From stian at redhat.com Mon Sep 1 03:33:21 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 1 Sep 2014 03:33:21 -0400 (EDT)
Subject: [keycloak-user] Authenticate user without using login page
In-Reply-To:
References: <53D8F558.5050902@redhat.com> <2092751170.20453860.1406728125335.JavaMail.zimbra@redhat.com> <2056374389.40730250.1409294802169.JavaMail.zimbra@redhat.com> <1410195858.40918657.1409314376303.JavaMail.zimbra@redhat.com>
Message-ID: <670057215.41788108.1409556801729.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen" , keycloak-user at lists.jboss.org
> Sent: Friday, 29 August, 2014 4:09:41 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> Not really I think, the thing is I wanted to use the *login_hint* feature, but I don't think it will be possible based on what you said now, is that correct?

Yes, that's correct :/

The only adapter that will work atm with login_hint is the JS adapter. For as7/wildfly adapters you could work around it by creating and setting your own state cookie and generating the login_url (if you need some hints on how to do that let me know).

If you create a jira to request adding support for login_hint to the as7/wildfly adapters then we can look at adding support for it after 1.0.final is released.

>
> PS: added back the mailing list because I excluded it from the previous e-mail by mistake
>
>
> On Fri, Aug 29, 2014 at 9:12 AM, Stian Thorgersen wrote:
>
> > You can't create the login url yourself at the moment, this is because the adapter sets a cookie to store the state variable so it can check it in the callback.
> >
> > You can call HttpServletRequest.authenticate, which will redirect to the login after setting the state cookie. Does that work for you?
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: "Stian Thorgersen"
> > > Sent: Friday, 29 August, 2014 1:07:22 PM
> > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > >
> > > I'm using the JBoss AS7 adapter
> > > On Aug 29, 2014 3:46 AM, "Stian Thorgersen" wrote:
> > >
> > > > Which adapter are you using?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rodrigo Sasaki"
> > > > > To: "Stian Thorgersen"
> > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > > > > Sent: Thursday, 28 August, 2014 3:51:17 PM
> > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > >
> > > > > Coming back to this, I have a quick question. What would be the best way for me to create a valid login URL dynamically?
> > > > >
> > > > > When we try to access a protected resource, the login page comes up, authenticates the user and it all works fine, but when I try to fabricate a loginUrl to the redirect_uri that I need it to go after we encounter some problems that I think may be related to the state variable, although I'm not sure. I get Error 400 sometimes, which isn't very clear.
> > > > >
> > > > > Is there a guideline for this?
> > > > >
> > > > > On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen wrote:
> > > > >
> > > > > > Yes, login_hint is one of the optional request parameters supported by OpenID Connect
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Bill Burke"
> > > > > > > To: "Stian Thorgersen" , "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > Sent: Wednesday, 30 July, 2014 2:38:32 PM
> > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > >
> > > > > > > OpenID Connect protocol is used to implement this?
> > > > > > >
> > > > > > > On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> > > > > > > > Added login_hint query param. It can be used with keycloak.js with either:
> > > > > > > >
> > > > > > > > keycloak.login({ loginHint: 'username' })
> > > > > > > >
> > > > > > > > or
> > > > > > > >
> > > > > > > > keycloak.createLoginUrl({ loginHint: 'username' })
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Rodrigo Sasaki"
> > > > > > > > > To: "Stian Thorgersen"
> > > > > > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > > > > > > > > Sent: Friday, 25 July, 2014 6:11:47 PM
> > > > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > > > >
> > > > > > > > > It all worked great with the iframe, if I style it properly and use that login_hint it should be perfect.
> > > > > > > > >
> > > > > > > > > Now how should I go about developing/using this login_hint? Are there any tips on this, or is it something that you plan on including yourselves?
> > > > > > > > >
> > > > > > > > > On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Just one more thing that wasn't completely clear to me.
> > > > > > > > > >
> > > > > > > > > > If I add a login page on an iframe, the user will be logged normally? Or would I have to get a token and keep managing it?
> > > > > > > > > >
> > > > > > > > > > On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki wrote:
> > > > > > > > > >
> > > > > > > > > > > That idea actually sounds amazing, I didn't look into keycloak.js yet, but I'll see if I can get it working before I think about styling.
> > > > > > > > > > >
> > > > > > > > > > > Thank you very much!
> > > > > > > > > > >
> > > > > > > > > > > On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I think we could quite easily add support for embedding the login page to keycloak.js. Rough idea:
> > > > > > > > > > > >
> > > > > > > > > > > > 1. Set an option on keycloak.js to use embedded login form. Would also require setting an id for a div where the form should be embedded.
> > > > > > > > > > > > 2. When clicking on login instead of redirecting it would render an iframe element inside the configured div with the src of the iframe being the login page on Keycloak
> > > > > > > > > > > > 3. The redirect-uri would be a special url on Keycloak that renders a similar page to the iframe session page that allows posting a message back to keycloak.js containing the code
> > > > > > > > > > > > 4. Now keycloak.js can swap the code as usual
> > > > > > > > > > > >
> > > > > > > > > > > > One thing is that we'd probably need an additional styling of the login form, as you would want the login page to display differently when embedded compared to when you redirect to it.
> > > > > > > > > > > >
> > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > From: "Stian Thorgersen"
> > > > > > > > > > > > > To: "Bill Burke"
> > > > > > > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > > > > > > Sent: Friday, 25 July, 2014 2:30:44 PM
> > > > > > > > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > > > > > > > >
> > > > > > > > > > > > > The cookies should be set fine, as the iframe would contain the login page directly from Keycloak.
> > > > > > > > > > > > >
> > > > > > > > > > > > > It would redirect to a special page on the app that after extracting the code would close the popup.
> > > > > > > > > > > > >
> > > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > > From: "Bill Burke"
> > > > > > > > > > > > > > To: "Stian Thorgersen" , "Rodrigo Sasaki"
> > > > > > > > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > Sent: Friday, 25 July, 2014 2:23:14 PM
> > > > > > > > > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > not sure this will work with SSO. I'm not sure CORS requests can deal with cookies.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > > > > > > > > > > > > > > What about using an iframe in the popup to include the login form from Keycloak?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > You can send a HTTP POST to /auth-server//tokens/grants/access with client id/secret and username/password and get a token back. With keycloak.js you can give it this token, not sure how/if this flow works with the server-side (Undertow) adapter.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > > > > From: "Rodrigo Sasaki"
> > > > > > > > > > > > > > > > To: "Stian Thorgersen"
> > > > > > > > > > > > > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > > > Sent: Friday, 25 July, 2014 2:08:43 PM
> > > > > > > > > > > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Actually, the main problem is one of the flows where the password request appears in a popup, there's no redirect at all, and one of the things that were agreed upon when we decided to change the authentication provider was that nothing would be altered in the user experience.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > So I really have to try and make keycloak "fit in" in these particular scenarios, they are not used as much as the ones where we'll use the keycloak login page with our own style, but I do have to make them work.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > When you say I could use direct grant to get a token, would that count as the same as a user logging in? It's not really clear to me right now
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Yes, but I'm wondering why the following won't work:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > 1. Ask for users email (in your app, not KC)
> > > > > > > > > > > > > > > > > 2. Once you get to the flow where a user has to login:
> > > > > > > > > > > > > > > > >    a) If user doesn't exist in KC (you can use admin endpoints to check this) redirect to registration page on KC with email already entered
> > > > > > > > > > > > > > > > >    b) If user does exist in KC redirect to login page again with email already entered
> > > > > > > > > > > > > > > > > 3. Redirect back to app
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > > > > > > From: "Bill Burke"
> > > > > > > > > > > > > > > > > > To: "Stian Thorgersen" , "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > > > > > > > > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > > > > > Sent: Friday, 25 July, 2014 1:48:45 PM
> > > > > > > > > > > > > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > It is because their first login screen is just something asking for an email. If the email doesn't exist as a user, they want a redirect to the register page.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > > > > > > > > > > > > > > > > > > Yes, you can use the direct grant to retrieve a token.
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > I'd like to know why redirecting to the login form, when styled to match your website, and using login_hint to pre-fill username/email doesn't work. Maybe there's something we can do so that you can still use the "proper" flow?
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > > > > > > > > From: "Rodrigo Sasaki"
> > > > > > > > > > > > > > > > > > > > To: "Stian Thorgersen"
> > > > > > > > > > > > > > > > > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > > > > > > > Sent: Thursday, 24 July, 2014 6:13:17 PM
> > > > > > > > > > > > > > > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > Sorry to keep insisting on this, but since it's being a huge showstopper so far, I just have to ask.
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > If I don't mind trading off SSO and all the other benefits that the Keycloak login page provides me, would there be a way for me to do what I want?
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > We could add support for login_hint query param so you can have the username/email field on the login form pre-filled for the user, so once a user has to authenticate you redirect to login on KC and all they would have to do is enter their password.
> > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > If you bypass the login forms you'd lose SSO, multi-factor support, required actions, recover password, etc, etc, etc..
> > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > As Bill mentioned we provide very flexible login forms that can be templated using either just css or even FreeMarker templates if you need a lot of customization, so you should be able to make the login form integrate well with your website.
> > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > > > > > > > > > > > From: "Rodrigo Sasaki"
> > > > > > > > > > > > > > > > > > > > > > To: "Bill Burke"
> > > > > > > > > > > > > > > > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > > > > > > > > > Sent: Thursday, 17 July, 2014 6:52:08 PM
> > > > > > > > > > > > > > > > > > > > > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > You think there could be a way to do this within keycloak itself?
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > I'll give you an example:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > We have a situation in our website where we only ask for the user's e-mail, and he can go on with the flow.
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On a determined step of the flow, if we identify that this is an e-mail that we already have in our user database, we ask him for his password, authenticate him, and let him go on; if this e-mail is new, we redirect him to a page where he can register himself, and after that continue on.
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On this specific case and others, we wouldn't like to have to redirect him to keycloak, because that would interrupt the flow that we designed.
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > If you have to do it this way, please let us know why. Maybe we can solve the issue within keycloak itself.
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > Just for the sake of conversation, if I did want to handle my own login page, would there be a way for me to do it?
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > I don't want to miss out on all of that, which is why we're mostly migrating everything to use keycloak that way.
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > It's just that we have cases that are so specific, that it would be better to authenticate the user in a different manner, create the user session and everything, without redirecting.
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > I'll have a look at that code. Thanks!
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > If you want to handle your own login pages, IMO, you are missing out on a lot of Keycloak features. Specifically:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > * SSO
> > > > > > > > > > > > > > > > > > > > > > * forgot password
> > > > > > > > > > > > > > > > > > > > > > * admin forced credential reset/setup
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > Login pages can be styled however you like to look like your application.
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > There is a REST api for obtaining an access token. Here is an example:
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > > > > > > > > > > > > > > > > > > > > > > Is there a way to authenticate the user without having to input username and password on the login page?
> > > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > > For example:
> > > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > > Say there's a situation in my application where I request the user for his username and password, and I wouldn't like to redirect that to the keycloak login page to authenticate him, would there be a way for me to do that?
> > > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > > > > > > > > Rodrigo Sasaki
> > > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > > > > > > > > > > > > keycloak-user mailing list
> > > > > > > > > > > > > > > > > > > > > > > keycloak-user at lists.jboss.org
> > > > > > > > > > > > > > > > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > > > > > > > > Bill Burke
> > > > > > > > > > > > > > > > > > > > > > JBoss, a division of Red Hat
> > > > > > > > > > > > > > > > > > > > > > http://bill.burkecentral.com

From stian at redhat.com Mon Sep 1 05:16:30 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 1 Sep 2014 05:16:30 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.0 RC 2 Released
In-Reply-To: <1881583534.41838523.1409562982226.JavaMail.zimbra@redhat.com>
Message-ID: <81922133.41838537.1409562990332.JavaMail.zimbra@redhat.com>

This will be the last release candidate before we release 1.0 final in just two weeks! So, there are no new exciting features in this release, only a few bug fixes.
From stian at redhat.com Mon Sep 1 07:26:42 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 1 Sep 2014 07:26:42 -0400 (EDT)
Subject: [keycloak-user] access to IDM form java EJB
In-Reply-To:
References:
Message-ID: <1612259578.41896594.1409570802201.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "?????? ??????"
> To: keycloak-user at lists.jboss.org
> Sent: Sunday, 31 August, 2014 12:01:33 PM
> Subject: [keycloak-user] access to IDM form java EJB
>
> Good afternoon.
> My English is not very good, so I just apologize. I really liked your project Keycloak. I've had a number of questions on it, in which I ask your help. So ...
> 1 How REST interface through JSApp create user with specified password. In my case I "PUT" reset-password and get a "Access to the specified resource has been forbidden", but without password is ok.

You need to first create the user, then reset the password for the user afterwards (the password can be set to temporary to require the user to change it on next login)

> 2 How to check in Stateless EJB which role belongs to a particular user, get his ID, etc. That access to users IDM from the business code.
> Thank you very much.

You can use the standard JavaEE mechanism for this (EJBContext.isCallerInRole)

>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rodrigopsasaki at gmail.com Mon Sep 1 10:10:01 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 1 Sep 2014 11:10:01 -0300
Subject: [keycloak-user] Find by email not working?
Message-ID:

Hello,

I have a method in my project that finds users by e-mail using the REST API on

*/realms/{realm}/users?email=...*

It used to work fine, but I upgraded to RC1 and it stopped working, I tried debugging it but it doesn't seem to stop on my breakpoint inside the *JpaUserProvider* class.

It simply returns nothing, with valid calls and a valid e-mail that I know exists.

Is this a known bug?

--
Rodrigo Sasaki

From rodrigopsasaki at gmail.com Mon Sep 1 12:40:08 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 1 Sep 2014 13:40:08 -0300
Subject: [keycloak-user] Find by email not working?
In-Reply-To:
References:
Message-ID:

I believe I have found the problem. If I don't send a *max* query param, it is set as -1, and by having that value it stops the execution of the *query* method inside *UserFederationManager* class so it doesn't return any value.

If I send a value on *max* I get a return, but it comes duplicated, I receive a JSON that has the same user twice. I was looking inside the method *getUsers* inside the *UsersResource* class and it executes the same for loop twice, adding the same userModel to the results list.

Should the inner for loop exist?

On Mon, Sep 1, 2014 at 11:10 AM, Rodrigo Sasaki wrote:

> Hello,
>
> I have a method in my project that finds users by e-mail using the REST API on
>
> */realms/{realm}/users?email=...*
>
> It used to work fine, but I upgraded to RC1 and it stopped working, I tried debugging it but it doesn't seem to stop on my breakpoint inside the *JpaUserProvider* class.
>
> It simply returns nothing, with valid calls and a valid e-mail that I know exists.
>
> Is this a known bug?
>
> --
> Rodrigo Sasaki

--
Rodrigo Sasaki

From bburke at redhat.com Mon Sep 1 13:19:53 2014
From: bburke at redhat.com (Bill Burke)
Date: Mon, 01 Sep 2014 13:19:53 -0400
Subject: [keycloak-user] Find by email not working?
Message-ID: <5404AAB9.70800@redhat.com>

log a jira.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rodrigopsasaki at gmail.com Mon Sep 1 14:29:53 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Mon, 1 Sep 2014 15:29:53 -0300
Subject: [keycloak-user] Find by email not working?
In-Reply-To: <5404AAB9.70800@redhat.com>
References: <5404AAB9.70800@redhat.com>

Done.

https://issues.jboss.org/browse/KEYCLOAK-658
--
Rodrigo Sasaki
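An added example, not code from this thread or from the Keycloak project, that puts the two answers above into one small admin REST client: Stian's advice in the "access to IDM" thread (create the user first, then PUT reset-password with a temporary password), and a defensive version of the search used in this thread (always send an explicit max, and de-duplicate the returned users by id so a doubled entry cannot be processed twice). It assumes the 1.0-era admin API under /auth/admin (the base URL, realm name and user ids are placeholders, overridable through environment variables) and an admin bearer token obtained beforehand; the endpoint paths and JSON fields follow the published Keycloak admin REST API, and the duplicated response at the bottom is a constructed sample, not real data.

```python
"""Small Keycloak admin REST client (added example, not from the thread).

1. Create the user, then set its password with PUT .../reset-password,
   marked temporary so the user must change it on next login.
2. Search /realms/{realm}/users?email=... with an explicit `max` and
   de-duplicate the result by user id.
Assumed: 1.0-era admin API under /auth/admin and an admin bearer token.
"""
import json
import os
import urllib.parse
import urllib.request

# Assumed base URL for the admin API; override with KC_ADMIN_BASE.
ADMIN_BASE = os.environ.get("KC_ADMIN_BASE", "http://localhost:8080/auth/admin")


def admin_request(token, method, path, body=None, query=None):
    """Send one JSON request carrying the admin bearer token.

    Returns (status, headers, raw_body). A 403 such as the "Access to the
    specified resource has been forbidden" from the thread surfaces as
    urllib.error.HTTPError instead of a silent empty result.
    """
    url = ADMIN_BASE + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers, resp.read()


def new_user_payload(username, email):
    """UserRepresentation for POST /realms/{realm}/users; no credentials here."""
    return {"username": username, "email": email, "enabled": True}


def reset_password_payload(password, temporary=True):
    """CredentialRepresentation for PUT /realms/{realm}/users/{id}/reset-password."""
    return {"type": "password", "value": password, "temporary": temporary}


def user_id_from_location(location):
    """The create call answers 201 with a Location header ending in the new id."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def create_user_with_temp_password(token, realm, username, email, password):
    """Two-step flow from the thread: create first, then reset-password."""
    status, headers, _ = admin_request(
        token, "POST", f"/realms/{realm}/users", body=new_user_payload(username, email))
    location = headers.get("Location")
    if status != 201 or not location:
        raise RuntimeError(f"user creation returned HTTP {status} without a Location")
    user_id = user_id_from_location(location)
    admin_request(token, "PUT", f"/realms/{realm}/users/{user_id}/reset-password",
                  body=reset_password_payload(password, temporary=True))
    return user_id


def dedupe_by_id(users):
    """Keep the first occurrence of each user id, preserving order."""
    seen, unique = set(), []
    for user in users:
        if user.get("id") not in seen:
            seen.add(user.get("id"))
            unique.append(user)
    return unique


def parse_user_search(raw_body):
    """Decode a users search response and collapse duplicated entries."""
    return dedupe_by_id(json.loads(raw_body))


def find_users_by_email(token, realm, email, max_results=20):
    """GET /realms/{realm}/users?email=...&max=...; `max` is always sent."""
    _, _, raw = admin_request(token, "GET", f"/realms/{realm}/users",
                              query={"email": email, "max": max_results})
    return parse_user_search(raw)


# Constructed sample of the doubled response reported in the thread (not real data).
SAMPLE_DUPLICATED_RESPONSE = json.dumps([
    {"id": "placeholder-id-1", "username": "alice", "email": "alice@example.com"},
    {"id": "placeholder-id-1", "username": "alice", "email": "alice@example.com"},
]).encode("utf-8")


if __name__ == "__main__":
    token = os.environ["KC_ADMIN_TOKEN"]          # admin token obtained beforehand
    realm = os.environ.get("KC_REALM", "demo")    # placeholder realm name
    uid = create_user_with_temp_password(token, realm, "alice", "alice@example.com", "change-me-now")
    print("created", uid, "->", find_users_by_email(token, realm, "alice@example.com"))
```

The split into payload builders, a Location parser and a de-duplication step keeps the parts that do not need a server testable on their own; the network calls only run from the `__main__` block.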
From peterson.dean at gmail.com Mon Sep 1 21:50:54 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 1 Sep 2014 20:50:54 -0500
Subject: [keycloak-user] LiveOak integration with Keycloak

I am wondering about the KeycloakApplication class the LiveOak project seems to be using to extend Keycloak for their framework. I really like what LiveOak is doing but I am not able to understand why they would couple everything to a custom version of Keycloak. I want to have a separate Keycloak server that handles security for whatever applications I have. It seems their decision to include Keycloak in the deployment of LiveOak prevents me from deploying multiple LiveOak domain models on separate servers. Every LiveOak will have its own instance of Keycloak.

I am asking here because it seems Stian has had a hand in the creation of LiveOak and I was hoping he might see this and shed some light on the subject. There is little documentation on the KeycloakApplication class. Is that used to easily extend Keycloak and embed it into other frameworks? Doesn't that defeat the purpose of Security As A Service? Any ideas how I might decouple Keycloak from LiveOak?

From stian at redhat.com Tue Sep 2 03:37:30 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 2 Sep 2014 03:37:30 -0400 (EDT)
Subject: [keycloak-user] LiveOak integration with Keycloak
Message-ID: <1155100161.42215509.1409643450943.JavaMail.zimbra@redhat.com>

To make LiveOak as easy as possible to use we wanted it to work out of the box, so we include a ready bootstrapped Keycloak. It's quite easy to remove the bootstrap Keycloak server and use your own.
Marek is going to upgrade Keycloak in LiveOak soon and he'll add some documentation on how to use an external Keycloak server.

From alarik at zwift.com Tue Sep 2 10:14:04 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Tue, 2 Sep 2014 10:14:04 -0400
Subject: [keycloak-user] Problem starting up 1.0-rc-2 using 1.0-rc-1 compatible SQL schema

I am using Wildfly 8.0.0-Final and Postgres 9.3.5.
When I try to start up 1.0-rc-2 and point to a schema that worked with 1.0-rc-1, I get the following:

Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
    at com.sun.proxy.$Proxy53.find(Unknown Source)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:51)
    at org.keycloak.models.cache.DefaultCacheRealmProvider.getRealm(DefaultCacheRealmProvider.java:173)
    at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:42)
    at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:33)
    at org.keycloak.services.resources.KeycloakApplication.setupDefaultRealm(KeycloakApplication.java:137)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_05]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [rt.jar:1.8.0_05]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.8.0_05]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:408) [rt.jar:1.8.0_05]
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 15 more
Caused by: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1694)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1141)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1068)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_05]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_05]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_05]
    at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_05]
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
    ... 27 more
Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
    at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:126)
    at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713)
    at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:362)
    at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4712)
    at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:188)
    at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:144)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:244)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:215)
    at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:140)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:138)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:102)
    at org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:186)
    at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4120)
    at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:502)
    at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:467)
    at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:212)
    at org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:274)
    at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:150)
    at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1066)
    at org.hibernate.internal.SessionImpl.access$2000(SessionImpl.java:176)
    at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2540)
    at org.hibernate.internal.SessionImpl.get(SessionImpl.java:951)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1110)
    ... 33 more
Caused by: java.lang.IllegalArgumentException: Can not set boolean field org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled to null value
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) [rt.jar:1.8.0_05]
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) [rt.jar:1.8.0_05]
    at sun.reflect.UnsafeBooleanFieldAccessorImpl.set(UnsafeBooleanFieldAccessorImpl.java:80) [rt.jar:1.8.0_05]
    at java.lang.reflect.Field.set(Field.java:758) [rt.jar:1.8.0_05]
    at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:122)
    ... 55 more

If I start from an empty schema, I don't see this problem. This isn't a killer for me for now, but just thought I would bring it up.

Alarik

From stian at redhat.com Tue Sep 2 10:41:14 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 2 Sep 2014 10:41:14 -0400 (EDT)
Subject: [keycloak-user] Problem starting up 1.0-rc-2 using 1.0-rc-1 compatible SQL schema
Message-ID: <1519960643.42549762.1409668874903.JavaMail.zimbra@redhat.com>

I'm afraid the database schema changed again from rc-1 to rc-2 (I forgot to mention it in the migration guide).
For now you'll have to clear the db; after 1.0.final is released we'll support upgrading the database between versions.
From alarik at zwift.com Tue Sep 2 10:42:23 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Tue, 2 Sep 2014 10:42:23 -0400
Subject: [keycloak-user] Problem starting up 1.0-rc-2 using 1.0-rc-1 compatible SQL schema
In-Reply-To: <1519960643.42549762.1409668874903.JavaMail.zimbra@redhat.com>
References: <1519960643.42549762.1409668874903.JavaMail.zimbra@redhat.com>

OK. That's what I figured. Any idea when rc-2 will be in maven?

From stian at redhat.com Tue Sep 2 10:43:26 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 2 Sep 2014 10:43:26 -0400 (EDT)
Subject: [keycloak-user] Problem starting up 1.0-rc-2 using 1.0-rc-1 compatible SQL schema
References: <1519960643.42549762.1409668874903.JavaMail.zimbra@redhat.com>
Message-ID: <693804359.42550698.1409669006956.JavaMail.zimbra@redhat.com>

It's in there now. It can take up to 24 hours from when we do a release until it's synced with central :(
> > > When I try to start up 1.0-rc-2 and point to a schema that worked with 1.0-rc-1, I get the following:
> > >
> > > Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
> > >     at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44)
> > >     at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
> > >     at com.sun.proxy.$Proxy53.find(Unknown Source)
> > >     at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:51)
> > >     at org.keycloak.models.cache.DefaultCacheRealmProvider.getRealm(DefaultCacheRealmProvider.java:173)
> > >     at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:42)
> > >     at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:33)
> > >     at org.keycloak.services.resources.KeycloakApplication.setupDefaultRealm(KeycloakApplication.java:137)
> > >     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86)
> > >     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_05]
> > >     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [rt.jar:1.8.0_05]
> > >     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.8.0_05]
> > >     at java.lang.reflect.Constructor.newInstance(Constructor.java:408) [rt.jar:1.8.0_05]
> > >     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
> > >     ... 15 more
> > > Caused by: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
> > >     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
> > >     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1694)
> > >     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1141)
> > >     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1068)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_05]
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_05]
> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_05]
> > >     at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_05]
> > >     at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
> > >     ... 27 more
> > > Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
> > >     at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:126)
> > >     at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713)
> > >     at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:362)
> > >     at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4712)
> > >     at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:188)
> > >     at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:144)
> > >     at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:244)
> > >     at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:215)
> > >     at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:140)
> > >     at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:138)
> > >     at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:102)
> > >     at org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:186)
> > >     at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4120)
> > >     at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:502)
> > >     at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:467)
> > >     at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:212)
> > >     at org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:274)
> > >     at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:150)
> > >     at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1066)
> > >     at org.hibernate.internal.SessionImpl.access$2000(SessionImpl.java:176)
> > >     at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2540)
> > >     at org.hibernate.internal.SessionImpl.get(SessionImpl.java:951)
> > >     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1110)
> > >     ... 33 more
> > > Caused by: java.lang.IllegalArgumentException: Can not set boolean field org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled to null value
> > >     at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) [rt.jar:1.8.0_05]
> > >     at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) [rt.jar:1.8.0_05]
> > >     at sun.reflect.UnsafeBooleanFieldAccessorImpl.set(UnsafeBooleanFieldAccessorImpl.java:80) [rt.jar:1.8.0_05]
> > >     at java.lang.reflect.Field.set(Field.java:758) [rt.jar:1.8.0_05]
> > >     at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:122)
> > >     ... 55 more
> > >
> > > If I start from an empty schema, I don't see this problem. This isn't a killer for me for now, but just thought I would bring it up.
> > >
> > > Alarik

From rodrigopsasaki at gmail.com  Tue Sep 2 17:25:50 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 2 Sep 2014 18:25:50 -0300
Subject: [keycloak-user] Cancel button on JBoss 7 triggering Status 400

I was testing keycloak and I came across something weird.

I try to access a protected resource, so I get redirected to the Keycloak login page. If I hit cancel without doing anything, I get a response with status 400 and a query param appears like this:

error=access_denied

The same does not happen on Wildfly.

Should I open a JIRA for this?

--
Rodrigo Sasaki

From mposolda at redhat.com  Wed Sep 3 03:36:34 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 03 Sep 2014 09:36:34 +0200
Subject: [keycloak-user] Cancel button on JBoss 7 triggering Status 400
Message-ID: <5406C502.70202@redhat.com>

Hi,

I would say that this is not a bug but expected behaviour. If the user presses "Cancel", keycloak will redirect you to your application with "error=access_denied", so it's up to your application how to handle this situation. You can either redirect the user to a public resource or display some page with an error like "Access is denied for you because you refused to log in".

I think that this behaviour should be on both AS7 and Wildfly.
I've just tried with the Wildfly appliance distribution and it works (when pressing cancel it redirects me to my app with 400 and "error=access_denied"). Quite strange that you are seeing different behaviour with Wildfly.

Marek

On 2.9.2014 23:25, Rodrigo Sasaki wrote:
> I was testing keycloak and I came across something weird.
>
> I try to access a protected resource, so I get redirected to the Keycloak login page. If I hit cancel without doing anything, I get a response with status 400 and a query param appears like this:
>
> error=access_denied
>
> The same does not happen on Wildfly.
>
> Should I open a JIRA for this?
>
> --
> Rodrigo Sasaki

From christinalau28 at icloud.com  Wed Sep 3 07:14:36 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Wed, 03 Sep 2014 07:14:36 -0400
Subject: [keycloak-user] Query param with "code" property name will get 400 Bad request
Message-ID: <74C5B5EC-6270-4D10-8A01-36556DD8FFB0@icloud.com>

Hi,

I have an app deployed on Keycloak. Whenever I add a query parameter to any URL with the property name of "code", I get a 400 Bad Request (whether it's a static file or a servlet). The same app on JBoss does not have the same issue. Is this a bug?

Here are two URLs to try out, both unsecured:

JBoss EAP: http://jbosseap-test.apps.qatest.biz/v1/cloudproviders?code=100
Keycloak: http://ec2-54-84-240-18.compute-1.amazonaws.com:8080/dsgapi/cloudproviders?code=123

Christina
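Editor's note on the two reports above. The `error=access_denied` Marek describes and the `code` parameter Christina mentions are the two shapes of an OAuth 2.0 authorization response arriving at the application's redirect_uri, and the `state` parameter (which the adapter stores in a cookie when it starts the login) is what ties such a response to a login the adapter actually started. Whatever the cause of Christina's 400 turns out to be, the rule a confidential client should apply is: a request is a callback only when its `state` matches that cookie; otherwise `code` or `error` are ordinary application parameters and must be passed through, and a matching `error` is handled the way Marek suggests rather than surfacing as a 400. The example below is an editorial illustration in Python of that decision, not the Keycloak adapter's Java code; the cookie name and URLs are chosen for the example.

```python
"""Editorial example, not the Keycloak adapter's code.

Classify a request hitting the application's OAuth 2.0 redirect_uri:
  code  + state  -> authorization granted, exchange the code for tokens
  error + state  -> login refused (e.g. error=access_denied after "Cancel")
  no matching state -> not a callback at all; the application owns it
"""
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

STATE_COOKIE = "OAuth_Token_Request_State"  # cookie name assumed for this example


def begin_login() -> Tuple[str, str]:
    """Return (state for the authorization request, value for the state cookie).

    A fresh, unguessable state per login attempt is what lets the callback be
    matched to the attempt that started it and rejects forged responses."""
    state = secrets.token_urlsafe(32)
    return state, state


def classify_callback(url: str, cookies: Dict[str, str]) -> str:
    """Decide what a request to redirect_uri is.

    Returns 'not_a_callback', 'denied:<error>', 'code' or 'malformed'."""
    query = parse_qs(urlsplit(url).query)
    state = query.get("state", [None])[0]
    expected = cookies.get(STATE_COOKIE)
    if state is None or expected is None or not hmac.compare_digest(state, expected):
        # `?code=123` on /cloudproviders carries application data, not an
        # authorization response: hand it through untouched.
        return "not_a_callback"
    if "error" in query:
        return "denied:" + query["error"][0]
    if "code" in query:
        return "code"
    return "malformed"


def respond(url: str, cookies: Dict[str, str], public_page: str = "/") -> Tuple[int, str]:
    """Map the classification to an HTTP response. A refused login goes to a
    public page with the error named, instead of ending in a bare 400."""
    kind = classify_callback(url, cookies)
    if kind == "not_a_callback":
        return 200, "application handles the request"
    if kind.startswith("denied:"):
        return 302, f"{public_page}?login_error={kind.split(':', 1)[1]}"
    if kind == "code":
        return 302, "/"  # after exchanging the code for tokens, continue to the app
    return 400, "invalid authorization response"


if __name__ == "__main__":
    state, cookie = begin_login()
    jar = {STATE_COOKIE: cookie}
    print(respond(f"http://app.example/cb?state={state}&error=access_denied", jar))
    print(respond("http://app.example/dsgapi/cloudproviders?code=123", jar))
```

`hmac.compare_digest` is used for the state comparison so that the check does not leak timing information about the stored value; a plain `==` would be functionally identical but is the wrong habit for secrets.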
From rodrigopsasaki at gmail.com  Wed Sep 3 09:01:11 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Wed, 3 Sep 2014 10:01:11 -0300
Subject: [keycloak-user] Cancel button on JBoss 7 triggering Status 400
In-Reply-To: <5406C502.70202@redhat.com>
References: <5406C502.70202@redhat.com>

I think it does the same thing, but on the JBoss 7 adapter it follows a different flow: if there is anything in the error query param, it redirects to status 400, and it doesn't work the same way as the Wildfly one. There's a TODO comment there; maybe that's what's missing. Not sure.

I see it on line 193 of the OAuthRequestAuthenticator class.

Is this how it should behave?

On Wed, Sep 3, 2014 at 4:36 AM, Marek Posolda wrote:
> Hi,
>
> I would say that this is not a bug but expected behaviour. If the user presses "Cancel", keycloak will redirect you to your application with "error=access_denied", so it's up to your application how to handle this situation. You can either redirect the user to a public resource or display some page with an error like "Access is denied for you because you refused to log in".
>
> I think that this behaviour should be on both AS7 and Wildfly. I've just tried with the Wildfly appliance distribution and it works (when pressing cancel it redirects me to my app with 400 and "error=access_denied"). Quite strange that you are seeing different behaviour with Wildfly.
>
> Marek
>
> On 2.9.2014 23:25, Rodrigo Sasaki wrote:
> > I was testing keycloak and I came across something weird.
> >
> > I try to access a protected resource, so I get redirected to the Keycloak login page. If I hit cancel without doing anything, I get a response with status 400 and a query param appears like this:
> >
> > error=access_denied
> >
> > The same does not happen on Wildfly.
> >
> > Should I open a JIRA for this?
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki

From traviskds at gmail.com  Wed Sep 3 22:43:26 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Thu, 4 Sep 2014 12:43:26 +1000
Subject: [keycloak-user] user-resource-role-mappings typo error in doco

Hi,

As per the documentation here, http://docs.jboss.org/keycloak/docs/1.0-rc-2/userguide/html/ch07.html, we can set

    "user-resource-role-mappings" : true,

in the keycloak.json file, which will then make the adapter look inside the token for application level role mappings for the user.

But when I add this, I get the following error:

    Caused by: java.lang.RuntimeException: org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized field "user-resource-role-mappings" (Class org.keycloak.representations.adapters.config.AdapterConfig), not marked as ignorable

I was able to track this down to the code in AdapterConfig in the org.keycloak.representations.adapters.config package. In there, it is defined as "use-resource-role-mappings". When I changed it to this it worked.

I believe the doco has a typo that needs to be fixed.

Cheers
Travis
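Editor's note on the report above. Two things are worth seeing in code: the adapter maps keycloak.json onto a fixed set of properties and rejects an unknown key (the `UnrecognizedPropertyException` Travis hit), which is the desirable fail-closed behaviour for a security configuration, since a silently ignored typo would leave the option at its default; and what `use-resource-role-mappings` actually selects, namely whether the adapter reads the user's roles from the token's realm-level role claim or from the application-level (per client) role claim. The example below is an editorial illustration in Python, not Keycloak's Java code; the list of known keys is a subset of the adapter options in the 1.0 user guide, and the token, realm name and client id are constructed sample data.

```python
"""Editorial example, not Keycloak's code.

(1) A strict keycloak.json loader that rejects unknown keys, mirroring the
    UnrecognizedPropertyException behaviour of the adapter's AdapterConfig.
(2) The role-selection rule that `use-resource-role-mappings` controls when
    the adapter reads roles out of a Keycloak access token.
"""
import base64
import json
from typing import List, Optional

# Assumption: a subset of the adapter keys documented for 1.0. Anything not
# listed is rejected rather than ignored, as the Jackson-mapped config does.
KNOWN_KEYS = {
    "realm", "realm-public-key", "auth-server-url", "ssl-required",
    "resource", "credentials", "use-resource-role-mappings", "bearer-only",
}


def load_adapter_config(text: str) -> dict:
    """Parse keycloak.json, failing closed on any key that is not known."""
    cfg = json.loads(text)
    unknown = sorted(set(cfg) - KNOWN_KEYS)
    if unknown:
        raise ValueError(f'Unrecognized field "{unknown[0]}" in keycloak.json')
    return cfg


def config_error(text: str) -> Optional[str]:
    """Return the rejection message for a keycloak.json, or None if it loads."""
    try:
        load_adapter_config(text)
        return None
    except ValueError as exc:
        return str(exc)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_constructed_token(claims: dict) -> str:
    """Compact JWS with a placeholder signature: constructed test data only."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_claims(token: str) -> dict:
    """Read the claims segment of a compact JWS.

    Only trust the result after the signature has been verified against the
    realm public key; this helper deliberately does not do that step."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def roles_for(cfg: dict, claims: dict) -> List[str]:
    """Roles the adapter will enforce for this deployment.

    use-resource-role-mappings = true  -> resource_access.<resource>.roles
    use-resource-role-mappings = false -> realm_access.roles (the default)
    """
    if cfg.get("use-resource-role-mappings", False):
        app = claims.get("resource_access", {}).get(cfg["resource"], {})
        return list(app.get("roles", []))
    return list(claims.get("realm_access", {}).get("roles", []))


# Constructed sample data (realm, client id and roles are made up).
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/auth/realms/demo",
    "preferred_username": "alice",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"customer-portal": {"roles": ["customer-admin"]}},
}
GOOD_CONFIG = json.dumps({
    "realm": "demo",
    "resource": "customer-portal",
    "auth-server-url": "http://localhost:8080/auth",
    "use-resource-role-mappings": True,
})
# The documentation typo from the report, applied to the same file.
TYPO_CONFIG = GOOD_CONFIG.replace("use-resource", "user-resource")


if __name__ == "__main__":
    print(config_error(TYPO_CONFIG))
    cfg = load_adapter_config(GOOD_CONFIG)
    token = make_constructed_token(SAMPLE_CLAIMS)
    print(roles_for(cfg, decode_jwt_claims(token)))
```

With the flag set, the deployment for client `customer-portal` sees only that client's roles; with it unset, the same token yields the realm roles. The two claim sets are independent, which is why a misspelled key that is quietly dropped would not merely be cosmetic.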
From traviskds at gmail.com  Thu Sep 4 02:36:04 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Thu, 4 Sep 2014 16:36:04 +1000
Subject: [keycloak-user] Multitenancy for WAR

Hi Stian,

Your proposed solution would not cover the use case where we can create tenants at runtime, as the realm config in the keycloak.json would be hard coded into the war.

I had discussed this identical use case a while ago on this forum and Bill was planning to refactor the adapters to support this use case. Unfortunately he got caught up in other tasks and was not able to proceed on this.

The discussion thread is here: http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html

Basically what I believe Bill suggested which would meet this use case is to:

1. Have a shared secret between clients for all realms.
2. The adapter would just extract the realm name from the request, invoke on the keycloak server to get the public information about the realm (i.e. public key) and then cache the information locally.

The key bit here is extracting the realm name from the request and then pulling the realm info from the keycloak server.

I had a look at the keycloak source code and I believe the magic happens in the KeycloakServletExtension class under the org.keycloak.adapters.undertow package for my use case (since I deploy it on wildfly).

What has got me stumped is that this class gets loaded when my war is deployed, and I am wondering how I can do it per request (if the info is not already cached locally).

Maybe with the imminent release of 1.0 (btw congrats for the great work to everyone in the team and for Bill and your leadership), maybe we should start thinking about this multi tenancy use case to be included in future releases.

I believe that SaaS models are going to be popular and having this feature added will make keycloak a major player in this space.
Cheers
Travis

From bburke at redhat.com  Thu Sep 4 09:15:15 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 04 Sep 2014 09:15:15 -0400
Subject: [keycloak-user] Multitenancy for WAR
Message-ID: <540865E3.3020401@redhat.com>

Travis, I did do most of the work for this. I think I pinged you to see if you still wanted the feature, but never followed through. I'm sorry.

All this would require a shared client secret, or public clients. It would require you to extract the realm name somehow based on the current HTTP request. Probably a URI pattern.

There is an AdapterDeploymentContext class. This class has a method:

    KeycloakDeployment resolveDeployment(HttpFacade)

This method gets called every request. You would extend this class and override resolveDeployment and create (and then cache) your KeycloakDeployment based on the incoming HTTP request.

The only problem is that the current code has no way for you to plug in a new implementation of the AdapterDeploymentContext.

On 9/4/2014 2:36 AM, Travis De Silva wrote:
> Hi Stian,
>
> Your proposed solution would not cover the use case where we can create tenants at runtime, as the realm config in the keycloak.json would be hard coded into the war.
>
> I had discussed this identical use case a while ago on this forum and Bill was planning to refactor the adapters to support this use case. Unfortunately he got caught up in other tasks and was not able to proceed on this.
>
> The discussion thread is here: http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html
>
> Basically what I believe Bill suggested which would meet this use case is to:
>
> 1. Have a shared secret between clients for all realms.
> 2. The adapter would just extract the realm name from the request, invoke on the keycloak server to get the public information about the realm (i.e. public key) and then cache the information locally.
>
> The key bit here is extracting the realm name from the request and then pulling the realm info from the keycloak server.
>
> I had a look at the keycloak source code and I believe the magic happens in the KeycloakServletExtension class under the org.keycloak.adapters.undertow package for my use case (since I deploy it on wildfly).
>
> What has got me stumped is that this class gets loaded when my war is deployed, and I am wondering how I can do it per request (if the info is not already cached locally).
>
> Maybe with the imminent release of 1.0 (btw congrats for the great work to everyone in the team and for Bill and your leadership), maybe we should start thinking about this multi tenancy use case to be included in future releases.
>
> I believe that SaaS models are going to be popular and having this feature added will make keycloak a major player in this space.
>
> Cheers
> Travis

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com  Thu Sep 4 09:20:54 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 04 Sep 2014 15:20:54 +0200
Subject: [keycloak-user] LiveOak integration with Keycloak
In-Reply-To: <1155100161.42215509.1409643450943.JavaMail.zimbra@redhat.com>
References: <1155100161.42215509.1409643450943.JavaMail.zimbra@redhat.com>
Message-ID: <54086736.1090404@redhat.com>

I've added some "quick and dirty" instructions on how to use a separate Keycloak from your LiveOak: https://github.com/mposolda/mposolda.github.io/blob/master/tmp/Separate-Keycloak.md
I will try to properly document it somewhere later; until then you can use those temporary instructions. You will also need the latest LiveOak master. Let me know if it suits your needs or if you are seeing some issues...

Marek

On 2.9.2014 09:37, Stian Thorgersen wrote:
> To make LiveOak as easy as possible to use we wanted it to work out of the box, so we include a ready bootstrapped Keycloak.
>
> It's quite easy to remove the bootstrap Keycloak server and use your own. Marek is going to upgrade Keycloak in LiveOak soon and he'll add some documentation on how to use an external Keycloak server.
>
> ----- Original Message -----
> > From: "Dean Peterson"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 2 September, 2014 3:50:54 AM
> > Subject: [keycloak-user] LiveOak integration with Keycloak
> >
> > I am wondering about the KeycloakApplication class the LiveOak project seems to be using to extend Keycloak for their framework. I really like what LiveOak is doing but I am not able to understand why they would couple everything to a custom version of Keycloak. I want to have a separate Keycloak server that handles security for whatever applications I have. It seems their decision to include Keycloak in the deployment of LiveOak prevents me from deploying multiple LiveOak domain models on separate servers. Every LiveOak will have its own instance of Keycloak. I am asking here because it seems Stian has had a hand in the creation of LiveOak and I was hoping he might see this and shed some light on the subject. There is little documentation on the KeycloakApplication class. Is that used to easily extend Keycloak and embed it into other frameworks? Doesn't that defeat the purpose of Security As A Service? Any ideas how I might decouple Keycloak from LiveOak?
From traviskds at gmail.com  Thu Sep 4 19:17:29 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Fri, 5 Sep 2014 09:17:29 +1000
Subject: [keycloak-user] Multitenancy for WAR
In-Reply-To: <540865E3.3020401@redhat.com>
References: <540865E3.3020401@redhat.com>

Hi Bill,

Sorry for missing your ping, as this is something that we definitely need. I was going down the keycloak.js path (since we use AngularJS as our UI layer) but doing it on the server side is so much more elegant.

Picking the realm name from the URI is the way to go. Maybe we have it as a query parameter rather than within the path, as then it is less invasive for the war application.

I don't understand the keycloak code base enough to comment on how we can deploy the new AdapterDeploymentContext, but what if this feature is plugged into the current AdapterDeploymentContext and this is a feature of the core product?

Also with regard to getting realm information from the server using a shared client secret, or public clients, another way to do this might be to provide an alternate way to pick the keycloak.json file by storing it outside the war in the file system and then, based on the realm name in the uri, pick the corresponding keycloak.json file and run the KeycloakDeployment. We can name the files as keycloak-{realmname}.json

Note we can keep the current functionality where it can pick it from within the war, but if the file is missing, currently it's throwing an exception. Maybe before we throw the exception, we also check the file system as well.
Then maybe we don't need to load this on request but can have a directory scanner, and whenever a new file is added or removed, it will automatically pick it up. Sort of how the JBoss/Wildfly deployment scanner works. On each request of course it will need to pick the correct realm to perform the authentication.

This might be more elegant, but once again I don't know enough of the core keycloak code to comment if doing this is more complex than the other option.

Obviously these changes will not go into the 1.0 release but a subsequent release (hopefully the first beta release after 1.0 :)

Therefore it might be good to give some thought and get this right. For me this and the multi-lingual are the two key items that we need to tick off to be able to use this in a multi tenancy environment.

Keen to know your thoughts.

Cheers
Travis

On Thu, Sep 4, 2014 at 11:15 PM, Bill Burke wrote:
> Travis, I did do most of the work for this. I think I pinged you to see if you still wanted the feature, but never followed through. I'm sorry.
>
> All this would require a shared client secret, or public clients. It would require you to extract the realm name somehow based on the current HTTP request. Probably a URI pattern.
>
> There is an AdapterDeploymentContext class. This class has a method:
>
>     KeycloakDeployment resolveDeployment(HttpFacade)
>
> This method gets called every request. You would extend this class and override resolveDeployment and create (and then cache) your KeycloakDeployment based on the incoming HTTP request.
>
> The only problem is that the current code has no way for you to plug in a new implementation of the AdapterDeploymentContext.
>
> On 9/4/2014 2:36 AM, Travis De Silva wrote:
> > Hi Stian,
> >
> > Your proposed solution would not cover the use case where we can create tenants at runtime, as the realm config in the keycloak.json would be hard coded into the war.
> >
> > I had discussed this identical use case a while ago on this forum and Bill was planning to refactor the adapters to support this use case. Unfortunately he got caught up in other tasks and was not able to proceed on this.
> >
> > The discussion thread is here: http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html
> >
> > Basically what I believe Bill suggested which would meet this use case is to:
> >
> > 1. Have a shared secret between clients for all realms.
> > 2. The adapter would just extract the realm name from the request, invoke on the keycloak server to get the public information about the realm (i.e. public key) and then cache the information locally.
> >
> > The key bit here is extracting the realm name from the request and then pulling the realm info from the keycloak server.
> >
> > I had a look at the keycloak source code and I believe the magic happens in the KeycloakServletExtension class under the org.keycloak.adapters.undertow package for my use case (since I deploy it on wildfly).
> >
> > What has got me stumped is that this class gets loaded when my war is deployed, and I am wondering how I can do it per request (if the info is not already cached locally).
> >
> > Maybe with the imminent release of 1.0 (btw congrats for the great work to everyone in the team and for Bill and your leadership), maybe we should start thinking about this multi tenancy use case to be included in future releases.
> >
> > I believe that SaaS models are going to be popular and having this feature added will make keycloak a major player in this space.
> >
> > Cheers
> > Travis
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From bburke at redhat.com  Fri Sep 5 10:14:08 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 05 Sep 2014 10:14:08 -0400
Subject: [keycloak-user] Multitenancy for WAR
References: <540865E3.3020401@redhat.com>
Message-ID: <5409C530.7020604@redhat.com>

I think it would be 1 day of work for me, as again, I already refactored the adapters to support this use case. It would just be a matter of:

* Making AdapterDeploymentContext pluggable
* Writing an AdapterDeploymentContext which could accept a URI pattern to extract the name of the realm.

Once I have that in place, you guys can fork it and implement anything you want. What I think I want to do is keep this SPI private until users like you have test-driven it.

On 9/4/2014 7:17 PM, Travis De Silva wrote:
> Hi Bill,
>
> Sorry for missing your ping, as this is something that we definitely need. I was going down the keycloak.js path (since we use AngularJS as our UI layer) but doing it on the server side is so much more elegant.
>
> Picking the realm name from the URI is the way to go. Maybe we have it as a query parameter rather than within the path, as then it is less invasive for the war application.
>
> I don't understand the keycloak code base enough to comment on how we can deploy the new AdapterDeploymentContext, but what if this feature is plugged into the current AdapterDeploymentContext and this is a feature of the core product?
>
> Also with regard to getting realm information from the server using a shared client secret, or public clients, another way to do this might be to provide an alternate way to pick the keycloak.json file by storing it outside the war in the file system and then, based on the realm name in the uri, pick the corresponding keycloak.json file and run the KeycloakDeployment. We can name the files as keycloak-{realmname}.json
>
> Note we can keep the current functionality where it can pick it from within the war, but if the file is missing, currently it's throwing an exception. Maybe before we throw the exception, we also check the file system as well.
>
> Then maybe we don't need to load this on request but can have a directory scanner, and whenever a new file is added or removed, it will automatically pick it up. Sort of how the JBoss/Wildfly deployment scanner works. On each request of course it will need to pick the correct realm to perform the authentication.
>
> This might be more elegant, but once again I don't know enough of the core keycloak code to comment if doing this is more complex than the other option.
>
> Obviously these changes will not go into the 1.0 release but a subsequent release (hopefully the first beta release after 1.0 :)
>
> Therefore it might be good to give some thought and get this right. For me this and the multi-lingual are the two key items that we need to tick off to be able to use this in a multi tenancy environment.
>
> Keen to know your thoughts.
>
> Cheers
> Travis
>
> On Thu, Sep 4, 2014 at 11:15 PM, Bill Burke wrote:
>
> > Travis, I did do most of the work for this.
> > I think I pinged you to see if you still wanted the feature, but never followed through. I'm sorry.
> >
> > All this would require a shared client secret, or public clients. It would require you to extract the realm name somehow based on the current HTTP request. Probably a URI pattern.
> >
> > There is an AdapterDeploymentContext class. This class has a method:
> >
> >     KeycloakDeployment resolveDeployment(HttpFacade)
> >
> > This method gets called every request. You would extend this class and override resolveDeployment and create (and then cache) your KeycloakDeployment based on the incoming HTTP request.
> >
> > The only problem is that the current code has no way for you to plug in a new implementation of the AdapterDeploymentContext.
> >
> > On 9/4/2014 2:36 AM, Travis De Silva wrote:
> > > Hi Stian,
> > >
> > > Your proposed solution would not cover the use case where we can create tenants at runtime, as the realm config in the keycloak.json would be hard coded into the war.
> > >
> > > I had discussed this identical use case a while ago on this forum and Bill was planning to refactor the adapters to support this use case. Unfortunately he got caught up in other tasks and was not able to proceed on this.
> > >
> > > The discussion thread is here: http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html
> > >
> > > Basically what I believe Bill suggested which would meet this use case is to:
> > >
> > > 1. Have a shared secret between clients for all realms.
> > > 2. The adapter would just extract the realm name from the request, invoke on the keycloak server to get the public information about the realm (i.e. public key) and then cache the information locally.
> > >
> > > The key bit here is extracting the realm name from the request and then pulling the realm info from the keycloak server.
> > >
> > > I had a look at the keycloak source code and I believe the magic happens in the KeycloakServletExtension class under the org.keycloak.adapters.undertow package for my use case (since I deploy it on wildfly).
> > >
> > > What has got me stumped is that this class gets loaded when my war is deployed, and I am wondering how I can do it per request (if the info is not already cached locally).
> > >
> > > Maybe with the imminent release of 1.0 (btw congrats for the great work to everyone in the team and for Bill and your leadership), maybe we should start thinking about this multi tenancy use case to be included in future releases.
> > >
> > > I believe that SaaS models are going to be popular and having this feature added will make keycloak a major player in this space.
> > >
> > > Cheers
> > > Travis
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From redsamh at gmail.com  Fri Sep 5 10:58:29 2014
From: redsamh at gmail.com (Red Samh)
Date: Fri, 5 Sep 2014 10:58:29 -0400
Subject: [keycloak-user] REST -> Backend App

Hello,

We have an application that is protected using Keycloak and a user can access this application through a web front. After login the user can use the functionality of the application. The application is also exposed through REST APIs and is protected via keycloak as part of the application and accessible only after login into the main application.
We have a (Step 1) Javascript application (retrieving data from) -> (Step 2) Business Application exposed as REST API (REST API has to make calls to backend Application mentioned above) -> (Step 3) BackEnd Application Server + REST API. Directly accessing the BackEnd Application Server works fine but when we need to call the REST API from another REST service which is authenticated via Keycloak we have issues. We used the existing sample to try and do a POC but not sure what is the best approach to solve this issue. The part from (Step 1) to (Step 2) works and the REST API is protected using BEARER token. The (Step 2) to (Step 3) is a problem as in (Step 2) we only have the BEARER token and the BackEnd Application is protected using the full keycloak configuration. So The BackEnd Application service is not authenticating by sending in only the BEARER token in the header which is a full keycloak installation (work as only a web service). Thanks Sam -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/f258e089/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: keycloak-issue.png Type: image/png Size: 40822 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/f258e089/attachment-0001.png From bburke at redhat.com Fri Sep 5 11:42:19 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 05 Sep 2014 11:42:19 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: References: Message-ID: <5409D9DB.9000601@redhat.com> Should work. You'll have to actually describe what your problem is or I can't help you. I'll take a guess though: Keycloak doesn't propagate the Authorization bearer token header automatically when you have multiple REST "hops" between multiple servers You'll have to obtain the access token and set up the HTTP header manually. 
The demo customer-portal example in the distro does exactly this, so take a look at that for more details. On 9/5/2014 10:58 AM, Red Samh wrote: > Hello, > > We have an application that is protected using Keycloak and a user can > access this application through a web front. After login the user can > use the functionality of the application. The application is also > exposed through REST API's and is protected via keycloak as part of the > application and accessible only after login into the main application. > > We have a > > (Step 1) Javascript application (retrieving data from) -> > > (Step 2) Business Application exposed as REST API (REST API has to make > calls to backend Application mentioned above) -> > > (Step 3) BackEnd Application Server + REST API. > > Directly accessing the BackEnd Application Server works fine but when we > need to call the REST API from another REST service which is > authenticated via Keycloak we have issues. > > We used the existing sample to try and do a POC but not sure what is the > best approach to solve this issue. The part from (Step 1) to (Step 2) > works and the REST API is protected using BEARER token. The (Step 2) to > (Step 3) is a problem as in (Step 2) we only have the BEARER token and > the BackEnd Application is protected using the full keycloak > configuration. So The BackEnd Application service is not authenticating > by sending in only the BEARER token in the header which is a full > keycloak installation (work as only a web service). 
> > Thanks > Sam > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From redsamh at gmail.com Fri Sep 5 11:49:14 2014 From: redsamh at gmail.com (Red Samh) Date: Fri, 5 Sep 2014 11:49:14 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: <5409D9DB.9000601@redhat.com> References: <5409D9DB.9000601@redhat.com> Message-ID: Bill, Thanks for the reply. Yes it works when I have to call REST to another REST service and any number of hops. The problem is calling a full fledged application from a REST service that I have the issue. When it is an application that is both Web App + REST and I add the authorization header (bearer) I get an unauthorized 401 (blackbox in the attachment). Thanks Sam On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke wrote: > Should work. You'll have to actually describe what your problem is or I > can't help you. I'll take a guess though: > > Keycloak doesn't propagate the Authorization bearer token header > automatically when you have multiple REST "hops" between multiple > servers You'll have to obtain the access token and set up the HTTP > header manually. The demo customer-portal example in the distro does > exactly this, so take a look at that for more details. > > On 9/5/2014 10:58 AM, Red Samh wrote: > > Hello, > > > > We have an application that is protected using Keycloak and a user can > > access this application through a web front. After login the user can > > use the functionality of the application. The application is also > > exposed through REST API's and is protected via keycloak as part of the > > application and accessible only after login into the main application. 
> > > > We have a > > > > (Step 1) Javascript application (retrieving data from) -> > > > > (Step 2) Business Application exposed as REST API (REST API has to make > > calls to backend Application mentioned above) -> > > > > (Step 3) BackEnd Application Server + REST API. > > > > Directly accessing the BackEnd Application Server works fine but when we > > need to call the REST API from another REST service which is > > authenticated via Keycloak we have issues. > > > > We used the existing sample to try and do a POC but not sure what is the > > best approach to solve this issue. The part from (Step 1) to (Step 2) > > works and the REST API is protected using BEARER token. The (Step 2) to > > (Step 3) is a problem as in (Step 2) we only have the BEARER token and > > the BackEnd Application is protected using the full keycloak > > configuration. So The BackEnd Application service is not authenticating > > by sending in only the BEARER token in the header which is a full > > keycloak installation (work as only a web service). > > > > Thanks > > Sam > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/6a9ffd7d/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: keycloak-issue.png Type: image/png Size: 40822 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/6a9ffd7d/attachment-0001.png From bburke at redhat.com Fri Sep 5 11:51:33 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 05 Sep 2014 11:51:33 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: References: <5409D9DB.9000601@redhat.com> Message-ID: <5409DC05.8080104@redhat.com> Wildfly or JBoss EAP 6.x or JBoss AS 7.1? On 9/5/2014 11:49 AM, Red Samh wrote: > Bill, > > Thanks for the reply. > > Yes it works when I have to call REST to another REST service and any > number of hops. The problem is calling a full fledged application from > a REST service that I have the issue. When it is an application that is > both Web App + REST and I add the authorization header (bearer) I get an > unauthorized 401 (blackbox in the attachment). > > Thanks > Sam > > > On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke > wrote: > > Should work. You'll have to actually describe what your problem is or I > can't help you. I'll take a guess though: > > Keycloak doesn't propagate the Authorization bearer token header > automatically when you have multiple REST "hops" between multiple > servers You'll have to obtain the access token and set up the HTTP > header manually. The demo customer-portal example in the distro does > exactly this, so take a look at that for more details. > > On 9/5/2014 10:58 AM, Red Samh wrote: > > Hello, > > > > We have an application that is protected using Keycloak and a > user can > > access this application through a web front. After login the user can > > use the functionality of the application. The application is also > > exposed through REST API's and is protected via keycloak as part > of the > > application and accessible only after login into the main > application. 
> > > > We have a > > > > (Step 1) Javascript application (retrieving data from) -> > > > > (Step 2) Business Application exposed as REST API (REST API has > to make > > calls to backend Application mentioned above) -> > > > > (Step 3) BackEnd Application Server + REST API. > > > > Directly accessing the BackEnd Application Server works fine but > when we > > need to call the REST API from another REST service which is > > authenticated via Keycloak we have issues. > > > > We used the existing sample to try and do a POC but not sure what > is the > > best approach to solve this issue. The part from (Step 1) to (Step 2) > > works and the REST API is protected using BEARER token. The (Step > 2) to > > (Step 3) is a problem as in (Step 2) we only have the BEARER > token and > > the BackEnd Application is protected using the full keycloak > > configuration. So The BackEnd Application service is not > authenticating > > by sending in only the BEARER token in the header which is a full > > keycloak installation (work as only a web service). > > > > Thanks > > Sam > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From alarik at zwift.com Fri Sep 5 11:57:41 2014 From: alarik at zwift.com (Alarik Myrin) Date: Fri, 5 Sep 2014 11:57:41 -0400 Subject: [keycloak-user] SessionContext Message-ID: Is it possible (or can it be possible in the future) to get the KeycloakSecurityContext out of javax.ejb.SessionContext? 
I am using Wildfly with the Wildfly adapter, and the only way I could figure out how to get it (based on the example code) is from the HttpServletRequest. It would be cool if it made its way into the SessionContext somehow... Alarik -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/5a56ac18/attachment.html From redsamh at gmail.com Fri Sep 5 11:59:35 2014 From: redsamh at gmail.com (Red Samh) Date: Fri, 5 Sep 2014 11:59:35 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: <5409DC05.8080104@redhat.com> References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> Message-ID: Eap 6.x, it would be nice if i could generalize to any war deployed to to tomcat or jetty. Thanks Sam On Sep 5, 2014 11:51 AM, "Bill Burke" wrote: > Wildfly or JBoss EAP 6.x or JBoss AS 7.1? > > > On 9/5/2014 11:49 AM, Red Samh wrote: > >> Bill, >> >> Thanks for the reply. >> >> Yes it works when I have to call REST to another REST service and any >> number of hops. The problem is calling a full fledged application from >> a REST service that I have the issue. When it is an application that is >> both Web App + REST and I add the authorization header (bearer) I get an >> unauthorized 401 (blackbox in the attachment). >> >> Thanks >> Sam >> >> >> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke > > wrote: >> >> Should work. You'll have to actually describe what your problem is >> or I >> can't help you. I'll take a guess though: >> >> Keycloak doesn't propagate the Authorization bearer token header >> automatically when you have multiple REST "hops" between multiple >> servers You'll have to obtain the access token and set up the HTTP >> header manually. The demo customer-portal example in the distro does >> exactly this, so take a look at that for more details. 
>> >> On 9/5/2014 10:58 AM, Red Samh wrote: >> > Hello, >> > >> > We have an application that is protected using Keycloak and a >> user can >> > access this application through a web front. After login the user >> can >> > use the functionality of the application. The application is also >> > exposed through REST API's and is protected via keycloak as part >> of the >> > application and accessible only after login into the main >> application. >> > >> > We have a >> > >> > (Step 1) Javascript application (retrieving data from) -> >> > >> > (Step 2) Business Application exposed as REST API (REST API has >> to make >> > calls to backend Application mentioned above) -> >> > >> > (Step 3) BackEnd Application Server + REST API. >> > >> > Directly accessing the BackEnd Application Server works fine but >> when we >> > need to call the REST API from another REST service which is >> > authenticated via Keycloak we have issues. >> > >> > We used the existing sample to try and do a POC but not sure what >> is the >> > best approach to solve this issue. The part from (Step 1) to (Step >> 2) >> > works and the REST API is protected using BEARER token. The (Step >> 2) to >> > (Step 3) is a problem as in (Step 2) we only have the BEARER >> token and >> > the BackEnd Application is protected using the full keycloak >> > configuration. So The BackEnd Application service is not >> authenticating >> > by sending in only the BEARER token in the header which is a full >> > keycloak installation (work as only a web service). 
>> > >> > Thanks >> > Sam >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org > jboss.org> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/d7aba5fe/attachment.html From bburke at redhat.com Fri Sep 5 13:19:09 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 05 Sep 2014 13:19:09 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> Message-ID: <5409F08D.2060502@redhat.com> A pure servlet filter is on the roadmap, but it wouldn't be as seemlessly integrated. I'll take a look at your problem. On 9/5/2014 11:59 AM, Red Samh wrote: > > Eap 6.x, it would be nice if i could generalize to any war deployed to > to tomcat or jetty. > > Thanks > Sam > > On Sep 5, 2014 11:51 AM, "Bill Burke" > wrote: > > Wildfly or JBoss EAP 6.x or JBoss AS 7.1? > > > On 9/5/2014 11:49 AM, Red Samh wrote: > > Bill, > > Thanks for the reply. > > Yes it works when I have to call REST to another REST service > and any > number of hops. The problem is calling a full fledged > application from > a REST service that I have the issue. When it is an application > that is > both Web App + REST and I add the authorization header (bearer) > I get an > unauthorized 401 (blackbox in the attachment). > > Thanks > Sam > > > On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke > >> wrote: > > Should work. 
You'll have to actually describe what your > problem is or I > can't help you. I'll take a guess though: > > Keycloak doesn't propagate the Authorization bearer token > header > automatically when you have multiple REST "hops" between > multiple > servers You'll have to obtain the access token and set up > the HTTP > header manually. The demo customer-portal example in the > distro does > exactly this, so take a look at that for more details. > > On 9/5/2014 10:58 AM, Red Samh wrote: > > Hello, > > > > We have an application that is protected using Keycloak > and a > user can > > access this application through a web front. After login > the user can > > use the functionality of the application. The > application is also > > exposed through REST API's and is protected via keycloak > as part > of the > > application and accessible only after login into the main > application. > > > > We have a > > > > (Step 1) Javascript application (retrieving data from) -> > > > > (Step 2) Business Application exposed as REST API (REST > API has > to make > > calls to backend Application mentioned above) -> > > > > (Step 3) BackEnd Application Server + REST API. > > > > Directly accessing the BackEnd Application Server works > fine but > when we > > need to call the REST API from another REST service which is > > authenticated via Keycloak we have issues. > > > > We used the existing sample to try and do a POC but not > sure what > is the > > best approach to solve this issue. The part from (Step > 1) to (Step 2) > > works and the REST API is protected using BEARER token. > The (Step > 2) to > > (Step 3) is a problem as in (Step 2) we only have the BEARER > token and > > the BackEnd Application is protected using the full keycloak > > configuration. So The BackEnd Application service is not > authenticating > > by sending in only the BEARER token in the header which > is a full > > keycloak installation (work as only a web service). 
> > > > Thanks > > Sam > > > > > > _________________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/__mailman/listinfo/keycloak-user > > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _________________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/__mailman/listinfo/keycloak-user > > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From redsamh at gmail.com Fri Sep 5 13:31:51 2014 From: redsamh at gmail.com (Red Samh) Date: Fri, 5 Sep 2014 13:31:51 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: <5409F08D.2060502@redhat.com> References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> <5409F08D.2060502@redhat.com> Message-ID: Thanks Bill, much appreciated. Is there something I can do in the interim even if it is a hack?. I was looking at adapter code or even something I can hardcode in the rest service to pull out the user information and make the call to the back end application? Thanks Sam On Sep 5, 2014 1:19 PM, "Bill Burke" wrote: > A pure servlet filter is on the roadmap, but it wouldn't be as seemlessly > integrated. I'll take a look at your problem. > > On 9/5/2014 11:59 AM, Red Samh wrote: > >> >> Eap 6.x, it would be nice if i could generalize to any war deployed to >> to tomcat or jetty. >> >> Thanks >> Sam >> >> On Sep 5, 2014 11:51 AM, "Bill Burke" > > wrote: >> >> Wildfly or JBoss EAP 6.x or JBoss AS 7.1? >> >> >> On 9/5/2014 11:49 AM, Red Samh wrote: >> >> Bill, >> >> Thanks for the reply. >> >> Yes it works when I have to call REST to another REST service >> and any >> number of hops. The problem is calling a full fledged >> application from >> a REST service that I have the issue. 
When it is an application >> that is >> both Web App + REST and I add the authorization header (bearer) >> I get an >> unauthorized 401 (blackbox in the attachment). >> >> Thanks >> Sam >> >> >> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke > >> >> wrote: >> >> Should work. You'll have to actually describe what your >> problem is or I >> can't help you. I'll take a guess though: >> >> Keycloak doesn't propagate the Authorization bearer token >> header >> automatically when you have multiple REST "hops" between >> multiple >> servers You'll have to obtain the access token and set up >> the HTTP >> header manually. The demo customer-portal example in the >> distro does >> exactly this, so take a look at that for more details. >> >> On 9/5/2014 10:58 AM, Red Samh wrote: >> > Hello, >> > >> > We have an application that is protected using Keycloak >> and a >> user can >> > access this application through a web front. After login >> the user can >> > use the functionality of the application. The >> application is also >> > exposed through REST API's and is protected via keycloak >> as part >> of the >> > application and accessible only after login into the main >> application. >> > >> > We have a >> > >> > (Step 1) Javascript application (retrieving data from) -> >> > >> > (Step 2) Business Application exposed as REST API (REST >> API has >> to make >> > calls to backend Application mentioned above) -> >> > >> > (Step 3) BackEnd Application Server + REST API. >> > >> > Directly accessing the BackEnd Application Server works >> fine but >> when we >> > need to call the REST API from another REST service which >> is >> > authenticated via Keycloak we have issues. >> > >> > We used the existing sample to try and do a POC but not >> sure what >> is the >> > best approach to solve this issue. The part from (Step >> 1) to (Step 2) >> > works and the REST API is protected using BEARER token. 
>> The (Step >> 2) to >> > (Step 3) is a problem as in (Step 2) we only have the >> BEARER >> token and >> > the BackEnd Application is protected using the full >> keycloak >> > configuration. So The BackEnd Application service is not >> authenticating >> > by sending in only the BEARER token in the header which >> is a full >> > keycloak installation (work as only a web service). >> > >> > Thanks >> > Sam >> > >> > >> > _________________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> >> > > >> > https://lists.jboss.org/__mailman/listinfo/keycloak-user >> >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _________________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> > > >> https://lists.jboss.org/__mailman/listinfo/keycloak-user >> >> >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/455b2bac/attachment-0001.html From bburke at redhat.com Fri Sep 5 14:41:38 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 05 Sep 2014 14:41:38 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> <5409F08D.2060502@redhat.com> Message-ID: <540A03E2.6060905@redhat.com> You're going to have to elaborate on your problem as I was unable to reproduce it. I took examples/preconfigured-demo/customer-app and added the database/ projects Java files to it. I was able to deploy this application and do both web and bearer auth from the same war. Are you using latest Keycloak? 1.0-rc2? On 9/5/2014 1:31 PM, Red Samh wrote: > > Thanks Bill, much appreciated. 
Is there something I can do in the > interim even if it is a hack?. I was looking at adapter code or even > something I can hardcode in the rest service to pull out the user > information and make the call to the back end application? > > Thanks > Sam > > On Sep 5, 2014 1:19 PM, "Bill Burke" > wrote: > > A pure servlet filter is on the roadmap, but it wouldn't be as > seemlessly integrated. I'll take a look at your problem. > > On 9/5/2014 11:59 AM, Red Samh wrote: > > > Eap 6.x, it would be nice if i could generalize to any war > deployed to > to tomcat or jetty. > > Thanks > Sam > > On Sep 5, 2014 11:51 AM, "Bill Burke" > >> wrote: > > Wildfly or JBoss EAP 6.x or JBoss AS 7.1? > > > On 9/5/2014 11:49 AM, Red Samh wrote: > > Bill, > > Thanks for the reply. > > Yes it works when I have to call REST to another REST > service > and any > number of hops. The problem is calling a full fledged > application from > a REST service that I have the issue. When it is an > application > that is > both Web App + REST and I add the authorization header > (bearer) > I get an > unauthorized 401 (blackbox in the attachment). > > Thanks > Sam > > > On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke > > > > > >>> wrote: > > Should work. You'll have to actually describe > what your > problem is or I > can't help you. I'll take a guess though: > > Keycloak doesn't propagate the Authorization > bearer token > header > automatically when you have multiple REST "hops" > between > multiple > servers You'll have to obtain the access token > and set up > the HTTP > header manually. The demo customer-portal example > in the > distro does > exactly this, so take a look at that for more details. > > On 9/5/2014 10:58 AM, Red Samh wrote: > > Hello, > > > > We have an application that is protected using > Keycloak > and a > user can > > access this application through a web front. > After login > the user can > > use the functionality of the application. 
The > application is also > > exposed through REST API's and is protected via > keycloak > as part > of the > > application and accessible only after login > into the main > application. > > > > We have a > > > > (Step 1) Javascript application (retrieving > data from) -> > > > > (Step 2) Business Application exposed as REST > API (REST > API has > to make > > calls to backend Application mentioned above) -> > > > > (Step 3) BackEnd Application Server + REST API. > > > > Directly accessing the BackEnd Application > Server works > fine but > when we > > need to call the REST API from another REST > service which is > > authenticated via Keycloak we have issues. > > > > We used the existing sample to try and do a POC > but not > sure what > is the > > best approach to solve this issue. The part > from (Step > 1) to (Step 2) > > works and the REST API is protected using > BEARER token. > The (Step > 2) to > > (Step 3) is a problem as in (Step 2) we only > have the BEARER > token and > > the BackEnd Application is protected using the > full keycloak > > configuration. So The BackEnd Application > service is not > authenticating > > by sending in only the BEARER token in the > header which > is a full > > keycloak installation (work as only a web service). 
> > > > Thanks > > Sam > > > > > > ___________________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > > ____jboss.org > >> > > > https://lists.jboss.org/____mailman/listinfo/keycloak-user > > > __> > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > ___________________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > > ____jboss.org > >> > https://lists.jboss.org/____mailman/listinfo/keycloak-user > > > __> > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From redsamh at gmail.com Fri Sep 5 15:13:53 2014 From: redsamh at gmail.com (Red Samh) Date: Fri, 5 Sep 2014 15:13:53 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: <540A03E2.6060905@redhat.com> References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> <5409F08D.2060502@redhat.com> <540A03E2.6060905@redhat.com> Message-ID: Bill, I am able to get the example to work and it is fine if I am calling REST service to any other REST service (any number of hops). Does it work if you try to access another web application (just submit a form, access content or anything) that is authenticated by Keycloak or Are you able to make a call from the REST Service to a web application that is configured with Keycloak? See attached explanation. Thanks Sam On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke wrote: > You're going to have to elaborate on your problem as I was unable to > reproduce it. > > I took examples/preconfigured-demo/customer-app and added the database/ > projects Java files to it. I was able to deploy this application and do > both web and bearer auth from the same war. > > Are you using latest Keycloak? 1.0-rc2? 
> > On 9/5/2014 1:31 PM, Red Samh wrote: > >> >> Thanks Bill, much appreciated. Is there something I can do in the >> interim even if it is a hack?. I was looking at adapter code or even >> something I can hardcode in the rest service to pull out the user >> information and make the call to the back end application? >> >> Thanks >> Sam >> >> On Sep 5, 2014 1:19 PM, "Bill Burke" > > wrote: >> >> A pure servlet filter is on the roadmap, but it wouldn't be as >> seemlessly integrated. I'll take a look at your problem. >> >> On 9/5/2014 11:59 AM, Red Samh wrote: >> >> >> Eap 6.x, it would be nice if i could generalize to any war >> deployed to >> to tomcat or jetty. >> >> Thanks >> Sam >> >> On Sep 5, 2014 11:51 AM, "Bill Burke" > >> >> wrote: >> >> Wildfly or JBoss EAP 6.x or JBoss AS 7.1? >> >> >> On 9/5/2014 11:49 AM, Red Samh wrote: >> >> Bill, >> >> Thanks for the reply. >> >> Yes it works when I have to call REST to another REST >> service >> and any >> number of hops. The problem is calling a full fledged >> application from >> a REST service that I have the issue. When it is an >> application >> that is >> both Web App + REST and I add the authorization header >> (bearer) >> I get an >> unauthorized 401 (blackbox in the attachment). >> >> Thanks >> Sam >> >> >> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke >> >> > >> >> >>> wrote: >> >> Should work. You'll have to actually describe >> what your >> problem is or I >> can't help you. I'll take a guess though: >> >> Keycloak doesn't propagate the Authorization >> bearer token >> header >> automatically when you have multiple REST "hops" >> between >> multiple >> servers You'll have to obtain the access token >> and set up >> the HTTP >> header manually. The demo customer-portal example >> in the >> distro does >> exactly this, so take a look at that for more >> details. 
>> >> On 9/5/2014 10:58 AM, Red Samh wrote: >> > Hello, >> > >> > We have an application that is protected using >> Keycloak >> and a >> user can >> > access this application through a web front. >> After login >> the user can >> > use the functionality of the application. The >> application is also >> > exposed through REST API's and is protected via >> keycloak >> as part >> of the >> > application and accessible only after login >> into the main >> application. >> > >> > We have a >> > >> > (Step 1) Javascript application (retrieving >> data from) -> >> > >> > (Step 2) Business Application exposed as REST >> API (REST >> API has >> to make >> > calls to backend Application mentioned above) -> >> > >> > (Step 3) BackEnd Application Server + REST API. >> > >> > Directly accessing the BackEnd Application >> Server works >> fine but >> when we >> > need to call the REST API from another REST >> service which is >> > authenticated via Keycloak we have issues. >> > >> > We used the existing sample to try and do a POC >> but not >> sure what >> is the >> > best approach to solve this issue. The part >> from (Step >> 1) to (Step 2) >> > works and the REST API is protected using >> BEARER token. >> The (Step >> 2) to >> > (Step 3) is a problem as in (Step 2) we only >> have the BEARER >> token and >> > the BackEnd Application is protected using the >> full keycloak >> > configuration. So The BackEnd Application >> service is not >> authenticating >> > by sending in only the BEARER token in the >> header which >> is a full >> > keycloak installation (work as only a web >> service). 
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Sam
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/13f18ccc/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak-issue-details.png
Type: image/png
Size: 64256 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/13f18ccc/attachment-0001.png

From redsamh at gmail.com Fri Sep 5 15:23:49 2014
From: redsamh at gmail.com (Red Samh)
Date: Fri, 5 Sep 2014 15:23:49 -0400
Subject: [keycloak-user] REST -> Backend App
In-Reply-To:
References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> <5409F08D.2060502@redhat.com> <540A03E2.6060905@redhat.com>
Message-ID:

Bill,

I have rc1 and not rc2, let me check if it works in the newer version.
It may be the version.

Thanks
Sam

On Fri, Sep 5, 2014 at 3:13 PM, Red Samh wrote:

> Bill,
>
> I am able to get the example to work and it is fine if I am calling REST
> service to any other REST service (any number of hops).
> Does it work if you try to access another web application (just submit
> a form, access content or anything) that is authenticated by Keycloak,
> or are you able to make a call from the REST Service to a web
> application that is configured with Keycloak?
>
> See attached explanation.
>
> Thanks
> Sam
>
> On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke wrote:
>
>> You're going to have to elaborate on your problem as I was unable to
>> reproduce it.
>>
>> I took examples/preconfigured-demo/customer-app and added the database/
>> projects Java files to it. I was able to deploy this application and do
>> both web and bearer auth from the same war.
>>
>> Are you using latest Keycloak? 1.0-rc2?
-------------- next part --------------
An HTML attachment was scrubbed...
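Bill's advice in this thread, obtain the caller's access token and set the Authorization header on the second hop yourself, as an added example; this is not code from the thread or from the customer-portal demo. It assumes the servlet adapter exposes KeycloakSecurityContext as a request attribute stored under its class name; the BearerPropagation class and the downstream URL are hypothetical.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;

/**
 * Hypothetical helper for the "REST hop" case in the thread: the first REST
 * service is called with a bearer token, and must put that same token on its
 * own outgoing call, because the adapter does not propagate the header for it.
 */
public final class BearerPropagation {

    private BearerPropagation() {
    }

    /**
     * Returns the caller's raw access token, or null when the request was not
     * authenticated through the Keycloak adapter or the token has already expired.
     */
    public static String callerTokenString(HttpServletRequest request) {
        // Assumption: the adapter stores the security context under its class name.
        Object attr = request.getAttribute(KeycloakSecurityContext.class.getName());
        if (!(attr instanceof KeycloakSecurityContext)) {
            return null;
        }
        KeycloakSecurityContext ctx = (KeycloakSecurityContext) attr;
        if (ctx.getToken() == null || ctx.getToken().isExpired()) {
            // An expired token would only earn a 401 downstream; fail early instead.
            return null;
        }
        return ctx.getTokenString();
    }

    /**
     * GETs the downstream resource with the caller's token as a bearer credential
     * and returns the HTTP status. A 401 here is the symptom discussed in the thread:
     * the downstream deployment accepts browser login but is not set up for bearer auth.
     */
    public static int forwardGet(HttpServletRequest inbound, String downstreamUrl,
                                 boolean allowPlainHttp) throws IOException {
        String token = callerTokenString(inbound);
        if (token == null) {
            throw new IllegalStateException("no valid caller token to propagate");
        }
        URL url = new URL(downstreamUrl);
        // A bearer token is a credential for whoever holds it: send it over TLS unless
        // the caller explicitly opts into plain HTTP for a local demo setup.
        if (!allowPlainHttp && !"https".equals(url.getProtocol())) {
            throw new IllegalArgumentException(
                "refusing to send a bearer token over " + url.getProtocol());
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try {
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Bearer " + token);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```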
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/ce55fd22/attachment-0001.html

From bburke at redhat.com Fri Sep 5 15:35:17 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 05 Sep 2014 15:35:17 -0400
Subject: [keycloak-user] REST -> Backend App
In-Reply-To:
References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> <5409F08D.2060502@redhat.com> <540A03E2.6060905@redhat.com>
Message-ID: <540A1075.1050503@redhat.com>

I doubt the version is the problem.

On 9/5/2014 3:23 PM, Red Samh wrote:
> Bill,
>
> I have rc1 and not rc2, let me check if it works in the newer version.
> It may be the version.
>
> Thanks
> Sam

From traviskds at gmail.com Fri Sep 5 18:24:04 2014
From: traviskds at gmail.com (Travis De Silva)
Date: Sat, 6 Sep 2014 08:24:04 +1000
Subject: [keycloak-user] Multitenancy for WAR
In-Reply-To: <5409C530.7020604@redhat.com>
References: <540865E3.3020401@redhat.com> <5409C530.7020604@redhat.com>
Message-ID:

sounds good. let me know once it's done.

On Sat, Sep 6, 2014 at 12:14 AM, Bill Burke wrote:

> I think it would be 1 day work for me, as again, I already refactored the
> adapters to support this use case. It would just be a matter of:
>
> * Making AdapterDeploymentContext pluggable
> * Writing an AdapterDeploymentContext which could accept a URI pattern to
>   extract the name of the realm.
>
> Once I have that in place, you guys can fork it and implement anything you
> want. What I think I want to do is keep this SPI private until users like
> you have test-driven it.
>
> On 9/4/2014 7:17 PM, Travis De Silva wrote:
>
>> Hi Bill,
>>
>> Sorry for missing your ping as this is something that we definitely
>> need. I was going down the keycloak.js path (since we use AngularJS as
>> our UI layer) but doing it on the server side is so much more elegant.
>>
>> Picking the realm name from the URI is the way to go. Maybe we have it
>> as a query parameter rather than within the path as then it is less
>> invasive for the war application.
>>
>> I don't understand the keycloak code base enough to comment on how we
>> can deploy the new AdapterDeploymentContext but what if this feature is
>> plugged into the current AdapterDeploymentContext and this is a feature
>> of the core product?
>>
>> Also with regard to getting realm information from the server using a
>> shared client secret, or public clients, another way to do this might be
>> to provide an alternate way to pick the keycloak.json file by storing it
>> outside the war in the file system and then based on the realm name in
>> the uri, pick the corresponding keycloak.json file and run the
>> KeycloakDeployment. We can name the files as keycloak-{realmname}.json
>>
>> Note we can keep the current functionality where it can pick it from
>> within the war but if the file is missing, currently it's throwing an
>> exception. Maybe before we throw the exception, we also check the file
>> system as well.
>>
>> Then maybe we don't need to load this on request but can have a
>> directory scanner and whenever a new file is added or removed, it will
>> automatically pick it up. Sort of how the JBoss/Wildfly deployment
>> scanner works. On each request of course it will need to pick the
>> correct realm to perform the authentication.
>>
>> This might be more elegant but once again I don't know enough of the
>> core keycloak code to comment if doing this is more complex than the
>> other option.
>>
>> Obviously these changes will not go into 1.0 release but a subsequent
>> release (hopefully the first beta release after 1.0 :)
>>
>> Therefore it might be good to give some thought and get this right. For
>> me this and the multi-lingual are the two key items that we need to tick
>> off to be able to use this in a multi tenancy environment.
>>
>> Keen to know your thoughts.
>>
>> Cheers
>> Travis
>>
>> On Thu, Sep 4, 2014 at 11:15 PM, Bill Burke wrote:
>>
>>> Travis, I did do most of the work for this. I think I pinged you to see
>>> if you still wanted the feature, but never followed through. I'm sorry.
>>>
>>> All this would require a shared client secret, or public clients. It
>>> would require you to extract the realm name somehow based on the current
>>> HTTP request. Probably a URI pattern.
>>>
>>> There is an AdapterDeploymentContext class. This class has a method:
>>>
>>> KeycloakDeployment resolveDeployment(HttpFacade)
>>>
>>> This method gets called every request. You would extend this class and
>>> override resolveDeployment and create (and then cache) your
>>> KeycloakDeployment based on the incoming HTTP request.
>>>
>>> The only problem is that the current code has no way for you to plug in
>>> a new implementation of the AdapterDeploymentContext.
>>>
>>> On 9/4/2014 2:36 AM, Travis De Silva wrote:
>>>> Hi Stian,
>>>>
>>>> Your proposed solution would not cover the use case where we can create
>>>> tenants at runtime as the realm config in the keycloak.json would be
>>>> hard coded into the war.
>>>>
>>>> I had discussed this identical use case a while ago on this forum and
>>>> Bill was planning to refactor the adapters to support this use case.
>>>> Unfortunately he got caught up in other tasks and was not able to
>>>> proceed on this.
>>>>
>>>> The discussion thread is here
>>>> http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html
>>>>
>>>> Basically what I believe Bill suggested which would meet this use case
>>>> is to:
>>>>
>>>> 1. Have a shared secret between clients for all realms.
>>>> 2. The adapter would just extract the realm name from the request,
>>>>    invoke on the keycloak server to get the public information about
>>>>    the realm (i.e. public key) and then cache the information locally.
>>>>
>>>> The key bit here is extracting the realm name from the request and then
>>>> pulling the realm info from the keycloak server.
>>>>
>>>> I had a look at the keycloak source code and I believe the magic happens
>>>> in the KeycloakServletExtension class under the
>>>> org.keycloak.adapters.undertow package for my use case (since I deploy
>>>> it on wildfly)
>>>>
>>>> What I have got stumped on is that this class gets loaded when my war is
>>>> deployed and I am wondering how I can do it per request (if the info is
>>>> not already cached locally)
>>>>
>>>> Maybe with the imminent release of 1.0 (btw congrats for the great work
>>>> to everyone in the team and for Bill and your leadership), maybe we
>>>> should start thinking about this multi tenancy use case to be included
>>>> in future releases.
>>>>
>>>> I believe that SaaS models are going to be popular and having this
>>>> feature added will make keycloak a major player in this space.
>>>>
>>>> Cheers
>>>> Travis
-------------- next part --------------
An HTML attachment was scrubbed...
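The per-request resolver that Bill and Travis sketch in this thread (realm name taken from the request URI, keycloak-{realmname}.json loaded from a directory outside the war, the resulting KeycloakDeployment cached), as an added example that is not code from the thread, from Keycloak, or from Bill's refactoring. It assumes the 1.0-era types org.keycloak.adapters.HttpFacade, KeycloakDeployment and KeycloakDeploymentBuilder, that HttpFacade.Request.getURI() returns the request URI as a string, and that the realm is the first path segment after the war's context path; RealmFromUriResolver and its constructor arguments are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Pattern;
import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

/**
 * Hypothetical multi-tenant resolver: /{context}/{realm}/... selects
 * {configDir}/keycloak-{realm}.json. It has the same method signature as the
 * AdapterDeploymentContext.resolveDeployment(HttpFacade) quoted in the thread,
 * so it could serve as the override Bill describes once the context is pluggable.
 */
public final class RealmFromUriResolver {

    // Accept only plain realm names, so a request can never select a file outside configDir.
    private static final Pattern SAFE_REALM = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$");

    private final String contextPath;
    private final Path configDir;
    private final ConcurrentMap<String, KeycloakDeployment> cache =
        new ConcurrentHashMap<String, KeycloakDeployment>();

    public RealmFromUriResolver(String contextPath, Path configDir) {
        this.contextPath = contextPath;
        this.configDir = configDir.toAbsolutePath().normalize();
    }

    /** Extracts the realm name from a request path; null when absent or not a safe name. */
    public String realmFromPath(String path) {
        if (path == null || !path.startsWith(contextPath)) {
            return null;
        }
        String rest = path.substring(contextPath.length());
        if (rest.startsWith("/")) {
            rest = rest.substring(1);
        }
        int slash = rest.indexOf('/');
        String realm = slash < 0 ? rest : rest.substring(0, slash);
        return SAFE_REALM.matcher(realm).matches() ? realm : null;
    }

    /** Called on every request; unknown tenants get null, never a default realm. */
    public KeycloakDeployment resolveDeployment(HttpFacade facade) {
        // Assumption: getURI() returns the full request URI as a string.
        String path = URI.create(facade.getRequest().getURI()).getPath();
        String realm = realmFromPath(path);
        if (realm == null) {
            return null;
        }
        KeycloakDeployment cached = cache.get(realm);
        if (cached != null) {
            return cached;
        }
        KeycloakDeployment loaded = load(realm);
        if (loaded == null) {
            return null;
        }
        // Two concurrent first requests for the same realm must share one deployment.
        KeycloakDeployment prior = cache.putIfAbsent(realm, loaded);
        return prior != null ? prior : loaded;
    }

    private KeycloakDeployment load(String realm) {
        Path file = configDir.resolve("keycloak-" + realm + ".json").normalize();
        // Belt and braces: even with the name whitelist, refuse anything outside configDir.
        if (!file.startsWith(configDir) || !Files.isRegularFile(file)) {
            return null;
        }
        try (InputStream in = Files.newInputStream(file)) {
            return KeycloakDeploymentBuilder.build(in);
        } catch (IOException e) {
            return null;
        }
    }
}
```

Travis's "directory scanner" idea would amount to evicting the cache entry when the file changes; the whitelist and the startsWith check stay the same.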
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140906/7c787d0d/attachment-0001.html

From peterson.dean at gmail.com Sat Sep 6 12:43:56 2014
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 6 Sep 2014 11:43:56 -0500
Subject: [keycloak-user] LiveOak integration with Keycloak
In-Reply-To: <54086736.1090404@redhat.com>
References: <1155100161.42215509.1409643450943.JavaMail.zimbra@redhat.com> <54086736.1090404@redhat.com>
Message-ID:

Perfect, thank you!

On Thu, Sep 4, 2014 at 8:20 AM, Marek Posolda wrote:

> I've added some "quick and dirty" instructions on how to use separate
> Keycloak from your Liveoak:
> https://github.com/mposolda/mposolda.github.io/blob/master/tmp/Separate-Keycloak.md
> I will try to properly document somewhere later, until then you can use
> those temporary instructions. You will also need latest LiveOak master.
>
> Let me know if it suits your needs or if seeing some issues...
>
> Marek
>
> On 2.9.2014 09:37, Stian Thorgersen wrote:
>
>> To make LiveOak as easy as possible to use we wanted it to work out of
>> the box, so we include a ready bootstrapped Keycloak.
>>
>> It's quite easy to remove the bootstrap Keycloak server and use your own.
>> Marek is going to upgrade Keycloak in LiveOak soon and he'll add some
>> documentation on how to use an external Keycloak server.
>>
>> ----- Original Message -----
>>
>>> From: "Dean Peterson"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Tuesday, 2 September, 2014 3:50:54 AM
>>> Subject: [keycloak-user] LiveOak integration with Keycloak
>>>
>>> I am wondering about the KeycloakApplication class the LiveOak project
>>> seems to be using to extend Keycloak for their framework. I really like
>>> what LiveOak is doing but I am not able to understand why they would
>>> couple everything to a custom version of Keycloak. I want to have a
>>> separate Keycloak server that handles security for whatever applications
>>> I have.
>>> It seems their decision to include Keycloak in the deployment of LiveOak
>>> prevents me from deploying multiple LiveOak domain models on separate
>>> servers. Every LiveOak will have its own instance of Keycloak. I am
>>> asking here because it seems Stian has had a hand in the creation of
>>> LiveOak and I was hoping he might see this and shed some light on the
>>> subject. There is little documentation on the KeycloakApplication class.
>>> Is that used to easily extend Keycloak and embed it into other
>>> frameworks? Doesn't that defeat the purpose of Security As A Service?
>>> Any ideas how I might decouple Keycloak from LiveOak?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140906/10570f79/attachment.html

From stian at redhat.com Mon Sep 8 04:17:00 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 8 Sep 2014 04:17:00 -0400 (EDT)
Subject: [keycloak-user] Query param with "code" property name will get 400 Bad request
In-Reply-To: <74C5B5EC-6270-4D10-8A01-36556DD8FFB0@icloud.com>
References: <74C5B5EC-6270-4D10-8A01-36556DD8FFB0@icloud.com>
Message-ID: <266190070.45228578.1410164220268.JavaMail.zimbra@redhat.com>

This is caused by the adapters assuming that any request with a code query
param is an oauth2 callback. It's less than ideal, so can you create a jira
issue please?
----- Original Message -----
> From: "Christina Lau"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 3 September, 2014 1:14:36 PM
> Subject: [keycloak-user] Query param with "code" property name will get 400 Bad request
>
> Hi, I have an app deployed on Keycloak, whenever I add a query parameter to
> any URL with the property name of "code", I get a 400 Bad Request (whether
> it's a static file or a servlet).
>
> The same app on JBoss does not have the same issue. Is this a bug?
>
> Here are two URLs to try out, both unsecure:
>
> JBoss EAP:
> http://jbosseap-test.apps.qatest.biz/v1/cloudproviders?code=100
>
> Keycloak:
> http://ec2-54-84-240-18.compute-1.amazonaws.com:8080/dsgapi/cloudproviders?code=123
>
> Christina

From stian at redhat.com Mon Sep 8 04:25:25 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 8 Sep 2014 04:25:25 -0400 (EDT)
Subject: [keycloak-user] user-resource-role-mappings typo error in doco
In-Reply-To:
References:
Message-ID: <510300311.45231468.1410164724997.JavaMail.zimbra@redhat.com>

Fixed, thanks

----- Original Message -----
> From: "Travis De Silva"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 4 September, 2014 4:43:26 AM
> Subject: [keycloak-user] user-resource-role-mappings typo error in doco
>
> Hi,
>
> As per the documentation here,
> http://docs.jboss.org/keycloak/docs/1.0-rc-2/userguide/html/ch07.html
>
> we can set "user-resource-role-mappings" : true, in the keycloak.json file,
> which will then make the adapter look inside the token for application level
> role mappings for the user.
>
> But when I add this, I get the following error
>
> Caused by: java.lang.RuntimeException:
> org.codehaus.jackson.map.exc.UnrecognizedPropertyException: Unrecognized
> field "user-resource-role-mappings" (Class
> org.keycloak.representations.adapters.config.AdapterConfig), not marked as
> ignorable
>
> I was able to track this down to the code in AdapterConfig in the
> org.keycloak.representations.adapters.config package. In there, it is
> defined as "use-resource-role-mappings"
>
> When I changed it to this it worked.
>
> I believe the doco has a typo that needs to be fixed.
>
> Cheers
>
> Travis

From stian at redhat.com Mon Sep 8 04:32:27 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 8 Sep 2014 04:32:27 -0400 (EDT)
Subject: [keycloak-user] SessionContext
In-Reply-To:
References:
Message-ID: <1044974826.45234300.1410165147528.JavaMail.zimbra@redhat.com>

I think it should be, can you create a jira to request this please?

----- Original Message -----
> From: "Alarik Myrin"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 5 September, 2014 5:57:41 PM
> Subject: [keycloak-user] SessionContext
>
> Is it possible (or can it be possible in the future) to get the
> KeycloakSecurityContext out of javax.ejb.SessionContext? I am using Wildfly
> with the Wildfly adapter, and the only way I could figure out how to get it
> (based on the example code) is from the HttpServletRequest. It would be cool
> if it made its way into the SessionContext somehow...
>
> Alarik

From alarik at zwift.com Mon Sep 8 07:12:09 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Mon, 8 Sep 2014 07:12:09 -0400
Subject: [keycloak-user] SessionContext
In-Reply-To: <1044974826.45234300.1410165147528.JavaMail.zimbra@redhat.com>
References: <1044974826.45234300.1410165147528.JavaMail.zimbra@redhat.com>
Message-ID:

Sure thing. Keycloak-663: https://issues.jboss.org/browse/KEYCLOAK-663

On Mon, Sep 8, 2014 at 4:32 AM, Stian Thorgersen wrote:

> I think it should be, can you create a jira to request this please?
>
> ----- Original Message -----
>> From: "Alarik Myrin"
>> To: keycloak-user at lists.jboss.org
>> Sent: Friday, 5 September, 2014 5:57:41 PM
>> Subject: [keycloak-user] SessionContext
>>
>> Is it possible (or can it be possible in the future) to get the
>> KeycloakSecurityContext out of javax.ejb.SessionContext? I am using
>> Wildfly with the Wildfly adapter, and the only way I could figure out how
>> to get it (based on the example code) is from the HttpServletRequest. It
>> would be cool if it made its way into the SessionContext somehow...
>>
>> Alarik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140908/bb8d940f/attachment.html From redsamh at gmail.com Mon Sep 8 10:09:51 2014 From: redsamh at gmail.com (Red Samh) Date: Mon, 8 Sep 2014 10:09:51 -0400 Subject: [keycloak-user] REST -> Backend App In-Reply-To: <540A1075.1050503@redhat.com> References: <5409D9DB.9000601@redhat.com> <5409DC05.8080104@redhat.com> <5409F08D.2060502@redhat.com> <540A03E2.6060905@redhat.com> <540A1075.1050503@redhat.com> Message-ID: Bill, I redid everything and it is working now. Thanks :). Thanks Sam On Fri, Sep 5, 2014 at 3:35 PM, Bill Burke wrote: > I doubt the version is the problem. > > On 9/5/2014 3:23 PM, Red Samh wrote: > >> Bill, >> >> I have rc1 and not rc2, let me check if it works in the newer version. >> It may be the version. >> >> Thanks >> Sam >> >> >> On Fri, Sep 5, 2014 at 3:13 PM, Red Samh > > wrote: >> >> Bill, >> >> I am able to get the example to work and it is fine if I am calling >> REST service to any other REST service (any number of hops). Does it >> work if you try to access another web application (just submit a >> form, access content or anything) that is authenticated by Keycloak >> or Are you able to make a call from the REST Service to a web >> application that is configured with Keycloak? >> >> See attached explanation. >> >> Thanks >> Sam >> >> >> On Fri, Sep 5, 2014 at 2:41 PM, Bill Burke > > wrote: >> >> You're going to have to elaborate on your problem as I was >> unable to reproduce it. >> >> I took examples/preconfigured-demo/__customer-app and added the >> database/ projects Java files to it. I was able to deploy this >> application and do both web and bearer auth from the same war. >> >> Are you using latest Keycloak? 1.0-rc2? >> >> On 9/5/2014 1:31 PM, Red Samh wrote: >> >> >> Thanks Bill, much appreciated. Is there something I can do >> in the >> interim even if it is a hack?. 
I was looking at adapter code >> or even >> something I can hardcode in the rest service to pull out the >> user >> information and make the call to the back end application? >> >> Thanks >> Sam >> >> On Sep 5, 2014 1:19 PM, "Bill Burke" > >> >> wrote: >> >> A pure servlet filter is on the roadmap, but it >> wouldn't be as >> seemlessly integrated. I'll take a look at your problem. >> >> On 9/5/2014 11:59 AM, Red Samh wrote: >> >> >> Eap 6.x, it would be nice if i could generalize to >> any war >> deployed to >> to tomcat or jetty. >> >> Thanks >> Sam >> >> On Sep 5, 2014 11:51 AM, "Bill Burke" >> >> > >> >> > > >>> wrote: >> >> Wildfly or JBoss EAP 6.x or JBoss AS 7.1? >> >> >> On 9/5/2014 11:49 AM, Red Samh wrote: >> >> Bill, >> >> Thanks for the reply. >> >> Yes it works when I have to call REST to >> another REST >> service >> and any >> number of hops. The problem is calling a >> full fledged >> application from >> a REST service that I have the issue. When >> it is an >> application >> that is >> both Web App + REST and I add the >> authorization header >> (bearer) >> I get an >> unauthorized 401 (blackbox in the >> attachment). >> >> Thanks >> Sam >> >> >> On Fri, Sep 5, 2014 at 11:42 AM, Bill Burke >> >> > >> > > >> >> > > > >> > > >>>> wrote: >> >> Should work. You'll have to actually >> describe >> what your >> problem is or I >> can't help you. I'll take a guess >> though: >> >> Keycloak doesn't propagate the >> Authorization >> bearer token >> header >> automatically when you have multiple >> REST "hops" >> between >> multiple >> servers You'll have to obtain the >> access token >> and set up >> the HTTP >> header manually. The demo >> customer-portal example >> in the >> distro does >> exactly this, so take a look at that >> for more details. >> >> On 9/5/2014 10:58 AM, Red Samh wrote: >> > Hello, >> > >> > We have an application that is >> protected using >> Keycloak >> and a >> user can >> > access this application through a >> web front. 
>> > After login the user can use the functionality of the
>> > application. The application is also exposed through REST API's
>> > and is protected via keycloak as part of the application and
>> > accessible only after login into the main application.
>> >
>> > We have a
>> >
>> > (Step 1) Javascript application (retrieving data from) ->
>> >
>> > (Step 2) Business Application exposed as REST API (REST API has
>> > to make calls to backend Application mentioned above) ->
>> >
>> > (Step 3) BackEnd Application Server + REST API.
>> >
>> > Directly accessing the BackEnd Application Server works fine but
>> > when we need to call the REST API from another REST service which
>> > is authenticated via Keycloak we have issues.
>> >
>> > We used the existing sample to try and do a POC but not sure what
>> > is the best approach to solve this issue. The part from (Step 1)
>> > to (Step 2) works and the REST API is protected using BEARER
>> > token. The (Step 2) to (Step 3) is a problem as in (Step 2) we
>> > only have the BEARER token and the BackEnd Application is
>> > protected using the full keycloak configuration. So The BackEnd
>> > Application service is not authenticating by sending in only the
>> > BEARER token in the header which is a full keycloak installation
>> > (work as only a web service).
>> >
>> > Thanks
>> > Sam
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140908/078aa8bf/attachment-0001.html

From christinalau28 at icloud.com Mon Sep 8 10:17:50 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Mon, 08 Sep 2014 10:17:50 -0400
Subject: [keycloak-user] Query param with "code" property name will get 400 Bad request
In-Reply-To: <266190070.45228578.1410164220268.JavaMail.zimbra@redhat.com>
References: <74C5B5EC-6270-4D10-8A01-36556DD8FFB0@icloud.com> <266190070.45228578.1410164220268.JavaMail.zimbra@redhat.com>
Message-ID:

I opened this. Will it be possible to get it fixed in the GA release? Otherwise we have to try another workaround. Thx.

https://issues.jboss.org/browse/KEYCLOAK-664

On Sep 8, 2014, at 4:17 AM, Stian Thorgersen wrote:

> This is caused by the adapters assuming that any request with a code query param is an oauth2 callback. It's less than ideal, so can you create a jira issue please?
>
> ----- Original Message -----
>> From: "Christina Lau"
>> To: keycloak-user at lists.jboss.org
>> Sent: Wednesday, 3 September, 2014 1:14:36 PM
>> Subject: [keycloak-user] Query param with "code" property name will get 400 Bad request
>>
>> Hi, I have an app deployed on Keycloak, whenever I add a query parameter to
>> any URL with the property name of "code", I get a 400 Bad Request (whether
>> it's a static file or a servlet).
>>
>> The same app on JBoss does not have the same issue. Is this a bug?
>>
>> Here are two URLs to try out, both unsecure:
>>
>> JBoss EAP:
>> http://jbosseap-test.apps.qatest.biz/v1/cloudproviders?code=100
>>
>> Keycloak:
>>
>> http://ec2-54-84-240-18.compute-1.amazonaws.com:8080/dsgapi/cloudproviders?code=123
>>
>> Christina
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From koenig at appcube.info Mon Sep 8 10:49:23 2014
From: koenig at appcube.info (Artjom König)
Date: Mon, 8 Sep 2014 16:49:23 +0200
Subject: [keycloak-user] Transferring social login from mobile apps to Keycloak
Message-ID:

Hi,

I would like to use Keycloak as a backend security and user management solution for my native apps (Android and iOS). In my native app, the user can register/login with Facebook/Google+ using the corresponding native SDK. After the login I get all desired user data and even the access token. Then I would like to create a user in Keycloak via the REST API with this social account. It should result in the same user data, like using the social login of the Keycloak's web login.

Any ideas, how to get this done?

Cheers,
Artjom

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140908/4f7a64a2/attachment.html

From mposolda at redhat.com Mon Sep 8 13:50:01 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 08 Sep 2014 19:50:01 +0200
Subject: [keycloak-user] LiveOak integration with Keycloak
In-Reply-To:
References: <1155100161.42215509.1409643450943.JavaMail.zimbra@redhat.com> <54086736.1090404@redhat.com>
Message-ID: <540DEC49.8090108@redhat.com>

It's in official LiveOak documentation now http://liveoak.io/docs/guides/tutorial_keycloak_separate/ .

Marek

On 6.9.2014 18:43, Dean Peterson wrote:
> Perfect, thank you!
>
> On Thu, Sep 4, 2014 at 8:20 AM, Marek Posolda wrote:
>
> I've added some "quick and dirty" instructions on how to use
> separate Keycloak from your Liveoak
> https://github.com/mposolda/mposolda.github.io/blob/master/tmp/Separate-Keycloak.md
> . I will try to properly document somewhere later, until then you
> can use those temporary instructions. You will also need latest
> LiveOak master.
>
> Let me know if it suits your needs or if seeing some issues...
>
> Marek
>
> On 2.9.2014 09:37, Stian Thorgersen wrote:
>
> To make LiveOak as easy as possible to use we wanted it to
> work out of the box, so we include a ready bootstrapped Keycloak.
>
> It's quite easy to remove the bootstrap Keycloak server and
> use your own. Marek is going to upgrade Keycloak in LiveOak
> soon and he'll add some documentation on how to use an
> external Keycloak server.
>
> ----- Original Message -----
>
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 2 September, 2014 3:50:54 AM
> Subject: [keycloak-user] LiveOak integration with Keycloak
>
> I am wondering about the KeycloakApplication class the
> LiveOak project seems to be using to extend Keycloak for their
> framework. I really like what LiveOak is doing but I am not able
> to understand why they would couple everything to a custom version
> of Keycloak.
> I want to have a separate Keycloak server that handles security for
> whatever applications I have. It seems their decision to include
> Keycloak in the deployment of LiveOak prevents me from deploying
> multiple LiveOak domain models on separate servers. Every LiveOak
> will have its own instance of Keycloak. I am asking here because it
> seems Stian has had a hand in the creation of LiveOak and I was
> hoping he might see this and shed some light on the subject. There
> is little documentation on the KeycloakApplication class. Is that
> used to easily extend Keycloak and embed it into other frameworks?
> Doesn't that defeat the purpose of Security As A Service? Any ideas
> how I might decouple Keycloak from LiveOak?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140908/5d872fa3/attachment.html

From stian at redhat.com Mon Sep 8 14:05:21 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 8 Sep 2014 14:05:21 -0400 (EDT)
Subject: [keycloak-user] Query param with "code" property name will get 400 Bad request
In-Reply-To:
References: <74C5B5EC-6270-4D10-8A01-36556DD8FFB0@icloud.com> <266190070.45228578.1410164220268.JavaMail.zimbra@redhat.com>
Message-ID: <1822922458.45720575.1410199521239.JavaMail.zimbra@redhat.com>

I'm afraid it's too late for this to make it into 1.0.final

----- Original Message -----
> From: "Christina Lau"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 8 September, 2014 4:17:50 PM
> Subject: Re: [keycloak-user] Query param with "code" property name will get 400 Bad request
>
> I opened this. Will it be possible to get it fixed in the GA release? Otherwise
> we have to try another workaround. Thx.
>
> https://issues.jboss.org/browse/KEYCLOAK-664
>
> On Sep 8, 2014, at 4:17 AM, Stian Thorgersen wrote:
>
> > This is caused by the adapters assuming that any request with a code query
> > param is an oauth2 callback. It's less than ideal, so can you create a jira
> > issue please?
> >
> > ----- Original Message -----
> >> From: "Christina Lau"
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Wednesday, 3 September, 2014 1:14:36 PM
> >> Subject: [keycloak-user] Query param with "code" property name will get
> >> 400 Bad request
> >>
> >> Hi, I have an app deployed on Keycloak, whenever I add a query parameter
> >> to any URL with the property name of "code", I get a 400 Bad Request (whether
> >> it's a static file or a servlet).
> >>
> >> The same app on JBoss does not have the same issue. Is this a bug?
> >>
> >> Here are two URLs to try out, both unsecure:
> >>
> >> JBoss EAP:
> >> http://jbosseap-test.apps.qatest.biz/v1/cloudproviders?code=100
> >>
> >> Keycloak:
> >>
> >> http://ec2-54-84-240-18.compute-1.amazonaws.com:8080/dsgapi/cloudproviders?code=123
> >>
> >> Christina
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From evanthomjd at gmail.com Tue Sep 9 16:33:35 2014
From: evanthomjd at gmail.com (Evan Thompson)
Date: Tue, 9 Sep 2014 16:33:35 -0400
Subject: [keycloak-user] user_attributes table
Message-ID:

Howdy all,

I've been looking into ways of storing user metadata within my keycloak database and noticed the user_attributes table. Now I am wondering is there any way for me to write to that table via the keycloak console.

Thanks for your time,

Evan Thompson

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140909/ee874abf/attachment.html

From bburke at redhat.com Tue Sep 9 21:04:46 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 09 Sep 2014 21:04:46 -0400
Subject: [keycloak-user] user_attributes table
In-Reply-To:
References:
Message-ID: <540FA3AE.6020604@redhat.com>

Nope. :( sorry. It's on the roadmap though.

On 9/9/2014 4:33 PM, Evan Thompson wrote:
> Howdy all,
>
> I've been looking into ways of storing user metadata within my
> keycloak database and noticed the user_attributes table. Now I am
> wondering is there any way for me to write to that table via the
> keycloak console.
>
> Thanks for your time,
>
> Evan Thompson
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Wed Sep 10 08:27:56 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Wed, 10 Sep 2014 08:27:56 -0400
Subject: [keycloak-user] how to get user password from keycloak?
Message-ID: <61BCB4EB-C327-4FA1-B83D-35132C1DFB71@icloud.com>

I am trying to extend the keycloak new user registration path so that when a new user is registered to keycloak, it will automatically be registered to another third party system with the same user name and password. How can I obtain the user password from keycloak? Is that possible? I tried the rest api (http://localhost:8080/auth/realms/{realm}/account/password) already and it returns an html stream. Thx.

Christina

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140910/3932fde2/attachment-0001.html

From bburke at redhat.com Wed Sep 10 08:39:23 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 10 Sep 2014 08:39:23 -0400
Subject: [keycloak-user] how to get user password from keycloak?
In-Reply-To: <61BCB4EB-C327-4FA1-B83D-35132C1DFB71@icloud.com>
References: <61BCB4EB-C327-4FA1-B83D-35132C1DFB71@icloud.com>
Message-ID: <5410467B.4050707@redhat.com>

For security reasons you can not obtain a password from our remote APIs. We also do not store passwords directly, they are hashed, also for security reasons.

I think you've pinpointed yet another entry point where we need an SPI to intercept a specific event.
On 9/10/2014 8:27 AM, Christina Lau wrote:
> I am trying to extend the keycloak new user registration path so that
> when a new user is registered to keycloak, it will automatically be
> registered to another third party system with the same user name and
> password. How can I obtain the user password from keycloak? Is that
> possible? I tried the rest api
> (http://localhost:8080/auth/realms/{realm}/account/password) already and
> it returns an html stream. Thx.
>
> Christina
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Wed Sep 10 08:47:26 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 10 Sep 2014 08:47:26 -0400 (EDT)
Subject: [keycloak-user] how to get user password from keycloak?
In-Reply-To: <5410467B.4050707@redhat.com>
References: <61BCB4EB-C327-4FA1-B83D-35132C1DFB71@icloud.com> <5410467B.4050707@redhat.com>
Message-ID: <1631313801.46868206.1410353246339.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Bill Burke"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 10 September, 2014 2:39:23 PM
> Subject: Re: [keycloak-user] how to get user password from keycloak?
>
> For security reasons you can not obtain a password from our remote APIs.
> We also do not store passwords directly, they are hashed, also for
> security reasons.
>
> I think you've pinpointed yet another entry point where we need an SPI
> to intercept a specific event.

Couldn't the UserFederationProvider be used in this case?

Alternatively, we could add to the Event SPI to make it possible to retrieve the password when a user is registered or updates the password.
>
> On 9/10/2014 8:27 AM, Christina Lau wrote:
> > I am trying to extend the keycloak new user registration path so that
> > when a new user is registered to keycloak, it will automatically be
> > registered to another third party system with the same user name and
> > password. How can I obtain the user password from keycloak? Is that
> > possible? I tried the rest api
> > (http://localhost:8080/auth/realms/{realm}/account/password) already and
> > it returns an html stream. Thx.
> >
> > Christina
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From christinalau28 at icloud.com Wed Sep 10 09:19:03 2014
From: christinalau28 at icloud.com (Christina Lau)
Date: Wed, 10 Sep 2014 09:19:03 -0400
Subject: [keycloak-user] how to get user password from keycloak?
In-Reply-To: <61BCB4EB-C327-4FA1-B83D-35132C1DFB71@icloud.com>
References: <61BCB4EB-C327-4FA1-B83D-35132C1DFB71@icloud.com>
Message-ID: <0F63C4F5-0177-42E2-B0FB-A5ECD07D2988@icloud.com>

Adding a method to the Event SPI will work since it is already giving me back the user name, and I can use it to call my code on new user registration.
Any chance for 1.0? Otherwise not sure how to hack this, maybe I need to make my own login page? A lot of work.

Christina

From bburke at redhat.com Wed Sep 10 09:22:52 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 10 Sep 2014 09:22:52 -0400
Subject: [keycloak-user] how to get user password from keycloak?
In-Reply-To: <0F63C4F5-0177-42E2-B0FB-A5ECD07D2988@icloud.com>
References: <61BCB4EB-C327-4FA1-B83D-35132C1DFB71@icloud.com> <0F63C4F5-0177-42E2-B0FB-A5ECD07D2988@icloud.com>
Message-ID: <541050AC.7070401@redhat.com>

See Stian's post. Check out the UserFederationProvider SPI. There's an example in the distribution. Sorry I had a brain fart and forgot about it... You won't be able to get the password, but you will be able to get the password hash.

On 9/10/2014 9:19 AM, Christina Lau wrote:
> Adding a method to the Event SPI will work since it is already giving me back the user name, and I can use it to call my code on new user registration.
> Any chance for 1.0? Otherwise not sure how to hack this, maybe I need to make my own login page? A lot of work.
>
> Christina
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From markoradinovic79 at gmail.com Wed Sep 10 11:42:13 2014
From: markoradinovic79 at gmail.com (Marko Radinovic)
Date: Wed, 10 Sep 2014 17:42:13 +0200
Subject: [keycloak-user] Logout exception
Message-ID: <54107155.7070309@gmail.com>

Hi,

I have Vaadin application running on Wildfly and I'm having problems with logout. I have installed keycloak on OpenShift and configure test domain for application testing.
When I try to logout I get:

2014-09-10 17:31:45,206 ERROR [io.undertow.request] (default task-39) UT005023: Exception handling request to /k_logout: java.lang.RuntimeException: java.io.IOException: UT010029: Stream is closed
        at org.keycloak.adapters.PreAuthActionsHandler.handleLogout(PreAuthActionsHandler.java:138) [keycloak-adapter-core-1.0-rc-2.jar:]
        at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:57) [keycloak-adapter-core-1.0-rc-2.jar:]
        at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-1.0-rc-2.jar:]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_67]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_67]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
Caused by: java.io.IOException: UT010029: Stream is closed
        at io.undertow.servlet.spec.ServletInputStreamImpl.read(ServletInputStreamImpl.java:115) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283) [rt.jar:1.7.0_67]
        at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325) [rt.jar:1.7.0_67]
        at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177) [rt.jar:1.7.0_67]
        at java.io.InputStreamReader.read(InputStreamReader.java:184) [rt.jar:1.7.0_67]
        at java.io.BufferedReader.fill(BufferedReader.java:154) [rt.jar:1.7.0_67]
        at java.io.BufferedReader.read1(BufferedReader.java:205) [rt.jar:1.7.0_67]
        at java.io.BufferedReader.read(BufferedReader.java:279) [rt.jar:1.7.0_67]
        at org.keycloak.util.StreamUtil.readString(StreamUtil.java:25) [keycloak-core-1.0-rc-2.jar:]
        at org.keycloak.adapters.PreAuthActionsHandler.verifyAdminRequest(PreAuthActionsHandler.java:165) [keycloak-adapter-core-1.0-rc-2.jar:]
        at org.keycloak.adapters.PreAuthActionsHandler.handleLogout(PreAuthActionsHandler.java:118) [keycloak-adapter-core-1.0-rc-2.jar:]
        ... 12 more

I tried both JaasAccessControl.logout() and httpServletRequest.logout().

Thanks
Marko

From bburke at redhat.com Wed Sep 10 16:19:25 2014
From: bburke at redhat.com (Bill Burke)
Date: Wed, 10 Sep 2014 16:19:25 -0400
Subject: [keycloak-user] Keycloak 1.0 Final Released
Message-ID: <5410B24D.8010902@redhat.com>

Here's the details:
http://blog.keycloak.org/2014/09/10/keycloak-1-0-final-released/

Thank you Stian and Marek. You guys have been amazing to work with.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From pmadden at tomsawyer.com Wed Sep 10 17:22:35 2014
From: pmadden at tomsawyer.com (Patrick V. Madden)
Date: Wed, 10 Sep 2014 14:22:35 -0700 (PDT)
Subject: [keycloak-user] Keycloak 1.0 Final Released
In-Reply-To: <748074544.292462.1410384140567.JavaMail.zimbra@tomsawyer.com>
References: <5410B24D.8010902@redhat.com>
Message-ID: <545274342.292466.1410384155841.JavaMail.zimbra@tomsawyer.com>

Congratulations!
I will upgrade my release candidate we have running internally in the next day or so :)

We are using it for a bunch of internal enterprise applications we are writing. I really want to say thank you for the great work you all have done!

Patrick Madden
Principal Design Engineer
Tom Sawyer Software
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden at tomsawyer.com

From: "Bill Burke"
To: keycloak-dev at lists.jboss.org, "keycloack-users"
Sent: Wednesday, September 10, 2014 4:19:25 PM
Subject: [keycloak-user] Keycloak 1.0 Final Released

Here's the details:
http://blog.keycloak.org/2014/09/10/keycloak-1-0-final-released/

Thank you Stian and Marek. You guys have been amazing to work with.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140910/47e286d3/attachment.html

From bruno at abstractj.org Wed Sep 10 21:34:06 2014
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 10 Sep 2014 18:34:06 -0700 (PDT)
Subject: [keycloak-user] [keycloak-dev] Keycloak 1.0 Final Released
In-Reply-To: <5410B24D.8010902@redhat.com>
References: <5410B24D.8010902@redhat.com>
Message-ID: <1410399245747.42f5834a@Nodemailer>

Congratulations!

abstractj
PGP: 0x84DC9914

On Wed, Sep 10, 2014 at 5:19 PM, Bill Burke wrote:
> Here's the details:
> http://blog.keycloak.org/2014/09/10/keycloak-1-0-final-released/
> Thank you Stian and Marek. You guys have been amazing to work with.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140910/7c54c694/attachment-0001.html

From gcollis at iinet.net.au Wed Sep 10 21:53:02 2014
From: gcollis at iinet.net.au (Graeme Collis)
Date: Thu, 11 Sep 2014 11:53:02 +1000
Subject: [keycloak-user] Keycloak 1.0 Final Released
In-Reply-To: <5410B24D.8010902@redhat.com>
References: <5410B24D.8010902@redhat.com>
Message-ID: <337CB56A25624D4185E961FFB48AA00F04C512F5143B@SWANS20.fitzroy01.local>

Congratulations to the team. A product with a definite need.

Thanks to all contributors,
Graeme

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Thursday, 11 September 2014 6:19 AM
To: keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak 1.0 Final Released

Here's the details:
http://blog.keycloak.org/2014/09/10/keycloak-1-0-final-released/

Thank you Stian and Marek. You guys have been amazing to work with.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From josh at psidox.com Thu Sep 11 01:22:44 2014
From: josh at psidox.com (Joshua Bellamy-Henn)
Date: Wed, 10 Sep 2014 23:22:44 -0600
Subject: [keycloak-user] Logged out of admin console after a short period of time
Message-ID:

Version: 1.0-final
Setup: Keycloak behind a reverse proxy

Currently after logging in to the Admin Console it seems that after 1-2 minutes I am getting booted back to the login page.
I am using default timeout settings so it's odd that I am getting kicked out before the 10 minute session timeout.

Checking the logs after this occurs, I am seeing the following warn:

2014-09-11 05:20:05,025 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-123) Failed executing GET /admin/realms/abc/applications/website/session-count: org.jboss.resteasy.spi.UnauthorizedException: Bearer
        at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:153) [keycloak-services-1.0-final.jar:]
        at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:184) [keycloak-services-1.0-final.jar:]
        at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) [:1.7.0_60]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]
        at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:81) [resteasy-jaxrs-3.0.8.Final.jar:]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:60) [resteasy-jaxrs-3.0.8.Final.jar:]
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:102) [resteasy-jaxrs-3.0.8.Final.jar:]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.8.Final.jar:]
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0-final.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.0-final.jar:]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_60]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_60]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60]

Any ideas what's going wrong?

Thanks,
Josh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140910/939bb3d7/attachment.html

From stian at redhat.com Thu Sep 11 03:58:40 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 11 Sep 2014 03:58:40 -0400 (EDT)
Subject: [keycloak-user] Logged out of admin console after a short period of time
In-Reply-To:
References:
Message-ID: <342831837.47461273.1410422320929.JavaMail.zimbra@redhat.com>

I've tried to replicate this without luck.

The default timeouts are:

* SSO Session Idle Timeout: 5 min
* SSO Session Max Lifespan: 10 hours
* Access Token Lifespan: 1 min

Are these the numbers you are using?

With these numbers the access token expires after 1 min. When the access token has expired it will try to retrieve a new token using the refresh token. If there are no requests to refresh the token for that session within 5 min the session will expire.
Basically, the minimum time after which you can get logged out is 4 min (SSO Session Idle Timeout - Access Token Lifespan).

----- Original Message -----
> From: "Joshua Bellamy-Henn"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 11 September, 2014 7:22:44 AM
> Subject: [keycloak-user] Logged out of admin console after a short period of time
>
> Version: 1.0-final
> Setup: Keycloak behind a reverse proxy
>
> Currently after logging in to the Admin Console it seems that after 1-2 minutes I am getting booted back to the login page. I am using default timeout settings so it's odd that I am getting kicked out before the 10 minute session timeout.
>
> Checking the logs after this occurs, I am seeing the following warn:
>
> 2014-09-11 05:20:05,025 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-123) Failed executing GET /admin/realms/abc/applications/website/session-count: org.jboss.resteasy.spi.UnauthorizedException: Bearer
>     at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:153) [keycloak-services-1.0-final.jar:]
>     at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:184) [keycloak-services-1.0-final.jar:]
>     at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) [:1.7.0_60]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]
>     at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:81) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:60) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:102) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0-final.jar:]
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.0-final.jar:]
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_60]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_60]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60]
>
> Any ideas what's going wrong?
>
> Thanks,
> Josh
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Thu Sep 11 04:01:21 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 11 Sep 2014 04:01:21 -0400 (EDT)
Subject: [keycloak-user] Keycloak OpenShift Cartridge 1.0.final Released
Message-ID: <920894234.47463103.1410422481400.JavaMail.zimbra@redhat.com>

The Keycloak OpenShift Cartridge has been updated to 1.0.final

From stian at redhat.com Thu Sep 11 04:36:38 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 11 Sep 2014 04:36:38 -0400 (EDT)
Subject: [keycloak-user] Transferring social login from mobile apps to Keycloak
In-Reply-To:
References:
Message-ID: <389632367.47477754.1410424598947.JavaMail.zimbra@redhat.com>

Hi,

I'm afraid this doesn't work currently, but it's a use-case that we'd like to add in the future so please create a jira feature request for it.

In the meantime you could achieve this by either:

1. Create a jax-rs application of your own that uses the Keycloak admin client interface to register the user and create the social-link
2. Extend KeycloakApplication to add a jax-rs class that can handle this - see project-integrations/aerogear-ups for an example on how to do this

----- Original Message -----
> From: "Artjom König"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 8 September, 2014 4:49:23 PM
> Subject: [keycloak-user] Transferring social login from mobile apps to Keycloak
>
> Hi,
>
> I would like to use Keycloak as a backend security and user management solution for my native apps (Android and iOS).
>
> In my native app, the user can register/login with Facebook/Google+ using the corresponding native SDK. After the login I get all desired user data and even the access token.
>
> Then I would like to create a user in Keycloak via the REST API with this social account. It should result in the same user data, like using the social login of Keycloak's web login.
>
> Any ideas, how to get this done?
>
> Cheers,
> Artjom
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From koenig at appcube.info Thu Sep 11 04:39:15 2014
From: koenig at appcube.info (Artjom König)
Date: Thu, 11 Sep 2014 10:39:15 +0200
Subject: [keycloak-user] Transferring social login from mobile apps to Keycloak
In-Reply-To: <389632367.47477754.1410424598947.JavaMail.zimbra@redhat.com>
References: <389632367.47477754.1410424598947.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Stian,

thank you for the reply!

How can I add a social link to an existing user via the Keycloak REST API?

Cheers,
Artjom

2014-09-11 10:36 GMT+02:00 Stian Thorgersen :

> Hi,
>
> I'm afraid this doesn't work currently, but it's a use-case that we'd like to add in the future so please create a jira feature request for it.
>
> In the meantime you could achieve this by either:
>
> 1. Create a jax-rs application of your own that uses the Keycloak admin client interface to register the user and create the social-link
> 2. Extend KeycloakApplication to add a jax-rs class that can handle this - see project-integrations/aerogear-ups for an example on how to do this
>
> ----- Original Message -----
> > From: "Artjom König"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 8 September, 2014 4:49:23 PM
> > Subject: [keycloak-user] Transferring social login from mobile apps to Keycloak
> >
> > Hi,
> >
> > I would like to use Keycloak as a backend security and user management solution for my native apps (Android and iOS).
> >
> > In my native app, the user can register/login with Facebook/Google+ using the corresponding native SDK. After the login I get all desired user data and even the access token.
> >
> > Then I would like to create a user in Keycloak via the REST API with this social account. It should result in the same user data, like using the social login of Keycloak's web login.
> >
> > Any ideas, how to get this done?
> >
> > Cheers,
> > Artjom
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
*Dipl.-Inf. Artjom König*
Geschäftsführer

*Tel: +49 228 286 346 78*
*Fax: **+49 228 286 346 63*
*Web:* *appcube.info *

*Skype: koenig.appcube*
*XING-Profil *

*Appcube GbR*
Alexander Thurn & Artjom König
Markt 39
53111 Bonn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/5fc38c19/attachment.html

From juraci at kroehling.de Thu Sep 11 05:12:33 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Thu, 11 Sep 2014 11:12:33 +0200
Subject: [keycloak-user] Keycloak Docker 1.0-final
Message-ID: <54116781.2070509@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The "latest" image on Docker for Keycloak is now at 1.0-final.

https://registry.hub.docker.com/u/jboss/keycloak/builds_history/25016/

- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUEWeBAAoJEDnJtskdmzLMhAMH/0Uy3NSuBdd1XNdFTFbj1UGm
4UG1g2t2UFGOpflgDVqmbcGnn0A+2dN/Soq78Qxa277v23b2M8AYHmurZ6VFf39i
LHxhFT6B1JD830o4uV8omX52q2L+N1gVg4OYe2EOYWDMGhPyVs+J4F7o2o46oeye
fXQFAsDP4oMwHAWSpEA4LirmpH/Dc/ioRRj5Ez30sQaBZaS0vAJxaIaUIZJ1IpgV
zZeuCLEET/Cdimw7pbVM2KLwriGqkZaDdfzD2OHmwMQ5u5wLi9mDb8NImhI3IPkW
zkhzkZtu+tXC+Mpai8nkZyVUPGAQzSIDz8HSnrKvJBvIdoK1rXW6PjizrNX8JIg=
=ZNir
-----END PGP SIGNATURE-----

From stian at redhat.com Thu Sep 11 06:11:38 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 11 Sep 2014 06:11:38 -0400 (EDT)
Subject: [keycloak-user] Transferring social login from mobile apps to Keycloak
In-Reply-To:
References: <389632367.47477754.1410424598947.JavaMail.zimbra@redhat.com>
Message-ID: <1761793254.47518256.1410430298396.JavaMail.zimbra@redhat.com>

Afraid that's not possible in 1.0.final. I've just added it for you, but you'll have to build Keycloak from source (or wait for 1.1.alpha to be released).

----- Original Message -----
> From: "Artjom König"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 11 September, 2014 10:39:15 AM
> Subject: Re: [keycloak-user] Transferring social login from mobile apps to Keycloak
>
> Hi Stian,
>
> thank you for the reply!
>
> How can I add a social link to an existing user via the Keycloak REST API?
>
> Cheers,
> Artjom
>
> 2014-09-11 10:36 GMT+02:00 Stian Thorgersen :
>
> > Hi,
> >
> > I'm afraid this doesn't work currently, but it's a use-case that we'd like to add in the future so please create a jira feature request for it.
> >
> > In the meantime you could achieve this by either:
> >
> > 1. Create a jax-rs application of your own that uses the Keycloak admin client interface to register the user and create the social-link
> > 2. Extend KeycloakApplication to add a jax-rs class that can handle this - see project-integrations/aerogear-ups for an example on how to do this
> >
> > ----- Original Message -----
> > > From: "Artjom König"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 8 September, 2014 4:49:23 PM
> > > Subject: [keycloak-user] Transferring social login from mobile apps to Keycloak
> > >
> > > Hi,
> > >
> > > I would like to use Keycloak as a backend security and user management solution for my native apps (Android and iOS).
> > >
> > > In my native app, the user can register/login with Facebook/Google+ using the corresponding native SDK. After the login I get all desired user data and even the access token.
> > >
> > > Then I would like to create a user in Keycloak via the REST API with this social account. It should result in the same user data, like using the social login of Keycloak's web login.
> > >
> > > Any ideas, how to get this done?
> > >
> > > Cheers,
> > > Artjom
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> *Dipl.-Inf. Artjom König*
> Geschäftsführer
>
> *Tel: +49 228 286 346 78*
> *Fax: **+49 228 286 346 63*
> *Web:* *appcube.info *
>
> *Skype: koenig.appcube*
> *XING-Profil *
>
> *Appcube GbR*
> Alexander Thurn & Artjom König
> Markt 39
> 53111 Bonn
>

From alarik at zwift.com Thu Sep 11 07:12:36 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Thu, 11 Sep 2014 07:12:36 -0400
Subject: [keycloak-user] Keycloak 1.0 Final Released
Message-ID:

Indeed, congratulations!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/30a5342f/attachment.html

From rodrigopsasaki at gmail.com Thu Sep 11 08:18:23 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 11 Sep 2014 09:18:23 -0300
Subject: [keycloak-user] Deploy a custom theme with the war
Message-ID:

Hello,

I'm not sure if there was already a question on this matter, but I searched around in JIRA and I couldn't find it.

Is there a way to deploy a custom theme along with my war artifact?

I tried creating modules like the ones provided, I extended an e-mail module and a common themes module, creating the factories with a new id, but on the admin console UI I can't see my own theme on the select menu.

If I create a theme and insert it in the /standalone/configuration/themes directory of my application server it works, but I was told to try and deploy it along with our war, to capture the theme from the classpath.

Is there already a built in way to do this?

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/5e93d7e9/attachment.html

From stian at redhat.com Thu Sep 11 08:24:41 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 11 Sep 2014 08:24:41 -0400 (EDT)
Subject: [keycloak-user] Deploy a custom theme with the war
In-Reply-To:
References:
Message-ID: <1000335973.47607615.1410438281368.JavaMail.zimbra@redhat.com>

You can bundle a theme as a jar, but as it's an extension to Keycloak, not your war, it has to be on Keycloak's classpath ('standalone/deployments/auth-server.war/WEB-INF/lib').

See https://github.com/keycloak/keycloak/tree/master/forms/common-themes, specifically https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/java/org/keycloak/theme/DefaultKeycloakThemeProvider.java

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 11 September, 2014 2:18:23 PM
> Subject: [keycloak-user] Deploy a custom theme with the war
>
> Hello,
>
> I'm not sure if there was already a question on this matter, but I searched around in JIRA and I couldn't find it.
>
> Is there a way to deploy a custom theme along with my war artifact?
>
> I tried creating modules like the ones provided, I extended an e-mail module and a common themes module, creating the factories with a new id, but on the admin console UI I can't see my own theme on the select menu.
>
> If I create a theme and insert it in the /standalone/configuration/themes directory of my application server it works, but I was told to try and deploy it along with our war, to capture the theme from the classpath.
>
> Is there already a built in way to do this?
>
> --
> Rodrigo Sasaki
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rodrigopsasaki at gmail.com Thu Sep 11 08:31:03 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 11 Sep 2014 09:31:03 -0300
Subject: [keycloak-user] Deploy a custom theme with the war
In-Reply-To: <1000335973.47607615.1410438281368.JavaMail.zimbra@redhat.com>
References: <1000335973.47607615.1410438281368.JavaMail.zimbra@redhat.com>
Message-ID:

So I would have to build a module that has the same mechanics of that one on providing themes, bundle it as a jar and add it to my deployment's lib directory.

Is that correct?

On Thu, Sep 11, 2014 at 9:24 AM, Stian Thorgersen wrote:

> You can bundle a theme as a jar, but as it's an extension to Keycloak, not your war, it has to be on Keycloak's classpath ('standalone/deployments/auth-server.war/WEB-INF/lib').
>
> See https://github.com/keycloak/keycloak/tree/master/forms/common-themes, specifically https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/java/org/keycloak/theme/DefaultKeycloakThemeProvider.java
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 11 September, 2014 2:18:23 PM
> > Subject: [keycloak-user] Deploy a custom theme with the war
> >
> > Hello,
> >
> > I'm not sure if there was already a question on this matter, but I searched around in JIRA and I couldn't find it.
> >
> > Is there a way to deploy a custom theme along with my war artifact?
> >
> > I tried creating modules like the ones provided, I extended an e-mail module and a common themes module, creating the factories with a new id, but on the admin console UI I can't see my own theme on the select menu.
> >
> > If I create a theme and insert it in the /standalone/configuration/themes directory of my application server it works, but I was told to try and deploy it along with our war, to capture the theme from the classpath.
> >
> > Is there already a built in way to do this?
> >
> > --
> > Rodrigo Sasaki
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/4282b442/attachment-0001.html

From stian at redhat.com Thu Sep 11 08:35:42 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 11 Sep 2014 08:35:42 -0400 (EDT)
Subject: [keycloak-user] Deploy a custom theme with the war
In-Reply-To:
References: <1000335973.47607615.1410438281368.JavaMail.zimbra@redhat.com>
Message-ID: <1783465893.47613497.1410438942192.JavaMail.zimbra@redhat.com>

Yes, if "my deployment's lib directory" means "/standalone/deployments/auth-server.war/WEB-INF/lib"

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 11 September, 2014 2:31:03 PM
> Subject: Re: [keycloak-user] Deploy a custom theme with the war
>
> So I would have to build a module that has the same mechanics of that one on providing themes, bundle it as a jar and add it to my deployment's lib directory.
>
> Is that correct?
>
> On Thu, Sep 11, 2014 at 9:24 AM, Stian Thorgersen wrote:
>
> > You can bundle a theme as a jar, but as it's an extension to Keycloak, not your war, it has to be on Keycloak's classpath ('standalone/deployments/auth-server.war/WEB-INF/lib').
> >
> > See https://github.com/keycloak/keycloak/tree/master/forms/common-themes, specifically https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/java/org/keycloak/theme/DefaultKeycloakThemeProvider.java
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 11 September, 2014 2:18:23 PM
> > > Subject: [keycloak-user] Deploy a custom theme with the war
> > >
> > > Hello,
> > >
> > > I'm not sure if there was already a question on this matter, but I searched around in JIRA and I couldn't find it.
> > >
> > > Is there a way to deploy a custom theme along with my war artifact?
> > >
> > > I tried creating modules like the ones provided, I extended an e-mail module and a common themes module, creating the factories with a new id, but on the admin console UI I can't see my own theme on the select menu.
> > >
> > > If I create a theme and insert it in the /standalone/configuration/themes directory of my application server it works, but I was told to try and deploy it along with our war, to capture the theme from the classpath.
> > >
> > > Is there already a built in way to do this?
> > >
> > > --
> > > Rodrigo Sasaki
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Rodrigo Sasaki
>

From rodrigopsasaki at gmail.com Thu Sep 11 08:44:47 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 11 Sep 2014 09:44:47 -0300
Subject: [keycloak-user] Deploy a custom theme with the war
In-Reply-To: <1783465893.47613497.1410438942192.JavaMail.zimbra@redhat.com>
References: <1000335973.47607615.1410438281368.JavaMail.zimbra@redhat.com> <1783465893.47613497.1410438942192.JavaMail.zimbra@redhat.com>
Message-ID:

Yes, that's what I meant, sorry. I tested it and it works.

Thanks again, Stian!

On Thu, Sep 11, 2014 at 9:35 AM, Stian Thorgersen wrote:

> Yes, if "my deployment's lib directory" means " HOME>/standalone/deployments/auth-server.war/WEB-INF/lib"
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, 11 September, 2014 2:31:03 PM
> > Subject: Re: [keycloak-user] Deploy a custom theme with the war
> >
> > So I would have to build a module that has the same mechanics of that one on providing themes, bundle it as a jar and add it to my deployment's lib directory.
> >
> > Is that correct?
> >
> > On Thu, Sep 11, 2014 at 9:24 AM, Stian Thorgersen wrote:
> >
> > > You can bundle a theme as a jar, but as it's an extension to Keycloak, not your war, it has to be on Keycloak's classpath ('standalone/deployments/auth-server.war/WEB-INF/lib').
> > >
> > > See https://github.com/keycloak/keycloak/tree/master/forms/common-themes, specifically https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/java/org/keycloak/theme/DefaultKeycloakThemeProvider.java
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, 11 September, 2014 2:18:23 PM
> > > > Subject: [keycloak-user] Deploy a custom theme with the war
> > > >
> > > > Hello,
> > > >
> > > > I'm not sure if there was already a question on this matter, but I searched around in JIRA and I couldn't find it.
> > > >
> > > > Is there a way to deploy a custom theme along with my war artifact?
> > > >
> > > > I tried creating modules like the ones provided, I extended an e-mail module and a common themes module, creating the factories with a new id, but on the admin console UI I can't see my own theme on the select menu.
> > > >
> > > > If I create a theme and insert it in the /standalone/configuration/themes directory of my application server it works, but I was told to try and deploy it along with our war, to capture the theme from the classpath.
> > > >
> > > > Is there already a built in way to do this?
> > > >
> > > > --
> > > > Rodrigo Sasaki
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> > --
> > Rodrigo Sasaki
>

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/72ec34ae/attachment.html From bburke at redhat.com Thu Sep 11 09:13:07 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 11 Sep 2014 09:13:07 -0400 Subject: [keycloak-user] Logged out of admin console after a short period of time In-Reply-To: <342831837.47461273.1410422320929.JavaMail.zimbra@redhat.com> References: <342831837.47461273.1410422320929.JavaMail.zimbra@redhat.com> Message-ID: <54119FE3.6070904@redhat.com> Have you run on an earlier version of Keycloak before installing 1.0-final? The automatic logout was a problem that stian put some fixes in before the 1.0-final release... ...So maybe clearing your browser cache might help? On 9/11/2014 3:58 AM, Stian Thorgersen wrote: > I've tried to replicate this without luck. > > The default timeouts are: > > * SSO Session Idle Timeout: 5 min > * SSO Session Max Lifespan: 10 hours > * Access Token Lifespan: 1 min > > Are these the numbers you are using? With these numbers the access token expires after 1 min. When the access token has expired it will try to retrieve a new token using the refresh token. If there are no requests to refresh the token for that session within 5 min the session will expire. Basically there's the minimum time you can get logged out after is 4 min (SSO Session Idle Timeout - Access Token Lifespan). > > ----- Original Message ----- >> From: "Joshua Bellamy-Henn" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, 11 September, 2014 7:22:44 AM >> Subject: [keycloak-user] Logged out of admin console after a short period of time >> >> Version: 1.0-final >> Setup: Keycloak behind a reverse proxy >> >> Currently after logging in to the Admin Console it seems that after 1-2 >> minute I am getting booted back to the login page. I am using default >> timeout settings so it's odd that I am getting kicked out before the 10 >> minute session timeout. 
>>
>> Checking the logs after this occurs, I am seeing the following warn:
>>
>> 2014-09-11 05:20:05,025 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-123) Failed executing GET /admin/realms/abc/applications/website/session-count: org.jboss.resteasy.spi.UnauthorizedException: Bearer
>> at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:153) [keycloak-services-1.0-final.jar:]
>> at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:184) [keycloak-services-1.0-final.jar:]
>> [remainder of the RESTEasy/Undertow stack trace omitted]
>>
>> Any ideas what's going wrong?
>>
>> Thanks,
>>
>> Josh
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Thu Sep 11 09:13:23 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 11 Sep 2014 09:13:23 -0400
Subject: [keycloak-user] Keycloak OpenShift Cartridge 1.0.final Released
In-Reply-To: <920894234.47463103.1410422481400.JavaMail.zimbra@redhat.com>
References: <920894234.47463103.1410422481400.JavaMail.zimbra@redhat.com>
Message-ID: <54119FF3.5050408@redhat.com>

Thank you. I forgot to ask you to do this.

On 9/11/2014 4:01 AM, Stian Thorgersen wrote:
> The Keycloak OpenShift Cartridge has been updated to 1.0.final
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Thu Sep 11 09:16:30 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 11 Sep 2014 09:16:30 -0400
Subject: [keycloak-user] Keycloak Docker 1.0-final
In-Reply-To: <54116781.2070509@kroehling.de>
References: <54116781.2070509@kroehling.de>
Message-ID: <5411A0AE.2050802@redhat.com>

Thank you.

On 9/11/2014 5:12 AM, Juraci Paixão Kröhling wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> The "latest" image on Docker for Keycloak is now at 1.0-final.
>
> https://registry.hub.docker.com/u/jboss/keycloak/builds_history/25016/
>
> - - Juca.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rodrigopsasaki at gmail.com Thu Sep 11 13:31:44 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 11 Sep 2014 14:31:44 -0300
Subject: [keycloak-user] Custom E-Mail provider
Message-ID:

Hello,

I wanted to keep the original SPIs untouched, so while doing this I created a new module to act as my e-mail provider, although the FreeMarkerEmailProvider keeps getting called as default.

Is there a place where I can define which EmailProvider I want to be used?

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/a190c607/attachment.html

From rodrigopsasaki at gmail.com Thu Sep 11 13:57:57 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 11 Sep 2014 14:57:57 -0300
Subject: [keycloak-user] Custom E-Mail provider
In-Reply-To:
References:
Message-ID:

I just saw that it needs to be set on keycloak-server.json

Thanks :)

On Thu, Sep 11, 2014 at 2:31 PM, Rodrigo Sasaki wrote:
> Hello,
>
> I wanted to keep the original SPIs untouched, so while doing this I created a new module to act as my e-mail provider, although the FreeMarkerEmailProvider keeps getting called as default.
>
> Is there a place where I can define which EmailProvider I want to be used?
>
> --
> Rodrigo Sasaki
>

--
Rodrigo Sasaki
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/b989bff5/attachment.html

From mposolda at redhat.com Thu Sep 11 14:00:05 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 11 Sep 2014 20:00:05 +0200
Subject: [keycloak-user] Custom E-Mail provider
In-Reply-To:
References:
Message-ID: <5411E325.3040306@redhat.com>

yes, you can go to your KEYCLOAK_HOME/standalone/configuration/keycloak-server.json (assuming you're using the wildfly appliance or WAR distribution) and change the line:

"email": {
    "provider": "freemarker"
},

to something like:

"email": {
    "provider": "foo"
},

where "foo" is the ID returned by your EmailProviderFactory.getId() implementation.

Marek

On 11.9.2014 19:31, Rodrigo Sasaki wrote:
> Hello,
>
> I wanted to keep the original SPIs untouched, so while doing this I created a new module to act as my e-mail provider, although the FreeMarkerEmailProvider keeps getting called as default.
>
> Is there a place where I can define which EmailProvider I want to be used?
>
> --
> Rodrigo Sasaki
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/20cf9679/attachment.html

From alarik at zwift.com Thu Sep 11 14:52:50 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Thu, 11 Sep 2014 14:52:50 -0400
Subject: [keycloak-user] Admin url for bearer-only applications
Message-ID:

I am not sure the Admin url is working for bearer-only applications, at least not on Wildfly.

I have set the admin url for my bearer-only applications just like I do for my confidential applications.
In both cases (they are both war file deployments running in Wildfly 8.0.0 Final) it is the context-root of the war file. When I log out the sessions from the keycloak admin console, the confidential applications hear about the logout, and will respond with a redirect, but the bearer-only ones reply with the protected resource instead of responding with a 401 like I would expect.

Is anyone else having trouble with this? There are no bearer-only resources in the preconfigured-demo realm file to check against...

BTW, I just verified that this was happening with Keycloak 1.0-final.

Thanks,

Alarik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140911/5728e660/attachment.html

From stian at redhat.com Fri Sep 12 05:23:59 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 12 Sep 2014 05:23:59 -0400 (EDT)
Subject: [keycloak-user] Admin url for bearer-only applications
In-Reply-To:
References:
Message-ID: <1542887112.48478410.1410513839353.JavaMail.zimbra@redhat.com>

Bearer-only applications don't manage user sessions, they simply authenticate based on the token in the request.

When a user logs out, the applications a user has directly logged in to (confidential or public) should drop the user session. Confidential apps do this with the request from the server, which will in turn invalidate the session in the app. Public apps (using keycloak.js) do this by detecting the logout from the session iframe.

You should obviously also have a short "Access Token Lifespan" configured for your realm, this makes sure that any tokens are quickly expired after a logout. As the user session is invalidated on the server, any associated refresh tokens will be expired as well, so it won't be possible for an app to retrieve a new token after the user has logged out.
----- Original Message -----
> From: "Alarik Myrin"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 11 September, 2014 8:52:50 PM
> Subject: [keycloak-user] Admin url for bearer-only applications
>
> I am not sure the Admin url is working for bearer-only applications, at least not on Wildfly.
>
> I have set the admin url for my bearer-only applications just like I do for my confidential applications. In both cases (they are both war file deployments running in Wildfly 8.0.0 Final) it is the context-root of the war file. When I log out the sessions from the keycloak admin console, the confidential applications hear about the logout, and will respond with a redirect, but the bearer-only ones reply with the protected resource instead of responding with a 401 like I would expect.
>
> Is anyone else having trouble with this? There are no bearer-only resources in the preconfigured-demo realm file to check against...
>
> BTW, I just verified that this was happening with Keycloak 1.0-final.
>
> Thanks,
>
> Alarik
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From alarik at zwift.com Fri Sep 12 07:04:39 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Fri, 12 Sep 2014 07:04:39 -0400
Subject: [keycloak-user] Admin url for bearer-only applications
In-Reply-To: <1542887112.48478410.1410513839353.JavaMail.zimbra@redhat.com>
References: <1542887112.48478410.1410513839353.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks Stian.

Then what is the purpose of the Admin URL when setting up the bearer-only application in the console? Perhaps it should be removed?

Or is there some way that the bearer-only application could still maintain a "has-logged-out" list (which it would find out about via the admin-url) against which to validate a token? Perhaps using timestamps, which presumably is how the token lifespan stuff is checked too?
On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen wrote:

> Bearer-only applications don't manage user sessions, they simply authenticate based on the token in the request.
>
> When a user logs out, the applications a user has directly logged in to (confidential or public) should drop the user session. Confidential apps do this with the request from the server, which will in turn invalidate the session in the app. Public apps (using keycloak.js) do this by detecting the logout from the session iframe.
>
> You should obviously also have a short "Access Token Lifespan" configured for your realm, this makes sure that any tokens are quickly expired after a logout. As the user session is invalidated on the server, any associated refresh tokens will be expired as well, so it won't be possible for an app to retrieve a new token after the user has logged out.
>
> ----- Original Message -----
> > From: "Alarik Myrin"
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 11 September, 2014 8:52:50 PM
> > Subject: [keycloak-user] Admin url for bearer-only applications
> >
> > I am not sure the Admin url is working for bearer-only applications, at least not on Wildfly.
> >
> > I have set the admin url for my bearer-only applications just like I do for my confidential applications. In both cases (they are both war file deployments running in Wildfly 8.0.0 Final) it is the context-root of the war file. When I log out the sessions from the keycloak admin console, the confidential applications hear about the logout, and will respond with a redirect, but the bearer-only ones reply with the protected resource instead of responding with a 401 like I would expect.
> >
> > Is anyone else having trouble with this? There are no bearer-only resources in the preconfigured-demo realm file to check against...
> >
> > BTW, I just verified that this was happening with Keycloak 1.0-final.
> >
> > Thanks,
> >
> > Alarik
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140912/4875e11f/attachment.html

From stian at redhat.com Fri Sep 12 07:12:21 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 12 Sep 2014 07:12:21 -0400 (EDT)
Subject: [keycloak-user] Admin url for bearer-only applications
In-Reply-To:
References: <1542887112.48478410.1410513839353.JavaMail.zimbra@redhat.com>
Message-ID: <384191375.48528644.1410520341486.JavaMail.zimbra@redhat.com>

The admin URL is used for other things as well; one which can be useful for bearer-only applications is pushing a not-before time (effectively invalidating any tokens generated prior to a specified time).

----- Original Message -----
> From: "Alarik Myrin"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 12 September, 2014 1:04:39 PM
> Subject: Re: [keycloak-user] Admin url for bearer-only applications
>
> Thanks Stian.
>
> Then what is the purpose of the Admin URL when setting up the bearer-only application in the console? Perhaps it should be removed?
>
> Or is there some way that the bearer-only application could still maintain a "has-logged-out" list (which it would find out about via the admin-url) against which to validate a token? Perhaps using timestamps, which presumably is how the token lifespan stuff is checked too?
>
>
>
> On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen wrote:
>
> > Bearer-only applications don't manage user sessions, they simply authenticate based on the token in the request.
> >
> > When a user logs out, the applications a user has directly logged in to (confidential or public) should drop the user session.
> > Confidential apps do this with the request from the server, which will in turn invalidate the session in the app. Public apps (using keycloak.js) do this by detecting the logout from the session iframe.
> >
> > You should obviously also have a short "Access Token Lifespan" configured for your realm, this makes sure that any tokens are quickly expired after a logout. As the user session is invalidated on the server, any associated refresh tokens will be expired as well, so it won't be possible for an app to retrieve a new token after the user has logged out.
> >
> > ----- Original Message -----
> > > From: "Alarik Myrin"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 11 September, 2014 8:52:50 PM
> > > Subject: [keycloak-user] Admin url for bearer-only applications
> > >
> > > I am not sure the Admin url is working for bearer-only applications, at least not on Wildfly.
> > >
> > > I have set the admin url for my bearer-only applications just like I do for my confidential applications. In both cases (they are both war file deployments running in Wildfly 8.0.0 Final) it is the context-root of the war file. When I log out the sessions from the keycloak admin console, the confidential applications hear about the logout, and will respond with a redirect, but the bearer-only ones reply with the protected resource instead of responding with a 401 like I would expect.
> > >
> > > Is anyone else having trouble with this? There are no bearer-only resources in the preconfigured-demo realm file to check against...
> > >
> > > BTW, I just verified that this was happening with Keycloak 1.0-final.
> > >
> > > Thanks,
> > >
> > > Alarik
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

From alarik at zwift.com Fri Sep 12 07:18:40 2014
From: alarik at zwift.com (Alarik Myrin)
Date: Fri, 12 Sep 2014 07:18:40 -0400
Subject: [keycloak-user] Admin url for bearer-only applications
In-Reply-To: <384191375.48528644.1410520341486.JavaMail.zimbra@redhat.com>
References: <1542887112.48478410.1410513839353.JavaMail.zimbra@redhat.com> <384191375.48528644.1410520341486.JavaMail.zimbra@redhat.com>
Message-ID:

OK, thanks for the clarification.

On Fri, Sep 12, 2014 at 7:12 AM, Stian Thorgersen wrote:

> The admin URL is used for other things as well; one which can be useful for bearer-only applications is pushing a not-before time (effectively invalidating any tokens generated prior to a specified time).
>
> ----- Original Message -----
> > From: "Alarik Myrin"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, 12 September, 2014 1:04:39 PM
> > Subject: Re: [keycloak-user] Admin url for bearer-only applications
> >
> > Thanks Stian.
> >
> > Then what is the purpose of the Admin URL when setting up the bearer-only application in the console? Perhaps it should be removed?
> >
> > Or is there some way that the bearer-only application could still maintain a "has-logged-out" list (which it would find out about via the admin-url) against which to validate a token? Perhaps using timestamps, which presumably is how the token lifespan stuff is checked too?
> >
> >
> >
> > On Fri, Sep 12, 2014 at 5:23 AM, Stian Thorgersen wrote:
> >
> > > Bearer-only applications don't manage user sessions, they simply authenticate based on the token in the request.
> > >
> > > When a user logs out, the applications a user has directly logged in to (confidential or public) should drop the user session. Confidential apps do this with the request from the server, which will in turn invalidate the session in the app. Public apps (using keycloak.js) do this by detecting the logout from the session iframe.
> > >
> > > You should obviously also have a short "Access Token Lifespan" configured for your realm, this makes sure that any tokens are quickly expired after a logout. As the user session is invalidated on the server, any associated refresh tokens will be expired as well, so it won't be possible for an app to retrieve a new token after the user has logged out.
> > >
> > > ----- Original Message -----
> > > > From: "Alarik Myrin"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, 11 September, 2014 8:52:50 PM
> > > > Subject: [keycloak-user] Admin url for bearer-only applications
> > > >
> > > > I am not sure the Admin url is working for bearer-only applications, at least not on Wildfly.
> > > >
> > > > I have set the admin url for my bearer-only applications just like I do for my confidential applications. In both cases (they are both war file deployments running in Wildfly 8.0.0 Final) it is the context-root of the war file. When I log out the sessions from the keycloak admin console, the confidential applications hear about the logout, and will respond with a redirect, but the bearer-only ones reply with the protected resource instead of responding with a 401 like I would expect.
> > > >
> > > > Is anyone else having trouble with this? There are no bearer-only resources in the preconfigured-demo realm file to check against...
> > > >
> > > > BTW, I just verified that this was happening with Keycloak 1.0-final.
> > > >
> > > > Thanks,
> > > >
> > > > Alarik
> > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140912/cf83fc82/attachment.html

From jerome.baton at drims.fr Fri Sep 12 12:16:28 2014
From: jerome.baton at drims.fr (Jérôme BATON - DRiMS)
Date: Fri, 12 Sep 2014 16:16:28 +0000
Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
Message-ID: <566573421BFABD41BF06FAF4E68BF00E016B6E@exbe-2010-f.ad.hosteam.fr>

Hello,

I know the Tomcat adapter is for v1.1 but I also saw it on github and there were some commits since aug19. (http://lists.jboss.org/pipermail/keycloak-user/2014-August/000717.html)

So far, I have to use Tomcat7 for the existing apps.

Q: Is there a release date for v1.1 ? for the adapter ?

Q: Could the team add a page about adapters (what do they do ? how to install them ? test them ?)

@Marc R
Prebuilt binaries can be found @ http://grepcode.com/snapshot/repo1.maven.org/maven2/org.keycloak/keycloak-tomcat7-adapter/1.0-beta-1

Thank you

Jerome
-------------- next part --------------
An HTML attachment was scrubbed...
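The "Admin url for bearer-only applications" thread above explains that a bearer-only app keeps no user session, so a logout never reaches it, and that the admin URL can instead push a not-before time that retires every token issued earlier. The following is an added example, not Keycloak's or any adapter's code: a stateless bearer-only verifier that applies the signature, expiry and not-before checks, with a constructed HS256 token format standing in for Keycloak's RSA-signed JWTs and `push_not_before` as an assumed name for the admin-URL handler.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed realm secret for the HS256 stand-in tokens below. Keycloak signs
# access tokens with the realm's RSA key pair; HMAC is used here only so the
# example runs offline without a key pair (assumption, not adapter code).
REALM_KEY = b"constructed-shared-secret-not-a-real-key"
ACCESS_TOKEN_LIFESPAN = 60  # seconds; the 1 min default quoted earlier in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, issued_at: int, key: bytes = REALM_KEY) -> str:
    """Mint a JWT-shaped access token with iat/exp claims (constructed format)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + ACCESS_TOKEN_LIFESPAN}
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


class BearerOnlyResource:
    """A bearer-only app holds no user session: every request is judged on the
    token it carries plus the realm not-before time last pushed to the app."""

    def __init__(self, key: bytes = REALM_KEY) -> None:
        self.key = key
        self.not_before = 0  # epoch seconds; 0 until the server pushes one

    def push_not_before(self, not_before: int) -> None:
        """Handler for the admin-URL push (method name is an assumption). The
        server pushes a realm-wide time; tokens issued before it are rejected."""
        self.not_before = max(self.not_before, not_before)

    def verify(self, token: str, now: int) -> tuple[bool, str]:
        """Return (accepted, reason). A logout never reaches this app, so only
        the signature, exp and not-before checks can reject a token."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        header, payload, signature = parts
        try:
            expected = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(signature)):
                return False, "bad signature"
            claims = json.loads(_b64url_decode(payload))
        except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
            return False, "malformed token"
        if now >= claims["exp"]:
            return False, "token expired"
        if claims["iat"] < self.not_before:
            return False, "issued before not-before"
        return True, "ok"


def walkthrough() -> list[tuple[str, bool, str]]:
    """Replay the thread's scenario: a logout the bearer-only app never hears
    about, then a not-before push that retires the old token."""
    app = BearerOnlyResource()
    old = issue_token("alice", issued_at=1000)
    results = [("fresh token", *app.verify(old, now=1030))]
    # The user logs out at t=1040. Nothing is delivered to the bearer-only app,
    # so the old token keeps working until its 1 min lifespan runs out.
    results.append(("after logout, before exp", *app.verify(old, now=1045)))
    results.append(("after exp", *app.verify(old, now=1060)))
    # The admin pushes not-before=1040 through the admin URL: the old token is
    # now rejected even inside its lifespan, while newly issued tokens pass.
    app.push_not_before(1040)
    results.append(("old token after push", *app.verify(old, now=1045)))
    results.append(("new token after push", *app.verify(issue_token("alice", 1050), now=1055)))
    results.append(("forged token", *app.verify(issue_token("alice", 1050, key=b"wrong"), now=1055)))
    return results


if __name__ == "__main__":
    for label, ok, reason in walkthrough():
        print(f"{label:26} -> {'accept' if ok else 'reject'} ({reason})")
```

Note that between the logout and the not-before push the old token is still accepted, which is exactly why the thread recommends a short Access Token Lifespan for realms that serve bearer-only apps.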
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140912/e63e4289/attachment.html

From stian at redhat.com Mon Sep 15 02:50:20 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 15 Sep 2014 02:50:20 -0400 (EDT)
Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
In-Reply-To: <566573421BFABD41BF06FAF4E68BF00E016B6E@exbe-2010-f.ad.hosteam.fr>
References: <566573421BFABD41BF06FAF4E68BF00E016B6E@exbe-2010-f.ad.hosteam.fr>
Message-ID: <1172362385.49490197.1410763820931.JavaMail.zimbra@redhat.com>

Hi,

We already have a Tomcat 7 adapter which is contributed by a member of our community. The remaining work is to do some testing and document it, which should be done for 1.1. We don't have a specific release date yet, but expect 1-2 months for the final.

In the meantime you can already use it, available here http://search.maven.org/#search|ga|1|a%3A%22keycloak-tomcat7-adapter%22, but I can't help you with how it's used atm.

----- Original Message -----
> From: "Jérôme BATON - DRiMS"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 12 September, 2014 6:16:28 PM
> Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
>
> Hello,
>
> I know the Tomcat adapter is for v1.1 but I also saw it on github and there were some commits since aug19. (http://lists.jboss.org/pipermail/keycloak-user/2014-August/000717.html)
>
> So far, I have to use Tomcat7 for the existing apps.
>
> Q: Is there a release date for v1.1 ? for the adapter ?
>
> Q: Could the team add a page about adapters (what do they do ? how to install them ? test them ?)
>
> @Marc R
> Prebuilt binaries can be found @ http://grepcode.com/snapshot/repo1.maven.org/maven2/org.keycloak/keycloak-tomcat7-adapter/1.0-beta-1
>
> Thank you
>
> Jerome
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jerome.baton at drims.fr Mon Sep 15 04:39:06 2014
From: jerome.baton at drims.fr (Jérôme BATON - DRiMS)
Date: Mon, 15 Sep 2014 08:39:06 +0000
Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
In-Reply-To: <1172362385.49490197.1410763820931.JavaMail.zimbra@redhat.com>
References: <566573421BFABD41BF06FAF4E68BF00E016B6E@exbe-2010-f.ad.hosteam.fr> <1172362385.49490197.1410763820931.JavaMail.zimbra@redhat.com>
Message-ID: <566573421BFABD41BF06FAF4E68BF00E016BD3@exbe-2010-f.ad.hosteam.fr>

Hi Stian,

Thank you for your answer.

Surprisingly, there is only one result for "adapter" on the website
https://www.google.fr/webhp?sourceid=chrome-instant&ion=1&espv=2&es_th=1&ie=UTF-8#q=adapter+%2Bsite:keycloak.jboss.org

But in the PDF, I can read that the WildFly adapter just needs to be unzipped in the WF_HOME.

Best regards,

Jérôme

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Monday, 15 September 2014 08:50
To: Jérôme BATON - DRiMS
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Tomcat 7 Adapter download and configuration

Hi,

We already have a Tomcat 7 adapter which is contributed by a member of our community. The remaining work is to do some testing and document it, which should be done for 1.1. We don't have a specific release date yet, but expect 1-2 months for the final.

In the meantime you can already use it, available here http://search.maven.org/#search|ga|1|a%3A%22keycloak-tomcat7-adapter%22, but I can't help you with how it's used atm.
----- Original Message -----
> From: "Jérôme BATON - DRiMS"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 12 September, 2014 6:16:28 PM
> Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
>
> Hello,
>
> I know the Tomcat adapter is for v1.1 but I also saw it on github and there were some commits since aug19. (http://lists.jboss.org/pipermail/keycloak-user/2014-August/000717.html)
>
> So far, I have to use Tomcat7 for the existing apps.
>
> Q: Is there a release date for v1.1 ? for the adapter ?
>
> Q: Could the team add a page about adapters (what do they do ? how to install them ? test them ?)
>
> @Marc R
> Prebuilt binaries can be found @ http://grepcode.com/snapshot/repo1.maven.org/maven2/org.keycloak/keycloak-tomcat7-adapter/1.0-beta-1
>
> Thank you
>
> Jerome
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Mon Sep 15 05:43:18 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 15 Sep 2014 05:43:18 -0400 (EDT)
Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
In-Reply-To: <566573421BFABD41BF06FAF4E68BF00E016BD3@exbe-2010-f.ad.hosteam.fr>
References: <566573421BFABD41BF06FAF4E68BF00E016B6E@exbe-2010-f.ad.hosteam.fr> <1172362385.49490197.1410763820931.JavaMail.zimbra@redhat.com> <566573421BFABD41BF06FAF4E68BF00E016BD3@exbe-2010-f.ad.hosteam.fr>
Message-ID: <297610874.49571099.1410774198562.JavaMail.zimbra@redhat.com>

All our adapters are documented here http://docs.jboss.org/keycloak/docs/1.0-final/userguide/html/ch07.html. This includes the WildFly and JBoss AS adapters and the JavaScript adapter, but as I said the Tomcat adapter is not an official adapter yet, so there's no documentation for that.
----- Original Message -----
> From: "Jérôme BATON - DRiMS"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 15 September, 2014 10:39:06 AM
> Subject: RE: [keycloak-user] Tomcat 7 Adapter download and configuration
>
> Hi Stian,
>
> Thank you for your answer.
>
> Surprisingly, there is only one result for "adapter" on the website
> https://www.google.fr/webhp?sourceid=chrome-instant&ion=1&espv=2&es_th=1&ie=UTF-8#q=adapter+%2Bsite:keycloak.jboss.org
>
> But in the PDF, I can read that the WildFly adapter just needs to be unzipped in the WF_HOME.
>
> Best regards,
>
> Jérôme
>
> -----Original Message-----
> From: Stian Thorgersen [mailto:stian at redhat.com]
> Sent: Monday, 15 September 2014 08:50
> To: Jérôme BATON - DRiMS
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Tomcat 7 Adapter download and configuration
>
> Hi,
>
> We already have a Tomcat 7 adapter which is contributed by a member of our community. The remaining work is to do some testing and document it, which should be done for 1.1. We don't have a specific release date yet, but expect 1-2 months for the final.
>
> In the meantime you can already use it, available here http://search.maven.org/#search|ga|1|a%3A%22keycloak-tomcat7-adapter%22, but I can't help you with how it's used atm.
>
> ----- Original Message -----
> > From: "Jérôme BATON - DRiMS"
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 12 September, 2014 6:16:28 PM
> > Subject: [keycloak-user] Tomcat 7 Adapter download and configuration
> >
> > Hello,
> >
> > I know the Tomcat adapter is for v1.1 but I also saw it on github and there were some commits since aug19. (http://lists.jboss.org/pipermail/keycloak-user/2014-August/000717.html)
> >
> > So far, I have to use Tomcat7 for the existing apps.
> >
> > Q: Is there a release date for v1.1 ? for the adapter ?
> > > > > > > > Q: Could the team add a page about adapters (what do they do ? how to > > install them ? test them ?) > > > > @Marc R > > Prebuilt binaries can be found @ > > http://grepcode.com/snapshot/repo1.maven.org/maven2/org.keycloak/keycl > > oak-tomcat7-adapter/1.0-beta-1 > > > > > > Thank you > > > > Jerome > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Mon Sep 15 08:39:26 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 15 Sep 2014 08:39:26 -0400 Subject: [keycloak-user] Tomcat 7 Adapter download and configuration In-Reply-To: <297610874.49571099.1410774198562.JavaMail.zimbra@redhat.com> References: <566573421BFABD41BF06FAF4E68BF00E016B6E@exbe-2010-f.ad.hosteam.fr> <1172362385.49490197.1410763820931.JavaMail.zimbra@redhat.com> <566573421BFABD41BF06FAF4E68BF00E016BD3@exbe-2010-f.ad.hosteam.fr> <297610874.49571099.1410774198562.JavaMail.zimbra@redhat.com> Message-ID: <5416DDFE.3080605@redhat.com> The tomcat adapter is incomplete and I don't even believe it works. On 9/15/2014 5:43 AM, Stian Thorgersen wrote: > All our adapters are documented here http://docs.jboss.org/keycloak/docs/1.0-final/userguide/html/ch07.html. This includes the WildFly and JBoss AS adapters and the JavaScript adapter, but as I said the Tomcat adapter is not an official adapter yet, so there's no documentation for that. > > ----- Original Message ----- >> From: "J?r?me BATON - DRiMS" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Monday, 15 September, 2014 10:39:06 AM >> Subject: RE: [keycloak-user] Tomcat 7 Adapter download and configuration >> >> Hi Stian, >> >> Thank you for your answer. 
>> >> Surprisingly, there is only one result for "adapter" on the website >> https://www.google.fr/webhp?sourceid=chrome-instant&ion=1&espv=2&es_th=1&ie=UTF-8#q=adapter+%2Bsite:keycloak.jboss.org >> >> But in the PDF, I can read that the WildFly adapter just needs to be unzipped >> in the WF_HOME. >> >> Best regards, >> >> J?r?me >> >> -----Message d'origine----- >> De : Stian Thorgersen [mailto:stian at redhat.com] >> Envoy? : lundi 15 septembre 2014 08:50 >> ? : J?r?me BATON - DRiMS >> Cc : keycloak-user at lists.jboss.org >> Objet : Re: [keycloak-user] Tomcat 7 Adapter download and configuration >> >> Hi, >> >> We already have a Tomcat 7 adapter which is contributed by a member of our >> community. The remaining work is to do some testing and document it, which >> should be done for 1.1. We don't have a specific release date yet, but >> expect 1-2 months for the final. >> >> In the mean time you can already use it, available here >> http://search.maven.org/#search|ga|1|a%3A%22keycloak-tomcat7-adapter%22, but >> I can't help you with how it's used atm. >> >> ----- Original Message ----- >>> From: "J?r?me BATON - DRiMS" >>> To: keycloak-user at lists.jboss.org >>> Sent: Friday, 12 September, 2014 6:16:28 PM >>> Subject: [keycloak-user] Tomcat 7 Adapter download and configuration >>> >>> >>> >>> Hello, >>> >>> I know the Tomcat adapter is for v1.1 but I also saw it on github and >>> there was some commits since aug19. >>> (http://lists.jboss.org/pipermail/keycloak-user/2014-August/000717.htm >>> l) >>> >>> So far, I have to use Tomcat7 for the existing apps. >>> >>> >>> >>> >>> >>> >>> Q: Is there a release date for v1.1 ? for the adapter ? >>> >>> >>> >>> Q: Could the team add a page about adapters (what do they do ? how to >>> install them ? test them ?) 
>>> >>> @Marc R >>> Prebuilt binaries can be found @ >>> http://grepcode.com/snapshot/repo1.maven.org/maven2/org.keycloak/keycl >>> oak-tomcat7-adapter/1.0-beta-1 >>> >>> >>> Thank you >>> >>> Jerome >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Sep 15 10:47:26 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 15 Sep 2014 10:47:26 -0400 Subject: [keycloak-user] FYI: FreeOTP works OOTB Message-ID: <5416FBFE.306@redhat.com> Just tried FreeOTP. It supports the same QR barcodes as Google Authenticator and works OOTB with keycloak. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From alarik at zwift.com Tue Sep 16 06:25:40 2014 From: alarik at zwift.com (Alarik Myrin) Date: Tue, 16 Sep 2014 06:25:40 -0400 Subject: [keycloak-user] SSO Session Max Lifespan Secret Maximum Value Message-ID: I was playing with the SSO Session Max Lifespan, and noticed that if I set it to a very large value, like 10000 Days, that I could no longer log in to the realm, but the admin console did not validate the input in any way, so I don't know what the secret maximum value is. 1000 Days seems to be OK. 10000 Days is not. Should I book something in Jira for this? -------------- next part -------------- An HTML attachment was scrubbed... 
From stian at redhat.com Tue Sep 16 06:33:48 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 16 Sep 2014 06:33:48 -0400 (EDT)
Subject: [keycloak-user] SSO Session Max Lifespan Secret Maximum Value
In-Reply-To:
References:
Message-ID: <1122930028.50282334.1410863628575.JavaMail.zimbra@redhat.com>

Please create a jira. IMO we should add a max value for these, and 1000 days should be enough for anyone.

----- Original Message -----
> From: "Alarik Myrin"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 16 September, 2014 12:25:40 PM
> Subject: [keycloak-user] SSO Session Max Lifespan Secret Maximum Value
>
> I was playing with the SSO Session Max Lifespan, and noticed that if I set it
> to a very large value, like 10000 Days, I could no longer log in to the
> realm, but the admin console did not validate the input in any way, so I
> don't know what the secret maximum value is. 1000 Days seems to be OK. 10000
> Days is not.
>
> Should I book something in Jira for this?

From rodrigopsasaki at gmail.com Tue Sep 16 08:40:40 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 16 Sep 2014 09:40:40 -0300
Subject: [keycloak-user] Send parameter back after registration
Message-ID:

Hello,

I was wondering if there is a way for me to send a parameter back to my server after a new user registers in Keycloak.

For example, we have a checkbox that the user can check if he wants to receive the newsletter from our website, and I wanted to send that value back to us.

I tried setting it as a query parameter on the redirect_uri param; it gets sent on the request, but it isn't posted back to us.

Is there a defined way to accomplish this?

Thank you again!

--
Rodrigo Sasaki

From stian at redhat.com Tue Sep 16 08:49:38 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 16 Sep 2014 08:49:38 -0400 (EDT)
Subject: [keycloak-user] Send parameter back after registration
In-Reply-To:
References:
Message-ID: <151559136.50336870.1410871778831.JavaMail.zimbra@redhat.com>

Is the checkbox on your website and you add it to the redirect_uri as a query param? If so it should be included in the url Keycloak redirects to after login.

One feature that we want to add is to be able to customize the attributes for the users' profiles, as well as configure which are shown on the registration screen. Not sure when we'll have time to add that though.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 16 September, 2014 2:40:40 PM
> Subject: [keycloak-user] Send parameter back after registration
>
> Hello,
>
> I was wondering if there is a way for me to send a parameter back to my
> server after a new user registers in Keycloak.
>
> For example, we have a checkbox that the user can check if he wants to
> receive the newsletter from our website, and I wanted to send that value back to
> us.
>
> I tried setting it as a query parameter on the redirect_uri param; it gets
> sent on the request, but it isn't posted back to us.
>
> Is there a defined way to accomplish this?
>
> Thank you again!
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Tue Sep 16 08:56:12 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 16 Sep 2014 09:56:12 -0300
Subject: [keycloak-user] Send parameter back after registration
In-Reply-To: <151559136.50336870.1410871778831.JavaMail.zimbra@redhat.com>
References: <151559136.50336870.1410871778831.JavaMail.zimbra@redhat.com>
Message-ID:

We actually added the checkbox on our login.ftl, with our own theme customizations, and we wanted to send that value back when Keycloak redirects back to our application.

On Tue, Sep 16, 2014 at 9:49 AM, Stian Thorgersen wrote:

> Is the checkbox on your website and you add it to the redirect_uri as a
> query param? If so it should be included in the url Keycloak redirects to
> after login.
>
> One feature that we want to add is to be able to customize the attributes
> for the users' profiles, as well as configure which are shown on the
> registration screen. Not sure when we'll have time to add that though.
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 16 September, 2014 2:40:40 PM
> > Subject: [keycloak-user] Send parameter back after registration
> >
> > Hello,
> >
> > I was wondering if there is a way for me to send a parameter back to my
> > server after a new user registers in Keycloak.
> >
> > For example, we have a checkbox that the user can check if he wants to
> > receive the newsletter from our website, and I wanted to send that value
> > back to us.
> >
> > I tried setting it as a query parameter on the redirect_uri param; it
> > gets sent on the request, but it isn't posted back to us.
> >
> > Is there a defined way to accomplish this?
> >
> > Thank you again!
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki

From stian at redhat.com Tue Sep 16 09:09:51 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 16 Sep 2014 09:09:51 -0400 (EDT)
Subject: [keycloak-user] Send parameter back after registration
In-Reply-To:
References: <151559136.50336870.1410871778831.JavaMail.zimbra@redhat.com>
Message-ID: <1341683055.50356593.1410872991343.JavaMail.zimbra@redhat.com>

How do you then set it as "query parameter on the redirect_uri param"? The redirect_uri is part of the form action url, not the form data.

Currently, I think your options are:

1. You can use JavaScript to add the checkbox value to the form action before submitting the form
2. Modify TokenService and build your own KC to have TokenService.processLogin extract the checkbox value from the form data and add it to redirect_uri
3. Wait until we add customization of user profiles and the registration form
4. Display a separate registration form on your app when a user first logs in

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 16 September, 2014 2:56:12 PM
> Subject: Re: [keycloak-user] Send parameter back after registration
>
> We actually added the checkbox on our login.ftl, with our own theme
> customizations, and we wanted to send that value back when Keycloak
> redirects back to our application.
>
> On Tue, Sep 16, 2014 at 9:49 AM, Stian Thorgersen wrote:
>
> > Is the checkbox on your website and you add it to the redirect_uri as a
> > query param? If so it should be included in the url Keycloak redirects to
> > after login.
> >
> > One feature that we want to add is to be able to customize the attributes
> > for the users' profiles, as well as configure which are shown on the
> > registration screen. Not sure when we'll have time to add that though.
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, 16 September, 2014 2:40:40 PM
> > > Subject: [keycloak-user] Send parameter back after registration
> > >
> > > Hello,
> > >
> > > I was wondering if there is a way for me to send a parameter back to my
> > > server after a new user registers in Keycloak.
> > >
> > > For example, we have a checkbox that the user can check if he wants to
> > > receive the newsletter from our website, and I wanted to send that value
> > > back to us.
> > >
> > > I tried setting it as a query parameter on the redirect_uri param; it
> > > gets sent on the request, but it isn't posted back to us.
> > >
> > > Is there a defined way to accomplish this?
> > >
> > > Thank you again!
> > >
> > > --
> > > Rodrigo Sasaki
>
> --
> Rodrigo Sasaki

From rodrigopsasaki at gmail.com Tue Sep 16 09:11:48 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Tue, 16 Sep 2014 10:11:48 -0300
Subject: [keycloak-user] Send parameter back after registration
In-Reply-To: <1341683055.50356593.1410872991343.JavaMail.zimbra@redhat.com>
References: <151559136.50336870.1410871778831.JavaMail.zimbra@redhat.com> <1341683055.50356593.1410872991343.JavaMail.zimbra@redhat.com>
Message-ID:

Yeah, what I actually did was the 1st choice: we added it to the form action via JavaScript, but somehow the value doesn't get returned, only the redirect_uri without any query params. I think I'll have to go with your 2nd option.

On Tue, Sep 16, 2014 at 10:09 AM, Stian Thorgersen wrote:

> How do you then set it as "query parameter on the redirect_uri param"? The
> redirect_uri is part of the form action url, not the form data.
>
> Currently, I think your options are:
>
> 1. You can use JavaScript to add the checkbox value to the form action
> before submitting the form
> 2. Modify TokenService and build your own KC to have
> TokenService.processLogin extract the checkbox value from the form data and
> add it to redirect_uri
> 3. Wait until we add customization of user profiles and the registration form
> 4. Display a separate registration form on your app when a user first
> logs in
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 16 September, 2014 2:56:12 PM
> > Subject: Re: [keycloak-user] Send parameter back after registration
> >
> > We actually added the checkbox on our login.ftl, with our own theme
> > customizations, and we wanted to send that value back when Keycloak
> > redirects back to our application.
> >
> > On Tue, Sep 16, 2014 at 9:49 AM, Stian Thorgersen wrote:
> >
> > > Is the checkbox on your website and you add it to the redirect_uri as a
> > > query param? If so it should be included in the url Keycloak redirects
> > > to after login.
> > >
> > > One feature that we want to add is to be able to customize the
> > > attributes for the users' profiles, as well as configure which are shown
> > > on the registration screen. Not sure when we'll have time to add that
> > > though.
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, 16 September, 2014 2:40:40 PM
> > > > Subject: [keycloak-user] Send parameter back after registration
> > > >
> > > > Hello,
> > > >
> > > > I was wondering if there is a way for me to send a parameter back to
> > > > my server after a new user registers in Keycloak.
> > > >
> > > > For example, we have a checkbox that the user can check if he wants
> > > > to receive the newsletter from our website, and I wanted to send that
> > > > value back to us.
> > > >
> > > > I tried setting it as a query parameter on the redirect_uri param; it
> > > > gets sent on the request, but it isn't posted back to us.
> > > >
> > > > Is there a defined way to accomplish this?
> > > >
> > > > Thank you again!
> > > >
> > > > --
> > > > Rodrigo Sasaki
> >
> > --
> > Rodrigo Sasaki

--
Rodrigo Sasaki

From ivan at akvo.org Thu Sep 18 04:59:29 2014
From: ivan at akvo.org (Iván Perdomo)
Date: Thu, 18 Sep 2014 10:59:29 +0200
Subject: [keycloak-user] OpenID Connect support
Message-ID: <20140918105929.14b478d9@akvo.org>

Hi all,

I'm looking for an SSO solution that can help me with the need of having a single set of user credentials for several applications (Web and mobile - Android).

Looking at the list of features in Keycloak I see that there is support for OpenID Connect. I would like to know your opinion on whether Keycloak could be used for handling SSO on several applications built on different technology stacks, e.g. Wordpress [1], Django Web app [2], Android [3], Java.

[1] https://github.com/jumbojett/Wordpress-OpenID-Connect-Login
[2] https://github.com/intelie/django-oidc-auth
[3] https://github.com/learning-layers/android-openid-connect-sample

Thanks,

--
Iván

From rodrigopsasaki at gmail.com Thu Sep 18 09:36:33 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 18 Sep 2014 10:36:33 -0300
Subject: [keycloak-user] Authentication Provider
Message-ID:

Hello,

I was asked again to look into the AuthenticationProvider and I noticed that it doesn't exist anymore; is that correct?

Is there a new way now to implement a custom authenticator?

--
Rodrigo Sasaki

From jerome.baton at drims.fr Thu Sep 18 11:07:52 2014
From: jerome.baton at drims.fr (Jérôme BATON - DRiMS)
Date: Thu, 18 Sep 2014 15:07:52 +0000
Subject: [keycloak-user] Building K
Message-ID: <566573421BFABD41BF06FAF4E68BF00E016F4A@exbe-2010-f.ad.hosteam.fr>

Hi,

As I'm facing an issue with creating a user via the Java API, I wanted to modify a unit test before filing a bug.

I'm trying to build K on my desktop but all modules refer to a parent pom in the upper folder (the root of K). The pom is missing.

So, could you kindly point me to a way to build K.

Sorry if it's more of a Maven question but I think that something is missing there.

Thank you

From j.kamal at ymail.com Thu Sep 18 12:02:31 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Thu, 18 Sep 2014 09:02:31 -0700
Subject: [keycloak-user] Keycloak integration with Tomcat
Message-ID: <1411056151.17156.YahooMailNeo@web120206.mail.ne1.yahoo.com>

Hello Keycloak dev team,
Congratulations to you guys on your 1.0 final release; glad to see lots of great features & fixes made in this release.
All this while I was trying Keycloak with JBoss, but now I have a requirement to use Keycloak with Tomcat. In the Reference guide it was mentioned that it is just Maven pom work. Looking for some directions from you guys to make Tomcat integration possible.

Please advise.

Best
Kamal

From bburke at redhat.com Thu Sep 18 12:06:21 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 18 Sep 2014 12:06:21 -0400
Subject: [keycloak-user] Keycloak integration with Tomcat
In-Reply-To: <1411056151.17156.YahooMailNeo@web120206.mail.ne1.yahoo.com>
References: <1411056151.17156.YahooMailNeo@web120206.mail.ne1.yahoo.com>
Message-ID: <541B02FD.9060003@redhat.com>

You need to run the server on tomcat? Or the adapter/client?

On 9/18/2014 12:02 PM, Kamal Jagadevan wrote:
> Hello Keycloak dev team,
> Congratulations to you guys on your 1.0 final release; glad to
> see lots of great features & fixes made in this release.
> All this while I was trying Keycloak with JBoss, but now I have a
> requirement to use Keycloak with Tomcat. In the Reference guide it was
> mentioned that it is just Maven pom work. Looking for some directions from
> you guys to make Tomcat integration possible.
>
> Please advise.
>
> Best
> Kamal

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From j.kamal at ymail.com Thu Sep 18 12:33:24 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Thu, 18 Sep 2014 09:33:24 -0700
Subject: [keycloak-user] Keycloak integration with Tomcat
Message-ID: <1411058004.3088.YahooMailNeo@web120204.mail.ne1.yahoo.com>

Hello Bill,
As our application is running in Tomcat, I would like to run the adapter/client in Tomcat.

Thanks
Kamal

You need to run the server on tomcat? Or the adapter/client?

On 9/18/2014 12:02 PM, Kamal Jagadevan wrote:
> Hello Keycloak dev team,
> Congratulations to you guys on your 1.0 final release; glad to
> see lots of great features & fixes made in this release.
> All this while I was trying Keycloak with JBoss, but now I have a
> requirement to use Keycloak with Tomcat. In the Reference guide it was
> mentioned that it is just Maven pom work. Looking for some directions from
> you guys to make Tomcat integration possible.
>
> Please advise.
>
> Best
> Kamal

--
Bill Burke
JBoss, a division of Red Hat
From mposolda at redhat.com Thu Sep 18 12:59:30 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 18 Sep 2014 18:59:30 +0200
Subject: [keycloak-user] Authentication Provider
In-Reply-To:
References:
Message-ID: <541B0F72.5070301@redhat.com>

Hi,

it doesn't exist anymore. You can use the UserFederationProvider SPI instead of it now: http://docs.jboss.org/keycloak/docs/1.0-final/userguide/html/user_federation.html, which is more complex, but more powerful. It allows you to plug in your user DB and fully use your users in Keycloak, and also to sync your users from an external DB into the local Keycloak DB (even those which weren't previously authenticated; AuthenticationProvider synced just the users which authenticated at least once to Keycloak).

Marek

On 18.9.2014 15:36, Rodrigo Sasaki wrote:
> Hello,
>
> I was asked again to look into the AuthenticationProvider and I
> noticed that it doesn't exist anymore; is that correct?
>
> Is there a new way now to implement a custom authenticator?
>
> --
> Rodrigo Sasaki

From stian at redhat.com Thu Sep 18 13:02:27 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Sep 2014 13:02:27 -0400 (EDT)
Subject: [keycloak-user] Building K
In-Reply-To: <566573421BFABD41BF06FAF4E68BF00E016F4A@exbe-2010-f.ad.hosteam.fr>
References: <566573421BFABD41BF06FAF4E68BF00E016F4A@exbe-2010-f.ad.hosteam.fr>
Message-ID: <2036328108.51870326.1411059747036.JavaMail.zimbra@redhat.com>

As long as you have the Java SDK, Maven and Git installed it's just a matter of:

    git clone https://github.com/keycloak/keycloak.git
    cd keycloak
    mvn clean install

And if you want to build the distribution as well run:

    mvn clean install -Pdistribution

----- Original Message -----
> From: "Jérôme BATON - DRiMS"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 18 September, 2014 5:07:52 PM
> Subject: [keycloak-user] Building K
>
> Hi,
>
> As I'm facing an issue with creating a user via the Java API, I wanted to modify
> a unit test before filing a bug.
>
> I'm trying to build K on my desktop but all modules refer to a parent pom in
> the upper folder (the root of K). The pom is missing.
>
> So, could you kindly point me to a way to build K.
>
> Sorry if it's more of a Maven question but I think that something is missing
> there.
>
> Thank you

From mposolda at redhat.com Thu Sep 18 13:02:30 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 18 Sep 2014 19:02:30 +0200
Subject: [keycloak-user] Building K
In-Reply-To: <566573421BFABD41BF06FAF4E68BF00E016F4A@exbe-2010-f.ad.hosteam.fr>
References: <566573421BFABD41BF06FAF4E68BF00E016F4A@exbe-2010-f.ad.hosteam.fr>
Message-ID: <541B1026.4000306@redhat.com>

Hi,

I think that those 3 commands:

    $ git clone https://github.com/keycloak/keycloak.git
    $ cd keycloak
    $ mvn clean install

should be fine to build keycloak. You may need Java 7 (or later) and Maven 3 (I have maven 3.1.1 and am not seeing issues).

On 18.9.2014 17:07, Jérôme BATON - DRiMS wrote:
>
> Hi,
>
> As I'm facing an issue with creating a user via the Java API, I wanted to
> modify a unit test before filing a bug.
>
> I'm trying to build K on my desktop but all modules refer to a parent
> pom in the upper folder (the root of K). The pom is missing.
>
> So, could you kindly point me to a way to build K.
>
> Sorry if it's more of a Maven question but I think that something is
> missing there.
>
> Thank you

From stian at redhat.com Thu Sep 18 13:05:37 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Sep 2014 13:05:37 -0400 (EDT)
Subject: [keycloak-user] Keycloak integration with Tomcat
In-Reply-To: <1411058004.3088.YahooMailNeo@web120204.mail.ne1.yahoo.com>
References: <1411058004.3088.YahooMailNeo@web120204.mail.ne1.yahoo.com>
Message-ID: <579940849.51873988.1411059937261.JavaMail.zimbra@redhat.com>

We have a Tomcat adapter, but it's contributed by someone in the community and we haven't tried it ourselves yet. It needs testing and documentation. I believe it works though, so you can give it a go if you'd like: http://search.maven.org/#artifactdetails|org.keycloak|keycloak-tomcat7-adapter|1.0-final|jar

----- Original Message -----
> From: "Kamal Jagadevan"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 18 September, 2014 6:33:24 PM
> Subject: Re: [keycloak-user] Keycloak integration with Tomcat
>
> Hello Bill,
> As our application is running in Tomcat, I would like to run the
> adapter/client in Tomcat.
>
> Thanks
> Kamal
>
> You need to run the server on tomcat? Or the adapter/client?
>
> On 9/18/2014 12:02 PM, Kamal Jagadevan wrote:
> > Hello Keycloak dev team,
> > Congratulations to you guys on your 1.0 final release; glad to
> > see lots of great features & fixes made in this release.
> > All this while I was trying Keycloak with JBoss, but now I have a
> > requirement to use Keycloak with Tomcat. In the Reference guide it was
> > mentioned that it is just Maven pom work. Looking for some directions from
> > you guys to make Tomcat integration possible.
> >
> > Please advise.
> >
> > Best
> > Kamal
>
> --
> Bill Burke
> JBoss, a division of Red Hat

From stian at redhat.com Thu Sep 18 13:11:41 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Sep 2014 13:11:41 -0400 (EDT)
Subject: [keycloak-user] Building K
In-Reply-To: <541B1026.4000306@redhat.com>
References: <566573421BFABD41BF06FAF4E68BF00E016F4A@exbe-2010-f.ad.hosteam.fr> <541B1026.4000306@redhat.com>
Message-ID: <392883026.51879329.1411060301798.JavaMail.zimbra@redhat.com>

How's that for community support, two answers within 3 seconds of each other :)

----- Original Message -----
> From: "Marek Posolda"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 18 September, 2014 7:02:30 PM
> Subject: Re: [keycloak-user] Building K
>
> Hi,
>
> I think that those 3 commands:
>
> $ git clone https://github.com/keycloak/keycloak.git
> $ cd keycloak
> $ mvn clean install
>
> should be fine to build keycloak. You may need Java 7 (or later) and Maven 3
> (I have maven 3.1.1 and am not seeing issues).
>
> On 18.9.2014 17:07, Jérôme BATON - DRiMS wrote:
>
> Hi,
>
> As I'm facing an issue with creating a user via the Java API, I wanted to modify
> a unit test before filing a bug.
>
> I'm trying to build K on my desktop but all modules refer to a parent pom in
> the upper folder (the root of K). The pom is missing.
>
> So, could you kindly point me to a way to build K.
>
> Sorry if it's more of a Maven question but I think that something is missing
> there.
>
> Thank you

From stian at redhat.com Thu Sep 18 13:49:56 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Sep 2014 13:49:56 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.0.1 Final Released
In-Reply-To: <346688931.51908088.1411062563779.JavaMail.zimbra@redhat.com>
Message-ID: <283645111.51908422.1411062596314.JavaMail.zimbra@redhat.com>

We're releasing a few minor fixes and improvements before we start work on SAML and Clustering. For the complete list of fixes and improvements go to https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20AND%20fixVersion%20%3D%201.0.1.Final%20AND%20resolution%20%3D%20Done

From rodrigopsasaki at gmail.com Thu Sep 18 18:13:05 2014
From: rodrigopsasaki at gmail.com (Rodrigo Sasaki)
Date: Thu, 18 Sep 2014 19:13:05 -0300
Subject: [keycloak-user] Opening Transactions
Message-ID:

Hello,

I have created some custom endpoints for my project, and in one of them I need to use multiple transactions on a single request.

I ran into some issues: even though I call session.getTransaction().begin(), it didn't work correctly, saying that I didn't have an open transaction.

I looked a little deeper and saw that there are 2 lists of transactions inside org.keycloak.services.DefaultKeycloakTransactionManager. One is called *transactions* and the other is *afterCompletion*. When commit() is called, both lists are traversed, committing every single transaction in them, but when begin() is called, only the *transactions* list is traversed, and the one I needed was inside *afterCompletion*, which remained closed.

Is this supposed to be this way?
I'm not sure what these lists do, but maybe the other one should be opened too.

Is there a problem with opening the transactions on the *afterCompletion* list as well?

Thanks!

--
Rodrigo Sasaki

From pmadden at tomsawyer.com Fri Sep 19 02:14:34 2014
From: pmadden at tomsawyer.com (Patrick V. Madden)
Date: Thu, 18 Sep 2014 23:14:34 -0700 (PDT)
Subject: [keycloak-user] Missing logo-example theme causes failure on 1.0.1.Final
Message-ID: <1630407969.256731.1411107274768.JavaMail.zimbra@tomsawyer.com>

Hi,

I had keycloak-appliance-dist-all-1.0-final on a Debian VM. Haven't done much to it yet, so I decided to upgrade to 1.0.1.Final.

I did a full install. Redid my SSL, datasource and driver changes to standalone.xml etc. to support http + mysql. I did not modify my database at all. It is a mysql instance running on a remote server.

I got the following error, which caused the browser to show "server error":

22:56:05,063 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /auth/realms/master/tokens/login: java.lang.RuntimeException: request path: /auth/realms/master/tokens/login
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.0.1.Final.jar:]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: login theme 'logo-example' not found
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0.1.Final.jar:]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.0.1.Final.jar:]
    ... 30 more
Caused by: java.lang.RuntimeException: login theme 'logo-example' not found
    at org.keycloak.freemarker.ExtendingThemeManager.findTheme(ExtendingThemeManager.java:151) [keycloak-forms-common-freemarker-1.0.1.Final.jar:]
    at org.keycloak.freemarker.ExtendingThemeManager.loadTheme(ExtendingThemeManager.java:91) [keycloak-forms-common-freemarker-1.0.1.Final.jar:]
    at org.keycloak.freemarker.ExtendingThemeManager.getTheme(ExtendingThemeManager.java:79) [keycloak-forms-common-freemarker-1.0.1.Final.jar:]
    at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:158) [keycloak-login-freemarker-1.0.1.Final.jar:]
    at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createLogin(FreeMarkerLoginFormsProvider.java:230) [keycloak-login-freemarker-1.0.1.Final.jar:]
    at org.keycloak.services.resources.TokenService.loginPage(TokenService.java:987) [keycloak-services-1.0.1.Final.jar:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.8.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.8.Final.jar:]
    ... 41 more

Using MySQL Workbench I modified my two realms' LOGIN_THEME column to instead be "keycloak". Applied my changes and restarted the wildfly service. All was well again!

A small note: on my 1.0.final install, I had changed the logo image on the logo-example theme for login to use my company's logo. I fully intend to implement my own, but this was just for demonstration purposes to management.

However, should a missing theme really cause such a catastrophic failure? Or should it drop to keycloak by default? In hindsight, I realize I could have just copied it in from the previous install. Just thought you might like to know about it.

Again, love the work you all have done.

From stian at redhat.com Fri Sep 19 03:35:17 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 19 Sep 2014 03:35:17 -0400 (EDT)
Subject: [keycloak-user] Opening Transactions
In-Reply-To:
References:
Message-ID: <697066874.52206657.1411112117846.JavaMail.zimbra@redhat.com>

Can you show me a code snippet of what's not working? Also the error message/stack trace you're getting?

afterCompletion is used mainly to invalidate the cache after the transaction has been committed successfully, so there shouldn't really be anything listed there.

----- Original Message -----
> From: "Rodrigo Sasaki"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 19 September, 2014 12:13:05 AM
> Subject: [keycloak-user] Opening Transactions
>
> Hello,
>
> I have created some custom endpoints for my project, and in one of them I
> need to use multiple transactions on a single request.
> I ran into some
> issues, even though I call
>
> session.getTransaction().begin()
>
> It didn't work correctly, saying that I didn't have an opened transaction. I
> looked a little deeper and saw that there are 2 lists of transactions inside
> org.keycloak.services.DefaultKeycloakTransactionManager.
>
> One is called transactions and the other is afterCompletion.
>
> When commit() is called, both lists are traversed, committing every single
> transaction in them, but when begin() is called, only the transactions list
> is traversed, and the one I needed was inside afterCompletion, which
> remained closed.
>
> Is this supposed to be this way? I'm not sure what these lists do, but maybe
> the other one should be opened too.
>
> Is there a problem with opening the transactions on the afterCompletion list as
> well?
>
> Thanks!
>
> --
> Rodrigo Sasaki
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Sep 19 03:47:14 2014
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 19 Sep 2014 09:47:14 +0200
Subject: [keycloak-user] Opening Transactions
In-Reply-To:
References:
Message-ID: <541BDF82.3090705@redhat.com>

Hello,

atm we don't support multiple transactions for the same session. If we ever support it, we will need to traverse the "afterCompletion" list in DefaultKeycloakTransactionManager.begin (and also similarly in DefaultKeycloakTransactionManager.isRollbackOnly()). Maybe you can create a JIRA and we can take a look later? Another thing is that all enlisted transactions would also need to support multiple transactions per session (for example in the case of JPA it is multiple transactions per single EntityManager, which JPA supports, but there might be some performance issues with it).

Note that until then, you can use the pattern where each transaction runs in its own KeycloakSession, so de facto multiple KeycloakSessions per request. If you already have any KeycloakSession you can retrieve the KeycloakSessionFactory with:

KeycloakSessionFactory factory = session.getKeycloakSessionFactory();

And then you can use for example KeycloakModelUtils.runJobInTransaction to use a separate KeycloakSession and transaction for your task. Does it work for your use case?

Marek

On 19.9.2014 00:13, Rodrigo Sasaki wrote:
> Hello,
>
> I have created some custom endpoints for my project, and in one of
> them I need to use multiple transactions on a single request. I ran
> into some issues, even though I call
>
> session.getTransaction().begin()
>
> It didn't work correctly, saying that I didn't have an opened
> transaction. I looked a little deeper and saw that there are 2 lists of
> transactions inside
> org.keycloak.services.DefaultKeycloakTransactionManager.
>
> One is called *transactions* and the other is *afterCompletion*.
>
> When commit() is called, both lists are traversed, committing every
> single transaction in them, but when begin() is called, only the
> *transactions* list is traversed, and the one I needed was inside
> *afterCompletion*, which remained closed.
>
> Is this supposed to be this way? I'm not sure what these lists do, but
> maybe the other one should be opened too.
>
> Is there a problem with opening the transactions on the *afterCompletion*
> list as well?
>
> Thanks!
>
> --
> Rodrigo Sasaki
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
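The pattern Marek describes in the reply above (one KeycloakSession per transaction, created from the request session's KeycloakSessionFactory and run through KeycloakModelUtils.runJobInTransaction), written out as an added example; it is not code from this thread or from the Keycloak project. Only session.getKeycloakSessionFactory() and runJobInTransaction appear in the message; the KeycloakSessionTask callback interface, the session.realms()/session.users() accessors and the model methods called inside the tasks are assumed, as is the helper's rollback of a transaction whose task throws.

```java
// Added example, not code from the keycloak-user thread or the Keycloak project.
// Shows Marek's pattern: one KeycloakSession per transaction, obtained from the
// request session's KeycloakSessionFactory and driven by
// KeycloakModelUtils.runJobInTransaction.
// Assumed (not shown in the thread): the KeycloakSessionTask callback type,
// session.realms()/session.users(), and the model methods used in the tasks.
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.KeycloakSessionTask;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/**
 * Helper for a custom endpoint that needs two independent commits in one
 * request. The request's own session is used only to reach the factory; the
 * actual work runs in fresh sessions, each with its own transaction.
 */
public class TwoStepUserSetup {

    private final KeycloakSessionFactory factory;

    public TwoStepUserSetup(KeycloakSession requestSession) {
        // Instead of calling requestSession.getTransaction().begin() a second
        // time on the request session, keep the factory and open new sessions.
        this.factory = requestSession.getKeycloakSessionFactory();
    }

    /** Step 1: create the user. The transaction commits when the task returns. */
    public void createUser(final String realmName, final String username) {
        KeycloakModelUtils.runJobInTransaction(factory, new KeycloakSessionTask() {
            @Override
            public void run(KeycloakSession session) {
                RealmModel realm = session.realms().getRealmByName(realmName);
                if (realm == null) {
                    // Throwing out of the task aborts this transaction only
                    // (rollback on exception is the helper behaviour assumed here).
                    throw new IllegalArgumentException("unknown realm: " + realmName);
                }
                session.users().addUser(realm, username);
            }
        });
    }

    /**
     * Step 2: enable the user in a second session and transaction. Step 1 is
     * already committed, so a failure here leaves the created user in place;
     * the caller must decide whether that partial state is acceptable.
     */
    public void enableUser(final String realmName, final String username) {
        KeycloakModelUtils.runJobInTransaction(factory, new KeycloakSessionTask() {
            @Override
            public void run(KeycloakSession session) {
                RealmModel realm = session.realms().getRealmByName(realmName);
                UserModel user = session.users().getUserByUsername(username, realm);
                if (user == null) {
                    throw new IllegalStateException("user missing between steps: " + username);
                }
                user.setEnabled(true);
            }
        });
    }

    /** Runs both steps; each commits (or rolls back) on its own. */
    public void run(String realmName, String username) {
        createUser(realmName, username);
        enableUser(realmName, username);
    }
}
```

From a custom JAX-RS endpoint this would be invoked as `new TwoStepUserSetup(session).run("master", "alice")`, with `session` being the KeycloakSession the request already has. The price of the per-session pattern is visible in the second step: the two units of work are not atomic together, so a caller that needs all-or-nothing semantics still has to do everything in one transaction.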
From stian at redhat.com Fri Sep 19 03:48:33 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 19 Sep 2014 03:48:33 -0400 (EDT)
Subject: [keycloak-user] Missing logo-example theme causes failure on 1.0.1.Final
In-Reply-To: <1630407969.256731.1411107274768.JavaMail.zimbra@tomsawyer.com>
References: <1630407969.256731.1411107274768.JavaMail.zimbra@tomsawyer.com>
Message-ID: <97540837.52219829.1411112913504.JavaMail.zimbra@redhat.com>

It was supposed to fall back to the 'base' theme, so this isn't expected behaviour. I've just confirmed that the same happens to me, so I created https://issues.jboss.org/browse/KEYCLOAK-701.

----- Original Message -----
> From: "Patrick V. Madden"
> To: "keycloack-users"
> Sent: Friday, 19 September, 2014 8:14:34 AM
> Subject: [keycloak-user] Missing logo-example theme causes failure on 1.0.1.Final
>
> Hi,
>
> I had keycloak-appliance-dist-all-1.0-final on a Debian VM. Haven't done much
> to it yet, so I decided to upgrade to 1.0.1.Final.
>
> I did a full install. Redid my SSL, datasource and driver changes to
> standalone.xml etc. to support http + mysql. I did not modify my database at
> all. It is a mysql instance running on a remote server.
>
> I got the following error, which caused the browser to show "server error":
>
> 22:56:05,063 ERROR [io.undertow.request] (default task-3) UT005023: Exception
> handling request to /auth/realms/master/tokens/login:
> java.lang.RuntimeException: request path: /auth/realms/master/tokens/login
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.0.1.Final.jar:]
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
>     at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> java.lang.RuntimeException: login theme 'logo-example' not found
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0.1.Final.jar:]
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.0.1.Final.jar:]
>     ... 30 more
> Caused by: java.lang.RuntimeException: login theme 'logo-example' not found
>     at org.keycloak.freemarker.ExtendingThemeManager.findTheme(ExtendingThemeManager.java:151) [keycloak-forms-common-freemarker-1.0.1.Final.jar:]
>     at org.keycloak.freemarker.ExtendingThemeManager.loadTheme(ExtendingThemeManager.java:91) [keycloak-forms-common-freemarker-1.0.1.Final.jar:]
>     at org.keycloak.freemarker.ExtendingThemeManager.getTheme(ExtendingThemeManager.java:79) [keycloak-forms-common-freemarker-1.0.1.Final.jar:]
>     at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:158) [keycloak-login-freemarker-1.0.1.Final.jar:]
>     at org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createLogin(FreeMarkerLoginFormsProvider.java:230) [keycloak-login-freemarker-1.0.1.Final.jar:]
>     at org.keycloak.services.resources.TokenService.loginPage(TokenService.java:987) [keycloak-services-1.0.1.Final.jar:]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_51]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_51]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_51]
>     at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_51]
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.8.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.8.Final.jar:]
>     ... 41 more
>
> Using MySQL Workbench I modified my two realms' LOGIN_THEME column to instead
> be "keycloak". Applied my changes and restarted the wildfly service. All was
> well again!
>
> A small note: on my 1.0.final install, I had changed the logo image on the
> logo-example theme for login to use my company's logo. I fully intend to
> implement my own, but this was just for demonstration purposes to management.
>
> However, should a missing theme really cause such a catastrophic failure? Or
> should it drop to keycloak by default? In hindsight, I realize I could have
> just copied it in from the previous install. Just thought you might like to know
> about it.
>
> Again, love the work you all have done.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Fri Sep 19 03:53:09 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 19 Sep 2014 03:53:09 -0400 (EDT)
Subject: [keycloak-user] Opening Transactions
In-Reply-To: <541BDF82.3090705@redhat.com>
References: <541BDF82.3090705@redhat.com>
Message-ID: <463911504.52221904.1411113189180.JavaMail.zimbra@redhat.com>

Multiple transactions work as long as they don't run in parallel. We have several tests that do this.

----- Original Message -----
> From: "Marek Posolda"
> To: "Rodrigo Sasaki" , keycloak-user at lists.jboss.org
> Sent: Friday, 19 September, 2014 9:47:14 AM
> Subject: Re: [keycloak-user] Opening Transactions
>
> Hello,
>
> atm we don't support multiple transactions for the same session.
If we would > ever support it, we will need to traverse the "afterCompletion" list in > DefaultKeycloakTransactionManager.begin (and also similarly in > DefaultKeycloakTransactionManager.isRollbackOnly() ). Maybe you can create > JIRA and we can take a look later? Another thing is that all enlisted > transactions would also need to support multiple transactions per session > (for example in case of JPA it is multiple transactions per single > EntityManager, which JPA supports, but there might be some performance > issues with it) > > Note that until than, you can use pattern where each transaction will run in > it's own KeycloakSession. So defacto multiple KeycloakSession per request. > If you already have any KeycloakSession you can retrieve > KeycloakSessionFactory with: > KeycloakSessionFactory factory = session.getKeycloakSessionFactory(); > > And then you can use for example: KeycloakModelUtils.runJobInTransaction to > use separate KeycloakSession and transaction for your task. Does it work for > your usecase? > > Marek > > On 19.9.2014 00:13, Rodrigo Sasaki wrote: > > > > Hello, > > I have created some custom endpoints for my project, and in one of them I > need to use multiple transactions on a single request. I ran into some > issues, even though I call > > session.getTransaction().begin() > > It didn't work correctly saying that I didn't have an opened transaction. I > look a little deeper and saw that there are 2 lists of transactions inside > org.keycloak.services.DefaultKeycloakTransactionManager. > > One is called transactions and the other is afterCompletion > > when commit() is called, both lists are traversed committing every single > transaction in them, but when begin() is called, only the transactions list > is traversed, and the one I needed was inside afterCompletion , which > remained closed. > > Is this supposed to be this way? I'm not sure what these lists do, but maybe > the other one should be opened too. 
> > Is there a problem on opening the transactions on afterCompletion list as > well? > > Thanks! > > -- > Rodrigo Sasaki > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Fri Sep 19 04:09:27 2014 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 19 Sep 2014 10:09:27 +0200 Subject: [keycloak-user] Opening Transactions In-Reply-To: <463911504.52221904.1411113189180.JavaMail.zimbra@redhat.com> References: <541BDF82.3090705@redhat.com> <463911504.52221904.1411113189180.JavaMail.zimbra@redhat.com> Message-ID: <541BE4B7.6010308@redhat.com> yes, but in tests we are using separate KeycloakSession for each transaction right? I think the case Rodrigo has is about multiple transactions per single KeycloakSession instance, which probably doesn't work atm . Question is if we really want to support such usecase or if we just stick with the pattern to always require KeycloakSession per transaction (not sure if it matters much) On 19.9.2014 09:53, Stian Thorgersen wrote: > Multiple transactions work as long as they don't run in parallel. We have several tests that do this. > > ----- Original Message ----- >> From: "Marek Posolda" >> To: "Rodrigo Sasaki" , keycloak-user at lists.jboss.org >> Sent: Friday, 19 September, 2014 9:47:14 AM >> Subject: Re: [keycloak-user] Opening Transactions >> >> Hello, >> >> atm we don't support multiple transactions for the same session. If we would >> ever support it, we will need to traverse the "afterCompletion" list in >> DefaultKeycloakTransactionManager.begin (and also similarly in >> DefaultKeycloakTransactionManager.isRollbackOnly() ). Maybe you can create >> JIRA and we can take a look later? 
Another thing is that all enlisted >> transactions would also need to support multiple transactions per session >> (for example in case of JPA it is multiple transactions per single >> EntityManager, which JPA supports, but there might be some performance >> issues with it) >> >> Note that until than, you can use pattern where each transaction will run in >> it's own KeycloakSession. So defacto multiple KeycloakSession per request. >> If you already have any KeycloakSession you can retrieve >> KeycloakSessionFactory with: >> KeycloakSessionFactory factory = session.getKeycloakSessionFactory(); >> >> And then you can use for example: KeycloakModelUtils.runJobInTransaction to >> use separate KeycloakSession and transaction for your task. Does it work for >> your usecase? >> >> Marek >> >> On 19.9.2014 00:13, Rodrigo Sasaki wrote: >> >> >> >> Hello, >> >> I have created some custom endpoints for my project, and in one of them I >> need to use multiple transactions on a single request. I ran into some >> issues, even though I call >> >> session.getTransaction().begin() >> >> It didn't work correctly saying that I didn't have an opened transaction. I >> look a little deeper and saw that there are 2 lists of transactions inside >> org.keycloak.services.DefaultKeycloakTransactionManager. >> >> One is called transactions and the other is afterCompletion >> >> when commit() is called, both lists are traversed committing every single >> transaction in them, but when begin() is called, only the transactions list >> is traversed, and the one I needed was inside afterCompletion , which >> remained closed. >> >> Is this supposed to be this way? I'm not sure what these lists do, but maybe >> the other one should be opened too. >> >> Is there a problem on opening the transactions on afterCompletion list as >> well? >> >> Thanks! 
>>
>> --
>> Rodrigo Sasaki
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Fri Sep 19 04:12:03 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 19 Sep 2014 04:12:03 -0400 (EDT)
Subject: [keycloak-user] Opening Transactions
In-Reply-To: <541BE4B7.6010308@redhat.com>
References: <541BDF82.3090705@redhat.com> <463911504.52221904.1411113189180.JavaMail.zimbra@redhat.com> <541BE4B7.6010308@redhat.com>
Message-ID: <2131127437.52231091.1411114323003.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Marek Posolda"
> To: "Stian Thorgersen"
> Cc: "Rodrigo Sasaki", keycloak-user at lists.jboss.org
> Sent: Friday, 19 September, 2014 10:09:27 AM
> Subject: Re: [keycloak-user] Opening Transactions
>
> Yes, but in tests we are using a separate KeycloakSession for each transaction, right? I think the case Rodrigo has is about multiple transactions per single KeycloakSession instance, which probably doesn't work atm.

Yeah, I think you're right.

> The question is whether we really want to support such a use case or whether we just stick with the pattern of always requiring a KeycloakSession per transaction (not sure if it matters much).

Nah, let's keep it how it is. Otherwise all providers would have to be able to deal with multiple transactions. At the moment it's nice and easy to implement a provider where you know an instance is only used for one request and transaction.

>
> On 19.9.2014 09:53, Stian Thorgersen wrote:
> > Multiple transactions work as long as they don't run in parallel. We have several tests that do this.
> >
> > ----- Original Message -----
> >> From: "Marek Posolda"
> >> To: "Rodrigo Sasaki", keycloak-user at lists.jboss.org
> >> Sent: Friday, 19 September, 2014 9:47:14 AM
> >> Subject: Re: [keycloak-user] Opening Transactions
> >>
> >> Hello,
> >>
> >> atm we don't support multiple transactions for the same session. If we were ever to support it, we would need to traverse the "afterCompletion" list in DefaultKeycloakTransactionManager.begin (and similarly in DefaultKeycloakTransactionManager.isRollbackOnly()). Maybe you can create a JIRA and we can take a look later? Another thing is that all enlisted transactions would also need to support multiple transactions per session (for example, in the case of JPA it is multiple transactions per single EntityManager, which JPA supports, but there might be some performance issues with it).
> >>
> >> Note that until then, you can use the pattern where each transaction runs in its own KeycloakSession, so de facto multiple KeycloakSessions per request. If you already have any KeycloakSession you can retrieve the KeycloakSessionFactory with:
> >>
> >>   KeycloakSessionFactory factory = session.getKeycloakSessionFactory();
> >>
> >> And then you can use, for example, KeycloakModelUtils.runJobInTransaction to use a separate KeycloakSession and transaction for your task. Does it work for your use case?
> >>
> >> Marek
> >>
> >> On 19.9.2014 00:13, Rodrigo Sasaki wrote:
> >>
> >> Hello,
> >>
> >> I have created some custom endpoints for my project, and in one of them I need to use multiple transactions on a single request. I ran into some issues, even though I call
> >>
> >>   session.getTransaction().begin()
> >>
> >> It didn't work correctly, saying that I didn't have an opened transaction. I looked a little deeper and saw that there are 2 lists of transactions inside org.keycloak.services.DefaultKeycloakTransactionManager.
> >>
> >> One is called transactions and the other is afterCompletion.
> >>
> >> When commit() is called, both lists are traversed, committing every single transaction in them, but when begin() is called, only the transactions list is traversed, and the one I needed was inside afterCompletion, which remained closed.
> >>
> >> Is this supposed to be this way? I'm not sure what these lists do, but maybe the other one should be opened too.
> >>
> >> Is there a problem on opening the transactions on the afterCompletion list as well?
> >>
> >> Thanks!
> >>
> >> --
> >> Rodrigo Sasaki
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

From juraci at kroehling.de  Fri Sep 19 04:34:35 2014
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 19 Sep 2014 10:34:35 +0200
Subject: [keycloak-user] Keycloak 1.0.1 Final Released
In-Reply-To: <283645111.51908422.1411062596314.JavaMail.zimbra@redhat.com>
References: <283645111.51908422.1411062596314.JavaMail.zimbra@redhat.com>
Message-ID: <541BEA9B.2090202@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 09/18/2014 07:49 PM, Stian Thorgersen wrote:
> We're releasing a few minor fixes and improvements before we start
> work on SAML and Clustering.

Docker image updated.

- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJUG+qbAAoJEDnJtskdmzLMbnAH/AoBvvxHBtWfjpjP6XUjLR2H
ALGwIZ7MVTISHBgJ5QV7aylCfpZE6ZOT0Kj1QqPAaKA8Cno7krenPixV58r2VC3t
zrc1bc3L9kopaojmIRnyJD//z0U4hGATJuu7LXzifmuEXVPmdBfa1NREcYD8ObhK
dZKEuilzzS3no3AzB5i2nZ035yqZjzBYby0QAc3AWPuRlNBi55b86U3HOOeZh56G
MpYyjLJ7JWB86iIeLXEogMd/AN/Z5hknn2E7Gtb0M5BEtoran1fB1rFInrRd1D89
FTlQpcniwvRpJ0xrtulyQnwePmCb2htMudAYXIXcYn1zUuDnLFZhQDvoKAZs1K4=
=GUj5
-----END PGP SIGNATURE-----

From Clifton.Lee at uftwf.org  Fri Sep 19 16:33:06 2014
From: Clifton.Lee at uftwf.org (Clifton Lee)
Date: Fri, 19 Sep 2014 20:33:06 +0000
Subject: [keycloak-user] RPMs
Message-ID: <1BA49D9525169A4D93AC895F9D513F162234353C@UFTWFEXMBX01.UFTMASTERAD.ORG>

Hi, I was wondering if there were any plans to release Keycloak as an rpm?

*******************************************************************************
The views, opinions, and judgments expressed in this message are solely those of the author. The message contents have not been reviewed or approved by the UFT Welfare Fund.
*******************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140919/c9cec809/attachment.html

From bburke at redhat.com  Fri Sep 19 16:45:27 2014
From: bburke at redhat.com (Bill Burke)
Date: Fri, 19 Sep 2014 16:45:27 -0400
Subject: [keycloak-user] RPMs
In-Reply-To: <1BA49D9525169A4D93AC895F9D513F162234353C@UFTWFEXMBX01.UFTMASTERAD.ORG>
References: <1BA49D9525169A4D93AC895F9D513F162234353C@UFTWFEXMBX01.UFTMASTERAD.ORG>
Message-ID: <541C95E7.6010206@redhat.com>

No. We don't have the time or resources yet to be able to do this.

On 9/19/2014 4:33 PM, Clifton Lee wrote:
> Hi, I was wondering if there were any plans to release Keycloak as an rpm?
>
> *******************************************************************************
> The views, opinions, and judgments expressed in this message are solely
> those of the author. The message contents have not been reviewed or
> approved by the UFT Welfare Fund.
> *******************************************************************************
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From conrad at mindless.com  Mon Sep 22 02:45:11 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Mon, 22 Sep 2014 07:45:11 +0100
Subject: [keycloak-user] 1.0.1 Problems & Questions
Message-ID: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com>

Hi all,

I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some serious issues.

First a question: when will keycloak-core 1.0.1 be available from Maven Central? I am having to use 1.0-final in my war - is that compatible with the 1.0.1 keycloak war, which is running on my server?

I upgraded by doing a complete wipe of the keycloak database and reinstalling 1.0.1 over my WildFly configuration. I am able to use the keycloak admin screens flawlessly.

Now onto my problem.

In 1.0.3-beta I used to have an access type bearer-only application which used the REST API to register and login users to keycloak.

After upgrading I have found that even if I set the application to be bearer-only, keycloak still throws an invalid redirect uri error whenever I try to use the REST end points (surely this should not happen with a bearer-only application). In order to fix this I have moved the application over to access type confidential (it is sitting on the same server as keycloak) - are there any pointers to the correct config for this in 1.0.1?
Basically my application is the backend to a mobile app that is using keycloak for access control - at the moment I am not allowed to use the keycloak login/register screens so must proxy it through the server. I am now able to register users using this configuration, but would prefer to go back to bearer-only.

I also have a Direct Grant Only client which I use for the mobile application itself. I am able to get an access token by using the TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server, but when I try to access a resource with that bearer token set in the header I am still getting an unauthorised response.

My application's keycloak.json looks like this

{
  "realm": "shift",
  "realm-public-key": "**",
  "auth-server-url": "http://.../auth",
  "ssl-required": "none",
  "resource": "shift-server",
  "credentials": {
    "secret": "**"
  }
}

and my client JSON looks like this (although this is not put anywhere in my application war)

{
  "realm": "shift",
  "realm-public-key": "***",
  "auth-server-url": "http://.../auth",
  "ssl-required": "none",
  "resource": "shift-ios",
  "public-client": true
}

I can log in with a correct username and password, setting the client id to 'shift-ios'. However, when I try to access a protected resource like this

GET /shift/feed HTTP/1.1
Host: www….com
Connection: keep-alive
Accept: */*
User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
Accept-Language: en-us
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW…...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
Accept-Encoding: gzip, deflate

where the Bearer header is the access token I get from logging in, then I get a 403 unauthorised response.

This used to work perfectly in beta 3, but I seem unable to make this work in 1.0(.1) final.

Could this be because I am using 1.0-core instead of 1.0.1-core?

Please help, as this has stopped all work on the product, and I am completely stuck.
What's the best way to go about debugging this?

Conrad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140922/e460ebc4/attachment-0001.html

From stian at redhat.com  Mon Sep 22 04:05:36 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 22 Sep 2014 04:05:36 -0400 (EDT)
Subject: [keycloak-user] 1.0.1 Problems & Questions
In-Reply-To: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com>
References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com>
Message-ID: <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Conrad Winchester"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 8:45:11 AM
> Subject: [keycloak-user] 1.0.1 Problems & Questions
>
> Hi all,
>
> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some serious issues.
>
> First a question: when will keycloak-core 1.0.1 be available from Maven Central? I am having to use 1.0-final in my war - is that compatible with the 1.0.1 keycloak war, which is running on my server?

Should have been there by now (it should be synced within 24h of a release); I've contacted the guys in charge to figure out what's going on. In the meantime you could add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.

>
> I upgraded by doing a complete wipe of the keycloak database and reinstalling 1.0.1 over my WildFly configuration. I am able to use the keycloak admin screens flawlessly.
>
> Now onto my problem.
>
> In 1.0.3-beta I used to have an access type bearer-only application which used the REST API to register and login users to keycloak.
>
> After upgrading I have found that even if I set the application to be bearer-only, keycloak still throws an invalid redirect uri error whenever I try to use the REST end points (surely this should not happen with a bearer-only application).
> In order to fix this I have moved the application over to access type confidential (it is sitting on the same server as keycloak) - are there any pointers to the correct config for this in 1.0.1? Basically my application is the backend to a mobile app that is using keycloak for access control - at the moment I am not allowed to use the keycloak login/register screens so must proxy it through the server. I am now able to register users using this configuration, but would prefer to go back to bearer-only.

Bearer-only applications should not be able to register or log in users at all; they should only be able to authenticate using bearer tokens.

>
> I also have a Direct Grant Only client which I use for the mobile application itself. I am able to get an access token by using the TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server, but when I try to access a resource with that bearer token set in the header I am still getting an unauthorised response.
>
> My application's keycloak.json looks like this
>
> {
>   "realm": "shift",
>   "realm-public-key": "**",
>   "auth-server-url": "http://.../auth",
>   "ssl-required": "none",
>   "resource": "shift-server",
>   "credentials": {
>     "secret": "**"
>   }
> }
>
> and my client JSON looks like this (although this is not put anywhere in my application war)
>
> {
>   "realm": "shift",
>   "realm-public-key": "***",
>   "auth-server-url": "http://.../auth",
>   "ssl-required": "none",
>   "resource": "shift-ios",
>   "public-client": true
> }
>
> I can log in with a correct username and password, setting the client id to 'shift-ios'.
> However, when I try to access a protected resource like this
>
> GET /shift/feed HTTP/1.1
> Host: www….com
> Connection: keep-alive
> Accept: */*
> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
> Accept-Language: en-us
> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW…...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
> Accept-Encoding: gzip, deflate
>
> where the Bearer header is the access token I get from logging in, then I get a 403 unauthorised response.

From a 403 it should mean that the application has successfully authenticated the user, but it doesn't have the correct roles.

Have you checked that the application you used to obtain the login has the required scope, that the user has the required role mappings, and that your bearer-only application is configured to use the correct roles? It can use either the roles associated with the resource or the realm; 'use-resource-role-mappings' configures this and it defaults to false, which means it uses realm roles.

>
> This used to work perfectly in beta 3, but I seem unable to make this work in 1.0(.1) final.
>
> Could this be because I am using 1.0-core instead of 1.0.1-core?
>
> Please help, as this has stopped all work on the product, and I am completely stuck. What's the best way to go about debugging this?
>
> Conrad
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From conrad at mindless.com  Mon Sep 22 04:29:28 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Mon, 22 Sep 2014 09:29:28 +0100
Subject: [keycloak-user] 1.0.1 Problems & Questions
In-Reply-To: <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com>
References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com> <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com>
Message-ID: <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com>

Thanks for this very informative answer.

I will stick with the application being confidential, as you have explained that this is more correct.

However, WRT roles.

I have a realm role defined as 'user'.
The client has this role as an 'Effective role' in the admin screens. Full scope allowed is off, and there are no application roles assigned (nor are they available).
I have the following in my web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>shift</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

and

<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>shift</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

Is this correct? Have I missed something?

BTW Thanks for the help and thanks for Keycloak - It really is awesome!

Conrad

> On 22 Sep 2014, at 09:05, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Conrad Winchester"
>> To: keycloak-user at lists.jboss.org
>> Sent: Monday, 22 September, 2014 8:45:11 AM
>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>>
>> Hi all,
>>
>> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some serious issues.
>>
>> First a question: when will keycloak-core 1.0.1 be available from Maven Central? I am having to use 1.0-final in my war - is that compatible with the 1.0.1 keycloak war, which is running on my server?
>
> Should have been there by now (it should be synced within 24h of a release); I've contacted the guys in charge to figure out what's going on.
> In the meantime you could add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.
>
>> I upgraded by doing a complete wipe of the keycloak database and reinstalling 1.0.1 over my WildFly configuration. I am able to use the keycloak admin screens flawlessly.
>>
>> Now onto my problem.
>>
>> In 1.0.3-beta I used to have an access type bearer-only application which used the REST API to register and login users to keycloak.
>>
>> After upgrading I have found that even if I set the application to be bearer-only, keycloak still throws an invalid redirect uri error whenever I try to use the REST end points (surely this should not happen with a bearer-only application). In order to fix this I have moved the application over to access type confidential (it is sitting on the same server as keycloak) - are there any pointers to the correct config for this in 1.0.1? Basically my application is the backend to a mobile app that is using keycloak for access control - at the moment I am not allowed to use the keycloak login/register screens so must proxy it through the server. I am now able to register users using this configuration, but would prefer to go back to bearer-only.
>
> Bearer-only applications should not be able to register or log in users at all; they should only be able to authenticate using bearer tokens.
>
>> I also have a Direct Grant Only client which I use for the mobile application itself. I am able to get an access token by using the TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server, but when I try to access a resource with that bearer token set in the header I am still getting an unauthorised response.
>>
>> My application's keycloak.json looks like this
>>
>> {
>>   "realm": "shift",
>>   "realm-public-key": "**",
>>   "auth-server-url": "http://.../auth",
>>   "ssl-required": "none",
>>   "resource": "shift-server",
>>   "credentials": {
>>     "secret":
>>       "**"
>>   }
>> }
>>
>> and my client JSON looks like this (although this is not put anywhere in my application war)
>>
>> {
>>   "realm": "shift",
>>   "realm-public-key": "***",
>>   "auth-server-url": "http://.../auth",
>>   "ssl-required": "none",
>>   "resource": "shift-ios",
>>   "public-client": true
>> }
>>
>> I can log in with a correct username and password, setting the client id to 'shift-ios'. However, when I try to access a protected resource like this
>>
>> GET /shift/feed HTTP/1.1
>> Host: www….com
>> Connection: keep-alive
>> Accept: */*
>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>> Accept-Language: en-us
>> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW…...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>> Accept-Encoding: gzip, deflate
>>
>> where the Bearer header is the access token I get from logging in, then I get a 403 unauthorised response.
>
> From a 403 it should mean that the application has successfully authenticated the user, but it doesn't have the correct roles.
>
> Have you checked that the application you used to obtain the login has the required scope, that the user has the required role mappings, and that your bearer-only application is configured to use the correct roles? It can use either the roles associated with the resource or the realm; 'use-resource-role-mappings' configures this and it defaults to false, which means it uses realm roles.
>
>> This used to work perfectly in beta 3, but I seem unable to make this work in 1.0(.1) final.
>>
>> Could this be because I am using 1.0-core instead of 1.0.1-core?
>>
>> Please help, as this has stopped all work on the product, and I am completely stuck. What's the best way to go about debugging this?
>>
>> Conrad
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140922/837d04bc/attachment-0001.html

From conrad at mindless.com  Mon Sep 22 06:17:43 2014
From: conrad at mindless.com (Conrad Winchester)
Date: Mon, 22 Sep 2014 11:17:43 +0100
Subject: [keycloak-user] 1.0.1 Problems & Questions
In-Reply-To: <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com>
References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com> <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com> <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com>
Message-ID:

I have now also tried using application roles, but unfortunately that did not change the behaviour at all.

Am I supposed to install the client JSON file anywhere?

Conrad

> On 22 Sep 2014, at 09:29, Conrad Winchester wrote:
>
> Thanks for this very informative answer.
>
> I will stick with the application being confidential, as you have explained that this is more correct.
>
> However, WRT roles.
>
> I have a realm role defined as 'user'.
> The client has this role as an 'Effective role' in the admin screens. Full scope allowed is off, and there are no application roles assigned (nor are they available).
> I have the following in my web.xml
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>shift</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
>
> and
>
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
>   <realm-name>shift</realm-name>
> </login-config>
>
> <security-role>
>   <role-name>user</role-name>
> </security-role>
>
> Is this correct? Have I missed something?
>
> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
>
> Conrad
>
>> On 22 Sep 2014, at 09:05, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Conrad Winchester"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Monday, 22 September, 2014 8:45:11 AM
>>> Subject: [keycloak-user] 1.0.1 Problems & Questions
>>>
>>> Hi all,
>>>
>>> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some serious issues.
>>>
>>> First a question: when will keycloak-core 1.0.1 be available from Maven Central? I am having to use 1.0-final in my war - is that compatible with the 1.0.1 keycloak war, which is running on my server?
>>
>> Should have been there by now (it should be synced within 24h of a release); I've contacted the guys in charge to figure out what's going on. In the meantime you could add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.
>>
>>> I upgraded by doing a complete wipe of the keycloak database and reinstalling 1.0.1 over my WildFly configuration. I am able to use the keycloak admin screens flawlessly.
>>>
>>> Now onto my problem.
>>>
>>> In 1.0.3-beta I used to have an access type bearer-only application which used the REST API to register and login users to keycloak.
>>>
>>> After upgrading I have found that even if I set the application to be bearer-only, keycloak still throws an invalid redirect uri error whenever I try to use the REST end points (surely this should not happen with a bearer-only application). In order to fix this I have moved the application over to access type confidential (it is sitting on the same server as keycloak) - are there any pointers to the correct config for this in 1.0.1? Basically my application is the backend to a mobile app that is using keycloak for access control - at the moment I am not allowed to use the keycloak login/register screens so must proxy it through the server.
>>> I am now able to register users using this configuration, but would prefer to go back to bearer-only.
>>
>> Bearer-only applications should not be able to register or log in users at all; they should only be able to authenticate using bearer tokens.
>>
>>> I also have a Direct Grant Only client which I use for the mobile application itself. I am able to get an access token by using the TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server, but when I try to access a resource with that bearer token set in the header I am still getting an unauthorised response.
>>>
>>> My application's keycloak.json looks like this
>>>
>>> {
>>>   "realm": "shift",
>>>   "realm-public-key": "**",
>>>   "auth-server-url": "http://.../auth",
>>>   "ssl-required": "none",
>>>   "resource": "shift-server",
>>>   "credentials": {
>>>     "secret": "**"
>>>   }
>>> }
>>>
>>> and my client JSON looks like this (although this is not put anywhere in my application war)
>>>
>>> {
>>>   "realm": "shift",
>>>   "realm-public-key": "***",
>>>   "auth-server-url": "http://.../auth",
>>>   "ssl-required": "none",
>>>   "resource": "shift-ios",
>>>   "public-client": true
>>> }
>>>
>>> I can log in with a correct username and password, setting the client id to 'shift-ios'. However, when I try to access a protected resource like this
>>>
>>> GET /shift/feed HTTP/1.1
>>> Host: www….com
>>> Connection: keep-alive
>>> Accept: */*
>>> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
>>> Accept-Language: en-us
>>> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW…...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
>>> Accept-Encoding: gzip, deflate
>>>
>>> where the Bearer header is the access token I get from logging in, then I get a 403 unauthorised response.
>>
>> From a 403 it should mean that the application has successfully authenticated the user, but it doesn't have the correct roles.
>>
>> Have you checked that the application you used to obtain the login has the required scope, that the user has the required role mappings, and that your bearer-only application is configured to use the correct roles? It can use either the roles associated with the resource or the realm; 'use-resource-role-mappings' configures this and it defaults to false, which means it uses realm roles.
>>
>>> This used to work perfectly in beta 3, but I seem unable to make this work in 1.0(.1) final.
>>>
>>> Could this be because I am using 1.0-core instead of 1.0.1-core?
>>>
>>> Please help, as this has stopped all work on the product, and I am completely stuck. What's the best way to go about debugging this?
>>>
>>> Conrad
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140922/38b6ebb3/attachment.html

From stian at redhat.com  Mon Sep 22 08:28:02 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 22 Sep 2014 08:28:02 -0400 (EDT)
Subject: [keycloak-user] 1.0.1 Problems & Questions
In-Reply-To:
References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com> <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com> <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com>
Message-ID: <261332147.53131229.1411388882110.JavaMail.zimbra@redhat.com>

How do you obtain the token?
It seems you have two different ways to do this:

1) login using KC forms with 'shift-server'
2) login using direct grant with 'shift-ios'

Is this correct? If so, both 'shift-server' and 'shift-ios' have to have a scope on the 'user' realm role.

With 'shift-ios', as you're not using any of our adapters, you don't need to install the client json for that anywhere. You obviously do need the json config for 'shift-server' (or use the WildFly subsystem to configure it through standalone.xml).

If you have the bearer token available you can check the contents of it with:

  System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());

It would be helpful if you could send that to me.

----- Original Message -----
> From: "Conrad Winchester"
> To: "Conrad Winchester"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 12:17:43 PM
> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
>
> I have now also tried using application roles, but unfortunately that did not change the behaviour at all.
>
> Am I supposed to install the client JSON file anywhere?
>
> Conrad
>
> On 22 Sep 2014, at 09:29, Conrad Winchester < conrad at mindless.com > wrote:
>
> Thanks for this very informative answer.
>
> I will stick with the application being confidential, as you have explained that this is more correct.
>
> However, WRT roles.
>
> I have a realm role defined as 'user'.
> The client has this role as an 'Effective role' in the admin screens. Full scope allowed is off, and there are no application roles assigned (nor are they available).
> I have the following in my web.xml
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>shift</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
>
> and
>
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
>   <realm-name>shift</realm-name>
> </login-config>
>
> <security-role>
>   <role-name>user</role-name>
> </security-role>
>
> Is this correct? Have I missed something?
>
> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
>
> Conrad
>
> On 22 Sep 2014, at 09:05, Stian Thorgersen < stian at redhat.com > wrote:
>
> ----- Original Message -----
>
> From: "Conrad Winchester" < conrad at mindless.com >
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 8:45:11 AM
> Subject: [keycloak-user] 1.0.1 Problems & Questions
>
> Hi all,
>
> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some serious issues.
>
> First a question: when will keycloak-core 1.0.1 be available from Maven Central? I am having to use 1.0-final in my war - is that compatible with the 1.0.1 keycloak war, which is running on my server?
>
> Should have been there by now (it should be synced within 24h of a release); I've contacted the guys in charge to figure out what's going on. In the meantime you could add JBoss Nexus (https://developer.jboss.org/wiki/MavenRepository) and get it from there.
>
> I upgraded by doing a complete wipe of the keycloak database and reinstalling 1.0.1 over my WildFly configuration. I am able to use the keycloak admin screens flawlessly.
>
> Now onto my problem.
>
> In 1.0.3-beta I used to have an access type bearer-only application which used the REST API to register and login users to keycloak.
>
> After upgrading I have found that even if I set the application to be bearer-only, keycloak still throws an invalid redirect uri error whenever I try to use the REST end points (surely this should not happen with a bearer-only application). In order to fix this I have moved the application over to access type confidential (it is sitting on the same server as keycloak) - are there any pointers to the correct config for this in 1.0.1? Basically my application is the backend to a mobile app that is using keycloak for access control - at the moment I am not allowed to use the keycloak login/register screens so must proxy it through the server.
I am > now able to register users using this configuration, but would prefer to go > back to bearer-only > > Bearer-only applications should not be able to register or login users at > all, they should only be able to authenticate using bearer tokens. > > > > > I also have a Direct Grant Only client which I use for the mobile application > itself. I am able to get an access token by using the > TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to > access a resource with that bearer token set in the header I am still > getting an unauthorised response. > > My application's keycloak.json looks like this > > { > "realm" : "shift" , > "realm-public-key" : "**" , > "auth-server-url" : " http://.../auth " , > "ssl-required" : "none" , > "resource" : "shift-server" , > "credentials" : { > "secret" : "**" > } > } > > and my client JSON looks like this (although this is not put anywhere in my > application war) > > { > "realm": "shift", > "realm-public-key": "***", > "auth-server-url": " http://.../auth ", > "ssl-required": "none", > "resource": "shift-ios", > "public-client": true > } > > I can log in with a correct username and password setting the client id to > 'shift-ios'. However when I try to access a protected resource like this > > GET /shift/feed HTTP/1.1 > Host: www?..com > Connection: keep-alive > Accept: */* > User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0 > Accept-Language: en-us > Authorization: Bearer > eyJhbGciOiJSUzI1NiJ9.eyJuYW???...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0 > Accept-Encoding: gzip, deflate > > where the Bearer header is the access token I get from logging in, then I get > a 403 unauthorised response. > > From a 403 it should mean that the application has successfully authenticated > the user, but it doesn't have the correct roles.
> > Have you checked that the application you used to obtain the login has the > required scope, that the user has the required role mappings, and that your > bearer-only application is configured to use the correct roles (it can use > either the roles associated with the resource or the realm, > 'use-resource-role-mappings' configures this and it defaults to false, which > means it uses realm roles). > > > > > This used to work perfectly in beta 3, but I seem unable to make this work in > 1.0(.1) final. > > Could this be because I am using 1.0-core instead of 1.0.1-core > > Please help, as this has stopped all work on the product, and I am completely > stuck. What's the best way to go about debugging this? > > Conrad > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From conrad at mindless.com Mon Sep 22 09:32:12 2014 From: conrad at mindless.com (Conrad Winchester) Date: Mon, 22 Sep 2014 14:32:12 +0100 Subject: [keycloak-user] 1.0.1 Problems & Questions In-Reply-To: <261332147.53131229.1411388882110.JavaMail.zimbra@redhat.com> References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com> <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com> <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com> <261332147.53131229.1411388882110.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian I am logging in using the direct grant rest end point with client id as shift-ios The token I get back looks like this 2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default task-1) Logged in
with access token {"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}} Does that help? Thanks Conrad > On 22 Sep 2014, at 13:28, Stian Thorgersen wrote: > > How do you obtain the token? It seems you have two different ways to do this > > 1) login using KC forms with 'shift-server' > 2) login using direct grant with 'shift-ios' > > Is this correct? If so both 'shift-server' and 'shift-ios' have to have a scope on the 'user' realm role. With 'shift-ios' as you're not using any of our adapters you don't need to install the client json for that anywhere. You obviously do need the json config for 'shift-server' (or use the WildFly subsystem to configure through standalone.xml). > > If you have the bearer token available you can check the contents of it with: > > System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString()); > > It would be helpful if you could send that to me.
From n.preusker at gmail.com Mon Sep 22 11:14:43 2014 From: n.preusker at gmail.com (Nils Preusker) Date: Mon, 22 Sep 2014 17:14:43 +0200 Subject: [keycloak-user] Keycloak 1.0.1 Final Released In-Reply-To: <541BEA9B.2090202@kroehling.de> References: <283645111.51908422.1411062596314.JavaMail.zimbra@redhat.com> <541BEA9B.2090202@kroehling.de> Message-ID: Hi guys and congrats on the release! One question: will the 1.0.1.Final release be available in the JBoss release maven repo soon? As far as I can see, it is currently only available at https://repository.jboss.org/nexus/service/local/repositories/jboss_releases_staging_profile-3884/content/ Cheers, Nils On Fri, Sep 19, 2014 at 10:34 AM, Juraci Paixão Kröhling < juraci at kroehling.de> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 09/18/2014 07:49 PM, Stian Thorgersen wrote: > > We're releasing a few minor fixes and improvements before we start > > work on SAML and Clustering. > > Docker image updated. > > - - Juca.
From stian at redhat.com Mon Sep 22 13:08:50 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 22 Sep 2014 13:08:50 -0400 (EDT) Subject: [keycloak-user] Keycloak 1.0.1 Final Released In-Reply-To: References: <283645111.51908422.1411062596314.JavaMail.zimbra@redhat.com> <541BEA9B.2090202@kroehling.de> Message-ID: <1712747819.53389067.1411405730586.JavaMail.zimbra@redhat.com> My bad - I've forgotten to release it in Nexus. Should be in Maven Central within 24h. ----- Original Message ----- > From: "Nils Preusker" > To: keycloak-user at lists.jboss.org > Sent: Monday, 22 September, 2014 5:14:43 PM > Subject: Re: [keycloak-user] Keycloak 1.0.1 Final Released > > Hi guys and congrats on the release! One question: will the 1.0.1.Final > release be available in the JBoss release maven repo soon? As far as I can > see, it is currently only available at > https://repository.jboss.org/nexus/service/local/repositories/jboss_releases_staging_profile-3884/content/ > > Cheers, > Nils
From conrad at mindless.com Mon Sep 22 13:22:05 2014 From: conrad at mindless.com (Conrad Winchester) Date: Mon, 22 Sep 2014 18:22:05 +0100 Subject: [keycloak-user] 1.0.1 Problems & Questions In-Reply-To: References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com> <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com> <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com> <261332147.53131229.1411388882110.JavaMail.zimbra@redhat.com> Message-ID: Hi Stian I have made some progress. I have discovered that if I assign the role 'user' to my user account in the 'role mappings'
section of the keycloak admin screens for that user then access to the resources work. The access token looks like this 2014-09-22 18:13:01,057 INFO [com.shift.service.oauth.KeycloakAuthAdapter] (default task-15) Logged in with access token {"name":"shift_141 not provided","email":"conrad at chiwestern.com","jti":"997e2a5c-389a-4b57-8a2b-669fcda587f7","exp":1411406281,"nbf":0,"iat":1411405981,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","given_name":"shift_141","family_name":"not provided","preferred_username":"conrad at chiwestern.com","email_verified":false,"session_state":"e0ae4a87-18d1-446a-805e-ad9334a1d648","allowed-origins":[],"realm_access":{"roles":["user"]},"resource_access":{}} I get roles:[user] Isn't this supposed to happen automatically if the role 'user' is the default realm role? Thanks Conrad
From conrad at mindless.com Mon Sep 22 13:58:08 2014 From: conrad at mindless.com (Conrad Winchester) Date: Mon, 22 Sep 2014 18:58:08 +0100 Subject: [keycloak-user] 1.0.1 Problems & Questions In-Reply-To: References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com> <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com> <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com> <261332147.53131229.1411388882110.JavaMail.zimbra@redhat.com> Message-ID: <3D2496EA-A45C-466A-B816-995B12960796@mindless.com> Hi Stian I worked it out. I had removed and re-added the user role from the realm after my user had registered. It seems that the default role is assigned at registration time and so if you change it that change is not reflected in existing users. A surprising behaviour, but I can sort of see why that is. Conrad
>>>>
>>>> Conrad
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Tue Sep 23 02:56:48 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 23 Sep 2014 02:56:48 -0400 (EDT)
Subject: [keycloak-user] 1.0.1 Problems & Questions
In-Reply-To: <3D2496EA-A45C-466A-B816-995B12960796@mindless.com>
References: <2A716C88-A4DF-4715-A9EF-06CADC872F6F@mindless.com> <1173015488.53003362.1411373136473.JavaMail.zimbra@redhat.com> <0D8DB054-60F7-495E-8F3D-8775C4476CCF@mindless.com> <261332147.53131229.1411388882110.JavaMail.zimbra@redhat.com> <3D2496EA-A45C-466A-B816-995B12960796@mindless.com>
Message-ID: <224909389.53702615.1411455408016.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Conrad Winchester"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 7:58:08 PM
> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
>
> Hi Stian
>
> I worked it out.
>
> I had removed and re-added the user role from the realm after my user had
> registered. It seems that the default role is assigned at registration time
> and so if you change it that change is not reflected in existing users.
>
> A surprising behaviour, but I can sort of see why that is.

We did it this way as you can do the alternative using a composite role. Basically if you create a composite role 'default-roles' and assign this as a default role, then you can add/remove roles to this and existing users will be updated.

>
> Conrad
>
> On 22 Sep 2014, at 18:22, Conrad Winchester < conrad at mindless.com > wrote:
>
> Hi Stian
>
> I have made some progress. I have discovered that if I assign the role 'user'
> to my user account in the 'role mappings' section of the keycloak admin
> screens for that user then access to the resources work. The access token
> looks like this
>
> 2014-09-22 18:13:01,057 INFO [com.shift.service.oauth.KeycloakAuthAdapter]
> (default task-15) Logged in with access token {"name":"shift_141 not
> provided","email":" conrad at chiwestern.com
> ","jti":"997e2a5c-389a-4b57-8a2b-669fcda587f7","exp":1411406281,"nbf":0,"iat":1411405981,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","given_name":"shift_141","family_name":"not
> provided","preferred_username":" conrad at chiwestern.com
> ","email_verified":false,"session_state":"e0ae4a87-18d1-446a-805e-ad9334a1d648","allowed-origins":[],"realm_access":{"roles":["user"]},"resource_access":{}}
>
> I get roles:[user]
>
> Isn't this supposed to happen automatically if the role 'user' is the default
> realm role?
>
> Thanks
>
> Conrad
>
> On 22 Sep 2014, at 14:32, Conrad Winchester < conrad at mindless.com > wrote:
>
> Hi Stian
>
> I am logging in using the direct grant rest end point with client id as
> shift-ios
>
> The token I get back looks like this
>
> 2014-09-22 14:25:34,795 INFO [com.shift.service.oauth.KeycloakAuthAdapter]
> (default task-1) Logged in with access token
> {"jti":"c78a0ec1-54fe-40c4-a2c7-d8e58129bf22","exp":1411392634,"nbf":0,"iat":1411392334,"iss":"shift","aud":"shift","sub":"9cff1b29-fb58-4b53-b4ce-ac79eb355843","azp":"shift-ios","session_state":"cc0559f9-78a2-4951-afac-48bee4fa9a23","allowed-origins":[],"resource_access":{}}
>
> Does that help?
>
> Thanks
>
> Conrad
>
> On 22 Sep 2014, at 13:28, Stian Thorgersen < stian at redhat.com > wrote:
>
> How do you obtain the token? It seems you have two different ways to do this
>
> 1) login using KC forms with 'shift-server'
> 2) login using direct grant with 'shift-ios'
>
> Is this correct? If so both 'shift-server' and 'shift-ios' have to have a
> scope on the 'user' realm role. With 'shift-ios' as you're not using any of
> our adapters you don't need to install the client json for that anywhere.
> You obviously do need the json config for 'shift-server' (or use the WildFly
> subsystem to configure through standalone.xml).
>
> If you have the bearer token available you can check the contents of it with:
>
> System.out.println(new org.keycloak.jose.jws.JWSInput(token).readContentAsString());
>
> It would be helpful if you could send that to me.
>
> ----- Original Message -----
> From: "Conrad Winchester" < conrad at mindless.com >
> To: "Conrad Winchester" < conrad at mindless.com >
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 12:17:43 PM
> Subject: Re: [keycloak-user] 1.0.1 Problems & Questions
>
> I have now also tried using application roles, but unfortunately that did not
> change the behaviour at all.
>
> Am I supposed to install the client JSON file anywhere?
>
> Conrad
>
> On 22 Sep 2014, at 09:29, Conrad Winchester < conrad at mindless.com > wrote
>
> Thanks for this very informative answer.
>
> I will stick with the application being confidential as you have explained
> that this is more correct.
>
> However, WRT roles.
>
> I have a realm role defined as 'user'
> The client has this role as an 'Effective role' in the admin screens. Full
> scope allowed is off, and there are no application roles assigned (nor are
> they available)
> I have the following in my web.xml
>
>     shift
>     /*
>
>     user
>
> and
>
>     KEYCLOAK
>     shift
>
>     user
>
> Is this correct? Have I missed something.
>
> BTW Thanks for the help and thanks for Keycloak - It really is awesome!
>
> Conrad
>
> On 22 Sep 2014, at 09:05, Stian Thorgersen < stian at redhat.com > wrote:
>
> ----- Original Message -----
> From: "Conrad Winchester" < conrad at mindless.com >
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 22 September, 2014 8:45:11 AM
> Subject: [keycloak-user] 1.0.1 Problems & Questions
>
> Hi all,
>
> I have just upgraded from 1.0-beta 3 to 1.0.1 final and am running into some
> serious issues.
>
> First a question: when will keycloak-core 1.0.1 be available from maven
> central? I am having to use 1.0-final in my war - is that compatible with
> 1.0.1 keycloak war - which is running on my server.
>
> Should have been there by now (it should be synced within 24h of a release),
> I've contacted the guys in charge to figure out what's going on. In the mean
> time you could add JBoss Nexus (
> https://developer.jboss.org/wiki/MavenRepository ) and get it from there.
>
> I upgraded by doing a complete wipe of the keycloak database, and
> reinstalling 1.0.1 over my WildFly configuration. I am able to use the
> keycloak admin screens flawlessly.
>
> Now onto my problem.
>
> In 1.0.3-beta I used to have an access type bearer-only application which used
> the rest api to register and login users to keycloak.
>
> After upgrading I have found that even if I set the application to be
> bearer-only, keycloak still throws an invalid redirect uri error whenever I
> try to use the rest end points (surely this should not happen with a
> bearer-only application). In order to fix this I have moved the application
> over to access type confidential (it is sitting on the same server as
> keycloak) - are there any pointers to the correct config for this in 1.0.1?
> Basically my application is the backend to a mobile app that is using
> keycloak for access control - at the moment I am not allowed to use the
> keycloak login/register screens so must proxy it through the server. I am
> now able to register users using this configuration, but would prefer to go
> back to bearer-only
>
> Bearer-only applications should not be able to register or login users at
> all, they should only be able to authenticate using bearer tokens.
>
> I also have a Direct Grant Only client which I use for the mobile application
> itself. I am able to get an access token by using the
> TOKEN_SERVICE_DIRECT_GRANT_PATH via the proxy server but when I try to
> access a resource with that bearer token set in the header I am still
> getting an unauthorised response.
>
> My application's keycloak.json looks like this
>
> {
>   "realm" : "shift",
>   "realm-public-key" : "**",
>   "auth-server-url" : "http://.../auth",
>   "ssl-required" : "none",
>   "resource" : "shift-server",
>   "credentials" : {
>     "secret" : "**"
>   }
> }
>
> and my client JSON looks like this (although this is not put anywhere in my
> application war)
>
> {
>   "realm": "shift",
>   "realm-public-key": "***",
>   "auth-server-url": "http://.../auth",
>   "ssl-required": "none",
>   "resource": "shift-ios",
>   "public-client": true
> }
>
> I can log in with a correct username and password setting the client id to
> 'shift-ios'. However when I try to access a protected resource like this
>
> GET /shift/feed HTTP/1.1
> Host: www...com
> Connection: keep-alive
> Accept: */*
> User-Agent: shift-ios-client/1.0 CFNetwork/711.0.6 Darwin/14.0.0
> Accept-Language: en-us
> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJuYW...5lXDBvPGu3bI7msV6Xh34g2PG1E2-d0GchWLFb4kGWofDbexDgIJoP1eeSHnKmahAHHbcl_LZkI3ayKYCgF-o3vfk0yh4T-zptEdK1EHFDndz4SkJlrPsyawueekf1mJD-drilFlL55nLIfFqjpaNdQDr5R3lAjUb0
> Accept-Encoding: gzip, deflate
>
> where the Bearer header is the access token I get from logging in, then I get
> a 403 unauthorised response.
>
> From a 403 it should mean that the application has successfully authenticated
> the user, but it doesn't have the correct roles.
>
> Have you checked that the application you used to obtain the login has the
> required scope, that the user has the required role mappings, and that your
> bearer-only application is configured to use the correct roles (it can use
> either the roles associated with the resource or the realm,
> 'use-resource-role-mappings' configures this and it defaults to false, which
> means it uses realm roles).
>
> This used to work perfectly in beta 3, but I seem unable to make this work in
> 1.0(.1) final.
>
> Could this be because I am using 1.0-core instead of 1.0.1-core
>
> Please help, as this has stopped all work on the product, and I am completely
> stuck. What's the best way to go about debugging this?
>
> Conrad

From stian at redhat.com Tue Sep 23 03:55:44 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 23 Sep 2014 03:55:44 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.0.1.Final finally in Maven Central
Message-ID: <1670745448.53728660.1411458944193.JavaMail.zimbra@redhat.com>

Keycloak 1.0.1.Final is finally in Maven Central. I forgot to mark it as released in JBoss Nexus, which is why it never synced to Central.

Sorry for any inconvenience,
Stian

From wenweikun at gmail.com Tue Sep 23 04:34:40 2014
From: wenweikun at gmail.com (Weikun Wen)
Date: Tue, 23 Sep 2014 16:34:40 +0800
Subject: [keycloak-user] Restful client Obtaining bearer tokens via the OAuth2 protocol
Message-ID:

Hi all,

May I know where can I find the example project or dev guide for the following scenario which I think should be a common use scenario for Keycloak?

Regards & Thanks
Kun
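Picking up the 1.0.1 Problems & Questions thread above (the 403 after a direct-grant login, and the realm-role versus resource-role check), the following is an added Python example, not code from the thread's participants or from Keycloak: it decodes a token's claims without signature verification, the same inspection the JWSInput hint performs, and applies the role rule that 'use-resource-role-mappings' selects. The sample tokens are constructed from the claims Conrad posted, with placeholder signatures; `now` is a hypothetical parameter so the expiry check can be exercised offline.

```python
import base64
import json
import time

# Constructed sample claims, modelled on the two tokens pasted in the thread:
# one issued after the 'user' realm role was mapped, one before (no realm_access).
CLAIMS_WITH_ROLE = {
    "jti": "997e2a5c-389a-4b57-8a2b-669fcda587f7",
    "exp": 1411406281, "nbf": 0, "iat": 1411405981,
    "iss": "shift", "aud": "shift",
    "sub": "9cff1b29-fb58-4b53-b4ce-ac79eb355843", "azp": "shift-ios",
    "realm_access": {"roles": ["user"]},
    "resource_access": {},
}
CLAIMS_WITHOUT_ROLE = {
    "jti": "c78a0ec1-54fe-40c4-a2c7-d8e58129bf22",
    "exp": 1411392634, "nbf": 0, "iat": 1411392334,
    "iss": "shift", "aud": "shift",
    "sub": "9cff1b29-fb58-4b53-b4ce-ac79eb355843", "azp": "shift-ios",
    "resource_access": {},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a compact JWS with a PLACEHOLDER signature (constructed test input)."""
    header = _b64url_encode(json.dumps({"alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def read_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: the Python
    counterpart of JWSInput(token).readContentAsString(), for inspecting
    what the server put into the token. Not sufficient for an authorization
    decision on its own; the adapter verifies the RS256 signature first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_roles(claims: dict, resource: str,
                  use_resource_role_mappings: bool = False) -> set:
    """Roles the adapter consults. With use-resource-role-mappings=false (the
    default) they come from realm_access.roles; with true, from
    resource_access[resource].roles."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def authorize(token: str, resource: str, required_role: str,
              use_resource_role_mappings: bool = False, now=None) -> int:
    """Reproduce the status codes discussed in the thread: 401 when the token
    cannot be read or has expired, 403 when the user is authenticated but lacks
    the required role, 200 otherwise. `now` (hypothetical) lets the expiry
    check run against the sample timestamps instead of the wall clock."""
    try:
        claims = read_claims(token)
    except ValueError:  # covers binascii.Error and JSONDecodeError too
        return 401
    if now is None:
        now = time.time()
    if now >= claims.get("exp", 0):
        return 401
    if required_role in granted_roles(claims, resource, use_resource_role_mappings):
        return 200
    return 403
```

The second sample reproduces Conrad's 14:25 token, which carries no realm_access at all, so it yields 403 even though it is otherwise a valid token.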
[Attachment: Web Modeling Diagram.png (image/png, 20507 bytes), http://lists.jboss.org/pipermail/keycloak-user/attachments/20140923/53fd0dd3/attachment-0001.png]

From stian at redhat.com Tue Sep 23 05:03:21 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 23 Sep 2014 05:03:21 -0400 (EDT)
Subject: [keycloak-user] Restful client Obtaining bearer tokens via the OAuth2 protocol
In-Reply-To:
References:
Message-ID: <1570402205.53766732.1411463001725.JavaMail.zimbra@redhat.com>

examples/preconfigured-demo/admin-access-app

----- Original Message -----
> From: "Weikun Wen"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 23 September, 2014 10:34:40 AM
> Subject: [keycloak-user] Restful client Obtaining bearer tokens via the OAuth2 protocol
>
> Hi all,
>
> May I know where can I find the example project or dev guide for the
> following scenario which I think should be a common use scenario for
> Keycloak?
>
> Regards & Thanks
> Kun

From bburke at redhat.com Tue Sep 23 07:25:57 2014
From: bburke at redhat.com (Bill Burke)
Date: Tue, 23 Sep 2014 07:25:57 -0400
Subject: [keycloak-user] Restful client Obtaining bearer tokens via the OAuth2 protocol
In-Reply-To: <1570402205.53766732.1411463001725.JavaMail.zimbra@redhat.com>
References: <1570402205.53766732.1411463001725.JavaMail.zimbra@redhat.com>
Message-ID: <542158C5.1040200@redhat.com>

Note, you have to turn on direct grant api in the admin console for this to work.
On 9/23/2014 5:03 AM, Stian Thorgersen wrote:
> examples/preconfigured-demo/admin-access-app
>
> ----- Original Message -----
>> From: "Weikun Wen"
>> To: keycloak-user at lists.jboss.org
>> Sent: Tuesday, 23 September, 2014 10:34:40 AM
>> Subject: [keycloak-user] Restful client Obtaining bearer tokens via the OAuth2 protocol
>>
>> Hi all,
>>
>> May I know where can I find the example project or dev guide for the
>> following scenario which I think should be a common use scenario for
>> Keycloak?
>>
>> Regards & Thanks
>> Kun

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From wenweikun at gmail.com Tue Sep 23 08:07:15 2014
From: wenweikun at gmail.com (Weikun Wen)
Date: Tue, 23 Sep 2014 20:07:15 +0800
Subject: [keycloak-user] Restful client Obtaining bearer tokens via the OAuth2 protocol
In-Reply-To: <542158C5.1040200@redhat.com>
References: <1570402205.53766732.1411463001725.JavaMail.zimbra@redhat.com> <542158C5.1040200@redhat.com>
Message-ID:

Thank you so much for the help.

2014-09-23 19:25 GMT+08:00 Bill Burke :
> Note, you have to turn on direct grant api in the admin console for this
> to work.
>
> On 9/23/2014 5:03 AM, Stian Thorgersen wrote:
> > examples/preconfigured-demo/admin-access-app
> >
> > ----- Original Message -----
> >> From: "Weikun Wen"
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Tuesday, 23 September, 2014 10:34:40 AM
> >> Subject: [keycloak-user] Restful client Obtaining bearer tokens via
> the OAuth2 protocol
> >>
> >> Hi all,
> >>
> >> May I know where can I find the example project or dev guide for the
> >> following scenario which I think should be a common use scenario for
> >> Keycloak?
> >>
> >> Regards & Thanks
> >> Kun
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From ivan at akvo.org Wed Sep 24 06:44:30 2014
From: ivan at akvo.org (Iván Perdomo)
Date: Wed, 24 Sep 2014 12:44:30 +0200
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <20140918105929.14b478d9@akvo.org>
References: <20140918105929.14b478d9@akvo.org>
Message-ID: <20140924124430.49a41efc@akvo.org>

Hi again,

Just a quick follow up.

I would like to know if Keycloak can be used as IDP [1] or the current support is just at RP level?
[1] http://openid.net/connect/faq/

Thanks,

On Thu, 18 Sep 2014 10:59:29 +0200
Iván Perdomo wrote:

>
> Hi all,
>
> I'm looking for a SSO solution that can help me with the need of
> having a single set of user credentials for several applications (Web
> and mobile - Android)
>
> Looking at the list of features in Keycloak I see that there is
> support for OpenID Connect.
>
> I would like to know your opinion if Keycloak could be used for
> handling SSO on several applications built on different technology
> stacks, e.g. Wordpress [1], Django Web app [2], Android [3], Java
>
> [1] https://github.com/jumbojett/Wordpress-OpenID-Connect-Login
> [2] https://github.com/intelie/django-oidc-auth
> [3] https://github.com/learning-layers/android-openid-connect-sample
>
> Thanks,

--
Iván

From markoradinovic79 at gmail.com Wed Sep 24 10:19:11 2014
From: markoradinovic79 at gmail.com (Marko Radinovic)
Date: Wed, 24 Sep 2014 16:19:11 +0200
Subject: [keycloak-user] Admin REST API - create new user problem
Message-ID:

Hi,

I'm trying to make a REST call to create a new user account.

    // imports for the classes used below (the message as posted showed only the calls)
    import java.util.Arrays;
    import org.apache.http.client.methods.HttpPost;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;
    import org.keycloak.util.KeycloakUriBuilder;

    // POST /admin/realms/{realm-name}/users on the Keycloak server
    HttpPost post = new HttpPost(KeycloakUriBuilder
            .fromUri(getBaseUrl(request) + "/auth")
            .path("/admin/realms/{realm-name}/users")
            .build("EHR Cloud"));

    UserRepresentation userRepresentation = new UserRepresentation();
    userRepresentation.setUsername("radinovic.marko");
    userRepresentation.setEmail("markoradinovic79 at gmail.com");
    userRepresentation.setEnabled(true);
    // password credential, custom attributes and realm roles set on the representation
    userRepresentation.credential(CredentialRepresentation.PASSWORD, "marko");
    userRepresentation.attribute("institutionId", "4");
    userRepresentation.attribute("institution", "ZipSoft");
    userRepresentation.setRealmRoles(Arrays.asList(new String[] {"ehr-user-doctor"}));

After executing post, user is created, but user credentials and realm roles are not saved. Also, I try to update user, but still there are no credentials and realm roles.
    HttpPost post = new HttpPost(KeycloakUriBuilder
            .fromUri(getBaseUrl(request) + "/auth")
            .path("/admin/realms/{realm-name}/users")
            .build("EHR Cloud"));

I checked in the database, and there are no credentials and roles.

From markoradinovic79 at gmail.com Wed Sep 24 11:18:48 2014
From: markoradinovic79 at gmail.com (Marko Radinovic)
Date: Wed, 24 Sep 2014 17:18:48 +0200
Subject: [keycloak-user] Admin REST API - create new user problem
In-Reply-To: CANNSMnuDpEfZM5WbwYdp9BNyt4M7U4kZwz5O6kPX8DhkFaJ3dg@mail.gmail.com
Message-ID: <5422E0D8.4010007@gmail.com>

Sorry for this, I was lazy and I didn't look into the source.

From stian at redhat.com Thu Sep 25 05:15:09 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Sep 2014 05:15:09 -0400 (EDT)
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <20140924124430.49a41efc@akvo.org>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org>
Message-ID: <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com>

Yes, Keycloak can be used as an IDP.

We haven't tested with other third-party OpenID Connect client libraries yet, also we only implement the core spec (and parts of the session management spec). If you do try it with a third-party library, please let us know how you get on.

----- Original Message -----
> From: "Iván Perdomo"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 24 September, 2014 12:44:30 PM
> Subject: Re: [keycloak-user] OpenID Connect support
>
> Hi again,
>
> Just a quick follow up.
>
> I would like to know if Keycloak can be used as IDP [1] or the current
> support is just at RP level?
>
> [1] http://openid.net/connect/faq/
>
> Thanks,
>
> On Thu, 18 Sep 2014 10:59:29 +0200
> Iván Perdomo wrote:
>
> >
> > Hi all,
> >
> > I'm looking for a SSO solution that can help me with the need of
> > having a single set of user credentials for several applications (Web
> > and mobile - Android)
> >
> > Looking at the list of features in Keycloak I see that there is
> > support for OpenID Connect.
> >
> > I would like to know your opinion if Keycloak could be used for
> > handling SSO on several applications built on different technology
> > stacks, e.g. Wordpress [1], Django Web app [2], Android [3], Java
> >
> > [1] https://github.com/jumbojett/Wordpress-OpenID-Connect-Login
> > [2] https://github.com/intelie/django-oidc-auth
> > [3] https://github.com/learning-layers/android-openid-connect-sample
> >
> > Thanks,
>
> --
> Iván

From ivan at akvo.org Thu Sep 25 08:53:04 2014
From: ivan at akvo.org (Iván Perdomo)
Date: Thu, 25 Sep 2014 14:53:04 +0200
Subject: [keycloak-user] OpenID Connect support
In-Reply-To: <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com>
References: <20140918105929.14b478d9@akvo.org> <20140924124430.49a41efc@akvo.org> <58273656.55471417.1411636509910.JavaMail.zimbra@redhat.com>
Message-ID: <20140925145304.4ba311e0@akvo.org>

Hi,

On Thu, 25 Sep 2014 05:15:09 -0400 (EDT)
Stian Thorgersen wrote:

> Yes, Keycloak can be used as an IDP.

Thanks, that was the first thing I wanted to know.

>
> We haven't tested with other third-party OpenID Connect client
> libraries yet, also we only implement the core spec (and parts of the
> session management spec). If you do try it with a third-party library,
> please let us know how you get on.

I'll do some testing using third-party libs/clients and will share my findings.
Cheers,

--
Iván

From rmartine at redhat.com Thu Sep 25 11:56:57 2014
From: rmartine at redhat.com (Ricardo Martinelli de Oliveira)
Date: Thu, 25 Sep 2014 11:56:57 -0400 (EDT)
Subject: [keycloak-user] Removing totp authentication in a realm doesn't disable it in the realm.
In-Reply-To: <752018054.1199949.1411660512271.JavaMail.zimbra@redhat.com>
Message-ID: <998877171.1200947.1411660617203.JavaMail.zimbra@redhat.com>

Hello,

I created a realm for my applications and just for testing purposes I added totp as a required user credential and it worked (I could use Google Authenticator to login to my applications) but after removing it the keycloak login page still asks for the Google Authenticator token.

Is it required to remove the token configuration in Google Authenticator to definitely remove this step or is there something else I'm missing?

Regards,

Ricardo Martinelli de Oliveira

From stian at redhat.com Thu Sep 25 12:03:42 2014
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Sep 2014 12:03:42 -0400 (EDT)
Subject: [keycloak-user] Removing totp authentication in a realm doesn't disable it in the realm.
In-Reply-To: <998877171.1200947.1411660617203.JavaMail.zimbra@redhat.com>
References: <998877171.1200947.1411660617203.JavaMail.zimbra@redhat.com>
Message-ID: <1260897898.55829455.1411661022562.JavaMail.zimbra@redhat.com>

Hi,

When you add totp as a required user credential all users are required to have totp configured. Removing this doesn't remove totp configuration for users, only the requirement for them to have it. Once removed users can go to account management and manually remove it themselves, or an admin can remove totp for individual users.
----- Original Message -----
> From: "Ricardo Martinelli de Oliveira"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 25 September, 2014 5:56:57 PM
> Subject: [keycloak-user] Removing totp authentication in a realm doesn't disable it in the realm.
>
> Hello,
>
> I created a realm for my applications and just for testing purposes I added
> totp as a required user credential and it worked (I could use Google
> Authenticator to login to my applications) but after removing it the
> keycloak login page still asks for the Google Authenticator token.
>
> Is it required to remove the token configuration in Google Authenticator to
> definitely remove this step or is there something else I'm missing?
>
> Regards,
>
> Ricardo Martinelli de Oliveira

From j.kamal at ymail.com Thu Sep 25 16:14:16 2014
From: j.kamal at ymail.com (Kamal Jagadevan)
Date: Thu, 25 Sep 2014 13:14:16 -0700
Subject: [keycloak-user] Query about SP & IDP
Message-ID: <1411676056.4611.YahooMailNeo@web120205.mail.ne1.yahoo.com>

Hello,

We are doing a feasibility study to replace one of the existing OAUTH solutions with Keycloak. And we were wondering if the following things are possible

1.) Can Keycloak act as Service Provider
2.) In the previous post Stian mentioned keycloak can act as IDP (Identity provider). But can Keycloak be integrated with external IDP over SAML.

Please advise

Thanks
Kamal
From bburke at redhat.com Thu Sep 25 16:41:59 2014
From: bburke at redhat.com (Bill Burke)
Date: Thu, 25 Sep 2014 16:41:59 -0400
Subject: [keycloak-user] Query about SP & IDP
In-Reply-To: <1411676056.4611.YahooMailNeo@web120205.mail.ne1.yahoo.com>
References: <1411676056.4611.YahooMailNeo@web120205.mail.ne1.yahoo.com>
Message-ID: <54247E17.2020804@redhat.com>

No, the server cannot be integrated with an external IDP over SAML (or OAUTH). It does integrate with external IDPs for social login, but not generic OpenID Connect or SAML IDPs. It's on the roadmap. If there is enough interest we'll bump the priority.

On 9/25/2014 4:14 PM, Kamal Jagadevan wrote:
> Hello,
> We are doing a feasibility study to replace one of the existing OAUTH
> solutions with Keycloak.
> And we were wondering if the following things are possible
>
> 1.) Can Keycloak act as Service Provider
> 2.) In the previous post Stian mentioned keycloak can act as IDP
> (Identity provider). But can Keycloak be integrated with external IDP
> over SAML.
>
> Please advise
>
> Thanks
> Kamal

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From panulab at gmail.com Mon Sep 29 06:42:33 2014
From: panulab at gmail.com (Pablo N)
Date: Mon, 29 Sep 2014 12:42:33 +0200
Subject: [keycloak-user] Integration Keycloak with phyton application
Message-ID:

Hello,

I am starting to use Keycloak as IDM inside my actual project. I have two projects, Java and Python, and I want to use Keycloak as SSO. I managed to integrate the Java project with Keycloak running in WildFly, but I don't know how I should proceed with the Python project.
Currently we are using this Phyton plugin to connect with Django: http://python-social-auth.readthedocs.org/en/latest/ Could you help us about what steps should be done to use Keycloak with this plugin? Thank you in advanced, Pablo Nu?o -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140929/a847535c/attachment.html From stian at redhat.com Mon Sep 29 13:03:13 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 29 Sep 2014 13:03:13 -0400 (EDT) Subject: [keycloak-user] Integration Keycloak with phyton application In-Reply-To: References: Message-ID: <1766298406.58107155.1412010192999.JavaMail.zimbra@redhat.com> Hi, Afraid we haven't looked at adapters for python yet, but you should be able to use any OAuth2 or OpenID Connect library to authenticate with Keycloak. The endpoints you need are: * Login: /auth/tokens/realms//tokens/login * Access token: /auth/tokens/realms//tokens/access/codes * Refresh token: /auth/tokens/realms//tokens/refresh With claims enabled through the admin console the access token contains ID token parameters from OpenID Connect (preferred_username, email, etc.) so you can retrieve those directly from the token. Alternatively you can also retrieve the user profile from the account profile endpoint (/auth/realms//account). ----- Original Message ----- > From: "Pablo N" > To: keycloak-user at lists.jboss.org > Sent: Monday, 29 September, 2014 12:42:33 PM > Subject: [keycloak-user] Integration Keycloak with phyton application > > > > Hello , > > > > I am starting to use Keycloak as IDM inside my actual Project. I have to > projects, Java and Phyton projects and I want to use Keycloak as SSO. I > manage to integrate Java project with Keycloak running in Wildfly, but I > don?t know how I should proceed with Phyton project. 
> > > > Currently we are using this Phyton plugin to connect with Django: > > > > http://python-social-auth.readthedocs.org/en/latest/ > > > > Could you help us about what steps should be done to use Keycloak with this > plugin? > > > > Thank you in advanced, > > > > Pablo Nu?o > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From alexander.chriztopher at gmail.com Tue Sep 30 05:55:59 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Tue, 30 Sep 2014 11:55:59 +0200 Subject: [keycloak-user] Realm update through REST API Message-ID: Hi guys, Just wondering wether you have an example to do any kind of update on a realm through REST. Many thanks for any help. Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140930/70024ee0/attachment.html From stian at redhat.com Tue Sep 30 06:00:39 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 30 Sep 2014 06:00:39 -0400 (EDT) Subject: [keycloak-user] Realm update through REST API In-Reply-To: References: Message-ID: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> If you're doing it from Java the admin client makes this very simple: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java otherwise look at the rest docs: http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/overview-index.html ----- Original Message ----- > From: "Alexander Chriztopher" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 30 September, 2014 11:55:59 AM > Subject: [keycloak-user] Realm update through REST API > > Hi guys, > > Just wondering wether you have an example to do any kind of update on a realm > through REST. > > Many thanks for any help. > > Regards. 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From alexander.chriztopher at gmail.com Tue Sep 30 06:06:20 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Tue, 30 Sep 2014 12:06:20 +0200 Subject: [keycloak-user] Realm update through REST API In-Reply-To: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> References: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> Message-ID: Am actually looking for an example like the AdminClient. Once you create your post like this : HttpPost post = *new* HttpPost(KeycloakUriBuilder.*fromUri*(*getBaseUrl*() + "/auth").path(ServiceUrlConstants.*REALM_INFO_PATH*).build(*realmName*)); List formparams = *new* ArrayList (); formparams.add(*new* BasicNameValuePair("username", *username*)); formparams.add(*new* BasicNameValuePair("password", *password*)); formparams.add(*new* BasicNameValuePair(OAuth2Constants.*CLIENT_ID*, *clientIdOrApplicationName*)); UrlEncodedFormEntity form = *new* UrlEncodedFormEntity(formparams, "UTF-8"); post.setEntity(form); How do you send your realm representation ? On Tue, Sep 30, 2014 at 12:00 PM, Stian Thorgersen wrote: > If you're doing it from Java the admin client makes this very simple: > > > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java > > otherwise look at the rest docs: > > > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/overview-index.html > > ----- Original Message ----- > > From: "Alexander Chriztopher" > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, 30 September, 2014 11:55:59 AM > > Subject: [keycloak-user] Realm update through REST API > > > > Hi guys, > > > > Just wondering wether you have an example to do any kind of update on a > realm > > through REST. > > > > Many thanks for any help. > > > > Regards. 
> > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140930/44c85217/attachment-0001.html From stian at redhat.com Tue Sep 30 06:37:36 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 30 Sep 2014 06:37:36 -0400 (EDT) Subject: [keycloak-user] Realm update through REST API In-Reply-To: References: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> Message-ID: <246217773.58547897.1412073456937.JavaMail.zimbra@redhat.com> http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/admin/realms/%7Brealm%7D/index.html#PUT ----- Original Message ----- > From: "Alexander Chriztopher" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 30 September, 2014 12:06:20 PM > Subject: Re: [keycloak-user] Realm update through REST API > > Am actually looking for an example like the AdminClient. > > Once you create your post like this : > > HttpPost post = *new* HttpPost(KeycloakUriBuilder.*fromUri*(*getBaseUrl*() > + "/auth").path(ServiceUrlConstants.*REALM_INFO_PATH*).build(*realmName*)); > > List formparams = *new* ArrayList (); > > formparams.add(*new* BasicNameValuePair("username", *username*)); > > formparams.add(*new* BasicNameValuePair("password", *password*)); > > formparams.add(*new* BasicNameValuePair(OAuth2Constants.*CLIENT_ID*, > *clientIdOrApplicationName*)); > > UrlEncodedFormEntity form = *new* UrlEncodedFormEntity(formparams, "UTF-8"); > > post.setEntity(form); > How do you send your realm representation ? 
> > On Tue, Sep 30, 2014 at 12:00 PM, Stian Thorgersen wrote: > > > If you're doing it from Java the admin client makes this very simple: > > > > > > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java > > > > otherwise look at the rest docs: > > > > > > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/overview-index.html > > > > ----- Original Message ----- > > > From: "Alexander Chriztopher" > > > To: keycloak-user at lists.jboss.org > > > Sent: Tuesday, 30 September, 2014 11:55:59 AM > > > Subject: [keycloak-user] Realm update through REST API > > > > > > Hi guys, > > > > > > Just wondering wether you have an example to do any kind of update on a > > realm > > > through REST. > > > > > > Many thanks for any help. > > > > > > Regards. > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From alexander.chriztopher at gmail.com Tue Sep 30 07:41:51 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Tue, 30 Sep 2014 13:41:51 +0200 Subject: [keycloak-user] Realm update through REST API In-Reply-To: <246217773.58547897.1412073456937.JavaMail.zimbra@redhat.com> References: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> <246217773.58547897.1412073456937.JavaMail.zimbra@redhat.com> Message-ID: <7C87142A-785E-43BD-9D00-289D5A226123@gmail.com> Thanks but that is just the api which i already went through. I was looking for a java example such as the ClientAdmin in the examples actually and that's why I sent the code. 
> On 30 Sep 2014, at 12:37, Stian Thorgersen wrote: > > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/admin/realms/%7Brealm%7D/index.html#PUT > > ----- Original Message ----- >> From: "Alexander Chriztopher" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Tuesday, 30 September, 2014 12:06:20 PM >> Subject: Re: [keycloak-user] Realm update through REST API >> >> Am actually looking for an example like the AdminClient. >> >> Once you create your post like this : >> >> HttpPost post = *new* HttpPost(KeycloakUriBuilder.*fromUri*(*getBaseUrl*() >> + "/auth").path(ServiceUrlConstants.*REALM_INFO_PATH*).build(*realmName*)); >> >> List formparams = *new* ArrayList (); >> >> formparams.add(*new* BasicNameValuePair("username", *username*)); >> >> formparams.add(*new* BasicNameValuePair("password", *password*)); >> >> formparams.add(*new* BasicNameValuePair(OAuth2Constants.*CLIENT_ID*, >> *clientIdOrApplicationName*)); >> >> UrlEncodedFormEntity form = *new* UrlEncodedFormEntity(formparams, "UTF-8"); >> >> post.setEntity(form); >> How do you send your realm representation ? >> >>> On Tue, Sep 30, 2014 at 12:00 PM, Stian Thorgersen wrote: >>> >>> If you're doing it from Java the admin client makes this very simple: >>> >>> >>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java >>> >>> otherwise look at the rest docs: >>> >>> >>> http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/overview-index.html >>> >>> ----- Original Message ----- >>>> From: "Alexander Chriztopher" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Tuesday, 30 September, 2014 11:55:59 AM >>>> Subject: [keycloak-user] Realm update through REST API >>>> >>>> Hi guys, >>>> >>>> Just wondering wether you have an example to do any kind of update on a >>> realm >>>> through REST. >>>> >>>> Many thanks for any help. >>>> >>>> Regards. 
>>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From stian at redhat.com Tue Sep 30 07:50:11 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 30 Sep 2014 07:50:11 -0400 (EDT) Subject: [keycloak-user] Realm update through REST API In-Reply-To: <7C87142A-785E-43BD-9D00-289D5A226123@gmail.com> References: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> <246217773.58547897.1412073456937.JavaMail.zimbra@redhat.com> <7C87142A-785E-43BD-9D00-289D5A226123@gmail.com> Message-ID: <585696073.58590926.1412077811706.JavaMail.zimbra@redhat.com> Actually, just noticed that updating a realm is missing from the admin client atm :( If you create a jira I'll make sure it's added before the next release ----- Original Message ----- > From: "Alexander Chriztopher" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 30 September, 2014 1:41:51 PM > Subject: Re: [keycloak-user] Realm update through REST API > > Thanks but that is just the api which i already went through. > > I was looking for a java example such as the ClientAdmin in the examples > actually and that's why I sent the code. > > > > > On 30 Sep 2014, at 12:37, Stian Thorgersen wrote: > > > > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/admin/realms/%7Brealm%7D/index.html#PUT > > > > ----- Original Message ----- > >> From: "Alexander Chriztopher" > >> To: "Stian Thorgersen" > >> Cc: keycloak-user at lists.jboss.org > >> Sent: Tuesday, 30 September, 2014 12:06:20 PM > >> Subject: Re: [keycloak-user] Realm update through REST API > >> > >> Am actually looking for an example like the AdminClient. 
> >> > >> Once you create your post like this : > >> > >> HttpPost post = *new* HttpPost(KeycloakUriBuilder.*fromUri*(*getBaseUrl*() > >> + > >> "/auth").path(ServiceUrlConstants.*REALM_INFO_PATH*).build(*realmName*)); > >> > >> List formparams = *new* ArrayList (); > >> > >> formparams.add(*new* BasicNameValuePair("username", *username*)); > >> > >> formparams.add(*new* BasicNameValuePair("password", *password*)); > >> > >> formparams.add(*new* BasicNameValuePair(OAuth2Constants.*CLIENT_ID*, > >> *clientIdOrApplicationName*)); > >> > >> UrlEncodedFormEntity form = *new* UrlEncodedFormEntity(formparams, > >> "UTF-8"); > >> > >> post.setEntity(form); > >> How do you send your realm representation ? > >> > >>> On Tue, Sep 30, 2014 at 12:00 PM, Stian Thorgersen > >>> wrote: > >>> > >>> If you're doing it from Java the admin client makes this very simple: > >>> > >>> > >>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java > >>> > >>> otherwise look at the rest docs: > >>> > >>> > >>> http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/overview-index.html > >>> > >>> ----- Original Message ----- > >>>> From: "Alexander Chriztopher" > >>>> To: keycloak-user at lists.jboss.org > >>>> Sent: Tuesday, 30 September, 2014 11:55:59 AM > >>>> Subject: [keycloak-user] Realm update through REST API > >>>> > >>>> Hi guys, > >>>> > >>>> Just wondering wether you have an example to do any kind of update on a > >>> realm > >>>> through REST. > >>>> > >>>> Many thanks for any help. > >>>> > >>>> Regards. 
> >>>> > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > From alexander.chriztopher at gmail.com Tue Sep 30 08:20:39 2014 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Tue, 30 Sep 2014 14:20:39 +0200 Subject: [keycloak-user] Realm update through REST API In-Reply-To: <585696073.58590926.1412077811706.JavaMail.zimbra@redhat.com> References: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> <246217773.58547897.1412073456937.JavaMail.zimbra@redhat.com> <7C87142A-785E-43BD-9D00-289D5A226123@gmail.com> <585696073.58590926.1412077811706.JavaMail.zimbra@redhat.com> Message-ID: ok great then. i have created an issue here : https://issues.jboss.org/browse/KEYCLOAK-725 thanks for ur time :-) On Tue, Sep 30, 2014 at 1:50 PM, Stian Thorgersen wrote: > Actually, just noticed that updating a realm is missing from the admin > client atm :( > > If you create a jira I'll make sure it's added before the next release > > ----- Original Message ----- > > From: "Alexander Chriztopher" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Tuesday, 30 September, 2014 1:41:51 PM > > Subject: Re: [keycloak-user] Realm update through REST API > > > > Thanks but that is just the api which i already went through. > > > > I was looking for a java example such as the ClientAdmin in the examples > > actually and that's why I sent the code. 
> > > > > > > > > On 30 Sep 2014, at 12:37, Stian Thorgersen wrote: > > > > > > > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/admin/realms/%7Brealm%7D/index.html#PUT > > > > > > ----- Original Message ----- > > >> From: "Alexander Chriztopher" > > >> To: "Stian Thorgersen" > > >> Cc: keycloak-user at lists.jboss.org > > >> Sent: Tuesday, 30 September, 2014 12:06:20 PM > > >> Subject: Re: [keycloak-user] Realm update through REST API > > >> > > >> Am actually looking for an example like the AdminClient. > > >> > > >> Once you create your post like this : > > >> > > >> HttpPost post = *new* > HttpPost(KeycloakUriBuilder.*fromUri*(*getBaseUrl*() > > >> + > > >> > "/auth").path(ServiceUrlConstants.*REALM_INFO_PATH*).build(*realmName*)); > > >> > > >> List formparams = *new* ArrayList (); > > >> > > >> formparams.add(*new* BasicNameValuePair("username", *username*)); > > >> > > >> formparams.add(*new* BasicNameValuePair("password", *password*)); > > >> > > >> formparams.add(*new* BasicNameValuePair(OAuth2Constants.*CLIENT_ID*, > > >> *clientIdOrApplicationName*)); > > >> > > >> UrlEncodedFormEntity form = *new* UrlEncodedFormEntity(formparams, > > >> "UTF-8"); > > >> > > >> post.setEntity(form); > > >> How do you send your realm representation ? 
> > >> > > >>> On Tue, Sep 30, 2014 at 12:00 PM, Stian Thorgersen > > > >>> wrote: > > >>> > > >>> If you're doing it from Java the admin client makes this very simple: > > >>> > > >>> > > >>> > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java > > >>> > > >>> otherwise look at the rest docs: > > >>> > > >>> > > >>> > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/overview-index.html > > >>> > > >>> ----- Original Message ----- > > >>>> From: "Alexander Chriztopher" > > >>>> To: keycloak-user at lists.jboss.org > > >>>> Sent: Tuesday, 30 September, 2014 11:55:59 AM > > >>>> Subject: [keycloak-user] Realm update through REST API > > >>>> > > >>>> Hi guys, > > >>>> > > >>>> Just wondering wether you have an example to do any kind of update > on a > > >>> realm > > >>>> through REST. > > >>>> > > >>>> Many thanks for any help. > > >>>> > > >>>> Regards. > > >>>> > > >>>> _______________________________________________ > > >>>> keycloak-user mailing list > > >>>> keycloak-user at lists.jboss.org > > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140930/40004c09/attachment.html From stian at redhat.com Tue Sep 30 09:45:42 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 30 Sep 2014 09:45:42 -0400 (EDT) Subject: [keycloak-user] Realm update through REST API In-Reply-To: References: <1527987466.58526222.1412071239797.JavaMail.zimbra@redhat.com> <246217773.58547897.1412073456937.JavaMail.zimbra@redhat.com> <7C87142A-785E-43BD-9D00-289D5A226123@gmail.com> <585696073.58590926.1412077811706.JavaMail.zimbra@redhat.com> Message-ID: <532781422.58683083.1412084742563.JavaMail.zimbra@redhat.com> Added: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java#L50 ----- Original Message ----- > From: "Alexander Chriztopher" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Tuesday, 30 September, 2014 2:20:39 PM > Subject: Re: [keycloak-user] Realm update through REST API > > ok great then. > > i have created an issue here : https://issues.jboss.org/browse/KEYCLOAK-725 > > thanks for ur time :-) > > On Tue, Sep 30, 2014 at 1:50 PM, Stian Thorgersen wrote: > > > Actually, just noticed that updating a realm is missing from the admin > > client atm :( > > > > If you create a jira I'll make sure it's added before the next release > > > > ----- Original Message ----- > > > From: "Alexander Chriztopher" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Tuesday, 30 September, 2014 1:41:51 PM > > > Subject: Re: [keycloak-user] Realm update through REST API > > > > > > Thanks but that is just the api which i already went through. > > > > > > I was looking for a java example such as the ClientAdmin in the examples > > > actually and that's why I sent the code. 
> > > > > > > > > > > > > On 30 Sep 2014, at 12:37, Stian Thorgersen wrote: > > > > > > > > > > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/admin/realms/%7Brealm%7D/index.html#PUT > > > > > > > > ----- Original Message ----- > > > >> From: "Alexander Chriztopher" > > > >> To: "Stian Thorgersen" > > > >> Cc: keycloak-user at lists.jboss.org > > > >> Sent: Tuesday, 30 September, 2014 12:06:20 PM > > > >> Subject: Re: [keycloak-user] Realm update through REST API > > > >> > > > >> Am actually looking for an example like the AdminClient. > > > >> > > > >> Once you create your post like this : > > > >> > > > >> HttpPost post = *new* > > HttpPost(KeycloakUriBuilder.*fromUri*(*getBaseUrl*() > > > >> + > > > >> > > "/auth").path(ServiceUrlConstants.*REALM_INFO_PATH*).build(*realmName*)); > > > >> > > > >> List formparams = *new* ArrayList (); > > > >> > > > >> formparams.add(*new* BasicNameValuePair("username", *username*)); > > > >> > > > >> formparams.add(*new* BasicNameValuePair("password", *password*)); > > > >> > > > >> formparams.add(*new* BasicNameValuePair(OAuth2Constants.*CLIENT_ID*, > > > >> *clientIdOrApplicationName*)); > > > >> > > > >> UrlEncodedFormEntity form = *new* UrlEncodedFormEntity(formparams, > > > >> "UTF-8"); > > > >> > > > >> post.setEntity(form); > > > >> How do you send your realm representation ? 
> > > >> > > > >>> On Tue, Sep 30, 2014 at 12:00 PM, Stian Thorgersen > > > > > >>> wrote: > > > >>> > > > >>> If you're doing it from Java the admin client makes this very simple: > > > >>> > > > >>> > > > >>> > > https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/RealmTest.java > > > >>> > > > >>> otherwise look at the rest docs: > > > >>> > > > >>> > > > >>> > > http://docs.jboss.org/keycloak/docs/1.0.1.Final/rest-api/overview-index.html > > > >>> > > > >>> ----- Original Message ----- > > > >>>> From: "Alexander Chriztopher" > > > >>>> To: keycloak-user at lists.jboss.org > > > >>>> Sent: Tuesday, 30 September, 2014 11:55:59 AM > > > >>>> Subject: [keycloak-user] Realm update through REST API > > > >>>> > > > >>>> Hi guys, > > > >>>> > > > >>>> Just wondering wether you have an example to do any kind of update > > on a > > > >>> realm > > > >>>> through REST. > > > >>>> > > > >>>> Many thanks for any help. > > > >>>> > > > >>>> Regards. > > > >>>> > > > >>>> _______________________________________________ > > > >>>> keycloak-user mailing list > > > >>>> keycloak-user at lists.jboss.org > > > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >> > > > > > > From ivan at akvo.org Tue Sep 30 10:04:48 2014 From: ivan at akvo.org (=?UTF-8?B?SXbDoW4=?= Perdomo) Date: Tue, 30 Sep 2014 16:04:48 +0200 Subject: [keycloak-user] Integration Keycloak with phyton application In-Reply-To: <1766298406.58107155.1412010192999.JavaMail.zimbra@redhat.com> References: <1766298406.58107155.1412010192999.JavaMail.zimbra@redhat.com> Message-ID: <20140930160448.519bea6d@akvo.org> Hi, On Mon, 29 Sep 2014 13:03:13 -0400 (EDT) Stian Thorgersen wrote: > * Login: /auth/tokens/realms/ NAME>/tokens/login > * Access token: /auth/tokens/realms/ NAME>/tokens/access/codes > * Refresh token: /auth/tokens/realms/ NAME>/tokens/refresh Not sure if I'm correct, but there is an extra /tokens/ in those URLs ? e.g. 
When you visit Admin Console /auth/admin/ You get redirected to the login page at: /auth/realms/master/tokens/login?client_id=security-admin-console&redirect_uri=SERVER>%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=some-uuid&response_type=code So the pattern is: /auth/realms//tokens/login /auth/realms//tokens/access/codes /auth/realms//tokens/refresh Is this a correct assumption? Thanks, -- Iv?n
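The two how-to questions in this digest (Stian's Python endpoint list as corrected by Iván, and Alexander's question about sending a realm representation to the REST API) can both be illustrated with a small standard-library Python client. This is an added example, not code from the mailing list or from the Keycloak project. The server base URL, realm name, client id, redirect URI and realm fields are constructed placeholders; the URL pattern `/auth/realms/<REALM NAME>/tokens/...` and the query parameters (`client_id`, `redirect_uri`, `state`, `response_type=code`) are taken from Iván's message; the exact form fields the 1.0-era access-code endpoint expects are an assumption modelled on plain OAuth2. Nothing here contacts a server: the functions build the requests and check the callback, so it runs offline.

```python
"""Added example: Keycloak 1.0-style OAuth2 code flow and admin realm PUT.

Not from the mailing list or the Keycloak project. BASE, realm, client id,
redirect URI and the realm representation fields are constructed placeholders.
"""
import base64
import json
import secrets
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.invalid/auth"  # assumption: server base URL


def new_state():
    """Unguessable per-login state; the adapters keep theirs in a cookie."""
    return secrets.token_urlsafe(24)


def login_url(realm, client_id, redirect_uri, state):
    """Redirect target using the pattern from the thread (no extra /tokens/)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
    }
    return (f"{BASE}/realms/{urllib.parse.quote(realm)}/tokens/login?"
            + urllib.parse.urlencode(params))


def parse_callback(callback_url, expected_state):
    """Return the authorization code, or raise if state does not match.

    This is the check the AS7/WildFly adapters do with their state cookie;
    a mismatch means the callback was not started by this session (CSRF or a
    stale login), so the code must not be exchanged.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not started by this session")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def code_exchange_request(realm, client_id, redirect_uri, code):
    """POST to the access-code endpoint. Form field names follow OAuth2;
    the exact set Keycloak 1.0 reads is an assumption in this example."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }).encode()
    url = f"{BASE}/realms/{urllib.parse.quote(realm)}/tokens/access/codes"
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def unverified_claims(jwt):
    """Decode the JWT payload WITHOUT checking the signature.

    Only use the result after a library has verified the signature against
    the realm public key; this just shows where preferred_username/email live.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def realm_update_request(realm, access_token, representation):
    """PUT a realm representation (JSON body, bearer token) to the admin
    endpoint Stian linked: /admin/realms/{realm}."""
    url = f"{BASE}/admin/realms/{urllib.parse.quote(realm)}"
    return urllib.request.Request(
        url, data=json.dumps(representation).encode(), method="PUT",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})


def sample_token(claims):
    """Constructed, unsigned token for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    state = new_state()
    print(login_url("demo", "my-app", "https://app.example.invalid/cb", state))
    code = parse_callback(f"https://app.example.invalid/cb?code=abc&state={state}", state)
    print("code:", code, "claims:", unverified_claims(sample_token({"preferred_username": "alice"})))
```

Send `code_exchange_request(...)` with `urllib.request.urlopen` only after `parse_callback` has accepted the state, and feed the returned access token to `realm_update_request` only once its signature has been verified; the admin PUT needs a token for a user with realm-admin rights, which is what the RealmTest example in the thread obtains first.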