > > > > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/b8e5ee89/attachment-0001.html > > ------------------------------ > > Message: 4 > Date: Thu, 27 Mar 2014 12:29:54 -0400 > From: Bill Burke > > Subject: Re: [keycloak-user] Keycloak and AngularJS > To: Stian Thorgersen > > Cc: keycloak-user at lists.jboss.org > Message-ID: <53345202.4060105 at redhat.com > > > Content-Type: text/plain; charset=UTF-8; format=flowed > > One of the problems with the keycloak.js approach is that we have no way > to perform a single log out or to force a logout of a specific user. I > think the OpenID Connect spec may have a way with IFrames to do this > sort of thing though. I didn't really get it at first glance though. 
> > > On 3/27/2014 12:18 PM, Stian Thorgersen wrote: > > Personally, I think that in most cases for a client-side web app > the best approach is to let the client-side do the oauth flow (the > approach we're currently taking in keycloak.js). It does depend on > your application though, and if you're application has a strict one > html5 app calls one REST service then http-only cookies are an > option. I don't see any real benefits of it though, and I believe it > significantly complicates things. > > > > Have a look at > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/, > I think it provides a good summary of the pros of the token approach. > > > > ----- Original Message ----- > >> From: "Bill Burke" > > >> To: keycloak-user at lists.jboss.org > > >> Sent: Thursday, 27 March, 2014 3:39:07 PM > >> Subject: Re: [keycloak-user] Keycloak and AngularJS > >> > >> What I like about the current admin console approach is that > there is no > >> book keeping required by the browser. The Angular app has really no > >> knowledge of how it is being secured as its all driven by the > server. > >> Also, you need to remember that the admin console was designed > to be run > >> in a non-Java EE, non-servlet environment. While this is a > requirement > >> for Keycloak, it may not be for your application. So, what I'm > saying > >> is that for your angular application, you could rely on the servlet > >> container and keycloak adapter to maintain a session cookie and > identity. > >> > >> What I like about the keycloak.js approach is that there is no > >> server-side adapter required for the UI. The UI could be hosted > off any > >> number of static web sites and use CORS invocations to any number of > >> Restful services. > >> > >> There's also the debate of public vs. confidential clients. The > >> keycloak.js approach requires a public client. 
My understanding was > >> that confidential clients exist so that only an authenticated client > >> (client *NOT* user) is able to obtain an access token. I'm not > exactly > >> sure what additional security benefits are obtained here beyond > this. > >> I've been trying to ask this very question on OAuth mail lists > but have > >> been unable to get a response so far. > >> > >> > >> > >> On 3/27/2014 10:41 AM, Nils Preusker wrote: > >>> Hi Stian and Bill, > >>> > >>> I've posted some questions regarding this topic before but I > thought I'd > >>> start a new thread to keep things focused: > >>> > >>> I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) > >>> backend modules. To add authentication and authorization to this > >>> application, I'd like to use keycloak > >>> > >>> * as a user and role management front-end > >>> * to provide a customizable login page (works very well by the > way ;) > >>> * as an OAuth 2.0 token provider > >>> * to add user and role information to the HTTPRequests in my REST/ > >>> backend modules > >>> > >>> To do this, I'm currently looking at keycloak.js and the > customer-app-js > >>> example. However, I'm wondering whether this is really the best > way to > >>> go. In a reply to an earlier post of mine you mentioned that the > >>> keycloak admin console is written in AngularJS and that you are > using > >>> HTTP-only cookies there. > >>> > >>> However, in keycloak.js and the customer-app-js example you are > >>> retrieving the token in the JS app and adding an authorization > header > >>> with a bearer token to the HTTP requests. > >>> > >>> So here are my questions: > >>> > >>> * Is there a reason you are using two different approaches in > the admin > >>> console and the official demo app? > >>> * which one of the two approaches (bearer tokens vs. HTTP-only > cookie) > >>> will you support/ will be the officially recommended one for HTML5/ > >>> client side JavaScript applications in keycloak? 
> >>> * am I right in assuming that you haven't quite decided yet which > >>> approach to use and that you are still discussing this in the > keycloak > >>> team? > >>> > >>> Looking forwards to your reply! > >>> Cheers, > >>> Nils > >>> > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> > >> -- > >> Bill Burke > >> JBoss, a division of Red Hat > >> http://bill.burkecentral.com > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 3, Issue 14 > ******************************************** > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Mar 28 11:57:29 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 28 Mar 2014 11:57:29 -0400 Subject: [keycloak-user] Inject (Keycloak)Principal In-Reply-To: <334094727.3760111.1396021671687.JavaMail.zimbra@redhat.com> References: <533521DC.6010908@kroehling.de> <334094727.3760111.1396021671687.JavaMail.zimbra@redhat.com> Message-ID: <53359BE9.6060104@redhat.com> The KeycloakSecurityContext has access to the IDToken which can contain information like name, email, address, etc... Depending on how you configure your realm. Maybe IDToken should be added to the KeycloakPrincipal? 
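An added example, not code from this thread or from the Keycloak project, showing one way a JAX-RS resource can reach the adapter's KeycloakSecurityContext and perform the owner check Dirk describes (the path id must match the caller). It assumes the 1.0-alpha adapter behaviour of storing the context as a request attribute keyed by the KeycloakSecurityContext class name, JAX-RS 2.0 exception classes, and that IDToken exposes getName()/getEmail(); the UserResource class, the Friend type and the paths are invented for the illustration.

```java
// Added example (not from the thread or the Keycloak code base): owner check in a
// JAX-RS resource via the Keycloak adapter's security context.
// Assumptions: the adapter stores a KeycloakSecurityContext as a request attribute
// keyed by its class name (alpha-era behaviour) and exposes the parsed access token
// and ID token; IDToken getters marked "assumed" were not checked against a specific jar.
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

@Path("users")
public class UserResource {

    @Context
    private HttpServletRequest request;

    /** Hypothetical payload type, only for the example. */
    public static class Friend {
        public String name;
    }

    // The adapter attaches the security context under the fully qualified class name.
    private KeycloakSecurityContext securityContext() {
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
            request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // No adapter ran for this request: fail closed instead of trusting anything.
            throw new NotAuthorizedException("Bearer");
        }
        return ctx;
    }

    // The "sub" claim is the Keycloak user ID, the same stable UUID that
    // principal.getName()/getRemoteUser() return. Compare against it, not against
    // username or e-mail, which can change or be reused over time.
    static boolean isOwner(AccessToken token, String pathUserId) {
        return token != null
            && token.getSubject() != null
            && token.getSubject().equals(pathUserId);
    }

    @POST
    @Path("/{id}/friends")
    public void addFriend(@PathParam("id") String userId, Friend friend) {
        AccessToken token = securityContext().getToken();
        if (!isOwner(token, userId)) {
            // 403: authenticated, but not the owner of the resource being modified.
            throw new ForbiddenException("you may only modify your own friends");
        }
        // ... persist friend for userId
    }

    // Display data such as name and e-mail lives in the ID token, not in the Principal.
    @GET
    @Path("/me")
    @Produces("application/json")
    public List<String> me() {
        KeycloakSecurityContext ctx = securityContext();
        IDToken id = ctx.getIdToken();
        List<String> out = new ArrayList<String>();
        out.add(ctx.getToken().getSubject());
        if (id != null) {
            out.add(id.getName());  // assumed getter; populated according to the realm's claim config
            out.add(id.getEmail()); // assumed getter
        }
        return out;
    }
}
```

The check deliberately compares the path segment with the token's subject rather than with a username or e-mail, which is the identifier Stian recommends below for exactly the reasons he gives (usernames can be changed or reused after a delete). Pulling the context from the request attribute also avoids the null Principal Dirk hit when injecting it directly.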
On 3/28/2014 11:47 AM, Stian Thorgersen wrote: > Yes that is expected behaviour. The ID of the user is the unique reference to a user within Keycloak, and is what we recommend you use to refer to the user within your application when possible. The reason being that there are reasons why a username/email may not refer to the same user over time. For example we will allow users to change their username (a feature you'll be able to disable), a user may be deleted, and another user re-created with the same username. > > ----- Original Message ----- >> From: "Nils Preusker" >> To: keycloak-user at lists.jboss.org >> Sent: Friday, 28 March, 2014 3:17:37 PM >> Subject: Re: [keycloak-user] Inject (Keycloak)Principal >> >> Hi all, >> >> I'm also looking into this right now and got it to work. However, I tried to >> retrieve the username from the HttpServletRequest with >> "servletRequest.getRemoteUser()" but instead of the name or e-mail I'm >> getting the actual ID from the database >> (62ccf5fd-949b-413d-977b-6f8bc29f94bf). >> >> Is this the expected/ intended behavior? >> >> Also, @Dirk: let me know if you need any help getting the injection of the >> roles and user id to work. >> >> Cheers, >> Nils >> >> >> On Fri, Mar 28, 2014 at 8:16 AM, Juraci Paixão Kröhling < juraci at kroehling.de >>> wrote: >> >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Dirk, >> >> It seems it's missing the @SecurityDomain("keycloak") in your service, >> at the type level. If that's not the case, I can update the >> "sample-ejb-roles" quickstart, adapted to use Keycloak, so you can >> compare and check what's missing. >> >> Just to confirm: have you also added the security-domain to the >> standalone.xml? The instructions are at the end of section 6.2.1 from >> the user guide: >> >> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e485 >> >> Juca.
>> >> On 03/28/2014 01:31 AM, Dirk Franssen wrote: >>> Hi, >>> >>> I was playing around with the examples, more specifically with the >>> customer-portal-js which is accessing the database resource. In >>> that CustomerService I was trying to get access to the Principal >>> and trying to extend to return in addition the username of the >>> logged-in user: >>>
>>> import java.security.Principal;
>>> import java.util.ArrayList;
>>> import java.util.List;
>>> import javax.inject.Inject;
>>> import javax.ws.rs.GET;
>>> import javax.ws.rs.Path;
>>> import javax.ws.rs.Produces;
>>> import org.jboss.resteasy.annotations.cache.NoCache;
>>>
>>> @Path("customers")
>>> public class CustomerService {
>>>
>>>     @Inject
>>>     Principal principal;
>>>
>>>     // Alternatives tried instead of @Inject:
>>>     // @Context SecurityContext sc;
>>>     // Principal principal = sc.getUserPrincipal();
>>>     //
>>>     // @Context ContainerRequestContext request;
>>>     // SecurityContext sc = request.getSecurityContext();
>>>     // Principal principal = sc.getUserPrincipal();
>>>
>>>     @GET
>>>     @Produces("application/json")
>>>     @NoCache
>>>     public List<String> getCustomers() {
>>>         List<String> rtn = new ArrayList<String>();
>>>         rtn.add("Bill Burke");
>>>         rtn.add("Stian Thorgersen");
>>>         rtn.add("Stan Silvert");
>>>         rtn.add("Gabriel Cardoso");
>>>         rtn.add("Viliam Rockai");
>>>         rtn.add("Marek Posolda");
>>>         rtn.add("Boleslaw Dawidowicz");
>>>         rtn.add(principal.getName()); // <--- add username to the list
>>>         return rtn;
>>>     }
>>> }
>>> >>> But this throws an NPE as the principal is always null. I noticed >>> that the JaxrsBearerTokenFilter is adding to the >>> ContainerRequestContext a new SecurityContext, of which the >>> getUserPrincipal method returns the KeycloakPrincipal. But I can't >>> figure out how to get access to this from the CustomerService. >>> >>> My intention is to verify if the logged-in user is accessing his >>> own resources, and e.g. is not trying to update data of somebody >>> else. E.g. the id should match principal.getName() in the following: >>>
>>> @POST
>>> @Path("/users/{id}/friends")
>>> public void addFriend(@PathParam("id") String userId, Friend friend) { ... }
>>> >>> Any suggestions?
It would be nice if, beside the KeycloakPrincipal >>> is injectable, to be able to define something like @IsOwner: >>> >>> public void addFriend(@PathParam("id") @IsOwner String userId, >>> Friend friend) >>> >>> or even more concise: >>> >>> public void addFriend(@IsOwner("id") String userId, Friend friend) >>> >>> Kind regards, Dirk Franssen >>> >>> >>> On Thu, Mar 27, 2014 at 5:29 PM, >>> < keycloak-user-request at lists.jboss.org >>> > wrote: >>> >>> Send keycloak-user mailing list submissions to >>> keycloak-user at lists.jboss.org >>> >>> >>> To subscribe or unsubscribe via the World Wide Web, visit >>> https://lists.jboss.org/mailman/listinfo/keycloak-user or, via >>> email, send a message with subject or body 'help' to >>> keycloak-user-request at lists.jboss.org >>> >>> >>> You can reach the person managing the list at >>> keycloak-user-owner at lists.jboss.org >>> >>> >>> When replying, please edit your Subject line so it is more >>> specific than "Re: Contents of keycloak-user digest..." >>> >>> >>> Today's Topics: >>> >>> 1. Re: Keycloak and AngularJS (Bill Burke) 2. Re: Keycloak and >>> AngularJS (Stian Thorgersen) 3. Re: Keycloak and AngularJS (Nils >>> Preusker) 4. Re: Keycloak and AngularJS (Bill Burke) >>> >>> >>> ---------------------------------------------------------------------- >>> >>> Message: 1 Date: Thu, 27 Mar 2014 11:39:07 -0400 From: Bill Burke >>> < bburke at redhat.com > Subject: Re: >>> [keycloak-user] Keycloak and AngularJS To: >>> keycloak-user at lists.jboss.org >>> Message-ID: >>> < 5334461B.8040202 at redhat.com > >>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed >>> >>> What I like about the current admin console approach is that there >>> is no book keeping required by the browser. The Angular app has >>> really no knowledge of how it is being secured as its all driven by >>> the server. Also, you need to remember that the admin console was >>> designed to be run in a non-Java EE, non-servlet environment. 
>>> While this is a requirement for Keycloak, it may not be for your >>> application. So, what I'm saying is that for your angular >>> application, you could rely on the servlet container and keycloak >>> adapter to maintain a session cookie and identity. >>> >>> What I like about the keycloak.js approach is that there is no >>> server-side adapter required for the UI. The UI could be hosted >>> off any number of static web sites and use CORS invocations to any >>> number of Restful services. >>> >>> There's also the debate of public vs. confidential clients. The >>> keycloak.js approach requires a public client. My understanding >>> was that confidential clients exist so that only an authenticated >>> client (client *NOT* user) is able to obtain an access token. I'm >>> not exactly sure what additional security benefits are obtained >>> here beyond this. I've been trying to ask this very question on >>> OAuth mail lists but have been unable to get a response so far. >>> >>> >>> >>> On 3/27/2014 10:41 AM, Nils Preusker wrote: >>>> Hi Stian and Bill, >>>> >>>> I've posted some questions regarding this topic before but I >>> thought I'd >>>> start a new thread to keep things focused: >>>> >>>> I'm writing an AngularJS application with Java EE 6/7 REST >>>> (JAX-RS) backend modules. To add authentication and authorization >>>> to this application, I'd like to use keycloak >>>> >>>> * as a user and role management front-end * to provide a >>>> customizable login page (works very well by the way ;) * as an >>>> OAuth 2.0 token provider * to add user and role information to >>>> the HTTPRequests in my REST/ backend modules >>>> >>>> To do this, I'm currently looking at keycloak.js and the >>> customer-app-js >>>> example. However, I'm wondering whether this is really the best >>>> way to go. In a reply to an earlier post of mine you mentioned >>>> that the keycloak admin console is written in AngularJS and that >>>> you are using HTTP-only cookies there. 
>>>> >>>> However, in keycloak.js and the customer-app-js example you are >>>> retrieving the token in the JS app and adding an authorization >>>> header with a bearer token to the HTTP requests. >>>> >>>> So here are my questions: >>>> >>>> * Is there a reason you are using two different approaches in >>>> the >>> admin >>>> console and the official demo app? * which one of the two >>>> approaches (bearer tokens vs. HTTP-only cookie) will you support/ >>>> will be the officially recommended one for HTML5/ client side >>>> JavaScript applications in keycloak? * am I right in assuming >>>> that you haven't quite decided yet which approach to use and that >>>> you are still discussing this in the >>> keycloak team? >>>> >>>> Looking forwards to your reply! Cheers, Nils >>>> >>>> >>>> _______________________________________________ keycloak-user >>>> mailing list keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> -- Bill Burke JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> >>> >>> ------------------------------ >>> >>> Message: 2 Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT) From: Stian >>> Thorgersen < stian at redhat.com > Subject: >>> Re: [keycloak-user] Keycloak and AngularJS To: Bill Burke >>> < bburke at redhat.com > Cc: >>> keycloak-user at lists.jboss.org >>> Message-ID: >>> < 884719116.3009607.1395937081146.JavaMail.zimbra at redhat.com >>> > >>> >>> >> Content-Type: text/plain; charset=utf-8 >>> >>> Personally, I think that in most cases for a client-side web app >>> the best approach is to let the client-side do the oauth flow (the >>> approach we're currently taking in keycloak.js). It does depend on >>> your application though, and if you're application has a strict >>> one html5 app calls one REST service then http-only cookies are an >>> option. I don't see any real benefits of it though, and I believe >>> it significantly complicates things. 
>>> >>> Have a look at >>> http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/ >>> , >>> >>> >> I think it provides a good summary of the pros of the token approach. >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" < bburke at redhat.com >>>> > To: keycloak-user at lists.jboss.org >>> >>>> Sent: Thursday, 27 March, 2014 3:39:07 PM Subject: Re: >>>> [keycloak-user] Keycloak and AngularJS >>>> >>>> What I like about the current admin console approach is that >>>> there >>> is no >>>> book keeping required by the browser. The Angular app has really >>>> no knowledge of how it is being secured as its all driven by the >>>> server. Also, you need to remember that the admin console was >>>> designed to >>> be run >>>> in a non-Java EE, non-servlet environment. While this is a >>> requirement >>>> for Keycloak, it may not be for your application. So, what I'm >>>> saying is that for your angular application, you could rely on >>>> the servlet container and keycloak adapter to maintain a session >>>> cookie and >>> identity. >>>> >>>> What I like about the keycloak.js approach is that there is no >>>> server-side adapter required for the UI. The UI could be hosted >>> off any >>>> number of static web sites and use CORS invocations to any number >>>> of Restful services. >>>> >>>> There's also the debate of public vs. confidential clients. The >>>> keycloak.js approach requires a public client. My understanding >>>> was that confidential clients exist so that only an authenticated >>>> client (client *NOT* user) is able to obtain an access token. >>>> I'm not >>> exactly >>>> sure what additional security benefits are obtained here beyond >>>> this. I've been trying to ask this very question on OAuth mail >>>> lists but >>> have >>>> been unable to get a response so far. 
>>>> >>>> >>>> >>>> On 3/27/2014 10:41 AM, Nils Preusker wrote: >>>>> Hi Stian and Bill, >>>>> >>>>> I've posted some questions regarding this topic before but I >>> thought I'd >>>>> start a new thread to keep things focused: >>>>> >>>>> I'm writing an AngularJS application with Java EE 6/7 REST >>>>> (JAX-RS) backend modules. To add authentication and >>>>> authorization to this application, I'd like to use keycloak >>>>> >>>>> * as a user and role management front-end * to provide a >>>>> customizable login page (works very well by the >>> way ;) >>>>> * as an OAuth 2.0 token provider * to add user and role >>>>> information to the HTTPRequests in my REST/ backend modules >>>>> >>>>> To do this, I'm currently looking at keycloak.js and the >>> customer-app-js >>>>> example. However, I'm wondering whether this is really the >>>>> best >>> way to >>>>> go. In a reply to an earlier post of mine you mentioned that >>>>> the keycloak admin console is written in AngularJS and that you >>>>> are >>> using >>>>> HTTP-only cookies there. >>>>> >>>>> However, in keycloak.js and the customer-app-js example you >>>>> are retrieving the token in the JS app and adding an >>>>> authorization >>> header >>>>> with a bearer token to the HTTP requests. >>>>> >>>>> So here are my questions: >>>>> >>>>> * Is there a reason you are using two different approaches in >>> the admin >>>>> console and the official demo app? * which one of the two >>>>> approaches (bearer tokens vs. HTTP-only >>> cookie) >>>>> will you support/ will be the officially recommended one for >>>>> HTML5/ client side JavaScript applications in keycloak? * am I >>>>> right in assuming that you haven't quite decided yet which >>>>> approach to use and that you are still discussing this in the >>> keycloak >>>>> team? >>>>> >>>>> Looking forwards to your reply! 
Cheers, Nils >>>>> >>>>> >>>>> _______________________________________________ keycloak-user >>>>> mailing list keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> -- Bill Burke JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ keycloak-user >>>> mailing list keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> ------------------------------ >>> >>> Message: 3 Date: Thu, 27 Mar 2014 17:24:06 +0100 From: Nils >>> Preusker < n.preusker at gmail.com > >>> Subject: Re: [keycloak-user] Keycloak and AngularJS To: >>> keycloak-user at lists.jboss.org >>> Message-ID: >>> >>> >> >>> >> > >>> Content-Type: text/plain; charset="iso-8859-1" >>> >>> Hi Stian and Bill, >>> >>> thanks for your replies! I'll check out the blog post and try the >>> approach with a web.xml and a keycloak.json in the backend for now. >>> I'll keep you posted on what I end up with on the client side. >>> >>> Cheers, Nils >>> >>> >>> >>> On Thu, Mar 27, 2014 at 5:18 PM, Stian Thorgersen >>> < stian at redhat.com > wrote: >>> >>>> Personally, I think that in most cases for a client-side web app >>> the best >>>> approach is to let the client-side do the oauth flow (the >>>> approach >>> we're >>>> currently taking in keycloak.js). It does depend on your >>>> application though, and if you're application has a strict one >>>> html5 app calls >>> one REST >>>> service then http-only cookies are an option. I don't see any >>>> real >>> benefits >>>> of it though, and I believe it significantly complicates things. >>>> >>>> Have a look at >>>> >>> http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/ >>> , >>> >>> I think it provides a good summary of the pros of the token >>> approach. 
>>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" < bburke at redhat.com >>>>> > To: keycloak-user at lists.jboss.org >>> >>>>> Sent: Thursday, 27 March, 2014 3:39:07 PM Subject: Re: >>>>> [keycloak-user] Keycloak and AngularJS >>>>> >>>>> What I like about the current admin console approach is that >>> there is no >>>>> book keeping required by the browser. The Angular app has >>>>> really no knowledge of how it is being secured as its all >>>>> driven by the >>> server. >>>>> Also, you need to remember that the admin console was designed >>> to be run >>>>> in a non-Java EE, non-servlet environment. While this is a >>> requirement >>>>> for Keycloak, it may not be for your application. So, what >>>>> I'm >>> saying >>>>> is that for your angular application, you could rely on the >>>>> servlet container and keycloak adapter to maintain a session >>>>> cookie and >>> identity. >>>>> >>>>> What I like about the keycloak.js approach is that there is no >>>>> server-side adapter required for the UI. The UI could be >>>>> hosted >>> off any >>>>> number of static web sites and use CORS invocations to any >>>>> number of Restful services. >>>>> >>>>> There's also the debate of public vs. confidential clients. >>>>> The keycloak.js approach requires a public client. My >>>>> understanding was that confidential clients exist so that only >>>>> an authenticated client (client *NOT* user) is able to obtain >>>>> an access token. I'm not >>> exactly >>>>> sure what additional security benefits are obtained here >>>>> beyond >>> this. >>>>> I've been trying to ask this very question on OAuth mail lists >>> but have >>>>> been unable to get a response so far. 
>>>>> >>>>> >>>>> >>>>> On 3/27/2014 10:41 AM, Nils Preusker wrote: >>>>>> Hi Stian and Bill, >>>>>> >>>>>> I've posted some questions regarding this topic before but I >>> thought >>>> I'd >>>>>> start a new thread to keep things focused: >>>>>> >>>>>> I'm writing an AngularJS application with Java EE 6/7 REST >>> (JAX-RS) >>>>>> backend modules. To add authentication and authorization to >>>>>> this application, I'd like to use keycloak >>>>>> >>>>>> * as a user and role management front-end * to provide a >>>>>> customizable login page (works very well by the >>> way ;) >>>>>> * as an OAuth 2.0 token provider * to add user and role >>>>>> information to the HTTPRequests in my REST/ backend modules >>>>>> >>>>>> To do this, I'm currently looking at keycloak.js and the >>>> customer-app-js >>>>>> example. However, I'm wondering whether this is really the >>> best way to >>>>>> go. In a reply to an earlier post of mine you mentioned that >>>>>> the keycloak admin console is written in AngularJS and that >>>>>> you >>> are using >>>>>> HTTP-only cookies there. >>>>>> >>>>>> However, in keycloak.js and the customer-app-js example you >>>>>> are retrieving the token in the JS app and adding an >>>>>> authorization >>> header >>>>>> with a bearer token to the HTTP requests. >>>>>> >>>>>> So here are my questions: >>>>>> >>>>>> * Is there a reason you are using two different approaches >>>>>> in >>> the admin >>>>>> console and the official demo app? * which one of the two >>>>>> approaches (bearer tokens vs. HTTP-only >>> cookie) >>>>>> will you support/ will be the officially recommended one for >>> HTML5/ >>>>>> client side JavaScript applications in keycloak? * am I right >>>>>> in assuming that you haven't quite decided yet which approach >>>>>> to use and that you are still discussing this in the >>> keycloak >>>>>> team? >>>>>> >>>>>> Looking forwards to your reply! 
Cheers, Nils >>>>>> >>>>>> >>>>>> _______________________________________________ keycloak-user >>>>>> mailing list keycloak-user at lists.jboss.org >>> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> -- Bill Burke JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> _______________________________________________ keycloak-user >>>>> mailing list keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> _______________________________________________ keycloak-user >>>> mailing list keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> -------------- next part -------------- An HTML attachment was >>> scrubbed... URL: >>> http://lists.jboss.org/pipermail/keycloak-user/attachments/20140327/b8e5ee89/attachment-0001.html >>> >>> ------------------------------ >>> >>> Message: 4 Date: Thu, 27 Mar 2014 12:29:54 -0400 From: Bill Burke >>> < bburke at redhat.com > Subject: Re: >>> [keycloak-user] Keycloak and AngularJS To: Stian Thorgersen >>> < stian at redhat.com > Cc: >>> keycloak-user at lists.jboss.org >>> Message-ID: >>> < 53345202.4060105 at redhat.com > >>> Content-Type: text/plain; charset=UTF-8; format=flowed >>> >>> One of the problems with the keycloak.js approach is that we have >>> no way to perform a single log out or to force a logout of a >>> specific user. I think the OpenID Connect spec may have a way with >>> IFrames to do this sort of thing though. I didn't really get it at >>> first glance though. >>> >>> >>> On 3/27/2014 12:18 PM, Stian Thorgersen wrote: >>>> Personally, I think that in most cases for a client-side web app >>> the best approach is to let the client-side do the oauth flow (the >>> approach we're currently taking in keycloak.js). 
It does depend on >>> your application though, and if you're application has a strict >>> one html5 app calls one REST service then http-only cookies are an >>> option. I don't see any real benefits of it though, and I believe >>> it significantly complicates things. >>>> >>>> Have a look at >>> http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/ >>> , >>> >>> >> I think it provides a good summary of the pros of the token approach. >>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" < bburke at redhat.com >>>>> > To: keycloak-user at lists.jboss.org >>> >>>>> Sent: Thursday, 27 March, 2014 3:39:07 PM Subject: Re: >>>>> [keycloak-user] Keycloak and AngularJS >>>>> >>>>> What I like about the current admin console approach is that >>> there is no >>>>> book keeping required by the browser. The Angular app has >>>>> really no knowledge of how it is being secured as its all >>>>> driven by the server. Also, you need to remember that the admin >>>>> console was designed to >>> be run >>>>> in a non-Java EE, non-servlet environment. While this is a >>> requirement >>>>> for Keycloak, it may not be for your application. So, what >>>>> I'm >>> saying >>>>> is that for your angular application, you could rely on the >>>>> servlet container and keycloak adapter to maintain a session >>>>> cookie and >>> identity. >>>>> >>>>> What I like about the keycloak.js approach is that there is no >>>>> server-side adapter required for the UI. The UI could be >>>>> hosted >>> off any >>>>> number of static web sites and use CORS invocations to any >>>>> number of Restful services. >>>>> >>>>> There's also the debate of public vs. confidential clients. >>>>> The keycloak.js approach requires a public client. My >>>>> understanding was that confidential clients exist so that only >>>>> an authenticated client (client *NOT* user) is able to obtain >>>>> an access token. 
I'm not >>> exactly >>>>> sure what additional security benefits are obtained here beyond >>>>> this. I've been trying to ask this very question on OAuth mail >>>>> lists >>> but have >>>>> been unable to get a response so far. >>>>> >>>>> >>>>> >>>>> On 3/27/2014 10:41 AM, Nils Preusker wrote: >>>>>> Hi Stian and Bill, >>>>>> >>>>>> I've posted some questions regarding this topic before but I >>> thought I'd >>>>>> start a new thread to keep things focused: >>>>>> >>>>>> I'm writing an AngularJS application with Java EE 6/7 REST >>>>>> (JAX-RS) backend modules. To add authentication and >>>>>> authorization to this application, I'd like to use keycloak >>>>>> >>>>>> * as a user and role management front-end * to provide a >>>>>> customizable login page (works very well by the >>> way ;) >>>>>> * as an OAuth 2.0 token provider * to add user and role >>>>>> information to the HTTPRequests in my REST/ backend modules >>>>>> >>>>>> To do this, I'm currently looking at keycloak.js and the >>> customer-app-js >>>>>> example. However, I'm wondering whether this is really the >>>>>> best >>> way to >>>>>> go. In a reply to an earlier post of mine you mentioned that >>>>>> the keycloak admin console is written in AngularJS and that >>>>>> you are >>> using >>>>>> HTTP-only cookies there. >>>>>> >>>>>> However, in keycloak.js and the customer-app-js example you >>>>>> are retrieving the token in the JS app and adding an >>>>>> authorization >>> header >>>>>> with a bearer token to the HTTP requests. >>>>>> >>>>>> So here are my questions: >>>>>> >>>>>> * Is there a reason you are using two different approaches >>>>>> in >>> the admin >>>>>> console and the official demo app? * which one of the two >>>>>> approaches (bearer tokens vs. HTTP-only >>> cookie) >>>>>> will you support/ will be the officially recommended one for >>>>>> HTML5/ client side JavaScript applications in keycloak? 
* am >>>>>> I right in assuming that you haven't quite decided yet which >>>>>> approach to use and that you are still discussing this in >>>>>> the >>> keycloak >>>>>> team? >>>>>> >>>>>> Looking forwards to your reply! Cheers, Nils >>>>>> >>>>>> >>>>>> _______________________________________________ keycloak-user >>>>>> mailing list keycloak-user at lists.jboss.org >>>>>> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> -- Bill Burke JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> _______________________________________________ keycloak-user >>>>> mailing list keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>> >>> -- Bill Burke JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> >>> >>> ------------------------------ >>> >>> _______________________________________________ keycloak-user >>> mailing list keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> End of keycloak-user Digest, Vol 3, Issue 14 >>> ******************************************** >>> >>> >>> >>> >>> _______________________________________________ keycloak-user >>> mailing list keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v2.0.22 (GNU/Linux) >> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ >> >> iQEcBAEBCgAGBQJTNSHcAAoJEDnJtskdmzLMHrYH/1D/vMgPxD0WUZ5KdIoD5Cow >> gb9fa+RZDQrpPxL1qKpqWJX3g1cKt8hQa1Xz7dX64G3/xcLUUkoJKkAtiJPysp75 >> xbkdWV+RGQXDHuyZcS75xEXQlPaWt2cEVxdSXMalzfQPzVhq00FBbeJLirKLbYsY >> I2CIjJgCSQhmOrVfP5vUSdrwsLsd+TBXee4779YiOceSW16oG9Nfsa5gF1XJSNhi >> o2fZCEkoXhbTD7RXuhhrDWlFBCQOIgWf6FUHEAVKnXeIR5oey6U9hv1Z16Kd2Pll >> Pv8+LWlJjKMfkmrCQrVQvYSI/n64vxjikta2ByBdOPethsebqXO9oknbiPtjq6E= >> =TiWl >> -----END PGP SIGNATURE----- >> _______________________________________________ >> keycloak-user 
mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From n.preusker at gmail.com Fri Mar 28 12:14:03 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Fri, 28 Mar 2014 17:14:03 +0100
Subject: [keycloak-user] Inject (Keycloak)Principal
In-Reply-To: <53359BE9.6060104@redhat.com>
References: <533521DC.6010908@kroehling.de> <334094727.3760111.1396021671687.JavaMail.zimbra@redhat.com> <53359BE9.6060104@redhat.com>
Message-ID:

Cheers Bill,

I added

    KeycloakSecurityContext ctx = (KeycloakSecurityContext)
        servletRequest.getAttribute(KeycloakSecurityContext.class.getName());

and can now access the user name via ctx.getToken().getPreferredUsername(). The only downside to this is that I now need keycloak in my dependencies in order to know the class KeycloakSecurityContext, but I guess I can live with that :)

Thanks again!
Nils

On Fri, Mar 28, 2014 at 4:57 PM, Bill Burke wrote:
> The KeycloakSecurityContext has access to the IDToken which can contain
> information like name, email, address, etc... Depending on how you
> configure your realm. Maybe IDToken should be added to the
> KeycloakPrincipal?
>
> On 3/28/2014 11:47 AM, Stian Thorgersen wrote:
> > Yes that is expected behaviour. The ID of the user is the unique
> > reference to a user within Keycloak, and is what we recommend you use to
> > refer to the user within your application when possible. The reason
> > is that there are reasons why a username/email may not refer to the same
> > user over time.
> > For example we will allow users to change their username (a
> > feature you'll be able to disable), a user may be deleted, and another user
> > re-created with the same username.
> >
> > ----- Original Message -----
> >> From: "Nils Preusker"
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Friday, 28 March, 2014 3:17:37 PM
> >> Subject: Re: [keycloak-user] Inject (Keycloak)Principal
> >>
> >> Hi all,
> >>
> >> I'm also looking into this right now and got it to work. However, I tried to
> >> retrieve the username from the HttpServletRequest with
> >> "servletRequest.getRemoteUser()" but instead of the name or e-mail I'm
> >> getting the actual ID from the database
> >> (62ccf5fd-949b-413d-977b-6f8bc29f94bf).
> >>
> >> Is this the expected/intended behavior?
> >>
> >> Also, @Dirk: let me know if you need any help getting the injection of the
> >> roles and user id to work.
> >>
> >> Cheers,
> >> Nils
> >>
> >> On Fri, Mar 28, 2014 at 8:16 AM, Juraci Paixão Kröhling < juraci at kroehling.de > wrote:
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >>
> >> Dirk,
> >>
> >> It seems it's missing the @SecurityDomain("keycloak") in your service,
> >> at the type level. If that's not the case, I can update the
> >> "sample-ejb-roles" quickstart, adapted to use Keycloak, so you can
> >> compare and check what's missing.
> >>
> >> Just to confirm: have you also added the security-domain to the
> >> standalone.xml? The instructions are at the end of section 6.2.1 from
> >> the user guide:
> >>
> >> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e485
> >>
> >> Juca.
> >>
> >> On 03/28/2014 01:31 AM, Dirk Franssen wrote:
> >>> Hi,
> >>>
> >>> I was playing around with the examples, more specifically with the
> >>> customer-portal-js which is accessing the database resource.
> >>> In
> >>> that CustomerService I was trying to get access to the Principal
> >>> and trying to extend it to return in addition the username of the
> >>> logged-in user:
> >>>
> >>> import java.security.Principal;
> >>> import java.util.ArrayList;
> >>> import java.util.List;
> >>> import javax.inject.Inject;
> >>> import javax.ws.rs.GET;
> >>> import javax.ws.rs.Path;
> >>> import javax.ws.rs.Produces;
> >>> import org.jboss.resteasy.annotations.cache.NoCache;
> >>>
> >>> @Path("customers")
> >>> public class CustomerService {
> >>>
> >>>     @Inject
> >>>     Principal principal;
> >>>
> >>>     //@Context
> >>>     //SecurityContext sc;
> >>>     //Principal principal = sc.getUserPrincipal();
> >>>
> >>>     //@Context
> >>>     //ContainerRequestContext request;
> >>>     //SecurityContext sc = request.getSecurityContext();
> >>>     //Principal principal = sc.getUserPrincipal();
> >>>
> >>>     @GET
> >>>     @Produces("application/json")
> >>>     @NoCache
> >>>     public List<String> getCustomers() {
> >>>         ArrayList<String> rtn = new ArrayList<String>();
> >>>         rtn.add("Bill Burke");
> >>>         rtn.add("Stian Thorgersen");
> >>>         rtn.add("Stan Silvert");
> >>>         rtn.add("Gabriel Cardoso");
> >>>         rtn.add("Viliam Rockai");
> >>>         rtn.add("Marek Posolda");
> >>>         rtn.add("Boleslaw Dawidowicz");
> >>>         rtn.add(principal.getName()); //<--- add username to the list
> >>>         return rtn;
> >>>     }
> >>> }
> >>>
> >>> But this throws an NPE as the principal is always null. I noticed
> >>> that the JaxrsBearerTokenFilter is adding to the
> >>> ContainerRequestContext a new SecurityContext, of which the
> >>> getUserPrincipal method returns the KeycloakPrincipal. But I can't
> >>> figure out how to get access to this from the CustomerService.
> >>>
> >>> My intention is to verify if the logged-in user is accessing his
> >>> own resources, and e.g. is not trying to update data of somebody
> >>> else. E.g. the id should match principal.getName() in the following:
> >>>
> >>> @POST
> >>> @Path("/users/{id}/friends")
> >>> public void addFriend(@PathParam("id") String userId, Friend friend) { ... }
> >>>
> >>> Any suggestions?
> >>> It would be nice if, besides the KeycloakPrincipal
> >>> being injectable, one could define something like @IsOwner:
> >>>
> >>> public void addFriend(@PathParam("id") @IsOwner String userId,
> >>>                       Friend friend)
> >>>
> >>> or even more concise:
> >>>
> >>> public void addFriend(@IsOwner("id") String userId, Friend friend)
> >>>
> >>> Kind regards, Dirk Franssen
> >>>
> >>> On Thu, Mar 27, 2014 at 5:29 PM, < keycloak-user-request at lists.jboss.org > wrote:
> >>>
> >>> Today's Topics:
> >>>
> >>> 1. Re: Keycloak and AngularJS (Bill Burke)
> >>> 2. Re: Keycloak and AngularJS (Stian Thorgersen)
> >>> 3. Re: Keycloak and AngularJS (Nils Preusker)
> >>> 4. Re: Keycloak and AngularJS (Bill Burke)
> >>>
> >>> ----------------------------------------------------------------------
> >>>
> >>> Message: 1
> >>> Date: Thu, 27 Mar 2014 11:39:07 -0400
> >>> From: Bill Burke < bburke at redhat.com >
> >>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> >>> To: keycloak-user at lists.jboss.org
> >>> Message-ID: < 5334461B.8040202 at redhat.com >
> >>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >>>
> >>> What I like about the current admin console approach is that there
> >>> is no bookkeeping required by the browser. The Angular app has
> >>> really no knowledge of how it is being secured as it's all driven by
> >>> the server.
Also, you need to remember that the admin console was > >>> designed to be run in a non-Java EE, non-servlet environment. > >>> While this is a requirement for Keycloak, it may not be for your > >>> application. So, what I'm saying is that for your angular > >>> application, you could rely on the servlet container and keycloak > >>> adapter to maintain a session cookie and identity. > >>> > >>> What I like about the keycloak.js approach is that there is no > >>> server-side adapter required for the UI. The UI could be hosted > >>> off any number of static web sites and use CORS invocations to any > >>> number of Restful services. > >>> > >>> There's also the debate of public vs. confidential clients. The > >>> keycloak.js approach requires a public client. My understanding > >>> was that confidential clients exist so that only an authenticated > >>> client (client *NOT* user) is able to obtain an access token. I'm > >>> not exactly sure what additional security benefits are obtained > >>> here beyond this. I've been trying to ask this very question on > >>> OAuth mail lists but have been unable to get a response so far. > >>> > >>> > >>> > >>> On 3/27/2014 10:41 AM, Nils Preusker wrote: > >>>> Hi Stian and Bill, > >>>> > >>>> I've posted some questions regarding this topic before but I > >>> thought I'd > >>>> start a new thread to keep things focused: > >>>> > >>>> I'm writing an AngularJS application with Java EE 6/7 REST > >>>> (JAX-RS) backend modules. To add authentication and authorization > >>>> to this application, I'd like to use keycloak > >>>> > >>>> * as a user and role management front-end * to provide a > >>>> customizable login page (works very well by the way ;) * as an > >>>> OAuth 2.0 token provider * to add user and role information to > >>>> the HTTPRequests in my REST/ backend modules > >>>> > >>>> To do this, I'm currently looking at keycloak.js and the > >>> customer-app-js > >>>> example. 
However, I'm wondering whether this is really the best > >>>> way to go. In a reply to an earlier post of mine you mentioned > >>>> that the keycloak admin console is written in AngularJS and that > >>>> you are using HTTP-only cookies there. > >>>> > >>>> However, in keycloak.js and the customer-app-js example you are > >>>> retrieving the token in the JS app and adding an authorization > >>>> header with a bearer token to the HTTP requests. > >>>> > >>>> So here are my questions: > >>>> > >>>> * Is there a reason you are using two different approaches in > >>>> the > >>> admin > >>>> console and the official demo app? * which one of the two > >>>> approaches (bearer tokens vs. HTTP-only cookie) will you support/ > >>>> will be the officially recommended one for HTML5/ client side > >>>> JavaScript applications in keycloak? * am I right in assuming > >>>> that you haven't quite decided yet which approach to use and that > >>>> you are still discussing this in the > >>> keycloak team? > >>>> > >>>> Looking forwards to your reply! 
Cheers, Nils > >>>> > >>>> > >>>> _______________________________________________ keycloak-user > >>>> mailing list keycloak-user at lists.jboss.org > >>>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>> > >>> -- Bill Burke JBoss, a division of Red Hat > >>> http://bill.burkecentral.com > >>> > >>> > >>> ------------------------------ > >>> > >>> Message: 2 Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT) From: Stian > >>> Thorgersen < stian at redhat.com > Subject: > >>> Re: [keycloak-user] Keycloak and AngularJS To: Bill Burke > >>> < bburke at redhat.com > Cc: > >>> keycloak-user at lists.jboss.org > >>> Message-ID: > >>> < 884719116.3009607.1395937081146.JavaMail.zimbra at redhat.com > >>> > > >>> > >>> > >> Content-Type: text/plain; charset=utf-8 > >>> > >>> Personally, I think that in most cases for a client-side web app > >>> the best approach is to let the client-side do the oauth flow (the > >>> approach we're currently taking in keycloak.js). It does depend on > >>> your application though, and if you're application has a strict > >>> one html5 app calls one REST service then http-only cookies are an > >>> option. I don't see any real benefits of it though, and I believe > >>> it significantly complicates things. > >>> > >>> Have a look at > >>> > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/ > >>> , > >>> > >>> > >> I think it provides a good summary of the pros of the token approach. > >>> > >>> ----- Original Message ----- > >>>> From: "Bill Burke" < bburke at redhat.com > >>>> > To: keycloak-user at lists.jboss.org > >>> > >>>> Sent: Thursday, 27 March, 2014 3:39:07 PM Subject: Re: > >>>> [keycloak-user] Keycloak and AngularJS > >>>> > >>>> What I like about the current admin console approach is that > >>>> there > >>> is no > >>>> book keeping required by the browser. The Angular app has really > >>>> no knowledge of how it is being secured as its all driven by the > >>>> server. 
Also, you need to remember that the admin console was > >>>> designed to > >>> be run > >>>> in a non-Java EE, non-servlet environment. While this is a > >>> requirement > >>>> for Keycloak, it may not be for your application. So, what I'm > >>>> saying is that for your angular application, you could rely on > >>>> the servlet container and keycloak adapter to maintain a session > >>>> cookie and > >>> identity. > >>>> > >>>> What I like about the keycloak.js approach is that there is no > >>>> server-side adapter required for the UI. The UI could be hosted > >>> off any > >>>> number of static web sites and use CORS invocations to any number > >>>> of Restful services. > >>>> > >>>> There's also the debate of public vs. confidential clients. The > >>>> keycloak.js approach requires a public client. My understanding > >>>> was that confidential clients exist so that only an authenticated > >>>> client (client *NOT* user) is able to obtain an access token. > >>>> I'm not > >>> exactly > >>>> sure what additional security benefits are obtained here beyond > >>>> this. I've been trying to ask this very question on OAuth mail > >>>> lists but > >>> have > >>>> been unable to get a response so far. > >>>> > >>>> > >>>> > >>>> On 3/27/2014 10:41 AM, Nils Preusker wrote: > >>>>> Hi Stian and Bill, > >>>>> > >>>>> I've posted some questions regarding this topic before but I > >>> thought I'd > >>>>> start a new thread to keep things focused: > >>>>> > >>>>> I'm writing an AngularJS application with Java EE 6/7 REST > >>>>> (JAX-RS) backend modules. 
To add authentication and > >>>>> authorization to this application, I'd like to use keycloak > >>>>> > >>>>> * as a user and role management front-end * to provide a > >>>>> customizable login page (works very well by the > >>> way ;) > >>>>> * as an OAuth 2.0 token provider * to add user and role > >>>>> information to the HTTPRequests in my REST/ backend modules > >>>>> > >>>>> To do this, I'm currently looking at keycloak.js and the > >>> customer-app-js > >>>>> example. However, I'm wondering whether this is really the > >>>>> best > >>> way to > >>>>> go. In a reply to an earlier post of mine you mentioned that > >>>>> the keycloak admin console is written in AngularJS and that you > >>>>> are > >>> using > >>>>> HTTP-only cookies there. > >>>>> > >>>>> However, in keycloak.js and the customer-app-js example you > >>>>> are retrieving the token in the JS app and adding an > >>>>> authorization > >>> header > >>>>> with a bearer token to the HTTP requests. > >>>>> > >>>>> So here are my questions: > >>>>> > >>>>> * Is there a reason you are using two different approaches in > >>> the admin > >>>>> console and the official demo app? * which one of the two > >>>>> approaches (bearer tokens vs. HTTP-only > >>> cookie) > >>>>> will you support/ will be the officially recommended one for > >>>>> HTML5/ client side JavaScript applications in keycloak? * am I > >>>>> right in assuming that you haven't quite decided yet which > >>>>> approach to use and that you are still discussing this in the > >>> keycloak > >>>>> team? > >>>>> > >>>>> Looking forwards to your reply! 
Cheers, Nils > >>>>> > >>>>> > >>>>> _______________________________________________ keycloak-user > >>>>> mailing list keycloak-user at lists.jboss.org > >>>>> > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>> > >>>> > >>>> -- Bill Burke JBoss, a division of Red Hat > >>>> http://bill.burkecentral.com > >>>> _______________________________________________ keycloak-user > >>>> mailing list keycloak-user at lists.jboss.org > >>>> > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>> > >>> > >>> ------------------------------ > >>> > >>> Message: 3 Date: Thu, 27 Mar 2014 17:24:06 +0100 From: Nils > >>> Preusker < n.preusker at gmail.com > > >>> Subject: Re: [keycloak-user] Keycloak and AngularJS To: > >>> keycloak-user at lists.jboss.org > >>> Message-ID: > >>> > >>> >>> > >>> > >> > > >>> Content-Type: text/plain; charset="iso-8859-1" > >>> > >>> Hi Stian and Bill, > >>> > >>> thanks for your replies! I'll check out the blog post and try the > >>> approach with a web.xml and a keycloak.json in the backend for now. > >>> I'll keep you posted on what I end up with on the client side. > >>> > >>> Cheers, Nils > >>> > >>> > >>> > >>> On Thu, Mar 27, 2014 at 5:18 PM, Stian Thorgersen > >>> < stian at redhat.com > wrote: > >>> > >>>> Personally, I think that in most cases for a client-side web app > >>> the best > >>>> approach is to let the client-side do the oauth flow (the > >>>> approach > >>> we're > >>>> currently taking in keycloak.js). It does depend on your > >>>> application though, and if you're application has a strict one > >>>> html5 app calls > >>> one REST > >>>> service then http-only cookies are an option. I don't see any > >>>> real > >>> benefits > >>>> of it though, and I believe it significantly complicates things. 
> >>>> > >>>> Have a look at > >>>> > >>> > http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/ > >>> , > >>> > >>> I think it provides a good summary of the pros of the token > >>> approach. > >>>> > >>>> ----- Original Message ----- > >>>>> From: "Bill Burke" < bburke at redhat.com > >>>>> > To: keycloak-user at lists.jboss.org > >>> > >>>>> Sent: Thursday, 27 March, 2014 3:39:07 PM Subject: Re: > >>>>> [keycloak-user] Keycloak and AngularJS > >>>>> > >>>>> What I like about the current admin console approach is that > >>> there is no > >>>>> book keeping required by the browser. The Angular app has > >>>>> really no knowledge of how it is being secured as its all > >>>>> driven by the > >>> server. > >>>>> Also, you need to remember that the admin console was designed > >>> to be run > >>>>> in a non-Java EE, non-servlet environment. While this is a > >>> requirement > >>>>> for Keycloak, it may not be for your application. So, what > >>>>> I'm > >>> saying > >>>>> is that for your angular application, you could rely on the > >>>>> servlet container and keycloak adapter to maintain a session > >>>>> cookie and > >>> identity. > >>>>> > >>>>> What I like about the keycloak.js approach is that there is no > >>>>> server-side adapter required for the UI. The UI could be > >>>>> hosted > >>> off any > >>>>> number of static web sites and use CORS invocations to any > >>>>> number of Restful services. > >>>>> > >>>>> There's also the debate of public vs. confidential clients. > >>>>> The keycloak.js approach requires a public client. My > >>>>> understanding was that confidential clients exist so that only > >>>>> an authenticated client (client *NOT* user) is able to obtain > >>>>> an access token. I'm not > >>> exactly > >>>>> sure what additional security benefits are obtained here > >>>>> beyond > >>> this. 
> >>>>> I've been trying to ask this very question on OAuth mail lists but have
> >>>>> been unable to get a response so far.
> >>>>>
> >>>>> On 3/27/2014 10:41 AM, Nils Preusker wrote:
> >>>>>> Hi Stian and Bill,
> >>>>>>
> >>>>>> I've posted some questions regarding this topic before but I thought
> >>>>>> I'd start a new thread to keep things focused:
> >>>>>>
> >>>>>> I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS)
> >>>>>> backend modules. To add authentication and authorization to this
> >>>>>> application, I'd like to use keycloak
> >>>>>>
> >>>>>> * as a user and role management front-end
> >>>>>> * to provide a customizable login page (works very well by the way ;)
> >>>>>> * as an OAuth 2.0 token provider
> >>>>>> * to add user and role information to the HTTPRequests in my REST/
> >>>>>>   backend modules
> >>>>>>
> >>>>>> To do this, I'm currently looking at keycloak.js and the
> >>>>>> customer-app-js example. However, I'm wondering whether this is really
> >>>>>> the best way to go. In a reply to an earlier post of mine you mentioned
> >>>>>> that the keycloak admin console is written in AngularJS and that you
> >>>>>> are using HTTP-only cookies there.
> >>>>>>
> >>>>>> However, in keycloak.js and the customer-app-js example you are
> >>>>>> retrieving the token in the JS app and adding an authorization header
> >>>>>> with a bearer token to the HTTP requests.
> >>>>>>
> >>>>>> So here are my questions:
> >>>>>>
> >>>>>> * Is there a reason you are using two different approaches in the
> >>>>>>   admin console and the official demo app?
> >>>>>> * Which one of the two approaches (bearer tokens vs. HTTP-only cookie)
> >>>>>>   will you support/ will be the officially recommended one for HTML5/
> >>>>>>   client side JavaScript applications in keycloak?
> >>>>>> * Am I right in assuming that you haven't quite decided yet which
> >>>>>>   approach to use and that you are still discussing this in the
> >>>>>>   keycloak team?
> >>>>>>
> >>>>>> Looking forward to your reply! Cheers, Nils
> >>>>>
> >>>>> -- Bill Burke JBoss, a division of Red Hat
> >>>>> http://bill.burkecentral.com
> >>>
> >>> ------------------------------
> >>>
> >>> Message: 4
> >>> Date: Thu, 27 Mar 2014 12:29:54 -0400
> >>> From: Bill Burke <bburke at redhat.com>
> >>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> >>> To: Stian Thorgersen <stian at redhat.com>
> >>> Cc: keycloak-user at lists.jboss.org
> >>> Message-ID: <53345202.4060105 at redhat.com>
> >>> Content-Type: text/plain; charset=UTF-8; format=flowed
> >>>
> >>> One of the problems with the keycloak.js approach is that we have no way
> >>> to perform a single log out or to force a logout of a specific user. I
> >>> think the OpenID Connect spec may have a way with IFrames to do this sort
> >>> of thing though. I didn't really get it at first glance though.
> >>>
> >>> On 3/27/2014 12:18 PM, Stian Thorgersen wrote:
> >>>> Personally, I think that in most cases for a client-side web app the
> >>>> best approach is to let the client-side do the oauth flow (the approach
> >>>> we're currently taking in keycloak.js). It does depend on your
> >>>> application though, and if your application has a strict "one html5 app
> >>>> calls one REST service" then http-only cookies are an option. I don't
> >>>> see any real benefits of it though, and I believe it significantly
> >>>> complicates things.
> >>>>
> >>>> Have a look at
> >>>> http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/,
> >>>> I think it provides a good summary of the pros of the token approach.
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>> To: keycloak-user at lists.jboss.org
> >>>>> Sent: Thursday, 27 March, 2014 3:39:07 PM
> >>>>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> >>>>>
> >>>>> What I like about the current admin console approach is that there is
> >>>>> no book keeping required by the browser. The Angular app has really no
> >>>>> knowledge of how it is being secured as it's all driven by the server.
> >>>>> Also, you need to remember that the admin console was designed to be
> >>>>> run in a non-Java EE, non-servlet environment. While this is a
> >>>>> requirement for Keycloak, it may not be for your application. So, what
> >>>>> I'm saying is that for your angular application, you could rely on the
> >>>>> servlet container and keycloak adapter to maintain a session cookie
> >>>>> and identity.
> >>>>>
> >>>>> What I like about the keycloak.js approach is that there is no
> >>>>> server-side adapter required for the UI. The UI could be hosted off
> >>>>> any number of static web sites and use CORS invocations to any number
> >>>>> of Restful services.
> >>>>>
> >>>>> There's also the debate of public vs. confidential clients. The
> >>>>> keycloak.js approach requires a public client. My understanding was
> >>>>> that confidential clients exist so that only an authenticated client
> >>>>> (client *NOT* user) is able to obtain an access token. I'm not exactly
> >>>>> sure what additional security benefits are obtained here beyond this.
> >>>>> I've been trying to ask this very question on OAuth mail lists but
> >>>>> have been unable to get a response so far.
> >>>>>
> >>>>> -- Bill Burke JBoss, a division of Red Hat
> >>>>> http://bill.burkecentral.com
> >>>
> >>> -- Bill Burke JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>>
> >>> ------------------------------
> >>>
> >>> End of keycloak-user Digest, Vol 3, Issue 14
> >>> ********************************************
>
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From dirk.franssen at gmail.com Sun Mar 30 17:08:56 2014
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Sun, 30 Mar 2014 23:08:56 +0200
Subject: [keycloak-user] Inject (Keycloak)Principal
Message-ID:

Hey Bill,

I think it would make sense to add the IDToken to the KeycloakPrincipal. This avoids the additional servletRequest.getAttribute(KeycloakSecurityContext.class.getName()) call in order to get the user details.
For info to other users: in order to get more than only the (preferred) username, you should change in your realm the Allowed Claims at the application level, otherwise e.g. the email address will stay null even though it was provided in the account of the user.

@Nils/Juca: the injection of the principal is now working. I didn't have @Stateless on the CustomerService before, that's why :-).

Just to be sure: in one of the videos the database service was also being defined in the admin console as an application, but I assume that this is superfluous as the bundled demo realm is not describing it?

Thanks.

Dirk Franssen

On Fri, Mar 28, 2014 at 5:14 PM, wrote:
> Today's Topics:
>
> 1. Re: Inject (Keycloak)Principal (Nils Preusker)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 28 Mar 2014 17:14:03 +0100
> From: Nils Preusker
> Subject: Re: [keycloak-user] Inject (Keycloak)Principal
> To: keycloak-user at lists.jboss.org
> Message-ID: EUQ at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Cheers Bill, I added
>
> KeycloakSecurityContext ctx = (KeycloakSecurityContext)
> servletRequest.getAttribute(KeycloakSecurityContext.class.getName());
>
> and can now access the user name via ctx.getToken().getPreferredUsername().
>
> The only downside to this is that I now need keycloak in my dependencies in
> order to know the class KeycloakSecurityContext, but I guess I can live
> with that :)
>
> Thanks again!
> Nils
>
> On Fri, Mar 28, 2014 at 4:57 PM, Bill Burke wrote:
> > The KeycloakSecurityContext has access to the IDToken which can contain
> > information like name, email, address, etc... Depending on how you
> > configure your realm. Maybe IDToken should be added to the
> > KeycloakPrincipal?
> >
> > On 3/28/2014 11:47 AM, Stian Thorgersen wrote:
> > > Yes that is expected behaviour. The ID of the user is the unique
> > > reference to a user within Keycloak, and is what we recommend you use to
> > > refer to the user within your application when possible. The reason is
> > > that there are reasons why a username/email may not refer to the same
> > > user over time. For example we will allow users to change their username
> > > (a feature you'll be able to disable), a user may be deleted, and another
> > > user re-created with the same username.
> > >
> > > ----- Original Message -----
> > >> From: "Nils Preusker"
> > >> To: keycloak-user at lists.jboss.org
> > >> Sent: Friday, 28 March, 2014 3:17:37 PM
> > >> Subject: Re: [keycloak-user] Inject (Keycloak)Principal
> > >>
> > >> Hi all,
> > >>
> > >> I'm also looking into this right now and got it to work. However, I
> > >> tried to retrieve the username from the HttpServletRequest with
> > >> "servletRequest.getRemoteUser()" but instead of the name or e-mail I'm
> > >> getting the actual ID from the database
> > >> (62ccf5fd-949b-413d-977b-6f8bc29f94bf).
> > >>
> > >> Is this the expected/ intended behavior?
> > >>
> > >> Also, @Dirk: let me know if you need any help getting the injection of
> > >> the roles and user id to work.
> > >>
> > >> Cheers,
> > >> Nils
> > >>
> > >> On Fri, Mar 28, 2014 at 8:16 AM, Juraci Paixão Kröhling
> > >> <juraci at kroehling.de> wrote:
> > >>
> > >> Dirk,
> > >>
> > >> It seems it's missing the @SecurityDomain("keycloak") in your service,
> > >> at the type level. If that's not the case, I can update the
> > >> "sample-ejb-roles" quickstart, adapted to use Keycloak, so you can
> > >> compare and check what's missing.
> > >>
> > >> Just to confirm: have you also added the security-domain to the
> > >> standalone.xml? The instructions are at the end of section 6.2.1 from
> > >> the user guide:
> > >>
> > >> http://docs.jboss.org/keycloak/docs/1.0-alpha-3/userguide/html_single/index.html#d4e485
> > >>
> > >> Juca.
> > >>
> > >> On 03/28/2014 01:31 AM, Dirk Franssen wrote:
> > >>> Hi,
> > >>>
> > >>> I was playing around with the examples, more specifically with the
> > >>> customer-portal-js which is accessing the database resource. In that
> > >>> CustomerService I was trying to get access to the Principal and trying
> > >>> to extend it to return in addition the username of the logged-in user:
> > >>>
> > >>> import java.security.Principal;
> > >>> import java.util.ArrayList;
> > >>> import java.util.List;
> > >>>
> > >>> import javax.inject.Inject;
> > >>> import javax.ws.rs.GET;
> > >>> import javax.ws.rs.Path;
> > >>> import javax.ws.rs.Produces;
> > >>>
> > >>> import org.jboss.resteasy.annotations.cache.NoCache;
> > >>>
> > >>> @Path("customers")
> > >>> public class CustomerService {
> > >>>
> > >>>     // Injected principal of the logged-in user; stays null here (see below)
> > >>>     @Inject
> > >>>     Principal principal;
> > >>>
> > >>>     // Alternatives tried, also without success:
> > >>>     //@Context
> > >>>     //SecurityContext sc;
> > >>>     //Principal principal = sc.getUserPrincipal();
> > >>>
> > >>>     //@Context
> > >>>     //ContainerRequestContext request;
> > >>>     //SecurityContext sc = request.getSecurityContext();
> > >>>     //Principal principal = sc.getUserPrincipal();
> > >>>
> > >>>     @GET
> > >>>     @Produces("application/json")
> > >>>     @NoCache
> > >>>     public List<String> getCustomers() {
> > >>>         List<String> rtn = new ArrayList<String>();
> > >>>         rtn.add("Bill Burke");
> > >>>         rtn.add("Stian Thorgersen");
> > >>>         rtn.add("Stan Silvert");
> > >>>         rtn.add("Gabriel Cardoso");
> > >>>         rtn.add("Viliam Rockai");
> > >>>         rtn.add("Marek Posolda");
> > >>>         rtn.add("Boleslaw Dawidowicz");
> > >>>         rtn.add(principal.getName()); // <--- add username to the list
> > >>>         return rtn;
> > >>>     }
> > >>> }
> > >>>
> > >>> But this throws an NPE as the principal is always null. I noticed that
> > >>> the JaxrsBearerTokenFilter is adding to the ContainerRequestContext a
> > >>> new SecurityContext, of which the getUserPrincipal method returns the
> > >>> KeycloakPrincipal. But I can't figure out how to get access to this
> > >>> from the CustomerService.
> > >>>
> > >>> My intention is to verify if the logged-in user is accessing his own
> > >>> resources, and e.g. is not trying to update data of somebody else.
> > >>> E.g. the id should match principal.getName() in the following:
> > >>>
> > >>> @POST
> > >>> @Path("/users/{id}/friends")
> > >>> public void addFriend(@PathParam("id") String userId, Friend friend) {
> > >>>     ...
> > >>> }
> > >>>
> > >>> Any suggestions?
> > >>> It would be nice if, besides the KeycloakPrincipal being injectable,
> > >>> it were possible to define something like @IsOwner:
> > >>>
> > >>> public void addFriend(@PathParam("id") @IsOwner String userId,
> > >>>                       Friend friend)
> > >>>
> > >>> or even more concise:
> > >>>
> > >>> public void addFriend(@IsOwner("id") String userId, Friend friend)
> > >>>
> > >>> Kind regards, Dirk Franssen
> > >>>
> > >>> On Thu, Mar 27, 2014 at 5:29 PM,
> > >>> <keycloak-user-request at lists.jboss.org> wrote:
> > >>>
> > >>> Today's Topics:
> > >>>
> > >>> 1. Re: Keycloak and AngularJS (Bill Burke)
> > >>> 2. Re: Keycloak and AngularJS (Stian Thorgersen)
> > >>> 3. Re: Keycloak and AngularJS (Nils Preusker)
> > >>> 4. Re: Keycloak and AngularJS (Bill Burke)
> > >>>
> > >>> ----------------------------------------------------------------------
> > >>>
> > >>> Message: 1
> > >>> Date: Thu, 27 Mar 2014 11:39:07 -0400
> > >>> From: Bill Burke <bburke at redhat.com>
> > >>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> > >>> To: keycloak-user at lists.jboss.org
> > >>> Message-ID: <5334461B.8040202 at redhat.com>
> > >>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> > >>>
> > >>> What I like about the current admin console approach is that there is
> > >>> no book keeping required by the browser. The Angular app has really no
> > >>> knowledge of how it is being secured as it's all driven by the server.
> > >>> Also, you need to remember that the admin console was designed to be
> > >>> run in a non-Java EE, non-servlet environment. While this is a
> > >>> requirement for Keycloak, it may not be for your application. So, what
> > >>> I'm saying is that for your angular application, you could rely on the
> > >>> servlet container and keycloak adapter to maintain a session cookie and
> > >>> identity.
> > >>>
> > >>> What I like about the keycloak.js approach is that there is no
> > >>> server-side adapter required for the UI. The UI could be hosted off any
> > >>> number of static web sites and use CORS invocations to any number of
> > >>> Restful services.
> > >>>
> > >>> There's also the debate of public vs. confidential clients. The
> > >>> keycloak.js approach requires a public client. My understanding was
> > >>> that confidential clients exist so that only an authenticated client
> > >>> (client *NOT* user) is able to obtain an access token. I'm not exactly
> > >>> sure what additional security benefits are obtained here beyond this.
> > >>> I've been trying to ask this very question on OAuth mail lists but have
> > >>> been unable to get a response so far.
> > >>>
> > >>> On 3/27/2014 10:41 AM, Nils Preusker wrote:
> > >>>> Hi Stian and Bill,
> > >>>>
> > >>>> I've posted some questions regarding this topic before but I thought
> > >>>> I'd start a new thread to keep things focused:
> > >>>>
> > >>>> I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS)
> > >>>> backend modules. To add authentication and authorization to this
> > >>>> application, I'd like to use keycloak
> > >>>>
> > >>>> * as a user and role management front-end
> > >>>> * to provide a customizable login page (works very well by the way ;)
> > >>>> * as an OAuth 2.0 token provider
> > >>>> * to add user and role information to the HTTPRequests in my REST/
> > >>>>   backend modules
> > >>>>
> > >>>> To do this, I'm currently looking at keycloak.js and the
> > >>>> customer-app-js example. However, I'm wondering whether this is really
> > >>>> the best way to go. In a reply to an earlier post of mine you
> > >>>> mentioned that the keycloak admin console is written in AngularJS and
> > >>>> that you are using HTTP-only cookies there.
> > >>>>
> > >>>> However, in keycloak.js and the customer-app-js example you are
> > >>>> retrieving the token in the JS app and adding an authorization header
> > >>>> with a bearer token to the HTTP requests.
> > >>>>
> > >>>> So here are my questions:
> > >>>>
> > >>>> * Is there a reason you are using two different approaches in the
> > >>>>   admin console and the official demo app?
> > >>>> * Which one of the two approaches (bearer tokens vs. HTTP-only cookie)
> > >>>>   will you support/ will be the officially recommended one for HTML5/
> > >>>>   client side JavaScript applications in keycloak?
> > >>>> * Am I right in assuming that you haven't quite decided yet which
> > >>>>   approach to use and that you are still discussing this in the
> > >>>>   keycloak team?
> > >>>>
> > >>>> Looking forward to your reply! Cheers, Nils
> > >>>
> > >>> -- Bill Burke JBoss, a division of Red Hat
> > >>> http://bill.burkecentral.com
> > >>>
> > >>> ------------------------------
> > >>>
> > >>> Message: 2
> > >>> Date: Thu, 27 Mar 2014 12:18:01 -0400 (EDT)
> > >>> From: Stian Thorgersen <stian at redhat.com>
> > >>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> > >>> To: Bill Burke <bburke at redhat.com>
> > >>> Cc: keycloak-user at lists.jboss.org
> > >>> Message-ID: <884719116.3009607.1395937081146.JavaMail.zimbra at redhat.com>
> > >>> Content-Type: text/plain; charset=utf-8
> > >>>
> > >>> Personally, I think that in most cases for a client-side web app the
> > >>> best approach is to let the client-side do the oauth flow (the approach
> > >>> we're currently taking in keycloak.js). It does depend on your
> > >>> application though, and if your application has a strict "one html5 app
> > >>> calls one REST service" then http-only cookies are an option. I don't
> > >>> see any real benefits of it though, and I believe it significantly
> > >>> complicates things.
> > >>>
> > >>> Have a look at
> > >>> http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-vs-token/,
> > >>> I think it provides a good summary of the pros of the token approach.
> > >>>
> > >>> ------------------------------
> > >>>
> > >>> Message: 3
> > >>> Date: Thu, 27 Mar 2014 17:24:06 +0100
> > >>> From: Nils Preusker <n.preusker at gmail.com>
> > >>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> > >>> To: keycloak-user at lists.jboss.org
> > >>> Message-ID:
> > >>> Content-Type: text/plain; charset="iso-8859-1"
> > >>>
> > >>> Hi Stian and Bill,
> > >>>
> > >>> thanks for your replies! I'll check out the blog post and try the
> > >>> approach with a web.xml and a keycloak.json in the backend for now.
> > >>> I'll keep you posted on what I end up with on the client side.
> > >>>
> > >>> Cheers, Nils
> > >>>
> > >>> ------------------------------
> > >>>
> > >>> Message: 4
> > >>> Date: Thu, 27 Mar 2014 12:29:54 -0400
> > >>> From: Bill Burke <bburke at redhat.com>
> > >>> Subject: Re: [keycloak-user] Keycloak and AngularJS
> > >>> To: Stian Thorgersen <stian at redhat.com>
> > >>> Cc: keycloak-user at lists.jboss.org
> > >>> Message-ID: <53345202.4060105 at redhat.com>
> > >>> Content-Type: text/plain; charset=UTF-8; format=flowed
> > >>>
> > >>> One of the problems with the keycloak.js approach is that we have no
> > >>> way to perform a single log out or to force a logout of a specific
> > >>> user. I think the OpenID Connect spec may have a way with IFrames to do
> > >>> this sort of thing though. I didn't really get it at first glance
> > >>> though.
* am > > >>>>>> I right in assuming that you haven't quite decided yet which > > >>>>>> approach to use and that you are still discussing this in > > >>>>>> the > > >>> keycloak > > >>>>>> team? > > >>>>>> > > >>>>>> Looking forwards to your reply! Cheers, Nils > > >>>>>> > > >>>>>> > > >>>>>> _______________________________________________ keycloak-user > > >>>>>> mailing list keycloak-user at lists.jboss.org > > >>>>>> > > >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>>>>> > > >>>>> > > >>>>> -- Bill Burke JBoss, a division of Red Hat > > >>>>> http://bill.burkecentral.com > > >>>>> _______________________________________________ keycloak-user > > >>>>> mailing list keycloak-user at lists.jboss.org > > >>>>> > > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>>>> > > >>> > > >>> -- Bill Burke JBoss, a division of Red Hat > > >>> http://bill.burkecentral.com > > >>> > > >>> > > >>> ------------------------------ > > >>> > > >>> _______________________________________________ keycloak-user > > >>> mailing list keycloak-user at lists.jboss.org > > >>> > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > > >>> End of keycloak-user Digest, Vol 3, Issue 14 > > >>> ******************************************** > > >>> > > >>> > > >>> > > >>> > > >>> _______________________________________________ keycloak-user > > >>> mailing list keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > > >> -----BEGIN PGP SIGNATURE----- > > >> Version: GnuPG v2.0.22 (GNU/Linux) > > >> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > >> > > >> iQEcBAEBCgAGBQJTNSHcAAoJEDnJtskdmzLMHrYH/1D/vMgPxD0WUZ5KdIoD5Cow > > >> gb9fa+RZDQrpPxL1qKpqWJX3g1cKt8hQa1Xz7dX64G3/xcLUUkoJKkAtiJPysp75 > > >> xbkdWV+RGQXDHuyZcS75xEXQlPaWt2cEVxdSXMalzfQPzVhq00FBbeJLirKLbYsY > > >> I2CIjJgCSQhmOrVfP5vUSdrwsLsd+TBXee4779YiOceSW16oG9Nfsa5gF1XJSNhi > > >> 
o2fZCEkoXhbTD7RXuhhrDWlFBCQOIgWf6FUHEAVKnXeIR5oey6U9hv1Z16Kd2Pll > > >> Pv8+LWlJjKMfkmrCQrVQvYSI/n64vxjikta2ByBdOPethsebqXO9oknbiPtjq6E= > > >> =TiWl > > >> -----END PGP SIGNATURE----- > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > >> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20140328/d14cb7f6/attachment.html > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 3, Issue 21 > ******************************************** > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140330/b5d2b73e/attachment-0001.html

From bburke at redhat.com Sun Mar 30 18:30:14 2014
From: bburke at redhat.com (Bill Burke)
Date: Sun, 30 Mar 2014 18:30:14 -0400
Subject: [keycloak-user] Inject (Keycloak)Principal
Message-ID: <53389AF6.1050501@redhat.com>

On 3/30/2014 5:08 PM, Dirk Franssen wrote:
> Hey Bill,
>
> I think it would make sense to add the IDToken to the KeycloakPrincipal.
> This avoids the additional
> servletRequest.getAttribute(KeycloakSecurityContext.class.getName())
> call in order to get the user details.
>
> For info to other users: in order to get more than only the (preferred)
> username, you should change in your realm the Allowed Claims at the
> application level, otherwise e.g. the email address will stay null
> however it was provided in the account of the user.
>
> @Nils/Juca:
> the injection of the principal is now working. I didn't have @Stateless
> on the CustomerService before, that's why :-).
>
> Just to be sure: in one of the videos the database service was also
> being defined in the admin console as an application, but I assume that
> this is superfluous as the bundled demo realm is not describing it?

The database service is registered when you want to have per-app roles.
The OOTB demo uses realm-level roles for everything. Generally, though,
you should register each application with an admin URL so that it can
have things updated like not-before policies.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From n.preusker at gmail.com Mon Mar 31 11:35:43 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Mon, 31 Mar 2014 17:35:43 +0200
Subject: [keycloak-user] JSON Export of Realm

Hi all,

I was wondering whether there is a simple way to export the realms you
create in the admin console as JSON like you did with the demo realm. I
didn't find a way to do this in the console UI.

Cheers,
Nils
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140331/9c0f6425/attachment.html

From stian at redhat.com Mon Mar 31 11:36:45 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 31 Mar 2014 11:36:45 -0400 (EDT)
Subject: [keycloak-user] JSON Export of Realm
Message-ID: <1996003533.4722432.1396280205233.JavaMail.zimbra@redhat.com>

Not at the moment, but this is something we're planning to add soon.

----- Original Message -----
> From: "Nils Preusker"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 31 March, 2014 4:35:43 PM
> Subject: [keycloak-user] JSON Export of Realm
>
> Hi all,
>
> I was wondering whether there is a simple way to export the realms you
> create in the admin console as JSON like you did with the demo realm. I
> didn't find a way to do this in the console UI.
>
> Cheers,
> Nils

From n.preusker at gmail.com Mon Mar 31 11:43:52 2014
From: n.preusker at gmail.com (Nils Preusker)
Date: Mon, 31 Mar 2014 17:43:52 +0200
Subject: [keycloak-user] JSON Export of Realm
In-Reply-To: <1996003533.4722432.1396280205233.JavaMail.zimbra@redhat.com>
References: <1996003533.4722432.1396280205233.JavaMail.zimbra@redhat.com>

Wow, thanks for the super fast answer! And is there any other way? Even if
it's a hack :)

Cheers,
Nils

On Mon, Mar 31, 2014 at 5:36 PM, Stian Thorgersen wrote:
> Not at the moment, but this is something we're planning to add soon.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140331/a3bc9b67/attachment.html

From dean.peterson at state.mn.us Mon Mar 24 17:52:30 2014
From: dean.peterson at state.mn.us (Peterson, Dean (MNIT))
Date: Mon, 24 Mar 2014 21:52:30 -0000
Subject: [keycloak-user] Logging out
Message-ID: <1EABCDF53DE61D4CBAA8B44901ED2054493A77@055-CH1MPN1-031.055d.mgd.msft.net>

Ok, that makes sense. I am still trying to figure out how k_logout should
work on my end. I do have the keycloak modules installed on the server
running my app. However, I still get a value of false in logoutApplication:

    Response response = client.target(managementUrl)
            .path(AdapterConstants.K_LOGOUT)
            .request()
            .post(Entity.text(token));
    boolean success = response.getStatus() == 204;

The success Boolean is false. I set the Admin url to some path with "admin"
but I do not have a REST service at any location for .../admin/.../k_logout.
Am I supposed to do something on my end or should the keycloak modules have
automatically set something up that understands how to handle a request to
something like .../admin/.../k_logout? I just would have liked to make all
of this a bit easier.

Why can't I create some REST service on my end that calls something like:

    KeycloakSecurityContext.logout();

Under the covers KeycloakSecurityContext.logout() builds the logout uri,
sends the request to the keycloak server and finally logs me out of the
local application?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140324/22238306/attachment.html
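Editor's added example (not Keycloak project code and not posted by anyone in the thread above) illustrating the point made in the "Inject (Keycloak)Principal" reply and the "Logging out" question: an application registers an admin URL so that the server can push things like not-before policies to it, and a token whose signature is still valid must then be refused if it was issued before that instant. The filter below assumes the Keycloak adapter has already verified the bearer token and stored the security context under the request attribute named by Dirk; `NotBeforePolicy` is a hypothetical holder that the adapter's admin callback handling (the k_logout-style endpoints) would update, and the `getToken()`/`getIssuedAt()` accessor names are assumed from the keycloak-core API and should be checked against the version in use.

```java
// Added example, not Keycloak project code. Enforces a not-before policy on
// bearer tokens that the Keycloak adapter has already verified.
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.keycloak.KeycloakSecurityContext;      // package assumed (keycloak-core)
import org.keycloak.representations.AccessToken;  // package assumed (keycloak-core)

@Provider
public class NotBeforeFilter implements ContainerRequestFilter {

    /**
     * Hypothetical process-wide policy holder. In a real deployment the admin
     * callback that Keycloak invokes at the registered admin URL (for example
     * .../admin/k_logout) would raise this value; tokens issued earlier than it
     * are then refused even though their signature still verifies.
     */
    public static final class NotBeforePolicy {
        private static volatile long notBefore = 0L; // seconds since epoch, 0 = no policy

        public static synchronized void update(long seconds) {
            if (seconds > notBefore) { // a policy only ever moves forward
                notBefore = seconds;
            }
        }

        public static long current() {
            return notBefore;
        }
    }

    @Context
    private HttpServletRequest request;

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // The adapter stores the verified context under this attribute name (see the thread).
        KeycloakSecurityContext sc = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (sc == null) {
            return; // not secured by the adapter; leave to the container's own rules
        }
        AccessToken token = sc.getToken(); // accessor name assumed, see lead-in
        if (!isAcceptable(token.getIssuedAt(), NotBeforePolicy.current())) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Bearer error=\"invalid_token\"")
                    .build());
        }
    }

    /** A token is acceptable when it was issued at or after the not-before instant. */
    static boolean isAcceptable(long issuedAt, long notBefore) {
        return issuedAt >= notBefore;
    }
}
```

The point of keeping the policy in one place is that a pushed not-before value only helps if the application actually receives it, which is why the admin URL has to be reachable from the Keycloak server; an application with no admin URL keeps accepting every token until it expires on its own.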