From sebastian.p.lorenz at gmail.com Wed Apr 1 02:52:25 2015 From: sebastian.p.lorenz at gmail.com (Sebastian Lorenz) Date: Wed, 1 Apr 2015 08:52:25 +0200 Subject: [keycloak-user] Fwd: Help troubleshooting config Message-ID: Hi Tom, I'm also quite new to Keycloak and had some trouble setting it up in the beginning. That's why I wrote a small tutorial http://sebplorenz.blogspot.de/ Maybe it is of help for you. Since you are not redirected to Keycloak at all, I would assume that either: 1. Your web resource is not listed in the element in web.xml or 2. Your is not set to Keycloak in web.xml or 3. Keycloak is not configured correctly in your standalone.xml server configuration and therefore does not interrupt the access to the resource. Good Luck. Sebastian > ---------- Weitergeleitete Nachricht ---------- > From: Thomas LaPorte > To: keycloak-user at lists.jboss.org > Cc: > Date: Tue, 31 Mar 2015 15:05:32 -0700 > Subject: Re: [keycloak-user] Help troubleshooting config > Thanks to a list member for some debug setup help, I'm getting much more > information. > > Now I can see (and confirm my suspicion), that something is not right and > my resource is unprotected. > > For the example customer-portal app, I see that after the "callback-uri: > ..." message, I get a "Sending redirect to login page:..." message. > > For my app, it goes directly to "AuthenticatedActionsValve.invoke" > > -- Tom > > On Tue, Mar 31, 2015 at 2:49 PM, Guy Davis wrote: > >> Hi Thomas, >> >> To dial up logging, try adding this to your standalone.xml file in the >> logging subsystem and re-starting your Wildfly instance: >> >> >> >> >> >> Then, be sure you have the right configuration in your web.xml of your >> test WAR file. See the docs here >> >> for details. >> >> Hope this helps, >> Guy >> >> >> On Tue, Mar 31, 2015 at 3:30 PM, Thomas LaPorte < >> Thomas.LaPorte at dreamworks.com> wrote: >> >>> Apologies for cutting off by hitting send prematurely. >>> >>> >>> >>> On Tue, Mar 31, 2015 at 2:26 PM, Thomas LaPorte < >>> Thomas.LaPorte at dreamworks.com> wrote: >>> >>>> Greetings. I'm a first-time user of Keycloak, trying to set up a simple >>>> demonstration after the examples, however, I'm having 0% success in getting >>>> my configuration correct enough such that my web resource is protected. >>>> >>>> I have reduced my setup all the way down to a basic "HelloWorld.jsp" in >>>> a WAR file that is deployed into the standalone Wildfly server that is also >>>> hosting the Keycloak server. >>>> >>>> I am convinced that it is a configuration step being missed somewhere, >>>> as I can always access my URL without intervention from the Keycloak server. >>>> >>>> My WAR file consists of the following: >>>> >>>> 0 Tue Mar 31 14:20:20 PDT 2015 META-INF/ >>>> 68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF >>>> 0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/ >>>> 1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml >>>> 491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json >>>> 308 Tue Mar 31 14:20:18 PDT 2015 index.jsp >>>> >>> >>> I have added my application to the demo realm by copying the >>> customer-portal application stanza, and replacing the "customer-portal" >>> with my app name: >>> >>> { >>> "name": "goalkeepers", >>> "enabled": true, >>> "adminUrl": "/goalkeepers", >>> "baseUrl": "/goalkeepers", >>> "redirectUris": [ >>> "/goalkeepers/*" >>> ], >>> "secret": "password" >>> } >>> >>> At this stage I am just looking for suggestions on how best to >>> troubleshoot my configuration? What logging properties can I set to enable >>> more debugging? Or where else can I look for some clues as to the errors in >>> my configuration? >>> >>> I fear I am missing something extremely fundamental, but I can't for the >>> life of me see what it is. >>> >>> - Tom >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/7ef03686/attachment.html From stian at redhat.com Wed Apr 1 02:58:39 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 1 Apr 2015 02:58:39 -0400 (EDT) Subject: [keycloak-user] Fwd: Help troubleshooting config In-Reply-To: References: Message-ID: <1956978098.9763144.1427871519460.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Sebastian Lorenz" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 1 April, 2015 8:52:25 AM > Subject: [keycloak-user] Fwd: Help troubleshooting config > > Hi Tom, > > I'm also quite new to Keycloak and had some trouble setting it up in the > beginning. > That's why I wrote a small tutorial http://sebplorenz.blogspot.de/ > Maybe it is of help for you. > > Since you are not redirected to Keycloak at all, I would assume that either: > > 1. Your web resource is not listed in the element in > web.xml or I'd say this is the problem - as 2 and 3 would result in errors not leaving the resource unsecured > 2. Your is not set to Keycloak in web.xml or > 3. Keycloak is not configured correctly in your standalone.xml server > configuration and therefore does not interrupt the access to the resource. > > Good Luck. Sebastian > > > > ---------- Weitergeleitete Nachricht ---------- > From: Thomas LaPorte < Thomas.LaPorte at dreamworks.com > > To: keycloak-user at lists.jboss.org > Cc: > Date: Tue, 31 Mar 2015 15:05:32 -0700 > Subject: Re: [keycloak-user] Help troubleshooting config > Thanks to a list member for some debug setup help, I'm getting much more > information. > > Now I can see (and confirm my suspicion), that something is not right and my > resource is unprotected. > > For the example customer-portal app, I see that after the "callback-uri: ..." > message, I get a "Sending redirect to login page:..." message. > > For my app, it goes directly to "AuthenticatedActionsValve.invoke" > > -- Tom > > On Tue, Mar 31, 2015 at 2:49 PM, Guy Davis < guydavis.ca at gmail.com > wrote: > > > > Hi Thomas, > > To dial up logging, try adding this to your standalone.xml file in the > logging subsystem and re-starting your Wildfly instance: > > > > > > Then, be sure you have the right configuration in your web.xml of your test > WAR file. See the docs here for details. > > Hope this helps, > Guy > > > On Tue, Mar 31, 2015 at 3:30 PM, Thomas LaPorte < > Thomas.LaPorte at dreamworks.com > wrote: > > > > Apologies for cutting off by hitting send prematurely. > > > > On Tue, Mar 31, 2015 at 2:26 PM, Thomas LaPorte < > Thomas.LaPorte at dreamworks.com > wrote: > > > > Greetings. I'm a first-time user of Keycloak, trying to set up a simple > demonstration after the examples, however, I'm having 0% success in getting > my configuration correct enough such that my web resource is protected. > > I have reduced my setup all the way down to a basic "HelloWorld.jsp" in a WAR > file that is deployed into the standalone Wildfly server that is also > hosting the Keycloak server. > > I am convinced that it is a configuration step being missed somewhere, as I > can always access my URL without intervention from the Keycloak server. > > My WAR file consists of the following: > > 0 Tue Mar 31 14:20:20 PDT 2015 META-INF/ > 68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF > 0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/ > 1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml > 491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json > 308 Tue Mar 31 14:20:18 PDT 2015 index.jsp > > I have added my application to the demo realm by copying the customer-portal > application stanza, and replacing the "customer-portal" with my app name: > > { > "name": "goalkeepers", > "enabled": true, > "adminUrl": "/goalkeepers", > "baseUrl": "/goalkeepers", > "redirectUris": [ > "/goalkeepers/*" > ], > "secret": "password" > } > At this stage I am just looking for suggestions on how best to troubleshoot > my configuration? What logging properties can I set to enable more > debugging? Or where else can I look for some clues as to the errors in my > configuration? > > I fear I am missing something extremely fundamental, but I can't for the life > of me see what it is. > > - Tom > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From chenkeong.yap at izeno.com Wed Apr 1 03:14:26 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Wed, 1 Apr 2015 15:14:26 +0800 Subject: [keycloak-user] Application access control by user Message-ID: Hi Guys, I just wondering can we restrict the application access by user in keycloak? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/4d7a77a6/attachment.html From stian at redhat.com Wed Apr 1 03:31:15 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 1 Apr 2015 03:31:15 -0400 (EDT) Subject: [keycloak-user] Application access control by user In-Reply-To: References: Message-ID: <1596005791.9779136.1427873475679.JavaMail.zimbra@redhat.com> Yes, you just select what roles a user has permissions to. ----- Original Message ----- > From: "Chen Keong Yap" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 1 April, 2015 9:14:26 AM > Subject: [keycloak-user] Application access control by user > > Hi Guys, > > I just wondering can we restrict the application access by user in keycloak? > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Henk.Laracker at planonsoftware.com Wed Apr 1 05:52:34 2015 From: Henk.Laracker at planonsoftware.com (Henk Laracker) Date: Wed, 1 Apr 2015 11:52:34 +0200 Subject: [keycloak-user] keycloak openshift cartridge In-Reply-To: References: <1253396268.9347081.1427823413622.JavaMail.zimbra@redhat.com> Message-ID: Hi, We have a local open shift origin installation (v3) what are the preconditions on the node to install the keycloak cartridge ? Locally I get the following error: * Error: Failed to execute: 'control start' for /var/lib/openshift/551bbdcf740240aa43000004/wildfly * Starting wildfly cart wildfly process failed to start * WildFly 8 administrator added. Please make note of these credentials: Username: adminLBGfqXG Password: P6LkriS1mLWu run 'rhc port-forward keycloak' to access the web admin area on port 9990. * Unable to complete the requested operation due to: An invalid exit code (157) was returned from the server node-dev-eu-m-atd-00.infra.planoncloud.com. This indicates an unexpected problem during the execution of your request.. Reference ID: c9bc685846fcf14554c2dc7251d80949 I think wildfly is missing, do I need to add the cartridge to open shift or do I need to install it on every node? Thanks On 31/03/15 21:33, "Henk Laracker" wrote: > >On 31/03/15 19:36, "Stian Thorgersen" wrote: > >> >> >>----- Original Message ----- >>> From: "Henk Laracker" >>> To: keycloak-user at lists.jboss.org >>> Sent: Tuesday, 31 March, 2015 5:05:27 PM >>> Subject: [keycloak-user] keycloak openshift cartridge >>> >>> Hi, >>> >>> Can someone explain me the difference between the two openshift >>>projects in >>> github. >>> >>> https://github.com/stianst/openshift-keycloak-cartridge/ >> >>That's my personal fork which I often push snapshots to >> >>> >>> https://github.com/keycloak/openshift-keycloak-cartridge >> >>That's the official one and should be working so please give me some more >>details about your issues > >It is not tagged (branch) for keycloak 1.1, so I don?t now which version I >install of keycloak when I install the master. I don?t like to install the >master because the result can change every time. >The result of installing the master on open shift online is that I first >get a message: > >Application creation is taking longer than expected. Please wait a few >minutes, then refresh this page. > >After that the application is very short visible but automaticly removed >from openshift. > >De second time I try it works >WildFly 8 administrator added. Please make note of these credentials: > > Username: ************ > Password: ************ > > run 'rhc port-forward keycloakmaster' to access the web admin area on >port 9990. > > >The result : http://keycloakmaster-ciwwa.rhcloud.com/ is working fine ( >this is the first time after several attempts the last days) > >Some suggestion, can you add > >Mappings: > - Frontend: '' > Backend: '' > Options: { tohttps: '' } > > >This will result in automatically redirection to https. > >The next step I will try out is to use the new server, I keep you informed >if I get again the message "ERROR: failed verification of token? > >Keep up the good work! > >> >>> >>> I?m curieus about the status, the official keycloak openshift cartridge >>>does >>> not show the keycloak interface after deployment, I don?t know what I?m >>> doing wrong. >>> The openshift cartridge of stianst is working but I have problems >>>connecting >>> to it, it keep getting a ERROR: failed verification of token in my >>>local >>> tomcat when trying to use it. >>> >>> >>> >>> Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / >>>Tr?s >>> cordialement, >>> >>> >>> >>> >>> Henk Laracker >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > From chenkeong.yap at izeno.com Wed Apr 1 06:14:52 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Wed, 1 Apr 2015 18:14:52 +0800 Subject: [keycloak-user] Application access control by user In-Reply-To: <1596005791.9779136.1427873475679.JavaMail.zimbra@redhat.com> References: <1596005791.9779136.1427873475679.JavaMail.zimbra@redhat.com> Message-ID: thanks! it's working now. On Wed, Apr 1, 2015 at 3:31 PM, Stian Thorgersen wrote: > Yes, you just select what roles a user has permissions to. > > ----- Original Message ----- > > From: "Chen Keong Yap" > > To: keycloak-user at lists.jboss.org > > Sent: Wednesday, 1 April, 2015 9:14:26 AM > > Subject: [keycloak-user] Application access control by user > > > > Hi Guys, > > > > I just wondering can we restrict the application access by user in > keycloak? > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/130c0eef/attachment.html From chenkeong.yap at izeno.com Wed Apr 1 06:26:02 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Wed, 1 Apr 2015 18:26:02 +0800 Subject: [keycloak-user] Default Redirect URL is not working Message-ID: Hi, I've configured Default Redirect URL=http://localhost:8080/employee/test.jsp in keycloak (1.1.0 beta2) admin console. When i access ServiceURL, the request is redirected to keycloak login page. After authentication is successful then keycloak redirected to ServiceURL instead of Default Redirect URL. Can someone please advise? Picketlink.xml : ${idp.url:: https://localhost:8443/auth/realms/saml-demo-1/protocol/saml} ${EMPLOYEE.url::http://localhost:8080/employee/} -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/e74dcc1c/attachment.html From bburke at redhat.com Wed Apr 1 08:16:48 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 01 Apr 2015 08:16:48 -0400 Subject: [keycloak-user] Default Redirect URL is not working In-Reply-To: References: Message-ID: <551BE1B0.10408@redhat.com> Default URL is for when no redirect URL is provided to Keycloak at login. For SAML, you have to be redirected back to the service URL or login won't complete successfully. On 4/1/2015 6:26 AM, Chen Keong Yap wrote: > Hi, > > I've configured Default Redirect > URL=http://localhost:8080/employee/test.jsp in keycloak (1.1.0 beta2) > admin console. When i access ServiceURL, the request is redirected to > keycloak > login page. After authentication is successful then keycloak redirected > to ServiceURL instead of Default Redirect URL. Can someone please advise? > > Picketlink.xml : > > > ServerEnvironment="tomcat" BindingType="REDIRECT" RelayState="someURL"> > ${idp.url::https://localhost:8443/auth/realms/saml-demo-1/protocol/saml} > ${EMPLOYEE.url::http://localhost:8080/employee/} > > > > class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" > /> > class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"> > > class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" > /> > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From Tom.Nuernberger at tceq.texas.gov Wed Apr 1 13:28:39 2015 From: Tom.Nuernberger at tceq.texas.gov (Tom Nuernberger) Date: Wed, 1 Apr 2015 17:28:39 +0000 Subject: [keycloak-user] Is there an example Oracle Configuration for Keycloak Message-ID: Can anyone point me to some example Oracle configuration ? Thanks. Tom W. Nuernberger Programmer Analyst IV Texas Commission on Environmental Equality 12100 Park 35 Circle | Bldg. A | Austin, TX 78753 (512) 239-0895 [cid:image001.jpg at 01D06C77.5FEAB630] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/a6fd3c36/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 2402 bytes Desc: image001.jpg Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/a6fd3c36/attachment.jpg From stian at redhat.com Wed Apr 1 13:31:01 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 1 Apr 2015 13:31:01 -0400 (EDT) Subject: [keycloak-user] Is there an example Oracle Configuration for Keycloak In-Reply-To: References: Message-ID: <1298505730.10275962.1427909461321.JavaMail.zimbra@redhat.com> Google "WildFly oracle datasource" and you'll find it ;) ----- Original Message ----- > From: "Tom Nuernberger" > To: keycloak-user at lists.jboss.org > Sent: Wednesday, 1 April, 2015 7:28:39 PM > Subject: [keycloak-user] Is there an example Oracle Configuration for Keycloak > > > > Can anyone point me to some example Oracle configuration ? > > > > Thanks. > > > > Tom W. Nuernberger > > Programmer Analyst IV > > Texas Commission on Environmental Equality > > 12100 Park 35 Circle | Bldg. A | Austin, TX 78753 > > (512) 239-0895 > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From thiago.addevico at gmail.com Wed Apr 1 13:33:26 2015 From: thiago.addevico at gmail.com (Thiago Presa) Date: Wed, 1 Apr 2015 14:33:26 -0300 Subject: [keycloak-user] Application Management In-Reply-To: <1915332308.6796315.1427464264502.JavaMail.zimbra@redhat.com> References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>

<596874598.6524658.1427432321791.JavaMail.zimbra@redhat.com> <1915332308.6796315.1427464264502.JavaMail.zimbra@redhat.com> Message-ID: Speaking with my colleagues, I believe it won't cause troubles for us. We had to give view-applications: the admin console wouldn't work properly, but this is also OK according to our requirements. Would you mind giving us some feedback on [1]? We wrote this to experiment a bit with the proposal, but I'm not familiar with keycloak's source or practices. What should I do to help get this merged? [1] https://github.com/keycloak/keycloak/compare/master...tpresa:master On Fri, Mar 27, 2015 at 10:51 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Thiago Presa" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Friday, 27 March, 2015 2:01:56 PM > > Subject: Re: [keycloak-user] Application Management > > > > Ah, yes, I didn't understand your proposal properly. Wouldn't giving > > manage-users to app-admins wouldn't cause trouble, since app-admins could > > create and modify user accounts? > > Whether or not it's causing trouble depends on your requirements, but yes, > they could create and modify user accounts, but not grant more privileges. > > If you need to go beyond this one alternative is to wrap the admin > endpoints in your own application. We've just got so much on our plate at > the moment that we can't provide this level of control on permissions. > > > > > On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen > wrote: > > > > > Well, yes.. I told you it was a bit rubbish and would need some > re-design > > > to implement more fine grained permissions. Doing that is a relatively > big > > > task and is not a high priority for us ATM. > > > > > > I'm a bit confused by this email as I proposed a simple solution that > > > would resolve your requirements. If an admin can only grant permissions > > > that admin has access to all you have to do is to create an admin that > can > > > only access roles for certain applications and your problem should be > > > solved. That's a simple solution that we can add soon. > > > > > > ----- Original Message ----- > > > > From: "Thiago Presa" > > > > To: "Stian Thorgersen" > > > > Cc: keycloak-user at lists.jboss.org > > > > Sent: Thursday, 26 March, 2015 8:10:07 PM > > > > Subject: Re: [keycloak-user] Application Management > > > > > > > > So I've spent the last couple of days playing with the source. :-) > > > > > > > > The current authorization mechanism is based on Realm/RealmApp i.e. > > > > whenever an API resource is called, check if the User has the > required > > > > Right (manage, any, view) in the resource's Realm/RealmApp. > > > > > > > > Consider, for example, the URI > > > > > /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. > > > What > > > > I was trying to do is to create a permission for {app-name} so that > this > > > > API call wouldn't require any Realm/RealmApp right. > > > > > > > > The problem I see is that this API call trigger many methods (i.e. > > > > AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, > > > > RealmAdminResource#getApplicationsById, and so on...), and at those > > > methods > > > > there is not enough information to figure out whether this is: > > > > > > > > 1- An app-specific call and thus should be authorized even without > realm > > > > authorization, or; > > > > 2- Not app-specific call and this should be properly authorized by > > > > Realm/RealmApp. > > > > > > > > Even in the case of (1), the information on which app should I check > for > > > > authorization is not available. > > > > > > > > So it seems to me that this resource-loading mechanisms pressuposes > an > > > > authorization mechanism that checks only against the realm for > > > permission, > > > > and changing this seems daunting to me. > > > > > > > > Do you guys have any idea on a more local change I could make to > achieve > > > > the intended behavior? > > > > > > > > On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa < > thiago.addevico at gmail.com > > > > > > > > wrote: > > > > > > > > > OK, agreed. We thought this out of consistency, but if that's not a > > > good > > > > > design we surely can consider a better one. > > > > > > > > > > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen < > stian at redhat.com> > > > > > wrote: > > > > > > > > > >> > > > > >> > > > > >> ----- Original Message ----- > > > > >> > From: "Thiago Presa" > > > > >> > To: stian at redhat.com > > > > >> > Cc: keycloak-user at lists.jboss.org > > > > >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM > > > > >> > Subject: Re: [keycloak-user] Application Management > > > > >> > > > > > >> > Hi there, > > > > >> > > > > > >> > I'm Alex's coworker and I'll be working on this too. > > > > >> > > > > > >> > We were just discussing your idea, and it seems to fit our > > > requirements. > > > > >> > > > > > >> > As far as we have seen, keycloak already has a realm-admin > concept. > > > > >> > Whenever a realm "R" is created, it creates a R-realm > application > > > with > > > > >> > a bunch of default roles (manage-users, manage-roles, etc.) > into the > > > > >> > realm master. > > > > >> > > > > > >> > We are currently thinking if we could mimic this structure for > > > > >> > applications. What do you think? > > > > >> > > > > >> It's already messy with the way I modelled it and adding the same > for > > > > >> applications would be even worse. I don't see why that's needed > > > though if > > > > >> we'd add what I proposed. > > > > >> > > > > >> > > > > > >> > > I had an idea a while back that is a simple way to achieve > what > > > you're > > > > >> > > asking for. Th> e idea would be to only allow an admin to > grant > > > roles > > > > >> that > > > > >> > > the admin has access to. > > > > >> > > > > > >> > > Basically:> * A user with admin (super user) role can grant > any > > > roles > > > > >> (we > > > > >> > > would need to add a per-> realm super user role) > > > > >> > > > > > >> > > * A user with the role manage-users and some roles on app1 can > > > only > > > > >> grant > > > > >> > > other users > the roles on app1 > > > > >> > > > > > >> > > * A user with the role manage-users and some roles on app2 can > > > only > > > > >> grant > > > > >> > > other users > the roles on app2 > > > > >> > > > > > >> > > > > > > >> > > > > > >> > > This is something we should add in either case (to prevent > users > > > > >> granting > > > > >> > themselves more access). Would it solve your problems? > > > > >> > > > > > >> > > > > > > > > > > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/8f964f28/attachment-0001.html From Thomas.LaPorte at dreamworks.com Wed Apr 1 18:58:23 2015 From: Thomas.LaPorte at dreamworks.com (Thomas LaPorte) Date: Wed, 1 Apr 2015 15:58:23 -0700 Subject: [keycloak-user] Fwd: Help troubleshooting config In-Reply-To: <1956978098.9763144.1427871519460.JavaMail.zimbra@redhat.com> References: <1956978098.9763144.1427871519460.JavaMail.zimbra@redhat.com> Message-ID: Thank you both, very much! Pointing me at the web.xml was the final piece I needed. I spent some more time trying to understand the bits and bobs in that file and finally understood the URL paths of my sample app, and how they were (or were not, in my case) being reflected in the web.xml. I was even able to move my working configuration to a Tomcat server and replicate my success there. Many thanks!! On Tue, Mar 31, 2015 at 11:58 PM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Sebastian Lorenz" > > To: keycloak-user at lists.jboss.org > > Sent: Wednesday, 1 April, 2015 8:52:25 AM > > Subject: [keycloak-user] Fwd: Help troubleshooting config > > > > Hi Tom, > > > > I'm also quite new to Keycloak and had some trouble setting it up in the > > beginning. > > That's why I wrote a small tutorial http://sebplorenz.blogspot.de/ > > Maybe it is of help for you. > > > > Since you are not redirected to Keycloak at all, I would assume that > either: > > > > 1. Your web resource is not listed in the element > in > > web.xml or > > I'd say this is the problem - as 2 and 3 would result in errors not > leaving the resource unsecured > > > 2. Your is not set to Keycloak in web.xml or > > 3. Keycloak is not configured correctly in your standalone.xml server > > configuration and therefore does not interrupt the access to the > resource. > > > > Good Luck. Sebastian > > > > > > > > ---------- Weitergeleitete Nachricht ---------- > > From: Thomas LaPorte < Thomas.LaPorte at dreamworks.com > > > To: keycloak-user at lists.jboss.org > > Cc: > > Date: Tue, 31 Mar 2015 15:05:32 -0700 > > Subject: Re: [keycloak-user] Help troubleshooting config > > Thanks to a list member for some debug setup help, I'm getting much more > > information. > > > > Now I can see (and confirm my suspicion), that something is not right > and my > > resource is unprotected. > > > > For the example customer-portal app, I see that after the "callback-uri: > ..." > > message, I get a "Sending redirect to login page:..." message. > > > > For my app, it goes directly to "AuthenticatedActionsValve.invoke" > > > > -- Tom > > > > On Tue, Mar 31, 2015 at 2:49 PM, Guy Davis < guydavis.ca at gmail.com > > wrote: > > > > > > > > Hi Thomas, > > > > To dial up logging, try adding this to your standalone.xml file in the > > logging subsystem and re-starting your Wildfly instance: > > > > > > > > > > > > Then, be sure you have the right configuration in your web.xml of your > test > > WAR file. See the docs here for details. > > > > Hope this helps, > > Guy > > > > > > On Tue, Mar 31, 2015 at 3:30 PM, Thomas LaPorte < > > Thomas.LaPorte at dreamworks.com > wrote: > > > > > > > > Apologies for cutting off by hitting send prematurely. > > > > > > > > On Tue, Mar 31, 2015 at 2:26 PM, Thomas LaPorte < > > Thomas.LaPorte at dreamworks.com > wrote: > > > > > > > > Greetings. I'm a first-time user of Keycloak, trying to set up a simple > > demonstration after the examples, however, I'm having 0% success in > getting > > my configuration correct enough such that my web resource is protected. > > > > I have reduced my setup all the way down to a basic "HelloWorld.jsp" in > a WAR > > file that is deployed into the standalone Wildfly server that is also > > hosting the Keycloak server. > > > > I am convinced that it is a configuration step being missed somewhere, > as I > > can always access my URL without intervention from the Keycloak server. > > > > My WAR file consists of the following: > > > > 0 Tue Mar 31 14:20:20 PDT 2015 META-INF/ > > 68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF > > 0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/ > > 1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml > > 491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json > > 308 Tue Mar 31 14:20:18 PDT 2015 index.jsp > > > > I have added my application to the demo realm by copying the > customer-portal > > application stanza, and replacing the "customer-portal" with my app name: > > > > { > > "name": "goalkeepers", > > "enabled": true, > > "adminUrl": "/goalkeepers", > > "baseUrl": "/goalkeepers", > > "redirectUris": [ > > "/goalkeepers/*" > > ], > > "secret": "password" > > } > > At this stage I am just looking for suggestions on how best to > troubleshoot > > my configuration? What logging properties can I set to enable more > > debugging? Or where else can I look for some clues as to the errors in my > > configuration? > > > > I fear I am missing something extremely fundamental, but I can't for the > life > > of me see what it is. > > > > - Tom > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/99bb217a/attachment.html From srossillo at smartling.com Wed Apr 1 19:37:23 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Wed, 1 Apr 2015 19:37:23 -0400 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated Message-ID: Hi all, I?m running Keycloak 1.1.0-Final in standalone mode and using Keycloak agents on Tomcat 6 and Tomcat 8. With both agents, whenever I try to log a user out via the Keycloak server, I see this in the Tomcat server?s log: Apr 01, 2015 7:27:47 PM org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession WARN: Session not present or already invalidated. The session is still valid and continues to be valid for some period of time in each of the Tomcat instances. Anyone know how to fix? I was looking at the source and I see this method: - - org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. logoutSession() I may test loging the actual exception tomorrow if no one has a clue, but I think it?s probably the exception is being thrown for some reason other than the session no longer existing (it definitely still does). Best, Scott -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150401/cf536830/attachment.html From stian at redhat.com Thu Apr 2 08:38:51 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 2 Apr 2015 08:38:51 -0400 (EDT) Subject: [keycloak-user] Keycloak 1.2.0.Beta1 Released In-Reply-To: <1943269927.10938403.1427978311541.JavaMail.zimbra@redhat.com> Message-ID: <1466648129.10938551.1427978331196.JavaMail.zimbra@redhat.com> We're proud to announce the release of Keycloak 1.2.0.Beta1. This is a great release, especially if you're after enterprise capabilities. The major new features in this release includes: * Protocol mapping - With protocol mapping it's easy to define what claims are added to the token an application receives. * Kerberos - It's now possible to authenticate with a Keycloak realm using Kerberos tickets through SPNEGO. * Identity Brokering - As well as Kerberos you can also authenticate with Keycloak with an external SAML 2.0 or OpenID Connect Identity Provider. * OpenID Connect improvements - We've made several improvements to comply with the OpenID Connect specification and we've also introduced new features such as Discovery, Session Management and UserInfo endpoint. * Internationalization support for login and account management Thanks to Michael Gerber the login and account management pages now have internationalization support. We have built in support for English, German and Brazilian Portuguese. We've also made it easy to add your own and if you'd like to contribute a translation let us know. * Deploy providers as modules - It's now possible to deploy custom providers as modules. This gives you full control of the classloader for your provider. * Deploy themes as modules - We've made it much simpler to package themes and they can also be deployed as a module. This makes it simpler to distribute themes as well as using custom themes in a cluster. * Login with Stackoverflow and LinkedIn - Thanks to Vlastimil Eli?? we now have built-in support to login with Stackoverflow and LinkedIn. * SysLog event listener - Thanks to Giriraj Sharma we now have a syslog event listener. * Version control on cached resources - A common issue in the past was that the admin console didn't work after upgrading Keycloak. This was caused by the browser caching old html and javascript. We've solved this issue by including a version number in the resource urls, so upgrading should be even simpler now! To get the release go to www.keycloak.org. For the full lists of issues resolved for this release check https://issues.jboss.org/browse/KEYCLOAK. Remember to read the migration guide before upgrading as it contains vital information about what's changed and how to upgrade. From mposolda at redhat.com Thu Apr 2 10:23:55 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 02 Apr 2015 16:23:55 +0200 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: References: Message-ID: <551D50FB.9010601@redhat.com> Hi, I've tried with Apache Tomcat 6.0.35 but wasn't able to reproduce with latest Keycloak 1.2.0.Beta1. Logout works fine for me. How are you doing logout? From the application or from KC admin console? For the tomcat6, the httpServletRequest.logout() method is not yet available, so best for logout from the application is redirecting to Keycloak logout URL similarly like in our demo example: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 You can also enable debug logging, which should show some additional messages in the log by adding this line into $TOMCAT_HOME/conf/logging.properties: org.keycloak.level = FINE Marek On 2.4.2015 01:37, Scott Rossillo wrote: > Hi all, > > I?m running Keycloak 1.1.0-Final in standalone mode and using Keycloak > agents on Tomcat 6 and Tomcat 8. > > With both agents, whenever I try to log a user out via the Keycloak > server, I see this in the Tomcat server?s log: > > Apr 01, 2015 7:27:47 PM > org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession > WARN: Session not present or already invalidated. > > The session is still valid and continues to be valid for some period > of time in each of the Tomcat instances. Anyone know how to fix? > > I was looking at the source and I see this method: > > * > > > * org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. > > logoutSession() > > I may test loging the actual exception tomorrow if no one has a clue, > but I think it?s probably the exception is being thrown for some > reason other than the session no longer existing (it definitely still > does). > > Best, > Scott > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/a992fd79/attachment-0001.html From srossillo at smartling.com Thu Apr 2 11:06:40 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Thu, 2 Apr 2015 11:06:40 -0400 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: <551D50FB.9010601@redhat.com> References: <551D50FB.9010601@redhat.com> Message-ID: Hi, Thanks for the reply. I was trying to log a user out from the Keycloak admin console. I will try the redirect method and see if it works. Also, I?m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 and report if the issue is still occurring. Best, Scott On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda wrote: > Hi, > > I've tried with Apache Tomcat 6.0.35 but wasn't able to reproduce with > latest Keycloak 1.2.0.Beta1. Logout works fine for me. > > How are you doing logout? From the application or from KC admin console? > For the tomcat6, the httpServletRequest.logout() method is not yet > available, so best for logout from the application is redirecting to > Keycloak logout URL similarly like in our demo example: > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 > > You can also enable debug logging, which should show some additional > messages in the log by adding this line into > $TOMCAT_HOME/conf/logging.properties: > > org.keycloak.level = FINE > > Marek > > > > On 2.4.2015 01:37, Scott Rossillo wrote: > > Hi all, > > I?m running Keycloak 1.1.0-Final in standalone mode and using Keycloak > agents on Tomcat 6 and Tomcat 8. > > With both agents, whenever I try to log a user out via the Keycloak > server, I see this in the Tomcat server?s log: > > Apr 01, 2015 7:27:47 PM > org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession > WARN: Session not present or already invalidated. > > The session is still valid and continues to be valid for some period of > time in each of the Tomcat instances. Anyone know how to fix? > > I was looking at the source and I see this method: > > - > > > - org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. > > logoutSession() > > I may test loging the actual exception tomorrow if no one has a clue, > but I think it?s probably the exception is being thrown for some reason > other than the session no longer existing (it definitely still does). > > Best, > Scott > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/03735e67/attachment.html From srossillo at smartling.com Thu Apr 2 11:37:25 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Thu, 2 Apr 2015 11:37:25 -0400 Subject: [keycloak-user] Keycloak 1.2.0.Beta1 Released In-Reply-To: <1466648129.10938551.1427978331196.JavaMail.zimbra@redhat.com> References: <1943269927.10938403.1427978311541.JavaMail.zimbra@redhat.com> <1466648129.10938551.1427978331196.JavaMail.zimbra@redhat.com> Message-ID: Looks great! Will 1.2.0.Beta1 hit Maven Central today? ~ Scott On Thu, Apr 2, 2015 at 8:38 AM, Stian Thorgersen wrote: > We're proud to announce the release of Keycloak 1.2.0.Beta1. This is a > great release, especially if you're after enterprise capabilities. > > The major new features in this release includes: > > * Protocol mapping - With protocol mapping it's easy to define what claims > are added to the token an application receives. > * Kerberos - It's now possible to authenticate with a Keycloak realm using > Kerberos tickets through SPNEGO. > * Identity Brokering - As well as Kerberos you can also authenticate with > Keycloak with an external SAML 2.0 or OpenID Connect Identity Provider. > * OpenID Connect improvements - We've made several improvements to comply > with the OpenID Connect specification and we've also introduced new > features such as Discovery, Session Management and UserInfo endpoint. > * Internationalization support for login and account management Thanks to > Michael Gerber the login and account management pages now have > internationalization support. We have built in support for English, German > and Brazilian Portuguese. We've also made it easy to add your own and if > you'd like to contribute a translation let us know. > * Deploy providers as modules - It's now possible to deploy custom > providers as modules. This gives you full control of the classloader for > your provider. > * Deploy themes as modules - We've made it much simpler to package themes > and they can also be deployed as a module. This makes it simpler to > distribute themes as well as using custom themes in a cluster. > * Login with Stackoverflow and LinkedIn - Thanks to Vlastimil Eli?? we now > have built-in support to login with Stackoverflow and LinkedIn. > * SysLog event listener - Thanks to Giriraj Sharma we now have a syslog > event listener. > * Version control on cached resources - A common issue in the past was > that the admin console didn't work after upgrading Keycloak. This was > caused by the browser caching old html and javascript. We've solved this > issue by including a version number in the resource urls, so upgrading > should be even simpler now! > > To get the release go to www.keycloak.org. For the full lists of issues > resolved for this release check https://issues.jboss.org/browse/KEYCLOAK. > > Remember to read the migration guide before upgrading as it contains vital > information about what's changed and how to upgrade. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/70b8b812/attachment.html From aryvlin at morphotrust.com Thu Apr 2 13:21:51 2015 From: aryvlin at morphotrust.com (Ryvlin, Andrey) Date: Thu, 2 Apr 2015 17:21:51 +0000 Subject: [keycloak-user] keycloak.json file for angular app Message-ID: Hi I have AngularJs based UI web app talking to RESTfull web services using Keycloak security. Keycloak is running on a separate instance of Wildfly having https connection. UI Web application has keycloak.json file with hardcoded Keycloak URL. Everything works well with one problem: when I need to install my web application to a different environment I need to open WAR, modify keycloak.json with new URL and package it back. Since we deliver the entire installation to the client, I don?t know their host names, so they have to open WAR, which is in-convenient. Is there any way to avoid that? Thanks? Thanks? ----------------- Andrey Ryvlin Principal Software Engineer Phone: 952-979-8492 5705 W Old Shakopee Road, Suite 100 Bloomington, MN 55437 USA ARyvlin at MorphoTrust.com www.MorphoTrust.com [cid:image003.jpg at 01CFF75A.60542BC0] ________________________________ This message is only for the use of the intended recipient and may contain information that is CONFIDENTIAL and PROPRIETARY to MorphoTrust USA, Inc. If you are not the intended recipient, please erase all copies of the message and its attachments and notify the sender immediately. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/5d6cc04a/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 1778 bytes Desc: image001.jpg Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/5d6cc04a/attachment-0001.jpg From mposolda at redhat.com Thu Apr 2 14:04:56 2015 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 02 Apr 2015 20:04:56 +0200 Subject: [keycloak-user] keycloak.json file for angular app In-Reply-To: References: Message-ID: <551D84C8.70500@redhat.com> Hi, I guess in your Angular application you're using something like: var keycloakAuth = new Keycloak('keycloak.json'); right? So instead of this, you can read the Keycloak configuration from some separate URI like: var keycloakAuth = new Keycloak('myconfig'); Where the path 'myconfig' could be mapped to some servlet (or jaxrs application if you prefer), which will return you the JSON with the configuration. So instead of serving the configuration directly from file keycloak.json, you will serve it from the servlet (or jaxrs app). The servlet will run on server side, so you can use whatever is good for your app to init the auth-server-url dynamically (For example read it from System property) Marek On 2.4.2015 19:21, Ryvlin, Andrey wrote: > > Hi > > I have AngularJs based UI web app talking to RESTfull web services > using Keycloak security. > > Keycloak is running on a separate instance of Wildfly having https > connection. > > UI Web application has keycloak.json file with hardcoded Keycloak URL. > > Everything works well with one problem: when I need to install my web > application to a different environment I need to open WAR, modify > keycloak.json with new URL and package it back. > > Since we deliver the entire installation to the client, I don?t know > their host names, so they have to open WAR, which is in-convenient. > > Is there any way to avoid that? > > Thanks? > > Thanks? > > ----------------- > > Andrey Ryvlin > > Principal Software Engineer > > Phone: 952-979-8492 > > 5705 W Old Shakopee Road, Suite 100 > > Bloomington, MN 55437 USA > > ARyvlin at MorphoTrust.com > > www.MorphoTrust.com > > cid:image003.jpg at 01CFF75A.60542BC0 > > > ------------------------------------------------------------------------ > > This message is only for the use of the intended recipient and may > contain information that is CONFIDENTIAL and PROPRIETARY to > MorphoTrust USA, Inc. If you are not the intended recipient, please > erase all copies of the message and its attachments and notify the > sender immediately. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/0817e896/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 1778 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/0817e896/attachment.jpe From aryvlin at morphotrust.com Thu Apr 2 16:02:43 2015 From: aryvlin at morphotrust.com (Ryvlin, Andrey) Date: Thu, 2 Apr 2015 20:02:43 +0000 Subject: [keycloak-user] keycloak.json file for angular app In-Reply-To: <551D84C8.70500@redhat.com> References: <551D84C8.70500@redhat.com> Message-ID: <6d2823192e314b3f90af07ee5eb5b183@BLM-MAIL01P.l1id.local> Marek, I guess this would work if I can pass Json object to Keycloak constructor. Is it possible? Thanks? ----------------- Andrey Ryvlin Principal Software Engineer Phone: 952-979-8492 5705 W Old Shakopee Road, Suite 100 Bloomington, MN 55437 USA ARyvlin at MorphoTrust.com www.MorphoTrust.com [cid:image003.jpg at 01CFF75A.60542BC0] From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Thursday, April 02, 2015 1:05 PM To: Ryvlin, Andrey; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] keycloak.json file for angular app Hi, I guess in your Angular application you're using something like: var keycloakAuth = new Keycloak('keycloak.json'); right? So instead of this, you can read the Keycloak configuration from some separate URI like: var keycloakAuth = new Keycloak('myconfig'); Where the path 'myconfig' could be mapped to some servlet (or jaxrs application if you prefer), which will return you the JSON with the configuration. So instead of serving the configuration directly from file keycloak.json, you will serve it from the servlet (or jaxrs app). The servlet will run on server side, so you can use whatever is good for your app to init the auth-server-url dynamically (For example read it from System property) Marek On 2.4.2015 19:21, Ryvlin, Andrey wrote: Hi I have AngularJs based UI web app talking to RESTfull web services using Keycloak security. Keycloak is running on a separate instance of Wildfly having https connection. UI Web application has keycloak.json file with hardcoded Keycloak URL. Everything works well with one problem: when I need to install my web application to a different environment I need to open WAR, modify keycloak.json with new URL and package it back. Since we deliver the entire installation to the client, I don?t know their host names, so they have to open WAR, which is in-convenient. Is there any way to avoid that? Thanks? Thanks? ----------------- Andrey Ryvlin Principal Software Engineer Phone: 952-979-8492 5705 W Old Shakopee Road, Suite 100 Bloomington, MN 55437 USA ARyvlin at MorphoTrust.com www.MorphoTrust.com [cid:image003.jpg at 01CFF75A.60542BC0] ________________________________ This message is only for the use of the intended recipient and may contain information that is CONFIDENTIAL and PROPRIETARY to MorphoTrust USA, Inc. If you are not the intended recipient, please erase all copies of the message and its attachments and notify the sender immediately. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/3d3aaed2/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 1778 bytes Desc: image001.jpg Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/3d3aaed2/attachment-0001.jpg From srossillo at smartling.com Thu Apr 2 19:30:58 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Thu, 2 Apr 2015 19:30:58 -0400 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: References: <551D50FB.9010601@redhat.com> Message-ID: Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1. I will install a custom built agent tomorrow to catch the actual exception to see what's up. On Thursday, April 2, 2015, Scott Rossillo wrote: > Hi, > > Thanks for the reply. > > I was trying to log a user out from the Keycloak admin console. I will try > the redirect method and see if it works. > > Also, I?m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 and report if > the issue is still occurring. > > Best, > Scott > > > On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda > wrote: > >> Hi, >> >> I've tried with Apache Tomcat 6.0.35 but wasn't able to reproduce with >> latest Keycloak 1.2.0.Beta1. Logout works fine for me. >> >> How are you doing logout? From the application or from KC admin console? >> For the tomcat6, the httpServletRequest.logout() method is not yet >> available, so best for logout from the application is redirecting to >> Keycloak logout URL similarly like in our demo example: >> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 >> >> You can also enable debug logging, which should show some additional >> messages in the log by adding this line into >> $TOMCAT_HOME/conf/logging.properties: >> >> org.keycloak.level = FINE >> >> Marek >> >> >> >> On 2.4.2015 01:37, Scott Rossillo wrote: >> >> Hi all, >> >> I?m running Keycloak 1.1.0-Final in standalone mode and using Keycloak >> agents on Tomcat 6 and Tomcat 8. >> >> With both agents, whenever I try to log a user out via the Keycloak >> server, I see this in the Tomcat server?s log: >> >> Apr 01, 2015 7:27:47 PM >> org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession >> WARN: Session not present or already invalidated. >> >> The session is still valid and continues to be valid for some period of >> time in each of the Tomcat instances. Anyone know how to fix? >> >> I was looking at the source and I see this method: >> >> - >> >> >> - org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. >> >> logoutSession() >> >> I may test loging the actual exception tomorrow if no one has a clue, >> but I think it?s probably the exception is being thrown for some reason >> other than the session no longer existing (it definitely still does). >> >> Best, >> Scott >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150402/9bfb7bc3/attachment.html From chenkeong.yap at izeno.com Thu Apr 2 19:44:24 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Fri, 3 Apr 2015 07:44:24 +0800 Subject: [keycloak-user] Http Session is not invalidated Message-ID: Hi, I've 2 applications installed with Picketlink SPFilter to authenticate with keycloak 1.1.0 beta 2. When i perform global logout, first application was logged out successfully because SP/keycloak session and application http session are removed but the problem is second application SP/keycloak session is removed but application http session is still remained. I've set admin url for these 2 applications in keycloak admin console. Kindly share your ideas. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/357befc9/attachment.html From mposolda at redhat.com Fri Apr 3 01:37:16 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 03 Apr 2015 07:37:16 +0200 Subject: [keycloak-user] keycloak.json file for angular app In-Reply-To: <6d2823192e314b3f90af07ee5eb5b183@BLM-MAIL01P.l1id.local> References: <551D84C8.70500@redhat.com> <6d2823192e314b3f90af07ee5eb5b183@BLM-MAIL01P.l1id.local> Message-ID: <551E270C.3020102@redhat.com> Yes, that works too. You can pass the JSON object with properties "url", "realm" and "clientId" to the constructor. See the docs with the example for this: http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#javascript-adapter Marek On 2.4.2015 22:02, Ryvlin, Andrey wrote: > > Marek, > > I guess this would work if I can pass Json object to Keycloak constructor. > > Is it possible? > > Thanks? > > ----------------- > > Andrey Ryvlin > > Principal Software Engineer > > Phone: 952-979-8492 > > 5705 W Old Shakopee Road, Suite 100 > > Bloomington, MN 55437 USA > > ARyvlin at MorphoTrust.com > > www.MorphoTrust.com > > cid:image003.jpg at 01CFF75A.60542BC0 > > *From:*Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Thursday, April 02, 2015 1:05 PM > *To:* Ryvlin, Andrey; keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] keycloak.json file for angular app > > Hi, > > I guess in your Angular application you're using something like: > > var keycloakAuth = new Keycloak('keycloak.json'); > > right? So instead of this, you can read the Keycloak configuration > from some separate URI like: > > var keycloakAuth = new Keycloak('myconfig'); > > Where the path 'myconfig' could be mapped to some servlet (or jaxrs > application if you prefer), which will return you the JSON with the > configuration. So instead of serving the configuration directly from > file keycloak.json, you will serve it from the servlet (or jaxrs app). > The servlet will run on server side, so you can use whatever is good > for your app to init the auth-server-url dynamically (For example read > it from System property) > > Marek > > > On 2.4.2015 19:21, Ryvlin, Andrey wrote: > > Hi > > I have AngularJs based UI web app talking to RESTfull web services > using Keycloak security. > > Keycloak is running on a separate instance of Wildfly having https > connection. > > UI Web application has keycloak.json file with hardcoded Keycloak URL. > > Everything works well with one problem: when I need to install my > web application to a different environment I need to open WAR, > modify keycloak.json with new URL and package it back. > > Since we deliver the entire installation to the client, I don?t > know their host names, so they have to open WAR, which is > in-convenient. > > Is there any way to avoid that? > > Thanks? > > Thanks? > > ----------------- > > Andrey Ryvlin > > Principal Software Engineer > > Phone: 952-979-8492 > > 5705 W Old Shakopee Road, Suite 100 > > Bloomington, MN 55437 USA > > ARyvlin at MorphoTrust.com > > www.MorphoTrust.com > > cid:image003.jpg at 01CFF75A.60542BC0 > > ------------------------------------------------------------------------ > > > This message is only for the use of the intended recipient and may > contain information that is CONFIDENTIAL and PROPRIETARY to > MorphoTrust USA, Inc. If you are not the intended recipient, > please erase all copies of the message and its attachments and > notify the sender immediately. > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/ca309569/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 1778 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/ca309569/attachment-0001.jpe From mposolda at redhat.com Fri Apr 3 01:42:47 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 03 Apr 2015 07:42:47 +0200 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: References: <551D50FB.9010601@redhat.com>

Message-ID: <551E2857.6020501@redhat.com> Sure, maybe even easier alternative is to try debugger. You can add this to the beginning of $TOMCAT_HOME/bin/catalina.sh: JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n" then start tomcat and then remotely connect to it from your IDE. You will need opened IDE with keycloak sources though. I've changed the code to display the exception stacktrace, but it will be available in next release (not yet in 1.2.0.Beta1 released yesterday) Marek On 3.4.2015 01:30, Scott Rossillo wrote: > Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1. > > I will install a custom built agent tomorrow to catch the actual > exception to see what's up. > > > On Thursday, April 2, 2015, Scott Rossillo > wrote: > > Hi, > > Thanks for the reply. > > I was trying to log a user out from the Keycloak admin console. I > will try the redirect method and see if it works. > > Also, I?m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 and > report if the issue is still occurring. > > Best, > Scott > > On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda > > wrote: > > Hi, > > I've tried with Apache Tomcat 6.0.35 but wasn't able to > reproduce with latest Keycloak 1.2.0.Beta1. Logout works fine > for me. > > How are you doing logout? From the application or from KC > admin console? For the tomcat6, the > httpServletRequest.logout() method is not yet available, so > best for logout from the application is redirecting to > Keycloak logout URL similarly like in our demo example: > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 > > You can also enable debug logging, which should show some > additional messages in the log by adding this line into > $TOMCAT_HOME/conf/logging.properties: > > org.keycloak.level = FINE > > Marek > > > > On 2.4.2015 01:37, Scott Rossillo wrote: >> Hi all, >> >> I?m running Keycloak 1.1.0-Final in standalone mode and using >> Keycloak agents on Tomcat 6 and Tomcat 8. >> >> With both agents, whenever I try to log a user out via the >> Keycloak server, I see this in the Tomcat server?s log: >> >> Apr 01, 2015 7:27:47 PM >> org.keycloak.adapters.tomcat.CatalinaUserSessionManagement >> logoutSession >> WARN: Session not present or already invalidated. >> >> The session is still valid and continues to be valid for some >> period of time in each of the Tomcat instances. Anyone know >> how to fix? >> >> I was looking at the source and I see this method: >> >> * >> >> >> * org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. >> >> logoutSession() >> >> I may test loging the actual exception tomorrow if no one has >> a clue, but I think it?s probably the exception is being >> thrown for some reason other than the session no longer >> existing (it definitely still does). >> >> Best, >> Scott >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/ba532a00/attachment.html From mposolda at redhat.com Fri Apr 3 01:50:52 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 03 Apr 2015 07:50:52 +0200 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: Message-ID: <551E2A3C.8070006@redhat.com> I would try to upgrade to latest 1.2.0.Beta1 as it has some related fixes AFAIK. In this version, you have also possibility to setup either frontChannel logout or backchannel logout for the application. It could be set in Keycloak admin console. I think that at least one of them will work with SP filter in latest version (if not both). Marek On 3.4.2015 01:44, Chen Keong Yap wrote: > Hi, > > I've 2 applications installed with Picketlink SPFilter to authenticate > with keycloak 1.1.0 beta 2. > > When i perform global logout, first application was logged out > successfully because SP/keycloak session and application http session > are removed but the problem is second > application SP/keycloak session is removed but application http > session is still remained. I've set admin url for these 2 applications > in keycloak admin console. Kindly share your ideas. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/3726a699/attachment.html From chenkeong.yap at izeno.com Fri Apr 3 02:28:24 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Fri, 3 Apr 2015 14:28:24 +0800 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: <551E2A3C.8070006@redhat.com> References: <551E2A3C.8070006@redhat.com> Message-ID: Hi Merek, I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the same issues, please refer to the settings shown in the screen shot. Can you please advise how to test backchannel logout? [image: Inline image 1] On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda wrote: > I would try to upgrade to latest 1.2.0.Beta1 as it has some related > fixes AFAIK. > > In this version, you have also possibility to setup either frontChannel > logout or backchannel logout for the application. It could be set in > Keycloak admin console. I think that at least one of them will work with SP > filter in latest version (if not both). > > Marek > > > On 3.4.2015 01:44, Chen Keong Yap wrote: > > Hi, > > I've 2 applications installed with Picketlink SPFilter to authenticate > with keycloak 1.1.0 beta 2. > > When i perform global logout, first application was logged out > successfully because SP/keycloak session and application http session are > removed but the problem is second > application SP/keycloak session is removed but application http session is > still remained. I've set admin url for these 2 applications in keycloak > admin console. Kindly share your ideas. > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/dcea2f7b/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 71582 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/dcea2f7b/attachment-0001.png From mposolda at redhat.com Fri Apr 3 03:36:23 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 03 Apr 2015 09:36:23 +0200 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> Message-ID: <551E42F7.9070404@redhat.com> Switch the "Front channel logout" to off. In this case it should use backchannel (not redirecting through browser, but sending logout requests from Keycloak in background) Marek On 3.4.2015 08:28, Chen Keong Yap wrote: > > Hi Merek, > > I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the > same issues, please refer to the settings shown in the screen shot. > > Can you please advise how to test backchannel logout? > > > Inline image 1 > > > > On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda > wrote: > > I would try to upgrade to latest 1.2.0.Beta1 as it has some > related fixes AFAIK. > > In this version, you have also possibility to setup either > frontChannel logout or backchannel logout for the application. It > could be set in Keycloak admin console. I think that at least one > of them will work with SP filter in latest version (if not both). > > Marek > > > On 3.4.2015 01:44, Chen Keong Yap wrote: >> Hi, >> >> I've 2 applications installed with Picketlink SPFilter to >> authenticate with keycloak 1.1.0 beta 2. >> >> When i perform global logout, first application was logged out >> successfully because SP/keycloak session and application http >> session are removed but the problem is second >> application SP/keycloak session is removed but application http >> session is still remained. I've set admin url for these 2 >> applications in keycloak admin console. Kindly share your ideas. >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/1aec29c7/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 71582 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/1aec29c7/attachment-0001.png From chenkeong.yap at izeno.com Fri Apr 3 03:47:19 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Fri, 3 Apr 2015 15:47:19 +0800 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: <551E42F7.9070404@redhat.com> References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com> Message-ID: Hi Marek, I've just tested backchannel logout and it's showing same issue. Both applications are using PL SP Filter and the steps below are used for testing. 1. Open https://localhost:8443/employee/ and http request is redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml 2. Enter username and password into keycloak login page and redirected to employee landing page 3. Open https://localhost:8443/sales-post/ and redirected to sales-post landing page without login 4. Logon to keycloak admin console and noticed there are 2 active sessions 5. Perform global logout from employee landing page ( https://localhost:8443/employee/?GLO=true) and http request is redirected to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml 6. Logon to keycloak admin console and noticed all sessions are gone 7. Refresh sales-post landing page and it's not redirected to keycloak login page. sales-post session still active. Kindly advise why GLO is performed but the second application (sales-post) session still active? On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda wrote: > Switch the "Front channel logout" to off. In this case it should use > backchannel (not redirecting through browser, but sending logout requests > from Keycloak in background) > > Marek > > > > On 3.4.2015 08:28, Chen Keong Yap wrote: > > > Hi Merek, > > I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the > same issues, please refer to the settings shown in the screen shot. > > Can you please advise how to test backchannel logout? > > > [image: Inline image 1] > > > > On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda wrote: > >> I would try to upgrade to latest 1.2.0.Beta1 as it has some related >> fixes AFAIK. >> >> In this version, you have also possibility to setup either frontChannel >> logout or backchannel logout for the application. It could be set in >> Keycloak admin console. I think that at least one of them will work with SP >> filter in latest version (if not both). >> >> Marek >> >> >> On 3.4.2015 01:44, Chen Keong Yap wrote: >> >> Hi, >> >> I've 2 applications installed with Picketlink SPFilter to authenticate >> with keycloak 1.1.0 beta 2. >> >> When i perform global logout, first application was logged out >> successfully because SP/keycloak session and application http session are >> removed but the problem is second >> application SP/keycloak session is removed but application http session >> is still remained. I've set admin url for these 2 applications in keycloak >> admin console. Kindly share your ideas. >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/400efcef/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 71582 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/400efcef/attachment-0001.png From prabhalar at yahoo.com Fri Apr 3 09:19:55 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Fri, 3 Apr 2015 13:19:55 +0000 (UTC) Subject: [keycloak-user] Keycloak 1.2.0.Beta1 Released In-Reply-To: <1466648129.10938551.1427978331196.JavaMail.zimbra@redhat.com> References: <1466648129.10938551.1427978331196.JavaMail.zimbra@redhat.com> Message-ID: <531579039.4426124.1428067195788.JavaMail.yahoo@mail.yahoo.com> That's great news Stian. Kudos to the team for putting in a?great deal of functionality in such a short period of time - KC has now taken a big leap in terms of enterprise capabilities. Can you also outline the roadmap for Keycloak and whether the below will be addressed?1) FIDO protocols2)?STS Thanks,Raghu ? From: Stian Thorgersen To: keycloak-dev ; "keycloak-user at lists.jboss.org" Sent: Thursday, April 2, 2015 8:38 AM Subject: [keycloak-user] Keycloak 1.2.0.Beta1 Released We're proud to announce the release of Keycloak 1.2.0.Beta1. This is a great release, especially if you're after enterprise capabilities. The major new features in this release includes: * Protocol mapping - With protocol mapping it's easy to define what claims are added to the token an application receives. * Kerberos - It's now possible to authenticate with a Keycloak realm using Kerberos tickets through SPNEGO. * Identity Brokering - As well as Kerberos you can also authenticate with Keycloak with an external SAML 2.0 or OpenID Connect Identity Provider. * OpenID Connect improvements - We've made several improvements to comply with the OpenID Connect specification and we've also introduced new features such as Discovery, Session Management and UserInfo endpoint. * Internationalization support for login and account management Thanks to Michael Gerber the login and account management pages now have internationalization support. We have built in support for English, German and Brazilian Portuguese. We've also made it easy to add your own and if you'd like to contribute a translation let us know. * Deploy providers as modules - It's now possible to deploy custom providers as modules. This gives you full control of the classloader for your provider. * Deploy themes as modules - We've made it much simpler to package themes and they can also be deployed as a module. This makes it simpler to distribute themes as well as using custom themes in a cluster. * Login with Stackoverflow and LinkedIn - Thanks to Vlastimil Eli?? we now have built-in support to login with Stackoverflow and LinkedIn. * SysLog event listener - Thanks to Giriraj Sharma we now have a syslog event listener. * Version control on cached resources - A common issue in the past was that the admin console didn't work after upgrading Keycloak. This was caused by the browser caching old html and javascript. We've solved this issue by including a version number in the resource urls, so upgrading should be even simpler now! To get the release go to www.keycloak.org. For the full lists of issues resolved for this release check https://issues.jboss.org/browse/KEYCLOAK. Remember to read the migration guide before upgrading as it contains vital information about what's changed and how to upgrade. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/e15a281e/attachment.html From msakho at redhat.com Fri Apr 3 09:41:45 2015 From: msakho at redhat.com (Meissa M'baye Sakho) Date: Fri, 3 Apr 2015 09:41:45 -0400 (EDT) Subject: [keycloak-user] deploying restful service application out of the keycloak autorisation server In-Reply-To: <2025474053.10998781.1428066513501.JavaMail.zimbra@redhat.com> Message-ID: <1081623203.11004743.1428068505044.JavaMail.zimbra@redhat.com> Hi all, I have a question about running my applications in a different server than the keycloak one. I have one third party oauth client web application and one pure restful web service application. I have created a realm, configured the two applications as explained in the videos tutorials. The two applications behaviour are similar to the database service and the third-party oauth client that are shipped in the example of keycloak distribution. Every thing work fine when I deploy all on the same wildfly server that is hosting the keycloak server; I would like to deploy the restful web application and the oauth client in a another JBOSS EAP 6 server. For the oauth client, as explained in the video tutorial, I will have to define the complete url while defining the redirect url in the registration step. For the restful services web application, it's a bearer only access type application. It will only accept token authentification. There is no redirect url. How do I configure the restful services web application in this situation? Is there something to configure so that the keycloak adapter could be able to valide the token when the oauth client calls a service from the restful web application? Thank you in advance. Meissa -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/cae66974/attachment.html From aryvlin at morphotrust.com Fri Apr 3 15:15:38 2015 From: aryvlin at morphotrust.com (Ryvlin, Andrey) Date: Fri, 3 Apr 2015 19:15:38 +0000 Subject: [keycloak-user] Exchange access token to id token Message-ID: Hi, I?m using Keycloak direct grant login to my REST APIs and I need to get authenticated user information for auditing purpose. At my REST implementation class I can get access token from HTTP header by using a request interceptor, but I believe that token is useless for auditing. Is there Keycloak REST API to get id token for the access token? Thank you in advance Andrey Ryvlin Sr. Software Engineer ________________________________ This message is only for the use of the intended recipient and may contain information that is CONFIDENTIAL and PROPRIETARY to MorphoTrust USA, Inc. If you are not the intended recipient, please erase all copies of the message and its attachments and notify the sender immediately. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/e7f0339d/attachment.html From bburke at redhat.com Fri Apr 3 15:20:27 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 03 Apr 2015 15:20:27 -0400 Subject: [keycloak-user] Exchange access token to id token In-Reply-To: References: Message-ID: <551EE7FB.40702@redhat.com> Our access tokens are actually JsonWebTokens packaged in a Json Web Signature. Direct Grant login should also return an IDToken within the Access Token Response. On 4/3/2015 3:15 PM, Ryvlin, Andrey wrote: > Hi, > > I?m using Keycloak direct grant login to my REST APIs and I need to get > authenticated user information for auditing purpose. > > At my REST implementation class I can get access token from HTTP header > by using a request interceptor, but I believe that token is useless for > auditing. > > Is there Keycloak REST API to get id token for the access token? > > Thank you in advance > > Andrey Ryvlin > > Sr. Software Engineer > > > ------------------------------------------------------------------------ > > This message is only for the use of the intended recipient and may > contain information that is CONFIDENTIAL and PROPRIETARY to MorphoTrust > USA, Inc. If you are not the intended recipient, please erase all copies > of the message and its attachments and notify the sender immediately. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From srossillo at smartling.com Fri Apr 3 15:21:10 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Fri, 3 Apr 2015 15:21:10 -0400 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: <551E2857.6020501@redhat.com> References: <551D50FB.9010601@redhat.com>

<551E2857.6020501@redhat.com> Message-ID: Ok, so a few followups. Just to be clear, here?s what I?m trying to do and the outcomes of each against 1.2.0.Beta1: 1. (Original scenario) Log user out from KC console (Users > [user] Sessions). Result: This still fails with the exception, "org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession Session not present or already invalidated.? The exception thrown here is an NPE as manager.findSession(httpSessionId) failed to find the session. Interestingly, the session is still valid and the ID passed into the manager is correct. Furthermore, while debugging I can see that manager.findSession() looks up the session in a hash map. Interestingly, the session id (key) is there, but the value (session) is null. Maybe this is a Tomcat bug. Using Tomcat 8.0.18, will test with 8.0.21. 2. (Second scenario) Application logout. Documentation 8.10. Logout ( http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152) say you can either call HttpServletRequest.logout() or redirect tohttp://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri. However, you have to do both. Call only .logout() and the KC token is still valid and user can access app with a new session (it will just redirect to KC, see KC session is valid and grant access). Call only auth-server/?/logout and the Tomcat session remains valid. I would have thought that calling the auth-server?s logout endpoint would broadcast logout events to logged in applications, but it doesn?t. I?ll file a JIRA for the second case and continue investigating the first scenario with a newer Tomcat release. Best, Scott On Fri, Apr 3, 2015 at 1:42 AM, Marek Posolda wrote: > Sure, maybe even easier alternative is to try debugger. You can add this > to the beginning of $TOMCAT_HOME/bin/catalina.sh: > > JAVA_OPTS="$JAVA_OPTS > -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n" > > then start tomcat and then remotely connect to it from your IDE. You will > need opened IDE with keycloak sources though. > > I've changed the code to display the exception stacktrace, but it will be > available in next release (not yet in 1.2.0.Beta1 released yesterday) > > Marek > > > On 3.4.2015 01:30, Scott Rossillo wrote: > > Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1. > > I will install a custom built agent tomorrow to catch the actual > exception to see what's up. > > > On Thursday, April 2, 2015, Scott Rossillo > wrote: > >> Hi, >> >> Thanks for the reply. >> >> I was trying to log a user out from the Keycloak admin console. I will >> try the redirect method and see if it works. >> >> Also, I?m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 and report >> if the issue is still occurring. >> >> Best, >> Scott >> >> >> On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda >> wrote: >> >>> Hi, >>> >>> I've tried with Apache Tomcat 6.0.35 but wasn't able to reproduce with >>> latest Keycloak 1.2.0.Beta1. Logout works fine for me. >>> >>> How are you doing logout? From the application or from KC admin console? >>> For the tomcat6, the httpServletRequest.logout() method is not yet >>> available, so best for logout from the application is redirecting to >>> Keycloak logout URL similarly like in our demo example: >>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 >>> >>> You can also enable debug logging, which should show some additional >>> messages in the log by adding this line into >>> $TOMCAT_HOME/conf/logging.properties: >>> >>> org.keycloak.level = FINE >>> >>> Marek >>> >>> >>> >>> On 2.4.2015 01:37, Scott Rossillo wrote: >>> >>> Hi all, >>> >>> I?m running Keycloak 1.1.0-Final in standalone mode and using Keycloak >>> agents on Tomcat 6 and Tomcat 8. >>> >>> With both agents, whenever I try to log a user out via the Keycloak >>> server, I see this in the Tomcat server?s log: >>> >>> Apr 01, 2015 7:27:47 PM >>> org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession >>> WARN: Session not present or already invalidated. >>> >>> The session is still valid and continues to be valid for some period >>> of time in each of the Tomcat instances. Anyone know how to fix? >>> >>> I was looking at the source and I see this method: >>> >>> - >>> >>> >>> - org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. >>> >>> logoutSession() >>> >>> I may test loging the actual exception tomorrow if no one has a clue, >>> but I think it?s probably the exception is being thrown for some reason >>> other than the session no longer existing (it definitely still does). >>> >>> Best, >>> Scott >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/35d62b8d/attachment-0001.html From aryvlin at morphotrust.com Fri Apr 3 15:29:40 2015 From: aryvlin at morphotrust.com (Ryvlin, Andrey) Date: Fri, 3 Apr 2015 19:29:40 +0000 Subject: [keycloak-user] Exchange access token to id token In-Reply-To: <551EE7FB.40702@redhat.com> References: <551EE7FB.40702@redhat.com> Message-ID: <92e3221bd8fd4486bd49d60e177924dd@BLM-MAIL01P.l1id.local> Can I get user id from the access token? That's the only token I can get from HTTP Authorization header. Actual login and getting login response happens earlier, at my web application or oauth client. So, at my REST implementation class I only have access token. Thanks!! -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke Sent: Friday, April 03, 2015 2:20 PM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Exchange access token to id token Our access tokens are actually JsonWebTokens packaged in a Json Web Signature. Direct Grant login should also return an IDToken within the Access Token Response. On 4/3/2015 3:15 PM, Ryvlin, Andrey wrote: > Hi, > > I?m using Keycloak direct grant login to my REST APIs and I need to > get authenticated user information for auditing purpose. > > At my REST implementation class I can get access token from HTTP > header by using a request interceptor, but I believe that token is > useless for auditing. > > Is there Keycloak REST API to get id token for the access token? > > Thank you in advance > > Andrey Ryvlin > > Sr. Software Engineer > > > ---------------------------------------------------------------------- > -- > > This message is only for the use of the intended recipient and may > contain information that is CONFIDENTIAL and PROPRIETARY to > MorphoTrust USA, Inc. If you are not the intended recipient, please > erase all copies of the message and its attachments and notify the sender immediately. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ This message is only for the use of the intended recipient and may contain information that is CONFIDENTIAL and PROPRIETARY to MorphoTrust USA, Inc. If you are not the intended recipient, please erase all copies of the message and its attachments and notify the sender immediately. From bburke at redhat.com Fri Apr 3 15:40:26 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 03 Apr 2015 15:40:26 -0400 Subject: [keycloak-user] Exchange access token to id token In-Reply-To: <92e3221bd8fd4486bd49d60e177924dd@BLM-MAIL01P.l1id.local> References: <551EE7FB.40702@redhat.com> <92e3221bd8fd4486bd49d60e177924dd@BLM-MAIL01P.l1id.local> Message-ID: <551EECAA.6060705@redhat.com> Oh, you have a REST service being invoked on? And you want to get claim information? Yes, you can get the access token. AccessToken accessToken = ((KeycloakSecurityContext)request.getAttribute(KeycloakSecurityContext.class.getName())).getToken(); request here is HttpServetRequest On 4/3/2015 3:29 PM, Ryvlin, Andrey wrote: > Can I get user id from the access token? > That's the only token I can get from HTTP Authorization header. Actual login and getting login response happens earlier, at my web application or oauth client. > So, at my REST implementation class I only have access token. > > Thanks!! > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke > Sent: Friday, April 03, 2015 2:20 PM > To: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Exchange access token to id token > > Our access tokens are actually JsonWebTokens packaged in a Json Web Signature. Direct Grant login should also return an IDToken within the Access Token Response. > > On 4/3/2015 3:15 PM, Ryvlin, Andrey wrote: >> Hi, >> >> I?m using Keycloak direct grant login to my REST APIs and I need to >> get authenticated user information for auditing purpose. >> >> At my REST implementation class I can get access token from HTTP >> header by using a request interceptor, but I believe that token is >> useless for auditing. >> >> Is there Keycloak REST API to get id token for the access token? >> >> Thank you in advance >> >> Andrey Ryvlin >> >> Sr. Software Engineer >> >> >> ---------------------------------------------------------------------- >> -- >> >> This message is only for the use of the intended recipient and may >> contain information that is CONFIDENTIAL and PROPRIETARY to >> MorphoTrust USA, Inc. If you are not the intended recipient, please >> erase all copies of the message and its attachments and notify the sender immediately. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ________________________________ > > This message is only for the use of the intended recipient and may contain information that is CONFIDENTIAL and PROPRIETARY to MorphoTrust USA, Inc. If you are not the intended recipient, please erase all copies of the message and its attachments and notify the sender immediately. > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From srossillo at smartling.com Fri Apr 3 16:22:24 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Fri, 3 Apr 2015 16:22:24 -0400 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: References: <551D50FB.9010601@redhat.com>

<551E2857.6020501@redhat.com> Message-ID: Update on issue 1, Log user out from KC console: It appears this is due to Spring security creating a new session and migrating data into it but KC knows nothing about this. There?s a way to disable this behavior in Spring Security and I?m going to take that path. This should be a non-issue. ~ Scott On Fri, Apr 3, 2015 at 3:21 PM, Scott Rossillo wrote: > Ok, so a few followups. Just to be clear, here?s what I?m trying to do and > the outcomes of each against 1.2.0.Beta1: > > 1. (Original scenario) Log user out from KC console (Users > [user] > Sessions). > Result: This still fails with the exception, > "org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession > Session not present or already invalidated.? > > The exception thrown here is an NPE as manager.findSession(httpSessionId) > failed to find the session. Interestingly, the session is still valid and > the ID passed into the manager is correct. Furthermore, while debugging I > can see that manager.findSession() looks up the session in a hash map. > Interestingly, the session id (key) is there, but the value (session) is > null. Maybe this is a Tomcat bug. Using Tomcat 8.0.18, will test with > 8.0.21. > > 2. (Second scenario) Application logout. > Documentation 8.10. Logout ( > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152) > say you can either call HttpServletRequest.logout() or redirect > tohttp://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri. > > However, you have to do both. > > Call only .logout() and the KC token is still valid and user can access > app with a new session (it will just redirect to KC, see KC session is > valid and grant access). > > Call only auth-server/?/logout and the Tomcat session remains valid. I > would have thought that calling the auth-server?s logout endpoint would > broadcast logout events to logged in applications, but it doesn?t. > > I?ll file a JIRA for the second case and continue investigating the first > scenario with a newer Tomcat release. > > Best, > Scott > > > > > > > > > > On Fri, Apr 3, 2015 at 1:42 AM, Marek Posolda wrote: > >> Sure, maybe even easier alternative is to try debugger. You can add >> this to the beginning of $TOMCAT_HOME/bin/catalina.sh: >> >> JAVA_OPTS="$JAVA_OPTS >> -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n" >> >> then start tomcat and then remotely connect to it from your IDE. You will >> need opened IDE with keycloak sources though. >> >> I've changed the code to display the exception stacktrace, but it will be >> available in next release (not yet in 1.2.0.Beta1 released yesterday) >> >> Marek >> >> >> On 3.4.2015 01:30, Scott Rossillo wrote: >> >> Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1. >> >> I will install a custom built agent tomorrow to catch the actual >> exception to see what's up. >> >> >> On Thursday, April 2, 2015, Scott Rossillo >> wrote: >> >>> Hi, >>> >>> Thanks for the reply. >>> >>> I was trying to log a user out from the Keycloak admin console. I will >>> try the redirect method and see if it works. >>> >>> Also, I?m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 and report >>> if the issue is still occurring. >>> >>> Best, >>> Scott >>> >>> >>> On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda >>> wrote: >>> >>>> Hi, >>>> >>>> I've tried with Apache Tomcat 6.0.35 but wasn't able to reproduce with >>>> latest Keycloak 1.2.0.Beta1. Logout works fine for me. >>>> >>>> How are you doing logout? From the application or from KC admin >>>> console? For the tomcat6, the httpServletRequest.logout() method is not yet >>>> available, so best for logout from the application is redirecting to >>>> Keycloak logout URL similarly like in our demo example: >>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 >>>> >>>> You can also enable debug logging, which should show some additional >>>> messages in the log by adding this line into >>>> $TOMCAT_HOME/conf/logging.properties: >>>> >>>> org.keycloak.level = FINE >>>> >>>> Marek >>>> >>>> >>>> >>>> On 2.4.2015 01:37, Scott Rossillo wrote: >>>> >>>> Hi all, >>>> >>>> I?m running Keycloak 1.1.0-Final in standalone mode and using >>>> Keycloak agents on Tomcat 6 and Tomcat 8. >>>> >>>> With both agents, whenever I try to log a user out via the Keycloak >>>> server, I see this in the Tomcat server?s log: >>>> >>>> Apr 01, 2015 7:27:47 PM >>>> org.keycloak.adapters.tomcat.CatalinaUserSessionManagement logoutSession >>>> WARN: Session not present or already invalidated. >>>> >>>> The session is still valid and continues to be valid for some period >>>> of time in each of the Tomcat instances. Anyone know how to fix? >>>> >>>> I was looking at the source and I see this method: >>>> >>>> - >>>> >>>> >>>> - org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. >>>> >>>> logoutSession() >>>> >>>> I may test loging the actual exception tomorrow if no one has a clue, >>>> but I think it?s probably the exception is being thrown for some reason >>>> other than the session no longer existing (it definitely still does). >>>> >>>> Best, >>>> Scott >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150403/b82ee157/attachment.html From chenkeong.yap at izeno.com Sun Apr 5 18:41:20 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Mon, 6 Apr 2015 06:41:20 +0800 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com> Message-ID: Guys, Can share your ideas why global logout is not working? On Apr 3, 2015 3:47 PM, "Chen Keong Yap" wrote: > Hi Marek, > > I've just tested backchannel logout and it's showing same issue. Both > applications are using PL SP Filter and the steps below are used for > testing. > > 1. Open https://localhost:8443/employee/ and http request is redirected > to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml > > 2. Enter username and password into keycloak login page and redirected to > employee landing page > > 3. Open https://localhost:8443/sales-post/ and redirected to sales-post > landing page without login > > 4. Logon to keycloak admin console and noticed there are 2 active sessions > > 5. Perform global logout from employee landing page ( > https://localhost:8443/employee/?GLO=true) and http request is redirected > to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml > > 6. Logon to keycloak admin console and noticed all sessions are gone > > 7. Refresh sales-post landing page and it's not redirected to keycloak > login page. sales-post session still active. > > Kindly advise why GLO is performed but the second application (sales-post) > session still active? > > On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda wrote: > >> Switch the "Front channel logout" to off. In this case it should use >> backchannel (not redirecting through browser, but sending logout requests >> from Keycloak in background) >> >> Marek >> >> >> >> On 3.4.2015 08:28, Chen Keong Yap wrote: >> >> >> Hi Merek, >> >> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the >> same issues, please refer to the settings shown in the screen shot. >> >> Can you please advise how to test backchannel logout? >> >> >> [image: Inline image 1] >> >> >> >> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda >> wrote: >> >>> I would try to upgrade to latest 1.2.0.Beta1 as it has some related >>> fixes AFAIK. >>> >>> In this version, you have also possibility to setup either frontChannel >>> logout or backchannel logout for the application. It could be set in >>> Keycloak admin console. I think that at least one of them will work with SP >>> filter in latest version (if not both). >>> >>> Marek >>> >>> >>> On 3.4.2015 01:44, Chen Keong Yap wrote: >>> >>> Hi, >>> >>> I've 2 applications installed with Picketlink SPFilter to authenticate >>> with keycloak 1.1.0 beta 2. >>> >>> When i perform global logout, first application was logged out >>> successfully because SP/keycloak session and application http session are >>> removed but the problem is second >>> application SP/keycloak session is removed but application http session >>> is still remained. I've set admin url for these 2 applications in keycloak >>> admin console. Kindly share your ideas. >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> >> >> >> >> >> > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/d3ca96ae/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 71582 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/d3ca96ae/attachment-0001.png From chenkeong.yap at izeno.com Mon Apr 6 06:47:43 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Mon, 6 Apr 2015 18:47:43 +0800 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

Message-ID: Hi bill, Global logout only removed sp sessions but not web application sessions and this created security loopholes. Please advise On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap wrote: > Guys, > > Can share your ideas why global logout is not working? > On Apr 3, 2015 3:47 PM, "Chen Keong Yap" wrote: > >> Hi Marek, >> >> I've just tested backchannel logout and it's showing same issue. Both >> applications are using PL SP Filter and the steps below are used for >> testing. >> >> 1. Open https://localhost:8443/employee/ and http request is redirected >> to https://localhost:8443/auth/realms/saml-demo-1/protocol/saml >> >> 2. Enter username and password into keycloak login page and redirected to >> employee landing page >> >> 3. Open https://localhost:8443/sales-post/ and redirected to sales-post >> landing page without login >> >> 4. Logon to keycloak admin console and noticed there are 2 active sessions >> >> 5. Perform global logout from employee landing page ( >> https://localhost:8443/employee/?GLO=true) and http request is >> redirected to >> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml >> >> 6. Logon to keycloak admin console and noticed all sessions are gone >> >> 7. Refresh sales-post landing page and it's not redirected to keycloak >> login page. sales-post session still active. >> >> Kindly advise why GLO is performed but the second application >> (sales-post) session still active? >> >> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda >> wrote: >> >>> Switch the "Front channel logout" to off. In this case it should use >>> backchannel (not redirecting through browser, but sending logout requests >>> from Keycloak in background) >>> >>> Marek >>> >>> >>> >>> On 3.4.2015 08:28, Chen Keong Yap wrote: >>> >>> >>> Hi Merek, >>> >>> I've tried frontChannel logout in 1.2.0.Beta1 and it's giving me the >>> same issues, please refer to the settings shown in the screen shot. >>> >>> Can you please advise how to test backchannel logout? >>> >>> >>> [image: Inline image 1] >>> >>> >>> >>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda >>> wrote: >>> >>>> I would try to upgrade to latest 1.2.0.Beta1 as it has some related >>>> fixes AFAIK. >>>> >>>> In this version, you have also possibility to setup either frontChannel >>>> logout or backchannel logout for the application. It could be set in >>>> Keycloak admin console. I think that at least one of them will work with SP >>>> filter in latest version (if not both). >>>> >>>> Marek >>>> >>>> >>>> On 3.4.2015 01:44, Chen Keong Yap wrote: >>>> >>>> Hi, >>>> >>>> I've 2 applications installed with Picketlink SPFilter to >>>> authenticate with keycloak 1.1.0 beta 2. >>>> >>>> When i perform global logout, first application was logged out >>>> successfully because SP/keycloak session and application http session are >>>> removed but the problem is second >>>> application SP/keycloak session is removed but application http session >>>> is still remained. I've set admin url for these 2 applications in keycloak >>>> admin console. Kindly share your ideas. >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>> >>> >>> >>> >>> >>> >> >> >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/5613e8ad/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 71582 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/5613e8ad/attachment-0001.png From kalinga at leapset.com Mon Apr 6 08:13:42 2015 From: kalinga at leapset.com (Kalinga Dissanayake) Date: Mon, 6 Apr 2015 17:43:42 +0530 (IST) Subject: [keycloak-user] Externalising session storage in keycloak Message-ID: <1428322422.154413249@apps.rackspace.com> Guys i know this has been discussed before, but im trying to find a simple number of steps for me to externalize the session storage in keycloak. I just need to do the following; 1. Two servers running keycloak (wildfly) 2. A load balancer in front of these two servers. Preferably an AWS loadbalancer 3. I need to store the session details on an external store so that the sessions work accurately. There is so much documentation for this but I am actually confused as to what i should do and the bare minimum i should do to achieve this. I dont need a distributed cache or anything just need one cache store (may be infinispan or memcached) and the two keycloak servers running storing the sessions on that. Is there one key place i should look into which contains the bare minimum i should do. Kalinga. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/b2086c0c/attachment.html From bburke at redhat.com Mon Apr 6 09:31:59 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 06 Apr 2015 09:31:59 -0400 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

Message-ID: <55228ACF.6020809@redhat.com> I'll try out the demo example. One problem I did have with the Picketlink SP adapter is that the session was invalidated, but the principal was still available when redirecting back to the logout page. Doesn't sound like this is your problem though. On 4/6/2015 6:47 AM, Chen Keong Yap wrote: > Hi bill, > > Global logout only removed sp sessions but not web application sessions > and this created security loopholes. > > Please advise > > On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap > wrote: > > Guys, > > Can share your ideas why global logout is not working? > > On Apr 3, 2015 3:47 PM, "Chen Keong Yap" > wrote: > > Hi Marek, > > I've just tested backchannel logout and it's showing same issue. > Both applications are using PL SP Filter and the steps below are > used for testing. > > 1. Open https://localhost:8443/employee/ and http request is > redirected to > https://localhost:8443/auth/realms/saml-demo-1/protocol/saml > > 2. Enter username and password into keycloak login page and > redirected to employee landing page > > 3. Open https://localhost:8443/sales-post/ and redirected to > sales-post landing page without login > > 4. Logon to keycloak admin console and noticed there are 2 > active sessions > > 5. Perform global logout from employee landing page > (https://localhost:8443/employee/?GLO=true) and http request is > redirected to > https://localhost:8443/auth/realms/saml-demo-1/protocol/saml > > 6. Logon to keycloak admin console and noticed all sessions are gone > > 7. Refresh sales-post landing page and it's not redirected to > keycloak login page. sales-post session still active. > > Kindly advise why GLO is performed but the second application > (sales-post) session still active? > > On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda > > wrote: > > Switch the "Front channel logout" to off. In this case it > should use backchannel (not redirecting through browser, but > sending logout requests from Keycloak in background) > > Marek > > > > On 3.4.2015 08:28, Chen Keong Yap wrote: >> >> Hi Merek, >> >> I've tried frontChannel logout in 1.2.0.Beta1 and it's >> giving me the same issues, please refer to the settings >> shown in the screen shot. >> >> Can you please advise how to test backchannel logout? >> >> >> Inline image 1 >> >> >> >> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda >> > wrote: >> >> I would try to upgrade to latest 1.2.0.Beta1 as it has >> some related fixes AFAIK. >> >> In this version, you have also possibility to setup >> either frontChannel logout or backchannel logout for >> the application. It could be set in Keycloak admin >> console. I think that at least one of them will work >> with SP filter in latest version (if not both). >> >> Marek >> >> >> On 3.4.2015 01:44, Chen Keong Yap wrote: >>> Hi, >>> >>> I've 2 applications installed with Picketlink >>> SPFilter to authenticate with keycloak 1.1.0 beta 2. >>> >>> When i perform global logout, first application was >>> logged out successfully because SP/keycloak session >>> and application http session are removed but the >>> problem is second >>> application SP/keycloak session is removed but >>> application http session is still remained. I've set >>> admin url for these 2 applications in keycloak admin >>> console. Kindly share your ideas. >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> > > > > > > > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Apr 6 09:56:30 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 06 Apr 2015 09:56:30 -0400 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

Message-ID: <5522908E.4060507@redhat.com> I tried out the saml demo app and logout works just fine, so I'm guessing this is a bug in the PL SP Filter. On 4/6/2015 6:47 AM, Chen Keong Yap wrote: > Hi bill, > > Global logout only removed sp sessions but not web application sessions > and this created security loopholes. > > Please advise > > On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap > wrote: > > Guys, > > Can share your ideas why global logout is not working? > > On Apr 3, 2015 3:47 PM, "Chen Keong Yap" > wrote: > > Hi Marek, > > I've just tested backchannel logout and it's showing same issue. > Both applications are using PL SP Filter and the steps below are > used for testing. > > 1. Open https://localhost:8443/employee/ and http request is > redirected to > https://localhost:8443/auth/realms/saml-demo-1/protocol/saml > > 2. Enter username and password into keycloak login page and > redirected to employee landing page > > 3. Open https://localhost:8443/sales-post/ and redirected to > sales-post landing page without login > > 4. Logon to keycloak admin console and noticed there are 2 > active sessions > > 5. Perform global logout from employee landing page > (https://localhost:8443/employee/?GLO=true) and http request is > redirected to > https://localhost:8443/auth/realms/saml-demo-1/protocol/saml > > 6. Logon to keycloak admin console and noticed all sessions are gone > > 7. Refresh sales-post landing page and it's not redirected to > keycloak login page. sales-post session still active. > > Kindly advise why GLO is performed but the second application > (sales-post) session still active? > > On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda > > wrote: > > Switch the "Front channel logout" to off. In this case it > should use backchannel (not redirecting through browser, but > sending logout requests from Keycloak in background) > > Marek > > > > On 3.4.2015 08:28, Chen Keong Yap wrote: >> >> Hi Merek, >> >> I've tried frontChannel logout in 1.2.0.Beta1 and it's >> giving me the same issues, please refer to the settings >> shown in the screen shot. >> >> Can you please advise how to test backchannel logout? >> >> >> Inline image 1 >> >> >> >> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda >> > wrote: >> >> I would try to upgrade to latest 1.2.0.Beta1 as it has >> some related fixes AFAIK. >> >> In this version, you have also possibility to setup >> either frontChannel logout or backchannel logout for >> the application. It could be set in Keycloak admin >> console. I think that at least one of them will work >> with SP filter in latest version (if not both). >> >> Marek >> >> >> On 3.4.2015 01:44, Chen Keong Yap wrote: >>> Hi, >>> >>> I've 2 applications installed with Picketlink >>> SPFilter to authenticate with keycloak 1.1.0 beta 2. >>> >>> When i perform global logout, first application was >>> logged out successfully because SP/keycloak session >>> and application http session are removed but the >>> problem is second >>> application SP/keycloak session is removed but >>> application http session is still remained. I've set >>> admin url for these 2 applications in keycloak admin >>> console. Kindly share your ideas. >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> > > > > > > > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From chenkeong.yap at izeno.com Mon Apr 6 09:01:30 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Mon, 6 Apr 2015 21:01:30 +0800 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: <5522908E.4060507@redhat.com> References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

<5522908E.4060507@redhat.com> Message-ID: Hi bill, Are you using 2 applications for testing? If yes, need to know have you logged out the first application then redirect to keycloak login page? After that refresh the second application then redirect to keycloak login page? Can i know which version of picketlink federation lib are you using? On Apr 6, 2015 8:56 PM, "Bill Burke" wrote: > I tried out the saml demo app and logout works just fine, so I'm guessing > this is a bug in the PL SP Filter. > > On 4/6/2015 6:47 AM, Chen Keong Yap wrote: > >> Hi bill, >> >> Global logout only removed sp sessions but not web application sessions >> and this created security loopholes. >> >> Please advise >> >> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap > > wrote: >> >> Guys, >> >> Can share your ideas why global logout is not working? >> >> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" > > wrote: >> >> Hi Marek, >> >> I've just tested backchannel logout and it's showing same issue. >> Both applications are using PL SP Filter and the steps below are >> used for testing. >> >> 1. Open https://localhost:8443/employee/ and http request is >> redirected to >> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml >> >> 2. Enter username and password into keycloak login page and >> redirected to employee landing page >> >> 3. Open https://localhost:8443/sales-post/ and redirected to >> sales-post landing page without login >> >> 4. Logon to keycloak admin console and noticed there are 2 >> active sessions >> >> 5. Perform global logout from employee landing page >> (https://localhost:8443/employee/?GLO=true) and http request is >> redirected to >> https://localhost:8443/auth/realms/saml-demo-1/protocol/saml >> >> 6. Logon to keycloak admin console and noticed all sessions are >> gone >> >> 7. Refresh sales-post landing page and it's not redirected to >> keycloak login page. sales-post session still active. >> >> Kindly advise why GLO is performed but the second application >> (sales-post) session still active? >> >> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda >> > wrote: >> >> Switch the "Front channel logout" to off. In this case it >> should use backchannel (not redirecting through browser, but >> sending logout requests from Keycloak in background) >> >> Marek >> >> >> >> On 3.4.2015 08:28, Chen Keong Yap wrote: >> >>> >>> Hi Merek, >>> >>> I've tried frontChannel logout in 1.2.0.Beta1 and it's >>> giving me the same issues, please refer to the settings >>> shown in the screen shot. >>> >>> Can you please advise how to test backchannel logout? >>> >>> >>> Inline image 1 >>> >>> >>> >>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda >>> > wrote: >>> >>> I would try to upgrade to latest 1.2.0.Beta1 as it has >>> some related fixes AFAIK. >>> >>> In this version, you have also possibility to setup >>> either frontChannel logout or backchannel logout for >>> the application. It could be set in Keycloak admin >>> console. I think that at least one of them will work >>> with SP filter in latest version (if not both). >>> >>> Marek >>> >>> >>> On 3.4.2015 01:44, Chen Keong Yap wrote: >>> >>>> Hi, >>>> >>>> I've 2 applications installed with Picketlink >>>> SPFilter to authenticate with keycloak 1.1.0 beta 2. >>>> >>>> When i perform global logout, first application was >>>> logged out successfully because SP/keycloak session >>>> and application http session are removed but the >>>> problem is second >>>> application SP/keycloak session is removed but >>>> application http session is still remained. I've set >>>> admin url for these 2 applications in keycloak admin >>>> console. Kindly share your ideas. >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>> keycloak-user at lists.jboss.org> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >>> >>> >>> >>> >> >> >> >> >> >> >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/b3a42702/attachment-0001.html From bburke at redhat.com Mon Apr 6 10:20:49 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 06 Apr 2015 10:20:49 -0400 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

<5522908E.4060507@redhat.com> Message-ID: <55229641.6090406@redhat.com> Demos work fine for me, but I'm using the wildfly Picketlink SP adapter. I am able to have an SSO session with all the examples, then I am able to logout and have all sessions invalidated. On 4/6/2015 9:01 AM, Chen Keong Yap wrote: > Hi bill, > > Are you using 2 applications for testing? > > If yes, need to know have you logged out the first application then > redirect to keycloak login page? After that refresh the second > application then redirect to keycloak login page? > > Can i know which version of picketlink federation lib are you using? > > On Apr 6, 2015 8:56 PM, "Bill Burke" > wrote: > > I tried out the saml demo app and logout works just fine, so I'm > guessing this is a bug in the PL SP Filter. > > On 4/6/2015 6:47 AM, Chen Keong Yap wrote: > > Hi bill, > > Global logout only removed sp sessions but not web application > sessions > and this created security loopholes. > > Please advise > > On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap > > >> wrote: > > Guys, > > Can share your ideas why global logout is not working? > > On Apr 3, 2015 3:47 PM, "Chen Keong Yap" > > >> wrote: > > Hi Marek, > > I've just tested backchannel logout and it's showing > same issue. > Both applications are using PL SP Filter and the steps > below are > used for testing. > > 1. Open https://localhost:8443/__employee/ > and http request is > redirected to > https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml > > > 2. Enter username and password into keycloak login page and > redirected to employee landing page > > 3. Open https://localhost:8443/sales-__post/ > and redirected to > sales-post landing page without login > > 4. Logon to keycloak admin console and noticed there are 2 > active sessions > > 5. Perform global logout from employee landing page > (https://localhost:8443/__employee/?GLO=true > ) and http request is > redirected to > https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml > > > 6. Logon to keycloak admin console and noticed all > sessions are gone > > 7. Refresh sales-post landing page and it's not > redirected to > keycloak login page. sales-post session still active. > > Kindly advise why GLO is performed but the second > application > (sales-post) session still active? > > On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda > > >> wrote: > > Switch the "Front channel logout" to off. In this > case it > should use backchannel (not redirecting through > browser, but > sending logout requests from Keycloak in background) > > Marek > > > > On 3.4.2015 08:28, Chen Keong Yap wrote: > > > Hi Merek, > > I've tried frontChannel logout in 1.2.0.Beta1 > and it's > giving me the same issues, please refer to the > settings > shown in the screen shot. > > Can you please advise how to test backchannel > logout? > > > Inline image 1 > > > > On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda > >> wrote: > > I would try to upgrade to latest > 1.2.0.Beta1 as it has > some related fixes AFAIK. > > In this version, you have also possibility > to setup > either frontChannel logout or backchannel > logout for > the application. It could be set in > Keycloak admin > console. I think that at least one of them > will work > with SP filter in latest version (if not both). > > Marek > > > On 3.4.2015 01:44, Chen Keong Yap wrote: > > Hi, > > I've 2 applications installed with > Picketlink > SPFilter to authenticate with keycloak > 1.1.0 beta 2. > > When i perform global logout, first > application was > logged out successfully because > SP/keycloak session > and application http session are > removed but the > problem is second > application SP/keycloak session is > removed but > application http session is still > remained. I've set > admin url for these 2 applications in > keycloak admin > console. Kindly share your ideas. > > > > > _________________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > >

> > https://lists.jboss.org/__mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From John.Schneider at carrier.utc.com Mon Apr 6 13:20:15 2015 From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC) Date: Mon, 6 Apr 2015 17:20:15 +0000 Subject: [keycloak-user] Apache Reverse Proxy in front of Keycloak Proxy Message-ID: Hi, I have Keycloak Proxy working well. However, it's installed on machines that are not Internet-accessible and I need to put an Apache Reverse Proxy in front of it. Installing the Keycloak Proxy on the externally-facing Apache servers is not an option for me. My issue is, Keycloak Proxy sends a redirect-URI to the auth server that is based on the bind-address value in the config. I need the redirect URI sent to the Auth server to be the Apache reverse proxy. Is there a clever way to do this, or is a feature addition needed to support this? If the latter, then I suggest adding an optional property "redirect_base_address" to the config. Thanks, John -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/6636ade9/attachment.html From bburke at redhat.com Mon Apr 6 14:29:36 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 06 Apr 2015 14:29:36 -0400 Subject: [keycloak-user] Apache Reverse Proxy in front of Keycloak Proxy In-Reply-To: References: Message-ID: <5522D090.5090800@redhat.com> No, nothing right now to work around this. On 4/6/2015 1:20 PM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote: > Hi, > > I have Keycloak Proxy working well. However, it?s installed on machines > that are not Internet-accessible and I need to put an Apache Reverse > Proxy in front of it. Installing the Keycloak Proxy on the > externally-facing Apache servers is not an option for me. My issue is, > Keycloak Proxy sends a redirect-URI to the auth server that is based on > the bind-address value in the config. I need the redirect URI sent to > the Auth server to be the Apache reverse proxy. > > Is there a clever way to do this, or is a feature addition needed to > support this? If the latter, then I suggest adding an optional property > ?redirect_base_address? to the config. > > Thanks, > > John > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Apr 6 14:31:57 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 06 Apr 2015 14:31:57 -0400 Subject: [keycloak-user] Apache Reverse Proxy in front of Keycloak Proxy In-Reply-To: References: Message-ID: <5522D11D.9010901@redhat.com> https://issues.jboss.org/browse/KEYCLOAK-1180 Added a jira for this and scheduled. Still a month away from this though. On 4/6/2015 1:20 PM, Schneider, John DODGE CONSULTING SERVICES, LLC wrote: > Hi, > > I have Keycloak Proxy working well. However, it?s installed on machines > that are not Internet-accessible and I need to put an Apache Reverse > Proxy in front of it. Installing the Keycloak Proxy on the > externally-facing Apache servers is not an option for me. My issue is, > Keycloak Proxy sends a redirect-URI to the auth server that is based on > the bind-address value in the config. I need the redirect URI sent to > the Auth server to be the Apache reverse proxy. > > Is there a clever way to do this, or is a feature addition needed to > support this? If the latter, then I suggest adding an optional property > ?redirect_base_address? to the config. > > Thanks, > > John > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From tschneider at connecture.com Mon Apr 6 14:38:55 2015 From: tschneider at connecture.com (Schneider, Tom) Date: Mon, 6 Apr 2015 18:38:55 +0000 Subject: [keycloak-user] Running Liquibase updates via maven plugin Message-ID: I'd like to populate a database for keycloak via the command line using the liquibase maven plugin. With the latest master code, when I try to run this command: mvn -f connections/jpa-liquibase/pom.xml liquibase:update -Durl=jdbc:h2:keycloak I receive the following error message: [ERROR] liquibase.exception.UnexpectedLiquibaseException: liquibase.exception.CustomChangeException: liquibase.exception.SetupException: No KeycloakSession provided in ThreadLocal Am I missing some setup or is this no longer supported? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/a70717d7/attachment.html From adisari06 at yahoo.com Mon Apr 6 17:43:41 2015 From: adisari06 at yahoo.com (Adil Arif) Date: Mon, 6 Apr 2015 21:43:41 +0000 (UTC) Subject: [keycloak-user] Curious about the Email constraint on UserEntity Message-ID: <1707221802.602972.1428356621257.JavaMail.yahoo@mail.yahoo.com> I have been testing Keycloak (1.1.0 Final) federation ability against some of our existing user databases. I came across the unique email address constraint in the UserEntity table. What is the reasoning behind email addresses being unique? Our particular use case is that a user can create multiple usernames and have the same email address across many of them if they choose to. Adil Arif -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150406/c081e28a/attachment-0001.html From thomas_connolly at yahoo.com Mon Apr 6 20:10:33 2015 From: thomas_connolly at yahoo.com (Thomas Connolly) Date: Tue, 7 Apr 2015 00:10:33 +0000 (UTC) Subject: [keycloak-user] Using Informix DB with Keycloak ... Message-ID: <173304705.803869.1428365433517.JavaMail.yahoo@mail.yahoo.com> Hi All As part of a standardisation process, I'm trying to get Keycloak working with Informix DB, the enterprise DB!I understand that Keycloak does not officially support Informix however given the use of JPA / Hibernate I though there was a good chance it would work out of the box.However this has proven not the case. The connection dialect does indeed recognise Informix but does not appear to correctly map to this DB. The issue I've come across is the handling of boolean conditional in SQL. In RoleEntry.java the query? ? ? ? @NamedQuery(name="getRealmRoleByName", query="select role from RoleEntity role where role.applicationRole = false and role.name = :name and role.realm = :realm") Generates the following?select? ? ? ? roleentity0_.id as id1_15_,? ? ? ? roleentity0_.APP_REALM_CONSTRAINT as APP_REAL2_15_,? ? ? ? roleentity0_.APPLICATION as APPLICAT7_15_,? ? ? ? roleentity0_.APPLICATION_ROLE as APPLICAT3_15_,? ? ? ? roleentity0_.DESCRIPTION as DESCRIPT4_15_,? ? ? ? roleentity0_.NAME as NAME5_15_,? ? ? ? roleentity0_.REALM as REALM8_15_,? ? ? ? roleentity0_.REALM_ID as REALM_ID6_15_?? ? from? ? ? ? KEYCLOAK_ROLE roleentity0_?? ? where? ? ? ? roleentity0_.APPLICATION_ROLE=0?The above does not work with Informix as 't', 'f', true and false respectively is used. So it should be? ? where? ? ? ??roleentity0_.APPLICATION_ROLE='f' Looking through the code, it appears I cannot configure this. Happy to be proven wrong here!I found I could override within Hibernate using the property? ? hibernate.query.substitutions=true t, false f I've added this change into DefaultJpaConnectionProviderFactory.java? String querySubstitutions = config.get("querySubstitutions"); if (querySubstitutions != null) { logger.debug("hibernate.query.substitutions=" + querySubstitutions);? ? properties.put("hibernate.query.substitutions", querySubstitutions); } Adding the setting in?keycloak-server.json? ? "connectionsJpa": {? ? ? ? "default": {? ? ? ? ? ? "dataSource": "java:jboss/datasources/KeycloakDS",? ? ? ? ? ? "databaseSchema": "update", "querySubstitutions" : "true t, false f"? ? ? ? } However I've found the translation is not occurring as I would have expected.? Can you please advise on the approach I'm taking or any alternatives I have not looked into? Also once we get this working with Informix how can I get it added to the supported DB list? Regards Tom Connolly. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/e49c6971/attachment.html From chenkeong.yap at izeno.com Mon Apr 6 20:37:17 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Tue, 7 Apr 2015 08:37:17 +0800 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: <55229641.6090406@redhat.com> References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

<5522908E.4060507@redhat.com> <55229641.6090406@redhat.com> Message-ID: Hi bill, Can you give me the link or path for the demo? Not sure if you are using keycloak or picketlink demo for testing? On Apr 6, 2015 9:20 PM, "Bill Burke" wrote: > Demos work fine for me, but I'm using the wildfly Picketlink SP adapter. > I am able to have an SSO session with all the examples, then I am able to > logout and have all sessions invalidated. > > On 4/6/2015 9:01 AM, Chen Keong Yap wrote: > >> Hi bill, >> >> Are you using 2 applications for testing? >> >> If yes, need to know have you logged out the first application then >> redirect to keycloak login page? After that refresh the second >> application then redirect to keycloak login page? >> >> Can i know which version of picketlink federation lib are you using? >> >> On Apr 6, 2015 8:56 PM, "Bill Burke" > > wrote: >> >> I tried out the saml demo app and logout works just fine, so I'm >> guessing this is a bug in the PL SP Filter. >> >> On 4/6/2015 6:47 AM, Chen Keong Yap wrote: >> >> Hi bill, >> >> Global logout only removed sp sessions but not web application >> sessions >> and this created security loopholes. >> >> Please advise >> >> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap >> >> > >> wrote: >> >> Guys, >> >> Can share your ideas why global logout is not working? >> >> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" >> >> > >> wrote: >> >> Hi Marek, >> >> I've just tested backchannel logout and it's showing >> same issue. >> Both applications are using PL SP Filter and the steps >> below are >> used for testing. >> >> 1. Open https://localhost:8443/__employee/ >> and http request is >> redirected to >> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml >> >> >> 2. Enter username and password into keycloak login page >> and >> redirected to employee landing page >> >> 3. Open https://localhost:8443/sales-__post/ >> and redirected to >> sales-post landing page without login >> >> 4. Logon to keycloak admin console and noticed there are >> 2 >> active sessions >> >> 5. Perform global logout from employee landing page >> (https://localhost:8443/__employee/?GLO=true >> ) and http request is >> redirected to >> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml >> >> >> 6. Logon to keycloak admin console and noticed all >> sessions are gone >> >> 7. Refresh sales-post landing page and it's not >> redirected to >> keycloak login page. sales-post session still active. >> >> Kindly advise why GLO is performed but the second >> application >> (sales-post) session still active? >> >> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda >> >> >> wrote: >> >> Switch the "Front channel logout" to off. In this >> case it >> should use backchannel (not redirecting through >> browser, but >> sending logout requests from Keycloak in background) >> >> Marek >> >> >> >> On 3.4.2015 08:28, Chen Keong Yap wrote: >> >> >> Hi Merek, >> >> I've tried frontChannel logout in 1.2.0.Beta1 >> and it's >> giving me the same issues, please refer to the >> settings >> shown in the screen shot. >> >> Can you please advise how to test backchannel >> logout? >> >> >> Inline image 1 >> >> >> >> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda >> > > >> wrote: >> >> I would try to upgrade to latest >> 1.2.0.Beta1 as it has >> some related fixes AFAIK. >> >> In this version, you have also possibility >> to setup >> either frontChannel logout or backchannel >> logout for >> the application. It could be set in >> Keycloak admin >> console. I think that at least one of them >> will work >> with SP filter in latest version (if not >> both). >> >> Marek >> >> >> On 3.4.2015 01:44, Chen Keong Yap wrote: >> >> Hi, >> >> I've 2 applications installed with >> Picketlink >> SPFilter to authenticate with keycloak >> 1.1.0 beta 2. >> >> When i perform global logout, first >> application was >> logged out successfully because >> SP/keycloak session >> and application http session are >> removed but the >> problem is second >> application SP/keycloak session is >> removed but >> application http session is still >> remained. I've set >> admin url for these 2 applications in >> keycloak admin >> console. Kindly share your ideas. >> >> >> >> >> _________________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> > > >> https://lists.jboss.org/__mailman/listinfo/keycloak-user >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> >> > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/275a9d7e/attachment-0001.html From stian at redhat.com Tue Apr 7 02:20:57 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 7 Apr 2015 02:20:57 -0400 (EDT) Subject: [keycloak-user] Externalising session storage in keycloak In-Reply-To: <1428322422.154413249@apps.rackspace.com> References: <1428322422.154413249@apps.rackspace.com> Message-ID: <1715592343.13219857.1428387657008.JavaMail.zimbra@redhat.com> We have support for using either Infinispan or a database (relational or Mongo) to store the user sessions when load balanced. If performance is not a problem you can just go with storing sessions in the database. Otherwise go with Infinispan, see http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering.html for the details on how to configure that. To use a replicated cache instead of a distributed cache use the following config for Infinspan:

... You can also just use the configuration from the docs above but set 'owners="2"'. ----- Original Message ----- > From: "Kalinga Dissanayake" > To: keycloak-user at lists.jboss.org > Cc: "Stian Thorgersen" > Sent: Monday, 6 April, 2015 2:13:42 PM > Subject: Externalising session storage in keycloak > > > Guys i know this has been discussed before, but im trying to find a simple > number of steps for me to externalize the session storage in keycloak. > I just need to do the following; > 1. Two servers running keycloak (wildfly) > 2. A load balancer in front of these two servers. Preferably an AWS > loadbalancer > 3. I need to store the session details on an external store so that the > sessions work accurately. > > There is so much documentation for this but I am actually confused as to what > i should do and the bare minimum i should do to achieve this. I dont need a > distributed cache or anything just need one cache store (may be infinispan > or memcached) and the two keycloak servers running storing the sessions on > that. Is there one key place i should look into which contains the bare > minimum i should do. > > Kalinga. > From stian at redhat.com Tue Apr 7 02:38:25 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 7 Apr 2015 02:38:25 -0400 (EDT) Subject: [keycloak-user] Application Management In-Reply-To: References: <235824875.3863019.1427201098648.JavaMail.zimbra@redhat.com>

<596874598.6524658.1427432321791.JavaMail.zimbra@redhat.com> <1915332308.6796315.1427464264502.JavaMail.zimbra@redhat.com> Message-ID: <657783737.13228908.1428388705228.JavaMail.zimbra@redhat.com> What's the purpose of app-admin? ----- Original Message ----- > From: "Thiago Presa" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Wednesday, 1 April, 2015 7:33:26 PM > Subject: Re: [keycloak-user] Application Management > > Speaking with my colleagues, I believe it won't cause troubles for us. We > had to give view-applications: the admin console wouldn't work properly, > but this is also OK according to our requirements. > > Would you mind giving us some feedback on [1]? We wrote this to experiment > a bit with the proposal, but I'm not familiar with keycloak's source or > practices. What should I do to help get this merged? > > [1] https://github.com/keycloak/keycloak/compare/master...tpresa:master > > On Fri, Mar 27, 2015 at 10:51 AM, Stian Thorgersen wrote: > > > > > > > ----- Original Message ----- > > > From: "Thiago Presa" > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Friday, 27 March, 2015 2:01:56 PM > > > Subject: Re: [keycloak-user] Application Management > > > > > > Ah, yes, I didn't understand your proposal properly. Wouldn't giving > > > manage-users to app-admins wouldn't cause trouble, since app-admins could > > > create and modify user accounts? > > > > Whether or not it's causing trouble depends on your requirements, but yes, > > they could create and modify user accounts, but not grant more privileges. > > > > If you need to go beyond this one alternative is to wrap the admin > > endpoints in your own application. We've just got so much on our plate at > > the moment that we can't provide this level of control on permissions. > > > > > > > > On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen > > wrote: > > > > > > > Well, yes.. I told you it was a bit rubbish and would need some > > re-design > > > > to implement more fine grained permissions. Doing that is a relatively > > big > > > > task and is not a high priority for us ATM. > > > > > > > > I'm a bit confused by this email as I proposed a simple solution that > > > > would resolve your requirements. If an admin can only grant permissions > > > > that admin has access to all you have to do is to create an admin that > > can > > > > only access roles for certain applications and your problem should be > > > > solved. That's a simple solution that we can add soon. > > > > > > > > ----- Original Message ----- > > > > > From: "Thiago Presa" > > > > > To: "Stian Thorgersen" > > > > > Cc: keycloak-user at lists.jboss.org > > > > > Sent: Thursday, 26 March, 2015 8:10:07 PM > > > > > Subject: Re: [keycloak-user] Application Management > > > > > > > > > > So I've spent the last couple of days playing with the source. :-) > > > > > > > > > > The current authorization mechanism is based on Realm/RealmApp i.e. > > > > > whenever an API resource is called, check if the User has the > > required > > > > > Right (manage, any, view) in the resource's Realm/RealmApp. > > > > > > > > > > Consider, for example, the URI > > > > > > > /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. > > > > What > > > > > I was trying to do is to create a permission for {app-name} so that > > this > > > > > API call wouldn't require any Realm/RealmApp right. > > > > > > > > > > The problem I see is that this API call trigger many methods (i.e. > > > > > AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, > > > > > RealmAdminResource#getApplicationsById, and so on...), and at those > > > > methods > > > > > there is not enough information to figure out whether this is: > > > > > > > > > > 1- An app-specific call and thus should be authorized even without > > realm > > > > > authorization, or; > > > > > 2- Not app-specific call and this should be properly authorized by > > > > > Realm/RealmApp. > > > > > > > > > > Even in the case of (1), the information on which app should I check > > for > > > > > authorization is not available. > > > > > > > > > > So it seems to me that this resource-loading mechanisms pressuposes > > an > > > > > authorization mechanism that checks only against the realm for > > > > permission, > > > > > and changing this seems daunting to me. > > > > > > > > > > Do you guys have any idea on a more local change I could make to > > achieve > > > > > the intended behavior? > > > > > > > > > > On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa < > > thiago.addevico at gmail.com > > > > > > > > > > wrote: > > > > > > > > > > > OK, agreed. We thought this out of consistency, but if that's not a > > > > good > > > > > > design we surely can consider a better one. > > > > > > > > > > > > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen < > > stian at redhat.com> > > > > > > wrote: > > > > > > > > > > > >> > > > > > >> > > > > > >> ----- Original Message ----- > > > > > >> > From: "Thiago Presa" > > > > > >> > To: stian at redhat.com > > > > > >> > Cc: keycloak-user at lists.jboss.org > > > > > >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM > > > > > >> > Subject: Re: [keycloak-user] Application Management > > > > > >> > > > > > > >> > Hi there, > > > > > >> > > > > > > >> > I'm Alex's coworker and I'll be working on this too. > > > > > >> > > > > > > >> > We were just discussing your idea, and it seems to fit our > > > > requirements. > > > > > >> > > > > > > >> > As far as we have seen, keycloak already has a realm-admin > > concept. > > > > > >> > Whenever a realm "R" is created, it creates a R-realm > > application > > > > with > > > > > >> > a bunch of default roles (manage-users, manage-roles, etc.) > > into the > > > > > >> > realm master. > > > > > >> > > > > > > >> > We are currently thinking if we could mimic this structure for > > > > > >> > applications. What do you think? > > > > > >> > > > > > >> It's already messy with the way I modelled it and adding the same > > for > > > > > >> applications would be even worse. I don't see why that's needed > > > > though if > > > > > >> we'd add what I proposed. > > > > > >> > > > > > >> > > > > > > >> > > I had an idea a while back that is a simple way to achieve > > what > > > > you're > > > > > >> > > asking for. Th> e idea would be to only allow an admin to > > grant > > > > roles > > > > > >> that > > > > > >> > > the admin has access to. > > > > > >> > > > > > > >> > > Basically:> * A user with admin (super user) role can grant > > any > > > > roles > > > > > >> (we > > > > > >> > > would need to add a per-> realm super user role) > > > > > >> > > > > > > >> > > * A user with the role manage-users and some roles on app1 can > > > > only > > > > > >> grant > > > > > >> > > other users > the roles on app1 > > > > > >> > > > > > > >> > > * A user with the role manage-users and some roles on app2 can > > > > only > > > > > >> grant > > > > > >> > > other users > the roles on app2 > > > > > >> > > > > > > >> > > > > > > > >> > > > > > > >> > > This is something we should add in either case (to prevent > > users > > > > > >> granting > > > > > >> > themselves more access). Would it solve your problems? > > > > > >> > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > From stian at redhat.com Tue Apr 7 03:02:17 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 7 Apr 2015 03:02:17 -0400 (EDT) Subject: [keycloak-user] Curious about the Email constraint on UserEntity In-Reply-To: <1707221802.602972.1428356621257.JavaMail.yahoo@mail.yahoo.com> References: <1707221802.602972.1428356621257.JavaMail.yahoo@mail.yahoo.com> Message-ID: <1601687592.13235120.1428390137576.JavaMail.zimbra@redhat.com> As we allow login using email it has to be unique ----- Original Message ----- > From: "Adil Arif" > To: keycloak-user at lists.jboss.org > Sent: Monday, 6 April, 2015 11:43:41 PM > Subject: [keycloak-user] Curious about the Email constraint on UserEntity > > I have been testing Keycloak (1.1.0 Final) federation ability against some of > our existing user databases. I came across the unique email address > constraint in the UserEntity table. What is the reasoning behind email > addresses being unique? > > Our particular use case is that a user can create multiple usernames and have > the same email address across many of them if they choose to. > > Adil Arif > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Tue Apr 7 03:09:05 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 7 Apr 2015 03:09:05 -0400 (EDT) Subject: [keycloak-user] Using Informix DB with Keycloak ... In-Reply-To: <173304705.803869.1428365433517.JavaMail.yahoo@mail.yahoo.com> References: <173304705.803869.1428365433517.JavaMail.yahoo@mail.yahoo.com> Message-ID: <493030664.13237004.1428390545942.JavaMail.zimbra@redhat.com> To start with we can most likely accept PRs to make Informix to work, but we can't support all dbs out there. That being said it looks like either the Informix dialect is not being used, or it's not working properly. What you've done below hibernate.query.substitutions should be taken care of by Hibernate dialects. Try setting the "driverDialect" to org.hibernate.dialect.InformixDialect and see if you're still having issues. Another problem you may encounter is that Liquibase change-sets may need to be tweaked to work with Informix. ----- Original Message ----- > From: "Thomas Connolly" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 7 April, 2015 2:10:33 AM > Subject: [keycloak-user] Using Informix DB with Keycloak ... > > Hi All > > As part of a standardisation process, I'm trying to get Keycloak working with > Informix DB, the enterprise DB! > I understand that Keycloak does not officially support Informix however given > the use of JPA / Hibernate I though there was a good chance it would work > out of the box. > However this has proven not the case. The connection dialect does indeed > recognise Informix but does not appear to correctly map to this DB. > > The issue I've come across is the handling of boolean conditional in SQL. > > In RoleEntry.java the query > @NamedQuery(name="getRealmRoleByName", query="select role from RoleEntity > role where role.applicationRole = false and role.name = :name and role.realm > = :realm") > > Generates the following > select > roleentity0_.id as id1_15_, > roleentity0_.APP_REALM_CONSTRAINT as APP_REAL2_15_, > roleentity0_.APPLICATION as APPLICAT7_15_, > roleentity0_.APPLICATION_ROLE as APPLICAT3_15_, > roleentity0_.DESCRIPTION as DESCRIPT4_15_, > roleentity0_.NAME as NAME5_15_, > roleentity0_.REALM as REALM8_15_, > roleentity0_.REALM_ID as REALM_ID6_15_ > from > KEYCLOAK_ROLE roleentity0_ > where > roleentity0_.APPLICATION_ROLE=0 > The above does not work with Informix as 't', 'f', true and false > respectively is used. So it should be > where > roleentity0_.APPLICATION_ROLE='f' > > Looking through the code, it appears I cannot configure this. Happy to be > proven wrong here! > I found I could override within Hibernate using the property > hibernate.query.substitutions=true t, false f > > I've added this change into DefaultJpaConnectionProviderFactory.java > > String querySubstitutions = config.get("querySubstitutions"); > if (querySubstitutions != null) { > logger.debug("hibernate.query.substitutions=" + querySubstitutions); > properties.put("hibernate.query.substitutions", querySubstitutions); > } > > Adding the setting in keycloak-server.json > "connectionsJpa": { > "default": { > "dataSource": "java:jboss/datasources/KeycloakDS", > "databaseSchema": "update", > "querySubstitutions" : "true t, false f" > } > > However I've found the translation is not occurring as I would have expected. > > Can you please advise on the approach I'm taking or any alternatives I have > not looked into? > > Also once we get this working with Informix how can I get it added to the > supported DB list? > > Regards > Tom Connolly. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Apr 7 03:20:57 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 07 Apr 2015 09:20:57 +0200 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

<5522908E.4060507@redhat.com> <55229641.6090406@redhat.com> Message-ID: <55238559.4040902@redhat.com> The demo is bundled in keycloak-appliance-dist ZIP in directory examples/saml . The demo sources are here: https://github.com/keycloak/keycloak/tree/master/examples/saml Marek On 7.4.2015 02:37, Chen Keong Yap wrote: > > Hi bill, > > Can you give me the link or path for the demo? Not sure if you are > using keycloak or picketlink demo for testing? > > On Apr 6, 2015 9:20 PM, "Bill Burke" > wrote: > > Demos work fine for me, but I'm using the wildfly Picketlink SP > adapter. I am able to have an SSO session with all the examples, > then I am able to logout and have all sessions invalidated. > > On 4/6/2015 9:01 AM, Chen Keong Yap wrote: > > Hi bill, > > Are you using 2 applications for testing? > > If yes, need to know have you logged out the first application > then > redirect to keycloak login page? After that refresh the second > application then redirect to keycloak login page? > > Can i know which version of picketlink federation lib are you > using? > > On Apr 6, 2015 8:56 PM, "Bill Burke" > >> wrote: > > I tried out the saml demo app and logout works just fine, > so I'm > guessing this is a bug in the PL SP Filter. > > On 4/6/2015 6:47 AM, Chen Keong Yap wrote: > > Hi bill, > > Global logout only removed sp sessions but not web > application > sessions > and this created security loopholes. > > Please advise > > On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap > > > > __com > >>> wrote: > > Guys, > > Can share your ideas why global logout is not > working? > > On Apr 3, 2015 3:47 PM, "Chen Keong Yap" > > > > __com > >>> wrote: > > Hi Marek, > > I've just tested backchannel logout and it's > showing > same issue. > Both applications are using PL SP Filter and > the steps > below are > used for testing. > > 1. Open https://localhost:8443/__employee/ > and http request is > redirected to > https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml > > > > 2. Enter username and password into keycloak > login page and > redirected to employee landing page > > 3. Open https://localhost:8443/sales-__post/ > and redirected to > sales-post landing page without login > > 4. Logon to keycloak admin console and > noticed there are 2 > active sessions > > 5. Perform global logout from employee > landing page > (https://localhost:8443/__employee/?GLO=true > ) and http > request is > redirected to > https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml > > > > 6. Logon to keycloak admin console and > noticed all > sessions are gone > > 7. Refresh sales-post landing page and it's not > redirected to > keycloak login page. sales-post session still > active. > > Kindly advise why GLO is performed but the second > application > (sales-post) session still active? > > On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda > > > >>> wrote: > > Switch the "Front channel logout" to off. > In this > case it > should use backchannel (not redirecting > through > browser, but > sending logout requests from Keycloak in > background) > > Marek > > > > On 3.4.2015 08:28, Chen Keong Yap wrote: > > > Hi Merek, > > I've tried frontChannel logout in > 1.2.0.Beta1 > and it's > giving me the same issues, please > refer to the > settings > shown in the screen shot. > > Can you please advise how to test > backchannel > logout? > > > Inline image 1 > > > > On Fri, Apr 3, 2015 at 1:50 PM, Marek > Posolda > > > > >>> wrote: > > I would try to upgrade to latest > 1.2.0.Beta1 as it has > some related fixes AFAIK. > > In this version, you have also > possibility > to setup > either frontChannel logout or > backchannel > logout for > the application. It could be set in > Keycloak admin > console. I think that at least > one of them > will work > with SP filter in latest version > (if not both). > > Marek > > > On 3.4.2015 01:44, Chen Keong Yap > wrote: > > Hi, > > I've 2 applications installed > with > Picketlink > SPFilter to authenticate with > keycloak > 1.1.0 beta 2. > > When i perform global logout, > first > application was > logged out successfully because > SP/keycloak session > and application http session are > removed but the > problem is second > application SP/keycloak > session is > removed but > application http session is still > remained. I've set > admin url for these 2 > applications in > keycloak admin > console. Kindly share your ideas. > > > > > _________________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > >

> >

__jboss.org >

>> > https://lists.jboss.org/__mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/85cb004d/attachment-0001.html From mposolda at redhat.com Tue Apr 7 03:33:05 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 07 Apr 2015 09:33:05 +0200 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: References: <551D50FB.9010601@redhat.com>

<551E2857.6020501@redhat.com> Message-ID: <55238831.8080004@redhat.com> On 3.4.2015 21:21, Scott Rossillo wrote: > Ok, so a few followups. Just to be clear, here?s what I?m trying to do > and the outcomes of each against 1.2.0.Beta1: > > 1. (Original scenario) Log user out from KC console (Users > [user] > Sessions). > Result: This still fails with the exception, > "org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession > Session not present or already invalidated.? > > The exception thrown here is an NPE > as manager.findSession(httpSessionId) failed to find the session. > Interestingly, the session is still valid and the ID passed into the > manager is correct. Furthermore, while debugging I can see that > manager.findSession() looks up the session in a hash map. > Interestingly, the session id (key) is there, but the value (session) > is null. Maybe this is a Tomcat bug. Using Tomcat 8.0.18, will test > with 8.0.21. > > 2. (Second scenario) Application logout. > Documentation 8.10. Logout > (http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152) > say you can either call HttpServletRequest.logout() or redirect > tohttp://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri. > > However, you have to do both. > > Call only .logout() and the KC token is still valid and user can > access app with a new session (it will just redirect to KC, see KC > session is valid and grant access). > > Call only auth-server/?/logout and the Tomcat session remains valid. I > would have thought that calling the auth-server?s logout endpoint > would broadcast logout events to logged in applications, but it doesn?t. Actually auth-server logout should broadcast the logout to all logged-in applications. Auth-server will do it if you have configured "admin URL" for your application in Keycloak admin console. Do you have it configured? Calling to .logout() should ensure redirecting to auth-server, which will logout Keycloak user session and then broadcast to logged applications. In summary, both .logout() and redirection to auth-server/.../logout should invalidate both Keycloak UserSession and all logged application sessions (As long as you have admin URL configured for the applications). If something of it doesn't work, it may be a bug. Marek > > I?ll file a JIRA for the second case and continue investigating the > first scenario with a newer Tomcat release. > > Best, > Scott > > > > > > > > > > On Fri, Apr 3, 2015 at 1:42 AM, Marek Posolda > wrote: > > Sure, maybe even easier alternative is to try debugger. You can > add this to the beginning of $TOMCAT_HOME/bin/catalina.sh: > > JAVA_OPTS="$JAVA_OPTS > -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n" > > then start tomcat and then remotely connect to it from your IDE. > You will need opened IDE with keycloak sources though. > > I've changed the code to display the exception stacktrace, but it > will be available in next release (not yet in 1.2.0.Beta1 released > yesterday) > > Marek > > > On 3.4.2015 01:30, Scott Rossillo wrote: >> Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1. >> >> I will install a custom built agent tomorrow to catch the actual >> exception to see what's up. >> >> >> On Thursday, April 2, 2015, Scott Rossillo >> > wrote: >> >> Hi, >> >> Thanks for the reply. >> >> I was trying to log a user out from the Keycloak admin >> console. I will try the redirect method and see if it works. >> >> Also, I?m using 1.1.0.Final. I will upgrade to 1.2.0.Beta1 >> and report if the issue is still occurring. >> >> Best, >> Scott >> >> On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda >> wrote: >> >> Hi, >> >> I've tried with Apache Tomcat 6.0.35 but wasn't able to >> reproduce with latest Keycloak 1.2.0.Beta1. Logout works >> fine for me. >> >> How are you doing logout? From the application or from KC >> admin console? For the tomcat6, the >> httpServletRequest.logout() method is not yet available, >> so best for logout from the application is redirecting to >> Keycloak logout URL similarly like in our demo example: >> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 >> >> You can also enable debug logging, which should show some >> additional messages in the log by adding this line into >> $TOMCAT_HOME/conf/logging.properties: >> >> org.keycloak.level = FINE >> >> Marek >> >> >> >> On 2.4.2015 01:37, Scott Rossillo wrote: >>> Hi all, >>> >>> I?m running Keycloak 1.1.0-Final in standalone mode and >>> using Keycloak agents on Tomcat 6 and Tomcat 8. >>> >>> With both agents, whenever I try to log a user out via >>> the Keycloak server, I see this in the Tomcat server?s log: >>> >>> Apr 01, 2015 7:27:47 PM >>> org.keycloak.adapters.tomcat.CatalinaUserSessionManagement >>> logoutSession >>> WARN: Session not present or already invalidated. >>> >>> The session is still valid and continues to be valid for >>> some period of time in each of the Tomcat instances. >>> Anyone know how to fix? >>> >>> I was looking at the source and I see this method: >>> >>> * >>> >>> >>> * org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. >>> >>> logoutSession() >>> >>> I may test loging the actual exception tomorrow if no >>> one has a clue, but I think it?s probably the exception >>> is being thrown for some reason other than the session >>> no longer existing (it definitely still does). >>> >>> Best, >>> Scott >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/792500a2/attachment.html From mposolda at redhat.com Tue Apr 7 03:38:55 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 07 Apr 2015 09:38:55 +0200 Subject: [keycloak-user] CatalinaUserSessionManagement: Session not present or already invalidated In-Reply-To: References: <551D50FB.9010601@redhat.com>

<551E2857.6020501@redhat.com> Message-ID: <5523898F.1020305@redhat.com> So you're using spring security? This is quite an important detail, which you didn't mention before... Yeah, it depends on the behaviour what Spring security is doing regarding sessions. You can try our demo applications customer-portal + product-portal. Those are simple servlet applications. If you're not seeing issues with them, but still seeing issue with your spring security app, then we know that the issue might be related to spring security. If you manage to have it working with Spring security, it would be cool if you can share the details here. We had some questions related to spring security in the past. If you manage to secure Spring Security with our adapter, it could be good reference for the future. Thanks, Marek On 3.4.2015 22:22, Scott Rossillo wrote: > Update on issue 1, Log user out from KC console: > It appears this is due to Spring security creating a new session and > migrating data into it but KC knows nothing about this. There?s a way > to disable this behavior in Spring Security and I?m going to take that > path. This should be a non-issue. > > ~ Scott > > > On Fri, Apr 3, 2015 at 3:21 PM, Scott Rossillo > > wrote: > > Ok, so a few followups. Just to be clear, here?s what I?m trying > to do and the outcomes of each against 1.2.0.Beta1: > > 1. (Original scenario) Log user out from KC console (Users > > [user] Sessions). > Result: This still fails with the exception, > "org.keycloak.adapters.tomcat.CatalinaUserSessionManagement.logoutSession > Session not present or already invalidated.? > > The exception thrown here is an NPE > as manager.findSession(httpSessionId) failed to find the session. > Interestingly, the session is still valid and the ID passed into > the manager is correct. Furthermore, while debugging I can see > that manager.findSession() looks up the session in a hash map. > Interestingly, the session id (key) is there, but the value > (session) is null. Maybe this is a Tomcat bug. Using > Tomcat 8.0.18, will test with 8.0.21. > > 2. (Second scenario) Application logout. > Documentation 8.10. Logout > (http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#d4e1152) > say you can either call HttpServletRequest.logout() or redirect > tohttp://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri. > > However, you have to do both. > > Call only .logout() and the KC token is still valid and user can > access app with a new session (it will just redirect to KC, see KC > session is valid and grant access). > > Call only auth-server/?/logout and the Tomcat session remains > valid. I would have thought that calling the auth-server?s logout > endpoint would broadcast logout events to logged in applications, > but it doesn?t. > > I?ll file a JIRA for the second case and continue investigating > the first scenario with a newer Tomcat release. > > Best, > Scott > > > > > > > > > > On Fri, Apr 3, 2015 at 1:42 AM, Marek Posolda > wrote: > > Sure, maybe even easier alternative is to try debugger. You > can add this to the beginning of $TOMCAT_HOME/bin/catalina.sh: > > JAVA_OPTS="$JAVA_OPTS > -agentlib:jdwp=transport=dt_socket,address=5005,server=y,suspend=n" > > then start tomcat and then remotely connect to it from your > IDE. You will need opened IDE with keycloak sources though. > > I've changed the code to display the exception stacktrace, but > it will be available in next release (not yet in 1.2.0.Beta1 > released yesterday) > > Marek > > > On 3.4.2015 01:30, Scott Rossillo wrote: >> Still no luck using Tomcat 8 and Keycloak 1.2.0.Beta1. >> >> I will install a custom built agent tomorrow to catch the >> actual exception to see what's up. >> >> >> On Thursday, April 2, 2015, Scott Rossillo >> > wrote: >> >> Hi, >> >> Thanks for the reply. >> >> I was trying to log a user out from the Keycloak admin >> console. I will try the redirect method and see if it works. >> >> Also, I?m using 1.1.0.Final. I will upgrade to >> 1.2.0.Beta1 and report if the issue is still occurring. >> >> Best, >> Scott >> >> On Thu, Apr 2, 2015 at 10:23 AM, Marek Posolda >> wrote: >> >> Hi, >> >> I've tried with Apache Tomcat 6.0.35 but wasn't able >> to reproduce with latest Keycloak 1.2.0.Beta1. Logout >> works fine for me. >> >> How are you doing logout? From the application or >> from KC admin console? For the tomcat6, the >> httpServletRequest.logout() method is not yet >> available, so best for logout from the application is >> redirecting to Keycloak logout URL similarly like in >> our demo example: >> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L14 >> >> You can also enable debug logging, which should show >> some additional messages in the log by adding this >> line into $TOMCAT_HOME/conf/logging.properties: >> >> org.keycloak.level = FINE >> >> Marek >> >> >> >> On 2.4.2015 01:37, Scott Rossillo wrote: >>> Hi all, >>> >>> I?m running Keycloak 1.1.0-Final in standalone mode >>> and using Keycloak agents on Tomcat 6 and Tomcat 8. >>> >>> With both agents, whenever I try to log a user out >>> via the Keycloak server, I see this in the Tomcat >>> server?s log: >>> >>> Apr 01, 2015 7:27:47 PM >>> org.keycloak.adapters.tomcat.CatalinaUserSessionManagement >>> logoutSession >>> WARN: Session not present or already invalidated. >>> >>> The session is still valid and continues to be valid >>> for some period of time in each of the Tomcat >>> instances. Anyone know how to fix? >>> >>> I was looking at the source and I see this method: >>> >>> * >>> >>> >>> * org.keycloak.adapters.tomcat.CatalinaUserSessionManagement. >>> >>> logoutSession() >>> >>> I may test loging the actual exception tomorrow if >>> no one has a clue, but I think it?s probably the >>> exception is being thrown for some reason other than >>> the session no longer existing (it definitely still >>> does). >>> >>> Best, >>> Scott >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/dd329f63/attachment-0001.html From mposolda at redhat.com Tue Apr 7 03:55:52 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 07 Apr 2015 09:55:52 +0200 Subject: [keycloak-user] Running Liquibase updates via maven plugin In-Reply-To: References: Message-ID: <55238D88.4050001@redhat.com> Looks like a bug. I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-1181 and will take a look at it. Marek On 6.4.2015 20:38, Schneider, Tom wrote: > > I?d like to populate a database for keycloak via the command line > using the liquibase maven plugin. > > With the latest master code, when I try to run this command: > > mvn -f connections/jpa-liquibase/pom.xml liquibase:update > -Durl=jdbc:h2:keycloak > > I receive the following error message: > > [ERROR] liquibase.exception.UnexpectedLiquibaseException: > liquibase.exception.CustomChangeException: > liquibase.exception.SetupException: No KeycloakSession provided in > ThreadLocal > > Am I missing some setup or is this no longer supported? > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/76798a28/attachment.html From sadiqkhoja at gmail.com Tue Apr 7 04:24:49 2015 From: sadiqkhoja at gmail.com (Sadiq Khoja) Date: Tue, 7 Apr 2015 13:24:49 +0500 Subject: [keycloak-user] CORS for direct grant access Message-ID: Guys, I want to enable CORS for Direct Grant Access, how to do it? I am getting following error from my javascript application: (index):1 XMLHttpRequest cannot load http://localhost:8080/auth/realms/master/tokens/grants/access. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://pn.localhost:81' is therefore not allowed access. The response had HTTP status code 400. ? Regards, *??Sadiq Khoja* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/b10d9545/attachment.html From chenkeong.yap at izeno.com Tue Apr 7 04:41:15 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Tue, 7 Apr 2015 16:41:15 +0800 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: <55238559.4040902@redhat.com> References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

<5522908E.4060507@redhat.com> <55229641.6090406@redhat.com> <55238559.4040902@redhat.com> Message-ID: Hi, I cannot find the spfilter definition in web.xml of the sample demo. Just wondering is the demo running on SP filter?

SPFilter

org.picketlink.identity.federation.web.filters.SPFilter

IGNORE_SIGNATURES

true

ROLES

PRUONE

LOGOUT_PAGE

/logout1.jsp

SPFilter

On Tue, Apr 7, 2015 at 3:20 PM, Marek Posolda wrote: > The demo is bundled in keycloak-appliance-dist ZIP in directory > examples/saml . > > The demo sources are here: > https://github.com/keycloak/keycloak/tree/master/examples/saml > > Marek > > > On 7.4.2015 02:37, Chen Keong Yap wrote: > > Hi bill, > > Can you give me the link or path for the demo? Not sure if you are using > keycloak or picketlink demo for testing? > On Apr 6, 2015 9:20 PM, "Bill Burke" wrote: > >> Demos work fine for me, but I'm using the wildfly Picketlink SP adapter. >> I am able to have an SSO session with all the examples, then I am able to >> logout and have all sessions invalidated. >> >> On 4/6/2015 9:01 AM, Chen Keong Yap wrote: >> >>> Hi bill, >>> >>> Are you using 2 applications for testing? >>> >>> If yes, need to know have you logged out the first application then >>> redirect to keycloak login page? After that refresh the second >>> application then redirect to keycloak login page? >>> >>> Can i know which version of picketlink federation lib are you using? >>> >>> On Apr 6, 2015 8:56 PM, "Bill Burke" >> > wrote: >>> >>> I tried out the saml demo app and logout works just fine, so I'm >>> guessing this is a bug in the PL SP Filter. >>> >>> On 4/6/2015 6:47 AM, Chen Keong Yap wrote: >>> >>> Hi bill, >>> >>> Global logout only removed sp sessions but not web application >>> sessions >>> and this created security loopholes. >>> >>> Please advise >>> >>> On Mon, Apr 6, 2015 at 6:41 AM, Chen Keong Yap >>> >>> >> >> wrote: >>> >>> Guys, >>> >>> Can share your ideas why global logout is not working? >>> >>> On Apr 3, 2015 3:47 PM, "Chen Keong Yap" >>> >>> >> >> wrote: >>> >>> Hi Marek, >>> >>> I've just tested backchannel logout and it's showing >>> same issue. >>> Both applications are using PL SP Filter and the steps >>> below are >>> used for testing. >>> >>> 1. Open https://localhost:8443/__employee/ >>> and http request is >>> redirected to >>> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml >>> >>> >>> 2. Enter username and password into keycloak login page >>> and >>> redirected to employee landing page >>> >>> 3. Open https://localhost:8443/sales-__post/ >>> and redirected to >>> sales-post landing page without login >>> >>> 4. Logon to keycloak admin console and noticed there >>> are 2 >>> active sessions >>> >>> 5. Perform global logout from employee landing page >>> (https://localhost:8443/__employee/?GLO=true >>> ) and http request is >>> redirected to >>> https://localhost:8443/auth/__realms/saml-demo-1/protocol/__saml >>> >>> >>> 6. Logon to keycloak admin console and noticed all >>> sessions are gone >>> >>> 7. Refresh sales-post landing page and it's not >>> redirected to >>> keycloak login page. sales-post session still active. >>> >>> Kindly advise why GLO is performed but the second >>> application >>> (sales-post) session still active? >>> >>> On Fri, Apr 3, 2015 at 3:36 PM, Marek Posolda >>> >>> >> >>> wrote: >>> >>> Switch the "Front channel logout" to off. In this >>> case it >>> should use backchannel (not redirecting through >>> browser, but >>> sending logout requests from Keycloak in background) >>> >>> Marek >>> >>> >>> >>> On 3.4.2015 08:28, Chen Keong Yap wrote: >>> >>> >>> Hi Merek, >>> >>> I've tried frontChannel logout in 1.2.0.Beta1 >>> and it's >>> giving me the same issues, please refer to the >>> settings >>> shown in the screen shot. >>> >>> Can you please advise how to test backchannel >>> logout? >>> >>> >>> Inline image 1 >>> >>> >>> >>> On Fri, Apr 3, 2015 at 1:50 PM, Marek Posolda >>> >> >> >> wrote: >>> >>> I would try to upgrade to latest >>> 1.2.0.Beta1 as it has >>> some related fixes AFAIK. >>> >>> In this version, you have also possibility >>> to setup >>> either frontChannel logout or backchannel >>> logout for >>> the application. It could be set in >>> Keycloak admin >>> console. I think that at least one of them >>> will work >>> with SP filter in latest version (if not >>> both). >>> >>> Marek >>> >>> >>> On 3.4.2015 01:44, Chen Keong Yap wrote: >>> >>> Hi, >>> >>> I've 2 applications installed with >>> Picketlink >>> SPFilter to authenticate with keycloak >>> 1.1.0 beta 2. >>> >>> When i perform global logout, first >>> application was >>> logged out successfully because >>> SP/keycloak session >>> and application http session are >>> removed but the >>> problem is second >>> application SP/keycloak session is >>> removed but >>> application http session is still >>> remained. I've set >>> admin url for these 2 applications in >>> keycloak admin >>> console. Kindly share your ideas. >>> >>> >>> >>> >>> _________________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> >> > >>> https://lists.jboss.org/__mailman/listinfo/keycloak-user >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> >>> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150407/18c48e77/attachment-0001.html From mposolda at redhat.com Tue Apr 7 04:47:22 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 07 Apr 2015 10:47:22 +0200 Subject: [keycloak-user] Http Session is not invalidated In-Reply-To: References: <551E2A3C.8070006@redhat.com> <551E42F7.9070404@redhat.com>

<5522908E.4060507@redhat.com>