From sthorger at redhat.com Tue Dec 1 04:40:13 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Dec 2015 10:40:13 +0100
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com> <565C5683.5030805@redhat.com>

We can make those classes serializable. Create a JIRA for it. It's too late for the 1.7 release though, so it won't be fixed until 1.8.

We also don't do any testing with ASYNC (as we know it will be problematic, especially since Keycloak doesn't require sticky sessions) or replicated caches, as we recommend using sync + invalidation caches.

On 30 November 2015 at 17:56, Lohitha Chiranjeewa wrote:
> I agree that there could be inconsistent behavior with ASYNC mode depending on what your use case is.
>
> However, shouldn't the classes I mentioned be made serializable in any case? They are directly referenced from the classes inside the infinispan cache model package.
>
> On Nov 30, 2015 7:56 PM, "Stian Thorgersen" wrote:
>> I wouldn't recommend setting async as you may get unpredictable behavior.
>>
>> On 30 November 2015 at 15:07, Lohitha Chiranjeewa wrote:
>>> Yes, the 'mode' of the 'realms' and 'users' caches was changed to 'ASYNC'. This causes the app to store the invalidations temporarily without sending them to other nodes and to flush them all only when a threshold value is reached. I think this storage method causes the serialization issue.
>>>
>>> On Mon, Nov 30, 2015 at 7:30 PM, Bill Burke wrote:
>>>> Did you change the caching configuration?
>>>>
>>>> On 11/30/2015 8:50 AM, Lohitha Chiranjeewa wrote:
>>>>> The issue came up with the Realm and User caches, not User Sessions.
>>>>>
>>>>> On Mon, Nov 30, 2015 at 7:17 PM, Bill Burke wrote:
>>>>>> Or is this related to the UserSession cache?
>>>>>>
>>>>>> On 11/30/2015 8:45 AM, Bill Burke wrote:
>>>>>>> We don't replicate at all. Why would this be an issue?
>>>>>>>
>>>>>>> On 11/30/2015 8:41 AM, Lohitha Chiranjeewa wrote:
>>>>>>>> When Infinispan caching is enabled in ASYNC mode, exceptions get logged at startup due to serialization issues. Basically the following classes have to implement the Serializable interface:
>>>>>>>>
>>>>>>>> org.keycloak.models.OTPPolicy
>>>>>>>> org.keycloak.models.RequiredActionProviderModel
>>>>>>>>
>>>>>>>> There could be other classes as well.
>>>>>>>>
>>>>>>>> Is this already fixed in the 1.7.0 code or shall I put in a JIRA?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Lohitha.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
From ton at finalist.nl Tue Dec 1 05:32:03 2015
From: ton at finalist.nl (Ton Swieb)
Date: Tue, 1 Dec 2015 11:32:03 +0100
Subject: [keycloak-user] Consistent error Unknown Saml Response when trying to log in through remote IDP

Hi,

I have set up a test environment with a remote IDP (simplesamlphp) for Keycloak (1.6.1 Final). When I try to use the remote IDP to log in, I always get a "We're sorry, invalid request" page.

From the log I can see that the error comes from SamlService.handleResponse(), where a cookie named KEYCLOAK_IDENTITY is expected to exist and be valid, which never seems to be the case. I have experimented with different configuration options for the remote IDP, but nothing changes this.

Can anyone shed some light on this?

Thanks.

--
Regards,
Ton

From orestis.tsakiridis at telestax.com Tue Dec 1 07:13:56 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 1 Dec 2015 14:13:56 +0200
Subject: [keycloak-user] Broken link to javadocs!

Hi!

I'm trying to find the keycloak javadocs but all references to it seem broken. Did a lot of googling and it seems the material is transferred to http://keycloak.github.io but had no luck in finding it.

Can you point me to it?

These are the pages that contain the broken links:

http://keycloak.github.io/docs/
http://keycloak.jboss.org/docs

And these are the broken links themselves:

http://keycloak.github.io/docs/javadocs/index.html
http://keycloak.github.io/docs/keycloak-server/javadocs/index.html

Regards
Orestis
From sthorger at redhat.com Tue Dec 1 07:17:52 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Dec 2015 13:17:52 +0100
Subject: [keycloak-user] Broken link to javadocs!

We had an issue with the javadocs download not being included in the last release. It will be fixed in the 1.7 release, so JavaDocs will be available in a few days.

On 1 December 2015 at 13:13, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Hi!
>
> I'm trying to find the keycloak javadocs but all references to it seem broken. Did a lot of googling and it seems the material is transferred to http://keycloak.github.io but had no luck in finding it.
>
> Can you point me to it?
>
> These are the pages that contain the broken links:
>
> http://keycloak.github.io/docs/
> http://keycloak.jboss.org/docs
>
> And these are the broken links themselves:
>
> http://keycloak.github.io/docs/javadocs/index.html
> http://keycloak.github.io/docs/keycloak-server/javadocs/index.html
>
> Regards
> Orestis
From DSzeto at investlab.com Tue Dec 1 07:21:43 2015
From: DSzeto at investlab.com (Doug Szeto)
Date: Tue, 1 Dec 2015 12:21:43 +0000
Subject: [keycloak-user] Theme Resources Urls
References: <565C663C.8060808@redhat.com>

If you want to bust the cache on a version update, a better practice is to stick the version id as a query parameter at the end of resources, see: https://css-tricks.com/strategies-for-cache-busting-css/

i.e. http://localhost:8080/auth/resources/themes/login/keycloak/css/login.css?v=1.6.1.final

I thought the point of customized themes was to allow developers better control over the web resources being served without modifying the security source code. But if we can't control the url of our content, it limits our options on web optimization strategies.

I guess overriding the freemarker template is the only way to go.

--Doug

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke
Sent: Monday, November 30, 2015 23:07
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Theme Resources Urls

Browser caching is turned on for themed resources (admin console, login, etc.) This is obviously for performance reasons.

In the past we received a HUGE amount of false bug reports of "Admin console doesn't work", "my theme changes aren't showing", etc. after upgrading Keycloak. All because people didn't clear their browser caches. Hence, the version id.

You should not be externally linking to themed endpoints. You can use a different URL to ping the server for "is alive", i.e. //realms/{realm-name}

On 11/30/2015 9:56 AM, Doug Szeto wrote:
> What do you mean by 'You can't customize the url format'?
>
> Is there a design decision reason why it is more secure to have your keycloak version exposed in the middle of your theme resource urls?
>
> Or would it be easier if you had a pull request?
>
> --Doug
>
> ------------------------------------------------------------------------
> *From:* Stian Thorgersen
> *Sent:* Monday, November 30, 2015 15:35
> *To:* Doug Szeto
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Theme Resources Urls
>
> You can't customize the url format. Not sure how it would help during upgrades? I'd say the opposite, as you end up with cached versions for the old release not being updated.
>
> On 28 November 2015 at 03:54, Doug Szeto wrote:
>> Hi,
>> I have created a custom theme as specified in your docs here:
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html
>> It functions in the browser, in that these configs tell you where the theme customization resources are stored locally, but the end result is that the resources are served from the url format pattern of:
>>
>> http://localhost:8080/auth/resources/1.6.1.final/login/keycloak/css/login.css
>>
>> Is there a way to customize the theme url format to scrub the version number off the css/image/js resources? This will help out in monitoring and upgrades.
>>
>> Thanks,
>> --Doug

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From orestis.tsakiridis at telestax.com Tue Dec 1 07:25:20 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 1 Dec 2015 14:25:20 +0200
Subject: [keycloak-user] Porting user passwords to keycloak

Hello,

I'm trying to create some migration scripts that will port users from Application1 into keycloak. Users in Application1 already have usernames, passwords etc. I use the admin rest api to create the users.

The problem I'm facing is that user passwords in the Application1 database are already hashed using md5. So, I don't really know the actual passwords (security wise that makes sense).

The only solution I've come down to is to store the passwords as they are in keycloak (md5ed) and tell the users to use the hashed value instead of the plaintext one when signing in. Then, force them to reset passwords. Not the best UX :-(

Is there a way to tell keycloak that "these passwords are already hashed in md5" so, "store them as they are" and "when a user tries to sign in, first hash his password with md5 and then compare to the value stored in db" or sth like that?

Any alternatives come to mind?

Regards
Orestis
From sthorger at redhat.com Tue Dec 1 07:27:32 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Dec 2015 13:27:32 +0100
Subject: [keycloak-user] Theme Resources Urls
References: <565C663C.8060808@redhat.com>

Query param is an alternative practice. There are pros and cons with both approaches.

The idea of customized themes is so you can customize the themes. To change the look and feel, add a logo, add an extra field to the forms, etc.

Can you elaborate on exactly why you need to change the URL?

On 1 December 2015 at 13:21, Doug Szeto wrote:
> If you want to bust the cache on a version update, a better practice is to stick the version id as a query parameter at the end of resources, see: https://css-tricks.com/strategies-for-cache-busting-css/
>
> i.e. http://localhost:8080/auth/resources/themes/login/keycloak/css/login.css?v=1.6.1.final
>
> I thought the point of customized themes was to allow developers better control over the web resources being served without modifying the security source code. But if we can't control the url of our content, it limits our options on web optimization strategies.
>
> I guess overriding the freemarker template is the only way to go.
>
> --Doug

From sthorger at redhat.com Tue Dec 1 07:29:15 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Dec 2015 13:29:15 +0100
Subject: [keycloak-user] Porting user passwords to keycloak

We are planning to add a Password Hashing SPI, which will allow plugging in additional hashing mechanisms. It's not ready quite yet though.

On 1 December 2015 at 13:25, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Hello,
>
> I'm trying to create some migration scripts that will port users from Application1 into keycloak. Users in Application1 already have usernames, passwords etc. I use the admin rest api to create the users.
>
> The problem I'm facing is that user passwords in the Application1 database are already hashed using md5. So, I don't really know the actual passwords (security wise that makes sense).
>
> The only solution I've come down to is to store the passwords as they are in keycloak (md5ed) and tell the users to use the hashed value instead of the plaintext one when signing in. Then, force them to reset passwords. Not the best UX :-(
>
> Is there a way to tell keycloak that "these passwords are already hashed in md5" so, "store them as they are" and "when a user tries to sign in, first hash his password with md5 and then compare to the value stored in db" or sth like that?
>
> Any alternatives come to mind?
>
> Regards
> Orestis

From orestis.tsakiridis at telestax.com Tue Dec 1 07:36:46 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 1 Dec 2015 14:36:46 +0200
Subject: [keycloak-user] Porting user passwords to keycloak

Ok, so I guess I'll have to go with a workaround, password reset, etc. as I've described.

Thanks Stian

On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen wrote:
> We are planning to add a Password Hashing SPI, which will allow plugging in additional hashing mechanisms. It's not ready quite yet though.

From sthorger at redhat.com Tue Dec 1 08:12:24 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Dec 2015 14:12:24 +0100
Subject: [keycloak-user] Porting user passwords to keycloak

So it looks like we will indeed have the password hash SPI in 1.8. It'll be released in early January.

If you can't wait for that I think it would be better to not import users with a password at all and instead send reset password links to their email address. That would assume all users have emails registered. Or you could also modify the password authenticator and make it run md5 on the value of the input password for users that haven't updated their password yet.

On 1 December 2015 at 13:36, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Ok, so I guess I'll have to go with a workaround, password reset, etc. as I've described.
>
> Thanks Stian
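As an added illustration of the migrate-on-login approach Stian describes (not code from this thread or from Keycloak itself), the following Go program checks a login against an MD5 digest imported from the old application and, on the first successful login, replaces it with a salted, iterated hash so the MD5 value does not outlive that login. The record layout, the PBKDF2-HMAC-SHA256 target hash, the work factor and the sample MD5 row are assumptions made for the example; Keycloak's own credential format is not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// credential is one stored password record: either the unsalted MD5 carried
// over from the old application, or the salted, iterated hash it is replaced by.
type credential struct {
	Algorithm  string // "md5-legacy" or "pbkdf2-sha256"
	Salt       []byte
	Iterations int
	Hash       []byte
}

type store map[string]*credential

const pbkdf2Iterations = 20000 // assumed work factor for the example

// importLegacyMD5 takes a hex MD5 digest exported from the old database and
// stores it untouched, flagged so the login path knows how to check it.
func importLegacyMD5(s store, user, md5Hex string) error {
	h, err := hex.DecodeString(md5Hex)
	if err != nil || len(h) != md5.Size {
		return errors.New("not a valid MD5 digest")
	}
	s[user] = &credential{Algorithm: "md5-legacy", Hash: h}
	return nil
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out with the
// standard library so the example needs no external module.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// authenticate checks the password against whichever form is stored. A correct
// password for a legacy record is re-hashed with a fresh salt and the record
// replaced, so the MD5 value is gone after the user's first successful login;
// a failed check leaves the record untouched.
func authenticate(s store, user, password string) (ok, migrated bool, err error) {
	c, found := s[user]
	if !found {
		return false, false, errors.New("unknown user")
	}
	switch c.Algorithm {
	case "md5-legacy":
		sum := md5.Sum([]byte(password)) // the same transform the old app applied
		if subtle.ConstantTimeCompare(sum[:], c.Hash) != 1 {
			return false, false, nil
		}
		salt := make([]byte, 16)
		if _, e := rand.Read(salt); e != nil {
			return true, false, e
		}
		hash := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, 32)
		s[user] = &credential{Algorithm: "pbkdf2-sha256", Salt: salt, Iterations: pbkdf2Iterations, Hash: hash}
		return true, true, nil
	case "pbkdf2-sha256":
		got := pbkdf2SHA256([]byte(password), c.Salt, c.Iterations, len(c.Hash))
		return subtle.ConstantTimeCompare(got, c.Hash) == 1, false, nil
	default:
		return false, false, fmt.Errorf("unsupported algorithm %q", c.Algorithm)
	}
}

func main() {
	s := store{}
	// Constructed legacy row: MD5("password") as the old application would have stored it.
	_ = importLegacyMD5(s, "alice", "5f4dcc3b5aa765d61d8327deb882cf99")
	fmt.Println(authenticate(s, "alice", "password")) // true true <nil>
	fmt.Println(s["alice"].Algorithm)                 // pbkdf2-sha256
}
```

Users who never log in keep the MD5 record, so the reset-by-email route Stian mentions is still needed for them.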
From pavel.masloff at gmail.com Tue Dec 1 08:49:27 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Tue, 1 Dec 2015 14:49:27 +0100
Subject: [keycloak-user] (no subject)

Hi everyone,

How does a Java service (secured with Keycloak) check the validity of a token? Does it have all the necessary info in keycloak.json or does it make an extra call to the keycloak auth server?

Thank you.

Regards,
Pavel Maslov, MS

From sthorger at redhat.com Tue Dec 1 09:00:53 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Dec 2015 15:00:53 +0100
Subject: [keycloak-user] (no subject)

Our adapters check the validity of the token by checking the signature (using the realm public key) and also check the expiration times of the token.

On 1 December 2015 at 14:49, Pavel Maslov wrote:
> Hi everyone,
>
> How does a Java service (secured with Keycloak) check the validity of a token? Does it have all the necessary info in keycloak.json or does it make an extra call to the keycloak auth server?
>
> Thank you.
>
> Regards,
> Pavel Maslov, MS
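An added example, not from this thread or from the Keycloak adapters, of the offline check Stian describes: the token's RS256 signature is verified against the realm public key, then its issuer and expiry are checked, with no call back to the auth server. The realm key is generated locally, the issuer URL is a constructed value, and the claim set is a small subset of what a real access token carries.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is the subset of access-token claims this check looks at.
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// mintToken stands in for the auth server: it signs a compact JWS (RS256)
// with the realm private key. It exists only to build test input here.
func mintToken(priv *rsa.PrivateKey, c claims) (string, error) {
	body, _ := json.Marshal(c) // a struct of plain strings and ints cannot fail to marshal
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyToken is the adapter-side check: signature against the realm public
// key, then issuer and expiry. Nothing here talks to the auth server. The
// header is deliberately not consulted: key and algorithm come from the
// adapter configuration, so an "alg" value in the token cannot downgrade them.
func verifyToken(pub *rsa.PublicKey, token, issuer string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, errSig := b64.DecodeString(parts[2])
	payload, errPayload := b64.DecodeString(parts[1])
	if errSig != nil || errPayload != nil {
		return nil, errors.New("token is not base64url encoded")
	}
	// Check the signature before trusting any claim in the payload.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify with the realm key")
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q is not the configured realm", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// demo mints a valid, an expired and a tampered token with a freshly
// generated realm key and reports which ones verifyToken accepts.
func demo() (validOK, expiredOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	const issuer = "https://sso.example.test/auth/realms/demo" // constructed value
	now := time.Now()
	good := claims{Iss: issuer, Sub: "user-1", Exp: now.Add(5 * time.Minute).Unix()}
	valid, err := mintToken(priv, good)
	if err != nil {
		return false, false, false, err
	}
	expired, err := mintToken(priv, claims{Iss: issuer, Sub: "user-1", Exp: now.Add(-5 * time.Minute).Unix()})
	if err != nil {
		return false, false, false, err
	}
	// Tampered: payload edited to claim another subject, original signature kept.
	forged, _ := json.Marshal(claims{Iss: issuer, Sub: "admin", Exp: good.Exp})
	p := strings.Split(valid, ".")
	tampered := p[0] + "." + b64.EncodeToString(forged) + "." + p[2]
	_, e1 := verifyToken(&priv.PublicKey, valid, issuer, now)
	_, e2 := verifyToken(&priv.PublicKey, expired, issuer, now)
	_, e3 := verifyToken(&priv.PublicKey, tampered, issuer, now)
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() { fmt.Println(demo()) }
```

Because nothing is fetched at verification time, a token stays valid until its expiry even if the session was ended on the server; that is the trade-off behind keeping access-token lifetimes short.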
From orestis.tsakiridis at telestax.com Tue Dec 1 09:39:00 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 1 Dec 2015 16:39:00 +0200
Subject: [keycloak-user] Porting user passwords to keycloak

Thanks Stian.

Can you send me some documentation or source code pointers about "modifying the password authenticator"? Are we talking about a Java class, overriding the login form? sth else?

On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen wrote:
> So it looks like we will indeed have the password hash SPI in 1.8. It'll be released in early January.
>
> If you can't wait for that I think it would be better to not import users with a password at all and instead send reset password links to their email address. That would assume all users have emails registered. Or you could also modify the password authenticator and make it run md5 on the value of the input password for users that haven't updated their password yet.

From orestis.tsakiridis at telestax.com Tue Dec 1 09:39:56 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 1 Dec 2015 16:39:56 +0200
Subject: [keycloak-user] Broken link to javadocs!

Got it. Thanks.

On Tue, Dec 1, 2015 at 2:17 PM, Stian Thorgersen wrote:
> We had an issue with the javadocs download not being included in the last release. It will be fixed in the 1.7 release, so JavaDocs will be available in a few days.

From sthorger at redhat.com Tue Dec 1 09:51:02 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Dec 2015 15:51:02 +0100
Subject: [keycloak-user] Porting user passwords to keycloak

http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html

On 1 December 2015 at 15:39, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Thanks Stian.
>
> Can you send me some documentation or source code pointers about "modifying the password authenticator"? Are we talking about a Java class, overriding the login form? sth else?
From pblair at clearme.com Tue Dec 1 10:02:30 2015
From: pblair at clearme.com (Paul Blair)
Date: Tue, 1 Dec 2015 15:02:30 +0000
Subject: [keycloak-user] Problem with HA configuration

I've been using Docker with the HA configuration as described here:
http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html

I ran into the same problem as David Willson describes in the comments, namely a NullPointerException at
org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.init(OfflineUserSessionLoader.java:25).
Looking at the code, it seems as though a UserSessionPersister was coming back null.

I added to keycloak-server.json the following:

    "userSessionPersister": {
        "provider" : "jpa"
    },

and now everything starts ok. Is this the appropriate fix for a clustered configuration?

From mstrukel at redhat.com Tue Dec 1 11:52:39 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 1 Dec 2015 17:52:39 +0100
Subject: [keycloak-user] Problem with HA configuration

That's my blog!

Sorry to not respond to those comments on the blog, I had no idea people commented ... no email notification ...

I haven't tried the docker image for a while, but you may have figured it out.

That looks like an appropriate fix to me.
On Tue, Dec 1, 2015 at 4:02 PM, Paul Blair wrote:
> I've been using Docker with the HA configuration as described here:
> http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
> [...]

From mstrukel at redhat.com Tue Dec 1 11:54:05 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 1 Dec 2015 17:54:05 +0100
Subject: [keycloak-user] Problem with HA configuration

Feel free to add a comment with your solution to the blog. Thanks.

On Tue, Dec 1, 2015 at 5:52 PM, Marko Strukelj wrote:
> That's my blog!
> [...]
> That looks like an appropriate fix to me.
From jahenao at itroisolutions.com Tue Dec 1 13:20:39 2015
From: jahenao at itroisolutions.com (Jairo Alonso Henao Rojas)
Date: Tue, 1 Dec 2015 18:20:39 +0000
Subject: [keycloak-user] Could my application know when a user is removed?

Hello,

Could my application know when a user is removed? Can I put something to listen?

I need to clean multiple records when a user is removed in Keycloak

Thanks,

Jairo Henao Rojas
IT ROI Solutions
From adrianmatei at gmail.com Wed Dec 2 00:26:27 2015
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 2 Dec 2015 06:26:27 +0100
Subject: [keycloak-user] Spring Security Tags after login redirection to non-protected resource

hi guys,

any ideas how to make Spring security tags in jsp recognize that I am logged in after being redirected from keycloak to a non-protected resource?

Thanks,
Adrian

On Mon, Nov 30, 2015 at 10:07 AM, Adrian Matei wrote:
> Hi Bill,
>
> Thank you for the reply. Yes I am using the Spring security adapter (xml
> configuration). I have received a private reply from Pavel Maslov regarding
> the sign in url:
>
> {{keycloakBaseUrl}}/realms/{{realmName}}/protocol/openid-connect/auth?client_id={{client_id}}&response_type=code&redirect_uri={{your-web-app}}
>
> which works great.
>
> Another problem that I am having now is that when I am logging in from a
> "not"-protected resource (permitAll in securityContext), and want to be
> redirected back to the same resource, it logs me in indeed, but the spring
> security tags in my jsps don't recognize that, until I am accessing a
> secured resource defined in security context.... Any thoughts there?
>
> Thanks,
> Adrian
>
> Message: 2
> Date: Fri, 27 Nov 2015 13:02:32 -0500
> From: Bill Burke
> Subject: Re: [keycloak-user] Sign In button URL
> To: keycloak-user at lists.jboss.org
> Message-ID: <56589AB8.5030708 at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> How is your Spring web app handling OpenID Connect or SAML
> requests/responses? We do have a Spring security adapter.
>
> Initial OAuth2 request:
>
> /realms/{realm-name}/protocol/openid-connect/auth
>
> Code to Token request:
> /realms/{realm-name}/protocol/openid-connect/token
>
> On 11/27/2015 11:19 AM, Adrian Matei wrote:
> > hi guys,
> >
> > can still help a poor guy Friday in the afternoon?
> > What is the url I need to have the sign in button pointing to, in my
> > Spring web app, that will ask me to login via keycloak and redirect me
> > back exactly to the page I made the request from?
> >
> > Thanks,
> > Adrian

From mposolda at redhat.com Wed Dec 2 02:56:33 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 2 Dec 2015 08:56:33 +0100
Subject: [keycloak-user] How to validate required for custom fields
References: <564C4FD2.2020203@redhat.com>
Message-ID: <565EA431.5090302@redhat.com>

Thanks for pointing this out. I fixed the typo in the docs and it will be ok for the next release.

Marek

On 27/11/15 23:49, Jairo Alonso Henao Rojas wrote:
> Thanks,
>
> I was following the user guide but my problem was another, in the
> section 33.5.2 - 'Packaging the action', it says the JAR file must
> contain a file called 'org.keycloak.authentication.ForActionFactory'.
>
> The correct file name is
> 'org.keycloak.authentication.FormActionFactory', this is a mistake
> of the guide.
>
> Now this works for me.
>
> Jairo Henao Rojas
> IT ROI Solutions
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Wednesday, November 18, 2015 5:16 AM
> To: Jairo Alonso Henao Rojas; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to validate required for custom fields
>
> You can create a custom validator for the registration form via the
> Authentication Flows SPI:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e3448
>
> Adding those custom validations works just for the registration form, but
> not for the account management or update-profile pages. In the future, we
> plan to improve this so that you can attach custom validation in all 3
> places and you won't need to code your own validator for supporting
> such a common thing as marking some custom field to be mandatory.
>
> Marek
>
> On 13/11/15 00:04, Jairo Alonso Henao Rojas wrote:
> > Hello,
> >
> > I added several custom fields in the registration form; how can I
> > make them required?
> >
> > See attached fields in register form.
> >
> > Thanks
> >
> > Jairo Henao Rojas

From mposolda at redhat.com Wed Dec 2 03:07:32 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 2 Dec 2015 09:07:32 +0100
Subject: [keycloak-user] Could my application know when a user is removed?
Message-ID: <565EA6C4.1060500@redhat.com>

We have admin events to "listen" to various events like remove user. See the docs:
http://keycloak.github.io/docs/userguide/keycloak-server/html/events.html

Marek

On 01/12/15 19:20, Jairo Alonso Henao Rojas wrote:
> Hello,
>
> Could my application know when a user is removed? Can I put
> something to listen?
>
> I need to clean multiple records when a user is removed in Keycloak
> [...]
From sthorger at redhat.com Wed Dec 2 03:32:18 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 2 Dec 2015 09:32:18 +0100
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com> <565C5683.5030805@redhat.com>

Been digging into this some more and it turns out there's a pretty nasty bug [1] in the way our caches are implemented. It's a simple fix though and will be resolved for 1.7.

[1] https://issues.jboss.org/browse/KEYCLOAK-2179

On 1 December 2015 at 10:40, Stian Thorgersen wrote:
> We can make those classes serializable. Create a JIRA for it. It's too late
> for 1.7 release though so won't be fixed until 1.8.
>
> We also don't do any testing with ASYNC (as we know it will be
> problematic, especially since Keycloak doesn't require sticky sessions) or
> replicated caches, as we recommend using sync + invalidation caches.
> [...]
From adrianmatei at gmail.com Wed Dec 2 08:02:49 2015
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 2 Dec 2015 14:02:49 +0100
Subject: [keycloak-user] WILL_NOT_PERFORM update of password in Active Directory

hi,

has anybody got the following type of error when trying to add/passwords using AD as user federation:

    Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
    ]; remaining name 'CN=ama,OU=Keycloakmanaged,OU=Test,DC=extnett,DC=xxx,DC=yy'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1478)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:179)
        at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
        at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:386)
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$6.execute(LDAPOperationManager.java:383)
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:519)
        at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:383)
        ... 64 more

I get the same error when I try to "manually" add the unicodePwd via the ApacheDirectoryStudio for example...
The connection is over SSL and both parties trust each other...

Thanks,
Adrian

From ton at finalist.nl Wed Dec 2 09:10:37 2015
From: ton at finalist.nl (Ton Swieb)
Date: Wed, 2 Dec 2015 15:10:37 +0100
Subject: [keycloak-user] Publicly available SAML Service Provider SSO Descriptor (SPSSODescriptor)

Hi,

I am wondering if it is possible to access the SPSSODescriptor of an identity provider on a publicly available URL.
Not to be confused with the IdPSSODescriptor (/auth/realms/{realm}/protocol/saml/descriptor) which is publicly available.
I found the API call /auth/admin/realms/{realm}/identity-provider/instances/{identity-provider}/export, but this API call requires authentication.
The IdP on the other end of the line needs to be able to retrieve this descriptor without authentication.
I found a thread on the mailing list from earlier this year where the existence of this feature is discussed, but the current status is unclear to me.
Regards,

Ton

From: Pedro Igor Silva
To: Raghu Prabhala
Cc: Keycloak-user
Sent: Thursday, February 19, 2015 6:33 AM
Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Keycloak-user"
> Sent: Thursday, February 19, 2015 12:20:00 AM
> Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> Hi,
>
> I tested out the SAML broker functionality that is listed in the below
> example
> https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
>
> We have a very important use case that is similar to the above except that
> the SAML Identity broker is ADFS and a few issues are preventing me from
> testing it out:
>
> 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> metadata) which is not available currently. Perhaps I can generate my own
> metadata using the above example but would prefer KC to provide one that is
> similar to IDP metadata that is listed in the documentation.

In this case you need a SPSSODescriptor, right? I think we can easily implement an endpoint to retrieve SP metadata for SAML applications.

[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking forward to see it near term.

> 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> being parsed by the KC SAML broker. I logged my issues in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-883

I've already fixed our parsers. However, the RoleDescriptor you have in that metadata are describing WS-Federation entities that will just be ignored.

[RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are described under RoleDescriptor - so I will have to build something to handle that. Any advice on where I should start?
> 3) The roles and other claims need to be passed back to the client applications
> using OIDC (I am aware that Bill is making some functionality available over
> the next few days and hopefully it will address my requirement)
>
> Any suggestions on how I handle the first two?
>
> Thanks,
> Raghu

From mposolda at redhat.com Wed Dec 2 09:30:52 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 2 Dec 2015 15:30:52 +0100
Subject: [keycloak-user] WILL_NOT_PERFORM update of password in Active Directory
Message-ID: <565F009C.8000109@redhat.com>

I think it's the password policy issue on AD side.
See http://ldapwiki.willeke.com/wiki/WILL_NOT_PERFORM and especially the part related to your error code 0000052D

Marek

On 02/12/15 14:02, Adrian Matei wrote:
> hi,
>
> has anybody got the following type of error when trying to
> add/passwords using AD as user federation:
>
> Caused by: javax.naming.OperationNotSupportedException: [LDAP:
> error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003
> (WILL_NOT_PERFORM), data 0
> ]; remaining name
> 'CN=ama,OU=Keycloakmanaged,OU=Test,DC=extnett,DC=xxx,DC=yy'
> [...]
>
> I get the same error when I try to "manually" add the unicodePwd via
> the ApacheDirectoryStudio for example...
> The connection is over SSL and both parties trust each other...
>
> Thanks,
> Adrian

From bburke at redhat.com Wed Dec 2 09:50:15 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 2 Dec 2015 09:50:15 -0500
Subject: [keycloak-user] Publicly available SAML Service Provider SSO Descriptor (SPSSODescriptor)
Message-ID: <565F0527.6090807@redhat.com>

Not available at this time: https://issues.jboss.org/browse/KEYCLOAK-2189

On 12/2/2015 9:10 AM, Ton Swieb wrote:
> Hi,
>
> I am wondering if it is possible to access the SPSSODescriptor of an identity provider on a public available URL.
> [...]
>
> Regards,
>
> Ton

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From adrianmatei at gmail.com Wed Dec 2 11:28:52 2015
From: adrianmatei at gmail.com (Adrian Matei)
Date: Wed, 2 Dec 2015 17:28:52 +0100
Subject: [keycloak-user] WILL_NOT_PERFORM update of password in Active Directory
In-Reply-To: <565F009C.8000109@redhat.com>

Hi Marek,

Indeed it was.

Thanks a lot,
Adrian

On Wed, Dec 2, 2015 at 3:30 PM, Marek Posolda wrote:
> I think it's the password policy issue on AD side.
> [...]

From jahenao at itroisolutions.com Wed Dec 2 18:01:47 2015
From: jahenao at itroisolutions.com (Jairo Alonso Henao Rojas)
Date: Wed, 2 Dec 2015 23:01:47 +0000
Subject: [keycloak-user] Could my application know when a user is removed?
In-Reply-To: <565EA6C4.1060500@redhat.com>

Thanks for your response.

Just enabled administrative events and now it works for me, but could I have a class that Keycloak invokes when the event occurs? Am I asking too much?

If this is not possible, I will use the REST API to get DELETE events from a range of dates.

Best regards

Jairo Henao Rojas
IT ROI Solutions

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, December 2, 2015 3:08 AM
To: Jairo Alonso Henao Rojas; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Could my application know when a user is removed?

We have admin events to "listen" to various events like remove user. See the docs:
http://keycloak.github.io/docs/userguide/keycloak-server/html/events.html

Marek

On 01/12/15 19:20, Jairo Alonso Henao Rojas wrote:
Hello,

Could my application know when a user is removed? Can I put something to listen?

I need to clean multiple records when a user is removed in Keycloak

Thanks,

Jairo Henao Rojas
IT ROI Solutions
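Going back to the WILL_NOT_PERFORM thread above (Adrian's Active Directory password update, resolved as an AD password-policy issue), here is an added example, not Keycloak's or the poster's code, with the two checks an administrator wants when a unicodePwd write fails. The first builds the value AD actually expects for unicodePwd (the password in double quotes, encoded as UTF-16LE, which AD only accepts over an encrypted connection); the second pulls the Win32 reason code that AD puts after "error code 53 - " in the diagnostic message and maps it to a readable cause. The sample message is constructed from the stack trace quoted in the thread; the code table is a hand-picked subset of the documented Win32 codes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Helpers for diagnosing AD unicodePwd writes. Added example; not Keycloak's LDAP federation code. */
public final class AdPasswordDiagnostics {

    private AdPasswordDiagnostics() { }

    /**
     * AD accepts a new password on the unicodePwd attribute only as the UTF-16LE bytes of
     * the password wrapped in double quotes, and only over LDAPS/TLS. Writing the plain
     * UTF-8 string is the classic way to get WILL_NOT_PERFORM even with a good policy.
     */
    public static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Win32 reason codes AD embeds in the LDAP diagnostic message (constructed subset). */
    private static final Map<String, String> REASONS = Map.of(
        "0000052D", "ERROR_PASSWORD_RESTRICTION: new password violates the domain policy "
                  + "(length, complexity, history or minimum password age)",
        "0000052E", "ERROR_LOGON_FAILURE: wrong user name or old password",
        "00000532", "ERROR_PASSWORD_EXPIRED",
        "00000533", "ERROR_ACCOUNT_DISABLED",
        "00000773", "ERROR_PASSWORD_MUST_CHANGE",
        "00000775", "ERROR_ACCOUNT_LOCKED_OUT",
        "0000001F", "ERROR_GEN_FAILURE: commonly reported when the unicodePwd write is "
                  + "attempted over an unencrypted LDAP connection");

    /** Matches e.g. "error code 53 - 0000052D:" and captures the LDAP result and the Win32 code. */
    private static final Pattern REASON_CODE =
            Pattern.compile("error code (\\d+) - ([0-9A-Fa-f]{8}):");

    /** Turn the JNDI/LDAP diagnostic string into a one-line explanation. */
    public static String explain(String ldapMessage) {
        Matcher m = REASON_CODE.matcher(ldapMessage);
        if (!m.find()) {
            return "no AD reason code found in: " + ldapMessage;
        }
        String ldapResult = m.group(1);
        String win32 = m.group(2).toUpperCase();
        String reason = REASONS.getOrDefault(win32, "unmapped Win32 code 0x" + win32);
        return "LDAP result " + ldapResult + ", AD reason " + win32 + ": " + reason;
    }

    public static void main(String[] args) {
        // Constructed sample: the message text from the stack trace quoted in the thread.
        String sample = "[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A12D2, problem 5003 "
                      + "(WILL_NOT_PERFORM), data 0 ]";
        System.out.println(explain(sample));

        // "\"x\"" in UTF-16LE is the 6 bytes 22 00 78 00 22 00; print them to confirm the encoding.
        byte[] pwd = encodeUnicodePwd("x");
        StringBuilder hex = new StringBuilder();
        for (byte b : pwd) {
            hex.append(String.format("%02x ", b));
        }
        System.out.println(hex.toString().trim());
    }
}
```

When the reason decodes to 0000052D, as in the thread, nothing on the Keycloak side is at fault: the candidate password has to satisfy the domain's policy (including minimum password age, which rejects a second change shortly after the first), so the fix is on the AD side or in the password chosen.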
From kalc04 at gmail.com Thu Dec 3 00:18:00 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 3 Dec 2015 10:48:00 +0530
Subject: [keycloak-user] Infinispan caching issues because of unserializable classes
References: <565C52E8.2010308@redhat.com> <565C5364.8090505@redhat.com> <565C5683.5030805@redhat.com>

Many thanks for looking into this and getting the issue sorted out in quick time Stian. We're looking forward to trying out the new version.

I created a JIRA for the class serialization problem here (in case someone wants to try out ASYNC mode):
https://issues.jboss.org/browse/KEYCLOAK-2192

Regards,
Lohitha

On Wed, Dec 2, 2015 at 2:02 PM, Stian Thorgersen wrote:
> Been digging into this some more and it turns out there's a pretty nasty bug
> [1] in the way our caches are implemented. It's a simple fix though and
> will be resolved for 1.7.
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-2179
> [...]
>>>>>>> >> >>>>>>> >> >>>>>>> >> _______________________________________________ >>>>>>> >> keycloak-user mailing list >>>>>>> >> keycloak-user at lists.jboss.org >>>>>> keycloak-user at lists.jboss.org> >>>>>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >> >>>>>>> > >>>>>>> >>>>>>> -- >>>>>>> Bill Burke >>>>>>> JBoss, a division of Red Hat >>>>>>> http://bill.burkecentral.com >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>> keycloak-user at lists.jboss.org> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> >>>>>>> >>>>>> -- >>>>>> Bill Burke >>>>>> JBoss, a division of Red Hat >>>>>> http://bill.burkecentral.com >>>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151203/d7442c9b/attachment.html From sthorger at redhat.com Thu Dec 3 02:28:48 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 3 Dec 2015 08:28:48 +0100 Subject: [keycloak-user] Could my application know when a user is removed? In-Reply-To: References: <565EA6C4.1060500@redhat.com> Message-ID: You can create your own Event Listener that will be invoked on events. http://keycloak.github.io/docs/userguide/keycloak-server/html/events.html http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html Also take a look at providers/event-listener-.. 
in examples download On 3 December 2015 at 00:01, Jairo Alonso Henao Rojas < jahenao at itroisolutions.com> wrote: > Thanks for your response. > > > > Just enable administrative events and now works for me, but, Could I have > a class that Keycloak invokes when the event occurs?, Am I asking too much? > > > > If this is not possible, I will use the REST API to get DELETE events from > a range of dates. > > > > > > Best regards > > > > > > *Jairo Henao Rojas* > > IT ROI Solutions > > > > > > *From:* Marek Posolda [mailto:mposolda at redhat.com] > *Sent:* Wednesday, December 2, 2015 3:08 AM > *To:* Jairo Alonso Henao Rojas ; > keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Could my application know when a user is > removed? > > > > We have admin events for "listen" to various events like remove user. See > the docs: > http://keycloak.github.io/docs/userguide/keycloak-server/html/events.html > > Marek > > On 01/12/15 19:20, Jairo Alonso Henao Rojas wrote: > > Hello, > > > > Could my application know when a user is removed ?, Can I put something to > listen? > > > > I need to clean multiple records when a user is removed in Keycloak > > > > Thanks, > > > > > > > > *Jairo Henao Rojas* > > IT ROI Solutions > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
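As an added illustration of the event-listener approach Stian and Marek point to (this is not code from the thread, from the Keycloak examples download, or from the Keycloak project), the following provider watches admin events and recognises a user deletion by its resource path. It assumes the Keycloak 1.x EventListenerProvider / EventListenerProviderFactory SPI, that admin events are enabled for the realm (as Jairo found was necessary), and that a user deletion is reported as an admin event with operation DELETE and a resource path of the form users/<id>; the package name, the listener id and the cleanupApplicationRecords hook are placeholders of this example.

```java
package org.example.keycloak.events;   // placeholder package for this added example

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.events.admin.OperationType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

/**
 * Factory registered through
 * META-INF/services/org.keycloak.events.EventListenerProviderFactory and then
 * enabled per realm under Events -> Config -> Event Listeners using getId().
 */
public class UserRemovedListenerProviderFactory implements EventListenerProviderFactory {

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new UserRemovedListenerProvider();
    }

    @Override
    public void init(Config.Scope config) {}

    @Override
    public void postInit(KeycloakSessionFactory factory) {}

    @Override
    public void close() {}

    @Override
    public String getId() {
        return "user-removed-cleanup";   // placeholder listener id
    }
}

/**
 * Listener that notices user deletions. Only admin events carry the DELETE,
 * so a realm with admin events disabled never reaches onEvent(AdminEvent, boolean).
 */
class UserRemovedListenerProvider implements EventListenerProvider {

    private static final Logger LOG = Logger.getLogger(UserRemovedListenerProvider.class);

    @Override
    public void onEvent(Event event) {
        // Login, logout, registration and similar user events arrive here;
        // none of them represents a user deletion, so there is nothing to do.
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        if (event.getOperationType() != OperationType.DELETE) {
            return;
        }
        String userId = removedUserId(event.getResourcePath());
        if (userId == null) {
            return;   // a DELETE on something else, e.g. a role mapping of a user
        }
        LOG.infof("user %s removed from realm %s", userId, event.getRealmId());
        cleanupApplicationRecords(event.getRealmId(), userId);
    }

    /**
     * Extracts the user id from an admin resource path. Assumption of this
     * example: a user deletion is reported as exactly "users/<id>", whereas
     * "users/<id>/role-mappings/..." and similar paths are sub-resource changes.
     */
    static String removedUserId(String resourcePath) {
        if (resourcePath == null) {
            return null;
        }
        String[] parts = resourcePath.split("/");
        if (parts.length == 2 && "users".equals(parts[0]) && !parts[1].isEmpty()) {
            return parts[1];
        }
        return null;
    }

    private void cleanupApplicationRecords(String realmId, String userId) {
        // Placeholder for the application-side cleanup, for example an HTTPS call
        // to the service that owns the records. Keep it idempotent so that a
        // retried delete request cannot leave the application in a bad state.
    }

    @Override
    public void close() {}
}
```

The id returned by getId() is the name you pick in the admin console. The cleanup runs inside Keycloak's request thread, so hand long-running work to a queue rather than blocking the admin operation.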
From orestis.tsakiridis at telestax.com Thu Dec 3 04:08:16 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Thu, 3 Dec 2015 11:08:16 +0200
Subject: [keycloak-user] Porting user passwords to keycloak
In-Reply-To:
References:
Message-ID:

Ok Stian. I will try to implement auth_spi.

Btw, if you need any early adopters for your new Password Hashing SPI feature, we will gladly use it in our new "Restcomm as a Service" implementation and send feedback.

Thanks
Orestis
Telestax

On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen wrote:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>
> On 1 December 2015 at 15:39, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>> Thanks Stian.
>>
>> Can you send me some documentation or source code pointers about
>> "modifying the password authenticator"? Are we talking about a Java class,
>> overriding the login form? sth else?
>>
>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen wrote:
>>> So it looks like we will indeed have a password hash SPI in 1.8. It'll be
>>> released in early January.
>>>
>>> If you can't wait for that I think it would be better to not import
>>> users with a password at all and instead send reset password links to their
>>> email address. That would assume all users have emails registered. Or you
>>> could also modify the password authenticator and make it run md5 on the value
>>> of the input password for users that haven't updated their password yet.
>>>
>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>> Ok, so i guess i'll have to go with a workaround, password reset, etc
>>>> as i've described.
>>>>
>>>> Thanks Stian
>>>>
>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen wrote:
>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>> plugging in additional hashing mechanisms. It's not quite ready yet though.
>>>>>
>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm trying to create some migration scripts that will port users from
>>>>>> Application1 into keycloak. Users in Application1 already have usernames,
>>>>>> passwords etc. I use the admin rest api to create the users.
>>>>>>
>>>>>> The problem i'm facing is that user passwords in the Application1
>>>>>> database are already hashed using md5. So, i don't really know the actual
>>>>>> passwords (security wise that makes sense).
>>>>>>
>>>>>> The only solution i've come down to is to store the passwords as they are
>>>>>> in keycloak (md5ed) and tell the users to use the hashed value instead of
>>>>>> the plaintext one when signing in. Then, force them to reset passwords. Not
>>>>>> the best UX :-(
>>>>>>
>>>>>> Is there a way to tell keycloak that "these passwords are already
>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>> in, first hash his password with md5 and then compare to the value stored in
>>>>>> the db" or sth like that?
>>>>>>
>>>>>> Do any alternatives come to mind?
>>>>>>
>>>>>> Regards
>>>>>> Orestis
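To make concrete the "run md5 on the input password for users that haven't updated their password yet" option Stian mentions above, here is an added, self-contained Java sketch of a verify-then-rehash step. It is not Keycloak code and does not use the Password Hashing SPI (which did not exist yet when this thread was written); the in-memory credential store, the "md5-legacy" marker and the PBKDF2 parameters are this example's own choices, and the sample user in main() is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Accepts a legacy unsalted MD5 hash exactly once: on the first successful
 * login the password is re-hashed with salted PBKDF2 and the MD5 value is
 * discarded. Example code only; the store is an in-memory map.
 */
public class LegacyPasswordMigration {

    /** What the credential store keeps per user. */
    static final class Credential {
        final String algorithm;   // "md5-legacy" or "pbkdf2-sha256"
        final byte[] salt;        // empty for the legacy hash
        final int iterations;     // 0 for the legacy hash
        final byte[] value;       // raw digest or derived key

        Credential(String algorithm, byte[] salt, int iterations, byte[] value) {
            this.algorithm = algorithm; this.salt = salt; this.iterations = iterations; this.value = value;
        }
    }

    private static final int PBKDF2_ITERATIONS = 27_500;   // example choice, not Keycloak's default
    private static final int PBKDF2_KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    private final Map<String, Credential> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Imports a user whose only known credential is the legacy MD5 hex digest. */
    public void importLegacyUser(String username, String md5Hex) {
        store.put(username, new Credential("md5-legacy", new byte[0], 0, hexToBytes(md5Hex)));
    }

    /** True while the user still carries the legacy hash; lets you force a reset for stale accounts. */
    public boolean needsMigration(String username) {
        Credential c = store.get(username);
        return c != null && "md5-legacy".equals(c.algorithm);
    }

    /** Verifies the password and, if it matched the legacy hash, upgrades the stored credential. */
    public boolean authenticate(String username, String password) {
        Credential c = store.get(username);
        if (c == null) {
            return false;
        }
        byte[] candidate = "md5-legacy".equals(c.algorithm)
                ? md5(password)
                : pbkdf2(password, c.salt, c.iterations);
        // MessageDigest.isEqual compares equal-length inputs in constant time.
        boolean ok = MessageDigest.isEqual(candidate, c.value);
        if (ok && "md5-legacy".equals(c.algorithm)) {
            byte[] salt = new byte[SALT_BYTES];
            random.nextBytes(salt);
            store.put(username, new Credential("pbkdf2-sha256", salt, PBKDF2_ITERATIONS,
                    pbkdf2(password, salt, PBKDF2_ITERATIONS)));
        }
        return ok;
    }

    static byte[] md5(String password) {
        try {
            return MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] pbkdf2(String password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, PBKDF2_KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) {
        LegacyPasswordMigration m = new LegacyPasswordMigration();
        // Constructed sample user: the legacy application would have stored MD5("correct horse").
        m.importLegacyUser("alice", toHex(md5("correct horse")));
        System.out.println("wrong password accepted: " + m.authenticate("alice", "wrong"));
        System.out.println("right password accepted: " + m.authenticate("alice", "correct horse"));
        System.out.println("still on legacy hash: " + m.needsMigration("alice"));
    }
}
```

The point of the design is that the weak hash disappears per user at the moment the plaintext is legitimately available, and needsMigration() tells you which accounts never came back, which is where Stian's reset-link suggestion applies.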
From sthorger at redhat.com Thu Dec 3 05:18:15 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Dec 2015 11:18:15 +0100
Subject: [keycloak-user] Porting user passwords to keycloak
In-Reply-To:
References:
Message-ID:

That'd be great. If you watch this https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in master. Hopefully it should be added within a few days.

On 3 December 2015 at 10:08, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Ok Stian.
>
> I will try to implement auth_spi.
>
> Btw, if you need any early adopters for your new Password Hashing SPI
> feature, we will gladly use it in our new "Restcomm as a Service"
> implementation and send feedback.
>
> Thanks
> Orestis
> Telestax

From orestis.tsakiridis at telestax.com Thu Dec 3 06:22:18 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Thu, 3 Dec 2015 13:22:18 +0200
Subject: [keycloak-user] Porting user passwords to keycloak
In-Reply-To:
References:
Message-ID:

Great! I will keep an eye on it.

BR
Orestis

On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen wrote:
> That'd be great. If you watch this
> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in
> master.
>
> Hopefully it should be added within a few days.

From sajjadmurtaza.nxb at gmail.com Thu Dec 3 10:10:11 2015
From: sajjadmurtaza.nxb at gmail.com (Sajjad Murtaza)
Date: Thu, 3 Dec 2015 20:10:11 +0500
Subject: [keycloak-user] Need help for authentication with keyclock in angular app
Message-ID:

Hello

I need help with authentication with Keycloak in an Angular app. Kindly guide me.

Thanks.

From bburke at redhat.com Thu Dec 3 10:11:43 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 3 Dec 2015 10:11:43 -0500
Subject: [keycloak-user] Need help for authentication with keyclock in angular app
In-Reply-To:
References:
Message-ID: <56605BAF.2040401@redhat.com>

There are example angular apps in the demo distribution.

On 12/3/2015 10:10 AM, Sajjad Murtaza wrote:
> Hello
>
> I need help with authentication with Keycloak in an Angular app.
> Kindly guide me.
>
> Thanks.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sthorger at redhat.com Thu Dec 3 10:56:01 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Dec 2015 16:56:01 +0100
Subject: [keycloak-user] Keycloak 1.7.0.CR1 Released
Message-ID:

I'm pleased to announce the release of Keycloak 1.7.0.CR1. Recently we've gone straight to Final, but we'd like to give everyone a chance to try a release out first. Unless there are major issues reported we will release Final next week.

As usual we've been far from idle and have a number of highlights in this release, including:

- *Groups* - users can belong to one or more groups and inherit role mappings and attributes from the group.
- *First Broker Login Flow* - we've introduced a number of improvements to first login with identity brokers as well as the ability to customize the flow used.
- *Client Registration* - clients can now dynamically register themselves with a Keycloak server. This supports Keycloak client representations, OpenID Connect Dynamic Client Registration and SAML Entity Descriptors. Client registration endpoints are simple REST endpoints; there's also a Java library, and a CLI is coming soon.
- *OpenID Connect Implicit and Hybrid flows* - we've added support for the Implicit and Hybrid flows. It's also possible to select which flows are available for a specific client.
- *Add User script* - as a first step towards not having a default admin user we've added a script that allows creating an initial admin account.
- *Cache fixes* - there are a number of fixes related to caching, which should improve performance, especially in clusters.
- *Email Sender SPI* - previously we had one SPI that created email content from FreeMarker and also sent emails. We've now split this into two separate SPIs.
- *SAML SP WildFly subsystem* - there's now a WildFly subsystem for the SAML SP adapter, which makes it easier to use the SAML SP adapter on WildFly.
- *WildFly 10 adapter support* - the WildFly adapter, including the adapter subsystem, now supports WildFly 10.

For the full list of issues resolved check out JIRA, and to download the release go to the Keycloak homepage.

From jeff.macomber at modernizingmedicine.com Thu Dec 3 14:09:43 2015
From: jeff.macomber at modernizingmedicine.com (Jeff Macomber)
Date: Thu, 3 Dec 2015 14:09:43 -0500
Subject: [keycloak-user] Making Login URL configurable Spring Security Filter
Message-ID:

Hi,

Would it be possible to request a change to org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter so that it allows providing a different DEFAULT_LOGIN_URL? Right now you can change it in your Spring bean config for org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint but not for the Processing filter, so you must extend the class to configure it. This is just a nice to have and not a blocker.

Jeff

From bburke at redhat.com Thu Dec 3 14:13:22 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 3 Dec 2015 14:13:22 -0500
Subject: [keycloak-user] Making Login URL configurable Spring Security Filter
In-Reply-To:
References:
Message-ID: <56609452.7020905@redhat.com>

log a jira, ping Scott Rossillo

On 12/3/2015 2:09 PM, Jeff Macomber wrote:
> Hi,
>
> Would it be possible to request a change to
> org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
> so that it allows providing a different DEFAULT_LOGIN_URL? Right now
> you can change it in your Spring bean config for
> org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint
> but not for the Processing filter, so you must extend the class to
> configure it. This is just a nice to have and not a blocker.
>
> Jeff

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jeff.macomber at modernizingmedicine.com Thu Dec 3 14:21:53 2015
From: jeff.macomber at modernizingmedicine.com (Jeff Macomber)
Date: Thu, 3 Dec 2015 14:21:53 -0500
Subject: [keycloak-user] Making Login URL configurable Spring Security Filter
In-Reply-To: <56609452.7020905@redhat.com>
References: <56609452.7020905@redhat.com>
Message-ID:

Done and done. https://issues.jboss.org/browse/KEYCLOAK-2194

Thanks,
jeff

On Thu, Dec 3, 2015 at 2:13 PM, Bill Burke wrote:
> log a jira, ping Scott Rossillo

From sajjadmurtaza.nxb at gmail.com Thu Dec 3 23:51:13 2015
From: sajjadmurtaza.nxb at gmail.com (Sajjad Murtaza)
Date: Fri, 4 Dec 2015 09:51:13 +0500
Subject: [keycloak-user] XMLHttpRequest cannot load https://keycloak-dcdevelopment.rhcloud.com/
Message-ID:

I am facing the following error:

XMLHttpRequest cannot load https://keycloak-dcdevelopment.rhcloud.com/auth/realms/demo/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.

I'm trying to authenticate with keycloak.

From sthorger at redhat.com Fri Dec 4 07:38:35 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Dec 2015 13:38:35 +0100
Subject: [keycloak-user] XMLHttpRequest cannot load https://keycloak-dcdevelopment.rhcloud.com/
In-Reply-To:
References:
Message-ID:

Did you add origins to your client?

On 4 December 2015 at 05:51, Sajjad Murtaza wrote:
> I am facing the following error:
>
> XMLHttpRequest cannot load
> https://keycloak-dcdevelopment.rhcloud.com/auth/realms/demo/protocol/openid-connect/token.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource.
Origin 'http://localhost:8080' is therefore not allowed access. > > > I'm trying to authenticate with keycloak. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151204/c2784cdf/attachment-0001.html From sthorger at redhat.com Fri Dec 4 07:46:10 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 4 Dec 2015 13:46:10 +0100 Subject: [keycloak-user] XMLHttpRequest cannot load https://keycloak-dcdevelopment.rhcloud.com/ In-Reply-To: References: Message-ID: It helps if you add more details when you ask questions. I assume you are trying to get keycloak.js to work as you're dealing with CORS. To get that to work you need to create a client in Keycloak then set the following values: * Access type: public * Valid Redirect URIs - the URL of your application (if it's http://localhost:8080/myapp/index.html you can set it to http://localhost:8080/myapp/*) * Web Origins - once you've clicked save this field pops up, make sure it has the origin of your application (this is what enables cors requests, if you don't know what that is google it). The origin is url schema, hostname and port bit, without context path (so http://localhost:8080 for example) On 4 December 2015 at 13:38, Stian Thorgersen wrote: > Did you add origins to your client? > > On 4 December 2015 at 05:51, Sajjad Murtaza > wrote: > >> Am facing following error >> >> XMLHttpRequest cannot load >> https://keycloak-dcdevelopment.rhcloud.com/auth/realms/demo/protocol/openid-connect/token. >> No 'Access-Control-Allow-Origin' header is present on the requested >> resource. Origin 'http://localhost:8080' is therefore not allowed access. >> >> >> I'm trying to authenticate with keycloak. 
>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151204/1ca7426c/attachment.html From cjwallac at gmail.com Fri Dec 4 09:15:36 2015 From: cjwallac at gmail.com (Christopher Wallace) Date: Fri, 04 Dec 2015 14:15:36 +0000 Subject: [keycloak-user] TOMCAT exclude protection for endpoint Message-ID: We are using Apache TOMCAT v. 8.0.18. We have a Javascript application that we would like to configure web.xml using KEYCLOAK to protect all root URI's '/' except '/tracking'. Is there a way to exclude '/tracking' from being protected either in the KEYCLOAK admin console or in the WEB.XML itself. Some additional information is for the tracking URL we will use both HTTP and WEBSOCKETS protocols. Our current approach was to specifically protect all URI except for '/tracking' but that doesn't seem to be working as a solution. We have attached our example WEB.XML attempting to specifically protect URLs: ROOT APP /app/* API /api/* HTML *.html user KEYCLOAK worktrac user We appreciate your feedback and thoughts on a solution. - Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151204/a4184529/attachment.html From bburke at redhat.com Fri Dec 4 11:08:41 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 4 Dec 2015 11:08:41 -0500 Subject: [keycloak-user] TOMCAT exclude protection for endpoint In-Reply-To: References: Message-ID: <5661BA89.6010506@redhat.com> Keycloak authentication is only triggered if there is a security constraint for that particular URL. We completely rely on web.xml/the server container for this and there is currently no additional metadata. Keycloak 1.6 has a filter implementation. 
You could possible override that to bypass authentication depending on the URL if standard web.xml security constraints are working as expected. On 12/4/2015 9:15 AM, Christopher Wallace wrote: > We are using Apache TOMCAT v. 8.0.18. We have a Javascript application > that we would like to configure web.xml using KEYCLOAK to protect all > root URI's '/' except '/tracking'. Is there a way to exclude '/tracking' > from being protected either in the KEYCLOAK admin console or in the > WEB.XML itself. Some additional information is for the tracking URL we > will use both HTTP and WEBSOCKETS protocols. Our current approach was to > specifically protect all URI except for '/tracking' but that doesn't > seem to be working as a solution. > > We have attached our example WEB.XML attempting to specifically protect > URLs: > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:schemaLocation="http://java.sun.com/xml/ns/javaee > http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" > version="3.0"> > ROOT > > > APP > /app/* > > > > API > /api/* > > > > HTML > *.html > > > user > > > > KEYCLOAK > worktrac > > > user > > > > We appreciate your feedback and thoughts on a solution. > - Chris > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From M.Notarnicola at klopotek.it Fri Dec 4 12:15:27 2015 From: M.Notarnicola at klopotek.it (Notarnicola, Mara) Date: Fri, 4 Dec 2015 17:15:27 +0000 Subject: [keycloak-user] info about brute force detection Message-ID: <9c1aae39c8f84dbabb43030f94d8675a@Taylor.core.klopotek.local> Dear all, I have enabled brute force detection on my keycloak application server. I used keycloak 1.5.0 Final version. 
After several trials I saw that the number of failures of the users are saved in session, so if the server will be restarted the counter starts from 0 again. Why you don't save it into db? Mara -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151204/ce5c26ae/attachment.html From ssilvert at redhat.com Fri Dec 4 14:26:59 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Fri, 04 Dec 2015 14:26:59 -0500 Subject: [keycloak-user] info about brute force detection In-Reply-To: <9c1aae39c8f84dbabb43030f94d8675a@Taylor.core.klopotek.local> References: <9c1aae39c8f84dbabb43030f94d8675a@Taylor.core.klopotek.local> Message-ID: <5661E903.1050903@redhat.com> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote: > > Dear all, > > I have enabled brute force detection on my keycloak application server. > > I used keycloak 1.5.0 Final version. > > After several trials I saw that the number of failures of the users > are saved in session, so if the server will be restarted the counter > starts from 0 again. > > Why you don't save it into db? > I didn't design this, but I think it's because brute force detection is designed to thwart guessing of credentials over a relatively short time period. In production you don't restart the server very often. > Mara > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151204/8d819e97/attachment-0001.html From bruno at abstractj.org Fri Dec 4 15:01:55 2015 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 4 Dec 2015 18:01:55 -0200 Subject: [keycloak-user] info about brute force detection In-Reply-To: <5661E903.1050903@redhat.com> References: <9c1aae39c8f84dbabb43030f94d8675a@Taylor.core.klopotek.local> <5661E903.1050903@redhat.com> Message-ID: In addition, is pretty much possible to configure fail2ban to read the log files and store it into the database for example (http://www.fail2ban.org/wiki/index.php/Commands#DATABASE). I can be wrong, but I don't think Keycloak should have something like this. On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert wrote: > On 12/4/2015 12:15 PM, Notarnicola, Mara wrote: > > Dear all, > > I have enabled brute force detection on my keycloak application server. > > I used keycloak 1.5.0 Final version. > > After several trials I saw that the number of failures of the users are > saved in session, so if the server will be restarted the counter starts from > 0 again. > > Why you don?t save it into db? > > I didn't design this, but I think it's because brute force detection is > designed to thwart guessing of credentials over a relatively short time > period. In production you don't restart the server very often. 
> > Mara
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
- abstractj

From pavel.masloff at gmail.com Sun Dec 6 17:39:37 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Sun, 6 Dec 2015 23:39:37 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
Message-ID:

Hi everyone,

Do Keycloak adapters support user authorization? I mean, of course they do :) For example, the API I have secured with Keycloak receives a Keycloak access token from the client. How can I validate the token (check user roles) in my code? I am interested in the Java (wildfly) and Javascript adapters.

Manually I am using jwt.io to check the token. I am just curious if the Keycloak adapters support smth similar out of the box.

Thank you for your answers.

Regards,
Pavel Maslov, MS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151206/443b5272/attachment.html

From bburke at redhat.com Sun Dec 6 21:51:20 2015
From: bburke at redhat.com (Bill Burke)
Date: Sun, 6 Dec 2015 21:51:20 -0500
Subject: [keycloak-user] info about brute force detection
In-Reply-To:
References: <9c1aae39c8f84dbabb43030f94d8675a@Taylor.core.klopotek.local> <5661E903.1050903@redhat.com>
Message-ID: <5664F428.7060201@redhat.com>

It will be useful in the future to warn people of rogue nations logging in, i.e. Somebody from China logged into your account, was it you? It used to be an experimental feature, then people started asking for it because they wanted to disable accounts that failed to produce the right password 3 times or so. Weak, I know, but people wanted it.
On 12/4/2015 3:01 PM, Bruno Oliveira wrote:
> In addition, it is pretty much possible to configure fail2ban to read the
> log files and store them in the database, for example
> (http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>
> I can be wrong, but I don't think Keycloak should have something like this.
>
> On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert wrote:
>> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
>>> Dear all,
>>>
>>> I have enabled brute force detection on my keycloak application server.
>>>
>>> I used keycloak 1.5.0 Final version.
>>>
>>> After several trials I saw that the number of failures of the users is
>>> saved in session, so if the server is restarted the counter starts from
>>> 0 again.
>>>
>>> Why don't you save it in the db?
>>
>> I didn't design this, but I think it's because brute force detection is
>> designed to thwart guessing of credentials over a relatively short time
>> period. In production you don't restart the server very often.
>>
>>> Mara
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Sun Dec 6 21:53:49 2015
From: bburke at redhat.com (Bill Burke)
Date: Sun, 6 Dec 2015 21:53:49 -0500
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To:
References:
Message-ID: <5664F4BD.4000309@redhat.com>

For Java HttpServletRequest.isUserInRole() works. If you typecast the principal to KeycloakPrincipal you can obtain the AccessToken.

On 12/6/2015 5:39 PM, Pavel Maslov wrote:
> Hi everyone,
>
> Do Keycloak adapters support user authorization?
> I mean, of course they
> do :) For example, the API I have secured with Keycloak receives a
> Keycloak access token from the client. How can I validate the token
> (check user roles) in my code? I am interested in the Java (wildfly) and
> Javascript adapters.
>
> Manually I am using jwt.io to check the token. I am just
> curious if the Keycloak adapters support smth similar out of the box.
>
> Thank you for your answers.
>
> Regards,
> Pavel Maslov, MS
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sthorger at redhat.com Mon Dec 7 02:46:03 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 7 Dec 2015 08:46:03 +0100
Subject: [keycloak-user] TOMCAT exclude protection for endpoint
In-Reply-To:
References:
Message-ID:

If you have a javascript application why are you not using the javascript adapter?

On 4 December 2015 at 15:15, Christopher Wallace wrote:
> We are using Apache TOMCAT v. 8.0.18. We have a Javascript application
> that we would like to configure web.xml using KEYCLOAK to protect all root
> URI's '/' except '/tracking'. Is there a way to exclude '/tracking' from
> being protected, either in the KEYCLOAK admin console or in the WEB.XML
> itself? Some additional information: for the tracking URL we will use
> both HTTP and WEBSOCKETS protocols. Our current approach was to
> specifically protect all URIs except for '/tracking', but that doesn't seem
> to be working as a solution.
>
> We have attached our example WEB.XML attempting to specifically protect
> URLs:
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
> version="3.0">
> ROOT
>
> APP
> /app/*
>
> API
> /api/*
>
> HTML
> *.html
>
> user
>
> KEYCLOAK
> worktrac
>
> user
>
> We appreciate your feedback and thoughts on a solution.
> - Chris
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/37ba70c5/attachment.html

From rushil.vaish at gmail.com Mon Dec 7 04:08:24 2015
From: rushil.vaish at gmail.com (Rushil Agarwal)
Date: Mon, 7 Dec 2015 03:08:24 -0600
Subject: [keycloak-user] Getting currently logged in user -Angular JS
Message-ID:

Hi Team,

I am using Keycloak for authenticating my Angular web based application. Trying to grasp the currently logged in user, which I am not able to.

All I know is that through KeycloakSecurityContext I may get it, but how to use it I am not sure.

Kindly help.
Thanks in advance..!!

*With best regards :-*
Rushil Agarwal
Mobile: +91 78298 86000

Please don't print this e-mail unless you really need to. SAVE PAPER TO SAVE TREES
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/b119afdd/attachment.html

From sthorger at redhat.com Mon Dec 7 05:03:53 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 7 Dec 2015 11:03:53 +0100
Subject: [keycloak-user] Getting currently logged in user -Angular JS
In-Reply-To:
References:
Message-ID:

For Angular apps you should use the JavaScript adapter. Please look at our examples, there's an Angular example in there.
Also, look at the JavaScript adapter documentation. On 7 December 2015 at 10:08, Rushil Agarwal wrote: > Hi Team, > > I am using Keycloak for Authenticating my Angular web based application. > Trying to grasp currently logged in user which I am not able to. > > All i know is through KeycloakSecurityContext i may get, but how to use it > not sure. > > Kindly help. > Thanks in advance..!! > > > *With best regards :-* > Rushil Agarwal > Mobile: +91 78298 86000 > > Please don't print this e-mail unless you really need to. SAVE PAPER TO > SAVE TREES > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/e449cc9f/attachment-0001.html From pavel.masloff at gmail.com Mon Dec 7 05:30:51 2015 From: pavel.masloff at gmail.com (Pavel Maslov) Date: Mon, 7 Dec 2015 11:30:51 +0100 Subject: [keycloak-user] [Authorization] Get user roles from token In-Reply-To: <5664F4BD.4000309@redhat.com> References: <5664F4BD.4000309@redhat.com> Message-ID: Hi Bill, I added the *org.keycloak.KeycloakPrincipal* definition in order to get the token: KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal(); String token = kcPrincipal.getKeycloakSecurityContext().getTokenString(); but cannot deploy the project to the Wildfly server: 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-2) Deploying javax.ws.rs.core.Application: class si.liis.apitime.service.ApiTimeApplication 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./apitime-rest: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service 
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_85] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_85] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85] Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85] at java.lang.Class.privateGetDeclaredMethods(Class.java:2625) [rt.jar:1.7.0_85] at java.lang.Class.privateGetPublicMethods(Class.java:2743) [rt.jar:1.7.0_85] at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85] at org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747) at org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700) at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.(POJOResourceFactory.java:29) at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75) at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220) at 
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] ... 3 more 10:23:31,285 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed - address: ([("deployment" => "apitime-rest.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}} 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with the following failure message: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}} I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1. Any solution? Thanks. Regards, Pavel Maslov, MS On Mon, Dec 7, 2015 at 3:53 AM, Bill Burke wrote: > For Java HttpServletRequest.isUserInRole() works. 
> If you typecast the
> principal to KeycloakPrincipal you can obtain the AccessToken.
>
> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
> > Hi everyone,
> >
> > Do Keycloak adapters support user authorization? I mean, of course they
> > do :) For example, the API I have secured with Keycloak receives a
> > Keycloak access token from the client. How can I validate the token
> > (check user roles) in my code? I am interested in the Java (wildfly) and
> > Javascript adapters.
> >
> > Manually I am using jwt.io to check the token. I am just
> > curious if the Keycloak adapters support smth similar out of the box.
> >
> > Thank you for your answers.
> >
> > Regards,
> > Pavel Maslov, MS
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/5ebaec12/attachment.html

From rushil.vaish at gmail.com Mon Dec 7 07:46:18 2015
From: rushil.vaish at gmail.com (Rushil Agarwal)
Date: Mon, 7 Dec 2015 06:46:18 -0600
Subject: [keycloak-user] Getting currently logged in user -Angular JS
In-Reply-To:
References:
Message-ID:

Hi Stian,

Thanks for the reply.
I found only one Angular example, at
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app

But in this example also they are not fetching the logged in user ID.

I also went through the JavaScript adapter documentation, where I got to know the Subject property of Keycloak can help me to get the user id, but how to write it in code I am not getting.
Tried many solutions but not getting the userid.

I am using the below code as of now to authenticate through Keycloak.

    var keycloakAuth = new Keycloak('javascript/keycloak.json');
    keycloakAuth.init({ onLoad: 'login-required' }).success(function () {
    }).error(function () {
    });

Kindly suggest how I can get the logged in userid here.

On Mon, Dec 7, 2015 at 4:03 AM, Stian Thorgersen wrote:
> For Angular apps you should use the JavaScript adapter. Please look at our
> examples, there's an Angular example in there. Also, look at the JavaScript
> adapter documentation.
>
> On 7 December 2015 at 10:08, Rushil Agarwal wrote:
>
>> Hi Team,
>>
>> I am using Keycloak for authenticating my Angular web based application.
>> Trying to grasp the currently logged in user, which I am not able to.
>>
>> All I know is that through KeycloakSecurityContext I may get it, but how to use
>> it I am not sure.
>>
>> Kindly help.
>> Thanks in advance..!!
>>
>> *With best regards :-*
>> Rushil Agarwal
>> Mobile: +91 78298 86000
>>
>> Please don't print this e-mail unless you really need to. SAVE PAPER TO
>> SAVE TREES
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--
*With best regards :-*
Rushil Agarwal
Mobile: +91 78298 86000

Please don't print this e-mail unless you really need to. SAVE PAPER TO SAVE TREES
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/60e38329/attachment.html

From sthorger at redhat.com Mon Dec 7 13:49:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 7 Dec 2015 19:49:19 +0100
Subject: [keycloak-user] Getting currently logged in user -Angular JS
In-Reply-To:
References:
Message-ID:

Look at tokenParsed and idToken; those are both JavaScript objects and contain all the properties about the user that are mapped in the token.

On 7 December 2015 at 13:46, Rushil Agarwal wrote:
> Hi Stian,
>
> Thanks for the reply.
> I found only one Angular example, at
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app
>
> But in this example also they are not fetching the logged in user ID.
>
> I also went through the JavaScript adapter documentation, where I got to know
> the Subject property of Keycloak can help me to get the user id, but how to
> write it in code I am not getting. Tried many solutions but not getting the
> userid.
>
> I am using the below code as of now to authenticate through Keycloak.
>
>     var keycloakAuth = new Keycloak('javascript/keycloak.json');
>     keycloakAuth.init({ onLoad: 'login-required' }).success(function () {
>     }).error(function () {
>     });
>
> Kindly suggest how I can get the logged in userid here.
>
> On Mon, Dec 7, 2015 at 4:03 AM, Stian Thorgersen wrote:
>
>> For Angular apps you should use the JavaScript adapter. Please look at our
>> examples, there's an Angular example in there. Also, look at the JavaScript
>> adapter documentation.
>>
>> On 7 December 2015 at 10:08, Rushil Agarwal wrote:
>>
>>> Hi Team,
>>>
>>> I am using Keycloak for authenticating my Angular web based application.
>>> Trying to grasp the currently logged in user, which I am not able to.
>>>
>>> All I know is that through KeycloakSecurityContext I may get it, but how to use
>>> it I am not sure.
>>>
>>> Kindly help.
>>> Thanks in advance..!!
>>>
>>> *With best regards :-*
>>> Rushil Agarwal
>>> Mobile: +91 78298 86000
>>>
>>> Please don't print this e-mail unless you really need to. SAVE PAPER TO
>>> SAVE TREES
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
> --
> *With best regards :-*
>
> Rushil Agarwal
>
> Mobile: +91 78298 86000
>
> Please don't print this e-mail unless you really need to. SAVE PAPER TO
> SAVE TREES
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/320e9388/attachment-0001.html

From internetreporter at gmail.com Mon Dec 7 14:48:52 2015
From: internetreporter at gmail.com (internet media)
Date: Mon, 7 Dec 2015 13:48:52 -0600
Subject: [keycloak-user] Apply group membership filter on ldap login
Message-ID:

I am using keycloak 1.6.1.Final with Active Directory/LDAP. I have not seen any examples of authenticating users within a group membership (memberOf). I also looked at the tests but no luck. Any help will be appreciated. I just need to be able to set up a user federation using ldap/AD and restrict only to users of a certain group.

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/95d19e74/attachment.html

From bbazian at mbopartners.com Mon Dec 7 15:32:37 2015
From: bbazian at mbopartners.com (Ben Bazian)
Date: Mon, 7 Dec 2015 20:32:37 +0000
Subject: [keycloak-user] Salesforce as an SP with SAML
Message-ID: <860E8DAFFC76794694CFF405F8A1E71F0278CE45@416429-EXCH1.mbopartners.com>

I am trying to set up SSO into Salesforce using SAML. I tried to insert an IDP initiated SSO URL as https://myserveraddress/auth/realms/web/protocol/saml/clients/salesforce-sb-saml, the last part being the ClientID, but that too does not work.
I get an error on the server that the client is not found. Server is running 1.5.0.Final. Has anyone successfully integrated SF? What do I need the address to be?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151207/4da585c5/attachment.html

From bburke at redhat.com Mon Dec 7 18:14:27 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 7 Dec 2015 18:14:27 -0500
Subject: [keycloak-user] Apply group membership filter on ldap login
In-Reply-To:
References:
Message-ID: <566612D3.60208@redhat.com>

You want to allow login only for users that belong to a specific group? We don't have any nice way of doing that. You'd have to write an auth flow extension.

On 12/7/2015 2:48 PM, internet media wrote:
> I am using keycloak 1.6.1.Final with Active Directory/LDAP. I have
> not seen any examples of authenticating users within a group membership
> (memberOf). I also looked at the tests but no luck. Any help will be
> appreciated. I just need to be able to set up a user federation using
> ldap/AD and restrict only to users of a certain group.
>
> Thanks.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From kalc04 at gmail.com Tue Dec 8 03:37:52 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 8 Dec 2015 14:07:52 +0530
Subject: [keycloak-user] Keycloak 1.7.0.CR1 Released
In-Reply-To:
References:
Message-ID:

1.2.0 to 1.7.0 migration works fine + removal of unnecessary cache invalidations has resulted in a considerable performance improvement. So far no visible issues. Thanks guys!

On Thu, Dec 3, 2015 at 9:26 PM, Stian Thorgersen wrote:
> I'm pleased to announce the release of Keycloak 1.7.0.CR1.
> Recently we've
> gone straight to Final, but we'd like to give everyone a chance to try a
> release out first. Unless there are major issues reported we will release
> Final next week.
>
> As usual we've been far from idle and have a number of highlights in this
> release, including:
>
> - *Groups* - users can belong to one or more groups and inherit role
>   mappings and attributes from the group.
> - *First Broker Login Flow* - we've introduced a number of
>   improvements to first login with identity brokers as well as the ability to
>   customize the flow used.
> - *Client Registration* - clients can now dynamically register
>   themselves with a Keycloak server. This supports Keycloak client
>   representations, OpenID Connect Dynamic Client Registration and SAML Entity
>   Descriptors. Client registration is a set of simple REST endpoints; there's also a
>   Java library, and a CLI is coming soon.
> - *OpenID Connect Implicit and Hybrid flows* - we've added support for
>   the Implicit and Hybrid flows. It's also possible to select what flows are
>   available for a specific client.
> - *Add User script* - as a first step to not having a default admin
>   user we've added a script that allows creating an initial admin account.
> - *Cache fixes* - there's a number of fixes related to caching, which
>   should improve performance especially in clusters.
> - *Email Sender SPI* - previously we had one SPI that created email
>   content from FreeMarker and also sent emails. We've now split this into two
>   separate SPIs.
> - *SAML SP WildFly subsystem* - there's now a WildFly subsystem for
>   the SAML SP adapter, which makes it easier to use the SAML SP adapter on
>   WildFly.
> - *WildFly 10 adapter support* - the WildFly adapter, including
>   adapter subsystem, now supports WildFly 10.
>
> For the full list of issues resolved check out JIRA, and to download the release go to the Keycloak homepage.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/792164c7/attachment.html

From hr.stoyanov at peruncs.com Tue Dec 8 04:31:19 2015
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Tue, 8 Dec 2015 09:31:19 +0000
Subject: [keycloak-user] Keycloak 1.6.1 fails to start in WF 9.0.2
Message-ID:

Hi all.
I want to run KC 1.6.1 against a PostgreSQL 9.4 server. The WF9.0.2 logs show no error, yet KC is not available at http://localhost:8080 - I get 404 Page not found. Also, none of the KC tables are created either, as one would expect upon first run. Below is the log; the standalone.xml and keycloak-server.json are also attached. Any clue?

Thanks.

========================================================================
2015-12-08 09:15:29,324 DEBUG [org.jboss.as.config] (MSC service thread 1-8) VM Arguments: -D[Standalone] -XX:+UseCompressedOops -XX:+UseCompressedOops -Xmx1024m -Dorg.jboss.boot.log.file=/opt/wildfly-9.0.2.Final/standalone/log/server.log -Dlogging.configuration=file:/opt/wildfly-9.0.2.Final/standalone/configuration/logging.properties
2015-12-08 09:15:30,726 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 15) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
2015-12-08 09:15:30,729 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 2) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version.
See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. 2015-12-08 09:15:30,789 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http) 2015-12-08 09:15:30,812 INFO [org.xnio] (MSC service thread 1-7) XNIO version 3.3.1.Final 2015-12-08 09:15:30,825 INFO [org.xnio.nio] (MSC service thread 1-7) XNIO NIO Implementation Version 3.3.1.Final 2015-12-08 09:15:30,891 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 43) WFLYIO001: Worker 'default' has auto-configured to 8 core threads with 64 task threads based on your 4 available processors 2015-12-08 09:15:30,897 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 44) WFLYCLINF0001: Activating Infinispan subsystem. 2015-12-08 09:15:30,900 INFO [org.wildfly.iiop.openjdk] (ServerService Thread Pool -- 45) WFLYIIOP0001: Activating IIOP Subsystem 2015-12-08 09:15:30,912 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3) 2015-12-08 09:15:30,934 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.mariadb.jdbc.Driver (version 1.2) 2015-12-08 09:15:30,962 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4) 2015-12-08 09:15:30,964 INFO [org.jboss.remoting] (MSC service thread 1-7) JBoss Remoting version 4.0.9.Final 2015-12-08 09:15:31,093 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 63) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique. 
2015-12-08 09:15:31,113 INFO [org.jboss.as.security] (ServerService Thread Pool -- 62) WFLYSEC0002: Activating Security Subsystem
2015-12-08 09:15:31,126 INFO [org.jboss.as.security] (MSC service thread 1-5) WFLYSEC0001: Current PicketBox version=4.9.2.Final
2015-12-08 09:15:31,140 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 51) WFLYJSF0007: Activated the following JSF Implementations: [main]
2015-12-08 09:15:31,153 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
2015-12-08 09:15:31,155 INFO [org.jboss.as.connector] (MSC service thread 1-7) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
2015-12-08 09:15:31,168 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 55) WFLYNAM0001: Activating Naming Subsystem
2015-12-08 09:15:31,181 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 65) WFLYWS0002: Activating WebServices Extension
2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-5) WFLYJCA0018: Started Driver service with driver-name = h2
2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0018: Started Driver service with driver-name = postgres
2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-5) WFLYJCA0018: Started Driver service with driver-name = mysql
2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = mariadb
2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow] (MSC service thread 1-8) WFLYUT0003: Undertow 1.2.9.Final starting
2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0003: Undertow 1.2.9.Final starting
2015-12-08 09:15:31,300 INFO [org.jboss.as.naming] (MSC service thread 1-6) WFLYNAM0003: Starting Naming Service
2015-12-08 09:15:31,300 INFO [org.jboss.as.mail.extension] (MSC service thread 1-8) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
2015-12-08 09:15:31,459 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0014: Creating file handler for path /opt/wildfly-9.0.2.Final/welcome-content
2015-12-08 09:15:31,488 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0012: Started server default-server.
2015-12-08 09:15:31,496 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
2015-12-08 09:15:31,595 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on /0:0:0:0:0:0:0:0:8080
2015-12-08 09:15:31,786 INFO [org.wildfly.iiop.openjdk] (MSC service thread 1-7) WFLYIIOP0009: CORBA ORB Service started
2015-12-08 09:15:31,799 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
2015-12-08 09:15:31,818 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
2015-12-08 09:15:31,820 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/S4GDS]
2015-12-08 09:15:32,005 WARN [org.jboss.as.messaging] (MSC service thread 1-6) WFLYMSG0075: AIO wasn't located on this platform, it will fall back to using pure Java NIO. Your platform is Linux, install LibAIO to enable the AIO journal.
2015-12-08 09:15:32,026 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-2) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/wildfly-9.0.2.Final/standalone/deployments
2015-12-08 09:15:32,028 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
2015-12-08 09:15:32,147 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221000: live server is starting with configuration HornetQ Configuration (clustered=false,backup=false,sharedStore=true,journalDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingjournal,bindingsDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingbindings,largeMessagesDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messaginglargemessages,pagingDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingpaging)
2015-12-08 09:15:32,157 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221006: Waiting to obtain live lock
2015-12-08 09:15:32,405 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221013: Using NIO Journal
2015-12-08 09:15:32,471 INFO [org.jboss.ws.common.management] (MSC service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
2015-12-08 09:15:32,494 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221043: Adding protocol support CORE
2015-12-08 09:15:32,502 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221043: Adding protocol support AMQP
2015-12-08 09:15:32,514 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221043: Adding protocol support STOMP
2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221034: Waiting to obtain live lock
2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221035: Live Server Obtained live lock
2015-12-08 09:15:32,780 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 72) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread 1-5) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol handled by http-acceptor-throughput acceptor
2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread 1-1) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol handled by http-acceptor acceptor
2015-12-08 09:15:33,143 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221007: Server is now live
2015-12-08 09:15:33,144 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221001: HornetQ Server version 2.4.7.Final (2.4.7.Final, 124) [e4688d93-96cc-11e5-b241-fb4ba7767374]
2015-12-08 09:15:33,149 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 73) HQ221003: trying to deploy queue jms.queue.DLQ
2015-12-08 09:15:33,194 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 72) WFLYCLINF0002: Started users cache from keycloak container
2015-12-08 09:15:33,195 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 74) WFLYCLINF0002: Started sessions cache from keycloak container
2015-12-08 09:15:33,197 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 71) WFLYCLINF0002: Started loginFailures cache from keycloak container
2015-12-08 09:15:33,208 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 75) WFLYCLINF0002: Started realms cache from keycloak container
2015-12-08 09:15:33,227 INFO [org.jboss.as.messaging] (ServerService Thread Pool -- 77) WFLYMSG0002: Bound messaging object to jndi name java:/ConnectionFactory
2015-12-08 09:15:33,235 INFO [org.jboss.as.messaging] (ServerService Thread Pool -- 76) WFLYMSG0002: Bound messaging object to jndi name java:jboss/exported/jms/RemoteConnectionFactory
2015-12-08 09:15:33,237 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221003: trying to deploy queue jms.queue.ExpiryQueue
2015-12-08 09:15:33,301 INFO [org.jboss.as.connector.deployment] (MSC service thread 1-7) WFLYJCA0007: Registered connection factory java:/JmsXA
2015-12-08 09:15:33,377 INFO [org.hornetq.ra] (MSC service thread 1-7) HornetQ resource adaptor started
2015-12-08 09:15:33,377 INFO [org.jboss.as.connector.services.resourceadapters.ResourceAdapterActivatorService$ResourceAdapterActivator] (MSC service thread 1-7) IJ020002: Deployed: file://RaActivatorhornetq-ra
2015-12-08 09:15:33,379 INFO [org.jboss.as.connector.deployment] (MSC service thread 1-8) WFLYJCA0002: Bound JCA ConnectionFactory [java:/JmsXA]
2015-12-08 09:15:33,379 INFO [org.jboss.as.messaging] (MSC service thread 1-6) WFLYMSG0002: Bound messaging object to jndi name java:jboss/DefaultJMSConnectionFactory
2015-12-08 09:15:33,554 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: *Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")*
2015-12-08 09:15:33,761 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://[0:0:0:0:0:0:0:0]:9990/management
2015-12-08 09:15:33,762 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://[0:0:0:0:0:0:0:0]:9990
2015-12-08 09:15:33,762 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: WildFly Full 9.0.2.Final (WildFly Core 1.0.2.Final) started (with errors) in 4942ms - Started 365 of 618 services (3 services failed or missing dependencies, 319 services are lazy, passive or on-demand)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/0e9f6c47/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: configuration.xml
Type: text/xml
Size: 32553 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/0e9f6c47/attachment-0001.xml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak-server.json
Type: application/json
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/0e9f6c47/attachment-0001.bin

From hr.stoyanov at peruncs.com Tue Dec 8 04:34:18 2015
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Tue, 8 Dec 2015 01:34:18 -0800
Subject: [keycloak-user] Keycloak 1.6.1 fails to start in WF 9.0.2
Message-ID:

.... I mean KC is not available at http://localhost:8080/auth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/69556abc/attachment.html

From sthorger at redhat.com Tue Dec 8 04:35:52 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 8 Dec 2015 10:35:52 +0100
Subject: [keycloak-user] Keycloak 1.6.1 fails to start in WF 9.0.2
In-Reply-To:
References:
Message-ID:

The last line says there's an error starting. My guess is it's got something to do with the DB config. Try using the default H2 db: start it with that and see if it works. Then change to your PostgreSQL db.

On 8 December 2015 at 10:31, Hristo Stoyanov wrote:

> Hi all. I want to run KC 1.6.1 against a PostgreSQL 9.4 server. The
> WF9.0.2 logs show no error, yet KC is not available at
> http://localhost:8080 - I get 404 Page not found. Also, none of the KC
> tables are created either as one would expect upon first run. Below is the
> log, the standalone.xml and keycloak-server.json are also attached. Any
> clue? Thanks.
> ========================================================================
> 2015-12-08 09:15:29,324 DEBUG [org.jboss.as.config] (MSC service thread 1-8) VM Arguments: -D[Standalone] -XX:+UseCompressedOops -XX:+UseCompressedOops -Xmx1024m -Dorg.jboss.boot.log.file=/opt/wildfly-9.0.2.Final/standalone/log/server.log -Dlogging.configuration=file:/opt/wildfly-9.0.2.Final/standalone/configuration/logging.properties
> 2015-12-08 09:15:30,726 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 15) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 2015-12-08 09:15:30,729 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 2) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 2015-12-08 09:15:30,789 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> 2015-12-08 09:15:30,812 INFO [org.xnio] (MSC service thread 1-7) XNIO version 3.3.1.Final
> 2015-12-08 09:15:30,825 INFO [org.xnio.nio] (MSC service thread 1-7) XNIO NIO Implementation Version 3.3.1.Final
> 2015-12-08 09:15:30,891 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 43) WFLYIO001: Worker 'default' has auto-configured to 8 core threads with 64 task threads based on your 4 available processors
> 2015-12-08 09:15:30,897 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 44) WFLYCLINF0001: Activating Infinispan subsystem.
> 2015-12-08 09:15:30,900 INFO [org.wildfly.iiop.openjdk] (ServerService Thread Pool -- 45) WFLYIIOP0001: Activating IIOP Subsystem
> 2015-12-08 09:15:30,912 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
> 2015-12-08 09:15:30,934 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.mariadb.jdbc.Driver (version 1.2)
> 2015-12-08 09:15:30,962 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
> 2015-12-08 09:15:30,964 INFO [org.jboss.remoting] (MSC service thread 1-7) JBoss Remoting version 4.0.9.Final
> 2015-12-08 09:15:31,093 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 63) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
> 2015-12-08 09:15:31,113 INFO [org.jboss.as.security] (ServerService Thread Pool -- 62) WFLYSEC0002: Activating Security Subsystem
> 2015-12-08 09:15:31,126 INFO [org.jboss.as.security] (MSC service thread 1-5) WFLYSEC0001: Current PicketBox version=4.9.2.Final
> 2015-12-08 09:15:31,140 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 51) WFLYJSF0007: Activated the following JSF Implementations: [main]
> 2015-12-08 09:15:31,153 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1)
> 2015-12-08 09:15:31,155 INFO [org.jboss.as.connector] (MSC service thread 1-7) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
> 2015-12-08 09:15:31,168 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 55) WFLYNAM0001: Activating Naming Subsystem
> 2015-12-08 09:15:31,181 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 65) WFLYWS0002: Activating WebServices Extension
> 2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-5) WFLYJCA0018: Started Driver service with driver-name = h2
> 2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0018: Started Driver service with driver-name = postgres
> 2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-5) WFLYJCA0018: Started Driver service with driver-name = mysql
> 2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = mariadb
> 2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow] (MSC service thread 1-8) WFLYUT0003: Undertow 1.2.9.Final starting
> 2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0003: Undertow 1.2.9.Final starting
> 2015-12-08 09:15:31,300 INFO [org.jboss.as.naming] (MSC service thread 1-6) WFLYNAM0003: Starting Naming Service
> 2015-12-08 09:15:31,300 INFO [org.jboss.as.mail.extension] (MSC service thread 1-8) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> 2015-12-08 09:15:31,459 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0014: Creating file handler for path /opt/wildfly-9.0.2.Final/welcome-content
> 2015-12-08 09:15:31,488 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0012: Started server default-server.
> 2015-12-08 09:15:31,496 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
> 2015-12-08 09:15:31,595 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on /0:0:0:0:0:0:0:0:8080
> 2015-12-08 09:15:31,786 INFO [org.wildfly.iiop.openjdk] (MSC service thread 1-7) WFLYIIOP0009: CORBA ORB Service started
> 2015-12-08 09:15:31,799 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> 2015-12-08 09:15:31,818 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> 2015-12-08 09:15:31,820 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/S4GDS]
> 2015-12-08 09:15:32,005 WARN [org.jboss.as.messaging] (MSC service thread 1-6) WFLYMSG0075: AIO wasn't located on this platform, it will fall back to using pure Java NIO. Your platform is Linux, install LibAIO to enable the AIO journal.
> 2015-12-08 09:15:32,026 INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-2) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/wildfly-9.0.2.Final/standalone/deployments
> 2015-12-08 09:15:32,028 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> 2015-12-08 09:15:32,147 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221000: live server is starting with configuration HornetQ Configuration (clustered=false,backup=false,sharedStore=true,journalDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingjournal,bindingsDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingbindings,largeMessagesDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messaginglargemessages,pagingDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingpaging)
> 2015-12-08 09:15:32,157 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221006: Waiting to obtain live lock
> 2015-12-08 09:15:32,405 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221013: Using NIO Journal
> 2015-12-08 09:15:32,471 INFO [org.jboss.ws.common.management] (MSC service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> 2015-12-08 09:15:32,494 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221043: Adding protocol support CORE
> 2015-12-08 09:15:32,502 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221043: Adding protocol support AMQP
> 2015-12-08 09:15:32,514 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221043: Adding protocol support STOMP
> 2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221034: Waiting to obtain live lock
> 2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221035: Live Server Obtained live lock
> 2015-12-08 09:15:32,780 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 72) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
> 2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread 1-5) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol handled by http-acceptor-throughput acceptor
> 2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread 1-1) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol handled by http-acceptor acceptor
> 2015-12-08 09:15:33,143 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221007: Server is now live
> 2015-12-08 09:15:33,144 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221001: HornetQ Server version 2.4.7.Final (2.4.7.Final, 124) [e4688d93-96cc-11e5-b241-fb4ba7767374]
> 2015-12-08 09:15:33,149 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 73) HQ221003: trying to deploy queue jms.queue.DLQ
> 2015-12-08 09:15:33,194 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 72) WFLYCLINF0002: Started users cache from keycloak container
> 2015-12-08 09:15:33,195 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 74) WFLYCLINF0002: Started sessions cache from keycloak container
> 2015-12-08 09:15:33,197 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 71) WFLYCLINF0002: Started loginFailures cache from keycloak container
> 2015-12-08 09:15:33,208 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 75) WFLYCLINF0002: Started realms cache from keycloak container
> 2015-12-08 09:15:33,227 INFO [org.jboss.as.messaging] (ServerService Thread Pool -- 77) WFLYMSG0002: Bound messaging object to jndi name java:/ConnectionFactory
> 2015-12-08 09:15:33,235 INFO [org.jboss.as.messaging] (ServerService Thread Pool -- 76) WFLYMSG0002: Bound messaging object to jndi name java:jboss/exported/jms/RemoteConnectionFactory
> 2015-12-08 09:15:33,237 INFO [org.hornetq.core.server] (ServerService Thread Pool -- 70) HQ221003: trying to deploy queue jms.queue.ExpiryQueue
> 2015-12-08 09:15:33,301 INFO [org.jboss.as.connector.deployment] (MSC service thread 1-7) WFLYJCA0007: Registered connection factory java:/JmsXA
> 2015-12-08 09:15:33,377 INFO [org.hornetq.ra] (MSC service thread 1-7) HornetQ resource adaptor started
> 2015-12-08 09:15:33,377 INFO [org.jboss.as.connector.services.resourceadapters.ResourceAdapterActivatorService$ResourceAdapterActivator] (MSC service thread 1-7) IJ020002: Deployed: file://RaActivatorhornetq-ra
> 2015-12-08 09:15:33,379 INFO [org.jboss.as.connector.deployment] (MSC service thread 1-8) WFLYJCA0002: Bound JCA ConnectionFactory [java:/JmsXA]
> 2015-12-08 09:15:33,379 INFO [org.jboss.as.messaging] (MSC service thread 1-6) WFLYMSG0002: Bound messaging object to jndi name java:jboss/DefaultJMSConnectionFactory
> 2015-12-08 09:15:33,554 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: *Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")*
> 2015-12-08 09:15:33,761 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://[0:0:0:0:0:0:0:0]:9990/management
> 2015-12-08 09:15:33,762 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://[0:0:0:0:0:0:0:0]:9990
> 2015-12-08 09:15:33,762 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: WildFly Full 9.0.2.Final (WildFly Core 1.0.2.Final) started (with errors) in 4942ms - Started 365 of 618 services (3 services failed or missing dependencies, 319 services are lazy, passive or on-demand)
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
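The reply above makes the practical point: a WildFly boot that ends in WFLYSRV0026 "started (with errors)" has failed even though every earlier line is INFO and the WAR shows as "Deployed". As an added example (not part of this thread, and not Keycloak or WildFly code), here is a small parser that reads that summary line and reports what the log actually says. It assumes the WildFly 9 server.log format seen above (timestamp, level, [category], (thread), message) and the message codes WFLYSRV0025 for a clean start and WFLYSRV0026 for a start with errors; the sample input is a handful of lines excerpted from the log quoted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# WildFly/JBoss server.log line: "<date> <time> <LEVEL> [<category>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+"
    r"(?P<msg>.*)$"
)
# Boot summary: WFLYSRV0025 = clean start, WFLYSRV0026 = started with errors.
# Both carry "Started X of Y services"; only the error form carries the failed count.
BOOT_RE = re.compile(
    r"WFLYSRV00(?P<code>25|26): .*?started(?P<witherr> \(with errors\))? in (?P<ms>\d+)ms"
    r" - Started (?P<started>\d+) of (?P<total>\d+) services"
    r"(?: \((?P<failed>\d+) services failed or missing dependencies)?"
)
DS_RE = re.compile(r"WFLYJCA0001: Bound data source \[(?P<jndi>[^\]]+)\]")
DEPLOY_RE = re.compile(r'WFLYSRV0010: \*?Deployed "(?P<name>[^"]+)"')


@dataclass
class BootReport:
    booted: bool = False          # a WFLYSRV0025/0026 summary line was seen
    with_errors: bool = False
    started: int = 0
    total: int = 0
    failed: int = 0               # "services failed or missing dependencies"
    boot_ms: int = 0
    datasources: List[str] = field(default_factory=list)
    deployments: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)   # every ERROR/WARN message


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; None for banners, wrapped text or non-log lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines: Iterable[str]) -> BootReport:
    rep = BootReport()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] in ("ERROR", "WARN"):
            rep.problems.append(f'{rec["level"]} {msg}')
        if (m := DS_RE.search(msg)):
            rep.datasources.append(m.group("jndi"))
        if (m := DEPLOY_RE.search(msg)):
            rep.deployments.append(m.group("name"))
        if (m := BOOT_RE.search(msg)):
            rep.booted = True
            rep.with_errors = m.group("code") == "26" or bool(m.group("witherr"))
            rep.boot_ms = int(m.group("ms"))
            rep.started = int(m.group("started"))
            rep.total = int(m.group("total"))
            rep.failed = int(m.group("failed") or 0)
    return rep


def verdict(rep: BootReport) -> str:
    """One-line diagnosis: trust the boot summary, not the INFO noise before it."""
    if not rep.booted:
        return "no WFLYSRV0025/0026 summary found: log is truncated or the server never finished booting"
    if rep.with_errors:
        return (f"server booted WITH ERRORS: {rep.failed} service(s) failed or missing dependencies "
                f"({rep.started}/{rep.total} started); a 'Deployed' line for the WAR does not mean it serves requests")
    return f"server booted cleanly in {rep.boot_ms}ms ({rep.started}/{rep.total} services)"


# Sample input: lines excerpted from the server log quoted in this thread.
SAMPLE_LOG = """\
2015-12-08 09:15:31,818 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
2015-12-08 09:15:32,005 WARN [org.jboss.as.messaging] (MSC service thread 1-6) WFLYMSG0075: AIO wasn't located on this platform, it will fall back to using pure Java NIO. Your platform is Linux, install LibAIO to enable the AIO journal.
2015-12-08 09:15:33,554 INFO [org.jboss.as.server] (ServerService Thread Pool -- 67) WFLYSRV0010: *Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")*
2015-12-08 09:15:33,762 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: WildFly Full 9.0.2.Final (WildFly Core 1.0.2.Final) started (with errors) in 4942ms - Started 365 of 618 services (3 services failed or missing dependencies, 319 services are lazy, passive or on-demand)
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:      # e.g. standalone/log/server.log
            report = analyse(fh)
    else:
        report = analyse(SAMPLE_LOG.splitlines())
    print(verdict(report))
    for p in report.problems:
        print("  ", p)
```

Run it against standalone/log/server.log after each configuration change (H2 first, then the PostgreSQL datasource) and compare the verdicts; the failed-service count dropping to zero is the signal that the datasource change was the cause. The script only reports what the summary line states; the names of the failed services are printed by WildFly separately (WFLYCTL0186 in this release) and are not in the excerpt quoted here.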
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/985b9800/attachment-0001.html

From pavel.masloff at gmail.com Tue Dec 8 04:39:18 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Tue, 8 Dec 2015 10:39:18 +0100
Subject: [keycloak-user] Keycloak 1.6.1 fails to start in WF 9.0.2
In-Reply-To:
References:
Message-ID:

Hey Hristo,
You can try my docker image [1]. It's using Keycloak 1.6.1, Postgres 9.4.
HTH.
Pavel

Regards,
Pavel Maslov, MS

On Tue, Dec 8, 2015 at 10:31 AM, Hristo Stoyanov wrote:

> Hi all. I want to run KC 1.6.1 against a PostgreSQL 9.4 server. The
> WF9.0.2 logs show no error, yet KC is not available at
> http://localhost:8080 - I get 404 Page not found. Also, none of the KC
> tables are created either as one would expect upon first run. Below is the
> log, the standalone.xml and keycloak-server.json are also attached. Any
> clue? Thanks.
> ========================================================================
> 2015-12-08 09:15:29,324 DEBUG [org.jboss.as.config] (MSC service thread 1-8) VM Arguments: -D[Standalone] -XX:+UseCompressedOops -XX:+UseCompressedOops -Xmx1024m -Dorg.jboss.boot.log.file=/opt/wildfly-9.0.2.Final/standalone/log/server.log -Dlogging.configuration=file:/opt/wildfly-9.0.2.Final/standalone/configuration/logging.properties
> 2015-12-08 09:15:30,726 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 15) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/607826a1/attachment-0001.html

From pavel.masloff at gmail.com Tue Dec 8 04:39:42 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Tue, 8 Dec 2015 10:39:42 +0100
Subject: [keycloak-user] Keycloak 1.6.1 fails to start in WF 9.0.2
In-Reply-To:
References:
Message-ID:

[1] https://github.com/maslick/keycloak-docker

Regards,
Pavel Maslov, MS

On Tue, Dec 8, 2015 at 10:31 AM, Hristo Stoyanov wrote:

> Hi all. I want to run KC 1.6.1. against a PostgreSQL 9.4 server. The
> WF9.0.2 logs show no error, yet KC is not available at
> http://localhost:8080 - I get 4040 Page not found. Also, none of the KC
> tables are created either as one would expect upon first run. Below is the
> log, the standalone.xml and keycloak-server.json are also attached. Any
> clue? Thanks.
> ========================================================================
> 2015-12-08 09:15:29,324 DEBUG [org.jboss.as.config] (MSC service thread
> 1-8) VM Arguments: -D[Standalone] -XX:+UseCompressedOops
> -XX:+UseCompressedOops -Xmx1024m
> -Dorg.jboss.boot.log.file=/opt/wildfly-9.0.2.Final/standalone/log/server.log
> -Dlogging.configuration=file:/opt/wildfly-9.0.2.Final/standalone/configuration/
> logging.properties
> 2015-12-08 09:15:30,726 INFO
> [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool
> -- 15) WFLYCTL0028: Attribute 'job-repository-type' in the resource at
> address '/subsystem=batch' is deprecated, and may be removed in future
> version. See the attribute description in the output of the read-resour
> ce-description operation to learn more about the deprecation.
> 2015-12-08 09:15:30,729 INFO > [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool > -- 2) WFLYCTL0028: Attribute 'enabled' in the resource at address > '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be > removed in future version. See the attribute description in the output of > the read-resource-description operation to learn more about the > deprecation. > 2015-12-08 09:15:30,789 INFO [org.jboss.as.server] (Controller Boot > Thread) WFLYSRV0039: Creating http management service using socket-binding > (management-http) > 2015-12-08 09:15:30,812 INFO [org.xnio] (MSC service thread 1-7) XNIO > version 3.3.1.Final > 2015-12-08 09:15:30,825 INFO [org.xnio.nio] (MSC service thread 1-7) XNIO > NIO Implementation Version 3.3.1.Final > 2015-12-08 09:15:30,891 INFO [org.wildfly.extension.io] (ServerService > Thread Pool -- 43) WFLYIO001: Worker 'default' has auto-configured to 8 > core threads with 64 task threads based on your 4 available processors > 2015-12-08 09:15:30,897 INFO [org.jboss.as.clustering.infinispan] > (ServerService Thread Pool -- 44) WFLYCLINF0001: Activating Infinispan > subsystem. 
> 2015-12-08 09:15:30,900 INFO [org.wildfly.iiop.openjdk] (ServerService > Thread Pool -- 45) WFLYIIOP0001: Activating IIOP Subsystem > 2015-12-08 09:15:30,912 INFO > [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool > -- 39) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver > (version 1.3) > 2015-12-08 09:15:30,934 INFO > [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool > -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class > org.mariadb.jdbc.Driver (version 1.2) > 2015-12-08 09:15:30,962 INFO > [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool > -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class > org.postgresql.Driver (version 9.4) > 2015-12-08 09:15:30,964 INFO [org.jboss.remoting] (MSC service thread > 1-7) JBoss Remoting version 4.0.9.Final > 2015-12-08 09:15:31,093 WARN [org.jboss.as.txn] (ServerService Thread > Pool -- 63) WFLYTX0013: Node identifier property is set to the default > value. Please make sure it is unique. 
> 2015-12-08 09:15:31,113 INFO [org.jboss.as.security] (ServerService > Thread Pool -- 62) WFLYSEC0002: Activating Security Subsystem > 2015-12-08 09:15:31,126 INFO [org.jboss.as.security] (MSC service thread > 1-5) WFLYSEC0001: Current PicketBox version=4.9.2.Final > 2015-12-08 09:15:31,140 INFO [org.jboss.as.jsf] (ServerService Thread > Pool -- 51) WFLYJSF0007: Activated the following JSF Implementations: [main] > 2015-12-08 09:15:31,153 INFO > [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool > -- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class > com.mysql.jdbc.Driver (version 5.1) > 2015-12-08 09:15:31,155 INFO [org.jboss.as.connector] (MSC service thread > 1-7) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > 2015-12-08 09:15:31,168 INFO [org.jboss.as.naming] (ServerService Thread > Pool -- 55) WFLYNAM0001: Activating Naming Subsystem > 2015-12-08 09:15:31,181 INFO [org.jboss.as.webservices] (ServerService > Thread Pool -- 65) WFLYWS0002: Activating WebServices Extension > 2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC > service thread 1-5) WFLYJCA0018: Started Driver service with driver-name = > h2 > 2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC > service thread 1-6) WFLYJCA0018: Started Driver service with driver-name = > postgres > 2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC > service thread 1-5) WFLYJCA0018: Started Driver service with driver-name = > mysql > 2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC > service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = > mariadb > 2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow] (MSC > service thread 1-8) WFLYUT0003: Undertow 1.2.9.Final starting > 2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow] > (ServerService Thread Pool -- 64) WFLYUT0003: Undertow 1.2.9.Final starting > 2015-12-08 09:15:31,300 INFO 
[org.jboss.as.naming] (MSC service thread > 1-6) WFLYNAM0003: Starting Naming Service > 2015-12-08 09:15:31,300 INFO [org.jboss.as.mail.extension] (MSC service > thread 1-8) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] > 2015-12-08 09:15:31,459 INFO [org.wildfly.extension.undertow] > (ServerService Thread Pool -- 64) WFLYUT0014: Creating file handler for > path /opt/wildfly-9.0.2.Final/welcome-content > 2015-12-08 09:15:31,488 INFO [org.wildfly.extension.undertow] (MSC > service thread 1-4) WFLYUT0012: Started server default-server. > 2015-12-08 09:15:31,496 INFO [org.wildfly.extension.undertow] (MSC > service thread 1-4) WFLYUT0018: Host default-host starting > 2015-12-08 09:15:31,595 INFO [org.wildfly.extension.undertow] (MSC > service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on > /0:0:0:0:0:0:0:0:8080 > 2015-12-08 09:15:31,786 INFO [org.wildfly.iiop.openjdk] (MSC service > thread 1-7) WFLYIIOP0009: CORBA ORB Service started > 2015-12-08 09:15:31,799 INFO > [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) > WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS] > 2015-12-08 09:15:31,818 INFO > [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) > WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS] > 2015-12-08 09:15:31,820 INFO > [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) > WFLYJCA0001: Bound data source [java:jboss/datasources/S4GDS] > 2015-12-08 09:15:32,005 WARN [org.jboss.as.messaging] (MSC service thread > 1-6) WFLYMSG0075: AIO wasn't located on this platform, it will fall back to > using pure Java NIO. Your platform is Linux, install LibAIO to enable the > AIO journal. 
> 2015-12-08 09:15:32,026 INFO [org.jboss.as.server.deployment.scanner] > (MSC service thread 1-2) WFLYDS0013: Started FileSystemDeploymentService > for directory /opt/wildfly-9.0.2.Final/standalone/deployments > 2015-12-08 09:15:32,028 INFO [org.jboss.as.server.deployment] (MSC > service thread 1-4) WFLYSRV0027: Starting deployment of > "keycloak-server.war" (runtime-name: "keycloak-server.war") > 2015-12-08 09:15:32,147 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221000: live server is starting with configuration > HornetQ Configuration > (clustered=false,backup=false,sharedStore=true,journalDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingjournal,bindingsDirectory=/opt/wildfly- > > 9.0.2.Final/standalone/data/messagingbindings,largeMessagesDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messaginglargemessages,pagingDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingpaging) > 2015-12-08 09:15:32,157 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221006: Waiting to obtain live lock > 2015-12-08 09:15:32,405 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221013: Using NIO Journal > 2015-12-08 09:15:32,471 INFO [org.jboss.ws.common.management] (MSC > service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF > Server 5.0.0.Final > 2015-12-08 09:15:32,494 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221043: Adding protocol support CORE > 2015-12-08 09:15:32,502 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221043: Adding protocol support AMQP > 2015-12-08 09:15:32,514 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221043: Adding protocol support STOMP > 2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221034: Waiting to obtain live lock > 2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221035: Live Server 
Obtained live lock > 2015-12-08 09:15:32,780 INFO > [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread > Pool -- 72) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' > 7.2.3.Final > 2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread > 1-5) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol > handled by http-acceptor-throughput acceptor > 2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread > 1-1) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol > handled by http-acceptor acceptor > 2015-12-08 09:15:33,143 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221007: Server is now live > 2015-12-08 09:15:33,144 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221001: HornetQ Server version 2.4.7.Final > (2.4.7.Final, 124) [e4688d93-96cc-11e5-b241-fb4ba7767374] > 2015-12-08 09:15:33,149 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 73) HQ221003: trying to deploy queue jms.queue.DLQ > 2015-12-08 09:15:33,194 INFO [org.jboss.as.clustering.infinispan] > (ServerService Thread Pool -- 72) WFLYCLINF0002: Started users cache from > keycloak container > 2015-12-08 09:15:33,195 INFO [org.jboss.as.clustering.infinispan] > (ServerService Thread Pool -- 74) WFLYCLINF0002: Started sessions cache > from keycloak container > 2015-12-08 09:15:33,197 INFO [org.jboss.as.clustering.infinispan] > (ServerService Thread Pool -- 71) WFLYCLINF0002: Started loginFailures > cache from keycloak container > 2015-12-08 09:15:33,208 INFO [org.jboss.as.clustering.infinispan] > (ServerService Thread Pool -- 75) WFLYCLINF0002: Started realms cache from > keycloak container > 2015-12-08 09:15:33,227 INFO [org.jboss.as.messaging] (ServerService > Thread Pool -- 77) WFLYMSG0002: Bound messaging object to jndi name > java:/ConnectionFactory > 2015-12-08 09:15:33,235 INFO [org.jboss.as.messaging] (ServerService > Thread Pool -- 76) WFLYMSG0002: 
Bound messaging object to jndi name > java:jboss/exported/jms/RemoteConnectionFactory > 2015-12-08 09:15:33,237 INFO [org.hornetq.core.server] (ServerService > Thread Pool -- 70) HQ221003: trying to deploy queue jms.queue.ExpiryQueue > 2015-12-08 09:15:33,301 INFO [org.jboss.as.connector.deployment] (MSC > service thread 1-7) WFLYJCA0007: Registered connection factory java:/JmsXA > 2015-12-08 09:15:33,377 INFO [org.hornetq.ra] (MSC service thread 1-7) > HornetQ resource adaptor started > 2015-12-08 09:15:33,377 INFO > [org.jboss.as.connector.services.resourceadapters.ResourceAdapterActivatorService$ResourceAdapterActivator] > (MSC service thread 1-7) IJ020002: Deployed: file://RaActivatorhornetq-ra > 2015-12-08 09:15:33,379 INFO [org.jboss.as.connector.deployment] (MSC > service thread 1-8) WFLYJCA0002: Bound JCA ConnectionFactory [java:/JmsXA] > 2015-12-08 09:15:33,379 INFO [org.jboss.as.messaging] (MSC service thread > 1-6) WFLYMSG0002: Bound messaging object to jndi name > java:jboss/DefaultJMSConnectionFactory > 2015-12-08 09:15:33,554 INFO [org.jboss.as.server] (ServerService Thread > Pool -- 67) WFLYSRV0010: *Deployed "keycloak-server.war" (runtime-name : > "keycloak-server.war")* > 2015-12-08 09:15:33,761 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0060: Http management interface listening on http:// > [0:0:0:0:0:0:0:0]:9990/management > 2015-12-08 09:15:33,762 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0051: Admin console listening on http://[0:0:0:0:0:0:0:0]:9990 > 2015-12-08 09:15:33,762 ERROR [org.jboss.as] (Controller Boot Thread) > WFLYSRV0026: WildFly Full 9.0.2.Final (WildFly Core 1.0.2.Final) started > (with errors) in 4942ms - Started 365 of 618 services (3 services failed or > missing dependencies, 319 services are lazy, passive or on-demand) > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/b19cc929/attachment-0001.html

From dirk.franssen at gmail.com Tue Dec 8 06:09:41 2015
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Tue, 8 Dec 2015 12:09:41 +0100
Subject: [keycloak-user] Config cascading services
Message-ID:

Hi,

how would one configure Keycloak to obtain the following scenarios?

Scenario 1:
client A: public (angular app)
client B: bearer-only (microservice)
client C: bearer-only (microservice)

- microservice B is allowed to call microservice C, but an authenticated user in the js app A should be forbidden to call microservice C directly.

Scenario 2:
client A: public (angular app)
client B: confidential (1 war with a REST service AND a JSF application, both using the same EJB business layer which is accessing microservice C)
client C: bearer-only (microservice)

- a user authenticated in the angular app can use the REST service of app B and will see the results of microservice C, but the user may not call microservice C directly
- a user authenticated in the JSF application will see the results of microservice C when using the JSF application, but should not be able to use microservice C directly (if the user would reuse the same access_token)
- should there be different roles for the REST part and the JSF part of app B (for accessing microservice C)?

Kind regards,
Dirk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/726df084/attachment.html

From mposolda at redhat.com Tue Dec 8 06:37:23 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 8 Dec 2015 12:37:23 +0100
Subject: [keycloak-user] Apply group membership filter on ldap login
In-Reply-To: <566612D3.60208@redhat.com>
References: <566612D3.60208@redhat.com>
Message-ID: <5666C0F3.2000501@redhat.com>

For 1.8, I plan to add the custom LDAP filter for user searching, so you will have the possibility to filter users found from LDAP by "memberOf" value or any other custom filter (so far, they are filtered just by objectClass). More people have asked for that already.

If you need it already for 1.7, you will need to create a UserAttribute LDAP mapper for the "memberOf" attribute and then write the custom auth flow extension as Bill mentioned.

Marek

On 08/12/15 00:14, Bill Burke wrote:
> You want to allow login only for users that belong to a specific group?
> We don't have any nice way of doing that. You'd have to write an auth
> flow extension.
>
> On 12/7/2015 2:48 PM, internet media wrote:
>> I am using keycloak 1.6.1.Final with Active Directory/LDAP. I have
>> not seen any examples of authenticating users within a group membership
>> (memberOf). I also looked at the tests but no luck. Any help will be
>> appreciated. I just need to be able to set up a user federation using
>> ldap/AD and restrict only to users of a certain group.
>>
>> Thanks.
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From lkrzyzan at redhat.com Tue Dec 8 06:49:08 2015
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 8 Dec 2015 12:49:08 +0100
Subject: [keycloak-user] Keycloak 1.7.0.CR1 Released
In-Reply-To:
References:
Message-ID: <2594C622-1B8D-4B44-84EF-93E4DAB886E1@redhat.com>

Hi,
thank you very much for the CR release.
We tried an upgrade from 1.6 on EAP 6.4 + Postgres and everything seems to be working so far.

Thanks,

Libor Krzyžanek
jboss.org Development Team

> On Dec 3, 2015, at 4:56 PM, Stian Thorgersen wrote:
>
> I'm pleased to announce the release of Keycloak 1.7.0.CR1. Recently we've gone straight to Final, but we'd like to give everyone a chance to try a release out first. Unless there are major issues reported we will release Final next week.
>
> As usual we've been far from idle and have a number of highlights in this release, including:
>
> Groups - users can belong to one or more groups and inherit role mappings and attributes from the group.
> First Broker Login Flow - we've introduced a number of improvements to first login with identity brokers as well as the ability to customize the flow used.
> Client Registration - clients can now dynamically register themselves with a Keycloak server. This supports Keycloak client representations, OpenID Connect Dynamic Client Registration and SAML Entity Descriptors. Client registration is done via simple REST endpoints; there's also a Java library and a CLI is coming soon.
> OpenID Connect Implicit and Hybrid flows - we've added support for the Implicit and Hybrid flows. It's also possible to select what flows are available for a specific client.
> Add User script - as a first step to not having a default admin user we've added a script that allows creating an initial admin account.
> Cache fixes - there's a number of fixes related to caching, which should improve performance especially in clusters.
> Email Sender SPI - previously we had one SPI that created email content from FreeMarker and also sent emails. We've now split this into two separate SPIs.
> SAML SP WildFly subsystem - there's now a WildFly subsystem for the SAML SP adapter, which makes it easier to use the SAML SP adapter on WildFly.
> WildFly 10 adapter support - the WildFly adapter, including adapter subsystem, now supports WildFly 10.
>
> For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/91cf4234/attachment.html

From sthorger at redhat.com Tue Dec 8 08:40:51 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 8 Dec 2015 14:40:51 +0100
Subject: [keycloak-user] Keycloak 1.7.0.Final Released
Message-ID:

This release contains no changes since 1.7.0.CR1 as there were no major bugs reported. Thanks to everyone that did give CR1 a try and provided feedback.

For new features in this release check out the blog post about the Keycloak 1.7.0.CR1 release.

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/fc19bf6a/attachment.html

From pavel.masloff at gmail.com Tue Dec 8 08:47:52 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Tue, 8 Dec 2015 14:47:52 +0100
Subject: [keycloak-user] Keycloak 1.7.0.Final Released
In-Reply-To:
References:
Message-ID:

Could you upload the new release to http://repo1.maven.org/maven2/org/keycloak/keycloak-server-dist/
Right now I can only see 1.7.0.CR1/

Thanks.

Regards,
Pavel Maslov, MS

On Tue, Dec 8, 2015 at 2:40 PM, Stian Thorgersen wrote:

> This release contains no changes since 1.7.0.CR1 as there were no major
> bugs reported. Thanks to everyone that did give CR1 a try and provided
> feedback.
>
> For new features in this release check out the blog post about the Keycloak
> 1.7.0.CR1 release.
>
> For the full list of issues resolved check out JIRA and
> to download the release go to the Keycloak homepage.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/64c54653/attachment.html

From pavel.masloff at gmail.com Tue Dec 8 08:55:11 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Tue, 8 Dec 2015 14:55:11 +0100
Subject: [keycloak-user] Keycloak 1.7.0.Final Released
In-Reply-To:
References:
Message-ID:

Hi Stian,

Where has the --silent parameter in the add-user.sh file gone?

    -s, --silent    Activate the silent mode (no output to the console)

Thanks.

Regards,
Pavel Maslov, MS

On Tue, Dec 8, 2015 at 2:40 PM, Stian Thorgersen wrote:

> This release contains no changes since 1.7.0.CR1 as there were no major
> bugs reported. Thanks to everyone that did give CR1 a try and provided
> feedback.
>
> For new features in this release check out the blog post about the Keycloak
> 1.7.0.CR1 release.
>
> For the full list of issues resolved check out JIRA and
> to download the release go to the Keycloak homepage.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/4876d661/attachment-0001.html

From giovanni.baruzzi at syntlogo.de Tue Dec 8 09:29:30 2015
From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi)
Date: Tue, 8 Dec 2015 15:29:30 +0100
Subject: [keycloak-user] info about brute force detection
Message-ID:

The question of Mara was perfectly legitimate and the answers are not really acceptable.

I have the opinion that the number of failures needs to be persisted and the designer should not make assumptions about the times and periods for server restarts.

Secondly, where should such brute force detection be implemented if not in Keycloak?

In effect it is implemented, but the implementation can be made better.

FYI, we implemented it using the functionalities of the LDAP server.

Regards,

Giovanni

>>In addition, it is pretty much possible to configure fail2ban to read the
>>log files and store it into the database for example
>>(http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>>
>>I can be wrong, but I don't think Keycloak should have something like this.
>>
On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert wrote:
> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
> > Dear all,
> > I have enabled brute force detection on my keycloak application server.
> > I used keycloak 1.5.0 Final version.
> > After several trials I saw that the number of failures of the users are
> > saved in session, so if the server will be restarted the counter starts from
> > 0 again.
> > Why you don't save it into db?
> I didn't design this, but I think it's because brute force detection is
> designed to thwart guessing of credentials over a relatively short time
> period. In production you don't restart the server very often.
> >
> > Mara
> >
> > _______
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/da32ccb5/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5133 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/da32ccb5/attachment.bin

From bbazian at mbopartners.com Tue Dec 8 09:42:38 2015
From: bbazian at mbopartners.com (Ben Bazian)
Date: Tue, 8 Dec 2015 14:42:38 +0000
Subject: [keycloak-user] Salesforce SSO
Message-ID: <860E8DAFFC76794694CFF405F8A1E71F02792BA6@416429-EXCH1.mbopartners.com>

Sorry for the double post but figured I would try one more time. Has anyone successfully setup Keycloak as an IDP into Salesforce? I have it working with OpenID but the way Salesforce implements it is not acceptable. Would like to use SAML instead. I am seeing nothing via a web search on this. Any and all help appreciated.

__________________________
BEN BAZIAN
Director, Information Systems
MBO Partners
t: 703.793.6010
f: 703.793.6079
e: bbazian at mbopartners.com
w: mbopartners.com

Notice: This email and any files transmitted with it are confidential. They are intended solely for the use of the individual addressed. If you have received this email in error please notify postmaster at mbopartners.com and permanently delete the e-mail and files.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/4ff60789/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5334 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/4ff60789/attachment-0001.png

From pavel.masloff at gmail.com Tue Dec 8 09:46:09 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Tue, 8 Dec 2015 15:46:09 +0100
Subject: [keycloak-user] Keycloak 1.7.0.Final Released
In-Reply-To:
References:
Message-ID:

Ok. I've figured it out.

Before I was using it like this:

    $ ./add-user admin admin --silent

Now you can simply do this:

    $ ./add-user -u admin -p admin

Regards,
Pavel Maslov, MS

On Tue, Dec 8, 2015 at 2:55 PM, Pavel Maslov wrote:

> Hi Stian,
>
> Where has the --silent parameter in the add-user.sh file gone?
>
>     -s, --silent    Activate the silent mode (no output to the console)
>
> Thanks.
>
> Regards,
> Pavel Maslov, MS
>
> On Tue, Dec 8, 2015 at 2:40 PM, Stian Thorgersen wrote:
>
>> This release contains no changes since 1.7.0.CR1 as there were no major
>> bugs reported. Thanks to everyone that did give CR1 a try and provided
>> feedback.
>>
>> For new features in this release check out the blog post about the Keycloak
>> 1.7.0.CR1 release.
>>
>> For the full list of issues resolved check out JIRA and
>> to download the release go to the Keycloak homepage.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/330e21b1/attachment.html

From sthorger at redhat.com Tue Dec 8 10:07:16 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 8 Dec 2015 16:07:16 +0100
Subject: [keycloak-user] Keycloak 1.7.0.Final Released
In-Reply-To:
References:
Message-ID:

add-user.sh now adds users for Keycloak.
If you need to add users to the WildFly console you should run "add-user.sh --container [OPTIONS]"

On 8 December 2015 at 14:55, Pavel Maslov wrote:

> Hi Stian,
>
> Where has the --silent parameter in the add-user.sh file gone?
>
>     -s, --silent    Activate the silent mode (no output to the console)
>
> Thanks.
>
> Regards,
> Pavel Maslov, MS
>
> On Tue, Dec 8, 2015 at 2:40 PM, Stian Thorgersen wrote:
>
>> This release contains no changes since 1.7.0.CR1 as there were no major
>> bugs reported. Thanks to everyone that did give CR1 a try and provided
>> feedback.
>>
>> For new features in this release check out the blog post about the Keycloak
>> 1.7.0.CR1 release.
>>
>> For the full list of issues resolved check out JIRA and
>> to download the release go to the Keycloak homepage.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151208/a629fbb0/attachment.html

From sthorger at redhat.com Tue Dec 8 10:15:50 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 8 Dec 2015 16:15:50 +0100
Subject: [keycloak-user] info about brute force detection
In-Reply-To:
References:
Message-ID:

There's no assumption here that the server won't be restarted in production. However, when this was designed we decided it was good enough to store failed login attempts in memory. Reasoning behind that is we try to prevent changing users if possible. It's also good enough in our eyes as server restarts will be uncommon in production and it would be very unlikely that the server is restarted frequently enough for a brute force attack to succeed.

However, if this really isn't good enough for you then feel free to create a feature request asking for an option to be able to persist failed log-in attempts.
We don't have resources to implement it at the moment though, so it would have to be a community contribution if you want it soon.

On 8 December 2015 at 15:29, Giovanni Baruzzi wrote:

> The question of Mara was perfectly legitimate and the answers are not really acceptable.
>
> I have the opinion that the number of failures needs to be persisted and the designer should not make assumptions about the times and periods for server restarts.
>
> Secondly, where should such a brute detection be implemented if not in Keycloak?
>
> In effect it is implemented, but the implementation can be made better.
>
> FYI we implemented it using the functionalities of the LDAP server.
>
> Regards,
>
> Giovanni
>
>>> In addition, it is pretty much possible to configure fail2ban to read the
>>> log files and store it into the database for example
>>> (http://www.fail2ban.org/wiki/index.php/Commands#DATABASE).
>>>
>>> I can be wrong, but I don't think Keycloak should have something like this.
>>>
> On Fri, Dec 4, 2015 at 5:26 PM, Stan Silvert wrote:
>
>> On 12/4/2015 12:15 PM, Notarnicola, Mara wrote:
>>> Dear all,
>>> I have enabled brute force detection on my keycloak application server.
>>> I used keycloak 1.5.0 Final version.
>>> After several trials I saw that the number of failures of the users are
>>> saved in session, so if the server will be restarted the counter starts from
>>> 0 again.
>>> Why don't you save it into db?
>>
>> I didn't design this, but I think it's because brute force detection is
>> designed to thwart guessing of credentials over a relatively short time
>> period. In production you don't restart the server very often.
>>
>>> Mara
From sthorger at redhat.com Tue Dec 8 10:17:06 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 8 Dec 2015 16:17:06 +0100
Subject: [keycloak-user] info about brute force detection

You can also increase the number of owners for the cache, which will mean that login failures will survive a single node restart.

From pblair at clearme.com Tue Dec 8 10:36:10 2015
From: pblair at clearme.com (Paul Blair)
Date: Tue, 8 Dec 2015 15:36:10 +0000
Subject: [keycloak-user] Another question about brute-force detection

Currently, all of our clients will be logging in with service accounts using signed JWT as described here: http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html

Does brute-force detection accomplish anything under this scenario?
From ton at finalist.nl Tue Dec 8 10:48:06 2015
From: ton at finalist.nl (Ton Swieb)
Date: Tue, 8 Dec 2015 16:48:06 +0100
Subject: [keycloak-user] Keycloak OAuth2 bearer token without using direct access grant

Hi,

How can I obtain a bearer token from keycloak without using the direct access grant (http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html)?

I have configured a SAML Identity Broker in Keycloak which handles the login for my realm. As a result I do not have a username/password combination to POST to:

    /{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token

How would I obtain a bearer token in this situation?

Kind regards,

Ton

From mposolda at redhat.com Tue Dec 8 11:11:06 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 8 Dec 2015 17:11:06 +0100
Subject: [keycloak-user] Salesforce SSO
In-Reply-To: <860E8DAFFC76794694CFF405F8A1E71F02792BA6@416429-EXCH1.mbopartners.com>
Message-ID: <5667011A.6070009@redhat.com>

A few years ago, I did a setup of Picketlink as IDP and Salesforce as SP. Some docs are here: https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP . I didn't yet try with Keycloak and I guess the docs may be outdated. But hopefully you can use it as a starting point, at least for the setup on the Salesforce side.

AFAIR Salesforce signs all the messages including SAML requests. So for the setup on the Keycloak side, you may need to enable the flag "Client Signature Required" for the SAML client in the admin console and then go to the tab "SAML Keys" and import the certificate from Salesforce. But not sure at 100%...
Good luck,
Marek

On 08/12/15 15:42, Ben Bazian wrote:
>
> Sorry for the double post but figured I would try one more time. Has
> anyone successfully set up Keycloak as an IDP into Salesforce? I have
> it working with OpenID but the way Salesforce implements it is not
> acceptable. Would like to use SAML instead. I am seeing nothing via
> a web search on this.
>
> Any and all help appreciated.
>
> BEN BAZIAN
> Director, Information Systems
> MBO Partners
> t: 703.793.6010
> f: 703.793.6079
> e: bbazian at mbopartners.com
> w: mbopartners.com

From mposolda at redhat.com Tue Dec 8 11:15:43 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 8 Dec 2015 17:15:43 +0100
Subject: [keycloak-user] Keycloak OAuth2 bearer token without using direct access grant
Message-ID: <5667022F.4020308@redhat.com>

After the OIDC authentication finishes, Keycloak will redirect to your application with the "code" parameter. Keycloak will always do this; it doesn't matter if you authenticated through the SAML identity broker or the username/password form or any other method. Then you theoretically need to exchange the code for an access token in a backchannel request; however, as long as you use our adapters, you don't need to care about it, as the adapter will do it for you.

We have examples (using adapters) where you can also see how the bearer access token is retrieved and then used for additional REST calls to REST endpoints secured by bearer token. See the demo example and the "customer-portal" and "product-portal" applications.

Marek

From ton at finalist.nl Tue Dec 8 11:55:19 2015
From: ton at finalist.nl (Ton Swieb)
Date: Tue, 8 Dec 2015 17:55:19 +0100
Subject: [keycloak-user] Keycloak OAuth2 bearer token without using direct access grant
In-Reply-To: <5667022F.4020308@redhat.com>

Hi Marek,

Thank you for your answer. I understand that I should use an adapter, but it is unclear to me how that will work in my situation. I will try to clarify.
I am using JBoss Apiman which uses JBoss Keycloak to manage its realm. Both JBoss Apiman and JBoss Keycloak run on the same Wildfly application server. Apiman runs on Wildfly so my assumption is that an adapter is already used to secure the Apiman GUI and to do the back channelling. But next to the Apiman GUI there is an Apiman gateway which uses a Keycloak OAuth plugin to enforce a security policy on managed API calls. The gateway itself is not secured by OAuth and is not known as a client in a Keycloak realm. But the Keycloak OAuth plugin does expect a bearer token. I am unsure where I could apply an adapter to accomplish this and which adapter it should be.

My setup is similar to the one discussed here: http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html with the difference that I use a third party login. So I cannot use direct access grants.

Regards,

Ton

From lars.noldan at drillinginfo.com Tue Dec 8 14:49:21 2015
From: lars.noldan at drillinginfo.com (Lars Noldan)
Date: Tue, 8 Dec 2015 13:49:21 -0600
Subject: [keycloak-user] KeyCloak users

Hello All,

We are currently using another authz/authn solution in front of our applications that I don't think is as flexible or as scalable as Keycloak. On technical merit alone I can likely make a case to shift our SSO solution over; however, I was asked "What companies are using Keycloak in the wild?", which is a fair question considering the solution we are currently using is supported by a very large vendor.

I would like to ask if any of you, the users, would be willing to drop me a note saying "We Use Keycloak at $Company." I don't need to know which applications, URLs, or anything specific about your usage. Please feel free to e-mail me directly if you aren't comfortable responding to the whole list.

Thank you for your time.

--
Lars Noldan
lars.noldan at drillinginfo.com
Application Support Manager
Drillinginfo, inc.
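Marek's answer above in the "Keycloak OAuth2 bearer token without using direct access grant" thread describes the step the adapter performs for you: read the "code" from the redirect back to the application, exchange it at the realm's token endpoint in a backchannel request, and use the returned access token as a Bearer token. The following is an added example, not code from the thread or from Keycloak, that walks through that exchange in Python; the server URL, realm, client id, client secret, redirect URI and the token endpoint's reply are constructed values, and the HTTP transport is injected so the exchange runs offline against a stand-in token endpoint.

```python
"""Authorization-code exchange against the Keycloak token endpoint (added example).

Models the step described in the thread: the browser returns to the application
with ?code=...&state=..., the application's backchannel exchanges the code for an
access token, and that token is then sent as "Authorization: Bearer ...".
"""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

KEYCLOAK_ROOT = "http://localhost:8080/auth"  # assumed server base URL
REALM = "demo"                                 # assumed realm name


def token_endpoint(keycloak_root, realm):
    # Path as given in the thread: /{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token
    return f"{keycloak_root}/realms/{realm}/protocol/openid-connect/token"


def parse_callback(redirect_url, expected_state):
    """Extract the code from the redirect; reject a callback whose state is not ours.

    The state check ties the callback to the authorization request this
    application started, which blocks login CSRF and code injection.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to our authorization request")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri,
                        keycloak_root=KEYCLOAK_ROOT, realm=REALM):
    """Form body for grant_type=authorization_code, sent server-to-server (never via the browser)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,   # confidential client: the adapter's "credential"
        "redirect_uri": redirect_uri,     # must equal the one used in the authorization request
    }
    return token_endpoint(keycloak_root, realm), urlencode(body)


def default_post(url, body):
    """Real transport: POST the form body to a live Keycloak server."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def exchange_code(redirect_url, expected_state, client_id, client_secret,
                  redirect_uri, post=default_post):
    """Full backchannel step: validate the callback, exchange the code, return the access token."""
    code = parse_callback(redirect_url, expected_state)
    url, body = build_token_request(code, client_id, client_secret, redirect_uri)
    status, text = post(url, body)
    payload = json.loads(text)
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(f"token endpoint error: {payload.get('error', status)}")
    return payload["access_token"]


def bearer_header(access_token):
    """Header a bearer-protected endpoint (e.g. the gateway's OAuth plugin) expects."""
    return {"Authorization": f"Bearer {access_token}"}


# --- constructed offline walk-through; no network access ---
def fake_post(url, body):
    """Stand-in token endpoint: accepts exactly one constructed code and secret."""
    fields = parse_qs(body)
    ok = (url.endswith("/realms/demo/protocol/openid-connect/token")
          and fields.get("grant_type") == ["authorization_code"]
          and fields.get("code") == ["constructed-code-123"]
          and fields.get("client_secret") == ["constructed-secret"])
    if ok:
        return 200, json.dumps({"access_token": "constructed.jwt.token",
                                "token_type": "bearer", "expires_in": 300})
    return 400, json.dumps({"error": "invalid_grant"})


def demo():
    # In a real application the state is secrets.token_urlsafe(), stored in the
    # session before redirecting the browser to Keycloak; here it is constructed.
    state = "abc123"
    callback = "https://app.example/callback?state=abc123&code=constructed-code-123"
    token = exchange_code(callback, state, "gateway-client", "constructed-secret",
                          "https://app.example/callback", post=fake_post)
    return bearer_header(token)


if __name__ == "__main__":
    print(demo())
```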
From pblair at clearme.com Tue Dec 8 21:20:09 2015
From: pblair at clearme.com (Paul Blair)
Date: Wed, 9 Dec 2015 02:20:09 +0000
Subject: [keycloak-user] Secured application configuration question

I'm setting up apiman with Keycloak and have a question that the folks on the apiman user list suggested I ask here.

In the Wildfly configuration for apiman, I see several entries like this (one for each war file):

    <secure-deployment name="apiman.war">
        <realm>apiman</realm>
        <resource>apiman</resource>
        <credential name="secret">password</credential>
    </secure-deployment>

I'm noticing that they fill in the word "password" here, but in their instructions they don't specify to replace it with a particular password. My guess is that this credential is used only for applications that request REST Direct Access Grants, and that since apiman doesn't do that, they can use a dummy password in this configuration.

Is it correct that this credential is used only for Direct Access Grants?

From Ken.Kong at invenco.com Tue Dec 8 22:55:53 2015
From: Ken.Kong at invenco.com (Ken Kong)
Date: Wed, 9 Dec 2015 16:55:53 +1300
Subject: [keycloak-user] realm admin user group for Keycloak 1.7.0 CR1

Hi,

Does the user group work with the Client Roles realm-management? I created a realm admin user group that has a role mapped to realm-admin in the realm-management Client Roles. Then I assigned a user to the group. When the user logged in to the realm, the user doesn't have access to the requested resource.

Steps (screenshots attached):

1. Create a realm admin user group, go to the Role Mapping tab, choose realm-management from the Client Roles drop down list and assign realm-admin
2. Create a user and assign it to the user group
3. User logs in to the realm but can't access the realm admin

Ken Kong
Senior Java Developer
Invenco Group Limited
O: +64 9 905 5661
Ken.Kong at invenco.com
www.invenco.com
From anunay.sinha at arvindinternet.com Wed Dec 9 05:47:05 2015
From: anunay.sinha at arvindinternet.com (Anunay Sinha)
Date: Wed, 9 Dec 2015 16:17:05 +0530
Subject: [keycloak-user] Guidelines for deployment of keycloak based applications for different environments

Hi

I need help to figure out how to manage my keycloak.json files between different environments, since I have a keycloak server deployed on my dev, qa and preprod, and am using Jenkins for CI.

Now what I don't know is how this keycloak.json gets loaded. If I knew that, I could have something like keycloak_dev.json, keycloak_qa.json and keycloak_preprod.json, picking up the correct config file as per my environment.

Is my understanding and approach correct? If so, can you help me with how I can get these respective JSONs loaded?

--
- Anunay

From dirk.franssen at gmail.com Wed Dec 9 06:08:24 2015
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Wed, 9 Dec 2015 12:08:24 +0100
Subject: [keycloak-user] realm admin user group for Keycloak 1.7.0 CR1

Hi,

it seems that the docker automated build for 'keycloak-adapter-wildfly' has been broken for about the last 3 months: https://hub.docker.com/r/jboss/keycloak-adapter-wildfly/builds/

Is it possible to fix this?

Thanks,
Dirk
From thomas.darimont at googlemail.com Wed Dec 9 06:15:42 2015
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 9 Dec 2015 12:15:42 +0100
Subject: [keycloak-user] Guidelines for deployment of keycloak based applications for different environments

Hello,

You could look up the appropriate keycloak.json file with a custom org.keycloak.adapters.KeycloakConfigResolver, c.f. based on a system property or env. variable. See PathBasedKeycloakConfigResolver.java in the multi-tenant example:

https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant

Cheers,
Thomas
From dirk.franssen at gmail.com Wed Dec 9 06:16:49 2015
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Wed, 9 Dec 2015 12:16:49 +0100
Subject: [keycloak-user] Guidelines for deployment of keycloak based applications for different environments

Hi Anunay,

perhaps you can have a look at the multi tenant example for inspiration and use an environment variable to set e.g. 'environment=prod'?

Kind regards,
Dirk
From pavel.masloff at gmail.com Wed Dec 9 06:18:03 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Wed, 9 Dec 2015 12:18:03 +0100
Subject: [keycloak-user] realm admin user group for Keycloak 1.7.0 CR1

Hi Dirk,

You can use this Docker image [1], which I prepared for Keycloak adapter 1.3.1 (run on Wildfly 8.2.0).

[1] https://gist.github.com/maslick/f8f9ee6f8c8fd3f2a0e1

Regards,
Pavel Maslov, MS

From juraci at kroehling.de Wed Dec 9 07:23:55 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 9 Dec 2015 13:23:55 +0100
Subject: [keycloak-user] Guidelines for deployment of keycloak based applications for different environments
Message-ID: <56681D5B.5080208@kroehling.de>

For which adapter is that? For the JavaScript adapter, we did a servlet that returns the appropriate keycloak.json file:

http://git.io/vRdJi

For the Wildfly adapter, we use a system property, which is determined at runtime:

http://git.io/vRdJx
http://git.io/vRdJH

- Juca.

From dirk.franssen at gmail.com Wed Dec 9 07:27:40 2015
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Wed, 9 Dec 2015 13:27:40 +0100
Subject: [keycloak-user] realm admin user group for Keycloak 1.7.0 CR1

Thanks for the link, but it is always good to keep up with the latest and the greatest :-). I created and fixed issue 38 with pull request https://github.com/jboss-dockerfiles/keycloak/pull/39

Hopefully it gets merged soon...

Regards,
Dirk
From juraci at kroehling.de Wed Dec 9 07:40:20 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 9 Dec 2015 13:40:20 +0100
Subject: [keycloak-user] Secured application configuration question
Message-ID: <56682134.3060503@kroehling.de>

I don't know about the specifics of apiman, but this secret is not used only for direct access grants, in general. All in all, I'm not a big fan of shipping with a default secret/password (or any security "token"). If that also makes you feel uncomfortable, you might want to try to change the "credential" for the "apiman" client on the "apiman" realm via the Keycloak admin console:

- login to the auth console (admin:admin are the default credentials)
- select the apiman realm on the top-left
- select "Clients" and then "apiman"
- select the second tab, "Credentials"
- "Regenerate secret"

This new secret should go into the standalone.xml, as the value for all "kc:credential[name=secret]" whose realm/resource are "apiman".

- Juca.

From DSzeto at investlab.com Wed Dec 9 08:56:42 2015
From: DSzeto at investlab.com (Doug Szeto)
Date: Wed, 9 Dec 2015 13:56:42 +0000
Subject: [keycloak-user] Theme Resources Urls
References: <565C663C.8060808@redhat.com>

We're looking to use Keycloak in an enterprise environment that reinforces tight web restrictions. There are network guys combing over every URL, dev ops guys doing other things with URLs, and software developers integrating Keycloak. Customized theming is a big selling point because business people can change up the look without worrying about most web attacks. But operations people dislike tying URLs to your release cycle, especially when there are hot fixes. Your Freemarker template is a little strange too because it rewrites resource links as absolute URLs, and makes it behave strangely behind reverse proxies.

I understand your reasons for defaults, but allowing another flag for prefixing custom theme web resources would integrate more easily with other environments.

--Doug

________________________________
From: Stian Thorgersen
Sent: Tuesday, December 1, 2015 20:27
To: Doug Szeto
Cc: Bill Burke; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Theme Resources Urls

Query param is an alternative practice. There's pros and cons with both approaches.

The idea of customized themes is so you can customize the themes. To change the look and feel, add a logo, add an extra field to the forms, etc.. Can you elaborate on exactly why you need to change the URL?
On 1 December 2015 at 13:21, Doug Szeto wrote:

If you want to bust the cache on a version update, a better practice is to stick the version id as a query parameter at the end of resources, see: https://css-tricks.com/strategies-for-cache-busting-css/

i.e. http://localhost:8080/auth/resources/themes/login/keycloak/css/login.css?v=1.6.1.final

I thought the point of customized themes was to allow developers better control over the web resources being served without modifying the security source code. But if we can't control the URL of our content, it limits our options on web optimization strategies. I guess overriding the Freemarker template is the only way to go.

--Doug

________________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke
Sent: Monday, November 30, 2015 23:07
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Theme Resources Urls

Browser caching is turned on for themed resources (admin console, login, etc.). This is obviously for performance reasons. In the past we received a HUGE amount of false bug reports of "Admin console doesn't work", "my theme changes aren't showing", etc. after upgrading Keycloak. All because people didn't clear their browser caches. Hence, the version id.

You should not be externally linking to themed endpoints. You can use a different URL to ping the server for "is alive", i.e. //realms/{realm-name}

On 11/30/2015 9:56 AM, Doug Szeto wrote:
> What do you mean by 'You can't customize the url format'?
>
> Is there a design decision reason why it is more secure to have your
> keycloak version exposed in the middle of your theme resource urls?
>
> Or would it be easier if you had a pull request?
>
> --Doug
>
> ------------------------------------------------------------------------
> From: Stian Thorgersen
> Sent: Monday, November 30, 2015 15:35
> To: Doug Szeto
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Theme Resources Urls
>
> You can't customize the url format. Not sure how it would help during
> upgrades? I'd say the opposite as you end up with cached versions for
> the old release not being updated.
>
> On 28 November 2015 at 03:54, Doug Szeto wrote:
>
>> Hi,
>> I have created a custom theme as specified in your docs here:
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html
>> It functions in the browser, in that these configs tell you where
>> the theme customization resources are stored locally, but the end
>> result is the resources are served from the url format pattern of:
>>
>> http://localhost:8080/auth/resources/1.6.1.final/login/keycloak/css/login.css
>>
>> Is there a way to customize the theme url format to scrub the
>> version number off the css/image/js resources? This will help out in
>> monitoring and upgrades.
>>
>> Thanks,
>> --Doug

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From bburke at redhat.com Wed Dec 9 10:34:56 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 9 Dec 2015 10:34:56 -0500
Subject: [keycloak-user] Guidelines for deployment of keycloak based applications for different environments
In-Reply-To: <56681D5B.5080208@kroehling.de>
References: <56681D5B.5080208@kroehling.de>
Message-ID: <56684A20.9090409@redhat.com>

If your applications/clients are Wildfly/JBoss servlet applications, you can use the client subsystem and not ever even crack open the WAR.

On 12/9/2015 7:23 AM, Juraci Paixão Kröhling wrote:
> For which adapter is that? For the JavaScript adapter, we did a servlet that returns the appropriate keycloak.json file:
>
> http://git.io/vRdJi
>
> For the Wildfly adapter, we use a system property, which is determined at runtime:
>
> http://git.io/vRdJx
> http://git.io/vRdJH
>
> - Juca.
>
> On 09.12.2015 11:47, Anunay Sinha wrote:
>> Hi
>> I need help to figure out how to manage my keycloak.json files between different environments. Since I have a keycloak server deployed on my dev, qa and preprod, and am using jenkins for CI.
>> Now what I don't know is how this keycloak.json gets loaded.
>> If I knew that, I could have something like keycloak_dev.json, keycloak_qa.json and keycloak_preprod.json, picking up the correct config file as per my environment.
>>
>> Is my understanding and approach correct? If so, can you help me with how I can get these respective JSONs loaded.
>>
>> --
>> - Anunay

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thomas.darimont at googlemail.com Wed Dec 9 10:43:47 2015
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 9 Dec 2015 16:43:47 +0100
Subject: [keycloak-user] Guidelines for deployment of keycloak based applications for different environments
In-Reply-To: <56684A20.9090409@redhat.com>
References: <56681D5B.5080208@kroehling.de> <56684A20.9090409@redhat.com>
Message-ID:

@Bill Burke, do you have an example for that?

2015-12-09 16:34 GMT+01:00 Bill Burke :
> If your applications/clients are Wildfly/JBoss servlet applications, you can use the client subsystem and not ever even crack open the WAR.
>
> On 12/9/2015 7:23 AM, Juraci Paixão Kröhling wrote:
>> For which adapter is that? For the JavaScript adapter, we did a servlet that returns the appropriate keycloak.json file:
>>
>> http://git.io/vRdJi
>>
>> For the Wildfly adapter, we use a system property, which is determined at runtime:
>>
>> http://git.io/vRdJx
>> http://git.io/vRdJH
>>
>> - Juca.
>>
>> On 09.12.2015 11:47, Anunay Sinha wrote:
>>> Hi
>>> I need help to figure out how to manage my keycloak.json files between different environments. Since I have a keycloak server deployed on my dev, qa and preprod, and am using jenkins for CI.
>>> Now what I don't know is how this keycloak.json gets loaded.
>>> If I knew that, I could have something like keycloak_dev.json, keycloak_qa.json and keycloak_preprod.json, picking up the correct config file as per my environment.
>>>
>>> Is my understanding and approach correct? If so, can you help me with how I can get these respective JSONs loaded.
>>>
>>> --
>>> - Anunay
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From gerbermichi at me.com Wed Dec 9 10:44:48 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Wed, 09 Dec 2015 16:44:48 +0100
Subject: [keycloak-user] Refresh token error
Message-ID:

Hi

A tester in our team had the following error:

2015-12-09 15:46:39,702 WARN [org.keycloak.events] (default task-94) type=REFRESH_TOKEN_ERROR, realmId=6b201710-e4df-4c80-9b03-852d97c63eb7, clientId=web, userId=1, ipAddress=172.25.104.2, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=153e0143-b0f1-4714-821a-9bb50fce301f, client_auth_method=client-secret
2015-12-09 15:46:39,702 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-92) Refresh token failure status: 400 {"error_description":"Session not active","error":"invalid_grant"}

I can't reproduce it, do you have any idea what the cause could be?
Michael

From ton at finalist.nl Wed Dec 9 10:47:39 2015
From: ton at finalist.nl (Ton Swieb)
Date: Wed, 9 Dec 2015 16:47:39 +0100
Subject: [keycloak-user] Keycloak OAuth2 bearer token without using direct access grant
In-Reply-To:
References: <5667022F.4020308@redhat.com>
Message-ID:

Hi Marek,

I got it working using the JS-Console example which uses the javascript adapter.
I extended the JS-Console example with a function that does something like:

    var client = new XMLHttpRequest();
    client.open("GET", url, true); // asynchronous; a synchronous XHR (third argument false) blocks the page and is deprecated
    client.setRequestHeader("Accept", "application/json");
    client.setRequestHeader("Authorization", "Bearer " + keycloak.token); // access token from the adapter, sent as an OAuth2 bearer token
    client.onload = function () { console.log(client.status, client.responseText); }; // a 401 here means the token was rejected
    client.send();

The keycloak.token is available after a call to keycloak.login()

Thanks for pointing me in that direction.

Regards,
Ton

2015-12-08 17:55 GMT+01:00 Ton Swieb :
> Hi Marek,
>
> Thank you for your answer. I understand that I should use an adapter, but it is unclear to me how that will work in my situation.
>
> I will try to clarify.
> I am using JBoss Apiman which uses JBoss Keycloak to manage its realm. Both JBoss Apiman and JBoss Keycloak run on the same Wildfly application server. Apiman runs on wildfly so my assumption is that an adapter is already used to secure the Apiman GUI and to do the back channelling.
>
> But next to the Apiman GUI there is an Apiman gateway which uses a Keycloak OAuth plugin to enforce a security policy on managed api calls. The gateway itself is not secured by OAuth and is not known as a client in a keycloak realm. But the Keycloak OAuth plugin does expect a bearer token.
>
> I am unsure where I could apply an adapter to accomplish this and which adapter it should be.
>
> My setup is similar to the one discussed here:
> http://www.apiman.io/blog/gateway/security/oauth2/keycloak/authentication/authorization/2015/06/09/keycloak-oauth2.html
> with the difference that I use a third party login. So I cannot use direct access grants.
>
> Regards,
>
> Ton
>
> 2015-12-08 17:15 GMT+01:00 Marek Posolda :
>> After the OIDC authentication finishes, Keycloak will redirect to your application with the "code" parameter. Keycloak will always do this, it doesn't matter if you authenticated through SAML identity broker or username/password form or any other method. Then you theoretically need to exchange the code for an access token in a backchannel request, however as long as you use our adapters, you don't need to care about it as the adapter will do it for you.
>>
>> We have examples (using adapters) where you can also see how the bearer access token is retrieved and then used for additional REST calls to REST endpoints secured by bearer token. See the demo example and the "customer-portal" and "product-portal" applications.
>>
>> Marek
>>
>> On 08/12/15 16:48, Ton Swieb wrote:
>>> Hi,
>>>
>>> How can I obtain a bearer token from keycloak without using the direct access grant (http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html).
>>>
>>> I have configured a SAML Identity Broker in Keycloak which handles the login for my realm. As a result I do not have a username/password combination to POST it to:
>>>
>>> /{keycloak-root}/realms/{realm-name}/protocol/openid-connect/token
>>>
>>> How would I obtain a bearer token in this situation?
>>>
>>> Kind regards,
>>>
>>> Ton
From bburke at redhat.com Wed Dec 9 10:47:47 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 9 Dec 2015 10:47:47 -0500
Subject: [keycloak-user] Theme Resources Urls
In-Reply-To:
References: <565C663C.8060808@redhat.com>
Message-ID: <56684D23.3060307@redhat.com>

On 12/9/2015 8:56 AM, Doug Szeto wrote:
> We're looking to use Keycloak in an enterprise environment that reinforces tight web restrictions. There are network guys combing over every url, and dev ops guys doing other things with urls, and software developers integrating Keycloak.
>
> Customized theming is a big selling point because business people can change up the look without worrying about most web attacks. But operations people dislike tying urls to your release cycle, especially when there are hot fixes.
>
> Your Freemarker template is a little strange too because it rewrites resource links as absolute urls, and makes it behave strangely behind reverse proxies.
>
> I understand your reasons for defaults, but allowing another flag for prefixing custom theme web resources would integrate more easily with other environments.
>

Other than possibly the absolute urls used by the Freemarker template, all this doesn't sound like a technical issue you are having, but rather possibly misguided opinions of your ops people. You are the only one that has complained.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From juraci at kroehling.de Wed Dec 9 10:49:47 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 9 Dec 2015 16:49:47 +0100
Subject: [keycloak-user] Guidelines for deployment of keycloak based applications for different environments
In-Reply-To:
References: <56681D5B.5080208@kroehling.de> <56684A20.9090409@redhat.com>
Message-ID: <56684D9B.50403@kroehling.de>

The third link from my previous email uses the subsystem:
http://git.io/vRdJH

- Juca.

On 09.12.2015 16:43, Thomas Darimont wrote:
> @Bill Burke, do you have an example for that?
>
> 2015-12-09 16:34 GMT+01:00 Bill Burke :
>> If your applications/clients are Wildfly/JBoss servlet applications, you can use the client subsystem and not ever even crack open the WAR.
>>
>> On 12/9/2015 7:23 AM, Juraci Paixão Kröhling wrote:
>>> For which adapter is that? For the JavaScript adapter, we did a servlet that returns the appropriate keycloak.json file:
>>>
>>> http://git.io/vRdJi
>>>
>>> For the Wildfly adapter, we use a system property, which is determined at runtime:
>>>
>>> http://git.io/vRdJx
>>> http://git.io/vRdJH
>>>
>>> - Juca.
>>>
>>> On 09.12.2015 11:47, Anunay Sinha wrote:
>>>> Hi
>>>> I need help to figure out how to manage my keycloak.json files between different environments. Since I have a keycloak server deployed on my dev, qa and preprod, and am using jenkins for CI.
>>>> Now what I don't know is how this keycloak.json gets loaded.
>>>> If I knew that, I could have something like keycloak_dev.json, keycloak_qa.json and keycloak_preprod.json, picking up the correct config file as per my environment.
>>>>
>>>> Is my understanding and approach correct? If so, can you help me with how I can get these respective JSONs loaded.
>>>>
>>>> --
>>>> - Anunay
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

From bburke at redhat.com Wed Dec 9 10:58:24 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 9 Dec 2015 10:58:24 -0500
Subject: [keycloak-user] Refresh token error
In-Reply-To:
References:
Message-ID: <56684FA0.40706@redhat.com>

The session timed out and was removed. See the error description.

On 12/9/2015 10:44 AM, Michael Gerber wrote:
> Hi
>
> A tester in our team had the following error:
>
> 2015-12-09 15:46:39,702 WARN [org.keycloak.events] (default task-94) type=REFRESH_TOKEN_ERROR, realmId=6b201710-e4df-4c80-9b03-852d97c63eb7, clientId=web, userId=1, ipAddress=172.25.104.2, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=153e0143-b0f1-4714-821a-9bb50fce301f, client_auth_method=client-secret
> 2015-12-09 15:46:39,702 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-92) Refresh token failure status: 400 {"error_description":"Session not active","error":"invalid_grant"}
>
> I can't reproduce it, do you have any idea what the cause could be?
> Michael

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ornot2008 at yahoo.com Thu Dec 10 04:30:06 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Thu, 10 Dec 2015 09:30:06 +0000 (UTC)
Subject: [keycloak-user] Is there any way to map thousands of id from IDP to several roles in brokering
References: <1493914661.189174.1449739806153.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1493914661.189174.1449739806153.JavaMail.yahoo@mail.yahoo.com>

Hi, there,

Let me try to describe the case first.

We are using SAML 2.0 ID broker to authenticate the users. From the returned assertions, we can only get the user's ID number. So far as we know, there will be thousands of users. In the ID provider system, there is no role concept, so it is not possible to return us the Role claim.

Now we want to assign roles to those users in keycloak. We made a rule. For example, if the ID number is less than 100, we assign Role A to this user. If the ID number is between 101 and 1000, we assign Role B to it, and so on.

Of course we can do this manually one by one in the admin console, but for thousands of users, it doesn't make much sense.

We notice there is a Mapper button when configuring the ID provider; is there any way to achieve our goal with that mechanism?

Thanks a lot.

Mai
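Mai's rule above (the numeric ID carried in the SAML assertion decides which realm role the user gets) can be expressed as a custom broker mapper, which is the route the replies in this thread point to. The class below is an added example written for this page, not code from Keycloak or from Mai's deployment. It assumes the IdP sends the numeric ID as the NameID, so that it arrives as BrokeredIdentityContext.getId(); the provider id "saml-id-range-role-mapper", the config key "ranges" and its "1-100:roleA,101-1000:roleB" syntax (both bounds inclusive) are this example's own choices; and the SPI methods follow the 1.7-era org.keycloak.broker.provider.IdentityProviderMapper interface as I know it, so compile it against the Keycloak version you actually run.

```java
package example.keycloak.broker; // hypothetical package for this example

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.saml.SAMLIdentityProviderFactory;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Broker mapper that grants one realm role chosen by the numeric range the
 * brokered user's ID falls into. Configured with a single string such as
 * "1-100:roleA,101-1000:roleB" (both bounds inclusive).
 */
public class IdRangeRoleMapper extends AbstractIdentityProviderMapper {

    public static final String PROVIDER_ID = "saml-id-range-role-mapper"; // assumed; any unique id works
    public static final String RANGES = "ranges";                          // config key, this example's choice

    private static final String[] COMPATIBLE = { SAMLIdentityProviderFactory.PROVIDER_ID };
    private static final List<ProviderConfigProperty> CONFIG;

    static {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(RANGES);
        p.setLabel("ID ranges");
        p.setHelpText("Comma separated <low>-<high>:<role> entries, e.g. 1-100:roleA,101-1000:roleB");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        CONFIG = Collections.singletonList(p);
    }

    /** One configured range and the realm role it maps to. */
    static final class Range {
        final long low, high;
        final String role;
        Range(long low, long high, String role) { this.low = low; this.high = high; this.role = role; }
        boolean contains(long id) { return id >= low && id <= high; }
    }

    /** Parses the config string; a malformed entry fails loudly instead of silently granting nothing. */
    static List<Range> parse(String spec) {
        List<Range> out = new ArrayList<Range>();
        if (spec == null) return out;
        for (String entry : spec.split(",")) {
            entry = entry.trim();
            if (entry.isEmpty()) continue;
            int dash = entry.indexOf('-'), colon = entry.lastIndexOf(':');
            if (dash < 1 || colon < dash) throw new IllegalArgumentException("bad range entry: " + entry);
            long low = Long.parseLong(entry.substring(0, dash).trim());
            long high = Long.parseLong(entry.substring(dash + 1, colon).trim());
            String role = entry.substring(colon + 1).trim();
            if (low > high || role.isEmpty()) throw new IllegalArgumentException("bad range entry: " + entry);
            out.add(new Range(low, high, role));
        }
        return out;
    }

    /** Role name for a raw ID, or null if the ID is not numeric or matches no range. */
    static String roleFor(List<Range> ranges, String rawId) {
        if (rawId == null) return null;
        long id;
        try { id = Long.parseLong(rawId.trim()); } catch (NumberFormatException e) { return null; }
        for (Range r : ranges) if (r.contains(id)) return r.role;
        return null;
    }

    @Override public String[] getCompatibleProviders() { return COMPATIBLE; }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "ID Range to Role"; }
    @Override public String getHelpText() { return "Grants the realm role whose configured ID range contains the user's ID."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG; }
    @Override public String getId() { return PROVIDER_ID; }

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        sync(realm, user, mapperModel, context);
    }

    /** Re-applied on every brokered login, so moving an ID to another range changes the role at the next login. */
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        sync(realm, user, mapperModel, context);
    }

    private void sync(RealmModel realm, UserModel user, IdentityProviderMapperModel mapperModel,
                      BrokeredIdentityContext context) {
        List<Range> ranges = parse(mapperModel.getConfig().get(RANGES));
        String wanted = roleFor(ranges, context.getId()); // assumption: the IdP sends the numeric ID as NameID
        for (Range r : ranges) {
            RoleModel role = KeycloakModelUtils.getRoleFromString(realm, r.role);
            if (role == null) continue; // role not defined in this realm: skip it rather than break the login
            if (r.role.equals(wanted)) user.grantRole(role);
            else user.deleteRoleMapping(role); // only roles named in the config are ever revoked
        }
    }
}
```

Register the class in META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper (one line with the fully qualified class name), deploy it as a provider, then add the mapper to the SAML identity provider in the admin console and fill in the ranges. The roles must already exist in the realm. Because updateBrokeredUser revokes any configured role that no longer matches, the mapper owns those roles: a role from the list that an admin granted by hand is removed again at the user's next brokered login.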
From mposolda at redhat.com Thu Dec 10 06:58:03 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 10 Dec 2015 12:58:03 +0100
Subject: [keycloak-user] Is there any way to map thousands of id from IDP to several roles in brokering
In-Reply-To: <1493914661.189174.1449739806153.JavaMail.yahoo@mail.yahoo.com>
References: <1493914661.189174.1449739806153.JavaMail.yahoo.ref@mail.yahoo.com> <1493914661.189174.1449739806153.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <566968CB.1030006@redhat.com>

You may need to write a custom IdentityProviderMapper. See the docs for how to implement a custom SPI:
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html

Also you can take a look at our provider examples.

Marek

On 10/12/15 10:30, Mai Zi wrote:
> Hi, there,
>
> Let me try to describe the case first.
>
> We are using SAML 2.0 ID broker to authenticate the users. From the returned assertions, we can only get the user's ID number. So far as we know, there will be thousands of users. In the ID provider system, there is no role concept, so it is not possible to return us the Role claim.
>
> Now we want to assign roles to those users in keycloak. We made a rule. For example, if the ID number is less than 100, we assign Role A to this user. If the ID number is between 101 and 1000, we assign Role B to it, and so on.
>
> Of course we can do this manually one by one in the admin console, but for thousands of users, it doesn't make much sense.
>
> We notice there is a Mapper button when configuring the ID provider; is there any way to achieve our goal with that mechanism?
>
> Thanks a lot.
>
> Mai

From juraj.janosik77 at gmail.com Thu Dec 10 08:24:12 2015
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Thu, 10 Dec 2015 14:24:12 +0100
Subject: [keycloak-user] Clarify "Create a new client" via Admin REST API
In-Reply-To:
References:
Message-ID:

Hi all,

please, could somebody clarify the issue (see bottom of the mail) discovered in version 1.6.1.Final? The same behavior is detected in version 1.7.0.Final.

This behavior differs from Create a New User, where the JSON body parameter "id" is skipped.

Thanks a lot.

Best regards,
Juraj

2015-11-12 10:32 GMT+01:00 Juraj Janosik :
> Hi,
> I want to clarify the "Create a new client" via REST API, especially for the body parameter "id" from "ClientRepresentation".
> If I set the parameter "id" in the request body (see example below), the value is set to the client. No new id value is generated for the client, which is the typical behavior of "Create a new role for the realm or client" and "Create a new user".
> Is this a correct behavior?
>
> Tested data example:
> "Create Client":
>     "method":"POST","url":":/auth/admin/realms//clients"
>     "body":
>     "{
>         "id":"3",
>         "clientId":"testclient-3",
>         "name": "testclient-3",
>         "description": "TESTCLIENT-3",
>         "enabled": true,
>         "redirectUris":[ "\\" ],
>         "publicClient": true
>     }"
>     "headers":
>     [["Content-Type","application/json"],
>      ["Authorization","Bearer ]]
>
> Output for GET clients looks like:
>     {
>         "id": "3",
>         "clientId": "testclient-3",
>         "name": "testclient-3",
>         "description": "TESTCLIENT-3",
>         "surrogateAuthRequired": false,
>         "enabled": true,
>         "clientAuthenticatorType": "client-secret",
>         "redirectUris": [ "\" ],
>         "webOrigins": [ ],
>         "notBefore": 0,
>         "bearerOnly": false,
>         "consentRequired": false,
>         "serviceAccountsEnabled": false,
>         "directGrantsOnly": false,
>         "publicClient": true,
>         "frontchannelLogout": false,
>         "attributes": { },
>         ...
>
> Thanks a lot.
>
> Best Regards,
> Juraj

From bbazian at mbopartners.com Thu Dec 10 08:35:34 2015
From: bbazian at mbopartners.com (Ben Bazian)
Date: Thu, 10 Dec 2015 13:35:34 +0000
Subject: [keycloak-user] SAML Metadata export
Message-ID: <860E8DAFFC76794694CFF405F8A1E71F027ABD2C@416429-EXCH1.mbopartners.com>

How can I export the metadata for a SAML client in XML format? I do not see the installation tab on SAML, only OpenID.

From bburke at redhat.com Thu Dec 10 09:08:13 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 10 Dec 2015 09:08:13 -0500
Subject: [keycloak-user] SAML Metadata export
In-Reply-To: <860E8DAFFC76794694CFF405F8A1E71F027ABD2C@416429-EXCH1.mbopartners.com>
References: <860E8DAFFC76794694CFF405F8A1E71F027ABD2C@416429-EXCH1.mbopartners.com>
Message-ID: <5669874D.5060309@redhat.com>

Got a jira for that for 1.8

On 12/10/2015 8:35 AM, Ben Bazian wrote:
> How can I export the metadata for a SAML client in XML format? I do not see the installation tab on SAML, only OpenID.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Thu Dec 10 09:13:01 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 10 Dec 2015 09:13:01 -0500
Subject: [keycloak-user] Is there any way to map thousands of id from IDP to several roles in brokering
In-Reply-To: <1493914661.189174.1449739806153.JavaMail.yahoo@mail.yahoo.com>
References: <1493914661.189174.1449739806153.JavaMail.yahoo.ref@mail.yahoo.com> <1493914661.189174.1449739806153.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5669886D.90604@redhat.com>

So, you are using brokering, correct? This is completely undocumented, but you can write your own broker mapper that is invoked when the user is imported. Here are some examples:

https://github.com/keycloak/keycloak/tree/master/broker/saml/src/main/java/org/keycloak/broker/saml/mappers
https://github.com/keycloak/keycloak/blob/master/broker/saml/src/main/resources/META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper

On 12/10/2015 4:30 AM, Mai Zi wrote:
> Hi, there,
>
> Let me try to describe the case first.
>
> We are using SAML 2.0 ID broker to authenticate the users. From the returned assertions, we can only get the user's ID number. So far as we know, there will be thousands of users. In the ID provider system, there is no role concept, so it is not possible to return us the Role claim.
>
> Now we want to assign roles to those users in keycloak. We made a rule. For example, if the ID number is less than 100, we assign Role A to this user. If the ID number is between 101 and 1000, we assign Role B to it, and so on.
>
> Of course we can do this manually one by one in the admin console, but for thousands of users, it doesn't make much sense.
>
> We notice there is a Mapper button when configuring the ID provider; is there any way to achieve our goal with that mechanism?
>
> Thanks a lot.
>
> Mai

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Thu Dec 10 10:30:06 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 10 Dec 2015 16:30:06 +0100
Subject: [keycloak-user] Clarify "Create a new client" via Admin REST API
In-Reply-To:
References:
Message-ID: <56699A7E.8020106@redhat.com>

I think it should be the same consistent behaviour in all places. Probably we should change it to what is used for clients (id is allowed) and improve realms and users to allow it too. Feel free to create a JIRA for this.

Marek

On 10/12/15 14:24, Juraj Janosik wrote:
> Hi all,
>
> please, could somebody clarify the issue (see bottom of the mail) discovered in version 1.6.1.Final? The same behavior is detected in version 1.7.0.Final.
>
> This behavior differs from Create a New User, where the JSON body parameter "id" is skipped.
>
> Thanks a lot.
>
> Best regards,
> Juraj
>
> 2015-11-12 10:32 GMT+01:00 Juraj Janosik :
>> Hi,
>> I want to clarify the "Create a new client" via REST API, especially for the body parameter "id" from "ClientRepresentation".
>> If I set the parameter "id" in the request body (see example below), the value is set to the client. No new id value is generated for the client, which is the typical behavior of "Create a new role for the realm or client" and "Create a new user".
>> Is this a correct behavior?
>>
>> Tested data example:
>> "Create Client":
>>     "method":"POST","url":":/auth/admin/realms//clients"
>>     "body":
>>     "{
>>         "id":"3",
>>         "clientId":"testclient-3",
>>         "name": "testclient-3",
>>         "description": "TESTCLIENT-3",
>>         "enabled": true,
>>         "redirectUris":[ "\\" ],
>>         "publicClient": true
>>     }"
>>     "headers":
>>     [["Content-Type","application/json"],
>>      ["Authorization","Bearer ]]
>>
>> Output for GET clients looks like:
>>     {
>>         "id": "3",
>>         "clientId": "testclient-3",
>>         "name": "testclient-3",
>>         "description": "TESTCLIENT-3",
>>         "surrogateAuthRequired": false,
>>         "enabled": true,
>>         "clientAuthenticatorType": "client-secret",
>>         "redirectUris": [ "\" ],
>>         "webOrigins": [ ],
>>         "notBefore": 0,
>>         "bearerOnly": false,
>>         "consentRequired": false,
>>         "serviceAccountsEnabled": false,
>>         "directGrantsOnly": false,
>>         "publicClient": true,
>>         "frontchannelLogout": false,
>>         "attributes": { },
>>         ...
>>
>> Thanks a lot.
>>
>> Best Regards,
>> Juraj

From gerbermichi at me.com Thu Dec 10 10:41:41 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Thu, 10 Dec 2015 15:41:41 +0000 (GMT)
Subject: [keycloak-user] Keep error message by language change
Message-ID: <899968c6-071c-4112-a2e2-865c93425bb8@me.com>

Hi all

The error message gets lost if a user changes the language. Is it possible to keep it?

Michael

From bburke at redhat.com Thu Dec 10 10:54:09 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 10 Dec 2015 10:54:09 -0500
Subject: [keycloak-user] Keep error message by language change
In-Reply-To: <899968c6-071c-4112-a2e2-865c93425bb8@me.com>
References: <899968c6-071c-4112-a2e2-865c93425bb8@me.com>
Message-ID: <5669A021.2060903@redhat.com>

Why would somebody change the language in the middle of an interaction? Keycloak usually cleans up if it is a "dead end" error. This means all the information is gone.

On 12/10/2015 10:41 AM, Michael Gerber wrote:
> Hi all
>
> The error message gets lost if a user changes the language. Is it possible to keep it?
>
> Michael

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bmcwhirt at redhat.com Thu Dec 10 15:22:12 2015
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Thu, 10 Dec 2015 15:22:12 -0500
Subject: [keycloak-user] Keycloak Server -swarm.jar
Message-ID:

For those of you not familiar with WildFly Swarm, it's a project that intends to support microservices by taking your application components, along with just-enough WildFly, and bundling them all into a standalone uberjar.
Keycloak counts as "part of WildFly" since it's implemented mostly as a WildFly subsystem. Therefore, WildFly Swarm now supports adding Keycloak Server to your microservice (we've supported the client-adapter for a while now, already).

To that end, we are also producing a handy, all-in-one uberjar for Keycloak Server.

http://repository-projectodd.forge.cloudbees.com/snapshot/org/wildfly/swarm/keycloak-server-service/1.0.0.Alpha6-SNAPSHOT/keycloak-server-service-1.0.0.Alpha6-20151210.185045-1-swarm.jar

Just download that .jar, `java -jar` it and visit http://localhost:8080/auth/

It still uses the H2 database, and by default creates or uses a database located at $PWD/keycloak.db, but you can also use the -Dwildfly.swarm.keycloak.server.db=/path/to/keycloakdatabase property to change that.

Please feel free to give it a test, and for more information about WildFly Swarm, we hang out in #wildfly-swarm on FreeNode IRC.

Thanks!

-Bob

From marc.boorshtein at tremolosecurity.com Thu Dec 10 15:33:36 2015
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Thu, 10 Dec 2015 15:33:36 -0500
Subject: [keycloak-user] Relationship of Groups to Roles?
Message-ID:

I'm trying to wrap my head around the use cases where each would be used. If I understand it correctly, a role is a unit of authorization. Roles can have entitlements, either defined by Keycloak or an application. A role can have other roles as members. It can also have groups and individual users. Groups aren't directly linked to entitlements, but are instead used to simply create a way to create a set of users (and groups). Is this an accurate representation?

I ask because I want to build some integrations between OpenUnison and MyVirtualDirectory. Both work primarily on the LDAP concepts of users, groups and users.
Beyond SSO integration between OpenUnison and Keycloak, I'm looking at creating a provisioning target so OpenUnison workflows can provision access to Keycloak roles as well as an insert for MyVirtualDirectory that can represent Keycloak roles and users as LDAP Objects for legacy applications.

Thanks

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com

From bburke at redhat.com Thu Dec 10 15:50:06 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 10 Dec 2015 15:50:06 -0500
Subject: [keycloak-user] Relationship of Groups to Roles?
In-Reply-To:
References:
Message-ID: <5669E57E.7010507@redhat.com>

I'm sure people will confuse Groups and Roles. Groups in LDAP generally seem to be equivalent to Roles in Java EE. But that's not the case in keycloak.

Roles in Keycloak are similar to Java EE roles. Users are granted a role, and become members of a Group. Groups in Keycloak are a collection of users. Groups can have roles and attributes assigned to them that user members inherit.

Clients/Applications work with roles, not with groups. Applications assign privileges to roles, not users or groups. Keycloak currently does not have the concept of Permissions/Entitlements. Applications have to handle how privileges are assigned to a role themselves.

On 12/10/2015 3:33 PM, Marc Boorshtein wrote:
> I'm trying to wrap my head around the use cases where each would be used. If I understand it correctly, a role is a unit of authorization. Roles can have entitlements, either defined by Keycloak or an application. A role can have other roles as members. It can also have groups and individual users. Groups aren't directly linked to entitlements, but are instead used to simply create a way to create a set of users (and groups). Is this an accurate representation?
>
> I ask because I want to build some integrations between OpenUnison and MyVirtualDirectory. Both work primarily on the LDAP concepts of users, groups and users. Beyond SSO integration between OpenUnison and Keycloak, I'm looking at creating a provisioning target so OpenUnison workflows can provision access to Keycloak roles as well as an insert for MyVirtualDirectory that can represent Keycloak roles and users as LDAP Objects for legacy applications.
>
> Thanks
>
> Marc Boorshtein
> CTO Tremolo Security
> marc.boorshtein at tremolosecurity.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From marc.boorshtein at tremolosecurity.com Thu Dec 10 16:09:29 2015
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Thu, 10 Dec 2015 16:09:29 -0500
Subject: [keycloak-user] Relationship of Groups to Roles?
In-Reply-To: <5669E57E.7010507@redhat.com>
References: <5669E57E.7010507@redhat.com>
Message-ID:

> Roles in Keycloak are similar to Java EE roles. Users are granted a role, and become members of a Group. Groups in Keycloak are a collection of users. Groups can have roles and attributes assigned to them that user members inherit.

OK, so let me see if I'm conceptualizing this correctly. I've created a role called "MyRole". I have a group called "MyGroup" and a user named Matt Mosley (mmosley). I can grant mmosley the role MyRole directly or I can add mmosley to MyGroup and grant MyGroup MyRole? Additionally, if the group MyGroup has an attribute x with the value y then mmosley, once assigned to MyGroup, would inherit the group attribute x=y?

> Clients/Applications work with roles, not with groups. Applications assign privileges to roles, not users or groups. Keycloak currently does not have the concept of Permissions/Entitlements. Applications have to handle how privileges are assigned to a role themselves.

I think we're saying the same thing here. Roles are the integration point with KeyCloak (not groups) and it's the application that gives a role meaning. So if I were to create a directory structure for an LDAP tree it would probably look something like:

    ou=keycloack
      - ou=users
        - uid=mmosley
      - ou=groups
        - cn=MyGroup
      - ou=roles
        - cn=myrole
        - ou=app1
          - cn=anAppSpecificRole

OpenUnison doesn't have the concept of "roles" vs "groups". So I would probably have all roles start with a "role." and groups start with a "group." so I can differentiate between them.

Am I on the right track? I've got Keycloak up and running so I'll play around with the APIs too but didn't want to do that in a vacuum.

Thanks

> On 12/10/2015 3:33 PM, Marc Boorshtein wrote:
>> I'm trying to wrap my head around the use cases where each would be used. If I understand it correctly, a role is a unit of authorization. Roles can have entitlements, either defined by Keycloak or an application. A role can have other roles as members. It can also have groups and individual users. Groups aren't directly linked to entitlements, but are instead used to simply create a way to create a set of users (and groups). Is this an accurate representation?
>>
>> I ask because I want to build some integrations between OpenUnison and MyVirtualDirectory. Both work primarily on the LDAP concepts of users, groups and users. Beyond SSO integration between OpenUnison and Keycloak, I'm looking at creating a provisioning target so OpenUnison workflows can provision access to Keycloak roles as well as an insert for MyVirtualDirectory that can represent Keycloak roles and users as LDAP Objects for legacy applications.
>> >> Thanks >> >> >> Marc Boorshtein >> CTO Tremolo Security >> marc.boorshtein at tremolosecurity.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From fabricio.milone at shinetech.com Thu Dec 10 23:11:34 2015 From: fabricio.milone at shinetech.com (Fabricio Milone) Date: Fri, 11 Dec 2015 15:11:34 +1100 Subject: [keycloak-user] Direct access to Send reset password email Message-ID: Hi all, I?ve been working on adding custom endpoints under the realm level to perform some new functions like user registration and send password reset email without going through the keycloak?s default web view. I?ve read the discussion regarding add custom REST paths, but I wouldn?t like to go off topic there. Why I am doing this? This is needed because I have to hit the keycloak server directly from the native Android UI, without going through the Keycloak default login/reset creds screen and get an user registered or an email to reset the password (among other possible future use cases). What I got so far? I?ve added a custom endpoint class (ForgotPasswordEndpoint) to org.keycloak.protocol.oidc.endpoints package in order to add a new path /auth/realms/{realm}/forgotten-password-email that sends an email to the specified user in a form attribute without going through the web view. I am also generating a key to be able to execute a client session required action of UPDATE_PASSWORD, so when the user clicks the link it will be asked to update its password. What I?m not sure is about the approach I used to get this done. 
Let's clear that up:
- Created a new endpoint class similar to TokenEndpoint.java which sends an email with a link to update the user password.
- The link is generated using the UriBuilder for the base path and the ClientSessionCode class for the access code, using the given realm, session and any other necessary data.
- I am adding a required action to the clientSession (ClientSessionModel, created with the given UserModel) of the type UserModel.RequiredAction.UPDATE_PASSWORD.
- Once the user clicks on the link, the normal update-account flow starts, without any modification.

That's the least invasive way I've found so far. However, today I have been trying to implement an SPI to achieve this (still trying to understand how to do that).

Is there a clean/proper way to generate a valid code/execution id as it is generated for the normal forgotten password email?
What is the right way to make a direct call to get a reset password email?

Thank you in advance.

Regards,
Fabricio

From brian at excelwithbusiness.com Fri Dec 11 03:30:11 2015
From: brian at excelwithbusiness.com (Brian Thai)
Date: Fri, 11 Dec 2015 00:30:11 -0800
Subject: [keycloak-user] Token Validation
Message-ID:

Hi All,

I have just started to work with Keycloak 1.7.0 and I have a PHP REST service that I want to write an adapter for. I have read the docs and the code but I don't understand how the token is validated from the REST service.

I understand that with a JS client they would be redirected to Keycloak to obtain an access token which will be passed to my REST API. At that point I should validate the token, and I see that Keycloak provides a REST endpoint for validation:
http://docs.jboss.org/keycloak/docs/1.0-rc-1/rest-api/realms/%7Brealm%7D/tokens/validate/index.html

I get held up by CORS because the realm itself does not have configuration for setting the 'Access-Control-Allow-Origin' header. Can anyone point me in the right direction?

Thanks,
-Brian

From ado.boj.83 at gmail.com Fri Dec 11 04:55:01 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Fri, 11 Dec 2015 10:55:01 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user
In-Reply-To:
References:
Message-ID:

Hi all,

I tried to validate this issue on 1.7.0.Final, but I have a question:

After sending two different REST API requests:
1.) PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email
and
2.) PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email with body ["VERIFY_EMAIL"]

I got for both REST APIs an email with Subject "Update Your Account" and the link generated in the email:
http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022

What is different when I generate Verify Email via the GUI: the Subject is "Verify email" and the link generated in the email is:
http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5

Should it be so now, or was something changed, or is something incorrect on my side?

Thanks.

On Mon, Nov 30, 2015 at 1:18 PM, Stian Thorgersen (JIRA) wrote:
> Stian Thorgersen updated KEYCLOAK-2063
> Keycloak / KEYCLOAK-2063: Not working link generated via REST API - Send an email-verification email to the user
> Change By: Stian Thorgersen
> Status: Pull Request Sent -> Resolved
> Resolution: Done

From juraj.janosik77 at gmail.com Fri Dec 11 05:04:11 2015
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Fri, 11 Dec 2015 11:04:11 +0100
Subject: [keycloak-user] Clarify "Create a new client" via Admin REST API
In-Reply-To: <56699A7E.8020106@redhat.com>
References: <56699A7E.8020106@redhat.com>
Message-ID:

Hi,

JIRA issue created for this topic: https://issues.jboss.org/browse/KEYCLOAK-2217

But please check other new JIRA issues handling "Update User" scenarios:
https://issues.jboss.org/browse/KEYCLOAK-2216 : Update User (admin REST API): some attributes added via POST/PUT method are deleted.
https://issues.jboss.org/browse/KEYCLOAK-2218 : Update User (Attribute "enabled" via Admin REST API): JSON body without attribute "username" causes HTTP 500 - Internal Server Error

Best Regards,
Juraj

2015-12-10 16:30 GMT+01:00 Marek Posolda:
> I think it should be the same consistent behaviour in all places. Probably we
> should make it what is used for clients (id is allowed) and improve
> realms and users to allow it too.
>
> Feel free to create a JIRA for this.
>
> Marek
>
> On 10/12/15 14:24, Juraj Janosik wrote:
> Hi all,
>
> please, could somebody clarify the issue (see bottom of the mail) discovered
> in version 1.6.1.Final?
> The same behavior is detected in version 1.7.0.Final.
>
> This behavior differs from Create a New User, where the JSON body
> parameter "id" is skipped.
>
> Thanks a lot.
>
> Best regards,
> Juraj
>
> 2015-11-12 10:32 GMT+01:00 Juraj Janosik <juraj.janosik77 at gmail.com>:
>> Hi,
>> I want to clarify the "Create a new client" via REST API,
>> especially for the body parameter "id" from "ClientRepresentation".
>> If I set the parameter "id" in the request body (see example below),
>> the value is set to the client. No new id value is generated for the
>> client, which is the typical behavior of "Create a new role for the
>> realm or client" and "Create a new user".
>> Is this a correct behavior?
>>
>> Tested data example:
>> "Create Client":
>> "method":"POST","url":":/auth/admin/realms//clients"
>> "body":
>> {
>>   "id":"3",
>>   "clientId":"testclient-3",
>>   "name": "testclient-3",
>>   "description": "TESTCLIENT-3",
>>   "enabled": true,
>>   "redirectUris":[ "\\" ],
>>   "publicClient": true
>> }
>> "headers":
>> [["Content-Type","application/json"],
>> ["Authorization","Bearer ]]
>>
>> Output for GET clients looks like:
>> {
>>   "id": "3",
>>   "clientId": "testclient-3",
>>   "name": "testclient-3",
>>   "description": "TESTCLIENT-3",
>>   "surrogateAuthRequired": false,
>>   "enabled": true,
>>   "clientAuthenticatorType": "client-secret",
>>   "redirectUris": [ "\" ],
>>   "webOrigins": [ ],
>>   "notBefore": 0,
>>   "bearerOnly": false,
>>   "consentRequired": false,
>>   "serviceAccountsEnabled": false,
>>   "directGrantsOnly": false,
>>   "publicClient": true,
>>   "frontchannelLogout": false,
>>   "attributes": { },
>>   ...
>>
>> Thanks a lot.
>>
>> Best Regards,
>> Juraj

From mposolda at redhat.com Fri Dec 11 06:48:19 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 11 Dec 2015 12:48:19 +0100
Subject: [keycloak-user] Relationship of Groups to Roles?
In-Reply-To:
References: <5669E57E.7010507@redhat.com>
Message-ID: <566AB803.1030302@redhat.com>

On 10/12/15 22:09, Marc Boorshtein wrote:
>> Roles in Keycloak are similar to Java EE roles. Users are granted a
>> role, and become members of a Group.
>> Groups in Keycloak are a
>> collection of users. Groups can have roles and attributes assigned to
>> them that user members inherit.
>>
> OK, so let me see if I'm conceptualizing this correctly. I've created
> a role called "MyRole". I have a group called "MyGroup" and a user
> named Matt Mosley (mmosley). I can grant mmosley the role MyRole
> directly or I can add mmosley to MyGroup and grant MyGroup MyRole?

If you grant mmosley the role MyRole directly, it will be granted just to this user. If you grant MyRole to MyGroup, then MyRole will be granted to each user added to MyGroup. So you can just put 2 users into MyGroup, "mmosley" and "mmosley2", and both will inherit MyRole.

> Additionally if the group MyGroup has an attribute x with the value y
> then mmosley, once assigned to MyGroup, would inherit the group
> attribute x=y?

Yes.

>> Clients/Applications work with roles, not with groups. Applications
>> assign privileges to roles, not users or groups. Keycloak currently
>> does not have the concept of Permissions/Entitlements. Applications
>> have to handle how privileges are assigned to a role themselves.
>>
> I think we're saying the same thing here. Roles are the integration
> point with Keycloak (not groups) and it's the application that gives a
> role meaning.
>
> So if I were to create a directory structure for an LDAP tree it would
> probably look something like:
>
> ou=keycloak
> - ou=users
>   - uid=mmosley
> - ou=groups
>   - cn=MyGroup
> - ou=roles
>   - cn=myrole
>   - ou=app1
>     - cn=anAppSpecificRole
>
> OpenUnison doesn't have the concept of "roles" vs "groups". So I
> would probably have all roles start with "role." and groups start
> with "group." so I can differentiate between them.

I am starting on adding an LDAP Group Mapper to Keycloak and it will be (hopefully) available in 1.8. The Mapper will allow you to specify in which DN your groups are and in which DN(s) your roles are (the LDAP RoleMapper is already available, but I am planning some changes for 1.8; it should remain backwards compatible). So for your LDAP tree example, if you configure mappers like:
- Group Mapper: ou=groups,ou=keycloak
- Role Mapper for realm roles: ou=roles,ou=keycloak
- Role Mapper for client roles of client "app1": ou=app1,ou=roles,ou=keycloak

you will be able to map the environment. And you don't need to care about the names of roles, groups etc. because:
- LDAP group "cn=MyGroup,ou=groups,ou=keycloak" will be automatically treated as a Keycloak group
- LDAP group "cn=myrole,ou=users,ou=keycloak" will be treated as a Keycloak realm role
- LDAP group "cn=anAppSpecificRole,cn=app1,ou=roles,ou=keycloak" will be treated as a client role of the "app1" client

The Role Mapper is already available, so you can already try it out with 1.7.

Marek

From marc.boorshtein at tremolosecurity.com Fri Dec 11 06:57:39 2015
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Fri, 11 Dec 2015 06:57:39 -0500
Subject: [keycloak-user] Relationship of Groups to Roles?
In-Reply-To: <566AB803.1030302@redhat.com>
References: <5669E57E.7010507@redhat.com> <566AB803.1030302@redhat.com>
Message-ID:

On Dec 11, 2015 6:48 AM, "Marek Posolda" wrote:
> I am starting on adding LDAP Group Mapper to Keycloak and it will be
> (hopefully) available in 1.8. Mapper will allow you to specify in which DN
> are your groups and in which DN(s) are your roles (LDAP RoleMapper is
> already available, but I am planning some changes to 1.8, but it should
> remain backwards compatible).

Very nice, but this is so a legacy application can use Keycloak via LDAP. It would be great if an application that only knows how to speak LDAP could use Keycloak for authorization information. You can tell the app to look at my virtual directory, which in turn would make the web service calls. If I use an HTTP/2 implementation it would scale well too.

From niko at n-k.de Fri Dec 11 08:14:15 2015
From: niko at n-k.de (Niko Köbler)
Date: Fri, 11 Dec 2015 14:14:15 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
Message-ID: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de>

Hi,

in my current project, it's not wanted to use Infinispan as cache in a cluster.
However, I have to deal with the user session and token information.
And as I can remember, in early versions of Keycloak there was an option to store this information via JPA or MongoDB instead of Infinispan.
Also, I saw there is a User Sessions SPI, and also a User Cache SPI and Realm Cache SPI.
If I implement those SPIs, can I get rid of Infinispan replication in a cluster?
And are there some examples or good starting points? (documentation?) Regards, - Niko From bburke at redhat.com Fri Dec 11 08:48:53 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 11 Dec 2015 08:48:53 -0500 Subject: [keycloak-user] Relationship of Groups to Roles? In-Reply-To: References: <5669E57E.7010507@redhat.com> Message-ID: <566AD445.8070107@redhat.com> On 12/10/2015 4:09 PM, Marc Boorshtein wrote: >> >> Roles in Keycloak are similar to Java EE roles. Users are granted a >> role, and become members of a Group. Groups in Keycloak are a >> collection of users. Groups can have roles and attributes assigned to >> them that user members inherit. >> > > OK, so let me see if i'm conceptualizing this correctly. I've created > a role called "MyRole". I have a group called "MyGroup" and a user > named Matt Mosley (mmosley). I can grant mmosley the role MyRole > directly or I can add mmosley to MyGroup and grant MyGroup MyRole? > Additionally if the group MyGroup has an attribute x with the value y > then mmosley, once assigned to MyGroup, would inherit the group > attribute x=y? > > >> Clients/Applications work with roles, not with groups. Applications >> assign privileges to roles, not users or groups. Keycloak currently >> does not have the concept of Permissions/Entitlements. Applications >> have to handle how privileges are assigned to a role themselves. >> > > I think we're saying the same thing here. Roles are the integration > point with KeyCloak (not groups) and its the application that gives a > role meaning. > > So if I were to create a directory structure for an LDAP tree it would > probably look something like: > > ou=keycloack > - ou=users > - uid=mmosley > - ou=groups > - cn=MyGroup > - ou=roles > - cn=myrole > - ou=app1 > - cn=anAppSpecificRole > > OpenUnison doesn't have the concept of "roles" vs "groups". So I > would probably have all roles start with a "role." and groups start > with a "group." so I can differentiate between them. 
> > Am I on the right track? I've got Keycloak up and running so I'll > play around with the apis too but didn't want to do that in a vacuum. > Yes, you are on the right track. we're always open to suggestions on how to model things better too. Also You could certainly populate group membership information in your tokens/saml assertions and combine the concepts of group/role. But Keycloak itself has separate meanings for them. Also, Pedro is working a permission service based on UMA. You should be seeing alphas/betas coming out soon. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Dec 11 09:28:20 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 11 Dec 2015 09:28:20 -0500 Subject: [keycloak-user] Token Validation In-Reply-To: References: Message-ID: <566ADD84.3000300@redhat.com> You want to write a PHP adapter? You can either validate the token yourself, or invoke the Keycloak REst service to validate it for you. Keycloak tokens are Json Web Signatures (JWS). https://tools.ietf.org/html/rfc7515 The content of this signature is a Keycloak extension of Json Web Token: http://jwt.io/ We have all the standard fields, with additional ones for role mappings and group membership depending on how you've configured the client in the admin console. As for CORS this is something your PHP adapter has to handle. You can configure the Keycloak token to embed what origins are allowed, but the adapter has to handle setting all the appropriate headers. BTW, we would definitely welcome a PHP adapter contribution! On 12/11/2015 3:30 AM, Brian Thai wrote: > Hi All, > > I have just started to work with keycloak 1.7.0 and I have a PHP rest > service that I want to write an adapter for. I have read the docs and > the code but I don't understand how the token is validated from the rest > service. 
> > I understand that with a js client they would be redirected to keycloak > to obtain an access token which will be passed to my rest api. At that > point I should validate the token, and I see that keycloak provides a > rest endpoint for validation: > http://docs.jboss.org/keycloak/docs/1.0-rc-1/rest-api/realms/%7Brealm%7D/tokens/validate/index.html > > I get held from cors because the realm itself does not have > configuration for setting the 'Access-Control-Allow-Origin' header. Can > anyone point me in the right direction? > > Thanks, > -Brian > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Dec 11 09:30:36 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 11 Dec 2015 09:30:36 -0500 Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ? In-Reply-To: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> Message-ID: <566ADE0C.2010704@redhat.com> Yes, you can replace Infinispan... No, we will not support you :) We had to reduce the scope of Keycloak. Same reason why we only support running the server on Wildfly/EAP now. Its just too much extra work. On 12/11/2015 8:14 AM, Niko K?bler wrote: > Hi, > > in my current project, it?s not wanted to use Infinispan as cache in a cluster. > However, I have to deal with the user session and token information. > And as I can remember, in early versions of Keycloak was an option, to store this information via JPA or MongoDB instead of Infinispan. > Also, I saw there is a User Sessions SPI, and also a User Cache SPI and Realm Cache SPI. > If I implement those SPIs, can I get rid of Infinispan replication in a cluster? > And are there some examples or good starting points? (documentation?) 
> > Regards, > - Niko > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From marc.boorshtein at tremolosecurity.com Fri Dec 11 11:05:04 2015 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Fri, 11 Dec 2015 11:05:04 -0500 Subject: [keycloak-user] Relationship of Groups to Roles? In-Reply-To: <566AD445.8070107@redhat.com> References: <5669E57E.7010507@redhat.com> <566AD445.8070107@redhat.com> Message-ID: > > Yes, you are on the right track. we're always open to suggestions on how to > model things better too. Excellent. I really like the separation of roles and groups. It creates a very clean logical break between the two. I usually do this with most of my deployments from a conceptual standpoint but the fact that its built into keycloak is very nice. > > Also You could certainly populate group membership information in your > tokens/saml assertions and combine the concepts of group/role. But Keycloak > itself has separate meanings for them. Makes sense. I tend to take an "all of the above" approach to identity. So few applications follow consistent standards that I'd rather have several options then be forced to use just one. > > Also, Pedro is working a permission service based on UMA. You should be > seeing alphas/betas coming out soon. > > Very nice. Looking forward to it! From srossillo at smartling.com Fri Dec 11 20:55:19 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Sat, 12 Dec 2015 01:55:19 +0000 Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ? In-Reply-To: <566ADE0C.2010704@redhat.com> References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> Message-ID: I highly suggest, from production experience, that you stick with Infinispan. 
On Fri, Dec 11, 2015 at 1:56 PM Bill Burke wrote:

> Yes, you can replace Infinispan... No, we will not support you :) We
> had to reduce the scope of Keycloak. Same reason why we only support
> running the server on Wildfly/EAP now. It's just too much extra work.
>
> On 12/11/2015 8:14 AM, Niko Köbler wrote:
> > Hi,
> >
> > in my current project, it's not wanted to use Infinispan as cache in a
> > cluster.
> > However, I have to deal with the user session and token information.
> > And as I can remember, in early versions of Keycloak there was an option to
> > store this information via JPA or MongoDB instead of Infinispan.
> > Also, I saw there is a User Sessions SPI, and also a User Cache SPI and
> > Realm Cache SPI.
> > If I implement those SPIs, can I get rid of Infinispan replication in a
> > cluster?
> > And are there some examples or good starting points? (documentation?)
> >
> > Regards,
> > - Niko
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com


From jean.merelis at gmail.com Sat Dec 12 10:00:58 2015
From: jean.merelis at gmail.com (Jeandeson O. Merelis)
Date: Sat, 12 Dec 2015 13:00:58 -0200
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?
Message-ID:

Why has the encoding of the Java properties files been converted to UTF-8? We had
decided that the default Java properties files would be ISO-8859-1.

--
Jeandeson O. Merelis


From niko at n-k.de Sat Dec 12 10:17:33 2015
From: niko at n-k.de (Niko Köbler)
Date: Sat, 12 Dec 2015 16:17:33 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To:
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com>
Message-ID: <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de>

Ok, I understand.

But then I suggest, if I was right with my assumption about the SPIs, that you
should remove the lines from the documentation.
Also, there seem to be some relics of classes in the code (if I'm not
completely wrong).

> On 12.12.2015 at 02:55, Scott Rossillo wrote:
>
> I highly suggest, from production experience, that you stick with Infinispan.
> On Fri, Dec 11, 2015 at 1:56 PM Bill Burke wrote:
> Yes, you can replace Infinispan... No, we will not support you :) We
> had to reduce the scope of Keycloak. Same reason why we only support
> running the server on Wildfly/EAP now. It's just too much extra work.
>
> On 12/11/2015 8:14 AM, Niko Köbler wrote:
> > Hi,
> >
> > in my current project, it's not wanted to use Infinispan as cache in a cluster.
> > However, I have to deal with the user session and token information.
> > And as I can remember, in early versions of Keycloak there was an option to store this information via JPA or MongoDB instead of Infinispan.
> > Also, I saw there is a User Sessions SPI, and also a User Cache SPI and Realm Cache SPI.
> > If I implement those SPIs, can I get rid of Infinispan replication in a cluster?
> > And are there some examples or good starting points? (documentation?)
> >
> > Regards,
> > - Niko
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com


From mposolda at redhat.com Mon Dec 14 02:50:37 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Dec 2015 08:50:37 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de>
Message-ID: <566E74CD.9000406@redhat.com>

On 12/12/15 16:17, Niko Köbler wrote:
> Ok, I understand.
>
> But then I suggest, if I was right with my assumption about the SPIs,
> that you should remove the lines from the documentation.

Could you please create a JIRA pointing to the incorrect part in the
documentation?

> Also, there seem to be some relics of classes in the code (if I'm
> not completely wrong).

Yes, in the code we still have MemUserSessionProvider, which is a userSession
implementation based on pure memory. Did you mean this? This is used just for
backwards compatibility in EAP 6.4 (because infinispan local mode doesn't work
correctly there and doesn't support all the stuff we need) and will be removed.

Btw. what's your motivation to not use infinispan?
If you are afraid of cluster communication, you don't need to worry much about
it, because if you run a single keycloak through standalone.xml, the infinispan
automatically works in LOCAL mode and there is no cluster communication at all.

Or do you want persistent userSession/clientSessions, which will survive a
server restart? We already have the userSessionPersister SPI, which is used to
persist just "offline" userSessions (those used to retrieve offline tokens), but
possibly we will extend it with the optional possibility to persist all user
sessions.

Marek

>
>
> > On 12.12.2015 at 02:55, Scott Rossillo wrote:
> >
> > I highly suggest, from production experience, that you stick with
> > Infinispan.
> > On Fri, Dec 11, 2015 at 1:56 PM Bill Burke wrote:
> >
> >     Yes, you can replace Infinispan... No, we will not support you :) We
> >     had to reduce the scope of Keycloak. Same reason why we only support
> >     running the server on Wildfly/EAP now. It's just too much extra work.
> >
> >     On 12/11/2015 8:14 AM, Niko Köbler wrote:
> >     > Hi,
> >     >
> >     > in my current project, it's not wanted to use Infinispan as
> >     cache in a cluster.
> >     > However, I have to deal with the user session and token
> >     information.
> >     > And as I can remember, in early versions of Keycloak there was an
> >     option to store this information via JPA or MongoDB instead of
> >     Infinispan.
> >     > Also, I saw there is a User Sessions SPI, and also a User Cache
> >     SPI and Realm Cache SPI.
> >     > If I implement those SPIs, can I get rid of Infinispan
> >     replication in a cluster?
> >     > And are there some examples or good starting points?
> >     (documentation?)
> >     >
> >     > Regards,
> >     > - Niko
> >     >
> >
> >     --
> >     Bill Burke
> >     JBoss, a division of Red Hat
> >     http://bill.burkecentral.com


From niko at n-k.de Mon Dec 14 05:01:52 2015
From: niko at n-k.de (Niko Köbler)
Date: Mon, 14 Dec 2015 11:01:52 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <566E74CD.9000406@redhat.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de> <566E74CD.9000406@redhat.com>
Message-ID: <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de>

Hi Marek,

> On 14.12.2015 at 08:50, Marek Posolda wrote:
>
> Btw. what's your motivation to not use infinispan? If you are afraid of
> cluster communication, you don't need to worry much about it, because if you
> run a single keycloak through standalone.xml, the infinispan automatically
> works in LOCAL mode and there is no cluster communication at all.

My current customer is running his apps in AWS. As is known, multicast is not
available in cloud infrastructures.
Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know
too much about JGroups config. S3_PING seems to be a viable way to get a cluster
running in AWS.
But additionally, my customer doesn't have any (deep) knowledge about JBoss
infrastructures and so I'm looking for a way to be able to run Keycloak in a
cluster in AWS without the need to build up deeper knowledge of JGroups config,
for example by getting rid of Infinispan.
But I do understand all the concerns in doing this.
I still have to test S3_PING, to see if it works as easily as multicast. If yes,
we can use it; if no... I don't know yet. But this gets off-topic for the
Keycloak mailing list, it's more related to pure Wildfly/Infinispan.

- Niko


From Frank.vanVeen at planonsoftware.com Mon Dec 14 05:30:22 2015
From: Frank.vanVeen at planonsoftware.com (Frank van Veen)
Date: Mon, 14 Dec 2015 11:30:22 +0100
Subject: [keycloak-user] Error message display
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E4925116F58F@NL-MAIL02.planon-fm.com>

Hi,

I am trying to create and display my own error messages in keycloak. In this
case an error occurred in an inherited method from the UserModelDelegate.

Currently the only error message I have been able to display is "Error! An
unexpected server error has occurred". This isn't very helpful for our users.

This is a screenshot of a successful operation:
https://i.imgur.com/z9dMvxG.png

This is a screenshot of an unsuccessful operation:
https://i.imgur.com/LN89Qti.png

It would be nice if I could display "Error! The maximum length of Description
is 20 characters".

Any help would be appreciated!

Sincerely,

Frank van Veen
From thomas.darimont at googlemail.com Mon Dec 14 05:52:40 2015
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 14 Dec 2015 11:52:40 +0100
Subject: [keycloak-user] Cannot use Keycloak with Postgres DB
Message-ID:

Starting the Keycloak Postgres HA Docker Image fails due to a problem with
loading OfflineUserSessions - see stacktrace below.

There is an already resolved?! issue
https://issues.jboss.org/browse/KEYCLOAK-1999 filed for Keycloak 1.6.0 that
shows some workaround suggestions, but I think disabling the support for offline
sessions is not a fix to the actual problem...

It would be great to have a real fix, since this prevents the Keycloak Server
from starting.

Just verified this with:
- jboss/keycloak-ha-postgres:latest
- jboss/keycloak-ha-postgres:1.7.0.Release
- jboss/keycloak-ha-postgres:1.6.1.Release
- jboss/keycloak-ha-postgres:1.6.0.Release

Steps to reproduce:

# Start Postgres Instance:
docker run --name kc-db -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=password -p 25432:5432 -d postgres

# Start KC Server
docker run --name kc-server1 --link kc-db:postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -p 8101:8080 jboss/keycloak-ha-postgres

# Exception during start:
...
10:33:54,461 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started offlineSessions cache from keycloak container
10:33:54,472 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.NullPointerException
    at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.init(OfflineUserSessionLoader.java:25)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer$1.run(InfinispanUserSessionInitializer.java:100)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:244)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.getOrCreateInitializerState(InfinispanUserSessionInitializer.java:97)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:148)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:78)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$3.run(InfinispanUserSessionProviderFactory.java:111)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:244)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:102)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.onEvent(InfinispanUserSessionProviderFactory.java:86)
    at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:47)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:87)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 19 more

10:33:54,516 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) -


From bburke at redhat.com Mon Dec 14 09:58:43 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 14 Dec 2015 09:58:43 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de> <566E74CD.9000406@redhat.com> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de>
Message-ID: <566ED923.10306@redhat.com>

On 12/14/2015 5:01 AM, Niko Köbler wrote:
> Hi Marek,
>
> > On 14.12.2015 at 08:50, Marek Posolda wrote:
> >
> > Btw. what's your motivation to not use infinispan?
> > If you are afraid of cluster communication, you don't need to worry much
> > about it, because if you run a single keycloak through standalone.xml, the
> > infinispan automatically works in LOCAL mode and there is no cluster
> > communication at all.
>
> My current customer is running his apps in AWS. As is known, multicast is
> not available in cloud infrastructures. Wildfly/Infinispan Cluster works
> pretty well with multicast w/o having to know too much about JGroups
> config. S3_PING seems to be a viable way to get a cluster running in AWS.
> But additionally, my customer doesn't have any (deep) knowledge about
> JBoss infrastructures and so I'm looking for a way to be able to run
> Keycloak in a cluster in AWS without the need to build up deeper
> knowledge of JGroups config, for example by getting rid of Infinispan.
> But I do understand all the concerns in doing this.
> I still have to test S3_PING, to see if it works as easily as multicast. If yes,
> we can use it; if no... I don't know yet. But this gets off-topic for the
> Keycloak mailing list, it's more related to pure Wildfly/Infinispan.
>

Seems to me it would be much easier to get Infinispan working on AWS than to
write and maintain an entire new caching mechanism and hope we don't refactor
the cache SPI.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


From bburke at redhat.com Mon Dec 14 10:09:02 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 14 Dec 2015 10:09:02 -0500
Subject: [keycloak-user] Error message display
In-Reply-To: <16DCFFB91025EF4DB80D3ECCA6E097E4925116F58F@NL-MAIL02.planon-fm.com>
References: <16DCFFB91025EF4DB80D3ECCA6E097E4925116F58F@NL-MAIL02.planon-fm.com>
Message-ID: <566EDB8E.4000809@redhat.com>

What are you doing? Registration? Login? What? You have to handle the error
there and redirect to the appropriate error page:

    package org.keycloak.services;

    public class ErrorPage {

        // message is a key in the theme message bundle; parameters are
        // substituted into that message when the error page is rendered
        public static Response error(KeycloakSession session, String message, Object... parameters) {
            return session.getProvider(LoginFormsProvider.class)
                    .setError(message, parameters)
                    .createErrorPage();
        }
    }

Where message corresponds to a message bundle and parameters are passed into
this.

On 12/14/2015 5:30 AM, Frank van Veen wrote:
> Hi,
>
> I am trying to create and display my own error messages in keycloak. In
> this case an error occurred in an inherited method from the
> UserModelDelegate.
>
> Currently the only error message I have been able to display is
> "Error! An unexpected server error has occurred". This isn't very
> helpful for our users.
>
> This is a screenshot of a successful operation:
> https://i.imgur.com/z9dMvxG.png
>
> This is a screenshot of an unsuccessful operation:
> https://i.imgur.com/LN89Qti.png
>
> It would be nice if I could display "Error! The maximum length of
> Description is 20 characters".
>
> Any help would be appreciated!
>
> Sincerely,
>
> Frank van Veen
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


From mposolda at redhat.com Mon Dec 14 10:55:28 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Dec 2015 16:55:28 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <566ED923.10306@redhat.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de> <566E74CD.9000406@redhat.com> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de> <566ED923.10306@redhat.com>
Message-ID: <566EE670.9090001@redhat.com>

On 14/12/15 15:58, Bill Burke wrote:
>
> On 12/14/2015 5:01 AM, Niko Köbler wrote:
> > Hi Marek,
> >
> > > On 14.12.2015 at 08:50, Marek Posolda wrote:
> > >
> > > Btw. what's your motivation to not use infinispan?
> > > If you are afraid of cluster communication, you don't need to worry much
> > > about it, because if you run a single keycloak through standalone.xml,
> > > the infinispan automatically works in LOCAL mode and there is no cluster
> > > communication at all.
> > My current customer is running his apps in AWS. As is known, multicast is
> > not available in cloud infrastructures. Wildfly/Infinispan Cluster works
> > pretty well with multicast w/o having to know too much about JGroups
> > config. S3_PING seems to be a viable way to get a cluster running in AWS.
> > But additionally, my customer doesn't have any (deep) knowledge about
> > JBoss infrastructures and so I'm looking for a way to be able to run
> > Keycloak in a cluster in AWS without the need to build up deeper
> > knowledge of JGroups config, for example by getting rid of Infinispan.
> > But I do understand all the concerns in doing this.
> > I still have to test S3_PING, to see if it works as easily as multicast. If yes,
> > we can use it; if no... I don't know yet. But this gets off-topic for the
> > Keycloak mailing list, it's more related to pure Wildfly/Infinispan.
> >
> Seems to me it would be much easier to get Infinispan working on AWS
> than to write and maintain an entire new caching mechanism and hope we
> don't refactor the cache SPI.
>

+1

I am sure infinispan/JGroups has the possibility to run in a non-multicast
environment. You may just need to figure out how exactly to configure it. So I
agree that this issue is more related to Wildfly/Infinispan itself than to
Keycloak.

You may need to use jgroups protocols like TCP instead of the default UDP and
maybe TCPPING (this requires you to manually list all your cluster nodes. But
still, it's a much better option IMO than rewriting the UserSession SPI).

Marek


From mposolda at redhat.com Mon Dec 14 10:59:41 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Dec 2015 16:59:41 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <566EE670.9090001@redhat.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de> <566E74CD.9000406@redhat.com> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de> <566ED923.10306@redhat.com> <566EE670.9090001@redhat.com>
Message-ID: <566EE76D.2090001@redhat.com>

On 14/12/15 16:55, Marek Posolda wrote:
> On 14/12/15 15:58, Bill Burke wrote:
> > On 12/14/2015 5:01 AM, Niko Köbler wrote:
> > > Hi Marek,
> > >
> > > > On 14.12.2015 at 08:50, Marek Posolda wrote:
> > > >
> > > > Btw. what's your motivation to not use infinispan? If you are afraid of
> > > > cluster communication, you don't need to worry much about it, because
> > > > if you run a single keycloak through standalone.xml, the infinispan
> > > > automatically works in LOCAL mode and there is no cluster
> > > > communication at all.
> > > My current customer is running his apps in AWS. As is known, multicast is
> > > not available in cloud infrastructures. Wildfly/Infinispan Cluster works
> > > pretty well with multicast w/o having to know too much about JGroups
> > > config. S3_PING seems to be a viable way to get a cluster running in AWS.
> > > But additionally, my customer doesn't have any (deep) knowledge about
> > > JBoss infrastructures and so I'm looking for a way to be able to run
> > > Keycloak in a cluster in AWS without the need to build up deeper
> > > knowledge of JGroups config, for example by getting rid of Infinispan.
> > > But I do understand all the concerns in doing this.
> > > I still have to test S3_PING, to see if it works as easily as multicast. If yes,
> > > we can use it; if no... I don't know yet. But this gets off-topic for the
> > > Keycloak mailing list, it's more related to pure Wildfly/Infinispan.
> > >
> > Seems to me it would be much easier to get Infinispan working on AWS
> > than to write and maintain an entire new caching mechanism and hope we
> > don't refactor the cache SPI.
> >
> >
> +1
>
> I am sure infinispan/JGroups has the possibility to run in a non-multicast
> environment. You may just need to figure out how exactly to configure it. So
> I agree that this issue is more related to Wildfly/Infinispan itself
> than to Keycloak.
>
> You may need to use jgroups protocols like TCP instead of the default UDP
> and maybe TCPPING (this requires you to manually list all your cluster
> nodes. But still, it's a much better option IMO than rewriting the UserSession
> SPI).

Btw. if TCPPING or S3_PING is an issue, there is also AWS_PING
http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's not an
official part of JGroups.

Marek

>
> Marek


From mposolda at redhat.com Mon Dec 14 11:15:51 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Dec 2015 17:15:51 +0100
Subject: [keycloak-user] Cannot use Keycloak with Postgres DB
In-Reply-To:
References:
Message-ID: <566EEB37.3070702@redhat.com>

There is a missing declaration of userSessionPersister in the
keycloak-server.json file. I bet that if you add this:

    "userSessionPersister": {
        "provider": "jpa"
    },

to the file
https://github.com/jboss-dockerfiles/keycloak/blob/master/server-ha-postgres/keycloak-server.json,
things will start to work.

It would be cool if you could double-check and possibly send a PR if it helps :-)

The even more proper solution would be to avoid having keycloak-server.json in
the docker image, as the file becomes outdated with each update of Keycloak.
The Docker image should have some script or something to edit the existing file
"on the fly" and update it to use the cluster.
Actually I'm not sure if a separate keycloak-server.json is still needed, as in
the latest Keycloak, keycloak-server.json already contains configuration for
connections-infinispan (which it didn't before AFAIK).

Marek

On 14/12/15 11:52, Thomas Darimont wrote:
> Starting the Keycloak Postgres HA Docker Image fails due to a problem
> with loading OfflineUserSessions - see stacktrace below.
>
> There is an already resolved?! issue
> https://issues.jboss.org/browse/KEYCLOAK-1999 filed for Keycloak 1.6.0
> that shows some
> workaround suggestions, but I think disabling the support for offline
> sessions is not a fix to the actual problem...
>
> It would be great to have a real fix, since this prevents the Keycloak
> Server from starting.
>
> Just verified this with:
> - jboss/keycloak-ha-postgres:latest
> - jboss/keycloak-ha-postgres:1.7.0.Release
> - jboss/keycloak-ha-postgres:1.6.1.Release
> - jboss/keycloak-ha-postgres:1.6.0.Release
>
> Steps to reproduce:
>
> # Start Postgres Instance:
> docker run --name kc-db -e POSTGRES_DATABASE=keycloak -e
> POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e
> POSTGRES_ROOT_PASSWORD=password -p 25432:5432 -d postgres
>
> # Start KC Server
> docker run --name kc-server1 --link kc-db:postgres -e
> POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e
> POSTGRES_PASSWORD=password -p 8101:8080 jboss/keycloak-ha-postgres
>
> # Exception during start:
> ...
From mstrukel at redhat.com Mon Dec 14 16:09:57 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 14 Dec 2015 22:09:57 +0100
Subject: [keycloak-user] Cannot use Keycloak with Postgres DB
In-Reply-To: <566EEB37.3070702@redhat.com>
References: <566EEB37.3070702@redhat.com>
Message-ID:

Yeah, we have to fix server-ha-postgres. Overriding keycloak-server.json has
probably become redundant.
On Dec 14, 2015 5:18 PM, "Marek Posolda" wrote:
> There is a missing declaration of userSessionPersister in the keycloak-server.json file. I bet that if you add this:
>
>     "userSessionPersister": {
>         "provider": "jpa"
>     },
>
> to the file https://github.com/jboss-dockerfiles/keycloak/blob/master/server-ha-postgres/keycloak-server.json, the things will start to work.
>
> Will be cool if you could double-check and possibly send PR if it helps :-)
>
> The even more proper solution will be to avoid having keycloak-server.json in the docker image, as the file becomes outdated during each update in Keycloak. Docker image should have some script or something to edit the existing file "on the fly" and update it to use cluster. Actually not sure if separate keycloak-server.json is still needed as in latest Keycloak, keycloak-server.json already contains configuration for connections-infinispan (which it wasn't before AFAIK)
>
> Marek
>
> On 14/12/15 11:52, Thomas Darimont wrote:
> > Starting the Keycloak Postgres HA Docker Image fails due to a problem with loading OfflineUserSessions - see stacktrace below.
> >
> > There is an already resolved?! issue https://issues.jboss.org/browse/KEYCLOAK-1999 filed for Keycloak 1.6.0 that shows some workaround suggestions, but I think disabling the support for offline sessions is not a fix to the actual problem...
> >
> > Would be great to have a real fix, since this hinders the Keycloak Server to start.
> >
> > Just verified this with:
> > - jboss/keycloak-ha-postgres:latest
> > - jboss/keycloak-ha-postgres:1.7.0.Release
> > - jboss/keycloak-ha-postgres:1.6.1.Release
> > - jboss/keycloak-ha-postgres:1.6.0.Release
> >
> > Steps to reproduce:
> >
> > # Start Postgres Instance:
> > docker run --name kc-db -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=password -p 25432:5432 -d postgres
> >
> > # Start KC Server
> > docker run --name kc-server1 --link kc-db:postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -p 8101:8080 jboss/keycloak-ha-postgres
> >
> > # Exception during start:
> > ...
> > 10:33:54,461 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> > 10:33:54,472 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> > at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > at java.lang.Thread.run(Thread.java:745)
> > at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > Caused by: java.lang.RuntimeException: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:160)
> > at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
> > at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
> > at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> > at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> > at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
> > at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
> > at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> > ... 6 more
> > Caused by: java.lang.NullPointerException
> > at org.keycloak.models.sessions.infinispan.initializer.OfflineUserSessionLoader.init(OfflineUserSessionLoader.java:25)
> > at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer$1.run(InfinispanUserSessionInitializer.java:100)
> > at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:244)
> > at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.getOrCreateInitializerState(InfinispanUserSessionInitializer.java:97)
> > at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:148)
> > at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:78)
> > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$3.run(InfinispanUserSessionProviderFactory.java:111)
> > at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:244)
> > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:102)
> > at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.onEvent(InfinispanUserSessionProviderFactory.java:86)
> > at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:47)
> > at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:87)
> > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> > at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
> > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> > at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
> > ... 19 more
> >
> > 10:33:54,516 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) -

From srossillo at smartling.com Mon Dec 14 16:24:33 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 14 Dec 2015 16:24:33 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <566EE76D.2090001@redhat.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de> <566E74CD.9000406@redhat.com> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de> <566ED923.10306@redhat.com> <566EE670.9090001@redhat.com> <566EE76D.2090001@redhat.com>
Message-ID: <622AE9A5-3E81-4CA5-B4B6-CACD84051DB2@smartling.com>

AWS was why we didn't use Infinispan to begin with. That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.

It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used. I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo and it's easier to test locally.
TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).

Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 14, 2015, at 10:59 AM, Marek Posolda wrote:
>
> On 14/12/15 16:55, Marek Posolda wrote:
>> On 14/12/15 15:58, Bill Burke wrote:
>>> On 12/14/2015 5:01 AM, Niko Köbler wrote:
>>>> Hi Marek,
>>>>
>>>>> On 14.12.2015 at 08:50, Marek Posolda <mposolda at redhat.com> wrote:
>>>>>
>>>>> Btw. what's your motivation to not use infinispan? If you afraid of cluster communication, you don't need to worry much about it, because if you run single keycloak through standalone.xml, the infinispan automatically works in LOCAL mode and there is no any cluster communication at all.
>>>> My current customer is running his apps in AWS. As known, multicast is not available in cloud infrastructures. Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know too much about JGroups config. S3_PING seems to be a viable way to get a cluster running in AWS. But additionally, my customer doesn't have any (deep) knowledge about JBoss infrastructures and so I'm looking for a way to be able to run Keycloak in a cluster in AWS without the need to build up deeper knowledge of JGroups config, for example in getting rid of Infinispan. But I do understand all the concerns in doing this. I still have to test S3_PING, if it works as easy as multicast. If yes, we can use it, if no... I don't know yet. But this gets offtopic for Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.
>>>>
>>> seems to me it would be much easier to get Infinispan working on AWS than to write and maintain an entire new caching mechanism and hope we don't refactor the cache SPI.
>>>
>> +1
>>
>> I am sure infinispan/JGroups has possibility to run in non-multicast environment. You may just need to figure how exactly to configure it. So I agree that this issue is more related to Wildfly/Infinispan itself than to Keycloak.
>>
>> You may need to use jgroups protocols like TCP instead of default UDP and maybe TCPPING (this requires to manually list all your cluster nodes. But still, it's much better option IMO than rewriting UserSession SPI)
> Btw. if TCPPING or S3_PING is an issue, there is also AWS_PING http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's not official part of jgroups.
>
> Marek
>>
>> Marek

From mposolda at redhat.com Mon Dec 14 17:32:08 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Dec 2015 23:32:08 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <622AE9A5-3E81-4CA5-B4B6-CACD84051DB2@smartling.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de> <566E74CD.9000406@redhat.com> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de> <566ED923.10306@redhat.com> <566EE670.9090001@redhat.com> <566EE76D.2090001@redhat.com> <622AE9A5-3E81-4CA5-B4B6-CACD84051DB2@smartling.com>
Message-ID: <566F4368.9060508@redhat.com>

CCing Alan Field from RH Infinispan team and forwarding his question: I'd like to know which configuration files you are using and why it is harder to use with Amazon's Docker service (ECS) or Beanstalk.
I'd also be interested in how big a cluster you are using in AWS.

On 14/12/15 22:24, Scott Rossillo wrote:
> AWS was why we didn't use Infinispan to begin with. That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.
>
> It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used. I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo and it's easier to test locally.
>
> TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
From srossillo at smartling.com Mon Dec 14 18:31:30 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 14 Dec 2015 18:31:30 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <566F4368.9060508@redhat.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <566ADE0C.2010704@redhat.com> <4B40CDCA-C131-4810-A1CB-4321062657EC@n-k.de> <566E74CD.9000406@redhat.com> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de> <566ED923.10306@redhat.com> <566EE670.9090001@redhat.com> <566EE76D.2090001@redhat.com> <622AE9A5-3E81-4CA5-B4B6-CACD84051DB2@smartling.com> <566F4368.9060508@redhat.com>
Message-ID: <44B0D4D7-9D5D-4DCD-BF82-4AF9A1182609@smartling.com>

There are two issues:

1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.

2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP. This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple work around.

Take for example a simple 2 node cluster:

Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.

The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic. So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default.

However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster. The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.

I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list. Let me know what you think.

Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 14, 2015, at 5:32 PM, Marek Posolda wrote:
>
> CCing Alan Field from RH Infinispan team and forwarding his question: I'd like to know which configuration files you are using and why it is harder to use with Amazon's Docker service (ECS) or Beanstalk. I'd also be interested in how big a cluster you are using in AWS.

From helder.jaspion at gmail.com Tue Dec 15 06:09:31 2015
From: helder.jaspion at gmail.com (Helder dos S. Alves)
Date: Tue, 15 Dec 2015 09:09:31 -0200
Subject: [keycloak-user] Different theme for each client
Message-ID:

Hi.

I need to have a different theme for each of the clients of a realm. If a user came from one client, I have to show a keycloak page with the logo and skin of that client. Is it possible with Keycloak? How?

Thanks in advance.

Helder S. Alves
From revanth at arvindinternet.com Tue Dec 15 06:14:30 2015
From: revanth at arvindinternet.com (Revanth Ayalasomayajula)
Date: Tue, 15 Dec 2015 16:44:30 +0530
Subject: [keycloak-user] Different theme for each client
In-Reply-To:
References:
Message-ID:

+1 for this feature.

On Tue, Dec 15, 2015 at 4:39 PM, Helder dos S. Alves <helder.jaspion at gmail.com> wrote:
> Hi.
>
> I need to have a different theme for each of the clients of a realm. If a user came from one client, I have to show a keycloak page with the logo and skin of that client. Is it possible with Keycloak? How?
>
> Thanks in advance.
>
> Helder S. Alves

From johan.bos at c6.eu Tue Dec 15 08:36:53 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Tue, 15 Dec 2015 14:36:53 +0100
Subject: [keycloak-user] authentication provider and login override questions
Message-ID: <56701775.9020705@c6.eu>

Hi,

I can see KeyCloak allows to define authentications based on SAML protocol.

My requirements are:
- a set of application/client secured by a KeyCloak server
- role/group defined in Keycloak
- user/pass synchro from ActiveDirectory (optional - surely some mapping to retrieve some information)

We need keycloak and like it: for the user management and authentication solution it provides to an application, in a simple way.

1) When an SSO is already in place. As the apps we provide sometime, but not always is being integrated in a customer env.
that already using an SSO solution, I would like to know if my understanding is right: does the authentication module in keycloak where you can define an SAML providers will delegate the SSO/login part to an external solution that will handle for him the authentication? Possible SSO is: "Ping", it says they are SAML compatible, does it means I only need the SSO URL and logout URL to try it?

2) Since keycloak provides for SSO the login pages. How do you integrate it with an application (angular/J2ee) that already have its own? Without removing it. Do you keep on basic J2EE setup so any client url would be secure, then once authorized, the apps will continue to bring up its own login page? Does it mean the app should have a filter to implies some auto-connect so client side does not try to bring the login and instead consider the user connected? Or does it mean using keycloak.js and follow some angular example where upon loading we first make everything from the JS side and make no change on the Java Apps?

3) I tried to override the login flow, to make my own authenticator. I could see multiple way to do it. My requirement is to have a supplementary field on the login page, because I need to authenticate and validate my username/pass/repo to a REST API that must be access in a secured way all the time, prior to give access to my clients/realm.

In order to make this, I ended up providing my own template (ftl) but then I could no longer use the login.username in it since the createResponse (normal cases) is the only one to take the formDatas and load in attributes the LoginBean with it. I was using my-page.ftl so could not use the createLogin, instead I was using createForm. So even when I set the attribute with "login" key based on the loginBean, login.username was triggering an error.

    forms.setAttribute("login", new LoginBean(formData));

So whatever, I simply used "username" directly and it worked, but I don't know to which extend nor why. I have some missing on freemarker api and how you compiling it with POJO beans in a Map.

3bis) For my suppl. field, I need a dropdown box and freemarker would need a collection to loop over. I thought I would have to pass a list of POJO (to create a dropbox) to the "attributes" that is being used to compile my template. In my template, I used "#list", but I could not get it to recognize my bean nor loop on it. It always consider it as not present.

Here a sample of my authenticator that produce the new login form:

    // repositories being a java.util.List and Repository is a POJO with name and description attribute (get method implemented)
    // context being the AuthenticationFlowContext
    // I simply do:
    LoginFormsProvider forms = context.form();
    forms.setAttribute("repositories", repositories);
    forms.setAttribute("repository", "");

I do this before doing the forms.createForm("my-login.ftl")

Here what I added to the my-login.ftl which is the copy of login.ftl with a new field (the HTML around the directives was lost in the list archive):

    //...I remove the label for the field, which work nice...
    <#if repository??>
    <#if repositories??>
    <#list repositories as repo>
    <#if repository?? && repository == repo.name>
    <#else>
    <#else>

What do I get wrong? I always have only the demo option.

--
Regards,
Johan Bos

From bbazian at mbopartners.com Tue Dec 15 08:44:30 2015
From: bbazian at mbopartners.com (Ben Bazian)
Date: Tue, 15 Dec 2015 13:44:30 +0000
Subject: [keycloak-user] SAML requires reauthentication
Message-ID: <860E8DAFFC76794694CFF405F8A1E71F027D942C@416429-EXCH1.mbopartners.com>

Scenario:

Use SP initiated URL (same if I use IDP initiated) to log into Salesforce. Open new tab and use same URL and instead of passing right through it once again prompts to authenticate through Keycloak.
This behavior occurs even in the same tab. I would expect the behavior to be that as long as the browser is open it should not prompt for credentials. Is there a setting somewhere that I missed?

From pblair at clearme.com Tue Dec 15 09:47:16 2015
From: pblair at clearme.com (Paul Blair)
Date: Tue, 15 Dec 2015 14:47:16 +0000
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <44B0D4D7-9D5D-4DCD-BF82-4AF9A1182609@smartling.com>
Message-ID:

I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.

Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.

From: Scott Rossillo
Date: Mon, 14 Dec 2015 18:31:30 -0500
To: Marek Posolda
Cc: keycloak-user
Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?

There are two issues:

1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.

2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP. This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple work around.
Take for example a simple 2 node cluster: Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100. Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108. The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose to this works fine for HTTP/HTTPS but not the cluster traffic. So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster. The nodes will reject the handshake thinking they?re not actually 10.10.0.100 or 10.10.0.108 respectively. I?d like to discuss further and I can share where we?ve gotten so far with workarounds to this but it may be better to get into the weeds on another list. Let me know what you think. Best, Scott Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com [Powered by Sigstr] On Dec 14, 2015, at 5:32 PM, Marek Posolda > wrote: CCing Alan Field from RH Infinispan team and forwarding his question: I'd like to know which configuration files you are using and why is is harder to use with Amazon?s Docker service (ECS) or Beanstalk. I'd also be interested in how big a cluster you are using in AWS. On 14/12/15 22:24, Scott Rossillo wrote: AWS was why we didn?t use Infinispan to begin with. That and it?s even more complicated when you deploy using Amazon?s Docker service (ECS) or Beanstalk. It?s too bad Infinispan / JGroups are beasts when the out of the box configuration can?t be used. I?m planning to document this as we fix but I?d avoid S3_PING and use JDBC_PING. 
You already need JDBC for the Keycloak DB, unless you're using Mongo, and it's easier to test locally.

TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).

Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Dec 14, 2015, at 10:59 AM, Marek Posolda wrote:

On 14/12/15 16:55, Marek Posolda wrote:

On 14/12/15 15:58, Bill Burke wrote:

On 12/14/2015 5:01 AM, Niko Köbler wrote:

Hi Marek,

On 14.12.2015 at 08:50, Marek Posolda <mposolda at redhat.com> wrote:

Btw. what's your motivation to not use infinispan? If you are afraid of cluster communication, you don't need to worry much about it, because if you run single keycloak through standalone.xml, the infinispan automatically works in LOCAL mode and there is no cluster communication at all.

My current customer is running his apps in AWS. As known, multicast is not available in cloud infrastructures. Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know too much about JGroups config. S3_PING seems to be a viable way to get a cluster running in AWS. But additionally, my customer doesn't have any (deep) knowledge about JBoss infrastructures and so I'm looking for a way to be able to run Keycloak in a cluster in AWS without the need to build up deeper knowledge of JGroups config, for example in getting rid of Infinispan. But I do understand all the concerns in doing this. I still have to test S3_PING, if it works as easy as multicast. If yes, we can use it, if no... I don't know yet. But this gets offtopic for Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.

seems to me it would be much easier to get Infinispan working on AWS than to write and maintain an entire new caching mechanism and hope we don't refactor the cache SPI.

+1

I am sure infinispan/JGroups has the possibility to run in a non-multicast environment.
You may just need to figure out how exactly to configure it. So I agree that this issue is more related to Wildfly/Infinispan itself than to Keycloak.

You may need to use jgroups protocols like TCP instead of default UDP and maybe TCPPING (this requires you to manually list all your cluster nodes. But still, it's a much better option IMO than rewriting UserSession SPI)

Btw. if TCPPING or S3_PING is an issue, there is also AWS_PING http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's not an official part of jgroups.

Marek

Marek

From bburke at redhat.com Tue Dec 15 09:52:06 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 15 Dec 2015 09:52:06 -0500
Subject: [keycloak-user] SAML requires reauthentication
In-Reply-To: <860E8DAFFC76794694CFF405F8A1E71F027D942C@416429-EXCH1.mbopartners.com>
References: <860E8DAFFC76794694CFF405F8A1E71F027D942C@416429-EXCH1.mbopartners.com>
Message-ID: <56702916.3010002@redhat.com>

I haven't had a chance to try and reproduce this yet. Busy with a couple of other things.

On 12/15/2015 8:44 AM, Ben Bazian wrote:
> Scenario:
>
> Use SP initiated URL (same if I use IDP initiated) to log into
> Salesforce. Open new tab and use same URL and instead of passing right
> through it once again prompts to authenticate through Keycloak. This
> behavior occurs even in the same tab.
> I would expect the behavior to be
> that as long as the browser is open it should not prompt for credentials.
>
> Is there a setting somewhere that I missed?
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Tue Dec 15 09:55:32 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 15 Dec 2015 09:55:32 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <330092490.26880881.1450140912300.JavaMail.zimbra@redhat.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de> <566ED923.10306@redhat.com> <566EE670.9090001@redhat.com> <566EE76D.2090001@redhat.com> <622AE9A5-3E81-4CA5-B4B6-CACD84051DB2@smartling.com> <566F4368.9060508@redhat.com> <44B0D4D7-9D5D-4DCD-BF82-4AF9A1182609@smartling.com> <330092490.26880881.1450140912300.JavaMail.zimbra@redhat.com>
Message-ID: <567029E4.4030805@redhat.com>

See Alan Field's response. He's being moderated and...I've forgotten the moderator password. :)

On 12/14/2015 7:55 PM, Alan Field wrote:
> Hey Scott,
>
> From: "Scott Rossillo"
> To: "Marek Posolda", afield at redhat.com
> Cc: "keycloak-user", "Bill Burke"
> Sent: Monday, December 14, 2015 6:31:30 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure
> correctly with the various ping techniques that aren't UDP
> multicast. I can elaborate on each one that we tested but it's just
> generally complex to get right.
> That's not to say it's impossible or
> the biggest reason this is complicated on ECS or _insert container
> service here_, see #2 for that.
>
> The Infinispan server and JBoss EAP include a TCP-based stack in the
> configuration to run on EC2 that looks like this:
>
> <protocol type="S3_PING">
>     <property name="location">${jgroups.s3.bucket:}</property>
>     <property name="access_key">${jgroups.s3.access_key:}</property>
>     <property name="secret_access_key">${jgroups.s3.secret_access_key:}</property>
>     <property name="pre_signed_delete_url">${jgroups.s3.pre_signed_delete_url:}</property>
>     <property name="pre_signed_put_url">${jgroups.s3.pre_signed_put_url:}</property>
>     <property name="prefix">${jgroups.s3.prefix:}</property>
> </protocol>
>
> With this in the configuration file, you can start the server with the
> following system properties defined:
>
> bin/clustered.sh -Djboss.node.name=node0
> -Djboss.socket.binding.port-offset=0 -Djboss.default.jgroups.stack=s3
> -Djgroups.s3.bucket=
> -Djgroups.s3.access_key=
> -Djgroups.s3.secret_access_key=
>
> This will cause the server to start and the nodes will write to a file
> in the S3 bucket to allow the nodes to discover each other. I do not see
> this stack defined in the configuration used by WildFly 9, but it should
> work there as well. It is also possible to use the JGroups Gossip Router
> for discovery, but it requires running a separate process that all of
> the nodes contact during the discovery phase.
>
> 2. It is difficult to do discovery correctly with JGroups and
> Docker. Non-privileged Docker instances - the default and recommended
> type - do not implicitly know their host's IP. This causes IP
> mismatches between what JGroups thinks the machine's IP is and what
> it actually is when connecting to hosts on different machines. This
> is the main issue and it's not the fault of JGroups per se, but
> there's no simple work around.
>
> Take for example a simple 2 node cluster:
>
> Node 1 comes up on the docker0 interface of host A with the IP
> address 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP
> address 172.16.0.8. The host B IP is 10.10.0.108.
>
> The 172.16 network is not routable between hosts (by design). Docker
> does port forwarding for ports we wish to expose, so this works fine
> for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2
> advertises 172.16.0.8. The two cannot talk to each other by default.
> However, using the hard coded IPs and TCP PING, we can
> set external_addr on Node 1 to 10.10.0.100 and external_addr on Node
> 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108.
> This will cause the nodes to discover each other. However, they will
> not form a cluster. The nodes will reject the handshake thinking
> they're not actually 10.10.0.100 or 10.10.0.108 respectively.
>
> I'd like to discuss further and I can share where we've gotten so
> far with workarounds to this but it may be better to get into the
> weeds on another list.
>
> Let me know what you think.
>
> This issue is a little trickier, and I think we should probably move the
> discussion to the jgroups-users list which you can subscribe to here.
> [1] Bela Ban may have some ideas about how to set the binding address or
> interface to get around this. The Fabric8 project is also using a
> JGroups discovery protocol that relies on Kubernetes, but I don't think
> ECS uses Kubernetes.
>
> Thanks,
> Alan
>
> [1] https://lists.sourceforge.net/lists/listinfo/javagroups-users
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 14, 2015, at 5:32 PM, Marek Posolda wrote:
>
> CCing Alan Field from RH Infinispan team and forwarding his question:
>
> I'd like to know which configuration files you are using and why it is
> harder to use with Amazon's Docker service (ECS) or Beanstalk. I'd also be
> interested in how big a cluster you are using in AWS.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From orestis.tsakiridis at telestax.com Tue Dec 15 10:54:52 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 15 Dec 2015 17:54:52 +0200
Subject: [keycloak-user] Automated testing for keycloak secured applications
Message-ID:

Hello,

I try to build automated tests for a keycloak secured REST application. I plan to use Arquillian as a test platform.

Do I need to have a working keycloak server to be used in the tests?
Or is it possible to embed keycloak in the temporary deployment created by Arquillian?

Btw, my endpoints don't use web.xml based security rules. I instead use RSATokenVerifier.verifyToken() to manually verify the token. Thus, I suppose that being able to manually create auth tokens from my test cases (and not relying on a keycloak server) would also work.

Regards
Orestis

From bburke at redhat.com Tue Dec 15 11:00:58 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 15 Dec 2015 11:00:58 -0500
Subject: [keycloak-user] Automated testing for keycloak secured applications
In-Reply-To:
References:
Message-ID: <5670393A.2010605@redhat.com>

On 12/15/2015 10:54 AM, Orestis Tsakiridis wrote:
> Hello,
>
> I try to build automated tests for a keycloak secured REST application.
> I plan to use arquilian as a test platform.
>
> Do i need to have a working keycloak server to be used in the tests ?
> Or is it possible to embed keycloak in the temporary deployment created
> by arquilian?
>

That's a real good point. Not sure how we are tackling this.

> Btw, my endpoints don't use web.xml based security rules. I instead use
>
> RSATokenVerifier.verifyToken() to manually verify the token.
>
> Thus, i suppose that being able to manually create auth tokens from my
> test cases (and not relying on a keycloak server) would also work.
>

FYI, Keycloak client adapters do have filter implementations now that you can use.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From orestis.tsakiridis at telestax.com Tue Dec 15 11:11:20 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 15 Dec 2015 18:11:20 +0200
Subject: [keycloak-user] Automated testing for keycloak secured applications
In-Reply-To: <5670393A.2010605@redhat.com>
References: <5670393A.2010605@redhat.com>
Message-ID:

I see.

So, I'll need to have a separate working keycloak server available for testing. No workarounds. Did I get this right?

On Tue, Dec 15, 2015 at 6:00 PM, Bill Burke wrote:
> On 12/15/2015 10:54 AM, Orestis Tsakiridis wrote:
> > Do i need to have a working keycloak server to be used in the tests ?
> > Or is it possible to embed keycloak in the temporary deployment created
> > by arquilian?
>
> That's a real good point. Not sure how we are tackling this.
>
> > Thus, i suppose that being able to manually create auth tokens from my
> > test cases (and not relying on a keycloak server) would also work.
>
> FYI, Keycloak client adapters do have filter implementations now that
> you can use.

From bburke at redhat.com Tue Dec 15 11:14:05 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 15 Dec 2015 11:14:05 -0500
Subject: [keycloak-user] Automated testing for keycloak secured applications
In-Reply-To:
References: <5670393A.2010605@redhat.com>
Message-ID: <56703C4D.8050908@redhat.com>

I'm saying I personally don't know :) I'm pretty sure our testsuite does something with arquillian, not exactly sure what though.

testsuite/integration-arquillian

This is something we'll need to nail down and document well. Sorry it's not that way already.

On 12/15/2015 11:11 AM, Orestis Tsakiridis wrote:
> I see.
>
> So, i'll need to have a separate working keycloak server available for
> testing. No workarounds. Did i got this right ?

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bmcwhirt at redhat.com Tue Dec 15 11:15:58 2015
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Tue, 15 Dec 2015 11:15:58 -0500
Subject: [keycloak-user] Automated testing for keycloak secured applications
In-Reply-To:
References: <5670393A.2010605@redhat.com>
Message-ID:

Let me suggest the WildFly Swarm Keycloak Server.

We use it in testing secured Swarm apps.

It's an executable .jar with maven coordinates, and can be executed with the maven-exec-plugin in your pre-integration-test phase, or you can use the wildfly-swarm-plugin to start/stop it.

See here for an example:

https://github.com/wildfly-swarm/wildfly-swarm-examples/blob/master/ribbon-secured/test/pom.xml#L117-L140

We'll document this better shortly.

-Bob

On Tue, Dec 15, 2015 at 11:11 AM, Orestis Tsakiridis wrote:
> I see.
>
> So, i'll need to have a separate working keycloak server available for
> testing. No workarounds. Did i got this right ?

From orestis.tsakiridis at telestax.com Tue Dec 15 11:19:19 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 15 Dec 2015 18:19:19 +0200
Subject: [keycloak-user] Automated testing for keycloak secured applications
In-Reply-To: <56703C4D.8050908@redhat.com>
References: <5670393A.2010605@redhat.com> <56703C4D.8050908@redhat.com>
Message-ID:

Thanks Bill. I will look into it. You've already done a lot, so, already grateful there.

Regards
Orestis

On Tue, Dec 15, 2015 at 6:14 PM, Bill Burke wrote:
> I'm saying I personally don't know :) I'm pretty sure our testsuite does
> something with arquillian, not exactly sure what though.
>
> testsuite/integration-arquillian
>
> This is something we'll need to nail down and document well. Sorry its
> not that way already.

From orestis.tsakiridis at telestax.com Tue Dec 15 11:25:16 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 15 Dec 2015 18:25:16 +0200
Subject: [keycloak-user] Automated testing for keycloak secured applications
In-Reply-To:
References: <5670393A.2010605@redhat.com>
Message-ID:

Thanks Bob, that might be the way to go. Will definitely try it.

On Tue, Dec 15, 2015 at 6:15 PM, Bob McWhirter wrote:
> Let me suggest the WildFly Swarm Keycloak Server.
>
> We use it in testing secured Swarm apps.
>
> It's an executable .jar with maven coordinates, and can be executed with
> the maven-exec-plugin in your pre-integration-test phase, or you can use
> the wildfly-swarm-plugin to start/stop it.
>
> See here for an example:
>
> https://github.com/wildfly-swarm/wildfly-swarm-examples/blob/master/ribbon-secured/test/pom.xml#L117-L140
>
> We'll document this better shortly.
>
> -Bob

From bburke at redhat.com Tue Dec 15 11:35:19 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 15 Dec 2015 11:35:19 -0500
Subject: [keycloak-user] authentication provider and login override questions
In-Reply-To: <56701775.9020705@c6.eu>
References: <56701775.9020705@c6.eu>
Message-ID: <56704147.9050106@redhat.com>

On 12/15/2015 8:36 AM, Johan Bos wrote:
> Hi,
>
> I can see KeyCloak allows to define authentications based on SAML protocol.
> My requirements are:
> a set of application/client secured by a KeyCloak server
> role/group defined in Keycloak
> user/pass synchro from ActiveDirectory (optional - surely some mapping
> to retrieve some information)
>
> We need keycloak and like it: for the user management and authentication
> solution it provides to an application, in a simple way.
>
> 1) When an SSO is already in place.
> As the apps we provide sometime, but not always is being integrated in a
> customer env. that already using an SSO solution, I would like to know
> if my understanding is right:
> does the authentication module in keycloak where you can define an SAML
> providers will delegate the SSO/login part to an external solution that
> will handle for him the authentication?
> Possible SSO is: "Ping", it says they are SAML compatible, does it means
> I only need the SSO URL and logout URL to try it?
Are you sure you need Keycloak server? Your best bet, IMO, is to just use the already deployed SSO solution if you can't swap it out for Keycloak. Our SAML client adapter should work with that SSO solution.

> 2) Since keycloak provides for SSO the login pages.
> How do you integrate it with an application (angular/J2ee) that already
> have its own? Without removing it.
>

Keycloak login pages are themable. You can change their look and feel. You can't reuse an existing app's login pages.

> Do you keep on basic J2EE setup so any client url would be secure, then
> once authorized, the apps will continue to bring up its own login page?
> Does it mean the app should have a filter to implies some auto-connect
> so client side does not try to bring the login and instead consider the
> user connected?
> or does it mean using keycloak.js and follow some angular example where
> upon loading we first make everything from the JS side and make no
> change on the Java Apps?
>

Use keycloak.js with your angular app. There are examples that come with the distribution that show how to do this.

> 3) I tried to override the login flow, to make my own authenticator. I
> could see multiple way to do it. My requirement is to have a
> supplementary field on the login page, because I need to authenticate
> and validate my username/pass/repo to a REST API that must be access in
> a secured way all the time, prior to give access to my clients/realm.
>
> In order to make this, I ended up providing my own template (ftl) but
> then I could no longer use the login.username in it since the
> createResponse (normal cases) is the only one to take the formDatas and
> load in attributes the LoginBean with it. I was using my-page.ftl so
> could not use the createLogin, instead I was using createForm
> So even when I set the attribute with "login" key based on the
> loginBean, login.username was triggering an error.
> forms.setAttribute("login", new LoginBean(formData));
>
> So Whatever, I simply used "username" directly and it worked, but I
> don't know to which extend nor why. I have some missing on freemarker
> api and how you compiling it with POJO beans in a Map.
>

I am not following you at all :)

> 3bis) For my suppl. field, I need a dropdown box and freemarker would
> need a collection to loop over. I though I would have to pass a list of
> POJO (to create a dropbox) to the "attributes" that is being used to
> compile my template. In my template, I used "#list", but I could not get
> it to recognize my bean nor loop on it. It always consider it as not
> present.
>
> Here a sample of my authenticator that produce the new login form:
>

I could not reproduce your problem. I did the following to the examples/providers/authenticator example:

* Edit line 42 of SecretQuestionAuthenticator:

Response challenge = context.form().setAttribute("foo", "bar").createForm("secret-question.ftl");

* Edit line 11 of secret-question.ftl

added ${foo} and it prints out fine.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From johan.bos at c6.eu Tue Dec 15 12:07:49 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Tue, 15 Dec 2015 18:07:49 +0100
Subject: [keycloak-user] authentication provider and login override questions
In-Reply-To: <56704147.9050106@redhat.com>
References: <56701775.9020705@c6.eu> <56704147.9050106@redhat.com>
Message-ID: <567048E5.8010604@c6.eu>

See inline,

On 15/12/2015 17:35, Bill Burke wrote:
>
> On 12/15/2015 8:36 AM, Johan Bos wrote:
>> Hi,
>>
>> I can see KeyCloak allows to define authentications based on SAML protocol.
>> My requirements are: >> a set of application/client secured by a KeyCloak server >> role/group defined in Keycloak >> user/pass synchro from ActiveDirectory (optional - surely some mapping >> to retrieve some information) >> >> We need keycloak and like it: for the user management and authentication >> solution it provides to an application, in a simple way. >> >> 1) When an SSO is already in place. >> As the apps we provide sometime, but not always is being integrated in a >> customer env. that already using an SSO solution, I would like to know >> if my understanding is right: >> does the authentication module in keycloak where you can define an SAML >> providers will delegate the SSO/login part to an external solution that >> will handle for him the authentication? >> Possible SSO is: "Ping", it says they are SAML compatible, does it means >> I only need the SSO URL and logout URL to try it? >> > Are you sure you need Keycloak server? Your best bet, IMO, is to just > use the already deployed SSO solution if you can't swap it out for > Keycloak. Our SAML client adapter should work with that SSO solution. Well yes, since we are not only focusing on that customer and we want to propose a solution that handle user/group/auth by itself. So my understanding is right about the client adapter, it delegates. I am testing Keycloak and other solution but that does not provide OOTB solution for user/group management, would be shiro, we used it before and it is well for integration into an existing ecosystem but when there is none, we want something to propose and keycloak remove a good part of the authentication issue. >> 2) Since keycloak provides for SSO the login pages. >> How do you integrate it with an application (angular/J2ee) that already >> have its own? Without removing it. >> > Keycloak login pages are themable. You can change their look and feel. > You can't reuse an existing app's login pages. 
I understood that, so it means that a good part of handling on our apps to
manage keycloak is needed to have an autoconnect flow that avoids our
internal login.

>> Do you keep on basic J2EE setup so any client url would be secured, then
>> once authorized, the app will continue to bring up its own login page?
>> Does it mean the app should have a filter to imply some auto-connect
>> so the client side does not try to bring the login and instead considers the
>> user connected?
>> or does it mean using keycloak.js and following some angular example where
>> upon loading we first make everything from the JS side and make no
>> change on the Java Apps?
>>
> Use keycloak.js with your angular app. There are examples that come
> with the distribution that show how to do this.

I will. My question was more, is it the right approach or can this be done
on the J2EE part with a servlet filter only. I suppose only I can answer this.

>> 3) I tried to override the login flow, to make my own authenticator. I
>> could see multiple ways to do it. My requirement is to have a
>> supplementary field on the login page, because I need to authenticate
>> and validate my username/pass/repo against a REST API that must be accessed in
>> a secured way all the time, prior to giving access to my clients/realm.
>>
>> In order to make this, I ended up providing my own template (ftl) but
>> then I could no longer use the login.username in it since the
>> createResponse (normal cases) is the only one to take the formData and
>> load in attributes the LoginBean with it. I was using my-page.ftl so
>> could not use the createLogin, instead I was using createForm
>> So even when I set the attribute with "login" key based on the
>> loginBean, login.username was triggering an error.
>> forms.setAttribute("login", new LoginBean(formData));
>>
>> So whatever, I simply used "username" directly and it worked, but I
>> don't know to which extent nor why.
>> I am missing some knowledge of the freemarker
>> api and how you compile it with POJO beans in a Map.
>>
> I am not following you at all :)

That was more a code diving question that I had to make to understand the
way it works. Even after that I still don't get why from your login template
you can access login.username, and I can't with mine.

>
>> 3bis) For my suppl. field, I need a dropdown box and freemarker would
>> need a collection to loop over. I thought I would have to pass a list of
>> POJO (to create a dropbox) to the "attributes" that is being used to
>> compile my template. In my template, I used "#list", but I could not get
>> it to recognize my bean nor loop on it. It always considers it as not
>> present.
>>
>> Here a sample of my authenticator that produces the new login form:
>>
> I could not reproduce your problem. I did the following to the
> examples/providers/authenticator example:
>
> * Edit line 42 of SecretQuestionAuthenticator:
>
> Response challenge = context.form().setAttribute("foo",
> "bar").createForm("secret-question.ftl");
>
>
> * Edit line 11 of secret-question.ftl
>
>
>
> added ${foo} and it prints out fine.
>

Yes, that's the basic string, it works for me too, when I pass from my
example the default value for repository. But my Object is not just a
string, instead a List repos where Repository has a name attribute

context.form().setAttribute("repositories", repos )
context.form().setAttribute("repository", "default" )

I then tried in my template to do something like

#list repositories as repo
${repo.name}

The If test is not seeing the "repositories" corresponding value object.
Can we only use strings? If so, how do you pass for the social registration
the list of social providers?

>
> Thanks for your prompt answer and the hard time you got to follow me.

--
Regards,
Johan Bos

-------------- next part --------------
A non-text attachment was scrubbed...
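The pattern Johan is after (a List of POJOs handed to a custom form and iterated with #list), written out as an added example; this is not Johan's authenticator nor Keycloak's own code. It assumes the 1.x Authenticator SPI shown in the examples/providers/authenticator example, a hypothetical template name repository-choice.ftl, that this step runs after the standard username/password form (so the user is already known), and that FreeMarker's default object wrapper exposes the POJO's public getters.

```java
package example.login; // hypothetical package

import java.util.Arrays;
import java.util.List;

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Hypothetical authenticator that renders a custom form with a dropdown of
 * repositories. The "repositories" attribute is a List of POJOs; FreeMarker's
 * default object wrapper exposes public getters, so the template can iterate
 * with #list and read ${repo.name}, the same way a plain String attribute
 * like setAttribute("foo", "bar") is reachable as ${foo}.
 */
public class RepositoryChoiceAuthenticator implements Authenticator {

    /** Plain POJO; FreeMarker resolves ${repo.name} through getName(). */
    public static class Repository {
        private final String name;
        public Repository(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed sample list; a real deployment would load this from config.
    static final List<Repository> REPOSITORIES = Arrays.asList(
            new Repository("default"), new Repository("archive"));

    static final String FORM = "repository-choice.ftl"; // assumed theme template
    static final String FIELD = "repository";           // form field and session note name

    /* repository-choice.ftl (assumed, placed in the theme's login folder):
     *
     *   <form method="post" action="${url.loginAction}">
     *     <p>Signed in as ${username}</p>
     *     <#if repositoryError??><p class="error">Unknown repository</p></#if>
     *     <select name="repository">
     *       <#list repositories as repo>
     *         <option value="${repo.name}" <#if repo.name == repository>selected</#if>>
     *           ${repo.name}
     *         </option>
     *       </#list>
     *     </select>
     *     <input type="submit" value="Continue">
     *   </form>
     */

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        context.challenge(renderForm(context, "default", false));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String chosen = form.getFirst(FIELD);

        // Never trust the dropdown value: re-check it against the server-side list,
        // and re-render the same form (list included) on failure.
        if (!isKnownRepository(chosen)) {
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                    renderForm(context, "default", true));
            return;
        }
        // Record the validated choice for later steps in the flow.
        context.getClientSession().setNote(FIELD, chosen);
        context.success();
    }

    /** True only if the submitted value matches one of the configured repositories. */
    static boolean isKnownRepository(String name) {
        if (name == null) return false;
        for (Repository r : REPOSITORIES) {
            if (r.getName().equals(name)) return true;
        }
        return false;
    }

    private Response renderForm(AuthenticationFlowContext context, String selected, boolean error) {
        // Same chaining as setAttribute("foo", "bar").createForm(...), with a List value.
        LoginFormsProvider form = context.form()
                .setAttribute("username", context.getUser().getUsername())
                .setAttribute("repositories", REPOSITORIES)
                .setAttribute(FIELD, selected);
        if (error) form.setAttribute("repositoryError", Boolean.TRUE);
        return form.createForm(FORM);
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```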
Name: johan_bos.vcf
Type: text/x-vcard
Size: 335 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151215/9127d0ba/attachment.vcf

From niko at n-k.de Tue Dec 15 13:53:18 2015
From: niko at n-k.de (Niko Köbler)
Date: Tue, 15 Dec 2015 19:53:18 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: References:
Message-ID: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de>

We will go for the first run with EC2 and S3_PING, but w/o Docker.
If we/you/whoever will find a proper solution (possibly on the jgroups
mailinglist), we will test this.
Seems that everybody is aware of the Docker/Cloud/Multicast issues, but
no-one has a proper solution, only workarounds. :(

> On 15.12.2015 at 15:47, Paul Blair wrote:
>
> I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
>
> Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
>
> From: Scott Rossillo
> Date: Mon, 14 Dec 2015 18:31:30 -0500
> To: Marek Posolda
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.
>
> 2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP.
> This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple work around.
>
> Take for example a simple 2 node cluster:
>
> Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.
>
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster. The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.
>
> I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list.
>
> Let me know what you think.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
>> On Dec 14, 2015, at 5:32 PM, Marek Posolda wrote:
>>
>> CCing Alan Field from RH Infinispan team and forwarding his question:
>> I'd like to know which configuration files you are using and why it is
>> harder to use with Amazon's Docker service (ECS) or Beanstalk. I'd also be
>> interested in how big a cluster you are using in AWS.
>>
>>
>> On 14/12/15 22:24, Scott Rossillo wrote:
>>> AWS was why we didn't use Infinispan to begin with.
>>> That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.
>>>
>>> It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used. I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo and it's easier to test locally.
>>>
>>> TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).
>>>
>>> Best,
>>> Scott
>>>
>>> Scott Rossillo
>>> Smartling | Senior Software Engineer
>>> srossillo at smartling.com
>>>
>>>
>>>> On Dec 14, 2015, at 10:59 AM, Marek Posolda wrote:
>>>>
>>>> On 14/12/15 16:55, Marek Posolda wrote:
>>>>> On 14/12/15 15:58, Bill Burke wrote:
>>>>>> On 12/14/2015 5:01 AM, Niko Köbler wrote:
>>>>>>> Hi Marek,
>>>>>>>
>>>>>>>> On 14.12.2015 at 08:50, Marek Posolda <mposolda at redhat.com> wrote:
>>>>>>>>
>>>>>>>> Btw. what's your motivation to not use infinispan? If you are afraid of
>>>>>>>> cluster communication, you don't need to worry much about it, because
>>>>>>>> if you run single keycloak through standalone.xml, the infinispan
>>>>>>>> automatically works in LOCAL mode and there is no cluster
>>>>>>>> communication at all.
>>>>>>> My current customer is running his apps in AWS. As known, multicast is
>>>>>>> not available in cloud infrastructures. Wildfly/Infinispan Cluster works
>>>>>>> pretty well with multicast w/o having to know too much about JGroups
>>>>>>> config. S3_PING seems to be a viable way to get a cluster running in AWS.
>>>>>>> But additionally, my customer doesn't have any (deep) knowledge about
>>>>>>> JBoss infrastructures and so I'm looking for a way to be able to run
>>>>>>> Keycloak in a cluster in AWS without the need to build up deeper
>>>>>>> knowledge of JGroups config, for example in getting rid of Infinispan.
>>>>>>> But I do understand all the concerns in doing this.
>>>>>>> I still have to test S3_PING, if it works as easily as multicast. If yes,
>>>>>>> we can use it, if no? I don't know yet. But this gets offtopic for
>>>>>>> Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.
>>>>>>>
>>>>>> seems to me it would be much easier to get Infinispan working on AWS
>>>>>> than to write and maintain an entire new caching mechanism and hope we
>>>>>> don't refactor the cache SPI.
>>>>>>
>>>>>>
>>>>> +1
>>>>>
>>>>> I am sure infinispan/JGroups has the possibility to run in a non-multicast
>>>>> environment. You may just need to figure out how exactly to configure it. So
>>>>> I agree that this issue is more related to Wildfly/Infinispan itself
>>>>> than to Keycloak.
>>>>>
>>>>> You may need to use jgroups protocols like TCP instead of default UDP
>>>>> and maybe TCPPING (this requires to manually list all your cluster
>>>>> nodes. But still, it's a much better option IMO than rewriting UserSession
>>>>> SPI)
>>>> Btw. if TCPPING or S3_PING is an issue, there is also AWS_PING
>>>> http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's
>>>> not an official part of jgroups.
>>>>
>>>> Marek
>>>>>
>>>>> Marek
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151215/607d237f/attachment-0001.html

From afield at redhat.com Tue Dec 15 14:13:55 2015
From: afield at redhat.com (Alan Field)
Date: Tue, 15 Dec 2015 14:13:55 -0500 (EST)
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de>
Message-ID: <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com>

Just to be clear, I have successfully tested Infinispan library and server
mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses.
None of the cloud providers support multicast. The Docker case is a little
different though, because of the issues with getting access to the IP
address.

Thanks,
Alan

----- Original Message -----
> From: "Niko Köbler"
> To: "Paul Blair"
> Cc: "keycloak-user"
> Sent: Tuesday, December 15, 2015 1:53:18 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
> We will go for the first run with EC2 and S3_PING, but w/o Docker.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151215/70745953/attachment-0001.html

From afield at redhat.com Tue Dec 15 14:52:11 2015
From: afield at redhat.com (Alan Field)
Date: Tue, 15 Dec 2015 14:52:11 -0500 (EST)
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <44B0D4D7-9D5D-4DCD-BF82-4AF9A1182609@smartling.com>
References: <7F55D909-660B-45E6-8A10-AD70F4543084@n-k.de> <4485A112-7A21-4C2E-9FE4-597CCF590036@n-k.de> <566ED923.10306@redhat.com> <566EE670.9090001@redhat.com> <566EE76D.2090001@redhat.com> <622AE9A5-3E81-4CA5-B4B6-CACD84051DB2@smartling.com> <566F4368.9060508@redhat.com> <44B0D4D7-9D5D-4DCD-BF82-4AF9A1182609@smartling.com>
Message-ID: <1682508053.27338952.1450209131594.JavaMail.zimbra@redhat.com>

Hey Scott,

(I'm resending this with a little more information, since I can now post
without being moderated) :-)

----- Original Message -----
> From: "Scott Rossillo"
> To: "Marek Posolda" , afield at redhat.com
> Cc: "keycloak-user" , "Bill Burke"
> Sent: Monday, December 14, 2015 6:31:30 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure correctly
> with the various ping techniques that aren't UDP multicast. I can elaborate
> on each one that we tested but it's just generally complex to get right.
> That's not to say it's impossible or the biggest reason this is complicated
> on ECS or _insert container service here_, see #2 for that.
The Infinispan server and JBoss EAP include a TCP-based stack in the
configuration to run on EC2 that looks like this:

${jgroups.s3.bucket:}
${jgroups.s3.access_key:}
${jgroups.s3.secret_access_key:}
${jgroups.s3.pre_signed_delete_url:}
${jgroups.s3.pre_signed_put_url:}
${jgroups.s3.prefix:}
false

With this in the configuration file, you can start the server with the
following system properties defined:

bin/clustered.sh -Djboss.node.name=node0 -Djboss.socket.binding.port-offset=0 -Djboss.default.jgroups.stack=s3 -Djgroups.s3.bucket= -Djgroups.s3.access_key= -Djgroups.s3.secret_access_key= -Djboss.bind.address=$IP -Djboss.bind.address.management=$IP

This will cause the server to start and the nodes will write to a file in
the S3 bucket to allow the nodes to discover each other. I do not see this
stack defined in the configuration used by WildFly 9, but it should work
there as well. It is also possible to use the JGroups Gossip Router for
discovery, but it requires running a separate process that all of the nodes
contact during the discovery phase.

I have the following in my .bashrc to set the IP environment variable:

export IP=`GET http://169.254.169.254/latest/meta-data/local-ipv4`

I have verified that I can cluster plain EC2 instances on the internal IP
addresses: (i.e. 172.31.4.165 and 172.31.18.207) These addresses are not
publicly accessible though, but this cluster can be a cache for applications
running in EC2.

> 2. It is difficult to do discovery correctly with JGroups and Docker.
> Non-privileged Docker instances - the default and recommended type - do not
> implicitly know their host's IP. This causes IP mismatches between what
> JGroups thinks the machine's IP is and what it actually is when connecting
> to hosts on different machines. This is the main issue and it's not the
> fault of JGroups per se, but there's no simple work around.
> Take for example a simple 2 node cluster:
> Node 1 comes up on the docker0 interface of host A with the IP address
> 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP address
> 172.16.0.8. The host B IP is 10.10.0.108.
> The 172.16 network is not routable between hosts (by design). Docker does
> port forwarding for ports we wish to expose so this works fine for
> HTTP/HTTPS but not the cluster traffic.

I've been trying to dig through the documentation to find out how you create
multi-container applications that need to network with each other on Amazon's
ECS, but so far I haven't gotten very far. Feel free to send me pointers, if
you have any.

> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2
> advertises 172.16.0.8. The two cannot talk to each other by default.
> However, using the hard coded IPs and TCP PING, we can set external_addr on
> Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set
> initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to
> discover each other. However, they will not form a cluster. The nodes will
> reject the handshake thinking they're not actually 10.10.0.100 or
> 10.10.0.108 respectively.
> I'd like to discuss further and I can share where we've gotten so far with
> workarounds to this but it may be better to get into the weeds on another
> list.
> Let me know what you think.

This issue is a little trickier, and I think we should probably move the
discussion to the jgroups-users list which you can subscribe to here. [1]
Bela Ban may have some ideas about how to set the binding address or
interface to get around this. The Fabric8 project is also using a JGroups
discovery protocol that relies on Kubernetes, but I don't think ECS uses
Kubernetes.
Thanks,
Alan

[1] https://lists.sourceforge.net/lists/listinfo/javagroups-users

> Best,
> Scott
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
> > > > > > Best, > > > > > > Scott > > > > > > Scott Rossillo > > > > > > Smartling | Senior Software Engineer > > > > > > srossillo at smartling.com > > > > > > > On Dec 14, 2015, at 10:59 AM, Marek Posolda < mposolda at redhat.com > > > > > wrote: > > > > > > > > > > On 14/12/15 16:55, Marek Posolda wrote: > > > > > > > > > > > On 14/12/15 15:58, Bill Burke wrote: > > > > > > > > > > > > > > > > On 12/14/2015 5:01 AM, Niko K?bler wrote: > > > > > > > > > > > > > > > > > > > > > > Hi Marek, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Am 14.12.2015 um 08:50 schrieb Marek Posolda < > > > > > > > > mposolda at redhat.com > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > < mailto:mposolda at redhat.com >>: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Btv. what's your motivation to not use infinispan? If you > > > > > > > > afraid > > > > > > > > of > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > cluster communication, you don't need to worry much about it, > > > > > > > > because > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > if you run single keycloak through standalone.xml, the > > > > > > > > infinispan > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > automatically works in LOCAL mode and there is no any cluster > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > communication at all. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > My current customer is running his apps in AWS. As known, > > > > > > > multicast > > > > > > > is > > > > > > > > > > > > > > > > > > > > > > > > > > > > not available in cloud infrastructures. Wildfly/Infinispan > > > > > > > Cluster > > > > > > > works > > > > > > > > > > > > > > > > > > > > > > > > > > > > pretty well with multicast w/o having to know too much about > > > > > > > JGroups > > > > > > > > > > > > > > > > > > > > > > > > > > > > config. 
> > > > > > > > > S3_PING seems to be a viable way to get a cluster running in AWS.
> > > > > > > > > But additionally, my customer doesn't have any (deep) knowledge about
> > > > > > > > > JBoss infrastructures and so I'm looking for a way to be able to run
> > > > > > > > > Keycloak in a cluster in AWS without the need to build up deeper
> > > > > > > > > knowledge of JGroups config, for example in getting rid of Infinispan.
> > > > > > > > > But I do understand all the concerns in doing this.
> > > > > > > > > I still have to test S3_PING, if it works as easy as multicast. If yes,
> > > > > > > > > we can use it, if no? I don't know yet. But this gets offtopic for
> > > > > > > > > Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.
> > > > > > > >
> > > > > > > > seems to me it would be much easier to get Infinispan working on AWS
> > > > > > > > than to write and maintain an entire new caching mechanism and hope we
> > > > > > > > don't refactor the cache SPI.
> > > > > > >
> > > > > > > +1
> > > > > > >
> > > > > > > I am sure infinispan/JGroups has possibility to run in non-multicast
> > > > > > > environment. You may just need to figure how exactly to configure it. So
> > > > > > > I agree that this issue is more related to Wildfly/Infinispan itself
> > > > > > > than to Keycloak.
> > > > > > > You may need to use jgroups protocols like TCP instead of default UDP
> > > > > > > and maybe TCPPING (this requires to manually list all your cluster
> > > > > > > nodes. But still, it's much better option IMO than rewriting UserSession
> > > > > > > SPI)
> > > > > >
> > > > > > Btv. if TCPPING or S3_PING is an issue, there is also AWS_PING
> > > > > > http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's
> > > > > > not official part of jgroups.
> > > > > >
> > > > > > Marek
> > > > > >
> > > > > > > Marek
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > keycloak-user mailing list
> > > > > > > keycloak-user at lists.jboss.org
> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From tdudgeon.ml at gmail.com Wed Dec 16 04:51:18 2015
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Wed, 16 Dec 2015 09:51:18 +0000
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <5664F4BD.4000309@redhat.com>
References: <5664F4BD.4000309@redhat.com>
Message-ID: <56713416.4090003@gmail.com>

It's not clear to me how you get the assigned roles from the AccessToken.
For instance, if the realm has configured the user to have roles "user"
and "editor" how do I find these in the AccessToken?

Tim

On 07/12/2015 02:53, Bill Burke wrote:
> For Java HttpServletRequest.isUserInRole() works.
> If you typecast the
> principal to KeycloakPrincipal you can obtain the AccessToken.
>
> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>> Hi everyone,
>>
>> Do Keycloak adapters support user authorization? I mean, of course they
>> do :) For example, the API I have secured with Keycloak receives a
>> Keycloak access token from the client. How can I validate the token
>> (check user roles) in my code? I am interested in the Java (wildfly) and
>> Javascript adapters.
>>
>> Manually I am using jwt.io to check the token. I am just
>> curious if the Keycloak adapters support smth similar out of the box.
>>
>> Thank you for your answers.
>>
>> Regards,
>> Pavel Maslov, MS

From andyyar66 at gmail.com Wed Dec 16 06:40:47 2015
From: andyyar66 at gmail.com (Andy Yar)
Date: Wed, 16 Dec 2015 12:40:47 +0100
Subject: [keycloak-user] Spring Security adapter single logout
Message-ID:

Hello,

I'm using 1.7.0 final integrated with Spring Security (which itself is integrated into Grails) using the OpenID Connect method. I've been kind of stuck with single (back-channel, k_logout) logout for a while.

It seems it's handled by the preAuthActions filter, which simply invalidates local sessions via a call to an injected HttpSessionManager. This manager stores active sessions in its instance and puts/removes them as a reaction to HttpSessionEvent.

It looks like the HttpSessionManager has to be registered as a JEE Listener in order to receive HttpSessionEvents. However, then you end up with two different instances - the listener and the bean in preAuthActions. Thus the invalidation process can't reach the sessions stored in the listener's instance and can't invalidate them at all.

A big sorry if I miss something very obvious.

Andy
From bburke at redhat.com Wed Dec 16 09:09:04 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 16 Dec 2015 09:09:04 -0500
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <56713416.4090003@gmail.com>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com>
Message-ID: <56717080.4040206@redhat.com>

AccessToken.getResourceAccess or AccessToken.getRealmAccess

On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
> It's not clear to me how you get the assigned roles from the AccessToken.
> For instance, if the realm has configured the user to have roles "user"
> and "editor" how do I find these in the AccessToken?
>
> Tim
>
> On 07/12/2015 02:53, Bill Burke wrote:
>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>> principal to KeycloakPrincipal you can obtain the AccessToken.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From johan.bos at c6.eu Wed Dec 16 09:17:26 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Wed, 16 Dec 2015 15:17:26 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <56717080.4040206@redhat.com>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com>
Message-ID: <56717276.3020604@c6.eu>

Why is HttpRequest.isUserInRole() not capable of returning true when the role is present in the AccessToken.getRealmAccess?

Regards,

Johan Bos

On 16/12/2015 15:09, Bill Burke wrote:
> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>
> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>> It's not clear to me how you get the assigned roles from the AccessToken.
>> For instance, if the realm has configured the user to have roles "user"
>> and "editor" how do I find these in the AccessToken?
>>
>> Tim
From erik.mulder at docdatapayments.com Wed Dec 16 09:37:22 2015
From: erik.mulder at docdatapayments.com (Erik Mulder)
Date: Wed, 16 Dec 2015 15:37:22 +0100
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
Message-ID: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local>

Seems like a simple scenario, but I can't figure it out: I have an instance of the KeycloakSession and I want to get the UserModel for the current request. Is this possible?

Context: I'm creating a custom REST service that runs inside keycloak and needs to get some data that is related to the current authenticated user. For instance the realm and client I can get through the session.getContext().getClient/Realm(). I would expect a getUser() there too, but I can't find it anywhere 'in' the session.

If this isn't possible, shouldn't it be? Or if not, why not?
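One way to resolve the caller inside a custom Keycloak REST resource, as an added example (not Keycloak's own code and not from anyone in this thread): the resource validates the Authorization: Bearer header that the custom endpoint receives, instead of relying on the browser login cookie, and so never has to search session.sessions() for the matching user. It assumes the Keycloak 1.7-era server classes AppAuthManager and AuthenticationManager.AuthResult and the KeycloakContext accessors getRealm(), getUri(), getConnection() and getRequestHeaders(); the sub-path /whoami is a placeholder.

```java
// Added example (not Keycloak code, not from this thread): a custom REST resource inside
// Keycloak that resolves the calling user from the Authorization: Bearer header rather
// than from the browser login cookie. Assumed 1.7-era server APIs: AppAuthManager,
// AuthenticationManager.AuthResult and KeycloakContext#getRealm/getUri/getConnection/getRequestHeaders.
import java.util.Collections;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;

@Path("/whoami") // placeholder sub-path under the custom realm resource
public class WhoAmIResource {

    private final KeycloakSession session;

    public WhoAmIResource(KeycloakSession session) {
        this.session = session;
    }

    /**
     * Validate the bearer token of the current request against the realm held in the
     * KeycloakContext and return the user it was issued to, or null when the request
     * carries no valid token. Nothing here consults the identity cookie.
     */
    static UserModel currentUser(KeycloakSession session) {
        RealmModel realm = session.getContext().getRealm();
        UriInfo uriInfo = session.getContext().getUri();
        HttpHeaders headers = session.getContext().getRequestHeaders();
        AuthResult auth = new AppAuthManager().authenticateBearerToken(
                session, realm, uriInfo, session.getContext().getConnection(), headers);
        return auth == null ? null : auth.getUser();
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response whoAmI() {
        UserModel user = currentUser(session);
        if (user == null) {
            // Deliberately no cookie fallback: a cookie-authenticated REST endpoint is
            // reachable by cross-site requests (CSRF); a bearer header is not sent by the
            // browser on its own, so an absent or invalid token simply gets 401.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        Map<String, String> body = Collections.singletonMap("username", user.getUsername());
        return Response.ok(body).build();
    }
}
```

The token is the same one keycloak.js hands to a browser client, so the JavaScript side only has to add an Authorization: Bearer header to its calls; the realm, client and user are then all available from the AuthResult (getUser(), getToken(), getSession()) without any extra lookup.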
From bburke at redhat.com Wed Dec 16 09:45:57 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 16 Dec 2015 09:45:57 -0500
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <56717276.3020604@c6.eu>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu>
Message-ID: <56717925.1060406@redhat.com>

See use-resource-role-mappings switch:

If set to true, the getResourceAccess("resource-name") roles will be mapped into isUserInRole, otherwise getRealmAccess is mapped into isUserInRole

Not the best I know. We've been meaning to add some sort of role mapping facility to the adapter.

On 12/16/2015 9:17 AM, Johan Bos wrote:
> Why is HttpRequest.isUserInRole() not capable of returning true when
> the role is present in the AccessToken.getRealmAccess?
>
> Regards,
>
> Johan Bos
>
> On 16/12/2015 15:09, Bill Burke wrote:
>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Wed Dec 16 09:52:30 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 16 Dec 2015 09:52:30 -0500
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
In-Reply-To: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local>
References: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local>
Message-ID: <56717AAE.5020400@redhat.com>

On 12/16/2015 9:37 AM, Erik Mulder wrote:
> Seems like a simple scenario, but I can't figure it out: I have an
> instance of the KeycloakSession and I want to get the UserModel for the
> current request. Is this possible?
>
> Context: I'm creating a custom REST service that runs inside keycloak
> and needs to get some data that is related to the current authenticated
> user. For instance the realm and client I can get through the
> session.getContext().getClient/Realm(). I would expect a getUser() there
> too, but I can't find it anywhere 'in' the session.
>
> If this isn't possible, shouldn't it be? Or if not, why not?
>

I'm assuming this REST request is from a browser Javascript client? Login sessions are maintained only through a cookie.
You'd have to login through the browser first, then read the cookie.

BTW, cookies are a really bad way of securing a REST interface. Your REST interface becomes vulnerable to CSRF attacks. I suggest you use a token to secure your REST interface. If you are already using keycloak.js to log in, you can obtain the token from the Keycloak javascript interface and use that to invoke your service.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From dirk.franssen at gmail.com Wed Dec 16 10:30:20 2015
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Wed, 16 Dec 2015 16:30:20 +0100
Subject: [keycloak-user] cascaded microservice security
Message-ID:

Hi, as I didn't receive any feedback on this question yet, I will resend it (perhaps due to pending subscription)

On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen wrote:
> Hi,
>
> how would one configure Keycloak to obtain the following scenarios?
>
> Scenario 1:
>
> client A: public (angular app)
> client B: bearer-only (microservice)
> client C: bearer-only (microservice)
>
> - microservice B is allowed to call microservice C, but an authenticated
> user in the js app A should be forbidden to call microservice C directly.
>
> Scenario 2:
>
> client A: public (angular app)
> client B: confidential (1 war with a REST service AND a JSF application,
> both using the same EJB business layer which is accessing microservice C)
> client C: bearer-only (microservice)
>
> - a user authenticated in the angular app can use the REST service of app
> B and will see the results of microservice C, but the user may not call
> microservice C directly
> - a user authenticated in the JSF application will see the results of
> microservice C when using the JSF application, but should not be able to
> use microservice C directly (if the user would reuse the same access_token)
> - should there be different roles for the REST part and the JSF part of
> app B (for accessing microservice C)?
>
> Kind regards,
> Dirk

From johan.bos at c6.eu Wed Dec 16 10:33:14 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Wed, 16 Dec 2015 16:33:14 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <56717925.1060406@redhat.com>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com>
Message-ID: <5671843A.7010006@c6.eu>

So it is one or the other.
The switch is at realm level or per client?

As I tend to make realm roles for securing the clients only and client/resource roles for internal client management, I should be fine.

Still, it would help to have some merging/mapping so from the client we don't have to rely so much on the KeyCloak implementation to test roles...
The issue is that a realm role can have the same name as a client role. But there is always some pitfall to avoid.

Thanks

Regards,

Johan Bos

On 16/12/2015 15:45, Bill Burke wrote:
> See use-resource-role-mappings switch:
>
> If set to true, the getResourceAccess("resource-name") roles will be
> mapped into isUserInRole, otherwise getRealmAccess is mapped into
> isUserInRole
>
> Not the best I know. We've been meaning to add some sort of role
> mapping facility to the adapter.
>
> On 12/16/2015 9:17 AM, Johan Bos wrote:
>> Why is HttpRequest.isUserInRole() not capable of returning true when
>> the role is present in the AccessToken.getRealmAccess?
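Bill's description of the use-resource-role-mappings switch and Johan's wish for a check that merges realm and client roles, as an added example in Java that is not code from Keycloak or from anyone in this thread. It assumes the 1.7-era adapter classes named in the thread (KeycloakPrincipal, KeycloakSecurityContext and AccessToken with getRealmAccess() and getResourceAccess(String)); the client id "my-api" used in the comments is a placeholder.

```java
// Added example (not Keycloak code, not from this thread): read the roles carried in a
// Keycloak AccessToken and check a role against both the realm and the client roles.
// Assumed 1.7-era adapter classes: org.keycloak.KeycloakPrincipal,
// org.keycloak.KeycloakSecurityContext and org.keycloak.representations.AccessToken.
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

public final class TokenRoles {

    private TokenRoles() {
    }

    /** The AccessToken the adapter already validated for this request; null for an anonymous caller. */
    public static AccessToken tokenOf(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            return null;
        }
        KeycloakSecurityContext ctx = ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
        return ctx.getToken();
    }

    /** Realm roles: the "realm_access.roles" claim, i.e. AccessToken.getRealmAccess(). */
    public static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access access = token == null ? null : token.getRealmAccess();
        return rolesOf(access);
    }

    /**
     * Client roles: the "resource_access.<clientId>.roles" claim, i.e.
     * AccessToken.getResourceAccess(clientId), e.g. clientRoles(token, "my-api").
     */
    public static Set<String> clientRoles(AccessToken token, String clientId) {
        AccessToken.Access access = token == null ? null : token.getResourceAccess(clientId);
        return rolesOf(access);
    }

    private static Set<String> rolesOf(AccessToken.Access access) {
        if (access == null || access.getRoles() == null) {
            return Collections.emptySet();
        }
        return Collections.unmodifiableSet(access.getRoles());
    }

    /**
     * Role check that does not depend on use-resource-role-mappings: the adapter's
     * isUserInRole() consults only one of the two claim sets, chosen by that keycloak.json
     * switch, whereas this looks at both. Because a realm role and a client role may share
     * a name, callers that must tell them apart should use realmRoles()/clientRoles().
     */
    public static boolean hasRole(AccessToken token, String clientId, String role) {
        return realmRoles(token).contains(role) || clientRoles(token, clientId).contains(role);
    }
}
```

From a servlet filter or JAX-RS resource the call is TokenRoles.hasRole(TokenRoles.tokenOf(request), "my-api", "editor"); the same two claims (realm_access and resource_access) are what jwt.io shows when the token is pasted there by hand. Whichever claim set the container's isUserInRole() is expected to answer from, use-resource-role-mappings in keycloak.json has to be set to match, and a role that must stay client-local should not also exist as a realm role of the same name.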
From erik.mulder at docdatapayments.com Wed Dec 16 10:34:19 2015
From: erik.mulder at docdatapayments.com (Erik Mulder)
Date: Wed, 16 Dec 2015 16:34:19 +0100
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
References: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local> <56717AAE.5020400@redhat.com>
Message-ID: <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local>

Thanks, but I'm not sure I understand you correctly. Let me clarify:

- I'm extending the Keycloak REST webservices with some custom resources, for instance: http://127.0.0.1:8080/auth/realms//docdata/ (a piece of code from Pedro made this possible)
- I'm implementing an SPI (also from Pedro's change) that gets a KeycloakSession object to 'work with'.
- I do authenticate on the keycloak server using a token (OpenID Connect) that I got from a previous successful login.
- Somewhere in the Keycloak internals this token is validated and a User(Model/Session) is found that corresponds to this token.
- : This User is saved somewhere in the session context

Now, my question is: How can I get hold of this User(Model/Session), given that I have just a KeycloakSession object?

Through debugging I see that session.sessions() has a UserSessionEntity for my current request, but since there might be more at the same time, how can I relate my current request to the one User that is associated with it?

On 16/12/15 15:52, Bill Burke wrote:
> On 12/16/2015 9:37 AM, Erik Mulder wrote:
>> Seems like a simple scenario, but I can't figure it out: I have an
>> instance of the KeycloakSession and I want to get the UserModel for the
>> current request. Is this possible?
>>
>> Context: I'm creating a custom REST service that runs inside keycloak
>> and needs to get some data that is related to the current authenticated
>> user. For instance the realm and client I can get through the
>> session.getContext().getClient/Realm(). I would expect a getUser() there
>> too, but I can't find it anywhere 'in' the session.
>>
>> If this isn't possible, shouldn't it be? Or if not, why not?
>>
> I'm assuming this REST request is from a browser Javascript client?
> Login sessions are maintained only through a cookie. You'd have to
> login through the browser first, then read the cookie.
>
> BTW, cookies are a really bad way of securing a REST interface. Your
> REST interface becomes vulnerable to CSRF attacks. I suggest you use a
> token to secure your REST interface. If you are already using
> keycloak.js to log in, you can obtain the token from the Keycloak
> javascript interface and use that to invoke your service.

From johan.bos at c6.eu Wed Dec 16 10:45:16 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Wed, 16 Dec 2015 16:45:16 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <5671843A.7010006@c6.eu>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu>
Message-ID: <5671870C.8040405@c6.eu>

Oh, when you said: use-resource-role-mappings, it is only available through the keycloak.json.
Nothing from the Keycloak Admin UI allows you to set the option, so have the installation file ready with everything?

Regards,

Johan Bos

On 16/12/2015 16:33, Johan Bos wrote:
> So it is one or the other.
> The switch is at realm level or per client?
>
> As I tend to make realm roles for securing the clients only and
> client/resource roles for internal client management, I should be fine.
>
> Still, it would help to have some merging/mapping so from the client we
> don't have to rely so much on the KeyCloak implementation to test roles...
> The issue is that a realm role can have the same name as a client role. But
> there is always some pitfall to avoid.
>
> Thanks
>
> Regards,
>
> Johan Bos
>
> On 16/12/2015 15:45, Bill Burke wrote:
>> See use-resource-role-mappings switch:
>>
>> If set to true, the getResourceAccess("resource-name") roles will be
>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>> isUserInRole
>>
>> Not the best I know. We've been meaning to add some sort of role
>> mapping facility to the adapter.
From srossillo at smartling.com Wed Dec 16 14:19:27 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 16 Dec 2015 14:19:27 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com>
Message-ID: <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com>

Hi Alan,

Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.

I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host otherwise the nodes won't form a cluster. Secondly, FD_SOCK attempts to connect back on a random port. With Docker instances, this fails. Using a known client_bind_port works well.

Here's the code I'm testing with:
https://github.com/foo4u/aws-infinispan-poc

Most interesting are probably:
https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh
https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/src/main/resources/tcp.xml

With this set up the nodes on different machines communicate without issue. I still have to add in something other than TCP_PING, but that wasn't the main issue. Will use JDBC_PING most likely. Not a fan of S3 for coordination. Plus I already need an RDBMS for Keycloak.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 15, 2015, at 2:13 PM, Alan Field wrote:
>
> Just to be clear, I have successfully tested Infinispan library and server mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses. None of the cloud providers support multicast. The Docker case is a little different though, because of the issues with getting access to the IP address.
>
> Thanks,
> Alan
>
> From: "Niko Kübler"
> To: "Paul Blair"
> Cc: "keycloak-user"
> Sent: Tuesday, December 15, 2015 1:53:18 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> We will go for the first run with EC2 and S3_PING, but w/o Docker.
> If we/you/whoever will find a proper solution (possibly on the jgroups mailinglist), we will test this.
>
> Seems that everybody is aware of the Docker/Cloud/Multicast issues, but no-one has a proper solution, only workarounds. :(
>
> On 15.12.2015 at 15:47, Paul Blair wrote:
>
> I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
>
> Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
>
> From: Scott Rossillo
> Date: Mon, 14 Dec 2015 18:31:30 -0500
> To: Marek Posolda
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.
>
> 2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP. This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple work around.
>
> Take for example a simple 2 node cluster:
>
> Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.
>
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster. The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.
>
> I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list.
>
> Let me know what you think.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
I?m planning to document this as we fix but I?d avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you?re using Mongo and it?s easier to test locally. > > TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk). > > Best, > Scott > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > > On Dec 14, 2015, at 10:59 AM, Marek Posolda > wrote: > > On 14/12/15 16:55, Marek Posolda wrote: > On 14/12/15 15:58, Bill Burke wrote: > On 12/14/2015 5:01 AM, Niko K?bler wrote: > Hi Marek, > > Am 14.12.2015 um 08:50 schrieb Marek Posolda < mposolda at redhat.com > >>: > > Btv. what's your motivation to not use infinispan? If you afraid of > cluster communication, you don't need to worry much about it, because > if you run single keycloak through standalone.xml, the infinispan > automatically works in LOCAL mode and there is no any cluster > communication at all. > My current customer is running his apps in AWS. As known, multicast is > not available in cloud infrastructures. Wildfly/Infinispan Cluster works > pretty well with multicast w/o having to know too much about JGroups > config. S3_PING seams to be a viable way to get a cluster running in AWS. > But additionally, my customer doesn?t have any (deep) knowledge about > JBoss infrastructures and so I?m looking for a way to be able to run > Keycloak in a cluster in AWS without the need to build up deeper > knowlegde of JGroups config, for example in getting rid of Infinispan. > But I do understand all the concerns in doing this. > I still have to test S3_PING, if it works as easy as multicast. If yes, > we can use it, if no? I don?t know yet. But this gets offtopic for > Keycloak mailinglist, it?s more related to pure Wildfly/Infinispan. 
> > seems to me it would be much easier to get Infinispan working on AWS > than to write and maintain an entire new caching mechanism and hope we > don't refactor the cache SPI. > > > +1 > > I am sure infinispan/JGroups has possibility to run in non-multicast > environment. You may just need to figure how exactly to configure it. So > I agree that this issue is more related to Wildfly/Infinispan itself > than to Keycloak. > > You may need to use jgroups protocols like TCP instead of default UDP > and maybe TCPPING (this requires to manually list all your cluster > nodes. But still, it's much better option IMO than rewriting UserSession > SPI) > Btv. if TCPPING or S3_PING is an issue, there is also AWS_PING > http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's > not official part of jgroups. > > Marek > > Marek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
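Scott's two-node scenario above (container 172.16.0.4 on host 10.10.0.100, container 172.16.0.8 on host 10.10.0.108), written out as a JGroups 3.x TCP stack. This is an added illustration for readers of the thread; it is not a configuration posted in the thread and not the tcp.xml from the foo4u/aws-infinispan-poc repository. The addresses are the ones from the scenario; the port numbers, the `${jgroups.*}` system-property names, the `num_initial_members` values and the `java:jboss/datasources/KeycloakDS` JNDI name are assumptions. It places the two settings later reported in this thread as the fix (TCP `external_addr` set to the EC2 host address, and a fixed `client_bind_port` on FD_SOCK so the reverse failure-detection connection does not originate from a random port that Docker has not published) next to the discovery configuration, and shows JDBC_PING, which reuses the Keycloak data source, as the replacement for a hard-coded `initial_hosts` list.

```xml
<!--
  Added example (not from the thread or from foo4u/aws-infinispan-poc):
  JGroups 3.x TCP stack for a two-node Keycloak cluster where each node runs
  in a non-privileged Docker container on a separate EC2 host.

  Each container is started with constructed values such as
    -Djgroups.bind_addr=172.16.0.4                  container (docker0) address
    -Djgroups.external_addr=10.10.0.100             EC2 host address, e.g. read from
                                                    http://169.254.169.254/latest/meta-data/local-ipv4
    -Djgroups.tcpping.initial_hosts=10.10.0.100[7800],10.10.0.108[7800]
  and Docker publishes ports 7800, 57800 and 57801 one-to-one on the host.
-->
<config xmlns="urn:org:jgroups"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/jgroups.xsd">

    <!-- Transport: bind to the container address but advertise the host address.
         Without external_addr the node advertises 172.16.0.4, which is not routable
         from the other host, and the address in the handshake does not match what
         the peer connected to. -->
    <TCP bind_addr="${jgroups.bind_addr:SITE_LOCAL}"
         external_addr="${jgroups.external_addr}"
         bind_port="7800"
         port_range="0"/>

    <!-- Discovery, variant 1: static list of the host addresses (what the thread
         tested). Every member has to be listed, and a replaced EC2 instance comes
         back with a new address, which is the TCPPING drawback mentioned above. -->
    <TCPPING initial_hosts="${jgroups.tcpping.initial_hosts:10.10.0.100[7800],10.10.0.108[7800]}"
             port_range="0"
             num_initial_members="2"/>

    <!-- Discovery, variant 2 (use instead of TCPPING): members register their
         advertised address in a table of the database Keycloak already depends on.
         The JNDI name is an assumption; point it at the Keycloak data source. -->
    <!--
    <JDBC_PING datasource_jndi_name="java:jboss/datasources/KeycloakDS"
               num_initial_members="2"/>
    -->

    <MERGE3 min_interval="10000" max_interval="30000"/>

    <!-- Failure detection: FD_SOCK opens a TCP connection back to the peer.
         Pin the server socket (start_port) and the client socket (client_bind_port)
         to known ports so Docker can publish them; with the default random client
         port the connection is never forwarded and the member is suspected. -->
    <FD_SOCK start_port="57800"
             port_range="0"
             client_bind_port="57801"
             external_addr="${jgroups.external_addr}"/>
    <FD_ALL timeout="30000" interval="5000"/>
    <VERIFY_SUSPECT timeout="1500"/>

    <pbcast.NAKACK2 use_mcast_xmit="false"/>
    <UNICAST3/>
    <pbcast.STABLE/>
    <pbcast.GMS print_local_addr="true" join_timeout="3000"/>
    <MFC max_credits="2M" min_threshold="0.4"/>
    <UFC max_credits="2M" min_threshold="0.4"/>
    <FRAG2 frag_size="60K"/>
</config>
```

Publishing 7800 and 57800/57801 on the host makes the cluster transport reachable from the host network, so the EC2 security group should admit those ports only from the other cluster members; JGroups does not authenticate or encrypt this traffic unless AUTH and ENCRYPT/ASYM_ENCRYPT are added to the stack.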
From srossillo at smartling.com Wed Dec 16 15:19:49 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 16 Dec 2015 15:19:49 -0500
Subject: [keycloak-user] cascaded microservice security

It seems you're trying to enforce that only client B can call client C. This isn't really something considered by the OpenID Connect spec. Are you using the access token from client A to call client C (from B)? If so, the client adapter can't help you here.

If your intent is just to protect service C from being called directly, just secure it behind a firewall so that only client B may access it.

It's also not very clear what you're trying to accomplish by "protecting" access to client C.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 16, 2015, at 10:30 AM, Dirk Franssen wrote:
>
> Hi,
>
> as I didn't receive any feedback on this question yet, I will resend it (perhaps due to pending subscription)
>
> On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen wrote:
> Hi,
>
> how would one configure Keycloak to obtain the following scenarios?
>
> Scenario 1:
>
> client A: public (angular app)
> client B: bearer-only (microservice)
> client C: bearer-only (microservice)
>
> - microservice B is allowed to call microservice C, but an authenticated user in the js app A should be forbidden to call microservice C directly.
>
> Scenario 2:
>
> client A: public (angular app)
> client B: confidential (1 war with a REST service AND a JSF application, both using the same EJB business layer which is accessing microservice C)
> client C: bearer-only (microservice)
>
> - a user authenticated in the angular app can use the REST service of app B and will see the results of microservice C, but the user may not call microservice C directly
> - a user authenticated in the JSF application will see the results of microservice C when using the JSF application, but should not be able to use microservice C directly (if the user would reuse the same access_token)
> - should there be different roles for the REST part and the JSF part of app B (for accessing microservice C)?
>
> Kind regards,
> Dirk
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From srossillo at smartling.com Wed Dec 16 15:28:13 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 16 Dec 2015 15:28:13 -0500
Subject: [keycloak-user] Spring Security adapter single logout

Spring typically registers any beans implementing HttpSessionListener with the servlet container. This may be an application server specific issue. What application server are you using?

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 16, 2015, at 6:40 AM, Andy Yar wrote:
>
> Hello,
> I'm using 1.7.0 final integrated with Spring Security (which itself is integrated into Grails) using the OpenID Connect method. I've been kind of stuck with single (back-channel, k_logout) logout for a while.
> It seems it's handled by the preAuthActions filter which simply invalidates local sessions via a call to an injected HttpSessionManager. This manager stores active sessions in its instance and puts/removes them as a reaction on HttpSessionEvent.
>
> It looks like the HttpSessionManager has to be registered as a JEE Listener in order to receive HttpSessionEvents. However, then you end up with two different instances - the listener and the bean in preAuthActions. Thus the invalidation process can't reach the sessions stored in the listener's instance and can't invalidate them at all.
>
> A big sorry if I miss something very obvious.
>
> Andy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From afield at redhat.com Wed Dec 16 15:33:39 2015
From: afield at redhat.com (Alan Field)
Date: Wed, 16 Dec 2015 15:33:39 -0500 (EST)
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com>
Message-ID: <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com>

Hey Scott,

Thanks for following up and showing me your code. I have some questions inline for you:

----- Original Message -----
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Köbler" , "keycloak-user"
> Sent: Wednesday, December 16, 2015 2:19:27 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?

> Hi Alan,

> Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.

It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to set up and maintain the extra gossip router processes.

> I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host otherwise the nodes won't form a cluster. Secondly, FD_SOCK attempts to connect back on a random port. With Docker instances, this fails. Using a known client_bind_port works well.

Which IP address from your example is retrieved with this command:

EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)

Is it the 172.16.0.4 address or the 10.10.0.100 address? When I use this command in EC2, I get the internal IP address for the instance, but not the public IP address. In your example, that would be the 172.16.0.4 address. Also which address is used for the bind_addr when you use -Djgroups.bind_addr=global?

> Here's the code I'm testing with: https://github.com/foo4u/aws-infinispan-poc
> Most interesting are probably:
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh

How are you setting the JGROUPS_INITIAL_HOSTS environment variable?

> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/src/main/resources/tcp.xml
> With this set up the nodes on different machines communicate without issue. I still have to add in something other than TCP_PING, but that wasn't the main issue. Will use JDBC_PING most likely. Not a fan of S3 for coordination. Plus I already need an RDBMS for Keycloak.

For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
Thanks,
Alan

> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 15, 2015, at 2:13 PM, Alan Field <afield at redhat.com> wrote:
>
> > Just to be clear, I have successfully tested Infinispan library and server mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses. None of the cloud providers support multicast. The Docker case is a little different though, because of the issues with getting access to the IP address.
> >
> > Thanks,
> > Alan
> >
> > ----- Original Message -----
> > > From: "Niko Köbler" <niko at n-k.de>
> > > To: "Paul Blair" <pblair at clearme.com>
> > > Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> > > Sent: Tuesday, December 15, 2015 1:53:18 PM
> > > Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
> > >
> > > We will go for the first run with EC2 and S3_PING, but w/o Docker.
> > > If we/you/whoever will find a proper solution (possibly on the jgroups mailinglist), we will test this.
> > >
> > > Seems that everybody is aware of the Docker/Cloud/Multicast issues, but no-one has a proper solution, only workarounds. :(
> > >
> > > > On 15.12.2015 at 15:47, Paul Blair <pblair at clearme.com> wrote:
> > > >
> > > > I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
> > > >
> > > > Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From davidillsley at gmail.com Wed Dec 16 15:35:30 2015
From: davidillsley at gmail.com (David Illsley)
Date: Wed, 16 Dec 2015 20:35:30 +0000
Subject: [keycloak-user] Keycloak Server -swarm.jar

Nice. https://github.com/davidillsley/keycloak-swarm-heroku based on that allows you to easily deploy to heroku (I assume it won't work with multiple dynos because infinispan, but I haven't tried it).

On Thu, Dec 10, 2015 at 8:22 PM, Bob McWhirter wrote:
> For those of you not familiar with WildFly Swarm, it's a project that intends to support microservices by taking your application components, along with just-enough WildFly, and bundling them all into a standalone uberjar.
>
> Keycloak counts as "part of WildFly" since it's implemented mostly as a WildFly subsystem.
>
> Therefore, WildFly Swarm now supports adding Keycloak Server to your microservice (we've supported the client-adapter for a while now, already).
>
> To that end, we are also producing a handy, all-in-one uberjar for Keycloak Server.
>
> http://repository-projectodd.forge.cloudbees.com/snapshot/org/wildfly/swarm/keycloak-server-service/1.0.0.Alpha6-SNAPSHOT/keycloak-server-service-1.0.0.Alpha6-20151210.185045-1-swarm.jar
>
> Just download that .jar, and `java -jar` it and visit http://localhost:8080/auth/
>
> It still uses the H2 database, and by default creates or uses a database located at $PWD/keycloak.db, but you can also use the -Dwildfly.swarm.keycloak.server.db=/path/to/keycloakdatabase property to change that.
>
> Please feel free to give it a test, and for more information about WildFly Swarm, we hang out in #wildfly-swarm on FreeNode IRC.
>
> Thanks!
>
> -Bob
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From srossillo at smartling.com Wed Dec 16 15:45:40 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 16 Dec 2015 15:45:40 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com> <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com>
Message-ID: <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com>

Hi Alan,

> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to set up and maintain the extra gossip router processes.

True, it's mainly about maintaining extra components.

> Which IP address from your example is retrieved with this command:
> EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)?

I get the Amazon EC2 instance's internal IP. This is what I want. There's another endpoint for public but I don't want to use it. What's good about this is when called from inside a Docker container, I manage to get the actual internal IP for the EC2 instance.

> How are you setting the JGROUPS_INITIAL_HOSTS environment variable?

Since this was a test with just 2 known hosts, I injected them as a Docker environment variable with two fixed IPs. Once we switch to JDBC_PING, this will be removed.
> For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.

S3_PING, like Gossip Router, adds an external dependency on another service. S3 has had consistency issues 3 times in 2015 (at least in US East). I don't want to rely on another component when I already need the database to be up. Less components, less chance of failure.

Also, there are a ton of variables to set with S3 and it requires preliminary work. I want something that scales well from dev to QA to prod. JDBC_PING has a datasource_jndi_name property. I can just reuse the data source I set up for Keycloak.

I hope I got all your questions.

Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 16, 2015, at 3:33 PM, Alan Field wrote:
>
> Hey Scott,
>
> Thanks for following up and showing me your code. I have some questions inline for you:
>
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Köbler" , "keycloak-user"
> Sent: Wednesday, December 16, 2015 2:19:27 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
> Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.
> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to set up and maintain the extra gossip router processes.
>
> I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host otherwise the nodes won't form a cluster. Secondly, FD_SOCK attempts to connect back on a random port. With Docker instances, this fails. Using a known client_bind_port works well.
> > Best, > Scott > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > > On Dec 14, 2015, at 10:59 AM, Marek Posolda > wrote: > > On 14/12/15 16:55, Marek Posolda wrote: > On 14/12/15 15:58, Bill Burke wrote: > On 12/14/2015 5:01 AM, Niko K?bler wrote: > Hi Marek, > > Am 14.12.2015 um 08:50 schrieb Marek Posolda > >>: > > Btv. what's your motivation to not use infinispan? If you afraid of > cluster communication, you don't need to worry much about it, because > if you run single keycloak through standalone.xml, the infinispan > automatically works in LOCAL mode and there is no any cluster > communication at all. > My current customer is running his apps in AWS. As known, multicast is > not available in cloud infrastructures. Wildfly/Infinispan Cluster works > pretty well with multicast w/o having to know too much about JGroups > config. S3_PING seams to be a viable way to get a cluster running in AWS. > But additionally, my customer doesn?t have any (deep) knowledge about > JBoss infrastructures and so I?m looking for a way to be able to run > Keycloak in a cluster in AWS without the need to build up deeper > knowlegde of JGroups config, for example in getting rid of Infinispan. > But I do understand all the concerns in doing this. > I still have to test S3_PING, if it works as easy as multicast. If yes, > we can use it, if no? I don?t know yet. But this gets offtopic for > Keycloak mailinglist, it?s more related to pure Wildfly/Infinispan. > > seems to me it would be much easier to get Infinispan working on AWS > than to write and maintain an entire new caching mechanism and hope we > don't refactor the cache SPI. > > > +1 > > I am sure infinispan/JGroups has possibility to run in non-multicast > environment. You may just need to figure how exactly to configure it. So > I agree that this issue is more related to Wildfly/Infinispan itself > than to Keycloak. 
> > You may need to use jgroups protocols like TCP instead of default UDP > and maybe TCPPING (this requires to manually list all your cluster > nodes. But still, it's much better option IMO than rewriting UserSession > SPI) > Btv. if TCPPING or S3_PING is an issue, there is also AWS_PING > http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's > not official part of jgroups. > > Marek > > Marek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
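The settings discussed in this thread (a TCP stack with external_addr matching the EC2 host address, a fixed FD_SOCK client port instead of a random one, and JDBC_PING reusing the Keycloak datasource instead of S3_PING or a hard-coded TCPPING list) collected into one JGroups stack, as an added example that is not the thread's or the linked repository's tcp.xml. It assumes JGroups 3.x attribute names, that jgroups.external_addr is passed in as a system property from the EC2 metadata address the way the quoted entrypoint retrieves it, and that the Keycloak datasource is bound at java:jboss/datasources/KeycloakDS (an assumption, not stated in the thread).

```xml
<!-- Added example: JGroups 3.x TCP stack for Keycloak nodes running in Docker on EC2.
     Attribute names are JGroups'; ports, JNDI name and property names are assumptions. -->
<config xmlns="urn:org:jgroups"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/jgroups.xsd">

    <!-- bind_addr is the container's OWN address (site_local matches the 172.16.x.x docker0
         address; the thread passes -Djgroups.bind_addr=global instead). external_addr is what
         the node ADVERTISES to peers, so it must be the EC2 host address (10.10.x.x) that Docker
         forwards bind_port to, e.g.
           -Djgroups.external_addr=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
         Without it peers discover each other but reject the handshake, as described above. -->
    <TCP bind_addr="${jgroups.bind_addr:site_local}"
         bind_port="${jgroups.tcp.port:7600}"
         external_addr="${jgroups.external_addr}"
         external_port="${jgroups.tcp.port:7600}"
         port_range="0"
         sock_conn_timeout="300"/>

    <!-- Discovery through the database Keycloak already needs: no S3 dependency and no fixed
         initial_hosts list to break when an instance is replaced. JGroups creates its
         JGROUPSPING table on first start (the default initialize_sql uses a varbinary column,
         which may need adjusting for your database). JNDI name is an assumption. -->
    <JDBC_PING datasource_jndi_name="java:jboss/datasources/KeycloakDS"/>

    <MERGE3 min_interval="10000" max_interval="30000"/>

    <!-- FD_SOCK connects back to a suspected peer from a RANDOM client port by default, which a
         non-privileged container cannot expose. Pin both the server and client ports (7601 and
         7602 here, assumed) and forward them alongside 7600. Only the cluster's own security
         group should be allowed to reach these ports on the host. -->
    <FD_SOCK external_addr="${jgroups.external_addr}"
             start_port="${jgroups.fd_sock.port:7601}"
             client_bind_port="${jgroups.fd_sock.client_port:7602}"
             port_range="0"/>
    <FD_ALL timeout="30000" interval="5000"/>
    <VERIFY_SUSPECT timeout="1500"/>

    <!-- Standard reliable-delivery / membership tail of a TCP stack; no multicast anywhere. -->
    <pbcast.NAKACK2 use_mcast_xmit="false" discard_delivered_msgs="true"/>
    <UNICAST3/>
    <pbcast.STABLE stability_delay="1000" desired_avg_gossip="50000" max_bytes="4M"/>
    <pbcast.GMS print_local_addr="true" join_timeout="3000" view_bundling="true"/>
    <MFC max_credits="2M" min_threshold="0.4"/>
    <FRAG2 frag_size="60K"/>
</config>
```

Each node must forward bind_port and the two FD_SOCK ports from the host to the container; with JDBC_PING every node needs access to the same database the Keycloak datasource points at.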
From bburke at redhat.com Wed Dec 16 16:00:28 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 16 Dec 2015 16:00:28 -0500
Subject: [keycloak-user] cascaded microservice security
In-Reply-To:
References:
Message-ID: <5671D0EC.6030502@redhat.com>

On 12/16/2015 10:30 AM, Dirk Franssen wrote:
> Hi,
>
> as I didn't receive any feedback on this question yet, I will resend it (perhaps due to pending subscription)
>
> On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen wrote:
>
>> Hi,
>>
>> how would one configure Keycloak to obtain the following scenarios?
>>
>> Scenario 1:
>>
>> client A: public (angular app)
>> client B: bearer-only (microservice)
>> client C: bearer-only (microservice)
>>
>> - microservice B is allowed to call microservice C, but an authenticated user in the js app A should be forbidden to call microservice C directly.
>>

Clients request to obtain tokens on behalf of a user. Via the scope setting in the admin console for the client, you can control what roles are embedded in the token. So, in this example, it really depends how the token was created. If Client A asks for the token, you can completely control what roles are embedded in the token, so you can only allow access to B. But, if you are expecting to re-use the token to make an extra communication to C, then it won't work. Keycloak doesn't have a "token exchange" service where you can take one token and convert it to another.
>> Scenario 2:
>>
>> client A: public (angular app)
>> client B: confidential (1 war with a REST service AND a JSF application, both using the same EJB business layer which is accessing microservice C)
>> client C: bearer-only (microservice)
>>
>> - a user authenticated in the angular app can use the REST service of app B and will see the results of microservice C, but the user may not call microservice C directly
>> - a user authenticated in the JSF application will see the results of microservice C when using the JSF application, but should not be able to use microservice C directly (if the user would reuse the same access_token)
>> - should there be different roles for the REST part and the JSF part of app B (for accessing microservice C)?
>>

Play around with AdminConsole->Clients->Client->Scope Mapping. It will get you some of what you want, but not all.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Wed Dec 16 16:06:56 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 16 Dec 2015 16:06:56 -0500
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
In-Reply-To: <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local>
References: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local> <56717AAE.5020400@redhat.com> <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local>
Message-ID: <5671D270.9090000@redhat.com>

Sorry I misunderstood you. Sometimes I'm not sure if people understand basic stuff or not :)

Without knowing what Pedro did for you, I can't help you as it's not something that is in the current codebase.

On 12/16/2015 10:34 AM, Erik Mulder wrote:
> Thanks, but I'm not sure I understand you correctly.
> Let me clarify:
> - I'm extending the Keycloak REST webservices with some custom resources, for instance: http://127.0.0.1:8080/auth/realms//docdata/ (a piece of code from Pedro made this possible)
> - I'm implementing an SPI (also from Pedro's change) that gets a KeycloakSession object to 'work with'.
> - I do authenticate on the keycloak server using a token (OpenID Connect) that I got from a previous successful login.
> - Somewhere in the Keycloak internals this token is validated and a User(Model/Session) is found that corresponds to this token.
> - : This User is saved somewhere in the session context
>
> Now, my question is: How can I get hold of this User(Model/Session), given that I have just a KeycloakSession object?
>
> Through debugging I see that session.sessions() has a UserSessionEntity for my current request, but since there might be more at the same time, how can I relate my current request to the one User that is associated with it?
>
> On 16/12/15 15:52, Bill Burke wrote:
>> On 12/16/2015 9:37 AM, Erik Mulder wrote:
>>> Seems like a simple scenario, but I can't figure it out: I have an instance of the KeycloakSession and I want to get the UserModel for the current request. Is this possible?
>>>
>>> Context: I'm creating a custom REST service that runs inside keycloak and needs to get some data that is related to the current authenticated user. For instance the realm and client I can get through the session.getContext().getClient/Realm(). I would expect a getUser() there too, but I can't find it anywhere 'in' the session.
>>>
>>> If this isn't possible, shouldn't it be? Or if not, why not?
>>>
>> I'm assuming this REST request is from a browser Javascript client? Login sessions are maintained only through a cookie. You'd have to login through the browser first, then read the cookie.
>>
>> BTW, cookies are a really bad way of securing a REST interface.
>> Your REST interface becomes vulnerable to CSRF attacks. I suggest you use a token to secure your REST interface. If you are already using keycloak.js to log in, you can obtain the token from the Keycloak javascript interface and use that to invoke your service.
>>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Wed Dec 16 16:09:37 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 16 Dec 2015 16:09:37 -0500
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <5671870C.8040405@c6.eu>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu>
Message-ID: <5671D311.7050801@redhat.com>

I don't understand your question...This is a keycloak.json setting.

On 12/16/2015 10:45 AM, Johan Bos wrote:
> oh when you said:
>
> use-resource-role-mappings
>
> it is only available through the keycloak.json
>
> Nothing from Keycloak Admin UI allows you to set the options, so have the installation file ready with everything ?
>
> Regards,
>
> Johan Bos
>
> On 16/12/2015 16:33, Johan Bos wrote:
>> So it is one or the other.
>> The switch is at realm level or per clients?
>>
>> As I tend to make realm roles for securing the clients only and client/resource roles for internal client management, I should be fine
>>
>> Still it would help to have some merging/mapping so from the client we don't have to rely so much on the KeyCloak implementation to test roles... Issue is that a realm role can have the same name as a client role. But once there is always some pitfall to avoid.
>>
>> Thanks
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 15:45, Bill Burke wrote:
>>> See use-resource-role-mappings switch:
>>>
>>> If set to true, the getResourceAccess("resource-name") roles will be mapped into isUserInRole, otherwise getRealmAccess is mapped into isUserInRole
>>>
>>> Not the best I know. We've been meaning to add some sort of role mapping facility to the adapter.
>>>
>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>> Why is HttpRequest.isUserInRole() not capable to return true when the role is present in the AccessToken.getRealmAccess?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> On 16/12/2015 15:09, Bill Burke wrote:
>>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>> It's not clear to me how you get the assigned roles from the AccessToken.
>>>>>> For instance, if the realm has configured the user to have roles "user" and "editor" how do I find these in the AccessToken?
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>>>
>>>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>>>> Hi everyone,
>>>>>>>>
>>>>>>>> Do Keycloak adapters support user authorization? I mean, of course they do :) For example, the API I have secured with Keycloak receives a Keycloak access token from the client. How can I validate the token (check user roles) in my code? I am interested in the Java (wildfly) and Javascript adapters.
>>>>>>>>
>>>>>>>> Manually I am using jwt.io to check the token. I am just curious if the Keycloak adapters support smth similar out of the box.
>>>>>>>>
>>>>>>>> Thank you for your answers.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Pavel Maslov, MS
>>>>>>>>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From afield at redhat.com Wed Dec 16 16:11:09 2015
From: afield at redhat.com (Alan Field)
Date: Wed, 16 Dec 2015 16:11:09 -0500 (EST)
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com> <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com> <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com>
Message-ID: <1007218979.28021563.1450300269527.JavaMail.zimbra@redhat.com>

Hey Scott,

Thanks, I think you answered all of my questions, but I'm confused by something you said in your first email:

"The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.

So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default."

My understanding is that the 172.16 addresses are the Amazon EC2 instance's internal IP, so I'm confused why this didn't work for you before. Is the difference that you were setting jgroups.bind_addr to this address and now you are setting it to global and setting external_addr to the instance's internal IP? Just trying to understand what the problem was and how you fixed it!

Thanks again,
Alan

----- Original Message -----
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Kübler", "keycloak-user"
> Sent: Wednesday, December 16, 2015 3:45:40 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
>> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>
> True, it's mainly about maintaining extra components.
>
>> Which IP address from your example is retrieved with this command:
>> EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4 )"
>
> I get the Amazon EC2 instance's internal IP. This is what I want. There's another endpoint for public but I don't want to use it. What's good about this is when called from inside a Docker container, I manage to get the actual internal IP for the EC2 instance.
>
>> How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
>
> Since this was a test with just 2 known hosts, I injected them as a Docker environment variable with two fixed IPs. Once we switch to JDBC_PING, this will be removed.
>
>> For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>
> S3_PING, like Gossip Router adds an external dependency on another service. S3 has had consistency issues 3 times in 2015 (at least in US East). I don't want to rely on another component when I already need the database to be up. Less components, less chance of failure. Also, there are a ton of variables to set with S3 and it requires preliminary work. I want something that scales well from dev to QA to prod. JDBC_PING has a datasource_jndi_name property. I can just reuse the data source I set up for Keycloak.
>
> I hope I got all your questions.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On Dec 16, 2015, at 3:33 PM, Alan Field < afield at redhat.com > wrote:
>>
>> Hey Scott,
>>
>> Thanks for following up and showing me your code. I have some questions inline for you:
>>
>> ----- Original Message -----
>>> From: "Scott Rossillo" < srossillo at smartling.com >
>>> To: "Alan Field" < afield at redhat.com >
>>> Cc: "Niko Kübler" < niko at n-k.de >, "keycloak-user" < keycloak-user at lists.jboss.org >
>>> Sent: Wednesday, December 16, 2015 2:19:27 PM
>>> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>>>
>>> Hi Alan,
>>>
>>> Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.
>>
>> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>>
>>> I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host otherwise the nodes won't form a cluster.
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > But I do understand all the concerns in doing this. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I still have to test S3_PING, if it works as easy as > > > > > > > > > > > > multicast. > > > > > > > > > > > > If > > > > > > > > > > > > yes, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > we can use it, if no? I don?t know yet. But this gets > > > > > > > > > > > > offtopic > > > > > > > > > > > > for > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Keycloak mailinglist, it?s more related to pure > > > > > > > > > > > > Wildfly/Infinispan. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > seems to me it would be much easier to get Infinispan > > > > > > > > > > > working > > > > > > > > > > > on > > > > > > > > > > > AWS > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > than to write and maintain an entire new caching > > > > > > > > > > > mechanism > > > > > > > > > > > and > > > > > > > > > > > hope > > > > > > > > > > > we > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > don't refactor the cache SPI. 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > +1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I am sure infinispan/JGroups has possibility to run in > > > > > > > > > > non-multicast > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > environment. You may just need to figure how exactly to > > > > > > > > > > configure > > > > > > > > > > it. > > > > > > > > > > So > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I agree that this issue is more related to > > > > > > > > > > Wildfly/Infinispan > > > > > > > > > > itself > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > than to Keycloak. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > You may need to use jgroups protocols like TCP instead of > > > > > > > > > > default > > > > > > > > > > UDP > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > and maybe TCPPING (this requires to manually list all your > > > > > > > > > > cluster > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > nodes. But still, it's much better option IMO than > > > > > > > > > > rewriting > > > > > > > > > > UserSession > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > SPI) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Btv. 
if TCPPING or S3_PING is an issue, there is also > > > > > > > > > AWS_PING > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 > > > > > > > > > , > > > > > > > > > but > > > > > > > > > it's > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > not official part of jgroups. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Marek > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Marek > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > keycloak-user mailing list > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > keycloak-user at lists.jboss.org > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > keycloak-user mailing list > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > keycloak-user at lists.jboss.org > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ keycloak-user > > > > > > mailing > > > > > > list > > > > > > keycloak-user at lists.jboss.org > > > > > > 
From srossillo at smartling.com Wed Dec 16 16:17:29 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 16 Dec 2015 16:17:29 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <1007218979.28021563.1450300269527.JavaMail.zimbra@redhat.com>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com> <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com> <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com> <1007218979.28021563.1450300269527.JavaMail.zimbra@redhat.com>
Message-ID:

Ah, sorry, my originally contrived example wasn't using Amazon but just my local Docker machine IP.

In the case of my ECS tests, 172.16.0.0/16 is the Docker network's IP, which is local to the machine / EC2 instance.
Using ECS, my VPC has an IP range of 172.31.0.0/16, so the bind_addr has to be on this network. On my small cluster, that's either 172.31.44.109 or 172.31.45.191.

Does that clear it up?

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 16, 2015, at 4:11 PM, Alan Field wrote:
>
> Hey Scott,
>
> Thanks, I think you answered all of my questions, but I'm confused by something you said in your first email:
>
> "
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default.
> "
>
> My understanding is that the 172.16 addresses are the Amazon EC2 instance's internal IP, so I'm confused why this didn't work for you before. Is the difference that you were setting jgroups.bind_addr to this address and now you are setting it to global and setting external_addr to the instance's internal IP? Just trying to understand what the problem was and how you fixed it!
>
> Thanks again,
> Alan
>
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Kübler" , "keycloak-user"
> Sent: Wednesday, December 16, 2015 3:45:40 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
> > It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>
> True, it's mainly about maintaining extra components.
>
> > Which IP address from your example is retrieved with this command:
> > EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4 )?
>
> I get the Amazon EC2 instance's internal IP. This is what I want. There's another endpoint for public but I don't want to use it. What's good about this is when called from inside a Docker container, I manage to get the actual internal IP for the EC2 instance.
>
> > How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
>
> Since this was a test with just 2 known hosts, I injected them as a Docker environment variable with two fixed IPs. Once we switch to JDBC_PING, this will be removed.
>
> > For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>
> S3_PING, like Gossip Router adds an external dependency on another service. S3 has had consistency issues 3 times in 2015 (at least in US East). I don't want to rely on another component when I already need the database to be up. Less components, less chance of failure. Also, there are a ton of variables to set with S3 and it requires preliminary work. I want something that scales well from dev to QA to prod. JDBC_PING has a datasource_jndi_name property. I can just reuse the data source I set up for Keycloak.
>
> I hope I got all your questions.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 16, 2015, at 3:33 PM, Alan Field wrote:
>
> Hey Scott,
>
> Thanks for following up and showing me your code. I have some questions inline for you:
>
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Kübler" , "keycloak-user"
> Sent: Wednesday, December 16, 2015 2:19:27 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
> Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.
> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>
> I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host otherwise the nodes won't form a cluster. Secondly, FD_SOCK attempts to connect back on a random port. With Docker instances, this fails. Using a known client_bind_port works well.
> Which IP address from your example is retrieved with this command:
>
> EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4 )"
>
> Is it the 172.16.0.4 address or the 10.10.0.100 address? When I use this command in EC2, I get the internal IP address for the instance, but not the public IP address. In your example, that would be the 172.16.0.4 address. Also which address is used for the bind_addr when you use -Djgroups.bind_addr=global?
>
> Here's the code I'm testing with: https://github.com/foo4u/aws-infinispan-poc
>
> Most interesting are probably:
>
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh
> How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/src/main/resources/tcp.xml
>
> With this setup the nodes on different machines communicate without issue. I still have to add in something other than TCP_PING, but that wasn't the main issue. Will use JDBC_PING most likely. Not a fan of S3 for coordination. Plus I already need an RDBMS for Keycloak.
> For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>
> Thanks,
> Alan
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 15, 2015, at 2:13 PM, Alan Field wrote:
>
> Just to be clear, I have successfully tested Infinispan library and server mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses. None of the cloud providers support multicast. The Docker case is a little different though, because of the issues with getting access to the IP address.
>
> Thanks,
> Alan
>
> From: "Niko Kübler"
> To: "Paul Blair"
> Cc: "keycloak-user"
> Sent: Tuesday, December 15, 2015 1:53:18 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> We will go for the first run with EC2 and S3_PING, but w/o Docker.
> If we/you/whoever will find a proper solution (possibly on the jgroups mailinglist), we will test this.
>
> Seems that everybody is aware of the Docker/Cloud/Multicast issues, but no-one has a proper solution, only workarounds. :(
>
> On 15.12.2015 at 15:47, Paul Blair wrote:
>
> I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
>
> Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
>
> From: Scott Rossillo
> Date: Mon, 14 Dec 2015 18:31:30 -0500
> To: Marek Posolda ,
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.
>
> 2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP. This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple workaround.
>
> Take for example a simple 2 node cluster:
>
> Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.
>
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster. The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.
>
> I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list.
>
> Let me know what you think.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 14, 2015, at 5:32 PM, Marek Posolda wrote:
>
> CCing Alan Field from RH Infinispan team and forwarding his question:
> I'd like to know which configuration files you are using and why it is harder to use with Amazon's Docker service (ECS) or Beanstalk. I'd also be interested in how big a cluster you are using in AWS.
>
> On 14/12/15 22:24, Scott Rossillo wrote:
> AWS was why we didn't use Infinispan to begin with. That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.
>
> It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used. I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo and it's easier to test locally.
>
> TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 14, 2015, at 10:59 AM, Marek Posolda wrote:
>
> On 14/12/15 16:55, Marek Posolda wrote:
> On 14/12/15 15:58, Bill Burke wrote:
> On 12/14/2015 5:01 AM, Niko Kübler wrote:
> Hi Marek,
>
> On 14.12.2015 at 08:50, Marek Posolda wrote:
>
> Btw. what's your motivation to not use infinispan? If you're afraid of cluster communication, you don't need to worry much about it, because if you run single keycloak through standalone.xml, the infinispan automatically works in LOCAL mode and there is no cluster communication at all.
>
> My current customer is running his apps in AWS. As known, multicast is not available in cloud infrastructures. Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know too much about JGroups config. S3_PING seems to be a viable way to get a cluster running in AWS.
> But additionally, my customer doesn't have any (deep) knowledge about JBoss infrastructures and so I'm looking for a way to be able to run Keycloak in a cluster in AWS without the need to build up deeper knowledge of JGroups config, for example in getting rid of Infinispan.
> But I do understand all the concerns in doing this.
> I still have to test S3_PING, if it works as easy as multicast. If yes, we can use it, if no? I don't know yet. But this gets offtopic for Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.
>
> seems to me it would be much easier to get Infinispan working on AWS than to write and maintain an entire new caching mechanism and hope we don't refactor the cache SPI.
>
> +1
>
> I am sure infinispan/JGroups has the possibility to run in non-multicast environment. You may just need to figure how exactly to configure it. So I agree that this issue is more related to Wildfly/Infinispan itself than to Keycloak.
>
> You may need to use jgroups protocols like TCP instead of default UDP and maybe TCPPING (this requires to manually list all your cluster nodes. But still, it's much better option IMO than rewriting UserSession SPI)
>
> Btw. if TCPPING or S3_PING is an issue, there is also AWS_PING http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's not official part of jgroups.
>
> Marek
>
> Marek
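The point Scott and Alan converge on above is that the address a JGroups node advertises (external_addr) has to be the EC2 instance's VPC address, never the container's Docker bridge address, and that a known FD_SOCK client_bind_port avoids the random call-back port that fails in Docker. The script below is an added example; it is not from the thread and not code from the foo4u/aws-infinispan-poc repository. It performs the sanity check an entrypoint can run on the value returned by the metadata endpoint before handing it to the JVM. The VPC and Docker ranges (172.31.0.0/16, 172.16.0.0/16), the node addresses and port 7600 are constructed from the figures in the thread; the `-Djgroups.*` property names are assumed placeholders that must match the `${...}` references in your own tcp.xml, since the thread only names the JGroups attributes themselves.

```shell
#!/bin/sh
# Added example (not the thread's or the foo4u/aws-infinispan-poc code):
# validate the address a node will advertise to its cluster peers and
# build the JVM properties an entrypoint.sh would pass on. POSIX sh only.

# Dotted-quad IPv4 address -> integer, using only shell arithmetic.
ip_to_int() {
  _saved_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$_saved_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> success when IP lies inside CIDR (e.g. 172.31.0.0/16).
in_cidr() {
  _ip=$(ip_to_int "$1")
  _net=$(ip_to_int "${2%/*}")
  _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# pick_external_addr CANDIDATE VPC_CIDR DOCKER_CIDR
# Prints CANDIDATE only if it is a VPC address. A Docker bridge address
# (the 172.16.0.x case from the thread) is rejected explicitly, because
# it is not routable between hosts and the peers would refuse the handshake.
pick_external_addr() {
  if in_cidr "$1" "$3"; then
    echo "refusing $1: Docker bridge address ($3), not routable between hosts" >&2
    return 1
  fi
  if ! in_cidr "$1" "$2"; then
    echo "refusing $1: outside VPC $2" >&2
    return 1
  fi
  echo "$1"
}

# jgroups_system_props EXTERNAL_ADDR INITIAL_HOSTS FD_SOCK_CLIENT_PORT
# Property names are assumed placeholders; wire them to ${...} references in
# your tcp.xml (TCP bind_addr/external_addr, TCPPING initial_hosts,
# FD_SOCK client_bind_port). "global" is JGroups' wildcard bind address.
jgroups_system_props() {
  printf '%s\n' "-Djgroups.bind_addr=global -Djgroups.external_addr=$1 -Djgroups.tcpping.initial_hosts=$2 -Djgroups.fd_sock.client_bind_port=$3"
}

# Demo with constructed values. In a real entrypoint the candidate comes from
#   curl http://169.254.169.254/latest/meta-data/local-ipv4
# and INITIAL_HOSTS from the JGROUPS_INITIAL_HOSTS environment variable.
demo() {
  _vpc=172.31.0.0/16
  _docker=172.16.0.0/16
  _addr=$(pick_external_addr 172.31.44.109 "$_vpc" "$_docker") || return 1
  jgroups_system_props "$_addr" "172.31.44.109[7600],172.31.45.191[7600]" 57600
}

demo
```

The discovery list here is static, which is exactly the TCPPING weakness Scott raises (a replaced instance never appears in it); with JDBC_PING the list comes from the table the stack keeps in the Keycloak datasource named by datasource_jndi_name, so only the external_addr check remains the entrypoint's job.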
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151216/597fc024/attachment-0001.html From afield at redhat.com Wed Dec 16 16:21:27 2015 From: afield at redhat.com (Alan Field) Date: Wed, 16 Dec 2015 16:21:27 -0500 (EST) Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ? In-Reply-To: References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com> <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com> <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com> <1007218979.28021563.1450300269527.JavaMail.zimbra@redhat.com> Message-ID: <951119783.28023953.1450300887169.JavaMail.zimbra@redhat.com> Almost... I guess if the EC2 instance IP works for the bind address, why do you need to set external_addr? Thanks for bearing with me on this! :-) Alan ----- Original Message ----- > From: "Scott Rossillo" > To: "Alan Field" > Cc: "Niko K?bler" , "keycloak-user" > > Sent: Wednesday, December 16, 2015 4:17:29 PM > Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI > ? > Ah, sorry, my originally contrived example wasn?t using Amazon but just my > local Docker machine IP. > In the case of my ECS tests, 172.16.0.0/16 is the Docker network?s IP, which > is local to the machine / EC2 instance. Using ECS, my VPC has an IP range of > 172.31.0.0/16, so the bind_addr has to be on this network. On my small > cluster, that?s either 172.31.44.109 or 172.31.45.191. > Does that clear it up? > Scott Rossillo > Smartling | Senior Software Engineer > srossillo at smartling.com > > On Dec 16, 2015, at 4:11 PM, Alan Field < afield at redhat.com > wrote: > > > Hey Scott, > > > Thanks, I think you answered all of my questions, but I'm confused by > > something you said in your first email: > > > " > > > The 172.16 network is not routable between hosts (by design). 
Docker does > > port forwarding for ports we wish to expose to this works fine for > > HTTP/HTTPS but not the cluster traffic. > > > So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 > > advertises 172.16.0.8. The two cannot talk to each other by default. > > > " > > > My understanding is that the 172.16 addresses are the Amazon EC2 instance?s > > internal IP, so I'm confused why this didn't work for you before. Is the > > difference that you were setting jgroups.bind_addr to this address and now > > you are setting it to global and setting external_addr to the instance?s > > internal IP? Just trying to understand what the problem was and how you > > fixed it! > > > Thanks again, > > > Alan > > > ----- Original Message ----- > > > > From: "Scott Rossillo" < srossillo at smartling.com > > > > > > > To: "Alan Field" < afield at redhat.com > > > > > > > Cc: "Niko K?bler" < niko at n-k.de >, "keycloak-user" < > > > keycloak-user at lists.jboss.org > > > > > > > Sent: Wednesday, December 16, 2015 3:45:40 PM > > > > > > Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions > > > SPI > > > ? > > > > > > Hi Alan, > > > > > > > It is possible to use the TUNNEL with multiple gossip routers to avoid > > > > this, but I understand not wanting to have to setup and maintain the > > > > extra > > > > gossip router processes. > > > > > > True, it?s mainly about maintaining extra components. > > > > > > > Which IP address from your example is retrieved with this command: > > > > > > > EXTERNAL_HOST_IP=$(curl > > > > http://169.254.169.254/latest/meta-data/local-ipv4 > > > > )? > > > > > > I get the Amazon EC2 instance?s internal IP. This is what I want. There?s > > > another endpoint for public but I don?t want to use it. What?s good about > > > this is when called from inside a Docker container, I manage to get the > > > actual internal IP for the EC2 instance. > > > > > > > How are you setting the JGROUPS_INITIAL_HOSTS environment variable? 
> > > > > > Since this was a test with just 2 known hosts, I injected them as a > > > Docker > > > environment variable with two fixed IPs. Once we switch to JDBC_PING, > > > this > > > will be removed. > > > > > > > For my curiosity, can you tell me more about why you don't want to use > > > > S3_PING? Is it the cost or something else? Just wondering and JDBC_PING > > > > should work fine. > > > > > > S3_PING, like Gossip Router adds an external dependency on another > > > service. > > > S3 has had consistency issues 3 times in 2015 (at least in US East). I > > > don?t > > > want to rely another component when I already need the database to be up. > > > Less components, less chance of failure. Also, there are ton of variables > > > to > > > set with S3 and it requires preliminary work. I want something that > > > scales > > > well from dev to QA to prod. JDBC_PING has a datasource_jndi_name > > > property. > > > I can just reuse the data source I set up for Keycloak. > > > > > > I hope I got all your questions. > > > > > > Best, > > > > > > Scott > > > > > > Scott Rossillo > > > > > > Smartling | Senior Software Engineer > > > > > > srossillo at smartling.com > > > > > > > On Dec 16, 2015, at 3:33 PM, Alan Field < afield at redhat.com > wrote: > > > > > > > > > > Hey Scott, > > > > > > > > > > Thanks for following up and showing me your code. I have some questions > > > > inline for you: > > > > > > > > > > ----- Original Message ----- > > > > > > > > > > > From: "Scott Rossillo" < srossillo at smartling.com > > > > > > > > > > > > > > > > To: "Alan Field" < afield at redhat.com > > > > > > > > > > > > > > > > Cc: "Niko K?bler" < niko at n-k.de >, "keycloak-user" < > > > > > keycloak-user at lists.jboss.org > > > > > > > > > > > > > > > > Sent: Wednesday, December 16, 2015 2:19:27 PM > > > > > > > > > > > > > > > Subject: Re: [keycloak-user] Replace use of Infinispan with User > > > > > Sessions > > > > > SPI > > > > > ? 
> > > > > > > > > > > > > > > Hi Alan, > > > > > > > > > > > > > > > Thanks for the informative email. The steps you outlined are similar > > > > > to > > > > > what > > > > > I?ve tested with ECS. The gossip router is definitely a no-go for > > > > > production > > > > > since it?s a single point of failure. > > > > > > > > > > > > > > It is possible to use the TUNNEL with multiple gossip routers to avoid > > > > this, > > > > but I understand not wanting to have to setup and maintain the extra > > > > gossip > > > > router processes. > > > > > > > > > > > I am testing this down at the JGroups level right now and got it > > > > > working > > > > > with > > > > > ECS. There were two issues. On TCP you have to specify the > > > > > external_addr > > > > > to > > > > > match the EC2 host otherwise the nodes won?t form a cluster. > > > > > Secondly, > > > > > FD_SOCK attempts to connect back on a random port. With Docker > > > > > instances, > > > > > this fails. Using a known client_bind_port works well. > > > > > > > > > > > > > > Which IP address from your example is retrieved with this command: > > > > > > > > > > EXTERNAL_HOST_IP= $( curl > > > > http://169.254.169.254/latest/meta-data/local-ipv4 > > > > ) " > > > > > > > > > > Is it the 172.16.0.4 address or the 10.10.0.100 address? When I use > > > > this > > > > command in EC2, I get the internal IP address for the instance, but not > > > > the > > > > public IP address. In your example, that would be the 172.16.0.4 > > > > address. > > > > Also which address is used for the bind_addr when you use > > > > -Djgroups.bind_addr=global? > > > > > > > > > > > Here?s the code I?m testing with: > > > > > https://github.com/foo4u/aws-infinispan-poc > > > > > > > > > > > > > > > Most interesting are probably: > > > > > > > > > > > > > > > https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh > > > > > > > > > > > > > > How are you setting the JGROUPS_INITIAL_HOSTS environment variable? 
> > > > > https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/src/main/resources/tcp.xml
> > > > >
> > > > > With this set up the nodes on different machines communicate without issue. I still have to add in something other than TCP_PING, but that wasn't the main issue. Will use JDBC_PING most likely. Not a fan of S3 for coordination. Plus I already need an RDBMS for Keycloak.
> > > >
> > > > For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
> > > >
> > > > Thanks,
> > > >
> > > > Alan
> > > >
> > > > > Scott Rossillo
> > > > > Smartling | Senior Software Engineer
> > > > > srossillo at smartling.com
> > > > >
> > > > > > On Dec 15, 2015, at 2:13 PM, Alan Field < afield at redhat.com > wrote:
> > > > > >
> > > > > > Just to be clear, I have successfully tested Infinispan library and server mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses. None of the cloud providers support multicast. The Docker case is a little different though, because of the issues with getting access to the IP address.
> > > > > > Thanks,
> > > > > >
> > > > > > Alan
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Niko Kübler" < niko at n-k.de >
> > > > > > > To: "Paul Blair" < pblair at clearme.com >
> > > > > > > Cc: "keycloak-user" < keycloak-user at lists.jboss.org >
> > > > > > > Sent: Tuesday, December 15, 2015 1:53:18 PM
> > > > > > > Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
> > > > > > >
> > > > > > > We will go for the first run with EC2 and S3_PING, but w/o Docker.
> > > > > > >
> > > > > > > If we/you/whoever will find a proper solution (possibly on the jgroups mailing list), we will test this.
> > > > > > >
> > > > > > > Seems that everybody is aware of the Docker/Cloud/Multicast issues, but no-one has a proper solution, only workarounds. :(
> > > > > > >
> > > > > > > > On 15.12.2015 at 15:47, Paul Blair < pblair at clearme.com > wrote:
> > > > > > > >
> > > > > > > > I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
> > > > > > > >
> > > > > > > > Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
> > > > > > > > From: Scott Rossillo < srossillo at smartling.com >
> > > > > > > > Date: Mon, 14 Dec 2015 18:31:30 -0500
> > > > > > > > To: Marek Posolda < mposolda at redhat.com >, < afield at redhat.com >
> > > > > > > > Cc: keycloak-user < keycloak-user at lists.jboss.org >
> > > > > > > > Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
> > > > > > > >
> > > > > > > > There are two issues:
> > > > > > > >
> > > > > > > > 1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.
> > > > > > > >
> > > > > > > > 2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP.
> > > > > > > > This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple workaround.
> > > > > > > >
> > > > > > > > Take for example a simple 2 node cluster:
> > > > > > > >
> > > > > > > > Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
> > > > > > > >
> > > > > > > > Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.
> > > > > > > >
> > > > > > > > The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose, so this works fine for HTTP/HTTPS but not the cluster traffic.
> > > > > > > >
> > > > > > > > So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster.
> > > > > > > > The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.
> > > > > > > >
> > > > > > > > I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list.
> > > > > > > >
> > > > > > > > Let me know what you think.
> > > > > > > >
> > > > > > > > Best,
> > > > > > > >
> > > > > > > > Scott
> > > > > > > >
> > > > > > > > Scott Rossillo
> > > > > > > > Smartling | Senior Software Engineer
> > > > > > > > srossillo at smartling.com
> > > > > > > >
> > > > > > > > > On Dec 14, 2015, at 5:32 PM, Marek Posolda < mposolda at redhat.com > wrote:
> > > > > > > > >
> > > > > > > > > CCing Alan Field from RH Infinispan team and forwarding his question:
> > > > > > > > >
> > > > > > > > > I'd like to know which configuration files you are using and why it is harder to use with Amazon's Docker service (ECS) or Beanstalk.
> > > > > > > > > I'd also be interested in how big a cluster you are using in AWS.
> > > > > > > > >
> > > > > > > > > On 14/12/15 22:24, Scott Rossillo wrote:
> > > > > > > > > > AWS was why we didn't use Infinispan to begin with. That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.
> > > > > > > > > >
> > > > > > > > > > It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used. I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo and it's easier to test locally.
> > > > > > > > > >
> > > > > > > > > > TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).
> > > > > > > > > > Best,
> > > > > > > > > >
> > > > > > > > > > Scott
> > > > > > > > > >
> > > > > > > > > > Scott Rossillo
> > > > > > > > > > Smartling | Senior Software Engineer
> > > > > > > > > > srossillo at smartling.com
> > > > > > > > > >
> > > > > > > > > > > On Dec 14, 2015, at 10:59 AM, Marek Posolda < mposolda at redhat.com > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > On 14/12/15 16:55, Marek Posolda wrote:
> > > > > > > > > > > > > On 14/12/15 15:58, Bill Burke wrote:
> > > > > > > > > > > > > > On 12/14/2015 5:01 AM, Niko Kübler wrote:
> > > > > > > > > > > > > > Hi Marek,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On 14.12.2015 at 08:50, Marek Posolda < mposolda at redhat.com < mailto:mposolda at redhat.com >> wrote:
> > > > > > > > > > > > > > > Btw. what's your motivation to not use infinispan? If you are afraid of cluster communication, you don't need to worry much about it, because if you run single keycloak through standalone.xml, the infinispan automatically works in LOCAL mode and there is no cluster communication at all.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > My current customer is running his apps in AWS. As known, multicast is not available in cloud infrastructures. Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know too much about JGroups config. S3_PING seems to be a viable way to get a cluster running in AWS.
> > > > > > > > > > > > > > But additionally, my customer doesn't have any (deep) knowledge about JBoss infrastructures and so I'm looking for a way to be able to run Keycloak in a cluster in AWS without the need to build up deeper knowledge of JGroups config, for example in getting rid of Infinispan.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > But I do understand all the concerns in doing this.
> > > > > > > > > > > > > > I still have to test S3_PING, if it works as easily as multicast. If yes, we can use it, if no? I don't know yet. But this gets off-topic for the Keycloak mailing list, it's more related to pure Wildfly/Infinispan.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Seems to me it would be much easier to get Infinispan working on AWS than to write and maintain an entire new caching mechanism and hope we don't refactor the cache SPI.
> > > > > > > > > > > > +1
> > > > > > > > > > > >
> > > > > > > > > > > > I am sure infinispan/JGroups has the possibility to run in a non-multicast environment. You may just need to figure out how exactly to configure it. So I agree that this issue is more related to Wildfly/Infinispan itself than to Keycloak.
> > > > > > > > > > > >
> > > > > > > > > > > > You may need to use jgroups protocols like TCP instead of the default UDP and maybe TCPPING (this requires you to manually list all your cluster nodes.
> > > > > > > > > > > > But still, it's a much better option IMO than rewriting the UserSession SPI)
> > > > > > > > > > >
> > > > > > > > > > > Btw. if TCPPING or S3_PING is an issue, there is also AWS_PING http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's not an official part of jgroups.
> > > > > > > > > > >
> > > > > > > > > > > Marek
> > > > > > > > > > > >
> > > > > > > > > > > > Marek
> > > > > > > > > > > >
> > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > keycloak-user mailing list
> > > > > > > > > > > > keycloak-user at lists.jboss.org
> > > > > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151216/46f228a4/attachment-0001.html

From fabricio.milone at shinetech.com Wed Dec 16 16:40:39 2015
From: fabricio.milone at shinetech.com (Fabricio Milone)
Date: Thu, 17 Dec 2015 08:40:39 +1100
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
In-Reply-To: <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local>
References: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local> <56717AAE.5020400@redhat.com> <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local>
Message-ID:

Hi Erik,

I did something similar but in my case I have the username as a form attribute in the request, so if it is possible in your scenario to get the username as a string, this is one possible solution:

UserModel user = session.users().getUserByUsername(username, session.realms().getRealmByName(realm.getName()));

Not 100% sure if that's what you need, I hope it is :)

Regards,
Fab

On 17 December 2015 at 02:34, Erik Mulder wrote:
> Thanks, but I'm not sure I understand you correctly. Let me clarify:
> - I'm extending the Keycloak REST webservices with some custom resources, for instance: http://127.0.0.1:8080/auth/realms//docdata/ (a piece of code from Pedro made this possible)
> - I'm implementing an SPI (also from Pedro's change) that gets a KeycloakSession object to 'work with'.
> - I do authenticate on the keycloak server using a token (OpenID Connect) that I got from a previous successful login.
> - Somewhere in the Keycloak internals this token is validated and a User(Model/Session) is found that corresponds to this token.
> - : This User is saved somewhere in the session context
>
> Now, my question is: How can I get hold of this User(Model/Session), given that I have just a KeycloakSession object?
>
> Through debugging I see that session.sessions() has a UserSessionEntity for my current request, but since there might be more at the same time, how can I relate my current request to the one User that is associated with it?
>
> On 16/12/15 15:52, Bill Burke wrote:
> > On 12/16/2015 9:37 AM, Erik Mulder wrote:
> >> Seems like a simple scenario, but I can't figure it out: I have an instance of the KeycloakSession and I want to get the UserModel for the current request. Is this possible?
> >>
> >> Context: I'm creating a custom REST service that runs inside keycloak and needs to get some data that is related to the current authenticated user. For instance the realm and client I can get through the session.getContext().getClient/Realm(). I would expect a getUser() there too, but I can't find it anywhere 'in' the session.
> >>
> >> If this isn't possible, shouldn't it be? Or if not, why not?
> >>
> > I'm assuming this REST request is from a browser Javascript client? Login sessions are maintained only through a cookie. You'd have to login through the browser first, then read the cookie.
> >
> > BTW, cookies are a really bad way of securing a REST interface. Your REST interface becomes vulnerable to CSRF attacks. I suggest you use a token to secure your REST interface. If you are already using keycloak.js to log in, you can obtain the token from the Keycloak javascript interface and use that to invoke your service.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/f20af2b0/attachment.html

From johan.bos at c6.eu Wed Dec 16 16:51:47 2015
From: johan.bos at c6.eu (Johan B.)
Date: Wed, 16 Dec 2015 22:51:47 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <5671870C.8040405@c6.eu>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu>
Message-ID:

You answered it. I was not familiar with the whole setting list. My question was: does something in the UI make the setting change or is it a manual setup? I think you are saying it is only manual and it is fine.

It would probably be best for future versions to have all these extra adapter settings available from the admin UI so people have a switch/checkbox or input form to make direct application changes to the json. Moreover, since you have a download installation button and a json setting viewer.

On Wednesday 16 December 2015, Johan Bos wrote:
> oh when you said:
>
> use-resource-role-mappings
>
> it is only available through the keycloak.json
>
> Nothing from Keycloak Admin UI allows you to set the options, so have the installation file ready with everything ?
>
> Regards,
>
> Johan Bos
>
> On 16/12/2015 16:33, Johan Bos wrote:
>
> So it is one or the other.
> The switch is at realm level or per client?
> As I tend to make realm roles for securing the clients only and client/resource roles for internal client management, I should be fine.
>
> Still, it would help to have some merging/mapping so from the client we don't have to rely so much on the KeyCloak implementation to test roles... Issue is that a realm role can have the same name as a client role. But once there is always some pitfall to avoid.
>
> Thanks
>
> Regards,
>
> Johan Bos
>
> On 16/12/2015 15:45, Bill Burke wrote:
>
> See use-resource-role-mappings switch:
>
> If set to true, the getResourceAccess("resource-name") roles will be mapped into isUserInRole, otherwise getRealmAccess is mapped into isUserInRole
>
> Not the best I know. We've been meaning to add some sort of role mapping facility to the adapter.
>
> On 12/16/2015 9:17 AM, Johan Bos wrote:
>
> Why is HttpRequest.isUserInRole() not capable of returning true when the role is present in the AccessToken.getRealmAccess?
>
> Regards,
>
> Johan Bos
>
> On 16/12/2015 15:09, Bill Burke wrote:
>
> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>
> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>
> It's not clear to me how you get the assigned roles from the AccessToken. For instance, if the realm has configured the user to have roles "user" and "editor" how do I find these in the AccessToken?
>
> Tim
>
> On 07/12/2015 02:53, Bill Burke wrote:
>
> For Java HttpServletRequest.isUserInRole() works. If you typecast the principal to KeycloakPrincipal you can obtain the AccessToken.
>
> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>
> Hi everyone,
>
> Do Keycloak adapters support user authorization? I mean, of course they do :) For example, the API I have secured with Keycloak receives a Keycloak access token from the client. How can I validate the token (check user roles) in my code? I am interested in the Java (wildfly) and Javascript adapters.
>
> Manually I am using jwt.io to check the token.
> I am just curious if the Keycloak adapters support smth similar out of the box.
>
> Thank you for your answers.
>
>
> Regards,
> Pavel Maslov, MS

From srossillo at smartling.com Wed Dec 16 17:11:24 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 16 Dec 2015 17:11:24 -0500
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <951119783.28023953.1450300887169.JavaMail.zimbra@redhat.com>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com> <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com> <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com> <1007218979.28021563.1450300269527.JavaMail.zimbra@redhat.com> <951119783.28023953.1450300887169.JavaMail.zimbra@redhat.com>
Message-ID: <022CC9BB-3994-4E27-B3F5-A094833CC488@smartling.com>

I actually set the jgroups.bind_addr to global.
I need the EC2 instance's address for jgroups.external.addr, see: https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 16, 2015, at 4:21 PM, Alan Field wrote:
>
> Almost...
>
> I guess if the EC2 instance IP works for the bind address, why do you need to set external_addr?
>
> Thanks for bearing with me on this! :-)
>
> Alan
>
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Kübler", "keycloak-user"
> Sent: Wednesday, December 16, 2015 4:17:29 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Ah, sorry, my originally contrived example wasn't using Amazon but just my local Docker machine IP.
>
> In the case of my ECS tests, 172.16.0.0/16 is the Docker network's IP, which is local to the machine / EC2 instance. Using ECS, my VPC has an IP range of 172.31.0.0/16, so the bind_addr has to be on this network. On my small cluster, that's either 172.31.44.109 or 172.31.45.191.
>
> Does that clear it up?
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
> On Dec 16, 2015, at 4:11 PM, Alan Field wrote:
>
> Hey Scott,
>
> Thanks, I think you answered all of my questions, but I'm confused by something you said in your first email:
>
> "
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose, so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default.
> "
>
> My understanding is that the 172.16 addresses are the Amazon EC2 instance's internal IP, so I'm confused why this didn't work for you before. Is the difference that you were setting jgroups.bind_addr to this address and now you are setting it to global and setting external_addr to the instance's internal IP?
> Just trying to understand what the problem was and how you fixed it!
>
> Thanks again,
> Alan
>
>
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Kübler", "keycloak-user"
> Sent: Wednesday, December 16, 2015 3:45:40 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
> > It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>
> True, it's mainly about maintaining extra components.
>
> > Which IP address from your example is retrieved with this command:
> > EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4 )?
>
> I get the Amazon EC2 instance's internal IP. This is what I want. There's another endpoint for public but I don't want to use it. What's good about this is when called from inside a Docker container, I manage to get the actual internal IP for the EC2 instance.
>
> > How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
>
> Since this was a test with just 2 known hosts, I injected them as a Docker environment variable with two fixed IPs. Once we switch to JDBC_PING, this will be removed.
>
> > For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>
> S3_PING, like Gossip Router, adds an external dependency on another service. S3 has had consistency issues 3 times in 2015 (at least in US East). I don't want to rely on another component when I already need the database to be up. Fewer components, less chance of failure. Also, there are a ton of variables to set with S3 and it requires preliminary work. I want something that scales well from dev to QA to prod. JDBC_PING has a datasource_jndi_name property. I can just reuse the data source I set up for Keycloak.
>
> I hope I got all your questions.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
> On Dec 16, 2015, at 3:33 PM, Alan Field wrote:
>
> Hey Scott,
>
> Thanks for following up and showing me your code. I have some questions inline for you:
>
> From: "Scott Rossillo"
> To: "Alan Field"
> Cc: "Niko Kübler", "keycloak-user"
> Sent: Wednesday, December 16, 2015 2:19:27 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
> Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.
> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>
> I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host, otherwise the nodes won't form a cluster. Secondly, FD_SOCK attempts to connect back on a random port. With Docker instances, this fails. Using a known client_bind_port works well.
> Which IP address from your example is retrieved with this command:
>
> EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4 )"
>
> Is it the 172.16.0.4 address or the 10.10.0.100 address? When I use this command in EC2, I get the internal IP address for the instance, but not the public IP address. In your example, that would be the 172.16.0.4 address. Also which address is used for the bind_addr when you use -Djgroups.bind_addr=global?
>
> Here's the code I'm testing with: https://github.com/foo4u/aws-infinispan-poc
>
> Most interesting are probably:
>
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh
> How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/src/main/resources/tcp.xml
>
> With this set up the nodes on different machines communicate without issue. I still have to add in something other than TCP_PING, but that wasn't the main issue. Will use JDBC_PING most likely. Not a fan of S3 for coordination. Plus I already need an RDBMS for Keycloak.
> For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>
> Thanks,
> Alan
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
>
> On Dec 15, 2015, at 2:13 PM, Alan Field wrote:
>
> Just to be clear, I have successfully tested Infinispan library and server mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses. None of the cloud providers support multicast. The Docker case is a little different though, because of the issues with getting access to the IP address.
>
> Thanks,
> Alan
>
> From: "Niko Kübler"
> To: "Paul Blair"
> Cc: "keycloak-user"
> Sent: Tuesday, December 15, 2015 1:53:18 PM
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> We will go for the first run with EC2 and S3_PING, but w/o Docker.
> If we/you/whoever will find a proper solution (possibly on the jgroups mailinglist), we will test this.
>
> Seems that everybody is aware of the Docker/Cloud/Multicast issues, but no-one has a proper solution, only workarounds. :(
>
>
>
> On 15.12.2015 at 15:47, Paul Blair wrote:
>
> I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
>
> Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
>
> From: Scott Rossillo
> Date: Mon, 14 Dec 2015 18:31:30 -0500
> To: Marek Posolda
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.
>
> 2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP. This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple workaround.
>
> Take for example a simple 2 node cluster:
>
> Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.
>
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose, so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster.
> The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.
>
> I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list.
>
> Let me know what you think.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
> On Dec 14, 2015, at 5:32 PM, Marek Posolda wrote:
>
> CCing Alan Field from RH Infinispan team and forwarding his question:
> I'd like to know which configuration files you are using and why it is
> harder to use with Amazon's Docker service (ECS) or Beanstalk. I'd also be
> interested in how big a cluster you are using in AWS.
>
>
>
> On 14/12/15 22:24, Scott Rossillo wrote:
> AWS was why we didn't use Infinispan to begin with. That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.
>
> It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used. I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo, and it's easier to test locally.
>
> TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>
> On Dec 14, 2015, at 10:59 AM, Marek Posolda wrote:
>
> On 14/12/15 16:55, Marek Posolda wrote:
> On 14/12/15 15:58, Bill Burke wrote:
> On 12/14/2015 5:01 AM, Niko Kübler wrote:
> Hi Marek,
>
> On 14.12.2015 at 08:50, Marek Posolda wrote:
>
> Btv. what's your motivation to not use infinispan?
> If you are afraid of
> cluster communication, you don't need to worry much about it, because
> if you run a single keycloak through standalone.xml, the infinispan
> automatically works in LOCAL mode and there is no cluster
> communication at all.
> My current customer is running his apps in AWS. As known, multicast is
> not available in cloud infrastructures. Wildfly/Infinispan Cluster works
> pretty well with multicast w/o having to know too much about JGroups
> config. S3_PING seems to be a viable way to get a cluster running in AWS.
> But additionally, my customer doesn't have any (deep) knowledge about
> JBoss infrastructures and so I'm looking for a way to be able to run
> Keycloak in a cluster in AWS without the need to build up deeper
> knowledge of JGroups config, for example in getting rid of Infinispan.
> But I do understand all the concerns in doing this.
> I still have to test S3_PING, if it works as easy as multicast. If yes,
> we can use it, if no... I don't know yet. But this gets offtopic for the
> Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.
>
> seems to me it would be much easier to get Infinispan working on AWS
> than to write and maintain an entire new caching mechanism and hope we
> don't refactor the cache SPI.
>
>
> +1
>
> I am sure infinispan/JGroups has the possibility to run in a non-multicast
> environment. You may just need to figure out how exactly to configure it. So
> I agree that this issue is more related to Wildfly/Infinispan itself
> than to Keycloak.
>
> You may need to use jgroups protocols like TCP instead of the default UDP
> and maybe TCPPING (this requires you to manually list all your cluster
> nodes. But still, it's a much better option IMO than rewriting the UserSession
> SPI)
> Btv. if TCPPING or S3_PING is an issue, there is also AWS_PING
> http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's
> not an official part of jgroups.
>
> Marek
>
> Marek

From erik.mulder at docdatapayments.com Thu Dec 17 04:06:55 2015
From: erik.mulder at docdatapayments.com (Erik Mulder)
Date: Thu, 17 Dec 2015 10:06:55 +0100
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
References: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local> <56717AAE.5020400@redhat.com> <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local>
Message-ID: <9A5619B792BBA041AE094585791BB71C0137B668B0D4@DDPEX01.DDP.dcloud.local>

Thanks Fabricio, that sounds like the sort of thing I'm looking for, but I have nothing else in scope than the KeycloakSession object.

@Bill: My question is independent from the changes of Pedro.
So let's try it once more: how can I get the User(Model) of the authenticated user of the current request, if I just have a reference to the KeycloakSession? It seems to me that this should be possible, but there seems to be no way to do it. Maybe there should be a getUser() added on the KeycloakContext?

On 16/12/15 22:40, Fabricio Milone wrote:

Hi Erik,

I did something similar but in my case I have the username as a form attribute in the request, so if it is possible in your scenario to get the username as a string, this is one possible solution:

UserModel user = session.users().getUserByUsername(username, session.realms().getRealmByName(realm.getName()));

Not 100% sure if that's what you need, I hope it is :)

Regards,
Fab

On 17 December 2015 at 02:34, Erik Mulder wrote:

Thanks, but I'm not sure I understand you correctly. Let me clarify:

- I'm extending the Keycloak REST webservices with some custom resources, for instance: http://127.0.0.1:8080/auth/realms//docdata/ (a piece of code from Pedro made this possible)
- I'm implementing an SPI (also from Pedro's change) that gets a KeycloakSession object to 'work with'.
- I do authenticate on the keycloak server using a token (OpenID Connect) that I got from a previous successful login.
- Somewhere in the Keycloak internals this token is validated and a User(Model/Session) is found that corresponds to this token.
- : This User is saved somewhere in the session context

Now, my question is: How can I get hold of this User(Model/Session), given that I have just a KeycloakSession object? Through debugging I see that session.sessions() has a UserSessionEntity for my current request, but since there might be more at the same time, how can I relate my current request to the one User that is associated with it?
On 16/12/15 15:52, Bill Burke wrote:
> On 12/16/2015 9:37 AM, Erik Mulder wrote:
>> Seems like a simple scenario, but I can't figure it out: I have an
>> instance of the KeycloakSession and I want to get the UserModel for the
>> current request. Is this possible?
>>
>> Context: I'm creating a custom REST service that runs inside keycloak
>> and needs to get some data that is related to the current authenticated
>> user. For instance the realm and client I can get through
>> session.getContext().getClient/Realm(). I would expect a getUser() there
>> too, but I can't find it anywhere 'in' the session.
>>
>> If this isn't possible, shouldn't it be? Or if not, why not?
>>
> I'm assuming this REST request is from a browser Javascript client?
> Login sessions are maintained only through a cookie. You'd have to
> login through the browser first, then read the cookie.
>
> BTW, cookies are a really bad way of securing a REST interface. Your
> REST interface becomes vulnerable to CSRF attacks. I suggest you use a
> token to secure your REST interface. If you are already using
> keycloak.js to log in, you can obtain the token from the Keycloak
> javascript interface and use that to invoke your service.
>
From sthorger at redhat.com Thu Dec 17 04:26:58 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 10:26:58 +0100
Subject: [keycloak-user] Another question about brute-force detection
In-Reply-To:
References:
Message-ID:

Currently brute force protection is not enabled for service accounts, but there's an outstanding issue to enable this: https://issues.jboss.org/browse/KEYCLOAK-2003

On 8 December 2015 at 16:36, Paul Blair wrote:
> Currently, all of our clients will be logging in with service accounts
> using signed JWT as described here:
> http://blog.keycloak.org/2015/10/authentication-of-clients-with-signed.html
> .
>
> Does brute-force detection accomplish anything under this scenario?
>

From sthorger at redhat.com Thu Dec 17 04:39:12 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 10:39:12 +0100
Subject: [keycloak-user] Keep error message by language change
In-Reply-To: <5669A021.2060903@redhat.com>
References: <899968c6-071c-4112-a2e2-865c93425bb8@me.com> <5669A021.2060903@redhat.com>
Message-ID:

It makes sense to fix this. A user may not bother changing the language at first as they know enough English (or whatever the default language for the realm is set to) to understand username/password, but when an error message is displayed they don't understand it.

Bill: would it be feasible to fix it?

On 10 December 2015 at 16:54, Bill Burke wrote:
> Why would somebody change the language in the middle of an interaction?
> Keycloak usually cleans up if it is a "dead end" error.
> This means
> all the information is gone.
>
> On 12/10/2015 10:41 AM, Michael Gerber wrote:
> > Hi all
> >
> > The error message gets lost if a user changes the language. Is it
> > possible to keep it?
> >
> > Michael
> >
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From pavel.masloff at gmail.com Thu Dec 17 04:39:49 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Thu, 17 Dec 2015 10:39:49 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To:
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu>
Message-ID:

Guys, I am repeating my question here. Any ideas on this?
> I added the *org.keycloak.KeycloakPrincipal* definition in order to get the
> token:
>
>
> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>
> but cannot deploy the project to the Wildfly server:
>
> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-2) Deploying javax.ws.rs.core.Application: class si.liis.apitime.service.ApiTimeApplication
> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./apitime-rest: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_85]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_85]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException
> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625) [rt.jar:1.7.0_85]
> at java.lang.Class.privateGetPublicMethods(Class.java:2743) [rt.jar:1.7.0_85]
> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
> at org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
> at org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
> at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.(POJOResourceFactory.java:29)
> at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
> at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
> ...
> 3 more
>
> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed - address: ([("deployment" => "apitime-rest.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with the following failure message:
> {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>
>
>
> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
> Any solution?
> Thanks.
>
> Regards,
Pavel Maslov, MS

On Wed, Dec 16, 2015 at 10:51 PM, Johan B. wrote:
> You answered it. I was not familiar with the whole setting list. My
> question was: does something in the UI make the setting change or is it a
> manual setup?
> I think you are saying it is only manual and it is fine.
> It would probably be best for a future version to have all these extra adapter
> settings available.
> From the admin UI so people have a switch/checkbox or input
> form to make direct application changes to the JSON.
> Moreover since you have a download installation button and a JSON settings
> viewer
>
> On Wednesday 16 December 2015, Johan Bos wrote:
>
>> oh when you said:
>>
>> use-resource-role-mappings
>>
>> it is only available through the keycloak.json
>>
>> Nothing from the Keycloak Admin UI allows you to set the options, so have the installation file ready with everything?
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 16:33, Johan Bos wrote:
>>
>> So it is one or the other.
>> The switch is at realm level or per client?
>>
>> As I tend to make realm roles for securing the clients only and
>> client/resource roles for internal client management, I should be fine.
>>
>> Still, it would help to have some merging/mapping so that from the client we don't
>> have to rely so much on the Keycloak implementation to test roles... The issue is
>> that a realm role can have the same name as a client role. But there is always
>> some pitfall to avoid.
>>
>> Thanks
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 15:45, Bill Burke wrote:
>>
>> See use-resource-role-mappings switch:
>>
>> If set to true, the getResourceAccess("resource-name") roles will be
>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>> isUserInRole
>>
>> Not the best I know. We've been meaning to add some sort of role
>> mapping facility to the adapter.
>>
>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>
>> Why is HttpRequest.isUserInRole() not capable of returning true when
>> the role is present in AccessToken.getRealmAccess?
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 15:09, Bill Burke wrote:
>>
>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>
>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>
>> It's not clear to me how you get the assigned roles from the AccessToken.
>> For instance, if the realm has configured the user to have roles "user"
>> and "editor", how do I find these in the AccessToken?
>>
>> Tim
>>
>> On 07/12/2015 02:53, Bill Burke wrote:
>>
>> For Java, HttpServletRequest.isUserInRole() works. If you typecast the
>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>
>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>
>> Hi everyone,
>>
>>
>> Do Keycloak adapters support user authorization? I mean, of course
>> they do :) For example, the API I have secured with Keycloak receives a
>> Keycloak access token from the client. How can I validate the token
>> (check user roles) in my code? I am interested in the Java
>> (wildfly) and Javascript adapters.
>>
>> Manually I am using jwt.io to check the token. I am
>> just curious if the Keycloak adapters support smth similar out of the box.
>>
>> Thank you for your answers.
>>
>>
>> Regards,
>> Pavel Maslov, MS
>>
>>
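The thread above settles on two places a role can live in the token (AccessToken.getRealmAccess versus AccessToken.getResourceAccess) and on the adapter's use-resource-role-mappings switch that decides which one isUserInRole() consults. The helper below is an added example, not code from any poster or from the Keycloak project; it assumes the Keycloak Java adapter classes named in the thread (KeycloakPrincipal, KeycloakSecurityContext, AccessToken and its nested Access) and the hypothetical client id "my-api", and it reads both scopes explicitly so a caller never depends on the switch.

```java
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Added example (not Keycloak project code): read roles straight from the
 * AccessToken the adapter attached to the request, naming the scope
 * (realm or client) explicitly instead of relying on which scope
 * isUserInRole() happens to consult.
 *
 * The adapter has already verified the token's signature and expiry
 * before it populates the principal; this class only inspects claims.
 */
public final class TokenRoles {

    private TokenRoles() {
    }

    /**
     * The validated access token of the caller, or null when the request
     * was not authenticated through the Keycloak adapter (anonymous
     * access, or a different authentication mechanism on this path).
     */
    public static AccessToken tokenOf(HttpServletRequest request) {
        Object principal = request.getUserPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            return null;
        }
        KeycloakSecurityContext ctx =
                ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
        return ctx == null ? null : ctx.getToken();
    }

    /**
     * Realm roles, i.e. the "realm_access.roles" claim. This is what
     * isUserInRole() checks when use-resource-role-mappings is false.
     */
    public static Set<String> realmRoles(AccessToken token) {
        return rolesOf(token == null ? null : token.getRealmAccess());
    }

    /**
     * Client (resource) roles, i.e. "resource_access.<clientId>.roles".
     * This is what isUserInRole() checks when use-resource-role-mappings
     * is true, for the client the adapter is configured for.
     */
    public static Set<String> clientRoles(AccessToken token, String clientId) {
        return rolesOf(token == null ? null : token.getResourceAccess(clientId));
    }

    /** Explicit realm-scope check; a client role of the same name does not satisfy it. */
    public static boolean hasRealmRole(AccessToken token, String role) {
        return realmRoles(token).contains(role);
    }

    /** Explicit client-scope check; a realm role of the same name does not satisfy it. */
    public static boolean hasClientRole(AccessToken token, String clientId, String role) {
        return clientRoles(token, clientId).contains(role);
    }

    /**
     * Example gate for a resource method (policy is hypothetical): allow
     * when the caller holds the realm role "editor" or the "my-api"
     * client role "editor". Spelling out both scopes is the point; the
     * adapter switch would silently pick only one of them.
     */
    public static boolean mayEdit(HttpServletRequest request) {
        AccessToken token = tokenOf(request);
        return token != null
                && (hasRealmRole(token, "editor")
                    || hasClientRole(token, "my-api", "editor"));
    }

    /**
     * A section that is absent from the token, or present without a
     * roles list, must read as "no roles" rather than throw: tokens
     * issued for other clients legitimately lack a resource_access entry.
     */
    private static Set<String> rolesOf(AccessToken.Access access) {
        if (access == null || access.getRoles() == null) {
            return Collections.emptySet();
        }
        return Collections.unmodifiableSet(access.getRoles());
    }
}
```

In a JAX-RS resource, inject the request with @Context HttpServletRequest and return 403 when mayEdit() is false; the token the adapter validated is the only input, so no second round-trip to the server is needed.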
From sthorger at redhat.com Thu Dec 17 04:44:17 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 10:44:17 +0100
Subject: [keycloak-user] Direct access to Send reset password email

This is just going to be your first headache trying to reproduce everything
Keycloak does in a native Android UI. I'd highly recommend you use a webview
with a custom theme instead.

Examples of flows that you are not going to be able to do:

* OTP
* Required actions
* Registration
* Social logins
* Recover password
* ...

On 11 December 2015 at 05:11, Fabricio Milone wrote:

> Hi all,
>
> I've been working on adding custom endpoints under the realm level to
> perform some new functions like user registration and sending the password
> reset email without going through Keycloak's default web view. I've read the
> discussion regarding adding custom REST paths, but I wouldn't like to go off
> topic there.
>
> Why am I doing this?
>
> This is needed because I have to hit the Keycloak server directly from the
> native Android UI, without going through the Keycloak default login/reset
> creds screen, and get a user registered or an email to reset the password
> (among other possible future use cases).
>
> What have I got so far?
>
> I've added a custom endpoint class (ForgotPasswordEndpoint) to the
> org.keycloak.protocol.oidc.endpoints package in order to add a new path
> /auth/realms/{realm}/forgotten-password-email that sends an email to the
> user specified in a form attribute without going through the web view. I am
> also generating a key to be able to execute a client session required
> action of UPDATE_PASSWORD, so when the user clicks the link they will be
> asked to update their password.
>
> What I'm not sure about is the approach I used to get this done. Let's
> clear that up:
>
> - Created a new endpoint class similar to TokenEndpoint.java which
>   sends an email with a link to update the user password.
> - The link is generated using the UriBuilder for the base path and the
>   ClientSessionCode class for the access code, using the given realm,
>   session and any other necessary data.
> - I am adding a required action to the clientSession
>   (ClientSessionModel, created with the given UserModel) of the type
>   UserModel.RequiredAction.UPDATE_PASSWORD.
> - Once the user clicks on the link, the normal update account flow starts,
>   without any modification.
>
> That's the least invasive way I've found so far. However, today I have been
> trying to implement an SPI to achieve this (still trying to understand how
> to do that).
>
> Is there a clean/proper way to generate a valid code/execution id as it is
> generated on the normal forgotten password email?
>
> What is the right way to make a direct call to get a reset password email?
>
> Thank you in advance.
>
> Regards,
>
> Fabricio

From sthorger at redhat.com Thu Dec 17 04:45:57 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 10:45:57 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user

I don't understand what you are saying here. Can you please reformulate the
question?

On 11 December 2015 at 10:55, Andrej Prievalsky wrote:

> Hi all,
>
> I tried to validate this issue on 1.7.0.Final, but I have a question:
>
> After sending two different REST API calls:
>
> 1.) PUT
> http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email
>
> and
>
> 2.) PUT
> http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
> with body ["VERIFY_EMAIL"]
>
> for both REST APIs I got an email with the subject "Update Your Account" and
> this link generated in the email:
>
> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
>
> What is different when I generate Verify Email via the GUI, where the
> subject is "Verify email" and the link generated in the email is:
>
> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5
>
> Is this now correct, or was something changed, or is something incorrect on
> my side?
>
> Thanks.
>
> On Mon, Nov 30, 2015 at 1:18 PM, Stian Thorgersen (JIRA) wrote:
>
>> Stian Thorgersen updated Bug KEYCLOAK-2063 (Keycloak): Not working link
>> generated via REST API - Send an email-verification email to the user
>>
>> Change By: Stian Thorgersen
>> Status: Pull Request Sent -> Resolved
>> Resolution: Done
>>
>> This message was sent by Atlassian JIRA (v6.4.11#64026-sha1:78f6ec4)
From sthorger at redhat.com Thu Dec 17 04:51:50 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 10:51:50 +0100
Subject: [keycloak-user] Token Validation
In-Reply-To: <566ADD84.3000300@redhat.com>
References: <566ADD84.3000300@redhat.com>

On 11 December 2015 at 15:28, Bill Burke wrote:

> You want to write a PHP adapter? You can either validate the token
> yourself, or invoke the Keycloak REST service to validate it for you.
>
> Keycloak tokens are JSON Web Signatures (JWS).
>
> https://tools.ietf.org/html/rfc7515
>
> The content of this signature is a Keycloak extension of JSON Web Token:
>
> http://jwt.io/
>
> We have all the standard fields, with additional ones for role mappings
> and group membership depending on how you've configured the client in
> the admin console.
>
> As for CORS, this is something your PHP adapter has to handle. You can
> configure the Keycloak token to embed what origins are allowed, but the
> adapter has to handle setting all the appropriate headers.
>
> BTW, we would definitely welcome a PHP adapter contribution!

+1000. Anyone interested in contributing this, ping us and we will help as
much as we can :)

> On 12/11/2015 3:30 AM, Brian Thai wrote:
>> Hi All,
>>
>> I have just started to work with Keycloak 1.7.0 and I have a PHP REST
>> service that I want to write an adapter for. I have read the docs and
>> the code but I don't understand how the token is validated from the REST
>> service.
>>
>> I understand that with a JS client they would be redirected to Keycloak
>> to obtain an access token which will be passed to my REST API. At that
>> point I should validate the token, and I see that Keycloak provides a
>> REST endpoint for validation:
>>
>> http://docs.jboss.org/keycloak/docs/1.0-rc-1/rest-api/realms/%7Brealm%7D/tokens/validate/index.html
>>
>> I get held up by CORS because the realm itself does not have
>> configuration for setting the 'Access-Control-Allow-Origin' header. Can
>> anyone point me in the right direction?
>>
>> Thanks,
>> -Brian
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From johan.bos at c6.eu Thu Dec 17 04:56:30 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Thu, 17 Dec 2015 10:56:30 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu>
Message-ID: <567286CE.2080002@c6.eu>

You don't get these errors if you remove the 2 code lines?

When deploying your apps, it is not enough to add the Keycloak core
dependency to access the Keycloak principal; you also need to add all the
dependencies the Keycloak lib relies on.

Basically, on the latest version of Keycloak, I added almost everything that
comes in the adapter zip to my project/API runtime dependencies. No idea how
it was dealt with in previous versions; I have only dealt with Keycloak 1.6
and 1.7.

Since you have to provide some libs to your server (mine was Tomcat 7) to
deal with the Keycloak implementation that secures the app, as soon as I
needed to access the Keycloak token from my app code I was required to add
the libs the adapter for Tomcat 7 provides.

Regards,

Johan Bos

On 17/12/2015 10:39, Pavel Maslov wrote:

> Guys, I am repeating my question here. Any ideas on this?
>
> I added the *org.keycloak.KeycloakPrincipal* definition in order to get
> the token:
>
>     KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
>     String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>
> but cannot deploy the project to the WildFly server:
>
> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-2) Deploying javax.ws.rs.core.Application: class si.liis.apitime.service.ApiTimeApplication
> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./apitime-rest: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_85]
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_85]
>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException
>     at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>     at java.lang.Class.privateGetDeclaredMethods(Class.java:2625) [rt.jar:1.7.0_85]
>     at java.lang.Class.privateGetPublicMethods(Class.java:2743) [rt.jar:1.7.0_85]
>     at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>     at org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>     at org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>     at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.<init>(POJOResourceFactory.java:29)
>     at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>     at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>     ... 3 more
>
> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed - address: ([("deployment" => "apitime-rest.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>     Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with the following failure message:
> {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>     Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>
> I am using WildFly 8.2.0 with Keycloak adapter 1.3.1.
> Any solution?
> Thanks.
>
> Regards,
> Pavel Maslov, MS
>
> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. wrote:
>
>> You answered it. I was not familiar with the whole setting list. My
>> question was: does something in the UI make the setting change or is it a
>> manual setup?
>> I think you are saying it is only manual and it is fine.
>> It would probably be best for a future version to have all these extra
>> adapter settings available from the admin UI, so people have a
>> switch/checkbox or input form to make the change directly in the
>> application JSON. Moreover, you already have a download installation
>> button and a JSON settings viewer.
>>
>> On Wednesday 16 December 2015, Johan Bos wrote:
>>
>>> Oh, when you said:
>>>
>>> use-resource-role-mappings
>>>
>>> it is only available through the keycloak.json
>>>
>>> [...]
From pavel.masloff at gmail.com Thu Dec 17 05:01:37 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Thu, 17 Dec 2015 11:01:37 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To: <567286CE.2080002@c6.eu>
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>

Hi Johan,

> You don't get these errors if you remove the 2 code lines?

Exactly. However, once I include these 2 lines, I cannot deploy the war
file to the WildFly server.

I have to point out that there are no errors during build/packaging.

Regards,
Pavel Maslov, MS

On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos wrote:

> You don't get these errors if you remove the 2 code lines?
> When deploying your apps, it is not enough to add the Keycloak core
> dependency to access the Keycloak principal; you also need to add all the
> dependencies the Keycloak lib relies on.
>
> Basically, on the latest version of Keycloak, I added almost everything that
> comes in the adapter zip to my project/API runtime dependencies. No idea how
> it was dealt with in previous versions; I have only dealt with Keycloak 1.6
> and 1.7.
>
> Since you have to provide some libs to your server (mine was Tomcat 7) to
> deal with the Keycloak implementation that secures the app, as soon as I
> needed to access the Keycloak token from my app code I was required to add
> the libs the adapter for Tomcat 7 provides.
>
> Regards,
>
> Johan Bos
>
> On 17/12/2015 10:39, Pavel Maslov wrote:
>
>> Guys, I am repeating my question here. Any ideas on this?
>>
>> [...]
From thomas.raehalme at aitiofinland.com Thu Dec 17 05:22:08 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Thu, 17 Dec 2015 12:22:08 +0200
Subject: [keycloak-user] Token Validation
References: <566ADD84.3000300@redhat.com>

On Thu, Dec 17, 2015 at 11:51 AM, Stian Thorgersen wrote:

> On 11 December 2015 at 15:28, Bill Burke wrote:
>
>> You want to write a PHP adapter? You can either validate the token
>> yourself, or invoke the Keycloak REST service to validate it for you.
>>
>> [...]
>>
>> BTW, we would definitely welcome a PHP adapter contribution!
>
> +1000. Anyone interested in contributing this, ping us and we will help as
> much as we can :)

Here is something I contributed to PHP League's OAuth 2.0 Client while doing
a PoC for a customer: https://github.com/stevenmaguire/oauth2-keycloak

I don't really work with PHP so I didn't have a chance to take it any
further. Don't know if it's of any use, but please feel free to use it if
it is.

Best regards,
Thomas
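Two threads above come down to the same handful of steps: Bill Burke's advice in the Token Validation thread to validate the JWS yourself rather than round-trip to the server, and his description in the [Authorization] thread of the adapter's use-resource-role-mappings switch (resource_access roles answer isUserInRole when it is set, realm_access roles otherwise). The following is an added Python example, not Keycloak's code and not the PHP client Thomas links to. It mints a Keycloak-shaped token with a locally generated RSA key, then validates alg, signature, exp, iss and audience before reading the role claims. The RSA routines are pure Python only so the example runs offline; a real adapter would use a vetted library and fetch the realm's public key. The issuer URL, the client name apitime-rest (borrowed from Pavel's deployment) and the role names are assumptions, and the token and key are constructed here.

```python
import base64
import hashlib
import json
import random
import time

# Minimal RSASSA-PKCS1-v1_5/SHA-256 so the demo runs offline; real adapters use a vetted library.
_RNG = random.Random(20151217)  # seeded so the constructed demo key is reproducible
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; n is always a large odd candidate here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        p = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def make_keypair(bits=1024):
    """Return (n, e, d). 1024 bits keeps the demo fast; real realms use 2048+."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _emsa(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()  # DigestInfo || hash
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(_emsa(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa(msg, k)

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, n, d):
    """Mint a compact JWS (header.payload.signature) the way the realm would."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = rs256_sign(f"{header}.{payload}".encode(), n, d)
    return f"{header}.{payload}.{b64url(signature)}"

def validate_token(token, n, e, issuer, client_id, now=None):
    """Return the claims if alg, signature, exp, iss and audience all check out."""
    h64, p64, s64 = token.split(".")  # ValueError unless a 3-part compact JWS
    header = json.loads(unb64url(h64))
    if header.get("alg") != "RS256":  # refuse alg=none and HMAC key-confusion tokens
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if not rs256_verify(f"{h64}.{p64}".encode(), unb64url(s64), n, e):
        raise ValueError("signature does not verify against the realm key")
    claims = json.loads(unb64url(p64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud") or []
    if client_id not in (aud if isinstance(aud, list) else [aud]) and claims.get("azp") != client_id:
        raise ValueError("token was not issued for this client")
    return claims

def is_user_in_role(claims, role, resource, use_resource_role_mappings=False):
    # The adapter switch: resource_access[resource] when true, realm_access otherwise.
    if use_resource_role_mappings:
        return role in claims.get("resource_access", {}).get(resource, {}).get("roles", [])
    return role in claims.get("realm_access", {}).get("roles", [])

N, E, D = make_keypair()  # constructed demo key, not a realm key
ISSUER = "http://localhost:8080/auth/realms/demo"  # assumed realm URL
CLAIMS = {"iss": ISSUER, "aud": "apitime-rest", "azp": "apitime-rest", "exp": 4102444800,
          "preferred_username": "alice", "realm_access": {"roles": ["user", "editor"]},
          "resource_access": {"apitime-rest": {"roles": ["admin"]}}}  # constructed sample
TOKEN = issue_token(CLAIMS, N, D)

if __name__ == "__main__":
    c = validate_token(TOKEN, N, E, ISSUER, "apitime-rest")
    print(is_user_in_role(c, "editor", "apitime-rest"), is_user_in_role(c, "admin", "apitime-rest", True))
```

The alg check runs before anything else: a token whose header claims none or HS256 is rejected before any key material is touched, which is the mistake a hand-rolled adapter is most likely to ship with. The use_resource_role_mappings flag reproduces the either/or behaviour Bill describes: with it set, only the client's own roles answer isUserInRole, and a realm role such as editor is invisible to that check, which is exactly the situation Johan ran into.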
From sthorger at redhat.com Thu Dec 17 05:33:13 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 11:33:13 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>

If you are using WildFly you should install the client adapter subsystem
(see the docs for instructions). That way you don't have to add any
dependencies into your WAR.

On 17 December 2015 at 11:01, Pavel Maslov wrote:

> Hi Johan,
>
>> You don't get these errors if you remove the 2 code lines?
>
> Exactly. However, once I include these 2 lines, I cannot deploy the WAR
> file to the WildFly server.
>
> I have to point out that there are no errors during build/packaging.
>
> Regards,
> Pavel Maslov, MS
>
> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos wrote:
>
>> You don't get these errors if you remove the 2 code lines?
>> When deploying your apps, it is not enough to add the Keycloak core
>> dependency to access the Keycloak principal; you also need to add all
>> possible dependencies the Keycloak lib is relying on.
>>
>> Basically on the latest version of Keycloak, I added almost everything
>> that comes in the adapter zip to my project/API dependencies for runtime.
>> No idea how it was dealt with in previous versions. Only dealt with
>> Keycloak 1.6 and 1.7.
>>
>> Since you had to provide some libs to your server (mine was Tomcat 7) to
>> deal with the Keycloak implementation to secure my app, as soon as I
>> needed to access the Keycloak token from my app code, I was required to
>> add the libs the adapter for Tomcat 7 is providing.
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 17/12/2015 10:39, Pavel Maslov wrote:
>>
>> Guys, I am repeating my question here. Any ideas on this?
>>
>>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get
>>> the token:
>>>
>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
>>> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>>
>>> but cannot deploy the project to the WildFly server:
>>>
>>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-2) Deploying javax.ws.rs.core.Application: class si.liis.apitime.service.ApiTimeApplication
>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./apitime-rest: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_85]
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_85]
>>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>>> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException
>>>     at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>>>     at java.lang.Class.privateGetDeclaredMethods(Class.java:2625) [rt.jar:1.7.0_85]
>>>     at java.lang.Class.privateGetPublicMethods(Class.java:2743) [rt.jar:1.7.0_85]
>>>     at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>>>     at org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>>     at org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>>     at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.(POJOResourceFactory.java:29)
>>>     at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>>     at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>     ... 3 more
>>>
>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed - address: ([("deployment" => "apitime-rest.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>     Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with the following failure message:
>>> {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>     Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>>>
>>> I am using WildFly 8.2.0 with Keycloak adapter 1.3.1.
>>> Any solution?
>>> Thanks.
>>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. wrote:
>>
>>> You answered it. I was not familiar with the whole setting list. My
>>> question was: does something in the UI make the setting change or is it
>>> a manual setup?
>>> I think you are saying it is only manual and it is fine.
>>> It would probably be best for future versions to have all these extra
>>> adapter settings available from the admin UI so people have the
>>> switch/checkbox or input form to make direct application changes to the
>>> JSON, moreover since you have a download installation button and a JSON
>>> setting viewer.
>>>
>>> On Wednesday 16 December 2015, Johan Bos <johan.bos at c6.eu> wrote:
>>>
>>>> oh when you said:
>>>>
>>>> use-resource-role-mappings
>>>>
>>>> it is only available through the keycloak.json
>>>>
>>>> Nothing from Keycloak Admin UI allows you to set the options, so have
>>>> the installation file ready with everything?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> On 16/12/2015 16:33, Johan Bos wrote:
>>>>
>>>> So it is one or the other.
>>>> The switch is at realm level or per client?
>>>>
>>>> As I tend to make realm roles for securing the clients only and
>>>> client/resource roles for internal client management, I should be fine.
>>>>
>>>> Still it would help to have some merging/mapping so from the client we
>>>> don't have to rely so much on the Keycloak implementation to test
>>>> roles... Issue is that a realm role can have the same name as a client
>>>> role. But there is always some pitfall to avoid.
>>>>
>>>> Thanks
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> On 16/12/2015 15:45, Bill Burke wrote:
>>>>
>>>> See use-resource-role-mappings switch:
>>>>
>>>> If set to true, the getResourceAccess("resource-name") roles will be
>>>> mapped into isUserInRole, otherwise getRealmAccess is mapped into
>>>> isUserInRole
>>>>
>>>> Not the best I know. We've been meaning to add some sort of role
>>>> mapping facility to the adapter.
>>>>
>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>
>>>> Why is HttpRequest.isUserInRole() not capable of returning true when
>>>> the role is present in AccessToken.getRealmAccess?
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> On 16/12/2015 15:09, Bill Burke wrote:
>>>>
>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>
>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>
>>>> It's not clear to me how you get the assigned roles from the
>>>> AccessToken.
>>>> For instance, if the realm has configured the user to have roles "user"
>>>> and "editor" how do I find these in the AccessToken?
>>>>
>>>> Tim
>>>>
>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>
>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the
>>>> principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>
>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> Do Keycloak adapters support user authorization? I mean, of course they
>>>> do :) For example, the API I have secured with Keycloak receives a
>>>> Keycloak access token from the client. How can I validate the token
>>>> (check user roles) in my code? I am interested in the Java (WildFly)
>>>> and JavaScript adapters.
>>>>
>>>> Manually I am using jwt.io to check the token. I am just curious if
>>>> the Keycloak adapters support something similar out of the box.
>>>>
>>>> Thank you for your answers.
>>>>
>>>> Regards,
>>>> Pavel Maslov, MS

From sthorger at redhat.com Thu Dec 17 05:33:45 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 11:33:45 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>

From the stack trace you added earlier it looks like you've added some
dependencies to your WAR you shouldn't add.
On 17 December 2015 at 11:33, Stian Thorgersen wrote:

> If you are using WildFly you should install the client adapter subsystem
> (see the docs for instructions). That way you don't have to add any
> dependencies into your WAR.
From sthorger at redhat.com Thu Dec 17 05:35:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 11:35:19 +0100
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?

Property files, including messages, should all be in ISO-8859-1. Which
files are encoded as UTF-8?

On 12 December 2015 at 16:00, Jeandeson O. Merelis wrote:

> Why has the encoding of Java properties files been converted to UTF-8?
>
> We had decided that the default Java properties files would be ISO-8859-1
>
> --
> Jeandeson O. Merelis

From johan.bos at c6.eu Thu Dec 17 05:36:12 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Thu, 17 Dec 2015 11:36:12 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>
Message-ID: <5672901C.2090609@c6.eu>

Then you should do as it requests: add the required dependencies until you
have got them all and deploy with no error.

Why would it give you an error during build? The dependencies of Keycloak
are not something you inherit in your project simply by adding the Keycloak
core lib. It mainly depends on how you build it. Third party dependencies
are not always a requirement to build a project, as most of the unseen
issues in deployment dependency management come from dependencies only
required at runtime. Your build doesn't know what the Keycloak principal
means other than the direct Keycloak lib.

This is basic Java project dependency: compile/runtime/provided are the
different options you have using a mavenized project. When using a lib from
a maven repo, you have the pom that comes with it, and just going through it
gives you an idea of what you are missing.

Regards,

Johan Bos

On 17/12/2015 11:01, Pavel Maslov wrote:
> Hi Johan,
>
>> You don't get these errors if you remove the 2 code lines?
>
> Exactly. However, once I include these 2 lines, I cannot deploy the
> WAR file to the WildFly server.
>
> I have to point out that there are no errors during build/packaging.
>
> Regards,
> Pavel Maslov, MS
>
> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos wrote:
>
>> You don't get these errors if you remove the 2 code lines?
>> When deploying your apps, it is not enough to add the Keycloak core
>> dependency to access the Keycloak principal; you also need to add all
>> possible dependencies the Keycloak lib is relying on.
>>
>> Basically on the latest version of Keycloak, I added almost everything
>> that comes in the adapter zip to my project/API dependencies for
>> runtime.
>> No idea how it was dealt with in previous versions. Only dealt with
>> Keycloak 1.6 and 1.7.
>>
>> Since you had to provide some libs to your server (mine was Tomcat 7)
>> to deal with the Keycloak implementation to secure my app, as soon as I
>> needed to access the Keycloak token from my app code, I was required to
>> add the libs the adapter for Tomcat 7 is providing.
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 17/12/2015 10:39, Pavel Maslov wrote:
>>> Guys, I am repeating my question here. Any ideas on this?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Pavel Maslov, MS
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/8e969549/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: johan_bos.vcf
Type: text/x-vcard
Size: 335 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/8e969549/attachment-0001.vcf

From sthorger at redhat.com Thu Dec 17 05:40:22 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 11:40:22 +0100
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
In-Reply-To: <9A5619B792BBA041AE094585791BB71C0137B668B0D4@DDPEX01.DDP.dcloud.local>
References: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local> <56717AAE.5020400@redhat.com> <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local> <9A5619B792BBA041AE094585791BB71C0137B668B0D4@DDPEX01.DDP.dcloud.local>
Message-ID:

There's no way to get the user from the KeycloakContext. Some endpoints rely on a bearer token for authentication (admin endpoints), some on the server-side cookie (account) and others use a special code in the query params (authentication flows).

Assuming you are creating a REST endpoint that requires authentication using a bearer token you need to manually extract and verify the token. This is how the admin endpoints do it:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L139

On 17 December 2015 at 10:06, Erik Mulder wrote:
> Thanks Fabricio, that sounds like the sort of thing I'm looking for, but I have nothing else in scope than the KeycloakSession object.
> @Bill: My question is independent from the changes of Pedro.
>
> So let's try it once more: how can I get the User(Model) of the authenticated user of the current request, if I just have a reference to the KeycloakSession? It seems to me that this should be possible, but there seems to be no way to do it. Maybe there should be a getUser() added on the KeycloakContext?
>
> On 16/12/15 22:40, Fabricio Milone wrote:
>
> Hi Erik,
>
> I did something similar but in my case I have the username as a form attribute in the request, so if it is possible in your scenario to get the username as a string, this is one possible solution:
>
> UserModel user = session.users().getUserByUsername(*username*, session.realms().getRealmByName(realm.getName()));
>
> Not 100% sure if that's what you need, I hope it is :)
>
> Regards,
> Fab
>
> On 17 December 2015 at 02:34, Erik Mulder wrote:
>
>> Thanks, but I'm not sure I understand you correctly. Let me clarify:
>> - I'm extending the Keycloak REST webservices with some custom resources, for instance: http://127.0.0.1:8080/auth/realms//docdata/ (a piece of code from Pedro made this possible)
>> - I'm implementing an SPI (also from Pedro's change) that gets a KeycloakSession object to 'work with'.
>> - I do authenticate on the keycloak server using a token (OpenID Connect) that I got from a previous successful login.
>> - Somewhere in the Keycloak internals this token is validated and a User(Model/Session) is found that corresponds to this token.
>> - : This User is saved somewhere in the session context
>>
>> Now, my question is: How can I get hold of this User(Model/Session), given that I have just a KeycloakSession object?
>>
>> Through debugging I see that session.sessions() has a UserSessionEntity for my current request, but since there might be more at the same time, how can I relate my current request to the one User that is associated with it?
>>
>> On 16/12/15 15:52, Bill Burke wrote:
>> > On 12/16/2015 9:37 AM, Erik Mulder wrote:
>> >> Seems like a simple scenario, but I can't figure it out: I have an instance of the KeycloakSession and I want to get the UserModel for the current request. Is this possible?
>> >>
>> >> Context: I'm creating a custom REST service that runs inside keycloak and needs to get some data that is related to the current authenticated user. For instance the realm and client I can get through the session.getContext().getClient/Realm(). I would expect a getUser() there too, but I can't find it anywhere 'in' the session.
>> >>
>> >> If this isn't possible, shouldn't it be? Or if not, why not?
>> >>
>> > I'm assuming this REST request is from a browser Javascript client? Login sessions are maintained only through a cookie. You'd have to login through the browser first, then read the cookie.
>> >
>> > BTW, cookies are a really bad way of securing a REST interface. Your REST interface becomes vulnerable to CSRF attacks. I suggest you use a token to secure your REST interface. If you are already using keycloak.js to log in, you can obtain the token from the Keycloak javascript interface and use that to invoke your service.
>> >
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
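The pattern Stian points at, a custom REST resource running inside the Keycloak server that extracts and verifies the bearer token itself instead of expecting the KeycloakSession to know the caller, as an added example (this is not code from the thread or from the Keycloak project). It assumes the Keycloak 1.x server API that AdminRoot used at the time: `AppAuthManager.extractAuthorizationHeaderToken(HttpHeaders)`, `AppAuthManager.authenticateBearerToken(KeycloakSession, RealmModel, UriInfo, ClientConnection, HttpHeaders)` returning `AuthenticationManager.AuthResult`, and `JWSInput`/`JWSInputException` from keycloak-core; the package, resource class, `/docdata` path and `@Context` wiring are illustrative.

```java
package example.docdata; // hypothetical package for the custom resource

import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriInfo;

import org.keycloak.ClientConnection;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;

/**
 * Custom resource mounted inside the Keycloak server (hypothetical).
 * The KeycloakSession carries no notion of "the current user", so the
 * resource authenticates the bearer token itself, the way AdminRoot does.
 */
@Path("/docdata")
public class DocDataResource {

    @Context private KeycloakSession session;      // assumed: injected by the server
    @Context private HttpHeaders headers;
    @Context private UriInfo uriInfo;
    @Context private ClientConnection clientConnection;

    private final AppAuthManager authManager = new AppAuthManager(); // assumed 1.x API

    /** Resolve the calling user or fail with 401. No unverified claim drives a decision. */
    private UserModel authenticatedUser() {
        // 1. Pull the raw token out of "Authorization: Bearer ..." (null when absent).
        String tokenString = authManager.extractAuthorizationHeaderToken(headers);
        if (tokenString == null) {
            throw new NotAuthorizedException("Bearer");
        }

        // 2. Decode (not verify) the payload, only to learn which realm's keys apply.
        //    The issuer is attacker-controlled until step 3 checks the signature, so it
        //    is used solely to pick the realm; anything else must come from the verified token.
        AccessToken unverified;
        try {
            unverified = new JWSInput(tokenString).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            throw new NotAuthorizedException("Bearer token format error");
        }
        String issuer = unverified.getIssuer();
        if (issuer == null) {
            throw new NotAuthorizedException("Bearer");
        }
        String realmName = issuer.substring(issuer.lastIndexOf('/') + 1);
        RealmModel realm = session.realms().getRealmByName(realmName);
        if (realm == null) {
            throw new NotAuthorizedException("Unknown realm in token");
        }

        // 3. Full verification against that realm: signature, expiry and an active
        //    user session. A null result means the token is not acceptable.
        AuthenticationManager.AuthResult auth =
                authManager.authenticateBearerToken(session, realm, uriInfo, clientConnection, headers);
        if (auth == null) {
            throw new NotAuthorizedException("Bearer");
        }
        // auth.getToken() is the verified token; auth.getUser() is the UserModel asked for above.
        return auth.getUser();
    }

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String whoAmI() {
        return authenticatedUser().getUsername();
    }
}
```

The design point is the split between step 2 and step 3: decoding a JWT only reads JSON, it proves nothing, so the realm name taken from the unverified issuer is used only to select which realm's verification to run, and every value used afterwards (user, roles, client) comes from the `AuthResult` the verified path returned. This is also why the resource is token-only rather than cookie-based, which removes the CSRF exposure Bill raised for cookie-secured REST interfaces.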
From johan.bos at c6.eu Thu Dec 17 05:41:54 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Thu, 17 Dec 2015 11:41:54 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To:
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>
Message-ID: <56729172.7010709@c6.eu>

I had the same issue when deploying my webapp in the eclipse IDE. Even if my runtime env. Tomcat 7 had the adapters for keycloak well installed into the lib folder, it was detecting it. But as soon as I needed to make reference to the keycloak principal in my project and wanted to debug it (inspect what info in the token I could use), I got a runtime invocation exception.

I solved it by editing the runtime tomcat classpath from eclipse and adding the needed adapter jars, but not all. Like you said, some are used by the app server during init and should not be part of the runtime dependencies, otherwise you can also get NoClassDefFound on something you don't need.

Regards,

Johan Bos

On 17/12/2015 11:33, Stian Thorgersen wrote:
> From the stack trace you added earlier it looks like you've added some dependencies to your WAR you shouldn't add.
>
> On 17 December 2015 at 11:33, Stian Thorgersen wrote:
>
> If you are using WildFly you should install the client adapter subsystem (see the docs for instructions). That way you don't have to add any dependencies into your WAR.
>
> On 17 December 2015 at 11:01, Pavel Maslov wrote:
>
> Hi Jonah,
>
> > You don't get these errors if you remove the 2 code lines?
>
> Exactly. However, once I include these 2 lines, I cannot deploy the war file to the Wildfly server.
>
> I have to point out that there are no errors during build/packaging.
>
> Regards,
> Pavel Maslov, MS
>
> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos wrote:
>
> You don't get these errors if you remove the 2 code lines?
> When deploying your apps, it is not enough to add the keycloak core dependency to access the keycloak principal, you also need to add all possible dependencies the keycloak lib is relying on.
>
> Basically on the latest version of keycloak, I added almost everything that comes in the adapter zip to my project/api dependencies for runtime.
> No idea how it was dealt with in previous versions. Only dealt with keycloak 1.6 and 1.7.
>
> Since you had to provide some libs to your server (mine was tomcat 7) to deal with the keycloak implantation to secure my app, as soon as I needed to access the keycloak token from my app code, I was required to add the libs the adapter for tomcat 7 is providing.
>
> Regards,
>
> Johan Bos
>
> On 17/12/2015 10:39, Pavel Maslov wrote:
>> Guys, I am repeating my question here. Any ideas on this?
>>
>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get the token:
>>
>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
>> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>
>> but cannot deploy the project to the Wildfly server:
>>
>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-2) Deploying javax.ws.rs.core.Application: class si.liis.apitime.service.ApiTimeApplication
>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./apitime-rest: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>
at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >> [rt.jar:1.7.0_85] >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >> [rt.jar:1.7.0_85] >> at java.lang.Thread.run(Thread.java:745) >> [rt.jar:1.7.0_85] >> Caused by: java.lang.NoClassDefFoundError: >> com/google/zxing/WriterException >> at java.lang.Class.getDeclaredMethods0(Native Method) >> [rt.jar:1.7.0_85] >> at >> java.lang.Class.privateGetDeclaredMethods(Class.java:2625) >> [rt.jar:1.7.0_85] >> at >> java.lang.Class.privateGetPublicMethods(Class.java:2743) >> [rt.jar:1.7.0_85] >> at java.lang.Class.getMethods(Class.java:1480) >> [rt.jar:1.7.0_85] >> at >> org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747) >> at >> org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700) >> at >> org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.(POJOResourceFactory.java:29) >> at >> org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75) >> at >> org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400) >> at >> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >> at >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >> at >> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79) >> at >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >> at >> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220) >> at >> 
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125) >> at >> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508) >> at >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88) >> at >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72) >> at >> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) >> [jboss-msc-1.2.2.Final.jar:1.2.2.Final] >> at >> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) >> [jboss-msc-1.2.2.Final.jar:1.2.2.Final] >> ... 3 more >> >> 10:23:31,285 ERROR >> [org.jboss.as.controller.management-operation] >> (management-handler-thread - 1) JBAS014613: Operation >> ("redeploy") failed - address: ([("deployment" => >> "apitime-rest.war")]) - failure description: >> {"JBAS014671: Failed services" => >> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" >> => "org.jboss.msc.service.StartException in service >> jboss.undertow.deployment.default-server.default-host./apitime-rest: >> Failed to start service >> Caused by: java.lang.NoClassDefFoundError: >> com/google/zxing/WriterException"}} >> 10:23:31,285 ERROR [org.jboss.as.server] >> (management-handler-thread - 1) JBAS015860: Redeploy >> of deployment "apitime-rest.war" was rolled back with >> the following failure message: >> {"JBAS014671: Failed services" => >> {"jboss.undertow.deployment.default-server.default-host./apitime-rest" >> => "org.jboss.msc.service.StartException in service >> jboss.undertow.deployment.default-server.default-host./apitime-rest: >> Failed to start service >> Caused by: java.lang.NoClassDefFoundError: >> com/google/zxing/WriterException"}} >> >> >> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1. >> Any solution? >> Thanks. 
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. wrote:
>>
>> You answered it. I was not familiar with the whole setting list. My question was: does something in the ui make the setting change or is it a manual setup?
>> I think you are saying it is only manual and it is fine.
>> It would probably be best for future versions to have all these extra adapter settings available from the admin UI so people have the switch/checkbox or input form to make direct application changes to the json.
>> Moreover since you have a download installation button and a json setting viewer
>>
>> On Wednesday 16 December 2015, Johan Bos wrote:
>>
>> oh when you said:
>>
>> use-resource-role-mappings
>>
>> it is only available through the keycloak.json
>>
>> Nothing from Keycloak Admin UI allows you to set the options, so have the installation file ready with everything ?
>>
>> Regards,
>>
>> Johan Bos
>>
>> On 16/12/2015 16:33, Johan Bos wrote:
>>> So it is one or the other.
>>> The switch is at realm level or per client?
>>>
>>> As I tend to make realm roles for securing the clients only and client/resource roles for internal client management, I should be fine
>>>
>>> Still it would help to have some merging/mapping so from the client we don't have to rely so much on the KeyCloak implementation to test roles... Issue is that a realm role can have the same name as a client role. But once there is always some pitfall to avoid.
>>>
>>> Thanks
>>>
>>> Regards,
>>>
>>> Johan Bos
>>>
>>> On 16/12/2015 15:45, Bill Burke wrote:
>>>> See use-resource-role-mappings switch:
>>>>
>>>> If set to true, the getResourceAccess("resource-name") roles will be mapped into isUserInRole, otherwise getRealmAccess is mapped into isUserInRole
>>>>
>>>> Not the best I know. We've been meaning to add some sort of role mapping facility to the adapter.
>>>>
>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>> Why is HttpRequest.isUserInRole() not capable of returning true when the role is present in the AccessToken.getRealmAccess?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> On 16/12/2015 15:09, Bill Burke wrote:
>>>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>>>
>>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>>> It's not clear to me how you get the assigned roles from the AccessToken.
>>>>>>> For instance, if the realm has configured the user to have roles "user" and "editor", how do I find these in the AccessToken?
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>>>>
>>>>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>>>>> Hi everyone,
>>>>>>>>>
>>>>>>>>> Do Keycloak adapters support user authorization? I mean, of course they do :) For example, the API I have secured with Keycloak receives a Keycloak access token from the client. How can I validate the token (check user roles) in my code? I am interested in the Java (wildfly) and Javascript adapters.
>>>>>>>>>
>>>>>>>>> Manually I am using jwt.io to check the token. I am just curious if the Keycloak adapters support smth similar out of the box.
>>>>>>>>>
>>>>>>>>> Thank you for your answers.
>>>>>>>>> >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Pavel Maslov, MS >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>> >>>>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/69f5464c/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: johan_bos.vcf
Type: text/x-vcard
Size: 335 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/69f5464c/attachment-0001.vcf

From pavel.masloff at gmail.com Thu Dec 17 05:49:56 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Thu, 17 Dec 2015 11:49:56 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
In-Reply-To:
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>
Message-ID:

I added these two lines to a working REST service which is already secured with Keycloak. The only thing is that I am checking the user's roles using *annotations*. What I want to do now is handle this manually (by creating a test servlet that will pull the user's roles out of the token).

From the log I can see that it's missing com/google/zxing:

> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"

I have no idea what it means.

Regards,
Pavel Maslov, MS

On Thu, Dec 17, 2015 at 11:33 AM, Stian Thorgersen wrote:
> If you are using WildFly you should install the client adapter subsystem (see the docs for instructions). That way you don't have to add any dependencies into your WAR.
>
> On 17 December 2015 at 11:01, Pavel Maslov wrote:
>
>> Hi Jonah,
>>
>>> You don't get these errors if you remove the 2 code lines?
>>
>> Exactly. However, once I include these 2 lines, I cannot deploy the war file to the Wildfly server.
>>
>> I have to point out that there are no errors during build/packaging.
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos wrote:
>>
>>> You don't get these errors if you remove the 2 code lines?
>>> When deploying your apps, it is not enough to add the keycloak core >>> dependency to access the keycloak principal, you also need to add all >>> possible dependency the keycloak lib is relying onto. >>> >>> Basically on latest version of keycloak, I added almost everything that >>> comes in the adapter zip to my project/api dependency for runtime. >>> No idea how it was dealt with in previous version. Only dealt with >>> keycloak 1.6 and 1.7. >>> >>> Since you had to provide some lib to your server (mine was tomcat 7) to >>> dealt with the keycloak implantation to secure my app, as soon as I needed >>> to acces keycloak token from my app code, I was required to add the libs >>> the adapter for tomcat 7 is providing. >>> >>> Regards, >>> >>> Johan Bos >>> >>> Le 17/12/2015 10:39, Pavel Maslov a ?crit : >>> >>> Guys, I am repeating my question here. Any ideas on this? >>> >>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get >>>> the token: >>>> >>>> >>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) >>>> srvl.getUserPrincipal(); >>>> String token = >>>> kcPrincipal.getKeycloakSecurityContext().getTokenString(); >>>> >>>> but cannot deploy the project to the Wildfly server: >>>> >>>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC >>>> service thread 1-2) Deploying javax.ws.rs.core.Application: class >>>> si.liis.apitime.service.ApiTimeApplication >>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread >>>> 1-2) MSC000001: Failed to start service >>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: >>>> org.jboss.msc.service.StartException in service >>>> jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed >>>> to start service >>>> at >>>> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) >>>> [jboss-msc-1.2.2.Final.jar:1.2.2.Final] >>>> at >>>> 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >>>> [rt.jar:1.7.0_85] >>>> at >>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >>>> [rt.jar:1.7.0_85] >>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85] >>>> Caused by: java.lang.NoClassDefFoundError: >>>> com/google/zxing/WriterException >>>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85] >>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625) >>>> [rt.jar:1.7.0_85] >>>> at java.lang.Class.privateGetPublicMethods(Class.java:2743) >>>> [rt.jar:1.7.0_85] >>>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85] >>>> at >>>> org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747) >>>> at >>>> org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700) >>>> at >>>> org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.(POJOResourceFactory.java:29) >>>> at >>>> org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75) >>>> at >>>> org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400) >>>> at >>>> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241) >>>> at >>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112) >>>> at >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >>>> at >>>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >>>> at >>>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79) >>>> at >>>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >>>> at >>>> 
>>>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>>> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>>> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>> ... 3 more
>>>>
>>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed - address: ([("deployment" => "apitime-rest.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with the following failure message: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>>>>
>>>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>>> Any solution?
>>>> Thanks.
>>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>> On Wed, Dec 16, 2015 at 10:51 PM, Johan B. wrote:
>>>
>>>> You answered it. I was not familiar with the whole setting list. My question was: does something in the UI make the setting change or is it a manual setup?
>>>> I think you are saying it is only manual and it is fine.
>>>> It would probably be best for a future version to have all these extra adapter settings available from the admin UI so people have the switch/checkbox or input form to make direct application changes to the JSON.
>>>> Moreover, since you have a download installation button and a JSON setting viewer.
>>>>
>>>> On Wednesday 16 December 2015, Johan Bos <johan.bos at c6.eu> wrote:
>>>>
>>>>> oh when you said:
>>>>>
>>>>> use-resource-role-mappings
>>>>>
>>>>> it is only available through the keycloak.json
>>>>>
>>>>> Nothing from Keycloak Admin UI allows you to set the options, so have the installation file ready with everything?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> On 16/12/2015 16:33, Johan Bos wrote:
>>>>>
>>>>> So it is one or the other.
>>>>> The switch is at realm level or per client?
>>>>>
>>>>> As I tend to make realm roles for securing the clients only and client/resource roles for internal client management, I should be fine.
>>>>>
>>>>> Still, it would help to have some merging/mapping so from the client we don't have to rely so much on the Keycloak implementation to test roles...
>>>>> The issue is that a realm role can have the same name as a client role. But there is always some pitfall to avoid.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> On 16/12/2015 15:45, Bill Burke wrote:
>>>>>
>>>>> See use-resource-role-mappings switch:
>>>>>
>>>>> If set to true, the getResourceAccess("resource-name") roles will be mapped into isUserInRole, otherwise getRealmAccess is mapped into isUserInRole
>>>>>
>>>>> Not the best I know. We've been meaning to add some sort of role mapping facility to the adapter.
>>>>>
>>>>> On 12/16/2015 9:17 AM, Johan Bos wrote:
>>>>>
>>>>> Why is HttpRequest.isUserInRole() not capable of returning true when the role is present in AccessToken.getRealmAccess?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johan Bos
>>>>>
>>>>> On 16/12/2015 15:09, Bill Burke wrote:
>>>>>
>>>>> AccessToken.getResourceAccess or AccessToken.getRealmAccess
>>>>>
>>>>> On 12/16/2015 4:51 AM, Tim Dudgeon wrote:
>>>>>
>>>>> It's not clear to me how you get the assigned roles from the AccessToken.
>>>>> For instance, if the realm has configured the user to have roles "user" and "editor", how do I find these in the AccessToken?
>>>>>
>>>>> Tim
>>>>>
>>>>> On 07/12/2015 02:53, Bill Burke wrote:
>>>>>
>>>>> For Java HttpServletRequest.isUserInRole() works. If you typecast the principal to KeycloakPrincipal you can obtain the AccessToken.
>>>>>
>>>>> On 12/6/2015 5:39 PM, Pavel Maslov wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> Do Keycloak adapters support user authorization? I mean, of course they do :) For example, the API I have secured with Keycloak receives a Keycloak access token from the client. How can I validate the token (check user roles) in my code? I am interested in the Java (wildfly) and Javascript adapters.
>>>>>
>>>>> Manually I am using jwt.io to check the token. I am just curious if the Keycloak adapters support something similar out of the box.
>>>>>
>>>>> Thank you for your answers.
>>>>>
>>>>> Regards,
>>>>> Pavel Maslov, MS

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Dec 17 06:02:15 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 12:02:15 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>

The class it's complaining about above is only used by QRCodeResource, which is part of the Keycloak server.
This means you are including Keycloak server side dependencies into your WAR.

On 17 December 2015 at 11:49, Pavel Maslov wrote:

> I added these two lines to a working REST service which is already secured with Keycloak. The only thing is that I am checking user's roles using *annotations*. What I want to do now is handle this manually (by creating a test servlet that will pull user's roles out of the token).
>
> From the log I can see that it's missing com/google/zxing:
>
>> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"
>
> I have no idea what it means.
>
> Regards,
> Pavel Maslov, MS
>
> On Thu, Dec 17, 2015 at 11:33 AM, Stian Thorgersen wrote:
>
>> If you are using WildFly you should install the client adapter subsystem (see the docs for instructions). That way you don't have to add any dependencies into your WAR.
>>
>> On 17 December 2015 at 11:01, Pavel Maslov wrote:
>>
>>> Hi Johan,
>>>
>>>> You don't get these errors if you remove the 2 code lines?
>>>
>>> Exactly. However, once I include these 2 lines, I cannot deploy the war file to the Wildfly server.
>>>
>>> I have to point out that there are no errors during build/packaging.
>>>
>>> Regards,
>>> Pavel Maslov, MS
>>>
>>> On Thu, Dec 17, 2015 at 10:56 AM, Johan Bos wrote:
>>>
>>>> You don't get these errors if you remove the 2 code lines?
>>>> When deploying your apps, it is not enough to add the keycloak core dependency to access the keycloak principal, you also need to add all possible dependencies the keycloak lib is relying on.
>>>>
>>>> Basically on the latest version of keycloak, I added almost everything that comes in the adapter zip to my project/api dependency for runtime.
>>>> No idea how it was dealt with in previous versions. Only dealt with keycloak 1.6 and 1.7.
>>>>
>>>> Since you had to provide some libs to your server (mine was tomcat 7) to deal with the keycloak implementation to secure my app, as soon as I needed to access the keycloak token from my app code, I was required to add the libs the adapter for tomcat 7 is providing.
>>>>
>>>> Regards,
>>>>
>>>> Johan Bos
>>>>
>>>> On 17/12/2015 10:39, Pavel Maslov wrote:
>>>>
>>>> Guys, I am repeating my question here. Any ideas on this?
>>>>
>>>>> I added the *org.keycloak.KeycloakPrincipal* definition in order to get the token:
>>>>>
>>>>> KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) srvl.getUserPrincipal();
>>>>> String token = kcPrincipal.getKeycloakSecurityContext().getTokenString();
>>>>>
>>>>> but cannot deploy the project to the Wildfly server:
>>>>>
>>>>> 10:23:31,250 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (MSC service thread 1-2) Deploying javax.ws.rs.core.Application: class si.liis.apitime.service.ApiTimeApplication
>>>>> 10:23:31,282 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./apitime-rest: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>>> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_85]
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_85]
>>>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
>>>>> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException
>>>>> at java.lang.Class.getDeclaredMethods0(Native Method) [rt.jar:1.7.0_85]
>>>>> at java.lang.Class.privateGetDeclaredMethods(Class.java:2625) [rt.jar:1.7.0_85]
>>>>> at java.lang.Class.privateGetPublicMethods(Class.java:2743) [rt.jar:1.7.0_85]
>>>>> at java.lang.Class.getMethods(Class.java:1480) [rt.jar:1.7.0_85]
>>>>> at org.jboss.resteasy.spi.metadata.ResourceBuilder.fromAnnotations(ResourceBuilder.java:747)
>>>>> at org.jboss.resteasy.spi.metadata.ResourceBuilder.rootResourceFromAnnotations(ResourceBuilder.java:700)
>>>>> at org.jboss.resteasy.plugins.server.resourcefactory.POJOResourceFactory.(POJOResourceFactory.java:29)
>>>>> at org.jboss.resteasy.core.ResourceMethodRegistry.addPerRequestResource(ResourceMethodRegistry.java:75)
>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.registration(ResteasyDeployment.java:400)
>>>>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:241)
>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>>>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:79)
>>>>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>>>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:220)
>>>>> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:125)
>>>>> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:508)
>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:88)
>>>>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
>>>>> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>>> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
>>>>> ... 3 more
>>>>>
>>>>> 10:23:31,285 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("redeploy") failed - address: ([("deployment" => "apitime-rest.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>>> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>>>>> 10:23:31,285 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015860: Redeploy of deployment "apitime-rest.war" was rolled back with the following failure message: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./apitime-rest" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./apitime-rest: Failed to start service
>>>>> Caused by: java.lang.NoClassDefFoundError: com/google/zxing/WriterException"}}
>>>>>
>>>>> I am using Wildfly 8.2.0 with Keycloak adapter 1.3.1.
>>>>> Any solution?
>>>>> Thanks.
>>>>>
>>>> Regards,
>>>> Pavel Maslov, MS

From sthorger at redhat.com Thu Dec 17 06:05:08 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 12:05:08 +0100
Subject: [keycloak-user] Keycloak Server -swarm.jar

Isn't including Keycloak server in the microservice incompatible with the whole idea of microservices in the first place? We recommend that people run a dedicated Keycloak server rather than embedding Keycloak server into their applications.
On 10 December 2015 at 21:22, Bob McWhirter wrote:

> For those of you not familiar with WildFly Swarm, it's a project that intends to support microservices by taking your application components, along with just-enough WildFly, and bundling them all into a standalone uberjar.
>
> Keycloak counts as "part of WildFly" since it's implemented mostly as a WildFly subsystem.
>
> Therefore, WildFly Swarm now supports adding Keycloak Server to your microservice (we've supported the client-adapter for a while now, already).
>
> To that end, we are also producing a handy, all-in-one uberjar for Keycloak Server.
>
> http://repository-projectodd.forge.cloudbees.com/snapshot/org/wildfly/swarm/keycloak-server-service/1.0.0.Alpha6-SNAPSHOT/keycloak-server-service-1.0.0.Alpha6-20151210.185045-1-swarm.jar
>
> Just download that .jar, and `java -jar` it and visit http://localhost:8080/auth/
>
> It still uses the H2 database, and by default creates or uses a database located at $PWD/keycloak.db, but you can also use the -Dwildfly.swarm.keycloak.server.db=/path/to/keycloakdatabase property to change that.
>
> Please feel free to give it a test, and for more information about WildFly Swarm, we hang out in #wildfly-swarm on FreeNode IRC.
>
> Thanks!
>
> -Bob

From jean.merelis at gmail.com Thu Dec 17 06:06:52 2015
From: jean.merelis at gmail.com (Jeandeson O. Merelis)
Date: Thu, 17 Dec 2015 09:06:52 -0200
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?
Apparently all properties files in
https://github.com/keycloak/keycloak/tree/master/forms/common-themes

https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/account/messages/*.properties
https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/admin/messages/*.properties
https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/login/messages/*.properties

On 2015-12-17 8:35 GMT-02:00, Stian Thorgersen wrote:

> Property files, including messages, should all be in ISO-8859-1. Which files are encoded as UTF-8?
>
> On 12 December 2015 at 16:00, Jeandeson O. Merelis wrote:
>
>> Why the encoding of Java properties files have been converted to UTF-8?
>>
>> We had decided that the default Java properties files would be ISO-8859-1
>>
>> --
>> Jeandeson O. Merelis

--
Jeandeson O. Merelis

From mstrukel at redhat.com Thu Dec 17 06:13:19 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 17 Dec 2015 12:13:19 +0100
Subject: [keycloak-user] [Authorization] Get user roles from token
References: <5664F4BD.4000309@redhat.com> <56713416.4090003@gmail.com> <56717080.4040206@redhat.com> <56717276.3020604@c6.eu> <56717925.1060406@redhat.com> <5671843A.7010006@c6.eu> <5671870C.8040405@c6.eu> <567286CE.2080002@c6.eu>

This class is not made available to application .wars.
It's only used by keycloak-server.war, and only available to it. It's apparently required during annotation processing - meaning that the annotation requiring it isn't supposed to be used from an application .war.

The way to normally treat this kind of exception is to add WEB-INF/jboss-deployment-structure.xml to your .war, and in it declare a dependency on the module - like this:

The modules live under KEYCLOAK_HOME/modules.

Possibly you may make a case for why this class should be automatically available to every Keycloak protected application. However, your problem here may be that you're trying to do something that's not meant to be done this way, and so this may not be the solution you need.

From sthorger at redhat.com Thu Dec 17 08:05:36 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 14:05:36 +0100
Subject: [keycloak-user] Different theme for each client

Having different clients login to the same SSO realm with different branded login pages just doesn't make sense.
If we add the concept of a SSO domain/zone or something within a realm,
where a group of clients have separate themes and SSO session, that would
make sense.

On 15 December 2015 at 12:14, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:

> +1 for this feature.
>
> On Tue, Dec 15, 2015 at 4:39 PM, Helder dos S. Alves <helder.jaspion at gmail.com> wrote:
>
>> Hi.
>>
>> I need to have a different theme for each of the clients of a realm.
>> If a user came from one client, I have to show a keycloak page with the
>> logo and skin of that client.
>> Is it possible with Keycloak? How?
>>
>> Thanks in advance.
>>
>> Helder S. Alves

From sthorger at redhat.com Thu Dec 17 08:07:42 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 14:07:42 +0100
Subject: [keycloak-user] Automated testing for keycloak secured applications
In-Reply-To:
References: <5670393A.2010605@redhat.com>
Message-ID:

Personally I'd go for using a full Keycloak server. Arquillian can
start/stop it alongside your WildFly container (if that's what you're
deploying your apps to). Or you can also use MVN to unzip and start a KC
server.

On 15 December 2015 at 17:25, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:

> Thanks Bob, that might be the way to go.
>
> Will definitely try it.
>
> On Tue, Dec 15, 2015 at 6:15 PM, Bob McWhirter wrote:
>
>> Let me suggest the WildFly Swarm Keycloak Server.
>>
>> We use it in testing secured Swarm apps.
>>
>> It's an executable .jar with maven coordinates, and can be executed with
>> the maven-exec-plugin in your pre-integration-test phase, or you can use
>> the wildfly-swarm-plugin to start/stop it.
>>
>> See here for an example:
>>
>> https://github.com/wildfly-swarm/wildfly-swarm-examples/blob/master/ribbon-secured/test/pom.xml#L117-L140
>>
>> We'll document this better shortly.
>>
>> -Bob
>>
>> On Tue, Dec 15, 2015 at 11:11 AM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>
>>> I see.
>>>
>>> So, I'll need to have a separate working keycloak server available for
>>> testing. No workarounds. Did I get this right?
>>>
>>> On Tue, Dec 15, 2015 at 6:00 PM, Bill Burke wrote:
>>>
>>>> On 12/15/2015 10:54 AM, Orestis Tsakiridis wrote:
>>>>> Hello,
>>>>>
>>>>> I try to build automated tests for a keycloak secured REST application.
>>>>> I plan to use arquillian as a test platform.
>>>>>
>>>>> Do I need to have a working keycloak server to be used in the tests?
>>>>> Or is it possible to embed keycloak in the temporary deployment created
>>>>> by arquillian?
>>>>
>>>> That's a real good point. Not sure how we are tackling this.
>>>>
>>>>> Btw, my endpoints don't use web.xml based security rules. I instead use
>>>>> RSATokenVerifier.verifyToken() to manually verify the token.
>>>>>
>>>>> Thus, I suppose that being able to manually create auth tokens from my
>>>>> test cases (and not relying on a keycloak server) would also work.
>>>>
>>>> FYI, Keycloak client adapters do have filter implementations now that
>>>> you can use.
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com

From sthorger at redhat.com Thu Dec 17 08:18:02 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 14:18:02 +0100
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?
In-Reply-To:
References:
Message-ID:

Can you give me a specific example? All the files as I can see are ISO
encoded. For example:

https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/account/messages/messages_de.properties#L58

On 17 December 2015 at 12:06, Jeandeson O. Merelis wrote:

> Apparently all properties files in
> https://github.com/keycloak/keycloak/tree/master/forms/common-themes
>
> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/account/messages/*.properties
>
> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/admin/messages/*.properties
>
> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/login/messages/*.properties
>
> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/admin/messages/*.properties
>
> 2015-12-17 8:35 GMT-02:00 Stian Thorgersen:
>
>> Property files, including messages, should all be in ISO-8859-1. Which
>> files are encoded as UTF-8?
>>
>> On 12 December 2015 at 16:00, Jeandeson O. Merelis <jean.merelis at gmail.com> wrote:
>>
>>> Why the encoding of Java properties files have been converted to UTF-8?
>>>
>>> We had decided that the default Java properties files would be
>>> ISO-8859-1
>>>
>>> --
>>> Jeandeson O. Merelis
>
> --
> Jeandeson O. Merelis

From erik.mulder at docdatapayments.com Thu Dec 17 08:44:51 2015
From: erik.mulder at docdatapayments.com (Erik Mulder)
Date: Thu, 17 Dec 2015 14:44:51 +0100
Subject: [keycloak-user] Get the user of the current request from the KeycloakSession?
References: <9A5619B792BBA041AE094585791BB71C0137B668B0D2@DDPEX01.DDP.dcloud.local> <56717AAE.5020400@redhat.com> <9A5619B792BBA041AE094585791BB71C0137B668B0D3@DDPEX01.DDP.dcloud.local> <9A5619B792BBA041AE094585791BB71C0137B668B0D4@DDPEX01.DDP.dcloud.local>
Message-ID: <9A5619B792BBA041AE094585791BB71C0137B668B0D5@DDPEX01.DDP.dcloud.local>

> There's no way to get the user from the KeycloakContext.

Thanks for your clear answer. Digging through the sources I gradually
concluded something along those lines.

The way I will solve this is to add the AdminAuth object to the
RealmAdminResourceProviderFactory.create() (the admin REST service
extension). The AdminAuth already contains all relevant data (realm, token,
user, client) and is available at the point where my custom REST service is
called. I'll make a PR of this later for anyone to be able to extend the
Keycloak REST services.

On 17/12/15 11:40, Stian Thorgersen wrote:

> There's no way to get the user from the KeycloakContext. Some endpoints
> rely on bearer token for authentication (admin endpoints), some on the
> server-side cookie (account) and others use a special code in the query
> params (authentication flows).
>
> Assuming you are creating a REST endpoint that requires authentication
> using a bearer token you need to manually extract and verify the token.
> This is how the admin endpoints do it:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L139
>
> On 17 December 2015 at 10:06, Erik Mulder wrote:
>
>> Thanks Fabricio, that sounds like the sort of thing I'm looking for, but I
>> have nothing else in scope than the KeycloakSession object.
>>
>> @Bill: My question is independent from the changes of Pedro.
>>
>> So let's try it once more: how can I get the User(Model) of the
>> authenticated user of the current request, if I just have a reference to
>> the KeycloakSession? It seems to me that this should be possible, but there
>> seems to be no way to do it. Maybe there should be a getUser() added on the
>> KeycloakContext?
>>
>> On 16/12/15 22:40, Fabricio Milone wrote:
>>
>>> Hi Erik,
>>>
>>> I did something similar but in my case I have the username as a form
>>> attribute in the request, so if it is possible in your scenario to get the
>>> username as a string, this is one possible solution:
>>>
>>> UserModel user = session.users().getUserByUsername(username,
>>> session.realms().getRealmByName(realm.getName()));
>>>
>>> Not 100% sure if that's what you need, I hope it is :)
>>>
>>> Regards,
>>> Fab
>>>
>>> On 17 December 2015 at 02:34, Erik Mulder <erik.mulder at docdatapayments.com> wrote:
>>>
>>>> Thanks, but I'm not sure I understand you correctly. Let me clarify:
>>>>
>>>> - I'm extending the Keycloak REST webservices with some custom resources,
>>>>   for instance: http://127.0.0.1:8080/auth/realms//docdata/ (a piece of
>>>>   code from Pedro made this possible)
>>>> - I'm implementing an SPI (also from Pedro's change) that gets a
>>>>   KeycloakSession object to 'work with'.
>>>> - I do authenticate on the keycloak server using a token (OpenID Connect)
>>>>   that I got from a previous successful login.
>>>> - Somewhere in the Keycloak internals this token is validated and a
>>>>   User(Model/Session) is found that corresponds to this token.
>>>> - : This User is saved somewhere in the session context
>>>>
>>>> Now, my question is: How can I get hold of this User(Model/Session), given
>>>> that I have just a KeycloakSession object?
>>>>
>>>> Through debugging I see that session.sessions() has a UserSessionEntity
>>>> for my current request, but since there might be more at the same time,
>>>> how can I relate my current request to the one User that is associated
>>>> with it?
>>>>
>>>> On 16/12/15 15:52, Bill Burke wrote:
>>>>> On 12/16/2015 9:37 AM, Erik Mulder wrote:
>>>>>> Seems like a simple scenario, but I can't figure it out: I have an
>>>>>> instance of the KeycloakSession and I want to get the UserModel for the
>>>>>> current request. Is this possible?
>>>>>>
>>>>>> Context: I'm creating a custom REST service that runs inside keycloak
>>>>>> and needs to get some data that is related to the current authenticated
>>>>>> user.
>>>>>> For instance the realm and client I can get through the
>>>>>> session.getContext().getClient/Realm(). I would expect a getUser() there
>>>>>> too, but I can't find it anywhere 'in' the session.
>>>>>>
>>>>>> If this isn't possible, shouldn't it be? Or if not, why not?
>>>>>
>>>>> I'm assuming this REST request is from a browser Javascript client?
>>>>> Login sessions are maintained only through a cookie. You'd have to
>>>>> login through the browser first, then read the cookie.
>>>>>
>>>>> BTW, cookies are a really bad way of securing a REST interface. Your
>>>>> REST interface becomes vulnerable to CSRF attacks. I suggest you use a
>>>>> token to secure your REST interface. If you are already using
>>>>> keycloak.js to login in, you can obtain the token from the Keycloak
>>>>> javascript interface and use that to invoke your service.

From prabhalar at yahoo.com Thu Dec 17 08:44:59 2015
From: prabhalar at yahoo.com (Raghuram Prabhala)
Date: Thu, 17 Dec 2015 13:44:59 +0000 (UTC)
Subject: [keycloak-user] Different theme for each client
In-Reply-To:
References:
Message-ID: <1814471454.94879.1450359899474.JavaMail.yahoo@mail.yahoo.com>

Stian - Even we have a similar requirement of having different themes, but
for different divisions within the firm. Some of them have additional
functionality of changing even the password. Can you suggest some way of
achieving the above functionality considering that all the other
functionality is the same for all divisions?

Thanks,
Raghu

From: Stian Thorgersen
To: Revanth Ayalasomayajula
Cc: keycloak-user
Sent: Thursday, December 17, 2015 8:05 AM
Subject: Re: [keycloak-user] Different theme for each client

> Having different clients login to the same SSO realm with different
> branded login pages just doesn't make sense. If we add the concept of a
> SSO domain/zone or something within a realm, where a group of clients
> have separate themes and SSO session, that would make sense.

From bbazian at mbopartners.com Thu Dec 17 09:06:25 2015
From: bbazian at mbopartners.com (Ben Bazian)
Date: Thu, 17 Dec 2015 14:06:25 +0000
Subject: [keycloak-user] Active Directory "User must change Password on next logon"
Message-ID: <860E8DAFFC76794694CFF405F8A1E71F027F27DB@416429-EXCH1.mbopartners.com>

I was doing some testing and noticed that if this flag is set a user cannot
authenticate? Is there a way to have Keycloak trigger the password change
dialog?
From bmcwhirt at redhat.com Thu Dec 17 09:16:29 2015
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Thu, 17 Dec 2015 09:16:29 -0500
Subject: [keycloak-user] Keycloak Server -swarm.jar
In-Reply-To:
References:
Message-ID:

Sure, I agree, and that's probably the way to do it.

But having an easy-to-download (via Maven Coordinates) and run (java -jar
keycloak-swarm.jar) version is also useful in many cases, such as Swarm's
own testing. I think Hawkular has even started using the keycloak-swarm.jar
for their bits, instead of embedding into Hawkular server.

-Bob

On Thu, Dec 17, 2015 at 6:05 AM, Stian Thorgersen wrote:

> Isn't including Keycloak server in the microservice incompatible with the
> whole idea of microservices in the first place?
>
> We recommend that people run a dedicated Keycloak server rather than
> embedding Keycloak server into their applications.
>
> On 10 December 2015 at 21:22, Bob McWhirter wrote:
>
>> For those of you not familiar with WildFly Swarm, it's a project that
>> intends to support microservices by taking your application components,
>> along with just-enough WildFly, and bundling them all into a standalone
>> uberjar.
>>
>> Keycloak counts as "part of WildFly" since it's implemented mostly as a
>> WildFly subsystem.
>>
>> Therefore, WildFly Swarm now supports adding Keycloak Server to your
>> microservice (we've supported the client-adapter for a while now, already).
>>
>> To that end, we are also producing a handy, all-in-one uberjar for
>> Keycloak Server.
>>
>> http://repository-projectodd.forge.cloudbees.com/snapshot/org/wildfly/swarm/keycloak-server-service/1.0.0.Alpha6-SNAPSHOT/keycloak-server-service-1.0.0.Alpha6-20151210.185045-1-swarm.jar
>>
>> Just download that .jar, and `java -jar` it and visit
>> http://localhost:8080/auth/
>>
>> It still uses the H2 database, and by default creates or uses a database
>> located at $PWD/keycloak.db, but you can also use the
>> -Dwildfly.swarm.keycloak.server.db=/path/to/keycloakdatabase property to
>> change that.
>>
>> Please feel free to give it a test, and for more information about
>> WildFly Swarm, we hang out in #wildfly-swarm on FreeNode IRC.
>>
>> Thanks!
>>
>> -Bob

From jean.merelis at gmail.com Thu Dec 17 09:20:45 2015
From: jean.merelis at gmail.com (Jeandeson O. Merelis)
Date: Thu, 17 Dec 2015 12:20:45 -0200
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?
In-Reply-To:
References:
Message-ID:

Is your repository updated?
I just cloned keycloak again and the files are UTF-8.

2015-12-17 11:18 GMT-02:00 Stian Thorgersen:

> Can you give me a specific example? All the files as I can see are ISO
> encoded. For example:
>
> https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/account/messages/messages_de.properties#L58
>
> On 17 December 2015 at 12:06, Jeandeson O. Merelis <jean.merelis at gmail.com> wrote:
>
>> Apparently all properties files in
>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes

--
Jeandeson O. Merelis
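Whether a messages_*.properties file is "ISO-8859-1" or "UTF-8" can only be settled from its bytes, which is the point of contention in this thread. The checker below is an added illustration (not part of the thread and not Keycloak code): it classifies a file by how it stores non-ASCII characters, mimics what java.util.Properties.load does (read bytes as ISO-8859-1, then expand \uXXXX escapes) without calling Java, and normalises a raw-UTF-8 file back to the escaped form. The two sample files are constructed here; the key names follow Keycloak's message bundles, the values are made up.

```python
import re

# Constructed sample in the form the thread expects for the theme message
# bundles: pure 7-bit ASCII, non-ASCII characters written as \uXXXX escapes.
ISO_STYLE = (
    b"doSave=Speichern\n"
    b"# Umlaut written as a Unicode escape, so the file stays 7-bit ASCII\n"
    b"invalidPasswordMinLengthMessage=Ung\\u00FCltiges Passwort\n"
)

# Constructed sample of the "converted to UTF-8" variant: same text, but the
# umlaut is stored as the raw UTF-8 byte sequence C3 BC.
UTF8_STYLE = (
    "doSave=Speichern\n"
    "# Umlaut stored as raw UTF-8 bytes\n"
    "invalidPasswordMinLengthMessage=Ung\u00fcltiges Passwort\n"
).encode("utf-8")

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def classify(data: bytes) -> str:
    """Report how a properties file stores its non-ASCII characters.

    'ascii'   : every byte is 7-bit, so non-ASCII text can only be present
                as \\uXXXX escapes; this is what "ISO encoded" means in the
                thread, and such a file reads identically as ISO-8859-1 or
                UTF-8, which is why an IDE cannot tell them apart.
    'utf-8'   : bytes >= 0x80 are present and form valid UTF-8.
    'latin-1' : bytes >= 0x80 are present and are not valid UTF-8.
    """
    if all(b < 0x80 for b in data):
        return "ascii"
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "latin-1"


def decodes_identically(data: bytes) -> bool:
    """True when decoding as UTF-8 and as ISO-8859-1 yields the same text,
    i.e. nothing in the file content itself determines the 'encoding'."""
    try:
        return data.decode("utf-8") == data.decode("iso-8859-1")
    except UnicodeDecodeError:
        return False


def load_properties(data: bytes) -> dict:
    """Subset of java.util.Properties.load(InputStream): the bytes are read as
    ISO-8859-1 and \\uXXXX escapes are expanded afterwards (other escapes and
    line continuations are ignored here). Raw UTF-8 bytes therefore come out
    as mojibake: C3 BC becomes the two characters 'Ã¼'."""
    props = {}
    for raw in data.decode("iso-8859-1").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match is None:
            continue
        key, value = match.group(1), match.group(2)
        props[key] = _UNICODE_ESCAPE.sub(
            lambda esc: chr(int(esc.group(1), 16)), value)
    return props


def to_ascii_escaped(data: bytes, source_encoding: str = "utf-8") -> bytes:
    """Normalise a file back to the 7-bit form (what native2ascii produces):
    decode it as its real encoding, then write every non-ASCII character as
    \\uXXXX, using a surrogate pair above U+FFFF. Existing escapes are ASCII
    and pass through unchanged."""
    out = []
    for ch in data.decode(source_encoding):
        cp = ord(ch)
        if cp < 0x80:
            out.append(ch)
        elif cp <= 0xFFFF:
            out.append("\\u%04X" % cp)
        else:
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out).encode("ascii")


if __name__ == "__main__":
    for name, data in (("escaped", ISO_STYLE), ("raw utf-8", UTF8_STYLE)):
        print(name, classify(data), decodes_identically(data),
              load_properties(data)["invalidPasswordMinLengthMessage"])
    fixed = to_ascii_escaped(UTF8_STYLE)
    print("normalised", classify(fixed),
          load_properties(fixed)["invalidPasswordMinLengthMessage"])
```

Running it shows the escaped file and the raw UTF-8 file giving different strings once loaded the way Java loads them, and the normalised file matching the escaped one again.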
From sthorger at redhat.com Thu Dec 17 09:28:35 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 15:28:35 +0100
Subject: [keycloak-user] Different theme for each client
In-Reply-To: <1814471454.94879.1450359899474.JavaMail.yahoo@mail.yahoo.com>
References: <1814471454.94879.1450359899474.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

On 17 December 2015 at 14:44, Raghuram Prabhala wrote:

> Stian - Even we have a similar requirement of having different themes, but
> for different divisions within the firm. Some of them have additional
> functionality of changing even the password. Can you suggest some way of
> achieving the above functionality considering that all the other
> functionality is the same for all divisions?

Not actually sure what you mean here. It just doesn't make sense to show a
user two login pages that look different (and possibly have different things
enabled/disabled) if they use the same realm and SSO session.

> Thanks,
> Raghu

From sthorger at redhat.com Thu Dec 17 09:32:35 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 15:32:35 +0100
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?
In-Reply-To:
References:
Message-ID:

Look at the link I pasted that's in master - \u00FC clearly shows it's
using ISO encoding

On 17 December 2015 at 15:20, Jeandeson O. Merelis wrote:

> Is your repository updated?
> I just cloned keycloak again and the files are UTF-8.
>
> 2015-12-17 11:18 GMT-02:00 Stian Thorgersen:
>
>> Can you give me a specific example? All the files as I can see are ISO
>> encoded. For example:
>>
>> https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/account/messages/messages_de.properties#L58

From jean.merelis at gmail.com Thu Dec 17 10:29:13 2015
From: jean.merelis at gmail.com (Jeandeson O. Merelis)
Date: Thu, 17 Dec 2015 13:29:13 -0200
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?
In-Reply-To:
References:
Message-ID:

Yep.
But the file isn't realy ISO encoding. For instance, open that file with your Intelj and check the encoding 2015-12-17 12:32 GMT-02:00 Stian Thorgersen : > Look at the link I pasted that's in master - \u00FC clearly shows it's > using ISO encoding > > On 17 December 2015 at 15:20, Jeandeson O. Merelis > wrote: > >> Is your repository updated? >> I just new clone the keycloak again and the files are as UTF-8 >> >> 2015-12-17 11:18 GMT-02:00 Stian Thorgersen : >> >>> Can you give me a specific example? All the files as I can see are ISO >>> encoded. For example: >>> >>> https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/account/messages/messages_de.properties#L58 >>> >>> On 17 December 2015 at 12:06, Jeandeson O. Merelis < >>> jean.merelis at gmail.com> wrote: >>> >>>> Apparently all properties files in >>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes >>>> >>>> >>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/account/messages/*.properties >>>> >>>> >>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/admin/messages/*.properties >>>> >>>> >>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/login/messages/*.properties >>>> >>>> >>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/admin/messages/*.properties >>>> >>>> 2015-12-17 8:35 GMT-02:00 Stian Thorgersen : >>>> >>>>> Property files, including messages, should all be in ISO-8859-1. >>>>> Which files are encoded as UTF-8? >>>>> >>>>> On 12 December 2015 at 16:00, Jeandeson O. Merelis < >>>>> jean.merelis at gmail.com> wrote: >>>>> >>>>>> Why the encoding of Java properties files have been converted to >>>>>> UTF-8? 
>>>>>> >>>>>> We had decided that the default Java properties files would be >>>>>> ISO-8859-1 >>>>>> >>>>>> >>>>>> -- >>>>>> Jeandeson O. Merelis >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Jeandeson O. Merelis >>>> >>> >>> >> >> >> -- >> Jeandeson O. Merelis >> > > -- Jeandeson O. Merelis -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151217/57289bd1/attachment-0001.html From sthorger at redhat.com Thu Dec 17 10:37:21 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 17 Dec 2015 16:37:21 +0100 Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8? In-Reply-To: References: Message-ID: IntelliJ displays the configuration you've configured for a properties file, not the encoding of the actual file. There are no special headers or anything for a properties file that sets the encoding of the file it's just a matter of how special characters are encoded. If you look at the example I pointed you to you can see it's clearly using ISO.. encoding and not UTF-8. On 17 December 2015 at 16:29, Jeandeson O. Merelis wrote: > Yep. But the file isn't realy ISO encoding. > For instance, open that file with your Intelj and check the encoding > > 2015-12-17 12:32 GMT-02:00 Stian Thorgersen : > >> Look at the link I pasted that's in master - \u00FC clearly shows it's >> using ISO encoding >> >> On 17 December 2015 at 15:20, Jeandeson O. Merelis < >> jean.merelis at gmail.com> wrote: >> >>> Is your repository updated? >>> I just new clone the keycloak again and the files are as UTF-8 >>> >>> 2015-12-17 11:18 GMT-02:00 Stian Thorgersen : >>> >>>> Can you give me a specific example? All the files as I can see are ISO >>>> encoded. 
For example: >>>> >>>> https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/account/messages/messages_de.properties#L58 >>>> >>>> On 17 December 2015 at 12:06, Jeandeson O. Merelis < >>>> jean.merelis at gmail.com> wrote: >>>> >>>>> Apparently all properties files in >>>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes >>>>> >>>>> >>>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/account/messages/*.properties >>>>> >>>>> >>>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/admin/messages/*.properties >>>>> >>>>> >>>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/login/messages/*.properties >>>>> >>>>> >>>>> https://github.com/keycloak/keycloak/tree/master/forms/common-themes/src/main/resources/theme/base/admin/messages/*.properties >>>>> >>>>> 2015-12-17 8:35 GMT-02:00 Stian Thorgersen : >>>>> >>>>>> Property files, including messages, should all be in ISO-8859-1. >>>>>> Which files are encoded as UTF-8? >>>>>> >>>>>> On 12 December 2015 at 16:00, Jeandeson O. Merelis < >>>>>> jean.merelis at gmail.com> wrote: >>>>>> >>>>>>> Why the encoding of Java properties files have been converted to >>>>>>> UTF-8? >>>>>>> >>>>>>> We had decided that the default Java properties files would be >>>>>>> ISO-8859-1 >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Jeandeson O. Merelis >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Jeandeson O. Merelis >>>>> >>>> >>>> >>> >>> >>> -- >>> Jeandeson O. Merelis >>> >> >> > > > -- > Jeandeson O. 
> Merelis

From xied75 at gmail.com Thu Dec 17 10:38:27 2015
From: xied75 at gmail.com (Dong Xie)
Date: Thu, 17 Dec 2015 15:38:27 +0000
Subject: [keycloak-user] out of box experiences and automation
Message-ID: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>

Dear all,

I wonder how I can work around needing to browse to the web page and log in with admin + admin to change the password? We are deploying keycloak in an automated flow, thus no human interaction is expected.

Thanks very much for your help!

Best,

Dong

Sent from Mail for Windows 10

From sthorger at redhat.com Thu Dec 17 10:41:09 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 16:41:09 +0100
Subject: [keycloak-user] out of box experiences and automation
In-Reply-To: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>

From 1.7 you can add an admin user using the add-user script. See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136

On 17 December 2015 at 16:38, Dong Xie wrote:

> Dear all,
>
> I wonder how I can work around needing to browse to the web page and log in with admin + admin to change the password? We are deploying keycloak in an automated flow, thus no human interaction is expected.
>
> Thanks very much for your help!
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10

From xied75 at gmail.com Thu Dec 17 10:49:37 2015
From: xied75 at gmail.com (Dong Xie)
Date: Thu, 17 Dec 2015 15:49:37 +0000
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>
Message-ID: <5672d990.8555c20a.af895.fffffcbd@mx.google.com>

That's exactly what I used, so before I can expose keycloak to the world I need to get into the node, call the script, restart the server, log in with the new admin, and call the REST API to remove the admin. Sounds like a lot of work?

Can we not configure an init access token or something similar to smooth things out, for our poor DevOps life?

Any help would be great!

Best,

Dong

Sent from Mail for Windows 10

From: Stian Thorgersen
Sent: 17 December 2015 15:41
To: Dong Xie
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] out of box experiences and automation

From 1.7 you can add an admin user using the add-user script. See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136

On 17 December 2015 at 16:38, Dong Xie wrote:

Dear all,

I wonder how I can work around needing to browse to the web page and log in with admin + admin to change the password? We are deploying keycloak in an automated flow, thus no human interaction is expected.

Thanks very much for your help!

Best,

Dong
Sent from Mail for Windows 10

From sthorger at redhat.com Thu Dec 17 10:57:56 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 16:57:56 +0100
Subject: [keycloak-user] out of box experiences and automation
In-Reply-To: <5672d990.8555c20a.af895.fffffcbd@mx.google.com>
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com>

You don't need to restart the server, you can call the script before starting the server in the first place.

Why do you need to remove the admin? Do you not need to have at least one admin account on the server?

What do you mean about init access token?

On 17 December 2015 at 16:49, Dong Xie wrote:

> That's exactly what I used, so before I can expose keycloak to the world I need to get into the node, call the script, restart the server, log in with the new admin, and call the REST API to remove the admin. Sounds like a lot of work?
>
> Can we not configure an init access token or something similar to smooth things out, for our poor DevOps life?
>
> Any help would be great!
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10
>
> From: Stian Thorgersen
> Sent: 17 December 2015 15:41
> To: Dong Xie
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] out of box experiences and automation
>
> From 1.7 you can add an admin user using the add-user script. See http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136

From jean.merelis at gmail.com Thu Dec 17 11:03:04 2015
From: jean.merelis at gmail.com (Jeandeson O. Merelis)
Date: Thu, 17 Dec 2015 14:03:04 -0200
Subject: [keycloak-user] Why the encoding of Java properties files have been converted to UTF-8?

You're right. Forgive me for this mess.

2015-12-17 13:37 GMT-02:00 Stian Thorgersen:

> IntelliJ displays the configuration you've configured for a properties file, not the encoding of the actual file. There are no special headers or anything for a properties file that set the encoding of the file; it's just a matter of how special characters are encoded. If you look at the example I pointed you to, you can see it's clearly using ISO.. encoding and not UTF-8.
>
> On 17 December 2015 at 16:29, Jeandeson O. Merelis wrote:
>
>> Yep. But the file isn't really ISO encoding.
>> For instance, open that file with your IntelliJ and check the encoding.

--
Jeandeson O. Merelis

From xied75 at gmail.com Thu Dec 17 11:05:00 2015
From: xied75 at gmail.com (Dong Xie)
Date: Thu, 17 Dec 2015 16:05:00 +0000
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com>
Message-ID: <5672dd2c.89dec20a.7b97c.057c@mx.google.com>

Keycloak is deployed as a docker container into the cloud; once the container starts, the keycloak server starts. I can't stop it being called or call the script before the container starts, unless I bother to make a customised docker image, which is not ideal. Since there is no human action involved, no one will reset the admin password via the browser, unless you mean I can call the REST API to fully set up the admin user. Also, when I add a new user, if I add it into the master realm it will be as powerful as admin, at least that's what I observed? Therefore leaving the admin there is only going to be a security hole, and the best practice is to get rid of it as fast as I can.
Best,

Dong

Sent from Mail for Windows 10

From: Stian Thorgersen
Sent: 17 December 2015 15:57
To: Dong Xie
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] out of box experiences and automation

You don't need to restart the server, you can call the script before starting the server in the first place.

Why do you need to remove the admin? Do you not need to have at least one admin account on the server?

What do you mean about init access token?
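Going back to the properties-file encoding thread above: as Stian says, a .properties file carries no encoding header, so an IDE shows whatever encoding is configured for it while the bytes themselves decide what Java's ISO-8859-1 loader will read. The script below is an added example (not code from the thread, from Keycloak or from any poster) that classifies a file by those bytes; the sample files and their key/value lines are constructed here, and the only tools used are grep, printf and mktemp under LC_ALL=C.

```shell
#!/bin/sh
# Added example: classify a Java .properties file by the bytes it actually holds,
# independent of what an IDE reports as its "encoding". Properties.load(InputStream)
# reads ISO-8859-1, so anything outside Latin-1 has to be written as \uXXXX.

# Lines holding a byte that is neither printable ASCII nor whitespace (in practice,
# bytes above 0x7F). LC_ALL=C makes grep work on raw bytes, so a UTF-8 multibyte
# sequence is seen as two or more such bytes. "|| true" keeps grep's exit 1 on
# "no match" from aborting a caller that runs under set -e; the count is still printed.
high_byte_lines() {
    LC_ALL=C grep -c '[^[:print:][:space:]]' "$1" || true
}

# Lines holding a UTF-8 lead byte (0xC2-0xF4) followed by a continuation byte
# (0x80-0xBF): the pattern a file saved as UTF-8 produces for "ü" (0xC3 0xBC).
utf8_sequence_lines() {
    pattern=$(printf '[\302-\364][\200-\277]')
    LC_ALL=C grep -c "$pattern" "$1" || true
}

# Number of \uXXXX escapes, the form Keycloak's message bundles use (\u00FC in the thread).
unicode_escape_count() {
    grep -o '\\u[0-9a-fA-F]\{4\}' "$1" | wc -l | tr -d ' '
}

# Verdicts:
#   ascii-escaped  only 7-bit bytes, non-ASCII text written as \uXXXX (what the project expects)
#   plain-ascii    only 7-bit bytes and no escapes
#   utf-8-raw      high bytes forming UTF-8 sequences: the file was saved as UTF-8, and
#                  Properties.load() will read "ü" as two Latin-1 characters (mojibake)
#   latin-1-raw    high bytes that are not UTF-8 sequences: most likely raw ISO-8859-1,
#                  which Java reads correctly but editors and diff tools easily mangle
classify_properties_file() {
    if [ "$(high_byte_lines "$1")" -gt 0 ]; then
        if [ "$(utf8_sequence_lines "$1")" -gt 0 ]; then echo utf-8-raw; else echo latin-1-raw; fi
    elif [ "$(unicode_escape_count "$1")" -gt 0 ]; then
        echo ascii-escaped
    else
        echo plain-ascii
    fi
}

# Constructed samples (not Keycloak's real message files) covering the three cases.
make_samples() {
    dir=$(mktemp -d)
    printf 'back=Zur\\u00FCck\n'  > "$dir/escaped.properties"   # \u00FC escape, 7-bit file
    printf 'back=Zur\303\274ck\n' > "$dir/utf8.properties"      # same text saved as UTF-8
    printf 'back=Zur\374ck\n'     > "$dir/latin1.properties"    # raw ISO-8859-1 byte 0xFC
    echo "$dir"
}

# Usage: sh check-properties.sh file.properties ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_properties_file "$f")"
done
```

The ascii-escaped verdict is the state Keycloak's message bundles are in (the \u00FC at messages_de.properties#L58 in the thread); utf-8-raw is the case Jeandeson expected to find, and is the one that turns "ü" into two characters once Properties.load() reads the file. Checking the bytes rather than trusting the editor settles the question for a whole directory at once: sh check-properties.sh theme/base/*/messages/*.properties.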
From pavel.masloff at gmail.com Thu Dec 17 11:20:31 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Thu, 17 Dec 2015 17:20:31 +0100
Subject: [keycloak-user] out of box experiences and automation
In-Reply-To: <5672dd2c.89dec20a.7b97c.057c@mx.google.com>
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com>

Hey Dong,

Take a look at my Docker image [1], particularly at this line:

    RUN /opt/jboss/keycloak/bin/add-user.sh -u admin -p admin

[1] https://github.com/maslick/keycloak-docker

Regards,
Pavel Maslov, MS

On Thu, Dec 17, 2015 at 5:05 PM, Dong Xie wrote:

> Keycloak is deployed as a docker container into the cloud; once the container starts, the keycloak server starts. I can't stop it being called or call the script before the container starts, unless I bother to make a customised docker image, which is not ideal. Since there is no human action involved, no one will reset the admin password via the browser, unless you mean I can call the REST API to fully set up the admin user. Also, when I add a new user, if I add it into the master realm it will be as powerful as admin, at least that's what I observed? Therefore leaving the admin there is only going to be a security hole, and the best practice is to get rid of it as fast as I can.
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10
From sthorger at redhat.com Thu Dec 17 11:43:06 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 17 Dec 2015 17:43:06 +0100
Subject: [keycloak-user] out of box experiences and automation
In-Reply-To: <5672dd2c.89dec20a.7b97c.057c@mx.google.com>
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com>

We will soon remove the built-in admin/admin user account. For the Docker image you will either have to:

1. Pass the admin username and password with environment variables
2. Access via localhost (port forwarding) to create an initial user account

That'll be added in 1.8.

On 17 December 2015 at 17:05, Dong Xie wrote:

> Keycloak is deployed as a docker container into the cloud; once the container starts, the keycloak server starts. I can't stop it being called or call the script before the container starts, unless I bother to make a customised docker image, which is not ideal. Since there is no human action involved, no one will reset the admin password via the browser, unless you mean I can call the REST API to fully set up the admin user. Also, when I add a new user, if I add it into the master realm it will be as powerful as admin, at least that's what I observed? Therefore leaving the admin there is only going to be a security hole, and the best practice is to get rid of it as fast as I can.
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10
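Option 1 above, written out as an added example (not the Keycloak project's entrypoint or image): a POSIX sh entrypoint that reads the admin credentials from environment variables, runs add-user.sh once before the server starts, and refuses to start at all if the credentials would leave the server with the admin/admin account Dong is worried about. The variable names KEYCLOAK_ADMIN_USER and KEYCLOAK_ADMIN_PASSWORD and the 12-character minimum are assumptions of this example; add-user.sh with -u/-p and the /opt/jboss/keycloak path are the ones quoted in Pavel's Dockerfile line.

```shell
#!/bin/sh
# Added example, not Keycloak's own entrypoint or image: create the first admin account
# from environment variables before the server is started, and refuse to start when
# that would leave a guessable account behind. KEYCLOAK_ADMIN_USER/KEYCLOAK_ADMIN_PASSWORD
# are names assumed here; add-user.sh, its -u/-p flags and the KEYCLOAK_HOME default are
# taken from the Dockerfile line quoted in the thread.

KEYCLOAK_HOME=${KEYCLOAK_HOME:-/opt/jboss/keycloak}

# Returns 0 when the pair is acceptable, 1 otherwise. The rules encode what the thread
# objects to: the shipped admin/admin account and trivially guessable values.
validate_admin_credentials() {
    user=$1
    pass=$2
    [ -n "$user" ] && [ -n "$pass" ] || return 1   # both must be set
    [ "$pass" != admin ] || return 1               # the default everyone knows
    [ "$pass" != "$user" ] || return 1             # password equal to the user name
    [ "${#pass}" -ge 12 ] || return 1              # assumed minimum length
    return 0
}

# The add-user.sh invocation as a string, so it can be inspected without running it.
add_user_command() {
    printf '%s/bin/add-user.sh -u %s -p %s' "$KEYCLOAK_HOME" "$1" "$2"
}

# Creates the admin once, before the server starts, so no restart or browser login is
# needed. add-user.sh takes the password on its command line (as in the thread), so it
# is briefly visible in the process table while the script runs.
bootstrap_admin() {
    user=${KEYCLOAK_ADMIN_USER:-}
    pass=${KEYCLOAK_ADMIN_PASSWORD:-}
    if ! validate_admin_credentials "$user" "$pass"; then
        echo "refusing to start: set KEYCLOAK_ADMIN_USER and a non-default KEYCLOAK_ADMIN_PASSWORD of 12+ characters" >&2
        return 1
    fi
    "$KEYCLOAK_HOME/bin/add-user.sh" -u "$user" -p "$pass" || return 1
    unset KEYCLOAK_ADMIN_PASSWORD   # do not hand the secret on to the server process
}

# Container entrypoint: `sh entrypoint.sh run` bootstraps, then execs the server
# (standalone.sh is the WildFly launcher that Keycloak 1.x ships). Without "run" the
# functions are only defined, so the file can be sourced and tested.
if [ "${1:-}" = run ]; then
    bootstrap_admin || exit 1
    exec "$KEYCLOAK_HOME/bin/standalone.sh" -b 0.0.0.0
fi
```

Refusing to start is the safer failure mode for an unattended deployment: a container that comes up without the variables would otherwise be reachable with the built-in account until someone notices. The add-user.sh call is the only step that needs the secret, and the variable is unset before exec so the server process (and anything able to read its environment) no longer carries it.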
From xied75 at gmail.com Thu Dec 17 11:48:22 2015
From: xied75 at gmail.com (Dong Xie)
Date: Thu, 17 Dec 2015 16:48:22 +0000
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com>
Message-ID: <5672e756.6408c20a.7346.18e7@mx.google.com>

That is great news; when is the 1.8 release time?

Also, is it possible to take an ENV var to enable SSL and take the configuration of cert files via a container volume? Hope those have been in the plan; if not I'm happy to raise the issue in JIRA and see if I can contribute towards it.

Best regards,

Dong

Sent from Mail for Windows 10

From: Stian Thorgersen
Sent: 17 December 2015 16:43
To: Dong Xie
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] out of box experiences and automation

We will soon remove the built-in admin/admin user account. For the Docker image you will either have to:

1. Pass the admin username and password with environment variables
2. Access via localhost (port forwarding) to create an initial user account

That'll be added in 1.8.

From pavel.masloff at gmail.com Thu Dec 17 12:01:38 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Thu, 17 Dec 2015 18:01:38 +0100
Subject: [keycloak-user] out of box experiences and automation
In-Reply-To: <5672e756.6408c20a.7346.18e7@mx.google.com>
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com> <5672e756.6408c20a.7346.18e7@mx.google.com>

Dong, note that Keycloak and the Keycloak Docker image are two different projects. You can, however, customize the official docker image depending on your requirements.

Regards,
Pavel Maslov, MS

On Thu, Dec 17, 2015 at 5:48 PM, Dong Xie wrote:

> That is great news; when is the 1.8 release time?
>
> Also, is it possible to take an ENV var to enable SSL and take the configuration of cert files via a container volume? Hope those have been in the plan; if not I'm happy to raise the issue in JIRA and see if I can contribute towards it.
>
> Best regards,
>
> Dong
>
> Sent from Mail for Windows 10

From hr.stoyanov at peruncs.com Thu Dec 17 14:42:55 2015
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Thu, 17 Dec 2015 11:42:55 -0800
Subject: [keycloak-user] out of box experiences and automation
In-Reply-To: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>

Dong, I struggled with the same issues...
The only way to crush the complexity of Wildfly and Keycloak is Ansible. I use Ansible templates and Keycloak imports to consistently rebuild my setup. Works with Docker pretty darn well too. But the key is Ansible.

/Hristo Stoyanov

On Dec 17, 2015 11:26 AM, "Dong Xie" wrote:

> Dear all,
>
> I wonder how I can work around needing to browse to the web page and log in with admin + admin to change the password? We are deploying keycloak in an automated flow, thus no human interaction is expected.
>
> Thanks very much for your help!
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10

From prabhalar at yahoo.com Thu Dec 17 21:08:03 2015
From: prabhalar at yahoo.com (Raghuram Prabhala)
Date: Fri, 18 Dec 2015 02:08:03 +0000 (UTC)
Subject: [keycloak-user] Different theme for each client
Message-ID: <1530290150.388135.1450404484015.JavaMail.yahoo@mail.yahoo.com>

Pe

It depends upon the application that the user accesses. We have several scenarios where the same set of users log in to different applications in different divisions, some internet facing that have a totally different look from our intranet ones, and it also depends upon whether the applications look for multi-factor authentication as well.
This is a very common scenario - we typically have different themes presented to the users based on what the client applications request (different themes can be requested utilizing different http parameters).

Perhaps we can define different realms for different themes but it becomes very cumbersome.

From: Stian Thorgersen
To: Raghuram Prabhala
Cc: Revanth Ayalasomayajula; keycloak-user
Sent: Thursday, December 17, 2015 9:28 AM
Subject: Re: [keycloak-user] Different theme for each client

On 17 December 2015 at 14:44, Raghuram Prabhala wrote:

Stian - Even we have a similar requirement of having different themes, but for different divisions within the firm. Some of them have additional functionality of changing even the password. Can you suggest some way of achieving the above functionality considering that all the other functionality is the same for all divisions?

Not actually sure what you mean here. It just doesn't make sense to show a user two login pages that look different (and possibly have different things enabled/disabled) if they use the same realm and SSO session.

Thanks,
Raghu

From: Stian Thorgersen
To: Revanth Ayalasomayajula
Cc: keycloak-user
Sent: Thursday, December 17, 2015 8:05 AM
Subject: Re: [keycloak-user] Different theme for each client

Having different clients login to the same SSO realm with different branded login pages just doesn't make sense. If we add the concept of an SSO domain/zone or something within a realm, where a group of clients have separate themes and SSO session, that would make sense.

On 15 December 2015 at 12:14, Revanth Ayalasomayajula wrote:

+1 for this feature.

On Tue, Dec 15, 2015 at 4:39 PM, Helder dos S. Alves wrote:

Hi. I need to have a different theme for each of the clients of a realm. If a user came from one client, I have to show a keycloak page with the logo and skin of that client. Is it possible with Keycloak? How?

Thanks in advance.

Helder S.
Alves _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151218/d0ef4661/attachment.html From sthorger at redhat.com Fri Dec 18 02:23:51 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 18 Dec 2015 08:23:51 +0100 Subject: [keycloak-user] Different theme for each client In-Reply-To: <1530290150.388135.1450404484015.JavaMail.yahoo@mail.yahoo.com> References: <1530290150.388135.1450404484015.JavaMail.yahoo@mail.yahoo.com> Message-ID: The best solution to that is either the ability to share users between realms or more likely the ability to define a SSO group within a realm. Each SSO group would have independent SSO sessions and could also have separate themes associated with it. It's not something we have resources for right now though. Simply displaying a different theme per-client just doesn't make any sense at all. Users log-in to a SSO realm, not an individual client. So I'm against adding something like that unless we add the ability to log-in to clients or groups of clients individually. On 18 December 2015 at 03:08, Raghuram Prabhala wrote: > Pe > > It depends upon the application that the user accesses. 
> We have several scenarios where the same set of users login to different applications in different divisions, some internet facing that have a totally different look from our intranet ones and it also depends upon whether the applications look for multi factor authentication as well.
>
> This is a very common scenario - We typically have different themes presented to the users based on what the client applications request (different themes can be requested utilizing different http parameters)
>
> Perhaps we can define different realms for different themes but it becomes very cumbersome
>
> ------------------------------
> *From:* Stian Thorgersen
> *To:* Raghuram Prabhala
> *Cc:* Revanth Ayalasomayajula ; keycloak-user
> *Sent:* Thursday, December 17, 2015 9:28 AM
> *Subject:* Re: [keycloak-user] Different theme for each client
>
> On 17 December 2015 at 14:44, Raghuram Prabhala wrote:
>
> Stian - Even we have a similar requirement of having different themes, but for different divisions within the firm. Some of them have additional functionality of changing even the password. Can you suggest some way of achieving the above functionality considering that all the other functionality is the same for all divisions?
>
> Not actually sure what you mean here. It just doesn't make sense to show a user two login pages that look different (and possibly have different things enabled/disabled) if they use the same realm and SSO session.
>
> Thanks,
> Raghu
>
> ------------------------------
> *From:* Stian Thorgersen
> *To:* Revanth Ayalasomayajula
> *Cc:* keycloak-user
> *Sent:* Thursday, December 17, 2015 8:05 AM
> *Subject:* Re: [keycloak-user] Different theme for each client
>
> Having different clients login to the same SSO realm with different branded login pages just doesn't make sense. If we add the concept of a SSO domain/zone or something within a realm, where a group of clients have separate themes and SSO session that would make sense.
>
> On 15 December 2015 at 12:14, Revanth Ayalasomayajula <revanth at arvindinternet.com> wrote:
>
> +1 for this feature.
>
> On Tue, Dec 15, 2015 at 4:39 PM, Helder dos S. Alves <helder.jaspion at gmail.com> wrote:
>
> Hi.
>
> I need to have a different theme for each of the clients of a realm.
> If a user came from one client, I have to show a keycloak page with the logo and skin of that client.
> Is it possible with Keycloak? How?
>
> Thanks in advance.
>
> Helder S. Alves

From sthorger at redhat.com Fri Dec 18 02:31:24 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 08:31:24 +0100
Subject: [keycloak-user] out of box experiences and automation
In-Reply-To: <5672e756.6408c20a.7346.18e7@mx.google.com>
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com> <5672e756.6408c20a.7346.18e7@mx.google.com>

On 17 December 2015 at 17:48, Dong Xie wrote:

> That is great news, when is 1.8 release time?
>
> Also is that possible to take ENV var to enable SSL and take the configuration of certs files via a container volume? Hope those have been in the plan, if not I'm happy to raise the issue in JIRA and see if I can contribute towards it.

We haven't planned to add that, but it would be nice to have. So feel free to create a JIRA. A PR would be even better :)

> Best regards,
>
> Dong
>
> Sent from Mail for Windows 10
>
> *From: *Stian Thorgersen
> *Sent: *17 December 2015 16:43
> *To: *Dong Xie
> *Cc: *keycloak-user at lists.jboss.org
> *Subject: *Re: [keycloak-user] out of box experiences and automation
>
> We will soon remove the built-in admin/admin user account. For the Docker image you will either have to:
>
> 1. Pass the admin username and password with environment variables
> 2. Access via localhost (port forwarding) to create an initial user account
>
> That'll be added in 1.8.
>
> On 17 December 2015 at 17:05, Dong Xie wrote:
>
> Keycloak is deployed as docker container into cloud, once the container starts, the keycloak server starts, I can't stop it being called or call the script before the container starts, unless I bother to make a customised docker image, which is not ideal. Since there is no human action involved, no one will reset the admin password via browser, unless you mean I can call REST API to fully setup admin user. Also when I add new user if I add it into master realm it will be as powerful as admin, at least that's what I observed? Therefore leaving the admin there is only going to be a security hole, and the best practice is to get rid of as fast as I can.
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10
>
> *From: *Stian Thorgersen
> *Sent: *17 December 2015 15:57
> *To: *Dong Xie
> *Cc: *keycloak-user at lists.jboss.org
> *Subject: *Re: [keycloak-user] out of box experiences and automation
>
> You don't need to restart the server, you can call the script before starting the server in the first place.
>
> Why do you need to remove the admin? Do you not need to have at least one admin account on the server.
>
> What do you mean about init access token?
>
> On 17 December 2015 at 16:49, Dong Xie wrote:
>
> That's exactly what I used, so before I can expose the keycloak to the world, I need to get into the node, call the script, restart server, login with the new admin, calling REST api to remove the admin, sounds like a lot of work?
>
> Can we not config an init access token or something similar to smooth the thing, for our poor DevOps life?
>
> Any help would be great!
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10
>
> *From: *Stian Thorgersen
> *Sent: *17 December 2015 15:41
> *To: *Dong Xie
> *Cc: *keycloak-user at lists.jboss.org
> *Subject: *Re: [keycloak-user] out of box experiences and automation
>
> From 1.7 you can add an admin user using the add-user script. See
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>
> On 17 December 2015 at 16:38, Dong Xie wrote:
>
> Dear all,
>
> I wonder how do I work around needing to browse the web page and login with admin + admin to change the password? We are deploying keycloak in an automated flow thus no human interaction is expected.
>
> Thanks very much for your help!
>
> Best,
>
> Dong
>
> Sent from Mail for Windows 10

From sthorger at redhat.com Fri Dec 18 02:32:39 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 08:32:39 +0100
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>

On 17 December 2015 at 20:42, Hristo Stoyanov wrote:

> Dong,
> I struggled with the same issues... The only way to crush the complexity of Wildfly and Keycloak is Ansible. I use Ansible templates and Keycloak imports to consistently rebuild my setup. Works with Docker pretty darn well too. But the key is Ansible.

Only way? Sounds like you work for Ansible ;)

What exact things were you struggling with? We really do want to give users a good experience with Keycloak and would like to make it easier to install and configure if we can.

> /Hristo Stoyanov
> On Dec 17, 2015 11:26 AM, "Dong Xie" wrote:
>
>> Dear all,
>>
>> I wonder how do I work around needing to browse the web page and login with admin + admin to change the password? We are deploying keycloak in an automated flow thus no human interaction is expected.
>>
>> Thanks very much for your help!
>>
>> Best,
>>
>> Dong
>>
>> Sent from Mail for Windows 10

From sthorger at redhat.com Fri Dec 18 02:34:36 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 08:34:36 +0100
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com> <5672e756.6408c20a.7346.18e7@mx.google.com>

Why do you say Keycloak and Keycloak Docker image are two different projects? Keycloak Docker image is provided and maintained by the Keycloak team and is as such part of the Keycloak project itself.

On 17 December 2015 at 18:01, Pavel Maslov wrote:

> Dong, note that Keycloak and Keycloak Docker image are two different projects. You can, however, customize the official docker image depending on your requirements.
>
> Regards,
> Pavel Maslov, MS
>
> On Thu, Dec 17, 2015 at 5:48 PM, Dong Xie wrote:
>
>> That is great news, when is 1.8 release time?
>>
>> Also is that possible to take ENV var to enable SSL and take the configuration of certs files via a container volume? Hope those have been in the plan, if not I'm happy to raise the issue in JIRA and see if I can contribute towards it.
>>
>> Best regards,
>>
>> Dong
>>
>> Sent from Mail for Windows 10
>>
>> *From: *Stian Thorgersen
>> *Sent: *17 December 2015 16:43
>> *To: *Dong Xie
>> *Cc: *keycloak-user at lists.jboss.org
>> *Subject: *Re: [keycloak-user] out of box experiences and automation
>>
>> We will soon remove the built-in admin/admin user account. For the Docker image you will either have to:
>>
>> 1. Pass the admin username and password with environment variables
>> 2. Access via localhost (port forwarding) to create an initial user account
>>
>> That'll be added in 1.8.
>>
>> On 17 December 2015 at 17:05, Dong Xie wrote:
>>
>> Keycloak is deployed as docker container into cloud, once the container starts, the keycloak server starts, I can't stop it being called or call the script before the container starts, unless I bother to make a customised docker image, which is not ideal. Since there is no human action involved, no one will reset the admin password via browser, unless you mean I can call REST API to fully setup admin user. Also when I add new user if I add it into master realm it will be as powerful as admin, at least that's what I observed? Therefore leaving the admin there is only going to be a security hole, and the best practice is to get rid of as fast as I can.
>>
>> Best,
>>
>> Dong
>>
>> Sent from Mail for Windows 10
>>
>> *From: *Stian Thorgersen
>> *Sent: *17 December 2015 15:57
>> *To: *Dong Xie
>> *Cc: *keycloak-user at lists.jboss.org
>> *Subject: *Re: [keycloak-user] out of box experiences and automation
>>
>> You don't need to restart the server, you can call the script before starting the server in the first place.
>>
>> Why do you need to remove the admin? Do you not need to have at least one admin account on the server.
>>
>> What do you mean about init access token?
>>
>> On 17 December 2015 at 16:49, Dong Xie wrote:
>>
>> That's exactly what I used, so before I can expose the keycloak to the world, I need to get into the node, call the script, restart server, login with the new admin, calling REST api to remove the admin, sounds like a lot of work?
>>
>> Can we not config an init access token or something similar to smooth the thing, for our poor DevOps life?
>>
>> Any help would be great!
>>
>> Best,
>>
>> Dong
>>
>> Sent from Mail for Windows 10
>>
>> *From: *Stian Thorgersen
>> *Sent: *17 December 2015 15:41
>> *To: *Dong Xie
>> *Cc: *keycloak-user at lists.jboss.org
>> *Subject: *Re: [keycloak-user] out of box experiences and automation
>>
>> From 1.7 you can add an admin user using the add-user script. See
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>
>> On 17 December 2015 at 16:38, Dong Xie wrote:
>>
>> Dear all,
>>
>> I wonder how do I work around needing to browse the web page and login with admin + admin to change the password? We are deploying keycloak in an automated flow thus no human interaction is expected.
>>
>> Thanks very much for your help!
>>
>> Best,
>>
>> Dong
>>
>> Sent from Mail for Windows 10

From sthorger at redhat.com Fri Dec 18 02:56:47 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 08:56:47 +0100
Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
In-Reply-To: <022CC9BB-3994-4E27-B3F5-A094833CC488@smartling.com>
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com> <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com> <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com> <1007218979.28021563.1450300269527.JavaMail.zimbra@redhat.com> <951119783.28023953.1450300887169.JavaMail.zimbra@redhat.com> <022CC9BB-3994-4E27-B3F5-A094833CC488@smartling.com>

If anyone (Scott?)
wants to contribute how to configure KC clustering on EC2 to our documentation that'd be great :)

On 16 December 2015 at 23:11, Scott Rossillo wrote:

> I actually set the jgroups.bind_addr to global. I need the EC2 instance's address for jgroups.external.addr, see:
>
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 16, 2015, at 4:21 PM, Alan Field wrote:
>
> Almost...
>
> I guess if the EC2 instance IP works for the bind address, why do you need to set external_addr?
>
> Thanks for bearing with me on this! :-)
>
> Alan
>
> ------------------------------
>
> *From: *"Scott Rossillo"
> *To: *"Alan Field"
> *Cc: *"Niko Köbler" , "keycloak-user" <keycloak-user at lists.jboss.org>
> *Sent: *Wednesday, December 16, 2015 4:17:29 PM
> *Subject: *Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Ah, sorry, my originally contrived example wasn't using Amazon but just my local Docker machine IP.
>
> In the case of my ECS tests, 172.16.0.0/16 is the Docker network's IP, which is local to the machine / EC2 instance. Using ECS, my VPC has an IP range of 172.31.0.0/16, so the bind_addr has to be on this network. On my small cluster, that's either 172.31.44.109 or 172.31.45.191.
>
> Does that clear it up?
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 16, 2015, at 4:11 PM, Alan Field wrote:
>
> Hey Scott,
>
> Thanks, I think you answered all of my questions, but I'm confused by something you said in your first email:
>
> "
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default.
> "
>
> My understanding is that the 172.16 addresses are the Amazon EC2 instance's internal IP, so I'm confused why this didn't work for you before. Is the difference that you were setting jgroups.bind_addr to this address and now you are setting it to global and setting external_addr to the instance's internal IP? Just trying to understand what the problem was and how you fixed it!
>
> Thanks again,
> Alan
>
> ------------------------------
>
> *From: *"Scott Rossillo"
> *To: *"Alan Field"
> *Cc: *"Niko Köbler" , "keycloak-user" <keycloak-user at lists.jboss.org>
> *Sent: *Wednesday, December 16, 2015 3:45:40 PM
> *Subject: *Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
>> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>
> True, it's mainly about maintaining extra components.
>
>> Which IP address from your example is retrieved with this command:
>> EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)?
>
> I get the Amazon EC2 instance's internal IP. This is what I want. There's another endpoint for public but I don't want to use it. What's good about this is when called from inside a Docker container, I manage to get the actual internal IP for the EC2 instance.
>
>> How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
>
> Since this was a test with just 2 known hosts, I injected them as a Docker environment variable with two fixed IPs. Once we switch to JDBC_PING, this will be removed.
>
>> For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>
> S3_PING, like Gossip Router, adds an external dependency on another service. S3 has had consistency issues 3 times in 2015 (at least in US East). I don't want to rely on another component when I already need the database to be up. Less components, less chance of failure. Also, there are a ton of variables to set with S3 and it requires preliminary work. I want something that scales well from dev to QA to prod. JDBC_PING has a datasource_jndi_name property. I can just reuse the data source I set up for Keycloak.
>
> I hope I got all your questions.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 16, 2015, at 3:33 PM, Alan Field wrote:
>
> Hey Scott,
>
> Thanks for following up and showing me your code. I have some questions inline for you:
>
> ------------------------------
>
> *From: *"Scott Rossillo"
> *To: *"Alan Field"
> *Cc: *"Niko Köbler" , "keycloak-user" <keycloak-user at lists.jboss.org>
> *Sent: *Wednesday, December 16, 2015 2:19:27 PM
> *Subject: *Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> Hi Alan,
>
> Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.
>
> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to setup and maintain the extra gossip router processes.
>
> I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host otherwise the nodes won't form a cluster. Secondly, FD_SOCK attempts to connect back on a random port. With Docker instances, this fails. Using a known client_bind_port works well.
>
> Which IP address from your example is retrieved with this command:
>
> EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4)
>
> Is it the 172.16.0.4 address or the 10.10.0.100 address? When I use this command in EC2, I get the internal IP address for the instance, but not the public IP address. In your example, that would be the 172.16.0.4 address. Also which address is used for the bind_addr when you use -Djgroups.bind_addr=global?
>
> Here's the code I'm testing with:
> https://github.com/foo4u/aws-infinispan-poc
>
> Most interesting are probably:
>
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh
>
> How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
>
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/src/main/resources/tcp.xml
>
> With this set up the nodes on different machines communicate without issue. I still have to add in something other than TCP_PING, but that wasn't the main issue. Will use JDBC_PING most likely. Not a fan of S3 for coordination. Plus I already need an RDBMS for Keycloak.
>
> For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>
> Thanks,
> Alan
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 15, 2015, at 2:13 PM, Alan Field wrote:
>
> Just to be clear, I have successfully tested Infinispan library and server mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses. None of the cloud providers support multicast. The Docker case is a little different though, because of the issues with getting access to the IP address.
>
> Thanks,
> Alan
>
> ------------------------------
>
> *From: *"Niko Köbler"
> *To: *"Paul Blair"
> *Cc: *"keycloak-user"
> *Sent: *Tuesday, December 15, 2015 1:53:18 PM
> *Subject: *Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> We will go for the first run with EC2 and S3_PING, but w/o Docker.
> If we/you/whoever will find a proper solution (possibly on the jgroups mailinglist), we will test this.
>
> Seems that everybody is aware of the Docker/Cloud/Multicast issues, but no-one has a proper solution, only workarounds. :(
>
> On 15.12.2015 at 15:47, Paul Blair wrote:
>
> I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
>
> Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
>
> From: Scott Rossillo
> Date: Mon, 14 Dec 2015 18:31:30 -0500
> To: Marek Posolda ,
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>
> There are two issues:
>
> 1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.
>
> 2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP. This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple work around.
>
> Take for example a simple 2 node cluster:
>
> Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
> Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.
>
> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>
> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster. The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.
>
> I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list.
>
> Let me know what you think.
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 14, 2015, at 5:32 PM, Marek Posolda wrote:
>
> CCing Alan Field from RH Infinispan team and forwarding his question:
>
> I'd like to know which configuration files you are using and why it is harder to use with Amazon's Docker service (ECS) or Beanstalk. I'd also be interested in how big a cluster you are using in AWS.
>
> On 14/12/15 22:24, Scott Rossillo wrote:
>
> AWS was why we didn't use Infinispan to begin with. That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.
>
> It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used.
> I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo and it's easier to test locally.
>
> TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 14, 2015, at 10:59 AM, Marek Posolda wrote:
>
> On 14/12/15 16:55, Marek Posolda wrote:
>
> On 14/12/15 15:58, Bill Burke wrote:
>
> On 12/14/2015 5:01 AM, Niko Köbler wrote:
>
> Hi Marek,
>
> On 14.12.2015 at 08:50, Marek Posolda wrote:
>
> Btv. what's your motivation to not use infinispan? If you're afraid of cluster communication, you don't need to worry much about it, because if you run single keycloak through standalone.xml, the infinispan automatically works in LOCAL mode and there is no cluster communication at all.
>
> My current customer is running his apps in AWS. As known, multicast is not available in cloud infrastructures. Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know too much about JGroups config. S3_PING seems to be a viable way to get a cluster running in AWS. But additionally, my customer doesn't have any (deep) knowledge about JBoss infrastructures and so I'm looking for a way to be able to run Keycloak in a cluster in AWS without the need to build up deeper knowledge of JGroups config, for example in getting rid of Infinispan. But I do understand all the concerns in doing this.
> I still have to test S3_PING, if it works as easy as multicast. If yes, we can use it, if no... I don't know yet. But this gets offtopic for Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.
> > seems to me it would be much easier to get Infinispan working on AWS > than to write and maintain an entire new caching mechanism and hope we > don't refactor the cache SPI. > > > +1 > > I am sure infinispan/JGroups has possibility to run in non-multicast > environment. You may just need to figure how exactly to configure it. So > I agree that this issue is more related to Wildfly/Infinispan itself > than to Keycloak. > > You may need to use jgroups protocols like TCP instead of default UDP > and maybe TCPPING (this requires to manually list all your cluster > nodes. But still, it's much better option IMO than rewriting UserSession > SPI) > > Btv. if TCPPING or S3_PING is an issue, there is also AWS_PING > http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's > not official part of jgroups. > > Marek > > > Marek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > keycloak-user mailing list > 
From hr.stoyanov at peruncs.com Fri Dec 18 03:20:40 2015
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Fri, 18 Dec 2015 00:20:40 -0800
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>

Stian,
I have no affiliation with Ansible, but you do ... since recently :-)

What I do is:
1. I configured KC with passwords, URLs for the apps, certificates, Facebook tokens, etc.
2. I exported it into json dump files.
3. I repeated 1-2 until I had enough data for DEV, QA and PROD - all different environments. Note that some parts of the exports remain the same - roles, groups.
4. I templatized the exported json files so that Ansible can substitute the environment sensitive bits and deploy to DEV, QA and PROD.

Same applies to the wildfly's standalone.xml - parametrize different versions for DEV, QA, PROD.

It is royal pain to create the J2 templates, initially, but not as much as trying to do it with jboss-cli (which I tried too, the Infinispan KC jboss cli script killed me!).

None of this is ideal, but expecting devops to click around HTML UIs or manually hack xml/json these days is not OK.

Docker by itself is too weak for this sort of deep configurations. 1.9 adds parameters, one can use env variables, but otherwise you are left with shell scripting/perl, regex in your Dockerfile ...

This still might sound like an overkill, but when you add jgroups, cluster, network interfaces, databases, firewall.... You start to realize why Red Hat acquired Ansible :-)

/Hristo Stoyanov

On Dec 17, 2015 11:32 PM, "Stian Thorgersen" wrote:

> On 17 December 2015 at 20:42, Hristo Stoyanov wrote:
>
>> Dong,
>> I struggled with the same issues... The only way to crush the complexity
>> of Wildfly and Keycloak is Ansible. I use Ansible templates and Keycloak
>> imports to consistently rebuild my setup. Works with Docker pretty darn
>> well too. But the key is Ansible.
>
> Only way? Sounds like you work for Ansible ;)
>
> What exact things were you struggling with? We really do want to give
> users a good experience with Keycloak and would like to make it easier to
> install and configure if we can.
>
>> /Hristo Stoyanov
>> On Dec 17, 2015 11:26 AM, "Dong Xie" wrote:
>>
>>> Dear all,
>>>
>>> I wonder how do I work around needing to browse the web page and login
>>> with admin + admin to change the password? We are deploying keycloak in an
>>> automated flow thus no human interaction is expected.
>>>
>>> Thanks very much for your help!
>>>
>>> Best,
>>>
>>> Dong
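Steps 2 to 4 of the procedure above (export the realm as JSON, templatize it, let Ansible substitute the environment-sensitive bits), as an added example that is not Hristo's code or Keycloak's own: a stdlib-only Python script that turns a constructed realm export into a Jinja2-style template, records which DEV values were pulled out, checks that none of them remain in the template, and renders it per environment with a small stand-in for Ansible's Jinja2 substitution. The SENSITIVE_KEYS list and the sample export are assumptions.

```python
"""Templatize a Keycloak realm export so Ansible can render it per environment.
Added example, not code from the thread: the sensitive-key list and the sample
export below are constructed assumptions."""
import copy
import json
import re

# Keys whose values differ between DEV, QA and PROD (assumed; extend as needed).
SENSITIVE_KEYS = {"secret", "clientSecret", "password", "rootUrl",
                  "adminUrl", "redirectUris"}

# Constructed, cut-down export in the shape the Keycloak exporter produces.
SAMPLE_EXPORT = {
    "realm": "demo",
    "roles": {"realm": [{"name": "user"}, {"name": "admin"}]},
    "groups": [{"name": "staff"}],
    "clients": [{"clientId": "web-app",
                 "rootUrl": "https://dev.example.test",
                 "redirectUris": ["https://dev.example.test/*"],
                 "secret": "dev-client-secret-0001"}],
    "identityProviders": [{"alias": "facebook",
                           "config": {"clientId": "1234",
                                      "clientSecret": "fb-dev-secret"}}],
    "smtpServer": {"host": "smtp.dev.example.test", "password": "smtp-dev-pass"},
}

PLACEHOLDER = re.compile(r"^\{\{ (kc_[a-z0-9_]+) \}\}$")


def _var_name(path):
    """JSON path -> Jinja2 variable name, e.g. kc_clients_web_app_secret."""
    return "kc_" + re.sub(r"[^a-z0-9]+", "_", "_".join(path).lower()).strip("_")


def templatize(export):
    """Return (template, variables): the template is a deep copy with each
    sensitive value replaced by a "{{ kc_... }}" placeholder (one per list
    element); variables maps placeholder name -> value from this export."""
    variables = {}

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in list(node.items()):
                if key not in SENSITIVE_KEYS:
                    walk(value, path + [key])
                elif isinstance(value, list):
                    node[key] = []
                    for i, item in enumerate(value):
                        name = f"{_var_name(path + [key])}_{i}"
                        variables[name] = item
                        node[key].append("{{ " + name + " }}")
                else:
                    name = _var_name(path + [key])
                    variables[name] = value
                    node[key] = "{{ " + name + " }}"
        elif isinstance(node, list):
            # Label list elements by clientId/alias/name so variable names do
            # not shift when the exporter reorders entries.
            for i, item in enumerate(node):
                label = str(i)
                if isinstance(item, dict):
                    label = (item.get("clientId") or item.get("alias")
                             or item.get("name") or str(i))
                walk(item, path + [label])

    template = copy.deepcopy(export)
    walk(template, [])
    return template, variables


def render(template, env_vars):
    """Fill placeholders from env_vars (stand-in for Ansible's Jinja2 step);
    a placeholder with no value raises KeyError instead of reaching the import."""
    def fill(node):
        if isinstance(node, dict):
            return {k: fill(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fill(v) for v in node]
        match = PLACEHOLDER.match(node) if isinstance(node, str) else None
        return env_vars[match.group(1)] if match else node
    return fill(template)


def leaked_values(template, variables):
    """DEV values still present verbatim in the template; must be empty
    before the template goes into version control."""
    text = json.dumps(template)
    return sorted(v for v in variables.values()
                  if isinstance(v, str) and v in text)


if __name__ == "__main__":
    tpl, dev_vars = templatize(SAMPLE_EXPORT)
    print(json.dumps(tpl, indent=2), "\nleaked:", leaked_values(tpl, dev_vars))
    prod_vars = dict(dev_vars, kc_clients_web_app_secret="PROD-SECRET-FROM-VAULT",
                     kc_clients_web_app_rooturl="https://sso.example.test")
    print(json.dumps(render(tpl, prod_vars)["clients"][0], indent=2))
```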
From pavel.masloff at gmail.com Fri Dec 18 03:27:35 2015
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Fri, 18 Dec 2015 09:27:35 +0100
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com> <5672e756.6408c20a.7346.18e7@mx.google.com>

Hi, Stian

Didn't know that, sorry. What I meant is people have different use-cases,
you guys provide a base image. Keycloak users are free to extend the base
image. For example, I was forced to create my own docker image, because the
base image doesn't provide external database support, nor SSL.

Regards,
Pavel Maslov, MS

On Fri, Dec 18, 2015 at 8:34 AM, Stian Thorgersen wrote:

> Why do you say Keycloak and Keycloak Docker image are two different
> projects? Keycloak Docker image is provided and maintained by the Keycloak
> team and is such part of the Keycloak project itself.
>
> On 17 December 2015 at 18:01, Pavel Maslov wrote:
>
>> Dong, note that Keycloak and Keycloak Docker image are two different
>> projects. You can, however, customize the official docker image depending
>> on your requirements.
>>
>> Regards,
>> Pavel Maslov, MS
>>
>> On Thu, Dec 17, 2015 at 5:48 PM, Dong Xie wrote:
>>
>>> That is great news, when is 1.8 release time?
>>>
>>> Also is that possible to take ENV var to enable SSL and take the
>>> configuration of certs files via a container volume? Hope those has been in
>>> the plan, if not I'm happy to raise the issue in JIRA and see if I can
>>> contribute towards it.
>>>
>>> Best regards,
>>>
>>> Dong
>>>
>>> *From:* Stian Thorgersen
>>> *Sent:* 17 December 2015 16:43
>>> *To:* Dong Xie
>>> *Cc:* keycloak-user at lists.jboss.org
>>> *Subject:* Re: [keycloak-user] out of box experiences and automation
>>>
>>> We will soon remove the built-in admin/admin user account. For the
>>> Docker image you will either have to:
>>>
>>> 1. Pass the admin username and password with environment variables
>>> 2. Access via localhost (port forwarding) to create an initial user
>>> account
>>>
>>> That'll be added in 1.8.
>>>
>>> On 17 December 2015 at 17:05, Dong Xie wrote:
>>>
>>> Keycloak is deployed as docker container into cloud, once the container
>>> starts, the keycloak server starts, I can't stop it being called or call
>>> the script before the container starts, unless I bother to make a
>>> customised docker image, which is not ideal. Since there is no human action
>>> involved, no one will reset the admin password via browser, unless you mean
>>> I can call REST API to fully setup admin user. Also when I add new user if
>>> I add it into master realm it will be as powerful as admin, at least that's
>>> what I observed? Therefore leaving the admin there is only going to be a
>>> security hole, and the best practice is to get rid of as fast as I can.
>>>
>>> Best,
>>>
>>> Dong
>>>
>>> *From:* Stian Thorgersen
>>> *Sent:* 17 December 2015 15:57
>>> *To:* Dong Xie
>>> *Cc:* keycloak-user at lists.jboss.org
>>> *Subject:* Re: [keycloak-user] out of box experiences and automation
>>>
>>> You don't need to restart the server, you can call the script before
>>> starting the server in the first place.
>>>
>>> Why do you need to remove the admin? Do you not need to have at least
>>> one admin account on the server.
>>>
>>> What do you mean about init access token?
>>>
>>> On 17 December 2015 at 16:49, Dong Xie wrote:
>>>
>>> That's exactly what I used, so before I can expose the keycloak to the
>>> world, I need to get into the node, call the script, restart server, login
>>> with the new admin, calling REST api to remove the admin, sounds like a lot
>>> of work?
>>>
>>> Can we not config an init access token or something similar to smooth
>>> the thing, for our poor DevOps life?
>>>
>>> Any help would be great!
>>>
>>> Best,
>>>
>>> Dong
>>>
>>> *From:* Stian Thorgersen
>>> *Sent:* 17 December 2015 15:41
>>> *To:* Dong Xie
>>> *Cc:* keycloak-user at lists.jboss.org
>>> *Subject:* Re: [keycloak-user] out of box experiences and automation
>>>
>>> From 1.7 you can add an admin user using the add-user script. See
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e136
>>>
>>> On 17 December 2015 at 16:38, Dong Xie wrote:
>>>
>>> Dear all,
>>>
>>> I wonder how do I work around needing to browse the web page and login
>>> with admin + admin to change the password? We are deploying keycloak in an
>>> automated flow thus no human interaction is expected.
>>>
>>> Thanks very much for your help!
>>>
>>> Best,
>>>
>>> Dong

From sthorger at redhat.com Fri Dec 18 03:32:22 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 09:32:22 +0100
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com>

On 18 December 2015 at 09:20, Hristo Stoyanov wrote:

> Stian,
> I have no affiliation with Ansible, but you do ... since recently :-)

That's true - I forgot about that

> What I do is:
> 1. I configured KC with passwords, URLs for the apps, certificates,
> Facebook tokens, etc.
> 2. I exported it into json dump files.
> 3. I repeated 1-2 until I had enough data for DEV, QA and PROD - all
> different environments. Note that some parts of the exports remain the
> same - roles, groups.
> 4. I templatized the exported json files so that Ansible can substitute
> the environment sensitive bits and deploy to DEV, QA and PROD.
>
> Same applies to the wildfly's standalone.xml - parametrize different
> versions for DEV, QA, PROD.
>
> It is royal pain to create the J2 templates, initially, but not as much as
> trying to do it with jboss-cli (which I tried too, the Infinispan KC jboss
> cli script killed me!).
>
> None of this is ideal, but expecting devops to click around HTML UIs or
> manually hack xml/json these days is not OK.

The plan in the long run is to move everything in keycloak-server.json to
standalone.xml so all server config can be done in one place. Doesn't sound
like you're a big fan of JBoss CLI though. With JBoss CLI offline mode I
would think it's still a better way to modify standalone.xml than
templating. I fully appreciate that it's not the easiest tool to master
(I've never been able to achieve anything with it without Googling for a
recipe first).

WDYM about Infinispan KC jboss cli script? Are you installing KC into an
existing WF with the overlay?

For realm config, clients, etc.. we are also planning on adding an Admin
CLI that lets you create those from the CLI without touching the HTML UI.
It would require a running server though as it would be calling admin rest
endpoints rather than DB directly.

> Docker by itself is too weak for this sort of deep configurations. 1.9
> adds parameters, one can use env variables, but otherwise you are left with
> shell scripting/perl, regex in your Dockerfile ...
>
> This still might sound like an overkill, but when you add jgroups,
> cluster, network interfaces, databases, firewall.... You start to realize
> why Red Hat acquired Ansible :-)

Yup, I think it's easy for us developers to forget how difficult it can be
to configure and install to a real environment. Any suggestions on
improvements we can make are more than welcome :)

> /Hristo Stoyanov
From sthorger at redhat.com Fri Dec 18 03:33:57 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 09:33:57 +0100
Subject: [keycloak-user] out of box experiences and automation
References: <5672d6f2.42661c0a.ff609.fffff3fc@mx.google.com> <5672d990.8555c20a.af895.fffffcbd@mx.google.com> <5672dd2c.89dec20a.7b97c.057c@mx.google.com> <5672e756.6408c20a.7346.18e7@mx.google.com>

On 18 December 2015 at 09:27, Pavel Maslov wrote:

> Hi, Stian
>
> Didn't know that, sorry. What I meant is people have different use-cases,
> you guys provide a base image. Keycloak users are free to extend the base
> image. For example, I was forced to create my own docker image, because the
> base image doesn't provide external database support, nor SSL.

We do have images for MySQL and PostgreSQL, but you're right they are still
base images and I'd expect people to extend it for real use. SSL support
would be nice to add though. As suggested it could be done with env
variables and container volumes.

> Regards,
> Pavel Maslov, MS
>
> On Fri, Dec 18, 2015 at 8:34 AM, Stian Thorgersen wrote:
>
>> Why do you say Keycloak and Keycloak Docker image are two different
>> projects? Keycloak Docker image is provided and maintained by the Keycloak
>> team and is such part of the Keycloak project itself.
>>
>> On 17 December 2015 at 18:01, Pavel Maslov wrote:
>>
>>> Dong, note that Keycloak and Keycloak Docker image are two different
>>> projects. You can, however, customize the official docker image depending
>>> on your requirements.
>>>
>>> Regards,
>>> Pavel Maslov, MS

From mposolda at redhat.com Fri Dec 18 03:35:03 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Dec 2015 09:35:03 +0100
Subject: [keycloak-user] Different theme for each client
References: <1530290150.388135.1450404484015.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <5673C537.8090103@redhat.com>

On 18/12/15 08:23, Stian Thorgersen wrote:
> The best solution to that is either the ability to share users between
> realms or more likely the ability to define a SSO group within a
> realm. Each SSO group would have independent SSO sessions and could
> also have separate themes associated with it. It's not something we
> have resources for right now though.
I wonder if we can have something like
"different-realm-user-federation-provider"? We had something like this in
the early days of Keycloak.

For example, if you have 2 realms "blueRealm" and "greenRealm". The
greenRealm will have defined federation provider, which will delegate
retrieving users to blueRealm. Then all applications configured against
greenRealm will see green login screen, but they will be able to
authenticate with users+passwords from blueRealm.

Marek

> Simply displaying a different theme per-client just doesn't make any
> sense at all. Users log-in to a SSO realm, not an individual client.
> So I'm against adding something like that unless we add the ability to
> log-in to clients or groups of clients individually.
>
> On 18 December 2015 at 03:08, Raghuram Prabhala wrote:
>
> Pe
>
> It depends upon the application that the user accesses. We have
> several scenarios where the same set of users login to different
> applications in different divisions, some internet facing that
> have a totally different look from our intranet ones and it also
> depends upon whether the applications look for multi factor
> authentication as well.
>
> This is a very common scenario - We typically have different
> themes presented to the users based on what the client
> applications request (different themes can be requested utilizing
> different http parameters)
>
> Perhaps we can define different realms for different themes but it
> becomes very cumbersome
>
> ------------------------------------------------------------------------
> *From:* Stian Thorgersen
> *To:* Raghuram Prabhala
> *Cc:* Revanth Ayalasomayajula; keycloak-user
> *Sent:* Thursday, December 17, 2015 9:28 AM
> *Subject:* Re: [keycloak-user] Different theme for each client
>
> On 17 December 2015 at 14:44, Raghuram Prabhala wrote:
>
> Stian - Even we have a similar requirement of having different
> themes, but for different divisions within the firm. Some of
> them have additional functionality of changing even the
> password. Can you suggest some way of achieving the above
> functionality considering that all the other functionality is
> the same for all divisions?
>
> Not actually sure what you mean here. It just doesn't make sense
> to show a user two login pages that look different (and possible
> have different things enabled/disable) if they use the same realm
> and SSO session.
>
> Thanks,
> Raghu
>
> ------------------------------------------------------------------------
> *From:* Stian Thorgersen
> *To:* Revanth Ayalasomayajula
> *Cc:* keycloak-user
> *Sent:* Thursday, December 17, 2015 8:05 AM
> *Subject:* Re: [keycloak-user] Different theme for each client
>
> Having different clients login to the same SSO realm with
> different branded login pages just doesn't make sense. If we
> add the concept of a SSO domain/zone or something within a
> realm, where a group of clients have separate themes and SSO
> session that would make sense.
>
> On 15 December 2015 at 12:14, Revanth Ayalasomayajula wrote:
>
> +1 for this feature.
>
> On Tue, Dec 15, 2015 at 4:39 PM, Helder dos S. Alves wrote:
>
> Hi.
>
> I need to have a different theme for each of the
> clients of a realm.
> If a user came from one client, I have to show a
> keycloak page with the logo and skin of that client.
> Is it possible with Keycloak? How?
>
> Thanks in advance.
>
> Helder S. Alves

From sthorger at redhat.com Fri Dec 18 03:39:22 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 09:39:22 +0100
Subject: [keycloak-user] Different theme for each client
In-Reply-To: <5673C537.8090103@redhat.com>
References: <1530290150.388135.1450404484015.JavaMail.yahoo@mail.yahoo.com> <5673C537.8090103@redhat.com>

On 18 December 2015 at 09:35, Marek Posolda wrote:

> On 18/12/15 08:23, Stian Thorgersen wrote:
>
> The best solution to that is either the ability to share users between
> realms or more likely the ability to define a SSO group within a realm.
> Each SSO group would have independent SSO sessions and could also have
> separate themes associated with it. It's not something we have resources
> for right now though.
>
> I wonder if we can have something like
> "different-realm-user-federation-provider"? We had something like this in
> the early days of Keycloak.
>
> For example, if you have 2 realms "blueRealm" and "greenRealm".
> The greenRealm will have defined federation provider, which will delegate
> retrieving users to blueRealm. Then all applications configured against
> greenRealm will see green login screen, but they will be able to
> authenticate with users+passwords from blueRealm.

That's not very elegant at least not ATM as we would end up duplicating the
users in the DB.

> Marek

From mposolda at redhat.com Fri Dec 18 03:44:20 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Dec 2015 09:44:20 +0100
Subject: [keycloak-user] Different theme for each client
References: <1530290150.388135.1450404484015.JavaMail.yahoo@mail.yahoo.com> <5673C537.8090103@redhat.com>
Message-ID: <5673C764.8050605@redhat.com>

On 18/12/15 09:39, Stian Thorgersen wrote:
>
> On 18 December 2015 at 09:35, Marek Posolda wrote:
>
> On 18/12/15 08:23, Stian Thorgersen wrote:
>> The best solution to that is either the ability to share users
>> between realms or more likely the ability to define a SSO group
>> within a realm. Each SSO group would have independent SSO
>> sessions and could also have separate themes associated with it.
>> It's not something we have resources for right now though.
> I wonder if we can have something like
> "different-realm-user-federation-provider"? We had something like
> this in the early days of Keycloak.
>
> For example, if you have 2 realms "blueRealm" and "greenRealm".
> The greenRealm will have defined federation provider, which will > delegate retrieving users to blueRealm. Then all applications > configured against greenRealm will see green login screen, but > they will be able to authenticate with users+passwords from > blueRealm. > > > That's not very elegant at least not ATM as we would end up > duplicating the users in the DB. Yeah. Once we address in-memory federation, it's going to be better though. Might be easier then introduce brand new concept of SSO groups within realm. Marek > > > Marek > > >> >> Simply displaying a different theme per-client just doesn't make >> any sense at all. Users log-in to a SSO realm, not an individual >> client. So I'm against adding something like that unless we add >> the ability to log-in to clients or groups of clients individually. >> >> On 18 December 2015 at 03:08, Raghuram Prabhala >> > wrote: >> >> Pe >> >> It depends upon the application that the user accesses. We >> have several scenarios where the same set of users login to >> different applications in different divisions, some internet >> facing that have a totally different look from our intranet >> ones and it also depends upon whether the applications look >> for multi factor authentication as well. 
>> >> This is a very common scenario - We typically have different >> themes presented to the users based on what the client >> applications request (different themes can be requested >> utilizing different http parameters) >> >> Perhaps we can define different realms for different themes >> but it becomes very cumbersome >> >> >> >> ------------------------------------------------------------------------ >> *From:* Stian Thorgersen > > >> *To:* Raghuram Prabhala > > >> *Cc:* Revanth Ayalasomayajula > >; keycloak-user >> > > >> *Sent:* Thursday, December 17, 2015 9:28 AM >> >> *Subject:* Re: [keycloak-user] Different theme for each client >> >> >> >> On 17 December 2015 at 14:44, Raghuram Prabhala >> > wrote: >> >> Stian - Even we have a similar requirement of having >> different themes, but for different divisions within the >> firm. Some of them have additional functionality of >> changing even the password. Can you suggest some way of >> achieving the above functionality considering that all >> the other functionality is the same for all divisions? >> >> >> Not actually sure what you mean here. It just doesn't make >> sense to show a user two login pages that look different (and >> possible have different things enabled/disable) if they use >> the same realm and SSO session. >> >> >> Thanks, >> Raghu >> >> ------------------------------------------------------------------------ >> *From:* Stian Thorgersen > > >> *To:* Revanth Ayalasomayajula > > >> *Cc:* keycloak-user > > >> *Sent:* Thursday, December 17, 2015 8:05 AM >> *Subject:* Re: [keycloak-user] Different theme for each >> client >> >> Having different clients login to the same SSO realm with >> different branded login pages just doesn't make sense. If >> we add the concept of a SSO domain/zone or something >> within a realm, where a group of clients have separate >> themes and SSO session that would make sense. 
>> >> On 15 December 2015 at 12:14, Revanth Ayalasomayajula >> > > wrote: >> >> +1 for this feature. >> ? >> >> On Tue, Dec 15, 2015 at 4:39 PM, Helder dos S. Alves >> > > wrote: >> >> Hi. >> >> I need to have a different theme for each of the >> clients of a realm. >> If a user came from one client, I have to show a >> keycloak page with the logo and skin of that client. >> Is it possible with Keycloak? How? >> >> Thanks in advance. >> >> >> Helder S. Alves >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... 
From sthorger at redhat.com Fri Dec 18 03:47:15 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 09:47:15 +0100
Subject: [keycloak-user] Different theme for each client
In-Reply-To: <5673C764.8050605@redhat.com>
References: <1530290150.388135.1450404484015.JavaMail.yahoo@mail.yahoo.com> <5673C537.8090103@redhat.com> <5673C764.8050605@redhat.com>

On 18 December 2015 at 09:44, Marek Posolda wrote:
> On 18/12/15 09:39, Stian Thorgersen wrote:
>> That's not very elegant, at least not ATM, as we would end up duplicating the users in the DB.
>
> Yeah. Once we address in-memory federation, it's going to be better though. Might be easier then to introduce a brand new concept of SSO groups within a realm.

I think SSO groups would be useful. User federation doesn't allow sharing anything besides users. You may for instance have a bunch of services and a few internal apps, but one external app. You'd like the external app to be able to call services, but not be part of the internal SSO.

From adrianmatei at gmail.com Fri Dec 18 03:54:48 2015
From: adrianmatei at gmail.com (Adrian Matei)
Date: Fri, 18 Dec 2015 09:54:48 +0100
Subject: [keycloak-user] New locale in login/registration pages

Hi guys,

Can you tell me how I can add a new locale, let's say Romanian ('ro'), to the login/registration pages?
In the admin console there is only support for 'en', 'de', 'pt-BR', 'it', 'es', 'ca' (why is French not supported by default since all the translations seem to be there?) and if I look at the source code
https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js#L342
they are statically defined...

Thanks
Adrian
From sthorger at redhat.com Fri Dec 18 05:36:25 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 11:36:25 +0100
Subject: [keycloak-user] New locale in login/registration pages

We need to improve on that. Feel free to create a JIRA.

From prabhalar at yahoo.com Fri Dec 18 06:13:52 2015
From: prabhalar at yahoo.com (Raghuram Prabhala)
Date: Fri, 18 Dec 2015 11:13:52 +0000 (UTC)
Subject: [keycloak-user] Different theme for each client
In-Reply-To: <5673C764.8050605@redhat.com>
References: <5673C764.8050605@redhat.com>
Message-ID: <16064778.487709.1450437232628.JavaMail.yahoo@mail.yahoo.com>

Perhaps the ideas below would work, but I think it simply complicates things and is not warranted, as a single realm is what we are looking for. Based on what we saw in other commercial products, I am wondering why the themes/login pages can't be dynamically served by a server component with everything else being the same. My apologies if I am overlooking something, as I haven't really looked into the themes in KC.

From: Marek Posolda
To: stian at redhat.com
Cc: Raghuram Prabhala; keycloak-user
Sent: Friday, December 18, 2015 3:44 AM
Subject: Re: [keycloak-user] Different theme for each client

On 18/12/15 09:39, Stian Thorgersen wrote:
> On 18 December 2015 at 09:35, Marek Posolda wrote:
>> On 18/12/15 08:23, Stian Thorgersen wrote:
>>> The best solution to that is either the ability to share users between realms or, more likely, the ability to define a SSO group within a realm. Each SSO group would have independent SSO sessions and could also have separate themes associated with it. It's not something we have resources for right now though.
>>
>> I wonder if we can have something like a "different-realm-user-federation-provider"? We had something like this in the early days of Keycloak.
>>
>> For example, if you have 2 realms "blueRealm" and "greenRealm". The greenRealm will have a federation provider defined, which will delegate retrieving users to blueRealm. Then all applications configured against greenRealm will see the green login screen, but they will be able to authenticate with users+passwords from blueRealm.
>
> That's not very elegant, at least not ATM, as we would end up duplicating the users in the DB.

Yeah. Once we address in-memory federation, it's going to be better though. Might be easier then to introduce a brand new concept of SSO groups within a realm.

Marek

From johan.bos at c6.eu Fri Dec 18 09:00:42 2015
From: johan.bos at c6.eu (Johan Bos)
Date: Fri, 18 Dec 2015 15:00:42 +0100
Subject: [keycloak-user] Keycloak and HDFS?
Message-ID: <5674118A.2080908@c6.eu>

Hi,

I need to secure access to HDFS (it comes with a REST API with full access in a standalone web server). The Hadoop documentation mainly provides security hints through Kerberos (the kinit utility) using a Kerberos Ticket-Granting Ticket. Once the init is done, it maps a Kerberos principal to an HDFS username.

Can Keycloak take charge of this authentication part? Is there an example I can try? Still, I did not make my way to understanding the current flow for this.
Let's say that I have App1, a J2EE app secured with Keycloak; as well as authenticating the user for this client, I would like at the same time to authenticate him to HDFS (as a Keycloak client in the same realm, or something else). What would be a good start through the examples for this? Does anyone have a possible proposal, or has already done such a thing? It is probably trivial.

--
Regards,
Johan Bos

From c.gagnaire at kreactive.com Fri Dec 18 09:01:12 2015
From: c.gagnaire at kreactive.com (charles-edouard gagnaire)
Date: Fri, 18 Dec 2015 15:01:12 +0100
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping

Hi,

I'm having trouble configuring a Keycloak cluster running on AWS EC2.
The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
I configured Infinispan to work with the S3_PING plugin (the relevant part of my configuration is below).

When I run both servers, the connection with the database is OK, but the Infinispan logs look like this:

On Server 1:
...
11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
...
11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
...

On Server 2:
...
11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
...
11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
...

In my S3 bucket, I have 2 files created:
402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list

And the content of the files is like this:

File 1:
ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T

File 2:
ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T

When I read the logs, it looks like the Infinispan caches can't contact each other.
I double-checked my network config, and I tried connecting from one server to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works fine.

Is there a way to check the Infinispan status of the servers?
Do you guys have any clue on how to make this work?

Thank you,
Charles-Edouard

My config looks like this:

- standalone-ha.xml
...
org.postgresql.Driver
org.postgresql.xa.PGXADataSource
jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
postgresql
5
5
100
true
****
****
...
****
****
****
...

- keycloak-server.json
{
    "providers": [
        "classpath:${jboss.server.config.dir}/providers/*"
    ],

    "admin": {
        "realm": "master"
    },

    "eventsStore": {
        "provider": "jpa",
        "jpa": {
            "exclude-events": [ "REFRESH_TOKEN" ]
        }
    },

    "realm": {
        "provider": "jpa"
    },

    "user": {
        "provider": "jpa"
    },

    "userSessionPersister": {
        "provider": "jpa"
    },

    "timer": {
        "provider": "basic"
    },

    "theme": {
        "default": "keycloak",
        "staticMaxAge": 2592000,
        "cacheTemplates": true,
        "cacheThemes": true,
        "folder": {
            "dir": "${jboss.server.config.dir}/themes"
        }
    },

    "scheduled": {
        "interval": 900
    },

    "connectionsHttpClient": {
        "default": {
            "disable-trust-manager": true
        }
    },

    "connectionsJpa": {
        "default": {
            "dataSource": "java:jboss/datasources/PgDskeycloak",
            "databaseSchema": "update"
        }
    },

    "connectionsInfinispan": {
        "default" : {
            "cacheContainer" : "java:jboss/infinispan/Keycloak"
        }
    }
}

CHARLES-EDOUARD GAGNAIRE
SysAdmin
c.gagnaire at kreactive.com
p. 06.27.80.28.53
LYON "Le Capitole", 97, cours Gambetta, 69481 Lyon Cedex 03
PARIS, 16, rue de Turbigo, 75002 Paris

From mstrukel at redhat.com Fri Dec 18 09:28:17 2015
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 18 Dec 2015 15:28:17 +0100
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping

Some people have been successful with S3_PING on EC2:
http://lists.jboss.org/pipermail/keycloak-user/2015-December/004083.html

On Fri, Dec 18, 2015 at 3:01 PM, charles-edouard gagnaire <c.gagnaire at kreactive.com> wrote:
> Hi,
>
> I'm having trouble configuring a Keycloak cluster running on AWS EC2.
> The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
From sthorger at redhat.com Fri Dec 18 09:39:57 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 18 Dec 2015 15:39:57 +0100
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping

There's just been a lengthy discussion about this. Take a look at the thread with subject "Replace use of Infinispan with User Sessions SPI" (http://lists.jboss.org/pipermail/keycloak-user/2015-December/004044.html).

On 18 December 2015 at 15:01, charles-edouard gagnaire <c.gagnaire at kreactive.com> wrote:
> Hi,
>
> I'm having trouble configuring a Keycloak cluster running on AWS EC2.
> The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
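For the symptoms Charles-Edouard describes above (both nodes write their entry to the S3 bucket, yet each logs a one-member view), here is an added diagnostic script. It is written for this thread and is not Keycloak, Infinispan or JGroups code: it cross-checks the S3_PING ``.list`` entries against the ISPN000094 view lines, and separately flags the ``disable-trust-manager`` setting that appears in the posted keycloak-server.json. The list-file layout (``name uuid ip:port coordinator-flag``) and the log-line shape are taken from the post; the sample data below are constructed copies of it.

```python
"""Cross-check JGroups S3_PING discovery data against the Infinispan view.

Added example for this thread, not project code. Inputs are things a reader
already has in hand: the S3_PING ``.list`` file contents, the ISPN000094
"Received new cluster view" log lines, and keycloak-server.json.
"""
import json
import re

# Constructed sample: the two S3_PING list files from the post, keyed by object name.
S3_PING_FILES = {
    "402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list":
        "ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T\n",
    "a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list":
        "ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T\n",
}

# Constructed sample: the view line each server logged at startup.
VIEW_LOG_LINES = [
    "11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for "
    "channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]",
    "11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for "
    "channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]",
]

# Constructed sample: the part of the posted keycloak-server.json that matters here.
KEYCLOAK_SERVER_JSON = """{
  "connectionsHttpClient": { "default": { "disable-trust-manager": true } },
  "connectionsInfinispan": { "default": { "cacheContainer": "java:jboss/infinispan/Keycloak" } }
}"""

# [coordinator|view-id] (size) [member, member, ...]
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)


def parse_s3_ping_entries(files):
    """Return {logical_name: (uuid, address, is_coordinator)} across all list files."""
    entries = {}
    for content in files.values():
        for line in content.splitlines():
            parts = line.split()
            if len(parts) != 4:
                continue  # blank or malformed line
            name, uuid, address, coord = parts
            entries[name] = (uuid, address, coord == "T")
    return entries


def parse_cluster_views(lines):
    """Return {coordinator: (view_id, {member, ...})} from ISPN000094 log lines."""
    views = {}
    for line in lines:
        m = VIEW_RE.search(line)
        if m is None:
            continue
        members = {x.strip() for x in m.group("members").split(",") if x.strip()}
        views[m.group("coord")] = (int(m.group("view_id")), members)
    return views


def diagnose(files, lines):
    """Compare what discovery found (S3) with what each node's view contains.

    In a healthy cluster every node reports one view listing all discovered
    members, and exactly one S3 entry carries the coordinator flag. Each node
    seeing only itself while both appear in the bucket means each registered
    itself but neither merged the other into its view.
    """
    discovered = parse_s3_ping_entries(files)
    views = parse_cluster_views(lines)
    missing = {coord: sorted(set(discovered) - members) for coord, (_, members) in views.items()}
    coordinators = sorted(n for n, (_, _, is_coord) in discovered.items() if is_coord)
    return {
        "discovered": sorted(discovered),
        "missing_by_node": missing,
        "coordinators": coordinators,
        "partitioned": len(coordinators) > 1 or any(missing.values()),
    }


def insecure_http_client_settings(config_text):
    """Flag disable-trust-manager=true: it turns off TLS certificate validation
    for Keycloak's outbound HTTP client (identity brokering, token fetches)."""
    cfg = json.loads(config_text)
    return [
        f"connectionsHttpClient.{name}.disable-trust-manager=true"
        for name, section in cfg.get("connectionsHttpClient", {}).items()
        if section.get("disable-trust-manager") is True
    ]


if __name__ == "__main__":
    print(json.dumps(diagnose(S3_PING_FILES, VIEW_LOG_LINES), indent=2))
    for finding in insecure_http_client_settings(KEYCLOAK_SERVER_JSON):
        print("config finding:", finding)
```

To run it against a real cluster, replace the constructed dictionaries with the objects downloaded from the bucket and the ISPN000094 lines grepped from each server.log. Two list entries both flagged T is itself a symptom: each node has become coordinator of its own one-member cluster instead of joining the other, which matches the two one-member views in the logs even though nc reaches port 7600. The trust-manager check is independent of the clustering problem; it is there because a config pasted for a networking question often carries that setting into production unnoticed.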
From afield at redhat.com Fri Dec 18 09:53:41 2015
From: afield at redhat.com (Alan Field)
Date: Fri, 18 Dec 2015 09:53:41 -0500 (EST)
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To:
References:
Message-ID: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com>

Hey Charles,

Can you send the full logs and tell me which version of JGroups you are using?

Thanks,
Alan

----- Original Message -----
> From: "charles-edouard gagnaire"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, December 18, 2015 9:01:12 AM
> Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>
> Hi,
> I'm having trouble configuring a Keycloak cluster running on AWS' EC2.
> The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
> I configured Infinispan to work with the S3_ping plugin (the relevant part of my configuration is below).
> When I run both servers, the connection with the database is OK, but the Infinispan logs look like this:
> On Server 1:
> ...
> 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> ...
> 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> ...
> On Server 2:
> ...
> 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> ...
> 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> ...
> In my S3 bucket, I have 2 files created:
> 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
> a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
> And the content of the files is like this:
> File 1:
> ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
> File 2:
> ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
> When I read the logs, it looks like the Infinispan caches can't contact each other.
> I double-checked my network config, and I tried connecting from one server to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works fine.
> Is there a way to check the Infinispan status of the servers?
> Do you guys have any clue on how to make this work?
> Thank you,
> Charles-Edouard
> My config looks like this:
> - Standalone-ha.xml
> ...
> org.postgresql.Driver
> org.postgresql.xa.PGXADataSource
> pool-name="PgDskeycloak" enabled="true" use-java-context="true">
> jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
> postgresql
> 5
> 5
> 100
> true
> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker">
> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter">
> ****
> ****
> ...
> ...
> ****
> ****
> ****
> ...
> ...
> - keycloak-server.json
> {
>   "providers": [
>     "classpath:${jboss.server.config.dir}/providers/*"
>   ],
>   "admin": {
>     "realm": "master"
>   },
>   "eventsStore": {
>     "provider": "jpa",
>     "jpa": {
>       "exclude-events": [ "REFRESH_TOKEN" ]
>     }
>   },
>   "realm": {
>     "provider": "jpa"
>   },
>   "user": {
>     "provider": "jpa"
>   },
>   "userSessionPersister": {
>     "provider": "jpa"
>   },
>   "timer": {
>     "provider": "basic"
>   },
>   "theme": {
>     "default": "keycloak",
>     "staticMaxAge": 2592000,
>     "cacheTemplates": true,
>     "cacheThemes": true,
>     "folder": {
>       "dir": "${jboss.server.config.dir}/themes"
>     }
>   },
>   "scheduled": {
>     "interval": 900
>   },
>   "connectionsHttpClient": {
>     "default": {
>       "disable-trust-manager": true
>     }
>   },
>   "connectionsJpa": {
>     "default": {
>       "dataSource": "java:jboss/datasources/PgDskeycloak",
>       "databaseSchema": "update"
>     }
>   },
>   "connectionsInfinispan": {
>     "default" : {
>       "cacheContainer" : "java:jboss/infinispan/Keycloak"
>     }
>   }
> }
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole"
> 97, cours Gambetta
> 69481 Lyon Cedex 03
> PARIS
> 16, rue de Turbigo
> 75002 Paris
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
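The question quoted in Alan's message, whether there is a way to check the cluster state from outside, can be answered with the data Charles already has: the S3_PING `.list` entries and a TCP connect. The script below is an added example, not code from the thread, from Keycloak or from JGroups. It parses `.list` bodies in the layout the two quoted lines show (logical name, UUID, host:port, coordinator flag; that layout is assumed from those lines), performs the same connect check as `nc -vvv`, and reports what the bucket contents imply. Both quoted entries carry the flag `T`, which agrees with the logs: each node's view lists only itself. The two sample entries are copied from the post; the function names, the stale-entry heuristic and the local-directory helper are the example's own.

```python
import socket
from dataclasses import dataclass
from pathlib import Path

# Constructed sample: the two S3_PING .list files quoted in the thread (file names and
# contents copied from it).  Each node writes one such file when it joins.
SAMPLE_LIST_FILES = {
    "402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list":
        "ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T\n",
    "a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list":
        "ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T\n",
}


@dataclass(frozen=True)
class Member:
    logical_name: str
    uuid: str
    host: str
    port: int
    coordinator: bool


def parse_list_file(text):
    """Parse one .list body.  Layout assumed from the quoted lines:
    <logical_name> <uuid> <host>:<port> <T|F>   (T = this node is a coordinator)."""
    members = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 4 or parts[3] not in ("T", "F"):
            raise ValueError(f"line {lineno}: unexpected entry {raw!r}")
        name, uuid, addr, coord = parts
        host, _, port = addr.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"line {lineno}: bad physical address {addr!r}")
        members.append(Member(name, uuid, host, int(port), coord == "T"))
    return members


def load_members(list_files):
    """list_files: mapping of file name -> file body (the bucket contents)."""
    members = []
    for body in list_files.values():
        members.extend(parse_list_file(body))
    return members


def load_members_from_dir(directory):
    """Read *.list files from a local copy of the bucket prefix, e.g. after
    `aws s3 sync s3://<bucket>/<prefix> ./ping` (bucket and prefix are yours)."""
    files = {p.name: p.read_text() for p in Path(directory).glob("*.list")}
    return load_members(files)


def diagnose(members):
    """What the discovery bucket says about group membership."""
    coordinators = sorted(m.logical_name for m in members if m.coordinator)
    findings = []
    if len(coordinators) > 1:
        findings.append("more than one coordinator advertised (%s): the nodes are in "
                        "separate groups, not one cluster" % ", ".join(coordinators))
    if members and not coordinators:
        findings.append("no coordinator advertised")
    seen = {}
    for m in members:
        if m.logical_name in seen and seen[m.logical_name] != m.uuid:
            findings.append(f"{m.logical_name} listed twice with different UUIDs "
                            "(stale entry from an earlier run?)")
        seen.setdefault(m.logical_name, m.uuid)
    return {"members": len(members), "coordinators": coordinators, "findings": findings}


def tcp_reachable(host, port, timeout=2.0):
    """The same check as `nc -vvv host port`: does a TCP connect succeed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachability(members, timeout=2.0):
    """Map each advertised logical name to whether its host:port accepts connections."""
    return {m.logical_name: tcp_reachable(m.host, m.port, timeout) for m in members}


if __name__ == "__main__":
    members = load_members(SAMPLE_LIST_FILES)
    for m in members:
        print(f"{m.logical_name:16} {m.host}:{m.port}  coordinator={m.coordinator}")
    for finding in diagnose(members)["findings"]:
        print("FINDING:", finding)
    # reachability(members) performs real connects; run it from inside the VPC.
```

A reachable port on every member together with more than one coordinator points away from the network path that `nc` already confirmed and toward discovery and view formation, which is the part the full logs Alan asked for would show.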
From c.gagnaire at kreactive.com Fri Dec 18 10:04:53 2015
From: c.gagnaire at kreactive.com (charles-edouard gagnaire)
Date: Fri, 18 Dec 2015 16:04:53 +0100
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com>
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com>
Message-ID:

First I want to thank you guys for the quick answers; I was still reading the "Replace use of Infinispan with User Sessions SPI ?" discussion.
Yes, of course I can send all the logs. You'll find them below.
The JGroups version is the one shipping with Keycloak 1.7, but the problem was the same with Keycloak 1.6.
Looking at the config file, it looks like I'm using:

I didn't mention it, but I use the archive I found on the Keycloak website. The archive is "keycloak-1.7.0.Final.tar.gz". I just untarred it and modified the config files, then I launched it using:
/opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml

Thank you again for your help.

The logs for server 1 are:
=========================================================================
  JBoss Bootstrap Environment
  JBOSS_HOME: /opt/keycloak-1.7.0.Final
  JAVA: /usr/lib/jvm/jre/bin/java
  JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
=========================================================================
OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
14:38:44,910 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
14:38:45,091 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
14:38:45,163 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
14:38:46,358 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 24) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:46,360 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:46,370 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:46,572 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
14:38:46,589 INFO [org.xnio] (MSC service thread 1-4) XNIO version 3.3.1.Final
14:38:46,607 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO Implementation Version 3.3.1.Final
14:38:46,655 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 4.0.9.Final
14:38:46,687 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
14:38:46,685 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
14:38:46,715 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
14:38:46,724 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
14:38:46,744 INFO [org.jboss.as.connector] (MSC service thread 1-4) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
14:38:46,746 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = postgresql
14:38:46,767 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
14:38:46,769 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2
14:38:46,781 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
14:38:46,772 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
14:38:46,914 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
14:38:46,916 INFO [org.jboss.as.security] (MSC service thread 1-1) WFLYSEC0001: Current PicketBox version=4.9.2.Final
14:38:46,932 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
14:38:46,957 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
14:38:46,985 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
14:38:46,992 INFO [org.jboss.as.mail.extension] (MSC service thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
14:38:47,115 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting
14:38:47,119 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
14:38:47,206 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content
14:38:47,229 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0012: Started server default-server.
14:38:47,263 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
14:38:47,320 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.7.103:8009
14:38:47,324 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on /10.1.7.103:8080
14:38:47,339 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
14:38:47,372 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
14:38:47,478 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
14:38:47,530 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
14:38:47,673 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
14:38:47,820 INFO [org.jboss.ws.common.management] (MSC service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
14:38:48,898 INFO [stdout] (MSC service thread 1-2)
14:38:48,898 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
14:38:48,898 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
14:38:48,899 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
14:38:49,250 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
14:38:49,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
14:38:49,273 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-7-103, physical addresses are [10.1.7.103:7600]
14:38:49,277 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
14:38:49,521 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
14:38:49,529 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak container
14:38:49,530 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak container
14:38:49,536 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
14:38:50,116 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 66) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
14:38:50,638 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 66) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
14:38:50,690 INFO [org.hibernate.Version] (ServerService Thread Pool -- 66) HHH000412: Hibernate Core {4.3.10.Final}
14:38:50,691 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000206: hibernate.properties not found
14:38:50,693 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000021: Bytecode provider name : javassist
14:38:50,842 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 66) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
14:38:51,794 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 66) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
14:38:51,803 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 66) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
14:38:52,120 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 66) HHH000397: Using ASTQueryTranslatorFactory
14:38:52,156 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 66) HV000001: Hibernate Validator 5.1.3.Final
14:38:53,706 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started offlineSessions cache from keycloak container
14:38:53,748 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,752 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
14:38:53,824 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 66) WFLYUT0021: Registered web context: /auth
14:38:53,920 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.7.103:9990/management
14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.7.103:9990
14:38:54,022 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 9388ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)

The logs for server 2 are:
=========================================================================
  JBoss Bootstrap Environment
  JBOSS_HOME: /opt/keycloak-1.7.0.Final
  JAVA: /usr/lib/jvm/jre/bin/java
  JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
=========================================================================
14:38:48,239 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
14:38:48,723 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
14:38:48,896 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
14:38:50,979 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 8) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:50,983 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:50,986 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:51,010 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:51,044 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
14:38:51,452 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
14:38:51,499 INFO [org.xnio] (MSC service thread 1-1) XNIO version 3.3.1.Final
14:38:51,520 INFO [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.3.1.Final
14:38:51,590 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
14:38:51,603 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available processors
14:38:51,601 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
14:38:51,634 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
14:38:51,694 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
14:38:51,666 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
14:38:51,696 INFO [org.jboss.as.connector] (MSC service thread 1-2) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
14:38:51,932 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
14:38:51,970 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 4.0.9.Final
14:38:51,975 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
14:38:51,972 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
14:38:51,971 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
14:38:52,140 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
14:38:52,187 INFO [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=4.9.2.Final
14:38:52,224 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = postgresql
14:38:52,225 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2
14:38:52,368 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting
14:38:52,369 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
14:38:52,471 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
14:38:52,710 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content
14:38:52,864 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0012: Started server default-server.
14:38:53,133 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on /10.1.1.245:8080
14:38:53,166 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting
14:38:53,192 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.1.245:8009
14:38:53,211 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
14:38:53,307 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
14:38:53,779 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
14:38:53,896 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
14:38:53,903 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
14:38:53,909 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
14:38:54,118 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
14:38:54,306 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
14:38:56,138 INFO [stdout] (MSC service thread 1-2)
14:38:56,138 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
14:38:56,139 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
14:38:56,139 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
14:38:56,606 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
14:38:56,623 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
14:38:56,644 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-1-245, physical addresses are [10.1.1.245:7600]
14:38:56,651 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
14:38:57,044 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
14:38:57,050 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started sessions cache from keycloak container
14:38:57,055 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
14:38:57,059 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started loginFailures cache from keycloak container
14:38:58,007 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 64) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
14:38:58,755 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 64) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
14:38:58,812 INFO [org.hibernate.Version] (ServerService Thread Pool -- 64) HHH000412: Hibernate Core {4.3.10.Final}
14:38:58,819 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000206: hibernate.properties not found
14:38:58,824 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000021: Bytecode provider name : javassist
14:38:59,268 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 64) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
14:39:00,264 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 64) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
14:39:00,272 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 64) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
14:39:00,602 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 64) HHH000397: Using ASTQueryTranslatorFactory
14:39:00,634 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 64) HV000001: Hibernate Validator 5.1.3.Final
14:39:04,607 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
14:39:04,665 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
14:39:04,757 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0021: Registered web context: /auth
14:39:04,844 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
14:39:05,526 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.1.245:9990/management
14:39:05,527 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.1.245:9990
14:39:05,531 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 17727ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)

CHARLES-EDOUARD GAGNAIRE
SysAdmin
c.gagnaire at kreactive.com
p. 06.27.80.28.53
LYON "Le Capitole"
97, cours Gambetta
69481 Lyon Cedex 03
PARIS
16, rue de Turbigo
75002 Paris

2015-12-18 15:53 GMT+01:00 Alan Field :
> Hey Charles,
>
> Can you send the full logs and tell me which version of JGroups you are using?
>
> Thanks,
> Alan
>
> ------------------------------
>
> From: "charles-edouard gagnaire"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, December 18, 2015 9:01:12 AM
> Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>
> Hi,
>
> I'm having trouble configuring a Keycloak cluster running on AWS' EC2.
> The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
> I configured Infinispan to work with the S3_ping plugin (the relevant part of my configuration is below).
>
> When I run both servers, the connection with the database is OK, but the Infinispan logs look like this:
> On Server 1:
> ...
> 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> ...
> 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> ...
>
> On Server 2:
> ...
> 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> ...
> 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> ...
>
> In my S3 bucket, I have 2 files created :
> 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
> a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
>
> And the content of the files is like this :
> File 1 :
> ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
>
> File 2 :
> ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
>
> When I read the logs, it looks like the infinispan caches can't contact each other.
> I double checked my network config, and I tried connecting from one server to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works fine.
>
> Is there a way to check the infinispan status of the servers?
> Do you guys have any clue on how to make this work?
>
> Thank you,
> Charles-Edouard
>
> My config looks like this :
>
> - Standalone-ha.xml
> ...
> org.postgresql.Driver
> org.postgresql.xa.PGXADataSource
> jndi-name="java:jboss/datasources/PgDskeycloak" pool-name="PgDskeycloak" enabled="true" use-java-context="true">
> jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
> postgresql
> 5
> 5
> 100
> true
> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker">
> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter">
> ****
> ****
> ...
> socket-binding="jgroups-udp-fd"/>
> ****
> ****
> ****
> socket-binding="jgroups-tcp-fd"/>
> ...
>
> - keycloak-server.json
> {
>     "providers": [
>         "classpath:${jboss.server.config.dir}/providers/*"
>     ],
>
>     "admin": {
>         "realm": "master"
>     },
>
>     "eventsStore": {
>         "provider": "jpa",
>         "jpa": {
>             "exclude-events": [ "REFRESH_TOKEN" ]
>         }
>     },
>
>     "realm": {
>         "provider": "jpa"
>     },
>
>     "user": {
>         "provider": "jpa"
>     },
>
>     "userSessionPersister": {
>         "provider": "jpa"
>     },
>
>     "timer": {
>         "provider": "basic"
>     },
>
>     "theme": {
>         "default": "keycloak",
>         "staticMaxAge": 2592000,
>         "cacheTemplates": true,
>         "cacheThemes": true,
>         "folder": {
>             "dir": "${jboss.server.config.dir}/themes"
>         }
>     },
>
>     "scheduled": {
>         "interval": 900
>     },
>
>     "connectionsHttpClient": {
>         "default": {
>             "disable-trust-manager": true
>         }
>     },
>
>     "connectionsJpa": {
>         "default": {
>             "dataSource": "java:jboss/datasources/PgDskeycloak",
>             "databaseSchema": "update"
>         }
>     },
>
>     "connectionsInfinispan": {
>         "default" : {
>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>         }
>     }
> }
>
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole"
> 97, cours Gambetta
> 69481 Lyon Cedex 03
>
> PARIS
> 16, rue de Turbigo
> 75002 Paris
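Charles asks above whether there is a way to check the cluster status. As an added example that is not part of this thread and not code from Keycloak, JGroups or Infinispan, here is a Python check that parses the S3_PING .list files and the ISPN000094 cluster-view log lines quoted above (still mail-wrapped and '>'-quoted, as they appear in the archive) and flags the symptom Alan describes, each node forming a cluster of one. The .list column layout and the sample inputs are taken from the files and logs quoted in the thread; treating every node that wrote a .list file as an expected view member is an assumption.

```python
"""Added example (not code from this thread, Keycloak, JGroups or Infinispan):
cross-check the S3_PING .list files against the ISPN000094 cluster-view lines
quoted above. Line layouts are read off the quoted files and logs; the sample
inputs are constructed from them."""
import re
from collections import namedtuple

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} ")  # every log record starts this way
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<size>\d+)\) "
    r"\[(?P<members>[^\]]*)\]")

PingEntry = namedtuple("PingEntry", "logical_name uuid address coordinator")
ClusterView = namedtuple("ClusterView", "channel coordinator view_id size members")

# Constructed from the two bucket files quoted above: name uuid ip:port coord-flag.
S3_FILES = {
    "402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list":
        "ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T\n",
    "a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list":
        "ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T\n",
}
# Constructed from the quoted, mail-wrapped excerpts of both servers' logs.
SERVER1_LOG = """\
> 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS:
> address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> 11:00:18,057 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for
> channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
"""
SERVER2_LOG = """\
> 11:03:41,783 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for
> channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
"""

def unwrap_quoted_log(text):
    """Strip '>' quote markers and re-join records the mail client wrapped:
    a record starts with a timestamp, any other line continues the previous one."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^[> ]+", "", raw).strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_s3_ping_files(files):
    """files: {filename: content}; one PingEntry per line of each .list file."""
    entries = []
    for name, content in files.items():
        for line in content.splitlines():
            parts = line.split()
            if len(parts) != 4:
                raise ValueError(f"{name}: unexpected S3_PING line {line!r}")
            logical, uuid, addr, flag = parts
            entries.append(PingEntry(logical, uuid, addr, flag == "T"))
    return entries

def parse_cluster_views(log_text):
    """Every ISPN000094 announcement in a (possibly quoted and wrapped) log."""
    views = []
    for rec in unwrap_quoted_log(log_text):
        m = VIEW_RE.search(rec)
        if m:
            members = [x.strip() for x in m["members"].split(",") if x.strip()]
            views.append(ClusterView(m["channel"], m["coord"], int(m["view_id"]),
                                     int(m["size"]), members))
    return views

def diagnose(entries, views, channel="keycloak"):
    """Compare who registered in the bucket with who each announced view contains.
    Assumption: every node that wrote a .list file belongs in the view."""
    registered = {e.logical_name for e in entries}
    coordinators = {e.logical_name for e in entries if e.coordinator}
    latest = {}  # most recent view announced per coordinator
    for v in views:
        if v.channel == channel:
            latest[v.coordinator] = v
    findings = []
    for node, v in latest.items():
        missing = sorted(registered - set(v.members))
        if missing:
            findings.append(f"{node} announces a view of {v.size} without {missing}")
    if len(coordinators) > 1 and latest and all(v.size == 1 for v in latest.values()):
        findings.append(f"{len(coordinators)} nodes each flag themselves coordinator: "
                        "discovery found nobody and every node formed its own cluster")
    return {"registered": sorted(registered), "findings": findings,
            "healthy": not findings}
```

Running `diagnose(parse_s3_ping_files(S3_FILES), parse_cluster_views(SERVER1_LOG + SERVER2_LOG))` on the thread's data yields three findings and `healthy: False`; a view announcing both members would yield none.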
From afield at redhat.com Fri Dec 18 10:21:54 2015
From: afield at redhat.com (Alan Field)
Date: Fri, 18 Dec 2015 10:21:54 -0500 (EST)
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To:
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com>
Message-ID: <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com>

Hey Charles,

Thanks for the logs. I'm not sure what is wrong, but it looks like each server is creating a cluster of 1. I'll try it with my AWS account to see if I can figure out what is wrong.

Alan

----- Original Message -----
> From: "charles-edouard gagnaire"
> To: "Alan Field"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, December 18, 2015 10:04:53 AM
> Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>
> First I want to thank you guys for the quick answers, I was still reading the "Replace use of Infinispan with User Sessions SPI ?" discussion.
> Yes of course I can send all the logs. You'll find them below.
> The JGroups version is the one shipping with keycloak 1.7, but the problem was the same with Keycloak 1.6.
> Looking at the config file, it looks like I'm using : xmlns="urn:jboss:domain:jgroups:3.0">
> I didn't mention it but I use the archive I found on the Keycloak website. The archive is "keycloak-1.7.0.Final.tar.gz".
> I just untar it and modify the config files, then I launched it using :
> /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml
> Thank you again for your help
>
> The logs for server 1 are :
> =========================================================================
> JBoss Bootstrap Environment
> JBOSS_HOME: /opt/keycloak-1.7.0.Final
> JAVA: /usr/lib/jvm/jre/bin/java
> JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> =========================================================================
> OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
> 14:38:44,910 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
> 14:38:45,091 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 14:38:45,163 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> 14:38:46,358 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 24) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,360 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,370 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,572 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> 14:38:46,589 INFO [org.xnio] (MSC service thread 1-4) XNIO version 3.3.1.Final
> 14:38:46,607 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO Implementation Version 3.3.1.Final
> 14:38:46,655 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 4.0.9.Final
> 14:38:46,687 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
> 14:38:46,685 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
> 14:38:46,715 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
> 14:38:46,724 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
> 14:38:46,744 INFO [org.jboss.as.connector] (MSC service thread 1-4) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
> 14:38:46,746 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = postgresql
> 14:38:46,767 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
> 14:38:46,769 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2
> 14:38:46,781 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
> 14:38:46,772 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
> 14:38:46,914 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
> 14:38:46,916 INFO [org.jboss.as.security] (MSC service thread 1-1) WFLYSEC0001: Current PicketBox version=4.9.2.Final
> 14:38:46,932 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
> 14:38:46,957 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
> 14:38:46,985 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
> 14:38:46,992 INFO [org.jboss.as.mail.extension] (MSC service thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> 14:38:47,115 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting
> 14:38:47,119 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
> 14:38:47,206 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content
> 14:38:47,229 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0012: Started server default-server.
> 14:38:47,263 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
> 14:38:47,320 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.7.103:8009
> 14:38:47,324 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on /10.1.7.103:8080
> 14:38:47,339 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
> 14:38:47,372 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
> 14:38:47,478 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
> 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> 14:38:47,530 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
> 14:38:47,673 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> 14:38:47,820 INFO [org.jboss.ws.common.management] (MSC service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> 14:38:48,898 INFO [stdout] (MSC service thread 1-2)
> 14:38:48,898 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> 14:38:48,898 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> 14:38:48,899 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> 14:38:49,250 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
> 14:38:49,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> 14:38:49,273 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-7-103, physical addresses are [10.1.7.103:7600]
> 14:38:49,277 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
> 14:38:49,521 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
> 14:38:49,529 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak container
> 14:38:49,530 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak container
> 14:38:49,536 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
> 14:38:50,116 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 66) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
> 14:38:50,638 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 66) HHH000204: Processing PersistenceUnitInfo [
> name: keycloak-default
> ...]
> 14:38:50,690 INFO [org.hibernate.Version] (ServerService Thread Pool -- 66) HHH000412: Hibernate Core {4.3.10.Final}
> 14:38:50,691 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000206: hibernate.properties not found
> 14:38:50,693 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000021: Bytecode provider name : javassist
> 14:38:50,842 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 66) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
> 14:38:51,794 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 66) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
> 14:38:51,803 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 66) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
> 14:38:52,120 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 66) HHH000397: Using ASTQueryTranslatorFactory
> 14:38:52,156 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 66) HV000001: Hibernate Validator 5.1.3.Final
> 14:38:53,706 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> 14:38:53,748 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,752 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> 14:38:53,824 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 66) WFLYUT0021: Registered web context: /auth
> 14:38:53,920 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.7.103:9990/management
> 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.7.103:9990
> 14:38:54,022 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 9388ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)
>
> The logs for server 2 are :
> =========================================================================
> JBoss Bootstrap Environment
> JBOSS_HOME: /opt/keycloak-1.7.0.Final
> JAVA: /usr/lib/jvm/jre/bin/java
> JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> =========================================================================
> 14:38:48,239 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
> 14:38:48,723 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 14:38:48,896 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> 14:38:50,979 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 8) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:50,983 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:50,986 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:51,010 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:51,044 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:51,452 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> 14:38:51,499 INFO [org.xnio] (MSC service thread 1-1) XNIO version 3.3.1.Final
> 14:38:51,520 INFO [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.3.1.Final
> 14:38:51,590 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
> 14:38:51,603 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available processors
> 14:38:51,601 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
> 14:38:51,634 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
> 14:38:51,694 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
> 14:38:51,666 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
> 14:38:51,696 INFO [org.jboss.as.connector] (MSC service thread 1-2) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
> 14:38:51,932 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
> 14:38:51,970 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 4.0.9.Final
> 14:38:51,975 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
> 14:38:51,972 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
> 14:38:51,971 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
> 14:38:52,140 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
> 14:38:52,187 INFO [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=4.9.2.Final
> 14:38:52,224 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = postgresql
> 14:38:52,225 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2
> 14:38:52,368 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting
> 14:38:52,369 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
> 14:38:52,471 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> 14:38:52,710 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content
> 14:38:52,864 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0012: Started server default-server.
> 14:38:53,133 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on /10.1.1.245:8080
> 14:38:53,166 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting
> 14:38:53,192 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.1.245:8009
> 14:38:53,211 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
> 14:38:53,307 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
> 14:38:53,779 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
> 14:38:53,896 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> 14:38:53,903 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> 14:38:53,909 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
> 14:38:54,118 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> 14:38:54,306 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> 14:38:56,138 INFO [stdout] (MSC service thread 1-2)
> 14:38:56,138 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> 14:38:56,139 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> 14:38:56,139 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> 14:38:56,606 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
> 14:38:56,623 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> 14:38:56,644 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-1-245, physical addresses are [10.1.1.245:7600]
> 14:38:56,651 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
> 14:38:57,044 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
> 14:38:57,050 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started sessions cache from keycloak container
> 14:38:57,055 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
> 14:38:57,059 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started loginFailures cache from keycloak container
> 14:38:58,007 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 64) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
> 14:38:58,755 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 64) HHH000204: Processing PersistenceUnitInfo [
> name: keycloak-default
> ...]
> 14:38:58,812 INFO [org.hibernate.Version] (ServerService Thread Pool -- 64) HHH000412: Hibernate Core {4.3.10.Final}
> 14:38:58,819 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000206: hibernate.properties not found
> 14:38:58,824 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000021: Bytecode provider name : javassist
> 14:38:59,268 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 64) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
> 14:39:00,264 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 64) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
> 14:39:00,272 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 64) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
> 14:39:00,602 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 64) HHH000397: Using ASTQueryTranslatorFactory
> 14:39:00,634 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 64) HV000001: Hibernate Validator 5.1.3.Final
> 14:39:04,607 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> 14:39:04,665 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> 14:39:04,757 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0021: Registered web context: /auth
> 14:39:04,844 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 14:39:05,526 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.1.245:9990/management
> 14:39:05,527 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.1.245:9990
> 14:39:05,531 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 17727ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)
>
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole"
> 97, cours Gambetta
> 69481 Lyon Cedex 03
> PARIS
> 16, rue de Turbigo
> 75002 Paris
>
> 2015-12-18 15:53 GMT+01:00 Alan Field < afield at redhat.com > :
> > Hey Charles,
> >
> > Can you send the full logs and tell me which version of JGroups you are using?
> >
> > Thanks,
> >
> > Alan
> >
> > > From: "charles-edouard gagnaire" < c.gagnaire at kreactive.com >
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Friday, December 18, 2015 9:01:12 AM
> > > Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
> > >
> > > hi,
> > >
> > > I'm having trouble configuring a Keycloak cluster running on AWS' EC2.
> > >
> > > The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
> > >
> > > I configured Infinispan to work with the S3_ping plugin (the relevant part of my configuration is below).
> > >
> > > When I run both servers, the connection with the database is OK, but the infinispan logs look like this :
> > >
> > > On Server 1 :
> > >
> > > ...
> > > 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> > >
> > > ...
> > >
> > > 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> > >
> > > ...
> > >
> > > On Server 2:
> > >
> > > ...
> > >
> > > 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> > >
> > > ...
> > >
> > > 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> > >
> > > ...
> > >
> > > In my S3 bucket, I have 2 files created:
> > >
> > > 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
> > > a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
> > >
> > > And the content of the files is like this:
> > >
> > > File 1:
> > > ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
> > >
> > > File 2:
> > > ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
> > >
> > > When I read the logs, it looks like the Infinispan caches can't contact each other.
> > >
> > > I double-checked my network config, and I tried connecting from one server to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works fine.
> > >
> > > Is there a way to check the Infinispan status of the servers?
> > >
> > > Do you guys have any clue how to make this work?
> > >
> > > Thank you,
> > >
> > > Charles-Edouard
> > >
> > > My config looks like this:
> > >
> > > - Standalone-ha.xml
> > >
> > > ...
> > > org.postgresql.Driver
> > > org.postgresql.xa.PGXADataSource
> > > pool-name="PgDskeycloak" enabled="true" use-java-context="true">
> > > jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
> > > postgresql
> > > 5
> > > 5
> > > 100
> > > true
> > > class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker">
> > > class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter">
> > > ****
> > > ****
> > >
> > > ...
> > >
> > > ****
> > > ****
> > > ****
> > >
> > > ...
> > >
> > > - keycloak-server.json
> > >
> > > {
> > >   "providers": [
> > >     "classpath:${jboss.server.config.dir}/providers/*"
> > >   ],
> > >   "admin": {
> > >     "realm": "master"
> > >   },
> > >   "eventsStore": {
> > >     "provider": "jpa",
> > >     "jpa": {
> > >       "exclude-events": [ "REFRESH_TOKEN" ]
> > >     }
> > >   },
> > >   "realm": {
> > >     "provider": "jpa"
> > >   },
> > >   "user": {
> > >     "provider": "jpa"
> > >   },
> > >   "userSessionPersister": {
> > >     "provider": "jpa"
> > >   },
> > >   "timer": {
> > >     "provider": "basic"
> > >   },
> > >   "theme": {
> > >     "default": "keycloak",
> > >     "staticMaxAge": 2592000,
> > >     "cacheTemplates": true,
> > >     "cacheThemes": true,
> > >     "folder": {
> > >       "dir": "${jboss.server.config.dir}/themes"
> > >     }
> > >   },
> > >   "scheduled": {
> > >     "interval": 900
> > >   },
> > >   "connectionsHttpClient": {
> > >     "default": {
> > >       "disable-trust-manager": true
> > >     }
> > >   },
> > >   "connectionsJpa": {
> > >     "default": {
> > >       "dataSource": "java:jboss/datasources/PgDskeycloak",
> > >       "databaseSchema": "update"
> > >     }
> > >   },
> > >   "connectionsInfinispan": {
> > >     "default" : {
> > >       "cacheContainer" : "java:jboss/infinispan/Keycloak"
> > >     }
> > >   }
> > > }

From afield at redhat.com Fri Dec 18 10:55:51 2015
From: afield at redhat.com (Alan Field)
Date: Fri, 18 Dec 2015 10:55:51 -0500 (EST)
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To: <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com>
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com> <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com>
Message-ID: <1136942401.29453944.1450454151035.JavaMail.zimbra@redhat.com>

Hey Charles,

I modified the standalone-ha.xml similar to your file to add the S3_PING protocol, and I was able to get two Keycloak nodes to cluster. I did have to set the jboss.bind.address and jboss.bind.address.management. From your logs I can see that these addresses are both set in your environment as well. How are you setting these? My log is included below.

Thanks,
Alan

[ec2-user at ip-172-31-4-165 keycloak-1.7.0.Final]$ bin/standalone.sh -c standalone-ha.xml -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node0 -Djboss.bind.address=$IP -Djboss.bind.address.management=$IP
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /radargun/keycloak-1.7.0.Final

  JAVA: java

  JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

=========================================================================

Picked up _JAVA_OPTIONS: -Djgroups.s3.secret_access_key=<redacted> -Djgroups.s3.access_key=<redacted> -Djgroups.s3.bucket=jdg-jgroups
10:49:41,196 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
10:49:41,418 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
10:49:41,497 INFO [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
10:49:42,524 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 19) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:49:42,525 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:49:42,531 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 25) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:49:42,534 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 25) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:49:42,707 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
10:49:42,741 INFO [org.xnio] (MSC service thread 1-2) XNIO version 3.3.1.Final
10:49:42,750 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO Implementation Version 3.3.1.Final
10:49:42,782 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
10:49:42,782 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 16 core threads with 128 task threads based on your 8 available processors
10:49:42,784 INFO [org.jboss.remoting] (MSC service thread 1-2) JBoss Remoting version 4.0.9.Final
10:49:42,800 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
10:49:42,819 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
10:49:42,824 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
10:49:42,843 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
10:49:42,841 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
10:49:42,859 INFO [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.2.Final
10:49:42,922 INFO [org.jboss.as.connector] (MSC service thread 1-8) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
10:49:42,976 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
10:49:42,986 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
10:49:42,986 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0003: Undertow 1.2.9.Final starting
10:49:42,991 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
10:49:42,994 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2
10:49:43,118 INFO [org.jboss.as.naming] (MSC service thread 1-7) WFLYNAM0003: Starting Naming Service
10:49:43,119 INFO [org.jboss.as.mail.extension] (MSC service thread 1-6) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
10:49:43,168 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /radargun/keycloak-1.7.0.Final/welcome-content
10:49:43,181 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0012: Started server default-server.
10:49:43,213 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0018: Host default-host starting
10:49:43,294 INFO [org.wildfly.extension.undertow] (MSC service thread 1-8) WFLYUT0006: Undertow AJP listener ajp listening on /172.31.4.165:8009
10:49:43,303 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
10:49:43,307 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on /172.31.4.165:8080
10:49:43,333 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
10:49:43,480 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
10:49:43,480 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
10:49:43,739 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
10:49:43,784 INFO [org.jboss.ws.common.management] (MSC service thread 1-8) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
10:49:44,786 INFO [stdout] (MSC service thread 1-1)
10:49:44,786 INFO [stdout] (MSC service thread 1-1) -------------------------------------------------------------------
10:49:44,786 INFO [stdout] (MSC service thread 1-1) GMS: address=node0, cluster=ee, physical address=172.31.4.165:7600
10:49:44,786 INFO [stdout] (MSC service thread 1-1) -------------------------------------------------------------------
10:49:45,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 64) ISPN000078: Starting JGroups channel keycloak
10:49:45,055 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 64) ISPN000094: Received new cluster view for channel keycloak: [node0|0] (1) [node0]
10:49:45,064 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 64) ISPN000079: Channel keycloak local address is node0, physical addresses are [172.31.4.165:7600]
10:49:45,067 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 64) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
10:49:45,242 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started users cache from keycloak container
10:49:45,242 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak container
10:49:45,243 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak container
10:49:45,243 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak container
10:49:45,846 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 63) Load config from /radargun/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
10:49:46,642 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 63) HHH000204: Processing PersistenceUnitInfo [
    name: keycloak-default
    ...]
10:49:46,695 INFO [org.hibernate.Version] (ServerService Thread Pool -- 63) HHH000412: Hibernate Core {4.3.10.Final}
10:49:46,696 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 63) HHH000206: hibernate.properties not found
10:49:46,697 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 63) HHH000021: Bytecode provider name : javassist
10:49:46,856 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 63) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
10:49:46,906 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 63) HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
10:49:46,912 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread Pool -- 63) HHH000431: Unable to determine H2 database version, certain features may not work
10:49:47,191 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 63) HHH000397: Using ASTQueryTranslatorFactory
10:49:47,223 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 63) HV000001: Hibernate Validator 5.1.3.Final
10:49:49,112 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started offlineSessions cache from keycloak container
10:49:49,147 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
10:49:49,149 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,149 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,152 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 63) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
10:49:49,229 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 63) WFLYUT0021: Registered web context: /auth
10:49:49,277 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
10:49:49,572 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://172.31.4.165:9990/management
10:49:49,573 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://172.31.4.165:9990
10:49:49,573 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 8688ms - Started 344 of 593 services (339 services are lazy, passive or on-demand)
10:50:16,178 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,node0) ISPN000094: Received new cluster view for channel keycloak: [node0|1] (2) [node0, node1]
10:50:16,650 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t2) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[node0: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[node0: 30, node1: 30]}, unionCH=null, actualMembers=[node0, node1]}
10:50:16,650 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[node0: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[node0: 30, node1: 30]}, unionCH=null, actualMembers=[node0, node1]}
10:50:16,652 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: 40+0]}, unionCH=null, actualMembers=[node0, node1]}
10:50:16,652 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t3) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: 40+0]}, unionCH=null, actualMembers=[node0, node1]}
10:50:16,712 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
10:50:16,712 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 1
10:50:16,758 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 1
10:50:16,761 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 1
10:50:22,061 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: 40+0]}, unionCH=null, actualMembers=[node0, node1]}
10:50:22,085 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 1

----- Original Message -----
> From: "Alan Field"
> To: "charles-edouard gagnaire"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, December 18, 2015 10:21:54 AM
> Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>
> Hey Charles,
>
> Thanks for the logs. I'm not sure what is wrong, but it looks like each server is creating a cluster of 1. I'll try it with my AWS account to see if I can figure out what is wrong.
> Alan
>
> ----- Original Message -----
> > From: "charles-edouard gagnaire"
> > To: "Alan Field"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Friday, December 18, 2015 10:04:53 AM
> > Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
> >
> > First I want to thank you guys for the quick answers, I was still reading the "Replace use of Infinispan with User Sessions SPI ?" discussion.
> >
> > Yes of course I can send all the logs. You'll find them below.
> >
> > The JGroups version is the one shipping with Keycloak 1.7, but the problem was the same with Keycloak 1.6.
> >
> > Looking at the config file, it looks like I'm using:
> > xmlns="urn:jboss:domain:jgroups:3.0">
> >
> > I didn't mention it but I use the archive I found on the Keycloak website. The archive is "keycloak-1.7.0.Final.tar.gz".
> >
> > I just untarred and modified the config files, then I launched it using:
> > /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml
> >
> > Thank you again for your help
> >
> > The logs for server 1 are:
> >
> > =========================================================================
> >
> >   JBoss Bootstrap Environment
> >
> >   JBOSS_HOME: /opt/keycloak-1.7.0.Final
> >
> >   JAVA: /usr/lib/jvm/jre/bin/java
> >
> >   JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> >
> > =========================================================================
> >
> > OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
> > 14:38:44,910 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
> > 14:38:45,091 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> > 14:38:45,163 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> > 14:38:46,358 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 24) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:46,360 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:46,370 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:46,572 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> > 14:38:46,589 INFO [org.xnio] (MSC service thread 1-4) XNIO version 3.3.1.Final
> > 14:38:46,607 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO Implementation Version 3.3.1.Final
> > 14:38:46,655 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 4.0.9.Final
> > 14:38:46,687 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
> > 14:38:46,685 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
> > 14:38:46,715 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
> > 14:38:46,724 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
> > > 14:38:46,744 INFO [org.jboss.as.connector] (MSC service thread 1-4) > > WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > > > 14:38:46,746 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > > thread > > 1-2) WFLYJCA0018: Started Driver service with driver-name = postgresql > > > 14:38:46,767 INFO [org.jboss.as.connector.subsystems.datasources] > > (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant > > driver class org.h2.Driver (version 1.3) > > > 14:38:46,769 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > > thread > > 1-2) WFLYJCA0018: Started Driver service with driver-name = h2 > > > 14:38:46,781 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) > > WFLYJSF0007: Activated the following JSF Implementations: [main] > > > 14:38:46,772 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) > > WFLYNAM0001: Activating Naming Subsystem > > > 14:38:46,914 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) > > WFLYSEC0002: Activating Security Subsystem > > > 14:38:46,916 INFO [org.jboss.as.security] (MSC service thread 1-1) > > WFLYSEC0001: Current PicketBox version=4.9.2.Final > > > 14:38:46,932 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) > > WFLYTX0013: Node identifier property is set to the default value. Please > > make sure it is unique. 
> > 14:38:46,957 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
> > 14:38:46,985 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
> > 14:38:46,992 INFO [org.jboss.as.mail.extension] (MSC service thread 1-4) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> > 14:38:47,115 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting
> > 14:38:47,119 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
> > 14:38:47,206 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content
> > 14:38:47,229 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0012: Started server default-server.
> > 14:38:47,263 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
> > 14:38:47,320 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.7.103:8009
> > 14:38:47,324 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on /10.1.7.103:8080
> > 14:38:47,339 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
> > 14:38:47,372 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
> > 14:38:47,478 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
> > 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> > 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> > 14:38:47,530 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
> > 14:38:47,673 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> > 14:38:47,820 INFO [org.jboss.ws.common.management] (MSC service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> > 14:38:48,898 INFO [stdout] (MSC service thread 1-2)
> > 14:38:48,898 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > 14:38:48,898 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> > 14:38:48,899 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > 14:38:49,250 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
> > 14:38:49,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> > 14:38:49,273 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-7-103, physical addresses are [10.1.7.103:7600]
> > 14:38:49,277 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
> > 14:38:49,521 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
> > 14:38:49,529 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak container
> > 14:38:49,530 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak container
> > 14:38:49,536 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
> > 14:38:50,116 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 66) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
> > 14:38:50,638 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 66) HHH000204: Processing PersistenceUnitInfo [
> > name: keycloak-default
> > ...]
> > 14:38:50,690 INFO [org.hibernate.Version] (ServerService Thread Pool -- 66) HHH000412: Hibernate Core {4.3.10.Final}
> > 14:38:50,691 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000206: hibernate.properties not found
> > 14:38:50,693 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000021: Bytecode provider name : javassist
> > 14:38:50,842 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 66) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
> > 14:38:51,794 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 66) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
> > 14:38:51,803 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 66) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
> > 14:38:52,120 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 66) HHH000397: Using ASTQueryTranslatorFactory
> > 14:38:52,156 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 66) HV000001: Hibernate Validator 5.1.3.Final
> > 14:38:53,706 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> > 14:38:53,748 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,752 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:38:53,824 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 66) WFLYUT0021: Registered web context: /auth
> > 14:38:53,920 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> > 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.7.103:9990/management
> > 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.7.103:9990
> > 14:38:54,022 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 9388ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)
> >
> > The logs for server 2 are:
> >
> > =========================================================================
> >
> >   JBoss Bootstrap Environment
> >
> >   JBOSS_HOME: /opt/keycloak-1.7.0.Final
> >
> >   JAVA: /usr/lib/jvm/jre/bin/java
> >
> >   JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> >
> > =========================================================================
> >
> > 14:38:48,239 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
> > 14:38:48,723 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> > 14:38:48,896 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> > 14:38:50,979 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 8) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:50,983 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:50,986 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:51,010 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:51,044 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > 14:38:51,452 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> > 14:38:51,499 INFO [org.xnio] (MSC service thread 1-1) XNIO version 3.3.1.Final
> > 14:38:51,520 INFO [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.3.1.Final
> > 14:38:51,590 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
> > 14:38:51,603 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available processors
> > 14:38:51,601 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
> > 14:38:51,634 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
> > 14:38:51,694 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
> > 14:38:51,666 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
> > 14:38:51,696 INFO [org.jboss.as.connector] (MSC service thread 1-2) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
> > 14:38:51,932 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
> > 14:38:51,970 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 4.0.9.Final
> > 14:38:51,975 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
> > 14:38:51,972 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
> > 14:38:51,971 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
> > 14:38:52,140 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
> > 14:38:52,187 INFO [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=4.9.2.Final
> > 14:38:52,224 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = postgresql
> > 14:38:52,225 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2
> > 14:38:52,368 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting
> > 14:38:52,369 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
> > 14:38:52,471 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> > 14:38:52,710 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content
> > 14:38:52,864 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0012: Started server default-server.
> > 14:38:53,133 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on /10.1.1.245:8080
> > 14:38:53,166 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting
> > 14:38:53,192 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.1.245:8009
> > 14:38:53,211 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
> > 14:38:53,307 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
> > 14:38:53,779 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
> > 14:38:53,896 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> > 14:38:53,903 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> > 14:38:53,909 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
> > 14:38:54,118 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> > 14:38:54,306 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> > 14:38:56,138 INFO [stdout] (MSC service thread 1-2)
> > 14:38:56,138 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > 14:38:56,606 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
> > 14:38:56,623 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> > 14:38:56,644 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-1-245, physical addresses are [10.1.1.245:7600]
> > 14:38:56,651 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
> > 14:38:57,044 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
> > 14:38:57,050 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started sessions cache from keycloak container
> > 14:38:57,055 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
> > 14:38:57,059 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started loginFailures cache from keycloak container
> > 14:38:58,007 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 64) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
> > 14:38:58,755 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 64) HHH000204: Processing PersistenceUnitInfo [
> > name: keycloak-default
> > ...]
> > 14:38:58,812 INFO [org.hibernate.Version] (ServerService Thread Pool -- 64) HHH000412: Hibernate Core {4.3.10.Final}
> > 14:38:58,819 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000206: hibernate.properties not found
> > 14:38:58,824 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000021: Bytecode provider name : javassist
> > 14:38:59,268 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 64) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
> > 14:39:00,264 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 64) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
> > 14:39:00,272 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 64) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
> > 14:39:00,602 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 64) HHH000397: Using ASTQueryTranslatorFactory
> > 14:39:00,634 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 64) HV000001: Hibernate Validator 5.1.3.Final
> > 14:39:04,607 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> > 14:39:04,665 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> > 14:39:04,757 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0021: Registered web context: /auth
> > 14:39:04,844 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> > 14:39:05,526 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.1.245:9990/management
> > 14:39:05,527 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.1.245:9990
> > 14:39:05,531 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 17727ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)
> >
> > CHARLES-EDOUARD GAGNAIRE
> > SysAdmin
> > c.gagnaire at kreactive.com
> > p. 06.27.80.28.53
> > LYON "Le Capitole"
> > 97, cours Gambetta
> > 69481 Lyon Cedex 03
> > PARIS
> > 16, rue de Turbigo
> > 75002 Paris
> >
> > 2015-12-18 15:53 GMT+01:00 Alan Field <afield at redhat.com>:
> >
> > > Hey Charles,
> > >
> > > Can you send the full logs and tell me which version of JGroups you are using?
> > > Thanks,
> > > Alan
> > >
> > > > > From: "charles-edouard gagnaire" <c.gagnaire at kreactive.com>
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Friday, December 18, 2015 9:01:12 AM
> > > > > Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
> > > > >
> > > > > hi,
> > > > >
> > > > > I'm having trouble configuring a Keycloak cluster running on AWS' EC2.
> > > > >
> > > > > The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
> > > > >
> > > > > I configured Infinispan to work with the S3_ping plugin (the relevant part of my configuration is below).
> > > > >
> > > > > When I run both servers, the connection with the database is OK, but the Infinispan logs look like this:
> > > > >
> > > > > On Server 1:
> > > > >
> > > > > ...
> > > > > 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> > > > > ...
> > > > > 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> > > > > ...
> > > > >
> > > > > On Server 2:
> > > > >
> > > > > ...
> > > > > 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> > > > > ...
> > > > > 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> > > > > ...
> > > > >
> > > > > In my S3 bucket, I have 2 files created:
> > > > >
> > > > > 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
> > > > > a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
> > > > >
> > > > > And the content of the files is like this:
> > > > >
> > > > > File 1:
> > > > > ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
> > > > >
> > > > > File 2:
> > > > > ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
> > > > >
> > > > > When I read the logs, it looks like the Infinispan caches can't contact each other.
> > > > >
> > > > > I double-checked my network config, and I tried connecting from one server to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works fine.
> > > > >
> > > > > Is there a way to check the Infinispan status of the servers?
> > > > >
> > > > > Do you guys have any clue on how to make this work?
> > > > >
> > > > > Thank you,
> > > > >
> > > > > Charles-Edouard
> > > > >
> > > > > My config looks like this:
> > > > >
> > > > > - Standalone-ha.xml
> > > > >
> > > > > ...
> > > > > [The XML element tags were stripped from this archived message; only the following attribute and text fragments of the datasources section remain, in their original order:]
> > > > > org.postgresql.Driver
> > > > > org.postgresql.xa.PGXADataSource
> > > > > pool-name="PgDskeycloak" enabled="true" use-java-context="true"
> > > > > jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
> > > > > postgresql
> > > > > 5
> > > > > 5
> > > > > 100
> > > > > true
> > > > > class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker"
> > > > > class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter"
> > > > > ****
> > > > > ****
> > > > >
> > > > > ...
> > > > >
> > > > > [A further section of the file survives only as three masked values:]
> > > > > ****
> > > > > ****
> > > > > ****
> > > > >
> > > > > ...
> - keycloak-server.json
>
> {
>     "providers": [
>         "classpath:${jboss.server.config.dir}/providers/*"
>     ],
>     "admin": {
>         "realm": "master"
>     },
>     "eventsStore": {
>         "provider": "jpa",
>         "jpa": {
>             "exclude-events": [ "REFRESH_TOKEN" ]
>         }
>     },
>     "realm": {
>         "provider": "jpa"
>     },
>     "user": {
>         "provider": "jpa"
>     },
>     "userSessionPersister": {
>         "provider": "jpa"
>     },
>     "timer": {
>         "provider": "basic"
>     },
>     "theme": {
>         "default": "keycloak",
>         "staticMaxAge": 2592000,
>         "cacheTemplates": true,
>         "cacheThemes": true,
>         "folder": {
>             "dir": "${jboss.server.config.dir}/themes"
>         }
>     },
>     "scheduled": {
>         "interval": 900
>     },
>     "connectionsHttpClient": {
>         "default": {
>             "disable-trust-manager": true
>         }
>     },
>     "connectionsJpa": {
>         "default": {
>             "dataSource": "java:jboss/datasources/PgDskeycloak",
>             "databaseSchema": "update"
>         }
>     },
>     "connectionsInfinispan": {
>         "default" : {
>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>         }
>     }
> }
>
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole"
> 97, cours Gambetta
> 69481 Lyon Cedex 03
> PARIS
> 16, rue de Turbigo
> 75002 Paris
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151218/9b6954f1/attachment-0001.html

From c.gagnaire at kreactive.com Fri Dec 18 11:44:43 2015
From: c.gagnaire at kreactive.com (charles-edouard gagnaire)
Date: Fri, 18 Dec 2015 17:44:43 +0100
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To: <1136942401.29453944.1450454151035.JavaMail.zimbra@redhat.com>
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com> <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com> <1136942401.29453944.1450454151035.JavaMail.zimbra@redhat.com>
Message-ID:

Well, I guess I must have done something wrong.
I tried launching my servers like you do:

/opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml -Djboss.bind.address=10.1.7.103 -Djboss.bind.address.management=10.1.7.103 -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node0

and

/opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml -Djboss.bind.address=10.1.1.245 -Djboss.bind.address.management=10.1.1.245 -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node1

but I have the same problem: S3_PING creates 2 files and the nodes don't see each other.

I just tried building the cluster using TCP_PING; this works fine. When I go back to S3_PING it fails again.

Before using bind.address.management or bind.address, the IP addr was set in the standalone-ha.xml in the last section of the file (this is hardcoded for test purposes):

${jboss.bind.address:127.0.0.1}
auth

Thanks again for trying. Is it possible for you to send me your config file? I'll just make a diff to see what I've done wrong.

CHARLES-EDOUARD GAGNAIRE
SysAdmin
c.gagnaire at kreactive.com
p. 06.27.80.28.53
LYON "Le Capitole"
97, cours Gambetta
69481 Lyon Cedex 03
PARIS
16, rue de Turbigo
75002 Paris

2015-12-18 16:55 GMT+01:00 Alan Field :

> Hey Charles,
>
> I modified the standalone-ha.xml similar to your file to add the S3_PING
> protocol, and I was able to get two KeyCloak nodes to cluster. I did have
> to set the jboss.bind.address and jboss.bind.address.management. From your
> logs I can see that these addresses are both set in your environment as
> well. How are you setting these? My log is included below.
> > Thanks, > Alan > > [ec2-user at ip-172-31-4-165 keycloak-1.7.0.Final]$ bin/standalone.sh -c > standalone-ha.xml -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node0 > -Djboss.bind.address=$IP -Djboss.bind.address.management=$IP > > ========================================================================= > > JBoss Bootstrap Environment > > JBOSS_HOME: /radargun/keycloak-1.7.0.Final > > JAVA: java > > JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops > -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > ========================================================================= > > Picked up _JAVA_OPTIONS: > -Djgroups.s3.secret_access_key=ndWrqybZHIaFsEWEuMlWf5fJVffEapbu7DJgcYTd > -Djgroups.s3.access_key=AKIAIVP76RKVWTPN6S6Q -Djgroups.s3.bucket=jdg-jgroups > 10:49:41,196 INFO [org.jboss.modules] (main) JBoss Modules version > 1.4.3.Final > 10:49:41,418 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final > 10:49:41,497 INFO [org.jboss.as] (MSC service thread 1-7) WFLYSRV0049: > Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting > 10:49:42,524 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 19) WFLYCTL0028: Attribute 'default-stack' in > the resource at address '/subsystem=jgroups' is deprecated, and may be > removed in future version. See the attribute description in the output of > the read-resource-description operation to learn more about the deprecation. > 10:49:42,525 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute > 'job-repository-type' in the resource at address '/subsystem=batch' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. 
> 10:49:42,531 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 25) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=ExampleDS' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 10:49:42,534 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 25) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=KeycloakDS' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 10:49:42,707 INFO [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0039: Creating http management service using socket-binding > (management-http) > 10:49:42,741 INFO [org.xnio] (MSC service thread 1-2) XNIO version > 3.3.1.Final > 10:49:42,750 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO > Implementation Version 3.3.1.Final > 10:49:42,782 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem. > 10:49:42,782 INFO [org.wildfly.extension.io] (ServerService Thread Pool > -- 38) WFLYIO001: Worker 'default' has auto-configured to 16 core threads > with 128 task threads based on your 8 available processors > 10:49:42,784 INFO [org.jboss.remoting] (MSC service thread 1-2) JBoss > Remoting version 4.0.9.Final > 10:49:42,800 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread > Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. > 10:49:42,819 INFO [org.jboss.as.security] (ServerService Thread Pool -- > 56) WFLYSEC0002: Activating Security Subsystem > 10:49:42,824 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) > WFLYTX0013: Node identifier property is set to the default value. 
Please > make sure it is unique. > 10:49:42,843 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) > WFLYNAM0001: Activating Naming Subsystem > 10:49:42,841 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) > WFLYJSF0007: Activated the following JSF Implementations: [main] > 10:49:42,859 INFO [org.jboss.as.security] (MSC service thread 1-3) > WFLYSEC0001: Current PicketBox version=4.9.2.Final > 10:49:42,922 INFO [org.jboss.as.connector] (MSC service thread 1-8) > WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > 10:49:42,976 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- > 59) WFLYWS0002: Activating WebServices Extension > 10:49:42,986 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting > 10:49:42,986 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-5) WFLYUT0003: Undertow 1.2.9.Final starting > 10:49:42,991 INFO [org.jboss.as.connector.subsystems.datasources] > (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant > driver class org.h2.Driver (version 1.3) > 10:49:42,994 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2 > 10:49:43,118 INFO [org.jboss.as.naming] (MSC service thread 1-7) > WFLYNAM0003: Starting Naming Service > 10:49:43,119 INFO [org.jboss.as.mail.extension] (MSC service thread 1-6) > WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] > 10:49:43,168 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 58) WFLYUT0014: Creating file handler for path > /radargun/keycloak-1.7.0.Final/welcome-content > 10:49:43,181 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-7) WFLYUT0012: Started server default-server. 
> 10:49:43,213 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-7) WFLYUT0018: Host default-host starting > 10:49:43,294 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-8) WFLYUT0006: Undertow AJP listener ajp listening on /172.31.4.165:8009 > 10:49:43,303 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) > MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final > 10:49:43,307 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0006: Undertow HTTP listener default listening on / > 172.31.4.165:8080 > 10:49:43,333 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) > MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364 > 10:49:43,480 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-3) WFLYJCA0001: Bound data source > [java:jboss/datasources/ExampleDS] > 10:49:43,480 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-4) WFLYJCA0001: Bound data source > [java:jboss/datasources/KeycloakDS] > 10:49:43,739 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" > (runtime-name: "keycloak-server.war") > 10:49:43,784 INFO [org.jboss.ws.common.management] (MSC service thread > 1-8) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) > ------------------------------------------------------------------- > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) GMS: address=node0, > cluster=ee, physical address=172.31.4.165:7600 > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) > ------------------------------------------------------------------- > 10:49:45,049 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService > Thread Pool -- 64) ISPN000078: Starting JGroups channel keycloak > *10:49:45,055 INFO > 
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService > Thread Pool -- 64) ISPN000094: Received new cluster view for channel > keycloak: [node0|0] (1) [node0]* > 10:49:45,064 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService > Thread Pool -- 64) ISPN000079: Channel keycloak local address is node0, > physical addresses are [172.31.4.165:7600] > 10:49:45,067 INFO [org.infinispan.factories.GlobalComponentRegistry] > (ServerService Thread Pool -- 64) ISPN000128: Infinispan version: > Infinispan 'Insanely Bad Elf' 7.2.3.Final > 10:49:45,242 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 64) WFLYCLINF0002: Started users cache from keycloak > container > 10:49:45,242 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak > container > 10:49:45,243 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak > container > 10:49:45,243 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak > container > 10:49:45,846 INFO [org.keycloak.services.resources.KeycloakApplication] > (ServerService Thread Pool -- 63) Load config from > /radargun/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json > 10:49:46,642 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 63) HHH000204: Processing PersistenceUnitInfo > [ > name: keycloak-default > ...] 
> 10:49:46,695 INFO [org.hibernate.Version] (ServerService Thread Pool -- > 63) HHH000412: Hibernate Core {4.3.10.Final} > 10:49:46,696 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 63) HHH000206: hibernate.properties not found > 10:49:46,697 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 63) HHH000021: Bytecode provider name : javassist > 10:49:46,856 INFO [org.hibernate.annotations.common.Version] > (ServerService Thread Pool -- 63) HCANN000001: Hibernate Commons > Annotations {4.0.5.Final} > 10:49:46,906 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 63) HHH000400: Using dialect: org.hibernate.dialect.H2Dialect > 10:49:46,912 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread > Pool -- 63) HHH000431: Unable to determine H2 database version, certain > features may not work > 10:49:47,191 INFO > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService > Thread Pool -- 63) HHH000397: Using ASTQueryTranslatorFactory > 10:49:47,223 INFO [org.hibernate.validator.internal.util.Version] > (ServerService Thread Pool -- 63) HV000001: Hibernate Validator 5.1.3.Final > 10:49:49,112 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 63) WFLYCLINF0002: Started offlineSessions cache from > keycloak container > 10:49:49,147 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Deploying javax.ws.rs.core.Application: > class org.keycloak.services.resources.KeycloakApplication > 10:49:49,149 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding class resource > org.keycloak.services.resources.ThemeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 10:49:49,149 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding class resource > org.keycloak.services.resources.JsResource from Application class > 
org.keycloak.services.resources.KeycloakApplication > 10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding class resource > org.keycloak.services.resources.WelcomeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding class resource > org.keycloak.services.resources.QRCodeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding singleton resource > org.keycloak.services.resources.ServerVersionResource from Application > class org.keycloak.services.resources.KeycloakApplication > 10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding provider singleton > org.keycloak.services.util.ObjectMapperResolver from Application class > org.keycloak.services.resources.KeycloakApplication > 10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding provider singleton > org.keycloak.services.resources.ModelExceptionMapper from Application class > org.keycloak.services.resources.KeycloakApplication > 10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding singleton resource > org.keycloak.services.resources.admin.AdminRoot from Application class > org.keycloak.services.resources.KeycloakApplication > 10:49:49,152 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 63) Adding singleton resource > org.keycloak.services.resources.RealmsResource from Application class > org.keycloak.services.resources.KeycloakApplication > 10:49:49,229 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 63) WFLYUT0021: Registered web context: /auth > 10:49:49,277 INFO [org.jboss.as.server] 
(ServerService Thread Pool -- 61) > WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > "keycloak-server.war") > 10:49:49,572 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: > Http management interface listening on http://172.31.4.165:9990/management > 10:49:49,573 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: > Admin console listening on http://172.31.4.165:9990 > 10:49:49,573 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: > Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 8688ms - Started > 344 of 593 services (339 services are lazy, passive or on-demand) > *10:50:16,178 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (Incoming-2,ee,node0) ISPN000094: Received new cluster view for channel > keycloak: [node0|1] (2) [node0, node1]* > 10:50:16,650 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t2) > ISPN000310: Starting cluster-wide rebalance for cache users, topology > CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = > 60, owners = (1)[node0: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, > owners = (2)[node0: 30, node1: 30]}, unionCH=null, actualMembers=[node0, > node1]} > 10:50:16,650 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) > ISPN000310: Starting cluster-wide rebalance for cache realms, topology > CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = > 60, owners = (1)[node0: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, > owners = (2)[node0: 30, node1: 30]}, unionCH=null, actualMembers=[node0, > node1]} > 10:50:16,652 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) > ISPN000310: Starting cluster-wide rebalance for cache sessions, topology > CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, > owners = (1)[node0: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = > (2)[node0: 40+0, node1: 40+0]}, unionCH=null, actualMembers=[node0, node1]} > 10:50:16,652 INFO [org.infinispan.CLUSTER] 
(remote-thread--p3-t3) > ISPN000310: Starting cluster-wide rebalance for cache loginFailures, > topology CacheTopology{id=1, rebalanceId=1, > currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, > pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: > 40+0]}, unionCH=null, actualMembers=[node0, node1]} > 10:50:16,712 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) > ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1 > 10:50:16,712 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) > ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = > 1 > 10:50:16,758 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) > ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id > = 1 > 10:50:16,761 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) > ISPN000336: Finished cluster-wide rebalance for cache loginFailures, > topology id = 1 > 10:50:22,061 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) > ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, > topology CacheTopology{id=1, rebalanceId=1, > currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, > pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: > 40+0]}, unionCH=null, actualMembers=[node0, node1]} > 10:50:22,085 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) > ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, > topology id = 1 > > ------------------------------ > > *From: *"Alan Field" > *To: *"charles-edouard gagnaire" > *Cc: *keycloak-user at lists.jboss.org > *Sent: *Friday, December 18, 2015 10:21:54 AM > > *Subject: *Re: [keycloak-user] Problem running keycloak cluster on EC2 > with S3_ping > > Hey Charles, > > Thanks for the logs. I'm not sure what is wrong, but it looks like each > server is creating a cluster of 1. I'll try it with my AWS account to see > if I can figure out what is wrong. 
>
> Alan
>
> ------------------------------
>
> *From: *"charles-edouard gagnaire"
> *To: *"Alan Field"
> *Cc: *keycloak-user at lists.jboss.org
> *Sent: *Friday, December 18, 2015 10:04:53 AM
> *Subject: *Re: [keycloak-user] Problem running keycloak cluster on EC2
> with S3_ping
>
> First I want to thank you guys for the quick answers, I was still reading
> the "Replace use of Infinispan with User Sessions SPI ?" discussion.
>
> Yes of course I can send all the logs. You'll find them below.
>
> The JGroups version is the one shipping with Keycloak 1.7, but the problem
> was the same with Keycloak 1.6.
> Looking at the config file, it looks like I'm using: xmlns="urn:jboss:domain:jgroups:3.0">
>
> I didn't mention it but I use the archive I found on the Keycloak website. The
> archive is "keycloak-1.7.0.Final.tar.gz".
> I just untarred it and modified the config files, then I launched it using:
> /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml
>
> Thank you again for your help
>
> The logs for server 1 are:
> =========================================================================
>
> JBoss Bootstrap Environment
>
> JBOSS_HOME: /opt/keycloak-1.7.0.Final
>
> JAVA: /usr/lib/jvm/jre/bin/java
>
> JAVA_OPTS: -server -XX:+UseCompressedOops -server
> -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m
> -Djava.net.preferIPv4Stack=true
> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>
> =========================================================================
>
> OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m;
> support was removed in 8.0
> 14:38:44,910 INFO [org.jboss.modules] (main) JBoss Modules version
> 1.4.3.Final
> 14:38:45,091 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 14:38:45,163 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049:
> Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> 14:38:46,358 INFO [org.jboss.as.controller.management-deprecated]
> (ServerService Thread
Pool -- 24) WFLYCTL0028: Attribute > 'job-repository-type' in the resource at address '/subsystem=batch' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:46,360 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=PgDskeycloak' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=ExampleDS' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=KeycloakDS' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:46,370 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute 'default-stack' in > the resource at address '/subsystem=jgroups' is deprecated, and may be > removed in future version. See the attribute description in the output of > the read-resource-description operation to learn more about the deprecation. 
> 14:38:46,572 INFO [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0039: Creating http management service using socket-binding > (management-http) > 14:38:46,589 INFO [org.xnio] (MSC service thread 1-4) XNIO version > 3.3.1.Final > 14:38:46,607 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO > Implementation Version 3.3.1.Final > 14:38:46,655 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss > Remoting version 4.0.9.Final > 14:38:46,687 INFO [org.wildfly.extension.io] (ServerService Thread Pool > -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads > with 32 task threads based on your 2 available processors > 14:38:46,685 INFO [org.jboss.as.connector.subsystems.datasources] > (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant > driver class org.postgresql.Driver (version 9.4) > 14:38:46,715 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread > Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. > 14:38:46,724 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem. 
> 14:38:46,744 INFO [org.jboss.as.connector] (MSC service thread 1-4) > WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > 14:38:46,746 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-2) WFLYJCA0018: Started Driver service with driver-name = > postgresql > 14:38:46,767 INFO [org.jboss.as.connector.subsystems.datasources] > (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant > driver class org.h2.Driver (version 1.3) > 14:38:46,769 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2 > 14:38:46,781 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) > WFLYJSF0007: Activated the following JSF Implementations: [main] > 14:38:46,772 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) > WFLYNAM0001: Activating Naming Subsystem > 14:38:46,914 INFO [org.jboss.as.security] (ServerService Thread Pool -- > 56) WFLYSEC0002: Activating Security Subsystem > 14:38:46,916 INFO [org.jboss.as.security] (MSC service thread 1-1) > WFLYSEC0001: Current PicketBox version=4.9.2.Final > 14:38:46,932 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) > WFLYTX0013: Node identifier property is set to the default value. Please > make sure it is unique. 
> The logs for server 2 are :
>
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole"
> 97, cours Gambetta
> 69481 Lyon Cedex 03
>
> PARIS
> 16, rue de Turbigo
> 75002 Paris
>
> 2015-12-18 15:53 GMT+01:00 Alan Field :
>
>> Hey Charles,
>>
>> Can you send the full logs and tell me which version of JGroups you are
>> using?
>>
>> Thanks,
>> Alan
>>
>> ------------------------------
>>
>> *From: *"charles-edouard gagnaire"
>> *To: *keycloak-user at lists.jboss.org
>> *Sent: *Friday, December 18, 2015 9:01:12 AM
>> *Subject: *[keycloak-user] Problem running keycloak cluster on EC2 with
>> S3_ping
>>
>> Hi,
>>
>> I'm having trouble configuring a Keycloak cluster running on AWS' EC2.
>> The database configuration is OK, no problem, but I can't manage to get
>> the invalidation cache working correctly.
>> I configured Infinispan to work with the S3_ping plugin (the relevant part of
>> my configuration is below).
>>
>> When I run both servers, the connection with the database is OK, but the
>> Infinispan logs look like this:
>>
>> On Server 1:
>> ...
>> 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
>> ...
>> 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
>> ...
>>
>> On Server 2:
>> ...
>> 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
>> ...
>> 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
>> ...
>>
>> In my S3 bucket, I have 2 files created:
>> 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
>> a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
>>
>> And the content of the files is like this:
>> File 1:
>> ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
>>
>> File 2:
>> ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
>>
>> When I read the logs, it looks like the Infinispan caches can't contact
>> each other.
>> I double-checked my network config, and I tried connecting from one server
>> to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works
>> fine.
>>
>> Is there a way to check the Infinispan status of the servers?
>> Do you guys have any clue on how to make this work?
>>
>> Thank you,
>> Charles-Edouard
>>
>> My config looks like this:
>>
>> - Standalone-ha.xml
>> ...
>> org.postgresql.Driver
>> org.postgresql.xa.PGXADataSource
>> jndi-name="java:jboss/datasources/PgDskeycloak" pool-name="PgDskeycloak"
>> enabled="true" use-java-context="true">
>> jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
>> postgresql
>> 5
>> 5
>> 100
>> true
>> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker">
>> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter">
>> ****
>> ****
>> ...
>> socket-binding="jgroups-udp-fd"/>
>> ****
>> ****
>> ****
>> socket-binding="jgroups-tcp-fd"/>
>> ...
>>
>> - keycloak-server.json
>> {
>>     "providers": [
>>         "classpath:${jboss.server.config.dir}/providers/*"
>>     ],
>>
>>     "admin": {
>>         "realm": "master"
>>     },
>>
>>     "eventsStore": {
>>         "provider": "jpa",
>>         "jpa": {
>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>         }
>>     },
>>
>>     "realm": {
>>         "provider": "jpa"
>>     },
>>
>>     "user": {
>>         "provider": "jpa"
>>     },
>>
>>     "userSessionPersister": {
>>         "provider": "jpa"
>>     },
>>
>>     "timer": {
>>         "provider": "basic"
>>     },
>>
>>     "theme": {
>>         "default": "keycloak",
>>         "staticMaxAge": 2592000,
>>         "cacheTemplates": true,
>>         "cacheThemes": true,
>>         "folder": {
>>             "dir": "${jboss.server.config.dir}/themes"
>>         }
>>     },
>>
>>     "scheduled": {
>>         "interval": 900
>>     },
>>
>>     "connectionsHttpClient": {
>>         "default": {
>>             "disable-trust-manager": true
>>         }
>>     },
>>
>>     "connectionsJpa": {
>>         "default": {
>>             "dataSource": "java:jboss/datasources/PgDskeycloak",
>>             "databaseSchema": "update"
>>         }
>>     },
>>
>>     "connectionsInfinispan": {
>>         "default" : {
>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>         }
>>     }
>> }
>>
>> CHARLES-EDOUARD GAGNAIRE
>> SysAdmin
>> c.gagnaire at kreactive.com
>> p. 06.27.80.28.53
>> LYON "Le Capitole"
>> 97, cours Gambetta
>> 69481 Lyon Cedex 03
>>
>> PARIS
>> 16, rue de Turbigo
>> 75002 Paris
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151218/16ce3bf6/attachment-0001.html

From srossillo at smartling.com Fri Dec 18 12:51:18 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Fri, 18 Dec 2015 12:51:18 -0500
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To: <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com>
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com> <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com>
Message-ID: <247B5BE3-AD17-4944-BD94-29C3B2B7055B@smartling.com>

May sound basic but if you're using a VPC, you have to explicitly allow traffic between your EC2 instances in your security group.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 18, 2015, at 10:21 AM, Alan Field wrote:
>
> Hey Charles,
>
> Thanks for the logs. I'm not sure what is wrong, but it looks like each server is creating a cluster of 1. I'll try it with my AWS account to see if I can figure out what is wrong.
>
> Alan
>
> From: "charles-edouard gagnaire"
> To: "Alan Field"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, December 18, 2015 10:04:53 AM
> Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>
> First I want to thank you guys for the quick answers, I was still reading the "Replace use of Infinispan with User Sessions SPI ?" discussion.
>
> Yes of course I can send all the logs. You'll find them below.
>
> The JGroups version is the one shipping with Keycloak 1.7, but the problem was the same with Keycloak 1.6.
> Looking at the config file, it looks like I'm using :
>
> I didn't mention it but I use the archive I found on the Keycloak website. The archive is "keycloak-1.7.0.Final.tar.gz".
> I just untarred and modified the config files, then I launched it using: /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml
>
> Thank you again for your help
>
> The logs for server 1 are :
[org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak container > 14:38:49,530 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak container > 14:38:49,536 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container > 14:38:50,116 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 66) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json > 14:38:50,638 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 66) HHH000204: Processing PersistenceUnitInfo [ > name: keycloak-default > ...] > 14:38:50,690 INFO [org.hibernate.Version] (ServerService Thread Pool -- 66) HHH000412: Hibernate Core {4.3.10.Final} > 14:38:50,691 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000206: hibernate.properties not found > 14:38:50,693 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000021: Bytecode provider name : javassist > 14:38:50,842 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 66) HCANN000001: Hibernate Commons Annotations {4.0.5.Final} > 14:38:51,794 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 66) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect > 14:38:51,803 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 66) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException > 14:38:52,120 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 66) HHH000397: Using ASTQueryTranslatorFactory > 14:38:52,156 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 66) 
HV000001: Hibernate Validator 5.1.3.Final > 14:38:53,706 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started offlineSessions cache from keycloak container > 14:38:53,748 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource 
org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,752 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication > 14:38:53,824 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 66) WFLYUT0021: Registered web context: /auth > 14:38:53,920 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") > 14:38:54,021 INFO [org.jboss.as ] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.7.103:9990/management > 14:38:54,021 INFO [org.jboss.as ] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.7.103:9990 > 14:38:54,022 INFO [org.jboss.as ] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 9388ms - Started 349 of 613 services (353 services are lazy, passive or on-demand) > > > The logs for server 2 are : > ========================================================================= > > JBoss Bootstrap Environment > > JBOSS_HOME: /opt/keycloak-1.7.0.Final > > JAVA: /usr/lib/jvm/jre/bin/java > > JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > ========================================================================= > > 14:38:48,239 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final > 
14:38:48,723 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final > 14:38:48,896 INFO [org.jboss.as ] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting > 14:38:50,979 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 8) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. > 14:38:50,983 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. > 14:38:50,986 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. > 14:38:51,010 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. > 14:38:51,044 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. 
See the attribute description in the output of the read-resource-description operation to learn more about the deprecation. > 14:38:51,452 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http) > 14:38:51,499 INFO [org.xnio] (MSC service thread 1-1) XNIO version 3.3.1.Final > 14:38:51,520 INFO [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.3.1.Final > 14:38:51,590 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4) > 14:38:51,603 INFO [org.wildfly.extension.io ] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available processors > 14:38:51,601 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem. > 14:38:51,634 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. 
> 14:38:51,694 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem > 14:38:51,666 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main] > 14:38:51,696 INFO [org.jboss.as.connector] (MSC service thread 1-2) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > 14:38:51,932 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension > 14:38:51,970 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 4.0.9.Final > 14:38:51,975 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem > 14:38:51,972 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3) > 14:38:51,971 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique. 
> 14:38:52,140 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting > 14:38:52,187 INFO [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=4.9.2.Final > 14:38:52,224 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = postgresql > 14:38:52,225 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2 > 14:38:52,368 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting > 14:38:52,369 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service > 14:38:52,471 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] > 14:38:52,710 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content > 14:38:52,864 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0012: Started server default-server. 
> 14:38:53,133 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on /10.1.1.245:8080 > 14:38:53,166 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting > 14:38:53,192 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.1.245:8009 > 14:38:53,211 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final > 14:38:53,307 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364 > 14:38:53,779 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak > 14:38:53,896 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS] > 14:38:53,903 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS] > 14:38:53,909 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak] > 14:38:54,118 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war") > 14:38:54,306 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final > 14:38:56,138 INFO [stdout] (MSC service thread 1-2) > 14:38:56,138 INFO [stdout] (MSC service thread 1-2) ------------------------------------------------------------------- > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-1-245, cluster=ee, physical 
address=10.1.1.245:7600 > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) ------------------------------------------------------------------- > 14:38:56,606 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak > 14:38:56,623 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245] > 14:38:56,644 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-1-245, physical addresses are [10.1.1.245:7600 ] > 14:38:56,651 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final > 14:38:57,044 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container > 14:38:57,050 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started sessions cache from keycloak container > 14:38:57,055 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container > 14:38:57,059 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started loginFailures cache from keycloak container > 14:38:58,007 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 64) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json > 14:38:58,755 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 64) HHH000204: Processing PersistenceUnitInfo [ > name: keycloak-default > ...] 
> 14:38:58,812 INFO [org.hibernate.Version] (ServerService Thread Pool -- 64) HHH000412: Hibernate Core {4.3.10.Final} > 14:38:58,819 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000206: hibernate.properties not found > 14:38:58,824 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000021: Bytecode provider name : javassist > 14:38:59,268 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 64) HCANN000001: Hibernate Commons Annotations {4.0.5.Final} > 14:39:00,264 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 64) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect > 14:39:00,272 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 64) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException > 14:39:00,602 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 64) HHH000397: Using ASTQueryTranslatorFactory > 14:39:00,634 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 64) HV000001: Hibernate Validator 5.1.3.Final > 14:39:04,607 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container > 14:39:04,665 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.QRCodeResource from 
Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication > 14:39:04,757 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0021: Registered web context: /auth > 14:39:04,844 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) 
WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") > 14:39:05,526 INFO [org.jboss.as ] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.1.245:9990/management > 14:39:05,527 INFO [org.jboss.as ] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.1.245:9990 > 14:39:05,531 INFO [org.jboss.as ] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 17727ms - Started 349 of 613 services (353 services are lazy, passive or on-demand) > > > CHARLES-EDOUARD GAGNAIRE > SysAdmin > c.gagnaire at kreactive.com > p. 06.27.80.28.53 > LYON "Le Capitole" > 97, cours Gambetta > 69481 Lyon Cedex 03 > > PARIS > 16, rue de Turbigo > 75002 Paris > > > > > > > 2015-12-18 15:53 GMT+01:00 Alan Field >: > Hey Charles, > > Can you send the full logs and tell me which version of JGroups you are using? > > Thanks, > Alan > > From: "charles-edouard gagnaire" > > To: keycloak-user at lists.jboss.org > Sent: Friday, December 18, 2015 9:01:12 AM > Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping > > > hi, > > I'm having trouble configuring a Keycloak cluster running on AWS' EC2. > The database configuration is OK no problem, but i can't manage to get the invalidation cache working correctly. > I configured Infinispan to work with S3_ping plugin (the relevant part of my configuration is below). > > When i run both server, the connection with the database is Ok, but the infinispan logs look like this : > On Server 1 : > ... > 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600 > ... > 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103] > ... > > On Server 2 : > ... 
> 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> ...
> 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> ...
>
> In my S3 bucket, I have 2 files created:
> 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
> a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
>
> And the content of the files is like this:
> File 1:
> ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
>
> File 2:
> ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
>
> When I read the logs, it looks like the Infinispan caches can't contact each other.
> I double-checked my network config, and I tried connecting from one server to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works fine.
>
> Is there a way to check the Infinispan status of the servers?
> Do you guys have any clue how to make this work?
>
> Thank you,
> Charles-Edouard
>
> My config looks like this:
>
> - standalone-ha.xml
> ...
> org.postgresql.Driver
> org.postgresql.xa.PGXADataSource
> jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
> postgresql
> 5
> 5
> 100
> true
> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker">
> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter">
> ****
> ****
> ...
> ****
> ****
> ****
> ...
> ...
> - keycloak-server.json
> {
>     "providers": [
>         "classpath:${jboss.server.config.dir}/providers/*"
>     ],
>
>     "admin": {
>         "realm": "master"
>     },
>
>     "eventsStore": {
>         "provider": "jpa",
>         "jpa": {
>             "exclude-events": [ "REFRESH_TOKEN" ]
>         }
>     },
>
>     "realm": {
>         "provider": "jpa"
>     },
>
>     "user": {
>         "provider": "jpa"
>     },
>
>     "userSessionPersister": {
>         "provider": "jpa"
>     },
>
>     "timer": {
>         "provider": "basic"
>     },
>
>     "theme": {
>         "default": "keycloak",
>         "staticMaxAge": 2592000,
>         "cacheTemplates": true,
>         "cacheThemes": true,
>         "folder": {
>             "dir": "${jboss.server.config.dir}/themes"
>         }
>     },
>
>     "scheduled": {
>         "interval": 900
>     },
>
>     "connectionsHttpClient": {
>         "default": {
>             "disable-trust-manager": true
>         }
>     },
>
>     "connectionsJpa": {
>         "default": {
>             "dataSource": "java:jboss/datasources/PgDskeycloak",
>             "databaseSchema": "update"
>         }
>     },
>
>     "connectionsInfinispan": {
>         "default" : {
>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>         }
>     }
> }
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
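Charles asks above whether there is a way to check the cluster state of the servers; the two S3_PING .list files and the ISPN000094 "cluster view" lines he quotes already contain the answer. The script below is an added example, not code from the thread or from Keycloak/JGroups: it parses constructed copies of those member files and log lines, and reports when every node wrote itself to the bucket as coordinator (the trailing T) while seeing a view of one. The member-file field layout (logical name, UUID, ip:port, coordinator flag) is assumed from the quoted lines.

```python
"""Cross-check JGroups S3_PING member files against the cluster view each node logs."""
import re
from dataclasses import dataclass

# Constructed sample input modelled on the two .list files found in the S3 bucket.
# Assumed record layout: <logical name> <uuid> <ip:port> <coordinator flag T/F>
S3_PING_FILES = {
    "402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list":
        "ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T\n",
    "a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list":
        "ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T\n",
}

# Constructed sample log lines modelled on the ISPN000094 line each server printed.
CLUSTER_VIEW_LINES = [
    "11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel "
    "keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]",
    "11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel "
    "keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]",
]


@dataclass(frozen=True)
class Member:
    name: str          # JGroups logical name (the EC2 hostname here)
    uuid: str          # JGroups address UUID
    host: str
    port: int          # TCP bind port, 7600 in the quoted logs
    coordinator: bool  # the trailing T/F flag


@dataclass(frozen=True)
class ClusterView:
    channel: str
    coordinator: str   # the member before '|' in "[coord|view-id]"
    view_id: int
    members: tuple


# "[coord|id] (size) [m1, m2, ...]" as printed by JGroupsTransport
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<vid>\d+)\] \((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)


def parse_member_file(text):
    """Parse one S3_PING member file: one 'name uuid ip:port flag' record per line."""
    members = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"unexpected member record: {line!r}")
        name, uuid, addr, flag = fields
        host, port = addr.rsplit(":", 1)
        members.append(Member(name, uuid, host, int(port), flag == "T"))
    return members


def parse_cluster_view(line):
    """Return the ClusterView described by an ISPN000094 log line, or None for other lines."""
    m = VIEW_RE.search(line)
    if m is None:
        return None
    members = tuple(x.strip() for x in m.group("members").split(",") if x.strip())
    if len(members) != int(m.group("size")):
        raise ValueError(f"declared view size does not match member list: {line!r}")
    return ClusterView(m.group("channel"), m.group("coord"), int(m.group("vid")), members)


def diagnose(files, log_lines):
    """Compare who registered in the bucket with who each node actually sees.

    Returns a list of findings; an empty list means every registered member appears
    in every node's view and only one node claims to be coordinator.
    """
    registered = [mem for text in files.values() for mem in parse_member_file(text)]
    views = [v for v in map(parse_cluster_view, log_lines) if v is not None]
    findings = []
    coordinators = sorted(m.name for m in registered if m.coordinator)
    if len(coordinators) > 1:
        findings.append(f"{len(coordinators)} nodes claim to be coordinator {coordinators}: "
                        "discovery never merged them into one cluster")
    expected = {m.name for m in registered}
    for v in views:
        missing = sorted(expected - set(v.members))
        if missing:
            findings.append(f"{v.coordinator} sees {len(v.members)} member(s) on channel "
                            f"{v.channel} but not {missing}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(S3_PING_FILES, CLUSTER_VIEW_LINES):
        print(finding)
```

Run against the files and lines from the thread it reports two self-declared coordinators and two one-member views, which is the "cluster of 1" pattern Alan describes further down; once discovery works it should report nothing.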
From c.gagnaire at kreactive.com Fri Dec 18 13:45:17 2015
From: c.gagnaire at kreactive.com (charles-edouard gagnaire)
Date: Fri, 18 Dec 2015 19:45:17 +0100
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To: <247B5BE3-AD17-4944-BD94-29C3B2B7055B@smartling.com>
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com> <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com> <247B5BE3-AD17-4944-BD94-29C3B2B7055B@smartling.com>
Message-ID:

Yeah it's basic but that's why I tried with tcp ping. I wanted to be sure I had no network misconfiguration.

On Dec 18, 2015 18:51, "Scott Rossillo" wrote:
> May sound basic but if you're using a VPC, you have to explicitly allow traffic between your EC2 instances in your security group.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Dec 18, 2015, at 10:21 AM, Alan Field wrote:
>
> Hey Charles,
>
> Thanks for the logs. I'm not sure what is wrong, but it looks like each server is creating a cluster of 1. I'll try it with my AWS account to see if I can figure out what is wrong.
>
> Alan
>
> ------------------------------
>
> From: "charles-edouard gagnaire"
> To: "Alan Field"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, December 18, 2015 10:04:53 AM
> Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>
> First I want to thank you guys for the quick answers, I was still reading the "Replace use of Infinispan with User Sessions SPI ?" discussion.
>
> Yes of course I can send all the logs. You'll find them below.
>
> The JGroups version is the one shipping with Keycloak 1.7, but the problem was the same with Keycloak 1.6.
> Looking at the config file, it looks like I'm using: xmlns="urn:jboss:domain:jgroups:3.0">
>
> I didn't mention it but I use the archive I found on the Keycloak website. The archive is "keycloak-1.7.0.Final.tar.gz".
> I just untar and modify the config files, then I launched it using:
> /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml
>
> Thank you again for your help
>
> The logs for server 1 are :
> =========================================================================
>
>   JBoss Bootstrap Environment
>
>   JBOSS_HOME: /opt/keycloak-1.7.0.Final
>
>   JAVA: /usr/lib/jvm/jre/bin/java
>
>   JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
>
> =========================================================================
>
> OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
> 14:38:44,910 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
> 14:38:45,091 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> 14:38:45,163 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> 14:38:46,358 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 24) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,360 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,370 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 14:38:46,572 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> 14:38:46,589 INFO [org.xnio] (MSC service thread 1-4) XNIO version 3.3.1.Final
> 14:38:46,607 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO Implementation Version 3.3.1.Final
> 14:38:46,655 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss Remoting version 4.0.9.Final
> 14:38:46,687 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads with 32 task threads based on your 2 available processors
> 14:38:46,685 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
> 14:38:46,715 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
> 14:38:46,724 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
> 14:38:46,744 INFO [org.jboss.as.connector] (MSC service thread 1-4) > WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > 14:38:46,746 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-2) WFLYJCA0018: Started Driver service with driver-name = > postgresql > 14:38:46,767 INFO [org.jboss.as.connector.subsystems.datasources] > (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant > driver class org.h2.Driver (version 1.3) > 14:38:46,769 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2 > 14:38:46,781 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) > WFLYJSF0007: Activated the following JSF Implementations: [main] > 14:38:46,772 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) > WFLYNAM0001: Activating Naming Subsystem > 14:38:46,914 INFO [org.jboss.as.security] (ServerService Thread Pool -- > 56) WFLYSEC0002: Activating Security Subsystem > 14:38:46,916 INFO [org.jboss.as.security] (MSC service thread 1-1) > WFLYSEC0001: Current PicketBox version=4.9.2.Final > 14:38:46,932 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) > WFLYTX0013: Node identifier property is set to the default value. Please > make sure it is unique. 
> 14:38:46,957 INFO [org.jboss.as.webservices] (ServerService Thread Pool > -- 59) WFLYWS0002: Activating WebServices Extension > 14:38:46,985 INFO [org.jboss.as.naming] (MSC service thread 1-2) > WFLYNAM0003: Starting Naming Service > 14:38:46,992 INFO [org.jboss.as.mail.extension] (MSC service thread 1-4) > WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] > 14:38:47,115 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-1) WFLYUT0003: Undertow 1.2.9.Final starting > 14:38:47,119 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting > 14:38:47,206 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 58) WFLYUT0014: Creating file handler for path > /opt/keycloak-1.7.0.Final/welcome-content > 14:38:47,229 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-4) WFLYUT0012: Started server default-server. > 14:38:47,263 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-4) WFLYUT0018: Host default-host starting > 14:38:47,320 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.7.103:8009 > 14:38:47,324 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-3) WFLYUT0006: Undertow HTTP listener default listening on / > 10.1.7.103:8080 > 14:38:47,339 INFO [org.jboss.modcluster] (ServerService Thread Pool -- > 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final > 14:38:47,372 INFO [org.jboss.modcluster] (ServerService Thread Pool -- > 62) MODCLUSTER000032: Listening to proxy advertisements on / > 224.0.1.105:23364 > 14:38:47,478 INFO > [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] > (MSC service thread 1-1) IJ020018: Enabling for > java:jboss/datasources/PgDskeycloak > 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-2) WFLYJCA0001: Bound data source > 
[java:jboss/datasources/KeycloakDS] > 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-2) WFLYJCA0001: Bound data source > [java:jboss/datasources/ExampleDS] > 14:38:47,530 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-2) WFLYJCA0001: Bound data source > [java:jboss/datasources/PgDskeycloak] > 14:38:47,673 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" > (runtime-name: "keycloak-server.war") > 14:38:47,820 INFO [org.jboss.ws.common.management] (MSC service thread > 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final > 14:38:48,898 INFO [stdout] (MSC service thread 1-2) > 14:38:48,898 INFO [stdout] (MSC service thread 1-2) > ------------------------------------------------------------------- > 14:38:48,898 INFO [stdout] (MSC service thread 1-2) GMS: > address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600 > 14:38:48,899 INFO [stdout] (MSC service thread 1-2) > ------------------------------------------------------------------- > 14:38:49,250 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel > keycloak > 14:38:49,265 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for > channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103] > 14:38:49,273 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local > address is ip-10-1-7-103, physical addresses are [10.1.7.103:7600] > 14:38:49,277 INFO [org.infinispan.factories.GlobalComponentRegistry] > (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: > Infinispan 'Insanely Bad Elf' 7.2.3.Final > 14:38:49,521 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread 
Pool -- 65) WFLYCLINF0002: Started users cache from keycloak > container > 14:38:49,529 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak > container > 14:38:49,530 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak > container > 14:38:49,536 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak > container > 14:38:50,116 INFO [org.keycloak.services.resources.KeycloakApplication] > (ServerService Thread Pool -- 66) Load config from > /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json > 14:38:50,638 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 66) HHH000204: Processing PersistenceUnitInfo > [ > name: keycloak-default > ...] > 14:38:50,690 INFO [org.hibernate.Version] (ServerService Thread Pool -- > 66) HHH000412: Hibernate Core {4.3.10.Final} > 14:38:50,691 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 66) HHH000206: hibernate.properties not found > 14:38:50,693 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 66) HHH000021: Bytecode provider name : javassist > 14:38:50,842 INFO [org.hibernate.annotations.common.Version] > (ServerService Thread Pool -- 66) HCANN000001: Hibernate Commons > Annotations {4.0.5.Final} > 14:38:51,794 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 66) HHH000400: Using dialect: > org.hibernate.dialect.PostgreSQL9Dialect > 14:38:51,803 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] > (ServerService Thread Pool -- 66) HHH000424: Disabling contextual LOB > creation as createClob() method threw error : > java.lang.reflect.InvocationTargetException > 14:38:52,120 INFO > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService > Thread Pool -- 66) HHH000397: 
Using ASTQueryTranslatorFactory > 14:38:52,156 INFO [org.hibernate.validator.internal.util.Version] > (ServerService Thread Pool -- 66) HV000001: Hibernate Validator 5.1.3.Final > 14:38:53,706 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 66) WFLYCLINF0002: Started offlineSessions cache from > keycloak container > 14:38:53,748 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Deploying javax.ws.rs.core.Application: > class org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding class resource > org.keycloak.services.resources.WelcomeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding class resource > org.keycloak.services.resources.JsResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding class resource > org.keycloak.services.resources.QRCodeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding class resource > org.keycloak.services.resources.ThemeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding singleton resource > org.keycloak.services.resources.RealmsResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding singleton resource > org.keycloak.services.resources.ServerVersionResource from Application > class 
org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding singleton resource > org.keycloak.services.resources.admin.AdminRoot from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding provider singleton > org.keycloak.services.util.ObjectMapperResolver from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,752 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 66) Adding provider singleton > org.keycloak.services.resources.ModelExceptionMapper from Application class > org.keycloak.services.resources.KeycloakApplication > 14:38:53,824 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 66) WFLYUT0021: Registered web context: /auth > 14:38:53,920 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) > WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > "keycloak-server.war") > 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: > Http management interface listening on http://10.1.7.103:9990/management > 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: > Admin console listening on http://10.1.7.103:9990 > 14:38:54,022 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: > Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 9388ms - Started > 349 of 613 services (353 services are lazy, passive or on-demand) > > > The logs for server 2 are : > ========================================================================= > > JBoss Bootstrap Environment > > JBOSS_HOME: /opt/keycloak-1.7.0.Final > > JAVA: /usr/lib/jvm/jre/bin/java > > JAVA_OPTS: -server -XX:+UseCompressedOops -server > -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m > -Djava.net.preferIPv4Stack=true > 
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > ========================================================================= > > 14:38:48,239 INFO [org.jboss.modules] (main) JBoss Modules version > 1.4.3.Final > 14:38:48,723 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final > 14:38:48,896 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: > Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting > 14:38:50,979 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 8) WFLYCTL0028: Attribute > 'job-repository-type' in the resource at address '/subsystem=batch' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:50,983 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=PgDskeycloak' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:50,986 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=ExampleDS' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:51,010 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'default-stack' in > the resource at address '/subsystem=jgroups' is deprecated, and may be > removed in future version. See the attribute description in the output of > the read-resource-description operation to learn more about the deprecation. 
> 14:38:51,044 INFO [org.jboss.as.controller.management-deprecated] > (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the > resource at address '/subsystem=datasources/data-source=KeycloakDS' is > deprecated, and may be removed in future version. See the attribute > description in the output of the read-resource-description operation to > learn more about the deprecation. > 14:38:51,452 INFO [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0039: Creating http management service using socket-binding > (management-http) > 14:38:51,499 INFO [org.xnio] (MSC service thread 1-1) XNIO version > 3.3.1.Final > 14:38:51,520 INFO [org.xnio.nio] (MSC service thread 1-1) XNIO NIO > Implementation Version 3.3.1.Final > 14:38:51,590 INFO [org.jboss.as.connector.subsystems.datasources] > (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant > driver class org.postgresql.Driver (version 9.4) > 14:38:51,603 INFO [org.wildfly.extension.io] (ServerService Thread Pool > -- 38) WFLYIO001: Worker 'default' has auto-configured to 2 core threads > with 16 task threads based on your 1 available processors > 14:38:51,601 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem. > 14:38:51,634 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread > Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. 
> 14:38:51,694 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) > WFLYNAM0001: Activating Naming Subsystem > 14:38:51,666 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) > WFLYJSF0007: Activated the following JSF Implementations: [main] > 14:38:51,696 INFO [org.jboss.as.connector] (MSC service thread 1-2) > WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > 14:38:51,932 INFO [org.jboss.as.webservices] (ServerService Thread Pool > -- 59) WFLYWS0002: Activating WebServices Extension > 14:38:51,970 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss > Remoting version 4.0.9.Final > 14:38:51,975 INFO [org.jboss.as.security] (ServerService Thread Pool -- > 56) WFLYSEC0002: Activating Security Subsystem > 14:38:51,972 INFO [org.jboss.as.connector.subsystems.datasources] > (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant > driver class org.h2.Driver (version 1.3) > 14:38:51,971 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) > WFLYTX0013: Node identifier property is set to the default value. Please > make sure it is unique. 
> 14:38:52,140 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting > 14:38:52,187 INFO [org.jboss.as.security] (MSC service thread 1-2) > WFLYSEC0001: Current PicketBox version=4.9.2.Final > 14:38:52,224 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-1) WFLYJCA0018: Started Driver service with driver-name = > postgresql > 14:38:52,225 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2 > 14:38:52,368 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-1) WFLYUT0003: Undertow 1.2.9.Final starting > 14:38:52,369 INFO [org.jboss.as.naming] (MSC service thread 1-2) > WFLYNAM0003: Starting Naming Service > 14:38:52,471 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) > WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] > 14:38:52,710 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 58) WFLYUT0014: Creating file handler for path > /opt/keycloak-1.7.0.Final/welcome-content > 14:38:52,864 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0012: Started server default-server. 
> 14:38:53,133 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0006: Undertow HTTP listener default listening on / > 10.1.1.245:8080 > 14:38:53,166 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0018: Host default-host starting > 14:38:53,192 INFO [org.wildfly.extension.undertow] (MSC service thread > 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.1.245:8009 > 14:38:53,211 INFO [org.jboss.modcluster] (ServerService Thread Pool -- > 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final > 14:38:53,307 INFO [org.jboss.modcluster] (ServerService Thread Pool -- > 62) MODCLUSTER000032: Listening to proxy advertisements on / > 224.0.1.105:23364 > 14:38:53,779 INFO > [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] > (MSC service thread 1-2) IJ020018: Enabling for > java:jboss/datasources/PgDskeycloak > 14:38:53,896 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-1) WFLYJCA0001: Bound data source > [java:jboss/datasources/KeycloakDS] > 14:38:53,903 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-2) WFLYJCA0001: Bound data source > [java:jboss/datasources/ExampleDS] > 14:38:53,909 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > service thread 1-2) WFLYJCA0001: Bound data source > [java:jboss/datasources/PgDskeycloak] > 14:38:54,118 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-2) WFLYSRV0027: Starting deployment of "keycloak-server.war" > (runtime-name: "keycloak-server.war") > 14:38:54,306 INFO [org.jboss.ws.common.management] (MSC service thread > 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final > 14:38:56,138 INFO [stdout] (MSC service thread 1-2) > 14:38:56,138 INFO [stdout] (MSC service thread 1-2) > ------------------------------------------------------------------- > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) GMS: > 
address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600 > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) > ------------------------------------------------------------------- > 14:38:56,606 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel > keycloak > 14:38:56,623 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for > channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245] > 14:38:56,644 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local > address is ip-10-1-1-245, physical addresses are [10.1.1.245:7600] > 14:38:56,651 INFO [org.infinispan.factories.GlobalComponentRegistry] > (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: > Infinispan 'Insanely Bad Elf' 7.2.3.Final > 14:38:57,044 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak > container > 14:38:57,050 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 62) WFLYCLINF0002: Started sessions cache from keycloak > container > 14:38:57,055 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak > container > 14:38:57,059 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 64) WFLYCLINF0002: Started loginFailures cache from keycloak > container > 14:38:58,007 INFO [org.keycloak.services.resources.KeycloakApplication] > (ServerService Thread Pool -- 64) Load config from > /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json > 14:38:58,755 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 64) HHH000204: Processing PersistenceUnitInfo > [ > name: keycloak-default > ...] 
> 14:38:58,812 INFO [org.hibernate.Version] (ServerService Thread Pool -- > 64) HHH000412: Hibernate Core {4.3.10.Final} > 14:38:58,819 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 64) HHH000206: hibernate.properties not found > 14:38:58,824 INFO [org.hibernate.cfg.Environment] (ServerService Thread > Pool -- 64) HHH000021: Bytecode provider name : javassist > 14:38:59,268 INFO [org.hibernate.annotations.common.Version] > (ServerService Thread Pool -- 64) HCANN000001: Hibernate Commons > Annotations {4.0.5.Final} > 14:39:00,264 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 64) HHH000400: Using dialect: > org.hibernate.dialect.PostgreSQL9Dialect > 14:39:00,272 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] > (ServerService Thread Pool -- 64) HHH000424: Disabling contextual LOB > creation as createClob() method threw error : > java.lang.reflect.InvocationTargetException > 14:39:00,602 INFO > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService > Thread Pool -- 64) HHH000397: Using ASTQueryTranslatorFactory > 14:39:00,634 INFO [org.hibernate.validator.internal.util.Version] > (ServerService Thread Pool -- 64) HV000001: Hibernate Validator 5.1.3.Final > 14:39:04,607 INFO [org.jboss.as.clustering.infinispan] (ServerService > Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from > keycloak container > 14:39:04,665 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Deploying javax.ws.rs.core.Application: > class org.keycloak.services.resources.KeycloakApplication > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding class resource > org.keycloak.services.resources.WelcomeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding class resource > 
org.keycloak.services.resources.QRCodeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding class resource > org.keycloak.services.resources.JsResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding class resource > org.keycloak.services.resources.ThemeResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding provider singleton > org.keycloak.services.resources.ModelExceptionMapper from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding singleton resource > org.keycloak.services.resources.RealmsResource from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding provider singleton > org.keycloak.services.util.ObjectMapperResolver from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding singleton resource > org.keycloak.services.resources.ServerVersionResource from Application > class org.keycloak.services.resources.KeycloakApplication > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > (ServerService Thread Pool -- 64) Adding singleton resource > org.keycloak.services.resources.admin.AdminRoot from Application class > org.keycloak.services.resources.KeycloakApplication > 14:39:04,757 INFO [org.wildfly.extension.undertow] (ServerService Thread > Pool -- 64) WFLYUT0021: 
Registered web context: /auth
> 14:39:04,844 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 14:39:05,526 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.1.245:9990/management
> 14:39:05,527 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.1.245:9990
> 14:39:05,531 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 17727ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)
>
>
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole"
> 97, cours Gambetta
> 69481 Lyon Cedex 03
>
> PARIS
> 16, rue de Turbigo
> 75002 Paris
>
> 2015-12-18 15:53 GMT+01:00 Alan Field :
>
>> Hey Charles,
>>
>> Can you send the full logs and tell me which version of JGroups you are
>> using?
>>
>> Thanks,
>> Alan
>>
>> ------------------------------
>>
>> *From: *"charles-edouard gagnaire"
>> *To: *keycloak-user at lists.jboss.org
>> *Sent: *Friday, December 18, 2015 9:01:12 AM
>> *Subject: *[keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>>
>> Hi,
>>
>> I'm having trouble configuring a Keycloak cluster running on AWS EC2.
>> The database configuration is OK, no problem, but I can't manage to get
>> the invalidation cache working correctly.
>> I configured Infinispan to work with the S3_ping plugin (the relevant part of
>> my configuration is below).
>>
>> When I run both servers, the connection with the database is OK, but the
>> Infinispan logs look like this:
>> On Server 1:
>> ...
>> 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
>> ...
>> 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
>> ...
>>
>> On Server 2:
>> ...
>> 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
>> ...
>> 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
>> ...
>>
>> In my S3 bucket, I have 2 files created:
>> 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
>> a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
>>
>> And the content of the files is like this:
>> File 1:
>> ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
>>
>> File 2:
>> ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
>>
>> When I read the logs, it looks like the Infinispan caches can't contact
>> each other.
>> I double-checked my network config, and I tried connecting from one server
>> to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works
>> fine.
>>
>> Is there a way to check the Infinispan status of the servers?
>> Do you guys have any clue on how to make this work?
>>
>> Thank you,
>> Charles-Edouard
>>
>> My config looks like this:
>>
>> - Standalone-ha.xml
>> ...
>>
>> org.postgresql.Driver
>> org.postgresql.xa.PGXADataSource
>>
>> jndi-name="java:jboss/datasources/PgDskeycloak" pool-name="PgDskeycloak" enabled="true" use-java-context="true">
>> jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
>> postgresql
>> 5
>> 5
>> 100
>> true
>> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker">
>> class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter">
>> ****
>> ****
>>
>> ...
>>
>> socket-binding="jgroups-udp-fd"/>
>>
>> ****
>> ****
>> ****
>>
>> socket-binding="jgroups-tcp-fd"/>
>>
>> ...
>>
>> - keycloak-server.json
>> {
>>     "providers": [
>>         "classpath:${jboss.server.config.dir}/providers/*"
>>     ],
>>
>>     "admin": {
>>         "realm": "master"
>>     },
>>
>>     "eventsStore": {
>>         "provider": "jpa",
>>         "jpa": {
>>             "exclude-events": [ "REFRESH_TOKEN" ]
>>         }
>>     },
>>
>>     "realm": {
>>         "provider": "jpa"
>>     },
>>
>>     "user": {
>>         "provider": "jpa"
>>     },
>>
>>     "userSessionPersister": {
>>         "provider": "jpa"
>>     },
>>
>>     "timer": {
>>         "provider": "basic"
>>     },
>>
>>     "theme": {
>>         "default": "keycloak",
>>         "staticMaxAge": 2592000,
>>         "cacheTemplates": true,
>>         "cacheThemes": true,
>>         "folder": {
>>             "dir": "${jboss.server.config.dir}/themes"
>>         }
>>     },
>>
>>     "scheduled": {
>>         "interval": 900
>>     },
>>
>>     "connectionsHttpClient": {
>>         "default": {
>>             "disable-trust-manager": true
>>         }
>>     },
>>
>>     "connectionsJpa": {
>>         "default": {
>>             "dataSource": "java:jboss/datasources/PgDskeycloak",
>>             "databaseSchema": "update"
>>         }
>>     },
>>
>>     "connectionsInfinispan": {
>>         "default" : {
>>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>>         }
>>     }
>> }
>>
>> CHARLES-EDOUARD GAGNAIRE
>> SysAdmin
>> c.gagnaire at kreactive.com
>> p. 06.27.80.28.53
>> LYON "Le Capitole"
>> 97, cours Gambetta
>> 69481 Lyon Cedex 03
>>
>> PARIS
>> 16, rue de Turbigo
>> 75002 Paris
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151218/9bb32d27/attachment-0001.html

From afield at redhat.com Fri Dec 18 14:12:37 2015
From: afield at redhat.com (Alan Field)
Date: Fri, 18 Dec 2015 14:12:37 -0500 (EST)
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To:
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com> <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com> <1136942401.29453944.1450454151035.JavaMail.zimbra@redhat.com>
Message-ID: <1293737813.29528323.1450465957001.JavaMail.zimbra@redhat.com>

Hey Charles,

All I did in my config file is change the following:

...

I'm still not sure why the nodes aren't clustering. Are you starting them simultaneously? Can you try letting one node completely start before you start the second one? If that doesn't work, we may need to take the discussion to the jgroups-users list, since this is not Keycloak specific.

Thanks,
Alan

----- Original Message -----
> From: "charles-edouard gagnaire"
> To: "Alan Field"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, December 18, 2015 11:44:43 AM
> Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
>
> Well, I guess I must have done something wrong.
> I tried launching my servers like you do:
> /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml -Djboss.bind.address=10.1.7.103 -Djboss.bind.address.management=10.1.7.103 -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node0
> and
> /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml -Djboss.bind.address=10.1.1.245 -Djboss.bind.address.management=10.1.1.245 -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node1
> but I have the same problem: s3_ping creates 2 files and the nodes don't see each other.
> I just tried building the cluster using TCP_PING, and this works fine.
> When I get back to S3_ping it fails again.
> Before using bind.address.management or bind.address, the IP addr was set in the standalone-ha.xml in the last section of the file (this is hardcoded for test purposes):
> ${jboss.bind.address:127.0.0.1}
> class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
> auth
>
> Thanks again for trying, is it possible for you to send me your config file?
> I'll just make a diff to see what I've done wrong.
>
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole"
> 97, cours Gambetta
> 69481 Lyon Cedex 03
> PARIS
> 16, rue de Turbigo
> 75002 Paris
>
> 2015-12-18 16:55 GMT+01:00 Alan Field <afield at redhat.com>:
>
> > Hey Charles,
> >
> > I modified the standalone-ha.xml similar to your file to add the S3_PING protocol, and I was able to get two KeyCloak nodes to cluster. I did have to set the jboss.bind.address and jboss.bind.address.management. From your logs I can see that these addresses are both set in your environment as well. How are you setting these? My log is included below.
> > > Thanks, > > > Alan > > > [ec2-user at ip-172-31-4-165 keycloak-1.7.0.Final]$ bin/standalone.sh -c > > standalone-ha.xml -Djboss.socket.binding.port-offset=0 - Djboss.node.name > > =node0 -Djboss.bind.address=$IP -Djboss.bind.address.management=$IP > > > ========================================================================= > > > JBoss Bootstrap Environment > > > JBOSS_HOME: /radargun/keycloak-1.7.0.Final > > > JAVA: java > > > JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops > > -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true > > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > > ========================================================================= > > > Picked up _JAVA_OPTIONS: > > -Djgroups.s3.secret_access_key=ndWrqybZHIaFsEWEuMlWf5fJVffEapbu7DJgcYTd > > -Djgroups.s3.access_key=AKIAIVP76RKVWTPN6S6Q > > -Djgroups.s3.bucket=jdg-jgroups > > > 10:49:41,196 INFO [org.jboss.modules] (main) JBoss Modules version > > 1.4.3.Final > > > 10:49:41,418 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final > > > 10:49:41,497 INFO [ org.jboss.as ] (MSC service thread 1-7) WFLYSRV0049: > > Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting > > > 10:49:42,524 INFO [org.jboss.as.controller.management-deprecated] > > (ServerService Thread Pool -- 19) WFLYCTL0028: Attribute 'default-stack' in > > the resource at address '/subsystem=jgroups' is deprecated, and may be > > removed in future version. See the attribute description in the output of > > the read-resource-description operation to learn more about the > > deprecation. > > > 10:49:42,525 INFO [org.jboss.as.controller.management-deprecated] > > (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute > > 'job-repository-type' in the resource at address '/subsystem=batch' is > > deprecated, and may be removed in future version. 
See the attribute > > description in the output of the read-resource-description operation to > > learn more about the deprecation. > > > 10:49:42,531 INFO [org.jboss.as.controller.management-deprecated] > > (ServerService Thread Pool -- 25) WFLYCTL0028: Attribute 'enabled' in the > > resource at address '/subsystem=datasources/data-source=ExampleDS' is > > deprecated, and may be removed in future version. See the attribute > > description in the output of the read-resource-description operation to > > learn more about the deprecation. > > > 10:49:42,534 INFO [org.jboss.as.controller.management-deprecated] > > (ServerService Thread Pool -- 25) WFLYCTL0028: Attribute 'enabled' in the > > resource at address '/subsystem=datasources/data-source=KeycloakDS' is > > deprecated, and may be removed in future version. See the attribute > > description in the output of the read-resource-description operation to > > learn more about the deprecation. > > > 10:49:42,707 INFO [org.jboss.as.server] (Controller Boot Thread) > > WFLYSRV0039: > > Creating http management service using socket-binding (management-http) > > > 10:49:42,741 INFO [org.xnio] (MSC service thread 1-2) XNIO version > > 3.3.1.Final > > > 10:49:42,750 INFO [org.xnio.nio] (MSC service thread 1-2) XNIO NIO > > Implementation Version 3.3.1.Final > > > 10:49:42,782 INFO [org.jboss.as.clustering.infinispan] (ServerService > > Thread > > Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem. > > > 10:49:42,782 INFO [ org.wildfly.extension.io ] (ServerService Thread Pool > > -- > > 38) WFLYIO001: Worker 'default' has auto-configured to 16 core threads with > > 128 task threads based on your 8 available processors > > > 10:49:42,784 INFO [org.jboss.remoting] (MSC service thread 1-2) JBoss > > Remoting version 4.0.9.Final > > > 10:49:42,800 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread > > Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. 
> > > 10:49:42,819 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) > > WFLYSEC0002: Activating Security Subsystem > > > 10:49:42,824 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) > > WFLYTX0013: Node identifier property is set to the default value. Please > > make sure it is unique. > > > 10:49:42,843 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) > > WFLYNAM0001: Activating Naming Subsystem > > > 10:49:42,841 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) > > WFLYJSF0007: Activated the following JSF Implementations: [main] > > > 10:49:42,859 INFO [org.jboss.as.security] (MSC service thread 1-3) > > WFLYSEC0001: Current PicketBox version=4.9.2.Final > > > 10:49:42,922 INFO [org.jboss.as.connector] (MSC service thread 1-8) > > WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > > > 10:49:42,976 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- > > 59) WFLYWS0002: Activating WebServices Extension > > > 10:49:42,986 INFO [org.wildfly.extension.undertow] (ServerService Thread > > Pool > > -- 58) WFLYUT0003: Undertow 1.2.9.Final starting > > > 10:49:42,986 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) > > WFLYUT0003: Undertow 1.2.9.Final starting > > > 10:49:42,991 INFO [org.jboss.as.connector.subsystems.datasources] > > (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant > > driver class org.h2.Driver (version 1.3) > > > 10:49:42,994 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > > thread > > 1-2) WFLYJCA0018: Started Driver service with driver-name = h2 > > > 10:49:43,118 INFO [org.jboss.as.naming] (MSC service thread 1-7) > > WFLYNAM0003: > > Starting Naming Service > > > 10:49:43,119 INFO [org.jboss.as.mail.extension] (MSC service thread 1-6) > > WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] > > > 10:49:43,168 INFO [org.wildfly.extension.undertow] (ServerService Thread > > Pool > > -- 58) WFLYUT0014: Creating file handler for 
path > > /radargun/keycloak-1.7.0.Final/welcome-content > > > 10:49:43,181 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) > > WFLYUT0012: Started server default-server. > > > 10:49:43,213 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) > > WFLYUT0018: Host default-host starting > > > 10:49:43,294 INFO [org.wildfly.extension.undertow] (MSC service thread 1-8) > > WFLYUT0006: Undertow AJP listener ajp listening on / 172.31.4.165:8009 > > > 10:49:43,303 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) > > MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final > > > 10:49:43,307 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) > > WFLYUT0006: Undertow HTTP listener default listening on / 172.31.4.165:8080 > > > 10:49:43,333 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) > > MODCLUSTER000032: Listening to proxy advertisements on / 224.0.1.105:23364 > > > 10:49:43,480 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > > service thread 1-3) WFLYJCA0001: Bound data source > > [java:jboss/datasources/ExampleDS] > > > 10:49:43,480 INFO [org.jboss.as.connector.subsystems.datasources] (MSC > > service thread 1-4) WFLYJCA0001: Bound data source > > [java:jboss/datasources/KeycloakDS] > > > 10:49:43,739 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) > > WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: > > "keycloak-server.war") > > > 10:49:43,784 INFO [org.jboss.ws.common.management] (MSC service thread 1-8) > > JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final > > > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) > > > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) > > ------------------------------------------------------------------- > > > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) GMS: address=node0, > > cluster=ee, physical address= 172.31.4.165:7600 > > > 10:49:44,786 INFO [stdout] (MSC service thread 1-1) 
> > ------------------------------------------------------------------- > > > 10:49:45,049 INFO > > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService > > Thread Pool -- 64) ISPN000078: Starting JGroups channel keycloak > > > 10:49:45,055 INFO > > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService > > Thread Pool -- 64) ISPN000094: Received new cluster view for channel > > keycloak: [node0|0] (1) [node0] > > > 10:49:45,064 INFO > > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService > > Thread Pool -- 64) ISPN000079: Channel keycloak local address is node0, > > physical addresses are [ 172.31.4.165:7600 ] > > > 10:49:45,067 INFO [org.infinispan.factories.GlobalComponentRegistry] > > (ServerService Thread Pool -- 64) ISPN000128: Infinispan version: > > Infinispan > > 'Insanely Bad Elf' 7.2.3.Final > > > 10:49:45,242 INFO [org.jboss.as.clustering.infinispan] (ServerService > > Thread > > Pool -- 64) WFLYCLINF0002: Started users cache from keycloak container > > > 10:49:45,242 INFO [org.jboss.as.clustering.infinispan] (ServerService > > Thread > > Pool -- 65) WFLYCLINF0002: Started realms cache from keycloak container > > > 10:49:45,243 INFO [org.jboss.as.clustering.infinispan] (ServerService > > Thread > > Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak container > > > 10:49:45,243 INFO [org.jboss.as.clustering.infinispan] (ServerService > > Thread > > Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak > > container > > > 10:49:45,846 INFO [org.keycloak.services.resources.KeycloakApplication] > > (ServerService Thread Pool -- 63) Load config from > > /radargun/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json > > > 10:49:46,642 INFO [org.hibernate.jpa.internal.util.LogHelper] > > (ServerService > > Thread Pool -- 63) HHH000204: Processing PersistenceUnitInfo [ > > > name: keycloak-default > > > ...] 
> > > 10:49:46,695 INFO [org.hibernate.Version] (ServerService Thread Pool -- 63) > > HHH000412: Hibernate Core {4.3.10.Final} > > > 10:49:46,696 INFO [org.hibernate.cfg.Environment] (ServerService Thread > > Pool > > -- 63) HHH000206: hibernate.properties not found > > > 10:49:46,697 INFO [org.hibernate.cfg.Environment] (ServerService Thread > > Pool > > -- 63) HHH000021: Bytecode provider name : javassist > > > 10:49:46,856 INFO [org.hibernate.annotations.common.Version] (ServerService > > Thread Pool -- 63) HCANN000001: Hibernate Commons Annotations {4.0.5.Final} > > > 10:49:46,906 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > > Pool > > -- 63) HHH000400: Using dialect: org.hibernate.dialect.H2Dialect > > > 10:49:46,912 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread > > Pool -- 63) HHH000431: Unable to determine H2 database version, certain > > features may not work > > > 10:49:47,191 INFO > > [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] > > (ServerService Thread Pool -- 63) HHH000397: Using > > ASTQueryTranslatorFactory > > > 10:49:47,223 INFO [org.hibernate.validator.internal.util.Version] > > (ServerService Thread Pool -- 63) HV000001: Hibernate Validator 5.1.3.Final > > > 10:49:49,112 INFO [org.jboss.as.clustering.infinispan] (ServerService > > Thread > > Pool -- 63) WFLYCLINF0002: Started offlineSessions cache from keycloak > > container > > > 10:49:49,147 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Deploying javax.ws.rs.core.Application: class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,149 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding class resource > > org.keycloak.services.resources.ThemeResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,149 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) 
Adding class resource > > org.keycloak.services.resources.JsResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding class resource > > org.keycloak.services.resources.WelcomeResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding class resource > > org.keycloak.services.resources.QRCodeResource from Application class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,150 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding singleton resource > > org.keycloak.services.resources.ServerVersionResource from Application > > class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding provider singleton > > org.keycloak.services.util.ObjectMapperResolver from Application class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding provider singleton > > org.keycloak.services.resources.ModelExceptionMapper from Application class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,151 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding singleton resource > > org.keycloak.services.resources.admin.AdminRoot from Application class > > org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,152 INFO [org.jboss.resteasy.spi.ResteasyDeployment] > > (ServerService > > Thread Pool -- 63) Adding singleton resource > > org.keycloak.services.resources.RealmsResource from Application class > > 
org.keycloak.services.resources.KeycloakApplication > > > 10:49:49,229 INFO [org.wildfly.extension.undertow] (ServerService Thread > > Pool > > -- 63) WFLYUT0021: Registered web context: /auth > > > 10:49:49,277 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) > > WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : > > "keycloak-server.war") > > > 10:49:49,572 INFO [ org.jboss.as ] (Controller Boot Thread) WFLYSRV0060: > > Http > > management interface listening on http://172.31.4.165:9990/management > > > 10:49:49,573 INFO [ org.jboss.as ] (Controller Boot Thread) WFLYSRV0051: > > Admin console listening on http://172.31.4.165:9990 > > > 10:49:49,573 INFO [ org.jboss.as ] (Controller Boot Thread) WFLYSRV0025: > > Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 8688ms - Started > > 344 of 593 services (339 services are lazy, passive or on-demand) > > > 10:50:16,178 INFO > > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > > (Incoming-2,ee,node0) ISPN000094: Received new cluster view for channel > > keycloak: [node0|1] (2) [node0, node1] > > > 10:50:16,650 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t2) > > ISPN000310: > > Starting cluster-wide rebalance for cache users, topology > > CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = > > 60, owners = (1)[node0: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, > > owners = (2)[node0: 30, node1: 30]}, unionCH=null, actualMembers=[node0, > > node1]} > > > 10:50:16,650 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) > > ISPN000310: > > Starting cluster-wide rebalance for cache realms, topology > > CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = > > 60, owners = (1)[node0: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, > > owners = (2)[node0: 30, node1: 30]}, unionCH=null, actualMembers=[node0, > > node1]} > > > 10:50:16,652 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) > > ISPN000310: > > Starting 
cluster-wide rebalance for cache sessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: 40+0]}, unionCH=null, actualMembers=[node0, node1]}
> > 10:50:16,652 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t3) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: 40+0]}, unionCH=null, actualMembers=[node0, node1]}
> > 10:50:16,712 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
> > 10:50:16,712 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 1
> > 10:50:16,758 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t1) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 1
> > 10:50:16,761 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 1
> > 10:50:22,061 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=1, rebalanceId=1, currentCH=DefaultConsistentHash{ns=80, owners = (1)[node0: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[node0: 40+0, node1: 40+0]}, unionCH=null, actualMembers=[node0, node1]}
> > 10:50:22,085 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t4) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 1
> >
> > > From: "Alan Field" <afield at redhat.com>
> > > To: "charles-edouard gagnaire" <c.gagnaire at kreactive.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Friday, December 18, 2015 10:21:54 AM
> > > Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
> > >
> > > Hey Charles,
> > >
> > > Thanks for the logs. I'm not sure what is wrong, but it looks like each server is creating a cluster of 1. I'll try it with my AWS account to see if I can figure out what is wrong.
> > >
> > > Alan
> > >
> > > > From: "charles-edouard gagnaire" <c.gagnaire at kreactive.com>
> > > > To: "Alan Field" <afield at redhat.com>
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Friday, December 18, 2015 10:04:53 AM
> > > > Subject: Re: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
> > > >
> > > > First I want to thank you guys for the quick answers, I was still reading the "Replace use of Infinispan with User Sessions SPI ?" discussion.
> > > >
> > > > Yes of course I can send all the logs. You'll find them below.
> > > >
> > > > The JGroups version is the one shipping with Keycloak 1.7, but the problem was the same with Keycloak 1.6.
> > > >
> > > > Looking at the config file, it looks like I'm using:
> > > > xmlns="urn:jboss:domain:jgroups:3.0">
> > > >
> > > > I didn't mention it but I use the archive I found on the Keycloak website. The archive is "keycloak-1.7.0.Final.tar.gz".
> > > > I just untarred it and modified the config files, then launched it using:
> > > > /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml
> > > >
> > > > Thank you again for your help.
> > > >
> > > > The logs for server 1 are:
> > > >
> > > > =========================================================================
> > > >
> > > > JBoss Bootstrap Environment
> > > >
> > > > JBOSS_HOME: /opt/keycloak-1.7.0.Final
> > > >
> > > > JAVA: /usr/lib/jvm/jre/bin/java
> > > >
> > > > JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> > > >
> > > > =========================================================================
> > > >
> > > > OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
> > > > 14:38:44,910 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
> > > > 14:38:45,091 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> > > > 14:38:45,163 INFO [ org.jboss.as ] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> > > > 14:38:46,358 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 24) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > > > > > > > > > 14:38:46,360 INFO [org.jboss.as.controller.management-deprecated] > > > > (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in > > > > the > > > > resource at address '/subsystem=datasources/data-source=PgDskeycloak' > > > > is > > > > deprecated, and may be removed in future version. See the attribute > > > > description in the output of the read-resource-description operation to > > > > learn more about the deprecation. > > > > > > > > > > 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] > > > > (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in > > > > the > > > > resource at address '/subsystem=datasources/data-source=ExampleDS' is > > > > deprecated, and may be removed in future version. See the attribute > > > > description in the output of the read-resource-description operation to > > > > learn more about the deprecation. > > > > > > > > > > 14:38:46,362 INFO [org.jboss.as.controller.management-deprecated] > > > > (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'enabled' in > > > > the > > > > resource at address '/subsystem=datasources/data-source=KeycloakDS' is > > > > deprecated, and may be removed in future version. See the attribute > > > > description in the output of the read-resource-description operation to > > > > learn more about the deprecation. > > > > > > > > > > 14:38:46,370 INFO [org.jboss.as.controller.management-deprecated] > > > > (ServerService Thread Pool -- 21) WFLYCTL0028: Attribute > > > > 'default-stack' > > > > in > > > > the resource at address '/subsystem=jgroups' is deprecated, and may be > > > > removed in future version. See the attribute description in the output > > > > of > > > > the read-resource-description operation to learn more about the > > > > deprecation. 
> > > > > > > > > > 14:38:46,572 INFO [org.jboss.as.server] (Controller Boot Thread) > > > > WFLYSRV0039: > > > > Creating http management service using socket-binding (management-http) > > > > > > > > > > 14:38:46,589 INFO [org.xnio] (MSC service thread 1-4) XNIO version > > > > 3.3.1.Final > > > > > > > > > > 14:38:46,607 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO > > > > Implementation Version 3.3.1.Final > > > > > > > > > > 14:38:46,655 INFO [org.jboss.remoting] (MSC service thread 1-4) JBoss > > > > Remoting version 4.0.9.Final > > > > > > > > > > 14:38:46,687 INFO [ org.wildfly.extension.io ] (ServerService Thread > > > > Pool > > > > -- > > > > 38) WFLYIO001: Worker 'default' has auto-configured to 4 core threads > > > > with > > > > 32 task threads based on your 2 available processors > > > > > > > > > > 14:38:46,685 INFO [org.jboss.as.connector.subsystems.datasources] > > > > (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying > > > > non-JDBC-compliant > > > > driver class org.postgresql.Driver (version 9.4) > > > > > > > > > > 14:38:46,715 INFO [org.jboss.as.clustering.jgroups] (ServerService > > > > Thread > > > > Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem. > > > > > > > > > > 14:38:46,724 INFO [org.jboss.as.clustering.infinispan] (ServerService > > > > Thread > > > > Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem. 
> > > > > > > > > > 14:38:46,744 INFO [org.jboss.as.connector] (MSC service thread 1-4) > > > > WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final) > > > > > > > > > > 14:38:46,746 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > > > > thread > > > > 1-2) WFLYJCA0018: Started Driver service with driver-name = postgresql > > > > > > > > > > 14:38:46,767 INFO [org.jboss.as.connector.subsystems.datasources] > > > > (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant > > > > driver class org.h2.Driver (version 1.3) > > > > > > > > > > 14:38:46,769 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service > > > > thread > > > > 1-2) WFLYJCA0018: Started Driver service with driver-name = h2 > > > > > > > > > > 14:38:46,781 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) > > > > WFLYJSF0007: Activated the following JSF Implementations: [main] > > > > > > > > > > 14:38:46,772 INFO [org.jboss.as.naming] (ServerService Thread Pool -- > > > > 49) > > > > WFLYNAM0001: Activating Naming Subsystem > > > > > > > > > > 14:38:46,914 INFO [org.jboss.as.security] (ServerService Thread Pool -- > > > > 56) > > > > WFLYSEC0002: Activating Security Subsystem > > > > > > > > > > 14:38:46,916 INFO [org.jboss.as.security] (MSC service thread 1-1) > > > > WFLYSEC0001: Current PicketBox version=4.9.2.Final > > > > > > > > > > 14:38:46,932 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) > > > > WFLYTX0013: Node identifier property is set to the default value. > > > > Please > > > > make sure it is unique. 
> > > > > > > > > > 14:38:46,957 INFO [org.jboss.as.webservices] (ServerService Thread Pool > > > > -- > > > > 59) WFLYWS0002: Activating WebServices Extension > > > > > > > > > > 14:38:46,985 INFO [org.jboss.as.naming] (MSC service thread 1-2) > > > > WFLYNAM0003: > > > > Starting Naming Service > > > > > > > > > > 14:38:46,992 INFO [org.jboss.as.mail.extension] (MSC service thread > > > > 1-4) > > > > WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] > > > > > > > > > > 14:38:47,115 INFO [org.wildfly.extension.undertow] (MSC service thread > > > > 1-1) > > > > WFLYUT0003: Undertow 1.2.9.Final starting > > > > > > > > > > 14:38:47,119 INFO [org.wildfly.extension.undertow] (ServerService > > > > Thread > > > > Pool > > > > -- 58) WFLYUT0003: Undertow 1.2.9.Final starting > > > > > > > > > > 14:38:47,206 INFO [org.wildfly.extension.undertow] (ServerService > > > > Thread > > > > Pool > > > > -- 58) WFLYUT0014: Creating file handler for path > > > > /opt/keycloak-1.7.0.Final/welcome-content > > > > > > > > > > 14:38:47,229 INFO [org.wildfly.extension.undertow] (MSC service thread > > > > 1-4) > > > > WFLYUT0012: Started server default-server. 
> > > > 14:38:47,263 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
> > > > 14:38:47,320 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.7.103:8009
> > > > 14:38:47,324 INFO [org.wildfly.extension.undertow] (MSC service thread 1-3) WFLYUT0006: Undertow HTTP listener default listening on /10.1.7.103:8080
> > > > 14:38:47,339 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
> > > > 14:38:47,372 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
> > > > 14:38:47,478 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
> > > > 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> > > > 14:38:47,513 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> > > > 14:38:47,530 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
> > > > 14:38:47,673 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> > > > 14:38:47,820 INFO [org.jboss.ws.common.management] (MSC service thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> > > > 14:38:48,898 INFO [stdout] (MSC service thread 1-2)
> > > > 14:38:48,898 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > > > 14:38:48,898 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> > > > 14:38:48,899 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > > > 14:38:49,250 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
> > > > 14:38:49,265 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> > > > 14:38:49,273 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-7-103, physical addresses are [10.1.7.103:7600]
> > > > 14:38:49,277 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
> > > > 14:38:49,521 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
> > > > 14:38:49,529 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started loginFailures cache from keycloak container
> > > > 14:38:49,530 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started sessions cache from keycloak container
> > > > 14:38:49,536 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
> > > > 14:38:50,116 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 66) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
> > > > 14:38:50,638 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 66) HHH000204: Processing PersistenceUnitInfo [
> > > > name: keycloak-default
> > > > ...]
> > > > 14:38:50,690 INFO [org.hibernate.Version] (ServerService Thread Pool -- 66) HHH000412: Hibernate Core {4.3.10.Final}
> > > > 14:38:50,691 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000206: hibernate.properties not found
> > > > 14:38:50,693 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 66) HHH000021: Bytecode provider name : javassist
> > > > 14:38:50,842 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 66) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
> > > > 14:38:51,794 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 66) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
> > > > 14:38:51,803 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 66) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
> > > > 14:38:52,120 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 66) HHH000397: Using ASTQueryTranslatorFactory
> > > > 14:38:52,156 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 66) HV000001: Hibernate Validator 5.1.3.Final
> > > > 14:38:53,706 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> > > > 14:38:53,748 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,750 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,751 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,752 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 66) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:38:53,824 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 66) WFLYUT0021: Registered web context: /auth
> > > > 14:38:53,920 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> > > > 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.7.103:9990/management
> > > > 14:38:54,021 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.7.103:9990
> > > > 14:38:54,022 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 9388ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)
> > > >
> > > > The logs for server 2 are:
> > > >
> > > > =========================================================================
> > > >
> > > > JBoss Bootstrap Environment
> > > >
> > > > JBOSS_HOME: /opt/keycloak-1.7.0.Final
> > > > JAVA: /usr/lib/jvm/jre/bin/java
> > > > JAVA_OPTS: -server -XX:+UseCompressedOops -server -XX:+UseCompressedOops -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> > > >
> > > > =========================================================================
> > > >
> > > > 14:38:48,239 INFO [org.jboss.modules] (main) JBoss Modules version 1.4.3.Final
> > > > 14:38:48,723 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
> > > > 14:38:48,896 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) starting
> > > > 14:38:50,979 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 8) WFLYCTL0028: Attribute 'job-repository-type' in the resource at address '/subsystem=batch' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > > > 14:38:50,983 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=PgDskeycloak' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > > > 14:38:50,986 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > > > 14:38:51,010 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 14) WFLYCTL0028: Attribute 'default-stack' in the resource at address '/subsystem=jgroups' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > > > 14:38:51,044 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 11) WFLYCTL0028: Attribute 'enabled' in the resource at address '/subsystem=datasources/data-source=KeycloakDS' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> > > > 14:38:51,452 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
> > > > 14:38:51,499 INFO [org.xnio] (MSC service thread 1-1) XNIO version 3.3.1.Final
> > > > 14:38:51,520 INFO [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.3.1.Final
> > > > 14:38:51,590 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 9.4)
> > > > 14:38:51,603 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 38) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available processors
> > > > 14:38:51,601 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 39) WFLYCLINF0001: Activating Infinispan subsystem.
> > > > 14:38:51,634 INFO [org.jboss.as.clustering.jgroups] (ServerService Thread Pool -- 43) WFLYCLJG0001: Activating JGroups subsystem.
> > > > 14:38:51,694 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 49) WFLYNAM0001: Activating Naming Subsystem
> > > > 14:38:51,666 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 46) WFLYJSF0007: Activated the following JSF Implementations: [main]
> > > > 14:38:51,696 INFO [org.jboss.as.connector] (MSC service thread 1-2) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
> > > > 14:38:51,932 INFO [org.jboss.as.webservices] (ServerService Thread Pool -- 59) WFLYWS0002: Activating WebServices Extension
> > > > 14:38:51,970 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 4.0.9.Final
> > > > 14:38:51,975 INFO [org.jboss.as.security] (ServerService Thread Pool -- 56) WFLYSEC0002: Activating Security Subsystem
> > > > 14:38:51,972 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 35) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3)
> > > > 14:38:51,971 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 57) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
> > > > 14:38:52,140 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0003: Undertow 1.2.9.Final starting
> > > > 14:38:52,187 INFO [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=4.9.2.Final
> > > > 14:38:52,224 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = postgresql
> > > > 14:38:52,225 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0018: Started Driver service with driver-name = h2
> > > > 14:38:52,368 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 1.2.9.Final starting
> > > > 14:38:52,369 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service
> > > > 14:38:52,471 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
> > > > 14:38:52,710 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 58) WFLYUT0014: Creating file handler for path /opt/keycloak-1.7.0.Final/welcome-content
> > > > 14:38:52,864 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0012: Started server default-server.
> > > > 14:38:53,133 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTP listener default listening on /10.1.1.245:8080
> > > > 14:38:53,166 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting
> > > > 14:38:53,192 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow AJP listener ajp listening on /10.1.1.245:8009
> > > > 14:38:53,211 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000001: Initializing mod_cluster version 1.3.1.Final
> > > > 14:38:53,307 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 62) MODCLUSTER000032: Listening to proxy advertisements on /224.0.1.105:23364
> > > > 14:38:53,779 INFO [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) IJ020018: Enabling for java:jboss/datasources/PgDskeycloak
> > > > 14:38:53,896 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
> > > > 14:38:53,903 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> > > > 14:38:53,909 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/PgDskeycloak]
> > > > 14:38:54,118 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
> > > > 14:38:54,306 INFO [org.jboss.ws.common.management] (MSC service thread 1-1) JBWS022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> > > > 14:38:56,138 INFO [stdout] (MSC service thread 1-2)
> > > > 14:38:56,138 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > > > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> > > > 14:38:56,139 INFO [stdout] (MSC service thread 1-2) -------------------------------------------------------------------
> > > > 14:38:56,606 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000078: Starting JGroups channel keycloak
> > > > 14:38:56,623 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> > > > 14:38:56,644 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000079: Channel keycloak local address is ip-10-1-1-245, physical addresses are [10.1.1.245:7600]
> > > > 14:38:56,651 INFO [org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread Pool -- 62) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf' 7.2.3.Final
> > > > 14:38:57,044 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started users cache from keycloak container
> > > > 14:38:57,050 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started sessions cache from keycloak container
> > > > 14:38:57,055 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realms cache from keycloak container
> > > > 14:38:57,059 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started loginFailures cache from keycloak container
> > > > 14:38:58,007 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 64) Load config from /opt/keycloak-1.7.0.Final/standalone/configuration/keycloak-server.json
> > > > 14:38:58,755 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 64) HHH000204: Processing PersistenceUnitInfo [
> > > > name: keycloak-default
> > > > ...]
> > > > 14:38:58,812 INFO [org.hibernate.Version] (ServerService Thread Pool -- 64) HHH000412: Hibernate Core {4.3.10.Final}
> > > > 14:38:58,819 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000206: hibernate.properties not found
> > > > 14:38:58,824 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 64) HHH000021: Bytecode provider name : javassist
> > > > 14:38:59,268 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 64) HCANN000001: Hibernate Commons Annotations {4.0.5.Final}
> > > > 14:39:00,264 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 64) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL9Dialect
> > > > 14:39:00,272 INFO [org.hibernate.engine.jdbc.internal.LobCreatorBuilder] (ServerService Thread Pool -- 64) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException
> > > > 14:39:00,602 INFO [org.hibernate.hql.internal.ast.ASTQueryTranslatorFactory] (ServerService Thread Pool -- 64) HHH000397: Using ASTQueryTranslatorFactory
> > > > 14:39:00,634 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 64) HV000001: Hibernate Validator 5.1.3.Final
> > > > 14:39:04,607 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started offlineSessions cache from keycloak container
> > > > 14:39:04,665 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,667 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.QRCodeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,668 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.resources.ModelExceptionMapper from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.ServerVersionResource from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,669 INFO [org.jboss.resteasy.spi.ResteasyDeployment] (ServerService Thread Pool -- 64) Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication
> > > > 14:39:04,757 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 64) WFLYUT0021: Registered web context: /auth
> > > > 14:39:04,844 INFO [org.jboss.as.server] (ServerService Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> > > > 14:39:05,526 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://10.1.1.245:9990/management
> > > > 14:39:05,527 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://10.1.1.245:9990
> > > > 14:39:05,531 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 17727ms - Started 349 of 613 services (353 services are lazy, passive or on-demand)
> > > >
> > > > CHARLES-EDOUARD GAGNAIRE
> > > > SysAdmin
> > > > c.gagnaire at kreactive.com
> > > > p. 06.27.80.28.53
> > > > LYON "Le Capitole"
> > > > 97, cours Gambetta
> > > > 69481 Lyon Cedex 03
> > > > PARIS
> > > > 16, rue de Turbigo
> > > > 75002 Paris
> > > >
> > > > 2015-12-18 15:53 GMT+01:00 Alan Field <afield at redhat.com>:
> > > >
> > > > > Hey Charles,
> > > > >
> > > > > Can you send the full logs and tell me which version of JGroups you are using?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Alan
> > > > >
> > > > > > From: "charles-edouard gagnaire" <c.gagnaire at kreactive.com>
> > > > > > To: keycloak-user at lists.jboss.org
> > > > > > Sent: Friday, December 18, 2015 9:01:12 AM
> > > > > > Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
> > > > > >
> > > > > > hi,
> > > > > >
> > > > > > I'm having trouble configuring a Keycloak cluster running on AWS' EC2.
> > > > > >
> > > > > > The database configuration is OK, no problem, but I can't manage to get the invalidation cache working correctly.
> > > > > >
> > > > > > I configured Infinispan to work with the S3_ping plugin (the relevant part of my configuration is below).
> > > > > >
> > > > > > When I run both servers, the connection with the database is OK, but the Infinispan logs look like this:
> > > > > >
> > > > > > On Server 1:
> > > > > >
> > > > > > ...
> > > > > > 11:00:17,592 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-7-103, cluster=ee, physical address=10.1.7.103:7600
> > > > > > ...
> > > > > > 11:00:18,057 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-7-103|0] (1) [ip-10-1-7-103]
> > > > > > ...
> > > > > >
> > > > > > On Server 2:
> > > > > >
> > > > > > ...
> > > > > > 11:03:41,159 INFO [stdout] (MSC service thread 1-1) GMS: address=ip-10-1-1-245, cluster=ee, physical address=10.1.1.245:7600
> > > > > > ...
> > > > > > 11:03:41,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (ServerService Thread Pool -- 62) ISPN000094: Received new cluster view for channel keycloak: [ip-10-1-1-245|0] (1) [ip-10-1-1-245]
> > > > > > ...
> > > > > >
> > > > > > In my S3 bucket, I have 2 files created:
> > > > > >
> > > > > > 402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list
> > > > > > a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list
> > > > > >
> > > > > > And the content of the files is like this:
> > > > > >
> > > > > > File 1:
> > > > > > ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T
> > > > > >
> > > > > > File 2:
> > > > > > ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T
> > > > > >
> > > > > > When I read the logs, it looks like the Infinispan caches can't contact each other.
> > > > > >
> > > > > > I double-checked my network config, and I tried connecting from one server to the other using nc (like this: nc -vvv 10.1.7.103 7600) and this works fine.
> > > > > >
> > > > > > Is there a way to check the Infinispan status of the servers?
> > > > > >
> > > > > > Do you guys have any clue on how to make this work?
> > > > > >
> > > > > > Thank you,
> > > > > >
> > > > > > Charles-Edouard
> > > > > >
> > > > > > My config looks like this:
> > > > > >
> > > > > > - Standalone-ha.xml
> > > > > >
> > > > > > ...
> > > > > > org.postgresql.Driver
> > > > > > org.postgresql.xa.PGXADataSource
> > > > > > pool-name="PgDskeycloak" enabled="true" use-java-context="true">
> > > > > > jdbc:postgresql://****:5432/keycloak?ApplicationName=keycloak
> > > > > > postgresql
> > > > > > 5
> > > > > > 5
> > > > > > 100
> > > > > > true
> > > > > > class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker">
> > > > > > class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter">
> > > > > > ****
> > > > > > ****
> > > > > > ...
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > **** > > > > > > > > > > > > > > > > > > > > > **** > > > > > > > > > > > > > > > > > > > > > **** > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ... 
> - keycloak-server.json
>
> {
>     "providers": [
>         "classpath:${jboss.server.config.dir}/providers/*"
>     ],
>     "admin": {
>         "realm": "master"
>     },
>     "eventsStore": {
>         "provider": "jpa",
>         "jpa": {
>             "exclude-events": [ "REFRESH_TOKEN" ]
>         }
>     },
>     "realm": {
>         "provider": "jpa"
>     },
>     "user": {
>         "provider": "jpa"
>     },
>     "userSessionPersister": {
>         "provider": "jpa"
>     },
>     "timer": {
>         "provider": "basic"
>     },
>     "theme": {
>         "default": "keycloak",
>         "staticMaxAge": 2592000,
>         "cacheTemplates": true,
>         "cacheThemes": true,
>         "folder": {
>             "dir": "${jboss.server.config.dir}/themes"
>         }
>     },
>     "scheduled": {
>         "interval": 900
>     },
>     "connectionsHttpClient": {
>         "default": {
>             "disable-trust-manager": true
>         }
>     },
>     "connectionsJpa": {
>         "default": {
>             "dataSource": "java:jboss/datasources/PgDskeycloak",
>             "databaseSchema": "update"
>         }
>     },
>     "connectionsInfinispan": {
>         "default" : {
>             "cacheContainer" : "java:jboss/infinispan/Keycloak"
>         }
>     }
> }
>
> CHARLES-EDOUARD GAGNAIRE
> SysAdmin
> c.gagnaire at kreactive.com
> p. 06.27.80.28.53
> LYON "Le Capitole", 97, cours Gambetta, 69481 Lyon Cedex 03
> PARIS, 16, rue de Turbigo, 75002 Paris
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hamed at web-presence-in-china.com Fri Dec 18 23:47:15 2015
From: hamed at web-presence-in-china.com (ha.hamed@gmail.com)
Date: Sat, 19 Dec 2015 12:47:15 +0800
Subject: [keycloak-user] Use SMS for login/register

I'm living in China for years now. Most Chinese services here work with SMS for login (OTP) and registration. If you force them to fill in a form, you will lose most of your users. I'm wondering how I can add this capability to Keycloak.

Regards,
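Returning to the S3_PING thread above: an added diagnostic (not code from the thread, from JGroups or from Keycloak) that parses the two posted .list objects and flags the case where every node lists itself as coordinator, which is what two separate one-node clusters look like in the bucket. It assumes the FILE_PING line layout seen in the posted files, logical name, uuid, ip:port and a T/F coordinator flag, and the object-key layout uuid.logical_name.list; the sample bucket is constructed from the thread's two files.

```python
"""Diagnose an S3_PING discovery bucket from its FILE_PING-style .list objects.

Assumed line format (as seen in the posted files): <logical_name> <uuid> <ip:port> <T|F>,
where the last column is the node's coordinator flag. Sample input below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+([TF])\s*$")


@dataclass(frozen=True)
class Member:
    logical_name: str
    uuid: str
    address: str       # "ip:port" of the JGroups transport
    coordinator: bool  # True when the node wrote "T"


def parse_list_file(text: str) -> List[Member]:
    """Parse one .list object; raise on lines that do not match the expected format."""
    members = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised FILE_PING line: %r" % line)
        name, uuid, ip, port, coord = m.groups()
        members.append(Member(name, uuid, "%s:%s" % (ip, port), coord == "T"))
    return members


def diagnose(bucket: Dict[str, str]) -> Dict:
    """bucket maps object key -> object content; returns members, coordinator count, problems."""
    members: List[Member] = []
    problems: List[str] = []
    for key, content in bucket.items():
        parsed = parse_list_file(content)
        members.extend(parsed)
        # Assumed key layout <uuid>.<logical_name>.list (both keys in the thread follow it);
        # a mismatch usually means a stale object left behind by a node that was replaced.
        for mem in parsed:
            expected_key = "%s.%s.list" % (mem.uuid, mem.logical_name)
            if key != expected_key:
                problems.append("%s: content describes %s" % (key, expected_key))
    coords = [m for m in members if m.coordinator]
    if len(coords) > 1:
        # Every node claiming coordinator means discovery found nobody and each node
        # formed a cluster of one; that matches "the caches can't contact each other".
        problems.append("split brain: %d coordinators (%s)"
                        % (len(coords), ", ".join(m.address for m in coords)))
    elif members and not coords:
        problems.append("no coordinator listed")
    ports = {m.address.rsplit(":", 1)[1] for m in members}
    if len(ports) > 1:
        problems.append("members advertise different JGroups ports: %s" % sorted(ports))
    return {"members": members, "coordinators": len(coords), "problems": problems}


# Constructed sample mirroring the two objects posted in the thread.
SAMPLE_BUCKET = {
    "402ea329-c135-f1e9-2782-02768779e02f.ip-10-1-1-245.list":
        "ip-10-1-1-245 402ea329-c135-f1e9-2782-02768779e02f 10.1.1.245:7600 T\n",
    "a584321f-408b-b2ae-e2dd-d19333db96c4.ip-10-1-7-103.list":
        "ip-10-1-7-103 a584321f-408b-b2ae-e2dd-d19333db96c4 10.1.7.103:7600 T\n",
}

if __name__ == "__main__":
    report = diagnose(SAMPLE_BUCKET)
    print("members:", len(report["members"]), "coordinators:", report["coordinators"])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Pointing the script at the objects fetched from the real bucket gives a quick answer to "is there a way to check the Infinispan status": a single "T" across all objects is a formed cluster, one "T" per object is not.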
From lingvisa at gmail.com Sun Dec 20 18:11:28 2015
From: lingvisa at gmail.com (Martin Min)
Date: Sun, 20 Dec 2015 18:11:28 -0500
Subject: [keycloak-user] Can't get the customer-portal tutorial running correctly

Hello, I am new to Keycloak and am having an issue getting the customer-portal tutorial running fully. After following all the instructions in the tutorial and running the customer-portal application, I received the following result:

"
Goto: products | logout | manage acct
Caller IDToken values (You can specify what is returned in IDToken in the customer-portal claims page in the admin console:
Username: lingvisa
Email: lingvisa at gmail.com
Full Name: martin
First: martin
Customer Listing
There was a failure processing request. You either didn't configure Keycloak properly, or maybe you just forgot to secure the database service? Status from database service invocation was: 401
"

My JSON file in the database-service application:

{
  "realm": "demo",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg3cFXIGDZzubQg+31kGsG6yYK+nsrkx4FB4BHnn9mCFjcan0LACZDt3rOqFuA2Z9J1sJsLACbrEZMgLoYl0XtnZyobs99lKrKJkSnwDi10ptQ24M1eYrqBs84VOv4t8xLLg34Em7033mPOXtEFVU0s1kcawZCD30vMwbYXyyOrK5peoLBoGeY9dUZLRPEJ/hrGZxkrWjNobd4Gkf5FTMdKAqTJtf/YqYsvBP5VrJT+yIuLBw8sq+cZKqBdAvb6nuOs6UEZpioEos9KWaTryxn0MYY1r75g9Udd0FSW+e+5Pm7+J+wDQVEkJ+tEXoiv9JADHc9BgHM6eqwzavpryPWwIDAQAB",
  "bearer-only": true,
  "ssl-required": "external",
  "resource": "database-service"
}

What might cause the 401 error message? Thank you.

I am using the latest download "/keycloak-demo-1.7.0.Final" and the admin console is a bit different from the one in the tutorial. But there is no significant difference. In the Keycloak console, I created the "database" client with only two fields filled:

client protocol: openid-connect
access type: bearer-only

Without any URLs used, as in customer-portal and product-portal.
Thank you.

From sthorger at redhat.com Mon Dec 21 02:52:47 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Dec 2015 08:52:47 +0100
Subject: [keycloak-user] Use SMS for login/register

Take a look at http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html

On 19 December 2015 at 05:47, ha.hamed at gmail.com <hamed at web-presence-in-china.com> wrote:
> I'm living in China for years now. Most of Chinese services here work with
> SMS for login (OTP) and registration. [...]

From sthorger at redhat.com Mon Dec 21 02:53:55 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Dec 2015 08:53:55 +0100
Subject: [keycloak-user] Can't get the customer-portal tutorial running correctly

Is the realm-public-key the same in keycloak.json in the database service as it is in the realm you have?

On 21 December 2015 at 00:11, Martin Min wrote:
> Hello, I am new to Keycloak and am having an issue getting the
> customer-portal tutorial running fully. [...]
>
> What might cause the 401 error message? Thank you.
>
> In the Keycloak console, I created the "database" client with only two fields filled:
>
> client protocol: openid-connect
> access type: bearer-only
>
> Without any URLs used, as in customer-portal and product-portal.
From c.gagnaire at kreactive.com Mon Dec 21 04:09:15 2015
From: c.gagnaire at kreactive.com (charles-edouard gagnaire)
Date: Mon, 21 Dec 2015 10:09:15 +0100
Subject: [keycloak-user] Problem running keycloak cluster on EC2 with S3_ping
In-Reply-To: <1293737813.29528323.1450465957001.JavaMail.zimbra@redhat.com>
References: <1940183163.29425630.1450450421689.JavaMail.zimbra@redhat.com> <1313897333.29439715.1450452114385.JavaMail.zimbra@redhat.com> <1136942401.29453944.1450454151035.JavaMail.zimbra@redhat.com> <1293737813.29528323.1450465957001.JavaMail.zimbra@redhat.com>

Hi, sorry for the late answer but I was afk for the weekend and missed your mail.

For the launch: I tried to launch them at the same time: doesn't work. I tried to wait for the message "08:27:30,825 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 1.7.0.Final (WildFly Core 1.0.2.Final) started in 12810ms - Started 352 of 600 services (340 services are lazy, passive or on-demand)" before launching the second instance, but it's the same.

I've put my whole instance config, and the command I use to launch the instance, in case I've done something wrong. I'm using root to launch my instance, are you doing the same?
Thanks again for your help ;)

Charles-Edouard

Command to launch:

Host 1:
[root at ip-10-1-7-103 ~]# /opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml -Djboss.bind.address=10.1.7.103 -Djboss.bind.address.management=10.1.7.103 -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node0

Host 2:
/opt/keycloak-1.7.0.Final/bin/standalone.sh -c standalone-ha.xml -Djboss.bind.address=10.1.7.103 -Djboss.bind.address.management=10.1.1.245 -Djboss.socket.binding.port-offset=0 -Djboss.node.name=node1

Config: Host 1 (the second config is the same, but I can't enclose it here because of the size limitation)

[root at ip-10-1-7-103 keycloak-1.7.0.Final]# cat standalone/configuration/standalone-ha.xml
[standalone-ha.xml contents; the archive stripped the XML tags, leaving only element values: driver org.postgresql.Driver with XA datasource class org.postgresql.xa.PGXADataSource; connection URL jdbc:postgresql://sso-keycloak-prod.cp8bhn7eutp3.eu-west-1.rds.amazonaws.com:5432/keycloak?ApplicationName=keycloak, driver postgresql, pool values 5, 5, 100, true, database user kreactive; two H2 datasources, jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE and jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE, user/password sa/sa, datasource class org.h2.jdbcx.JdbcDataSource; a JGroups S3_PING stack using bucket keycloakinfinispan with an AWS access key and secret access key; bind address ${jboss.bind.address:127.0.0.1}; web context auth. The database password and the AWS key pair that appeared in clear text in the original are omitted here.]

CHARLES-EDOUARD GAGNAIRE
SysAdmin
c.gagnaire at kreactive.com
p. 06.27.80.28.53
LYON "Le Capitole", 97, cours Gambetta, 69481 Lyon Cedex 03
PARIS, 16, rue de Turbigo, 75002 Paris

2015-12-18 20:12 GMT+01:00 Alan Field :
> Hey Charles,
>
> All I did in my config file is change the following:
>
> [jgroups stack excerpt; the archive stripped the XML tags, leaving only the attribute names location and secret_access_key]
>
> ...
>
> I'm still not sure why the nodes aren't clustering. Are you starting them
> simultaneously? Can you try letting one node completely start before you
> start the second one? If that doesn't work, we may need to take the
> discussion to the jgroups-users list, since this is not KeyCloak specific.
>
> Thanks,
>
> Alan

From orestis.tsakiridis at telestax.com Mon Dec 21 07:47:06 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Mon, 21 Dec 2015 14:47:06 +0200
Subject: [keycloak-user] Porting user passwords to keycloak

Hello again!

So, I've recently pulled your master branch and started working on it (HEAD was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password hashing SPI.

Actually, I implemented PasswordHashProvider and PasswordHashProviderFactory and created a provider .jar as described in http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html.

So, all went fine there. Deployment on Keycloak had no issues either.

I'm wondering however how I enable this custom Password Hash Provider. Is there a switch so that instead of using the "Pbkdf2PasswordHashProvider" it uses my custom "RestcommPasswordHashProvider"?

All I've found is the "Authentication/Password Policy/Hash algorithm" in the Administration Console UI that directly maps to "Pbkdf2PasswordHashProvider", but adding a new entry and changing this to "restcomm-md5" (the id of the new provider) seems to have no effect.

Any ideas?

On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Great! I will keep an eye on it.
>
> BR
>
> Orestis
>
> On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen wrote:
>> That'd be great. If you watch this
>> https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in
>> master.
>>
>> Hopefully it should be added within a few days.
>>
>> On 3 December 2015 at 10:08, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>> Ok Stian.
>>>
>>> I will try to implement auth_spi.
>>>
>>> Btw, if you need any early adopters for your new Password Hashing SPI
>>> feature, we will gladly use it in our new "Restcomm as a Service"
>>> implementation and send feedback.
>>>
>>> Thanks
>>>
>>> Orestis
>>>
>>> Telestax
>>>
>>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen wrote:
>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>>
>>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>> Thanks Stian.
>>>>>
>>>>> Can you send me some documentation or source code pointers about
>>>>> "modifying the password authenticator"? Are we talking about a Java class,
>>>>> overriding the login form? Sth else?
>>>>>
>>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen wrote:
>>>>>> So looks like we will indeed have the password hash SPI in 1.8. It'll be
>>>>>> released in early January.
>>>>>>
>>>>>> If you can't wait for that I think it would be better to not import
>>>>>> users with a password at all and instead send reset password links to their
>>>>>> email address. That would assume all users have emails registered. Or you
>>>>>> could also modify the password authenticator and make it run md5 on the value
>>>>>> of the input password for users that haven't updated their password yet.
>>>>>>
>>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>> Ok, so I guess I'll have to go with a workaround, password reset,
>>>>>>> etc. as I've described.
>>>>>>>
>>>>>>> Thanks Stian
>>>>>>>
>>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>> We are planning to add a Password Hashing SPI, which will allow
>>>>>>>> plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>>
>>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm trying to create some migration scripts that will port users
>>>>>>>>> from Application1 into Keycloak. Users in Application1 already have
>>>>>>>>> usernames, passwords etc. I use the admin REST API to create the users.
>>>>>>>>>
>>>>>>>>> The problem I'm facing is that user passwords in the Application1
>>>>>>>>> database are already hashed using md5. So, I don't really know the actual
>>>>>>>>> passwords (security-wise that makes sense).
>>>>>>>>>
>>>>>>>>> The only solution I've come down to is to store the passwords as they
>>>>>>>>> are in Keycloak (md5ed) and tell the users to use the hashed value instead
>>>>>>>>> of the plaintext one when signing in. Then, force them to reset passwords.
>>>>>>>>> Not the best UX :-(
>>>>>>>>>
>>>>>>>>> Is there a way to tell Keycloak that "these passwords are already
>>>>>>>>> hashed in md5" so, "store them as they are" and "when a user tries to sign
>>>>>>>>> in, first hash his password with md5 and then compare to the value stored in
>>>>>>>>> db" or sth like that?
>>>>>>>>>
>>>>>>>>> Any alternatives come to mind?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Orestis
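The migration path discussed in this thread, written out as an added Python sketch (not Keycloak's PasswordHashProvider SPI and not code from the thread): the md5 digest exported from Application1 is stored tagged as legacy, a login compares md5 of the submitted password against it in constant time, and a successful legacy login is the one moment the plaintext is available, so the record is re-hashed with salted PBKDF2 right there. The credential field names, the in-memory store and the sample users are this example's own.

```python
"""Login path for users imported with a legacy md5 digest: verify md5 once, then re-hash.

Added example modelling the approach discussed in the thread; not Keycloak's
PasswordHashProvider SPI. Credential dicts, field names and the store are this
example's own; the sample users below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 20000  # illustrative value for the example


def md5_legacy(password: str) -> str:
    """The digest Application1 stored (unsalted md5 of the UTF-8 password)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_encode(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Dict:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"algorithm": "pbkdf2-sha256", "hash": dk.hex(),
            "salt": salt.hex(), "iterations": iterations}


def import_legacy_md5(md5_hex: str) -> Dict:
    """What the migration script stores: the digest as-is, tagged so login knows its origin."""
    return {"algorithm": "legacy-md5", "hash": md5_hex.lower(), "salt": "", "iterations": 1}


def verify(password: str, cred: Dict) -> bool:
    if cred["algorithm"] == "legacy-md5":
        candidate = md5_legacy(password)
    elif cred["algorithm"] == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(cred["salt"]), cred["iterations"]).hex()
    else:
        return False  # unknown algorithm tag: fail closed
    return hmac.compare_digest(candidate, cred["hash"])


def login(store: Dict[str, Dict], username: str, password: str) -> bool:
    """Authenticate and, on the first successful legacy login, replace the md5 record."""
    cred = store.get(username)
    if cred is None:
        pbkdf2_encode(password)  # spend comparable time for unknown users
        return False
    if not verify(password, cred):
        return False
    if cred["algorithm"] == "legacy-md5":
        # The plaintext is only available at login time, so this is the moment to
        # move the user onto the salted, iterated hash; the md5 record is gone after this.
        store[username] = pbkdf2_encode(password)
    return True


# Constructed sample: all the export from Application1 gives us is md5 digests.
LEGACY_EXPORT = {"alice": md5_legacy("correct horse"), "bob": md5_legacy("hunter2")}


def build_store() -> Dict[str, Dict]:
    return {user: import_legacy_md5(digest) for user, digest in LEGACY_EXPORT.items()}


if __name__ == "__main__":
    store = build_store()
    print("alice before:", store["alice"]["algorithm"])
    print("login ok:", login(store, "alice", "correct horse"))
    print("alice after:", store["alice"]["algorithm"])
```

Users who never log in keep the unsalted md5 record indefinitely, which is why the thread's other option, skipping the password import and sending reset links, is the cleaner choice where every account has a verified e-mail address.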
From orestis.tsakiridis at telestax.com Mon Dec 21 07:48:19 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Mon, 21 Dec 2015 14:48:19 +0200
Subject: [keycloak-user] Porting user passwords to keycloak

Btw, here is a screenshot of the 'switch' I referred to:

On Mon, Dec 21, 2015 at 2:47 PM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
> Hello again!
>
> So, I've recently pulled your master branch and started working on it
> (HEAD was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password
> hashing SPI. [...]
>
> All I've found is the "Authentication/Password Policy/Hash algorithm" in
> the Administration Console UI that directly maps to
> "Pbkdf2PasswordHashProvider" but adding a new entry and changing this
> to "restcomm-md5" (the id of the new provider) seems to have no effect.
>
> Any ideas?

[attachment: auth_password_policy.png (image/png, 39986 bytes) http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/05e77f99/attachment-0001.png]

From bburke at redhat.com Mon Dec 21 08:36:21 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 21 Dec 2015 08:36:21 -0500
Subject: [keycloak-user] Use SMS for login/register
Message-ID: <56780055.5060502@redhat.com>

We don't have any direct SMS integration because there seem to be a bunch of different providers for SMS and no clear leader, they cost money, and the popular ones differ depending on the region of the world. So...you have to code it yourself.

On 12/21/2015 2:52 AM, Stian Thorgersen wrote:
> Take a look at
> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>
> On 19 December 2015 at 05:47, ha.hamed at gmail.com <hamed at web-presence-in-china.com> wrote:
>
> I'm living in China for years now. Most Chinese services here
> work with SMS for login (OTP) and registration. If you force them to
> fill in a form, you will lose most of your users. I'm wondering how I can
> add this capability to Keycloak.
>
> Regards,

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ado.boj.83 at gmail.com Mon Dec 21 09:09:53 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Mon, 21 Dec 2015 15:09:53 +0100
Subject: [keycloak-user] Issue during Import of Realm via startup in domain mode

My environment:
keycloak-demo-1.7.0.Final running in domain mode with main server group: server-one and server-two
OracleLinux 7 (Java version 1.8.0_45) machine connected with Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options and Oracle JDBC driver 11.2.0.3.0

After importing a Realm during Keycloak startup in the console:
./domain.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/opt/keycloak-1.7.0.Final/export_demo.json

I got this ERROR only on server-two; server-one is OK:

[Server:server-two] 14:25:30,037 ERROR [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 64) Error during export/import: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
[Server:server-two] at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44)
[Server:server-two] at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
[Server:server-two] at com.sun.proxy.$Proxy117.flush(Unknown Source)
[Server:server-two] at org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:114)
[Server:server-two] at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.removeRealm(DefaultCacheRealmProvider.java:221)
[Server:server-two] at org.keycloak.exportimport.util.ImportUtils.importRealm(ImportUtils.java:76)
[Server:server-two] at org.keycloak.exportimport.util.ImportUtils.importRealms(ImportUtils.java:45)
[Server:server-two] at org.keycloak.exportimport.singlefile.SingleFileImportProvider$1.runExportImportTask(SingleFileImportProvider.java:45)
[Server:server-two] at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:18)
[Server:server-two] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:264)
[Server:server-two] at org.keycloak.exportimport.singlefile.SingleFileImportProvider.importModel(SingleFileImportProvider.java:41)
[Server:server-two] at org.keycloak.exportimport.ExportImportManager.checkExportImport(ExportImportManager.java:67)
[Server:server-two] at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86)
[Server:server-two] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[Server:server-two] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
[Server:server-two] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
[Server:server-two] at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
[Server:server-two] at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
[Server:server-two] at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
[Server:server-two] at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
[Server:server-two] at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
[Server:server-two] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
[Server:server-two] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
[Server:server-two] at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
[Server:server-two] at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
[Server:server-two] at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
[Server:server-two] at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
[Server:server-two] at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
[Server:server-two] at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
[Server:server-two] at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
[Server:server-two] at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
[Server:server-two] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[Server:server-two] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[Server:server-two] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[Server:server-two] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[Server:server-two] at java.lang.Thread.run(Thread.java:745)
[Server:server-two] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
[Server:server-two] Caused by: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update
[0]; actual row count: 0; expected: 1* *[Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.wrapStaleStateException(AbstractEntityManagerImpl.java:1800)* *[Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1705)* *[Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)* *[Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1683)* *[Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1338)* *[Server:server-two] at sun.reflect.GeneratedMethodAccessor278.invoke(Unknown Source)* *[Server:server-two] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)* *[Server:server-two] at java.lang.reflect.Method.invoke(Method.java:497)* *[Server:server-two] at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)* *[Server:server-two] ... 
35 more* *[Server:server-two] Caused by: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1* *[Server:server-two] at org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:81)* *[Server:server-two] at org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:73)* *[Server:server-two] at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:63)* *[Server:server-two] at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3400)* *[Server:server-two] at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3630)* *[Server:server-two] at org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:114)* *[Server:server-two] at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:465)* *[Server:server-two] at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:351)* *[Server:server-two] at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:350)* *[Server:server-two] at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:56)* *[Server:server-two] at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1258)* *[Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1335)* *[Server:server-two] ... 39 more* -------------- next part -------------- An HTML attachment was scrubbed... 
From sthorger at redhat.com Mon Dec 21 09:28:52 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Dec 2015 15:28:52 +0100
Subject: [keycloak-user] Issue during Import of Realm via startup in domain mode
In-Reply-To:
References:
Message-ID:

You should only run import on one server. Otherwise both servers will independently try to recreate everything in the import file.

On 21 December 2015 at 15:09, Andrej Prievalsky wrote:

> My environment: keycloak-demo-1.7.0.Final running in domain mode with main server group: server-one and server-two
> OracleLinux 7 (Java version 1.8.0_45) machine connected with Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
> and Oracle JDBC driver 11.2.0.3.0
>
> After importing a realm during Keycloak startup from the console:
> ./domain.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/opt/keycloak-1.7.0.Final/export_demo.json
>
> I got this ERROR only on server-two, server-one is OK:
>
> [Server:server-two] 14:25:30,037 ERROR [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 64) Error during export/import: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
From sthorger at redhat.com Mon Dec 21 09:43:24 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Dec 2015 15:43:24 +0100
Subject: [keycloak-user] Porting user passwords to keycloak
In-Reply-To:
References:
Message-ID:

In authentication / password policy you can configure what hashing algorithm new passwords are hashed with. If you change that value and then update the user's password, either through the admin console or account management, it should use your provider.

However, this is probably not what you want, as you are implementing an md5 hash provider which is weaker than the built-in provider.

I assume you want to import users with passwords that are hashed using md5? If so you need to specify the algorithm for the password in the json when you import the user. For example:

    "users" : [ {
        "username" : "myuser",
        "enabled" : true,
        "credentials" : [ {
            "type" : "password",
            "hashedSaltedValue" : "***************",
            "salt" : "**************",
            "hashIterations" : 1000,
            "algorithm" : "restcomm-md5"
        } ]
    } ]

On 21 December 2015 at 13:48, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:

> Btw, here is a screenshot of the 'switch' i referred to:
>
> On Mon, Dec 21, 2015 at 2:47 PM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>
>> Hello again!
>>
>> So, i've recently pulled your master branch and started working on it (HEAD was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password hashing SPI.
>>
>> Actually, i implemented PasswordHashProvider and PasswordHashProviderFactory and created a provider .jar as described in http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html.
>>
>> So, all went fine there. Deployment on keycloak had no issues too.
>>
>> I'm wondering however how i enable this custom Password Hash Provider. Is there a switch that, instead of using the "Pbkdf2PasswordHashProvider", uses my custom "RestcommPasswordHashProvider"?
>>
>> All i've found is the "Authentication/Password Policy/Hash algorithm" in the Administration Console UI that directly maps to "Pbkdf2PasswordHashProvider", but adding a new entry and changing this to "restcomm-md5" (the id of the new provider) seems to have no effect.
>>
>> Any ideas?
>>
>> On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>
>>> Great! I will keep an eye on it.
>>>
>>> BR
>>>
>>> Orestis
>>>
>>> On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen wrote:
>>>
>>>> That'd be great. If you watch this https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in master.
>>>>
>>>> Hopefully it should be added within a few days.
>>>>
>>>> On 3 December 2015 at 10:08, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>
>>>>> Ok Stian.
>>>>>
>>>>> I will try to implement auth_spi.
>>>>>
>>>>> Btw, if you need any early adopters for your new Password Hashing SPI feature, we will gladly use it in our new "Restcomm as a Service" implementation and send feedback.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Orestis
>>>>>
>>>>> Telestax
>>>>>
>>>>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen wrote:
>>>>>
>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>>>>
>>>>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>
>>>>>>> Thanks Stian.
>>>>>>>
>>>>>>> Can you send me some documentation or source code pointers about "modifying the password authenticator"? Are we talking about a Java class, overriding the login form, sth else?
>>>>>>>
>>>>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> So looks like we will indeed have password hash spi in 1.8. It'll be released in early January.
>>>>>>>>
>>>>>>>> If you can't wait for that I think it would be better to not import users with a password at all and instead send reset password links to their email address. That would assume all users have emails registered. Or you could also modify the password authenticator and make it run md5 on the value of the input password for users that haven't updated their password yet.
>>>>>>>>
>>>>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>
>>>>>>>>> Ok, so i guess i'll have to go with a workaround, password reset, etc as i've described.
>>>>>>>>>
>>>>>>>>> Thanks Stian
>>>>>>>>>
>>>>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> We are planning to add a Password Hashing SPI, which will allow plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>>>>
>>>>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to create some migration scripts that will port users from Application1 into keycloak. Users in Application1 already have usernames, passwords etc. I use the admin rest api to create the users.
>>>>>>>>>>>
>>>>>>>>>>> The problem i'm facing is that user passwords in the Application1 database are already hashed using md5. So, i don't really know the actual passwords (security wise that makes sense).
>>>>>>>>>>>
>>>>>>>>>>> The only solution i've come down to is to store the passwords as they are in keycloak (md5ed) and tell the users to use the hashed value instead of the plaintext one when signing in. Then, force them to reset passwords. Not the best UX :-(
>>>>>>>>>>>
>>>>>>>>>>> Is there a way to tell keycloak that "these passwords are already hashed in md5" so, "store them as they are" and "when a user tries to sign in, first hash his password with md5 and then compare to the value stored in db" or sth like that?
>>>>>>>>>>>
>>>>>>>>>>> Any alternatives come to mind?
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>>
>>>>>>>>>>> Orestis

From ado.boj.83 at gmail.com Mon Dec 21 09:50:39 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Mon, 21 Dec 2015 15:50:39 +0100
Subject: [keycloak-user] Issue during Import of Realm via startup in domain mode
In-Reply-To:
References:
Message-ID:

But, what is the command for this import per server? I checked Chapter 25. Export and Import, but w/o answer.

On Mon, Dec 21, 2015 at 3:28 PM, Stian Thorgersen wrote:

> You should only run import on one server. Otherwise both servers will independently try to recreate everything in the import file.
>
> On 21 December 2015 at 15:09, Andrej Prievalsky wrote:
>
>> My environment: keycloak-demo-1.7.0.Final running in domain mode with main server group: server-one and server-two
>> OracleLinux 7 (Java version 1.8.0_45) machine connected with Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
>> and Oracle JDBC driver 11.2.0.3.0
>>
>> After importing a realm during Keycloak startup from the console:
>> ./domain.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/opt/keycloak-1.7.0.Final/export_demo.json
>>
>> I got this ERROR only on server-two, server-one is OK:
>>
>> [Server:server-two] 14:25:30,037 ERROR [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 64) Error during export/import: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1

From sthorger at redhat.com Mon Dec 21 10:02:19 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Dec 2015 16:02:19 +0100
Subject: [keycloak-user] Issue during Import of Realm via startup in domain mode
In-Reply-To:
References:
Message-ID:

As domain.sh by default starts two servers, the simplest is probably to just run standalone.sh first to import the data, then run domain.sh afterwards.

On 21 December 2015 at 15:50, Andrej Prievalsky wrote:

> But, what is the command for this import per server? I checked Chapter 25. Export and Import, but w/o answer.
>
> On Mon, Dec 21, 2015 at 3:28 PM, Stian Thorgersen wrote:
>
>> You should only run import on one server. Otherwise both servers will independently try to recreate everything in the import file.
>>
>> On 21 December 2015 at 15:09, Andrej Prievalsky wrote:
>>
>>> My environment: keycloak-demo-1.7.0.Final running in domain mode with
>>> main server group: server-one and server-two
>>> OracleLinux 7 (Java version 1.8.0_45) machine connected with Oracle
>>> Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With
>>> the Partitioning, OLAP, Advanced Analytics and Real Application Testing
>>> options
>>> and Oracle JDBC driver 11.2.0.3.0
>>>
>>> After importing a Realm during keycloak startup in the console:
>>> ./domain.sh -Dkeycloak.migration.action=import
>>> -Dkeycloak.migration.provider=singleFile
>>> -Dkeycloak.migration.file=/opt/keycloak-1.7.0.Final/export_demo.json
>>>
>>> I got this ERROR only on server-two; server-one is OK:
>>> [Server:server-two] 14:25:30,037 ERROR [org.keycloak.exportimport.ExportImportManager] (ServerService Thread Pool -- 64) Error during export/import: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>> [Server:server-two] at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44)
>>> [Server:server-two] at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
>>> [Server:server-two] at com.sun.proxy.$Proxy117.flush(Unknown Source)
>>> [Server:server-two] at org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:114)
>>> [Server:server-two] at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.removeRealm(DefaultCacheRealmProvider.java:221)
>>> [Server:server-two] at org.keycloak.exportimport.util.ImportUtils.importRealm(ImportUtils.java:76)
>>> [Server:server-two] at org.keycloak.exportimport.util.ImportUtils.importRealms(ImportUtils.java:45)
>>> [Server:server-two] at org.keycloak.exportimport.singlefile.SingleFileImportProvider$1.runExportImportTask(SingleFileImportProvider.java:45)
>>> [Server:server-two] at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:18)
>>> [Server:server-two] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:264)
>>> [Server:server-two] at org.keycloak.exportimport.singlefile.SingleFileImportProvider.importModel(SingleFileImportProvider.java:41)
>>> [Server:server-two] at org.keycloak.exportimport.ExportImportManager.checkExportImport(ExportImportManager.java:67)
>>> [Server:server-two] at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86)
>>> [Server:server-two] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>> [Server:server-two] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>> [Server:server-two] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>> [Server:server-two] at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>> [Server:server-two] at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
>>> [Server:server-two] at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2211)
>>> [Server:server-two] at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:295)
>>> [Server:server-two] at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:236)
>>> [Server:server-two] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:112)
>>> [Server:server-two] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>>> [Server:server-two] at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>>> [Server:server-two] at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>>> [Server:server-two] at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>>> [Server:server-two] at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:230)
>>> [Server:server-two] at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:131)
>>> [Server:server-two] at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:511)
>>> [Server:server-two] at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>>> [Server:server-two] at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>> [Server:server-two] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>> [Server:server-two] at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> [Server:server-two] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> [Server:server-two] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> [Server:server-two] at java.lang.Thread.run(Thread.java:745)
>>> [Server:server-two] at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>> [Server:server-two] Caused by: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>> [Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.wrapStaleStateException(AbstractEntityManagerImpl.java:1800)
>>> [Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1705)
>>> [Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
>>> [Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1683)
>>> [Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1338)
>>> [Server:server-two] at sun.reflect.GeneratedMethodAccessor278.invoke(Unknown Source)
>>> [Server:server-two] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> [Server:server-two] at java.lang.reflect.Method.invoke(Method.java:497)
>>> [Server:server-two] at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
>>> [Server:server-two] ... 35 more
>>> [Server:server-two] Caused by: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>> [Server:server-two] at org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:81)
>>> [Server:server-two] at org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:73)
>>> [Server:server-two] at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:63)
>>> [Server:server-two] at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3400)
>>> [Server:server-two] at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3630)
>>> [Server:server-two] at org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:114)
>>> [Server:server-two] at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:465)
>>> [Server:server-two] at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:351)
>>> [Server:server-two] at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:350)
>>> [Server:server-two] at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:56)
>>> [Server:server-two] at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1258)
>>> [Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1335)
>>> [Server:server-two] ... 39 more
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/0602bea2/attachment.html

From ado.boj.83 at gmail.com Mon Dec 21 10:31:22 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Mon, 21 Dec 2015 16:31:22 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user
In-Reply-To:
References:
Message-ID:

So I would like to clarify it:

In version 1.6.1.Final, sending the verify email was done via the REST API:
PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/3cb6d892-8df8-45bf-a336-9ddbce1c56d0/send-verify-email
Here JIRA ticket 2063 was created (missing code in the verify link):
http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=lJOE7feTo8VNfmy0OyYpowIT3yMUcJmsY9_QaV2Bd7k.160f1a4f-5f8e-4105-a4d3-0914bb890ed2

In the current version 1.7.0.Final, when I check the same REST API:
PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email
I got a verification email with Subject "Update Your Account" and the verification link
http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022

But I am getting the same verification email in 1.7.0.Final with a different REST API:
PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
with body ["VERIFY_EMAIL"]

In summary:

Now both REST APIs work fine in version 1.7.0.Final.
But my question is: shouldn't the verification email be different in subject and in link for the first REST API:
http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
and the second REST API: PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
with body ["VERIFY_EMAIL"]?
Because when I do these two operations via the GUI, I get different verification emails in subject and link. The first one has the subject Verify email and the second one Update Your Account.

On Thu, Dec 17, 2015 at 10:45 AM, Stian Thorgersen wrote:
> I don't understand what you are saying here. Can you please reformulate
> the question?
>
> On 11 December 2015 at 10:55, Andrej Prievalsky wrote:
>
>> Hi all,
>>
>> I tried to validate this issue on 1.7.0.Final, but I have a question:
>>
>> After sending two different REST API calls:
>> 1.) PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email
>> and
>> 2.) PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
>> with body ["VERIFY_EMAIL"]
>>
>> For both REST APIs I got an email with Subject "Update Your Account" and
>> the link generated in the email:
>> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
>>
>> What is the difference when I generate Verify Email via the GUI,
>> where the Subject is "Verify email" and the link generated in the email is:
>> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5
>>
>> Should it be correct now like this, or was something changed, or is
>> something incorrect on my side?
>>
>> Thanks.
>>
>> On Mon, Nov 30, 2015 at 1:18 PM, Stian Thorgersen (JIRA) <issues at jboss.org> wrote:
>>
>>> Stian Thorgersen updated KEYCLOAK-2063
>>> Keycloak / KEYCLOAK-2063
>>> Not working link generated via REST API - Send an email-verification email to the user
>>> Change By: Stian Thorgersen
>>> Status: Pull Request Sent -> Resolved
>>> Resolution: Done
>>> This message was sent by Atlassian JIRA (v6.4.11#64026-sha1:78f6ec4)
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/6dc2d033/attachment-0001.html

From amaeztu at tesicnor.com Mon Dec 21 11:52:58 2015
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Mon, 21 Dec 2015 17:52:58 +0100
Subject: [keycloak-user] Cannot access the keycloak standalone server using the machine hostname
Message-ID: <56782E6A.8060907@tesicnor.com>

I am launching keycloak 1.7.0.Final using the default configuration on a Windows 7 machine (standalone.bat). However, when I try to access it with some host name different from localhost (let's say http://myhostname.mycompany.com:8080/auth/ or http://192.168.0.155:8080/auth/), the server doesn't respond. This makes a client I have configured work properly when I log in on my host machine but not when I am on another one, since I need to have http://localhost:8080/auth/ as "auth-server-url" in my client, but when performing the redirection the URL is obviously not available from a remote machine.

That could sound like a trivial question, but I still don't know how to solve it, having looked it up in the documentation.

Thanks in advance.
-- 
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41
Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's concern.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/334a6975/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linkdin.gif
Type: image/gif
Size: 1295 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/334a6975/attachment.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.png
Type: image/png
Size: 2983 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/334a6975/attachment.png

From thomas.raehalme at aitiofinland.com Mon Dec 21 12:59:14 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Mon, 21 Dec 2015 19:59:14 +0200
Subject: [keycloak-user] Cannot access the keycloak standalone server using the machine hostname
In-Reply-To: <56782E6A.8060907@tesicnor.com>
References: <56782E6A.8060907@tesicnor.com>
Message-ID:

Hi,

That's because Wildfly binds to 127.0.0.1 by default. Define the system property jboss.bind.address to override the setting, for example:

export JAVA_OPTS="-Djboss.bind.address=0.0.0.0"

Best regards,
Thomas

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151221/3846899c/attachment.html

From sthorger at redhat.com Tue Dec 22 02:38:47 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 22 Dec 2015 08:38:47 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user
In-Reply-To:
References:
Message-ID:

I'm still struggling to read what you are saying...

Are you saying that when you use the "send-verify-email" endpoint the subject of the email is "Verify email" and when you use the "execute-actions-email" the subject is "Update Your Account"? If so I think that's the wanted behavior. "execute-actions-email" allows a user to perform one or more actions.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151222/c6a036fc/attachment-0001.html

From sthorger at redhat.com Tue Dec 22 02:39:42 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 22 Dec 2015 08:39:42 +0100
Subject: [keycloak-user] Cannot access the keycloak standalone server using the machine hostname
In-Reply-To:
References: <56782E6A.8060907@tesicnor.com>
Message-ID:

You can also just run it with:

bin/standalone.sh -b 0.0.0.0

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151222/8631d0b0/attachment.html

From ado.boj.83 at gmail.com Tue Dec 22 03:51:26 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Tue, 22 Dec 2015 09:51:26 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user
In-Reply-To:
References:
Message-ID:

Sorry for the misunderstanding on my side.
No, I am saying that in 1.7.0.Final the email subject is the same for both endpoints "send-verify-email" and "execute-actions-email", and it is "Update Your Account".

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151222/568c7d50/attachment-0001.html From sthorger at redhat.com Tue Dec 22 04:34:02 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 22 Dec 2015 10:34:02 +0100 Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user In-Reply-To: References: Message-ID: Ok, So basically the issue here is with send-verify-email the subject used to be "Verify email", while it's now "Update Your Account"? On 22 December 2015 at 09:51, Andrej Prievalsky wrote: > Sorry for misunderstanding from my side. > No, I am saying that in 1.7.0.Final is same subject of email for both > endpoints "send-verify-email" and "execute-actions-email" and it is "Update > Your Account". > > On Tue, Dec 22, 2015 at 8:38 AM, Stian Thorgersen > wrote: > >> I'm still struggling to read what you are saying.. >> >> Are you saying that when you use the "send-verify-email" endpoint the >> subject of the email is "Verify email" and when you use the >> "execute-actions-email" the subject is "Update Your Account"? If so I think >> that's the wanted behavior. "execute-actions-email" allows a user to >> perform one or more actions. 
>>
>> On 21 December 2015 at 16:31, Andrej Prievalsky wrote:
>>
>>> So I would like to clarify it:
>>>
>>> In version 1.6.1.Final, sending the verify email was done via the REST API:
>>> PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/3cb6d892-8df8-45bf-a336-9ddbce1c56d0/send-verify-email
>>> Here JIRA ticket 2063 was created (missing code in the verify link):
>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=lJOE7feTo8VNfmy0OyYpowIT3yMUcJmsY9_QaV2Bd7k.160f1a4f-5f8e-4105-a4d3-0914bb890ed2
>>>
>>> In the current version 1.7.0.Final, when I check the same REST API:
>>> PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email
>>> I get a verification email with subject "Update Your Account" and the verification link
>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
>>>
>>> But I get the same verification email in 1.7.0.Final with a different REST API:
>>> PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
>>> with body ["VERIFY_EMAIL"]
>>>
>>> In summary:
>>>
>>> Now both REST APIs work fine in version 1.7.0.Final.
>>> But my question is: shouldn't the verification email be different in subject and link for the first REST API:
>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
>>> and the second REST API: PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
>>> with body ["VERIFY_EMAIL"]?
>>> Because when I do these two operations via the GUI, I get different verification emails in subject and link. The first one has the subject "Verify email" and the second one "Update Your Account".
>>>
>>> On Thu, Dec 17, 2015 at 10:45 AM, Stian Thorgersen wrote:
>>>
>>>> I don't understand what you are saying here. Can you please reformulate the question?
>>>>
>>>> On 11 December 2015 at 10:55, Andrej Prievalsky wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I tried to validate this issue on 1.7.0.Final, but I have a question:
>>>>>
>>>>> After sending two different REST API requests:
>>>>> 1.) PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email
>>>>> and
>>>>> 2.) PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
>>>>> with body ["VERIFY_EMAIL"]
>>>>>
>>>>> I got for both REST APIs an email with subject "Update Your Account" and the link generated in the email:
>>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
>>>>>
>>>>> This is different from when I generate Verify Email via the GUI, where the subject is "Verify email" and the link generated in the email is:
>>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5
>>>>>
>>>>> Is this now correct, was something changed, or is something incorrect on my side?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Mon, Nov 30, 2015 at 1:18 PM, Stian Thorgersen (JIRA) <issues at jboss.org> wrote:
>>>>>
>>>>>> Stian Thorgersen updated KEYCLOAK-2063 (Bug): Not working link generated via REST API - Send an email-verification email to the user
>>>>>> Change By: Stian Thorgersen
>>>>>> Status: Pull Request Sent -> Resolved
>>>>>> Resolution: Done
>>>>>> This message was sent by Atlassian JIRA (v6.4.11#64026-sha1:78f6ec4)
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
>

From rushil.vaish at gmail.com Tue Dec 22 04:58:48 2015
From: rushil.vaish at gmail.com (Rushil Agarwal)
Date: Tue, 22 Dec 2015 03:58:48 -0600
Subject: [keycloak-user] Getting logged in user through Node API's

Hi Team,

I have implemented Keycloak using the npm package "connect-keycloak". I am not able to find any example or help on fetching the currently logged-in user id through the Node APIs. Any help would be appreciated.
My code snippet:

*App.js*

// Requires added for completeness; the snippet as posted does not show them.
var express = require('express');
var session = require('express-session');
var Keycloak = require('connect-keycloak');

var app = express();
var memoryStore = new session.MemoryStore();
var routes = require('./routes/index');
var users = require('./routes/users');

// The Keycloak middleware keeps its grant in the same session store.
// The session secret should come from configuration, not from source.
app.use(session({
  secret: 'aaslkdhlkhsd',
  resave: false,
  saveUninitialized: true,
  store: memoryStore
}));

var keycloak = new Keycloak({ store: memoryStore });

app.use(keycloak.middleware({
  logout: '/logout',
  admin: '/'
}));

*Index.js*

// keycloak must be the instance created in App.js (for example exported from there).
router.get('/', keycloak.protect(), function (req, res, next) {
  // res.sendfile is deprecated in Express 4; res.sendFile is the replacement.
  res.sendFile('pages/index.html', { root: './public' });
});

--
*With best regards :-*
Rushil Agarwal
Mobile: +91 78298 86000

Please don't print this e-mail unless you really need to. SAVE PAPER TO SAVE TREES

From ado.boj.83 at gmail.com Tue Dec 22 05:12:14 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Tue, 22 Dec 2015 11:12:14 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user

Yes exactly, here is the difference:

When I generate Verify Email via the GUI, the mail subject and the verify link are different, too.
- subject is "Verify email"
- link generated in email:
http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5

On Tue, Dec 22, 2015 at 10:34 AM, Stian Thorgersen wrote:

> Ok,
>
> So basically the issue here is that with send-verify-email the subject used to be "Verify email", while it's now "Update Your Account"?
>
> On 22 December 2015 at 09:51, Andrej Prievalsky wrote:
>
>> Sorry for the misunderstanding from my side.
>> No, I am saying that in 1.7.0.Final the subject of the email is the same for both endpoints "send-verify-email" and "execute-actions-email", and it is "Update Your Account".
>>
>> On Tue, Dec 22, 2015 at 8:38 AM, Stian Thorgersen wrote:
>>
>>> I'm still struggling to read what you are saying...
>>>
>>> Are you saying that when you use the "send-verify-email" endpoint the subject of the email is "Verify email" and when you use the "execute-actions-email" the subject is "Update Your Account"? If so I think that's the wanted behavior. "execute-actions-email" allows a user to perform one or more actions.
From sthorger at redhat.com Tue Dec 22 05:24:53 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 22 Dec 2015 11:24:53 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user

What do you mean by via GUI? Is it with verify email enabled, or manually through the admin console?

On 22 December 2015 at 11:12, Andrej Prievalsky wrote:

> Yes exactly, here is the difference:
>
> When I generate Verify Email via the GUI, the mail subject and the verify link are different, too.
> - subject is "Verify email"
> - link generated in email:
> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5
From ado.boj.83 at gmail.com Tue Dec 22 07:11:36 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Tue, 22 Dec 2015 13:11:36 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user

Yes, I mean the Admin console as GUI: the user previously had Email verified: OFF, and I triggered this action via Required User Actions.

On Tue, Dec 22, 2015 at 11:24 AM, Stian Thorgersen wrote:

> What do you mean by via GUI? Is it with verify email enabled, or manually through the admin console?
>
> On 22 December 2015 at 11:12, Andrej Prievalsky wrote:
>
>> Yes exactly, here is the difference:
>>
>> When I generate Verify Email via the GUI, the mail subject and the verify link are different, too.
>> - subject is "Verify email"
>> - link generated in email:
>> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5
From sthorger at redhat.com Tue Dec 22 07:15:42 2015
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 22 Dec 2015 13:15:42 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user

I think that's fine. If the user logs in and gets the required action, it has the subject "Verify email"; if an admin manually requests the user to perform actions, it has "Update your account".

On 22 December 2015 at 13:11, Andrej Prievalsky wrote:

> Yes, I mean the Admin console as GUI: the user previously had Email verified: OFF, and I triggered this action via Required User Actions.
>
> On Tue, Dec 22, 2015 at 11:24 AM, Stian Thorgersen wrote:
>
>> What do you mean by via GUI?
>> Is it with verify email enabled, or manually through the admin console?
From ado.boj.83 at gmail.com Tue Dec 22 07:31:16 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Tue, 22 Dec 2015 13:31:16 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user

Yes, I agree too that these 2 actions via the Admin Console for "Verify email" and "Update your account" are different and work fine.
I think that the issue is with the API endpoint "send-verify-email":
- Incorrect behavior: verification email with subject "Update Your Account" and verification link:
http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
- Correct behavior: verification email with subject "Verify email" and verification link:
http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5

Am I right, or should both API endpoints "send-verify-email" and "execute-actions-email" finish with the subject "Update Your Account"?

On Tue, Dec 22, 2015 at 1:15 PM, Stian Thorgersen wrote:

> I think that's fine. If the user logs in and gets the required action, it has the subject "Verify email"; if an admin manually requests the user to perform actions, it has "Update your account".
>
> On 22 December 2015 at 13:11, Andrej Prievalsky wrote:
>
>> Yes, I mean the Admin console as GUI: the user previously had Email verified: OFF, and I triggered this action via Required User Actions.
>>
>> On Tue, Dec 22, 2015 at 11:24 AM, Stian Thorgersen wrote:
>>
>>> What do you mean by via GUI? Is it with verify email enabled, or manually through the admin console?
>>>
>>> On 22 December 2015 at 11:12, Andrej Prievalsky wrote:
>>>
>>>> Yes exactly, here is the difference:
>>>>
>>>> When I generate Verify Email via the GUI, the mail subject and the verify link are different, too.
>>>> - subject is "Verify email"
>>>> - link generated in email:
>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5
>>>>>>> >>>>>>> On 21 December 2015 at 16:31, Andrej Prievalsky < >>>>>>> ado.boj.83 at gmail.com> wrote: >>>>>>> >>>>>>>> So I would like to clarify it: >>>>>>>> >>>>>>>> In version 1.6.1.Final was Sending verify email done via REST-API: >>>>>>>> PUT >>>>>>>> http://172.31.32.216:8080/auth/admin/realms/universities/users/3cb6d892-8df8-45bf-a336-9ddbce1c56d0/send-verify-email >>>>>>>> Here was JIRA ticket 2063 created (missing code in verify link) >>>>>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?key=lJOE7feTo8VNfmy0OyYpowIT3yMUcJmsY9_QaV2Bd7k.160f1a4f-5f8e-4105-a4d3-0914bb890ed2 >>>>>>>> >>>>>>>> In actual version 1.7.0.Final, when I check same REST-API: >>>>>>>> PUT >>>>>>>> http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email >>>>>>>> I got verification email with Subject "Update Your Account" are >>>>>>>> running verification link >>>>>>>> >>>>>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022 >>>>>>>> >>>>>>>> But same verification email in 1.7.0.Final I am getting with >>>>>>>> different REST_API: >>>>>>>> PUT >>>>>>>> http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email >>>>>>>> with body ["VERIFY_EMAIL"] >>>>>>>> >>>>>>>> In summary: >>>>>>>> >>>>>>>> Now both REST-APIs works fine in version 1.7.0.Final. 
>>>>>>>> But my question is: shouldn't be different verification email in >>>>>>>> subject and in link for first REST_API: >>>>>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022 >>>>>>>> and second REST-API: PUT >>>>>>>> http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email >>>>>>>> with body ["VERIFY_EMAIL"]? >>>>>>>> Because when I do this two operation via GUI I got different >>>>>>>> verification emails in subject and link. First one is with subject Verify >>>>>>>> email and second one is Update Your Account. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Dec 17, 2015 at 10:45 AM, Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> >>>>>>>>> I don't understand what you are saying here. Can you please >>>>>>>>> reformulate the question? >>>>>>>>> >>>>>>>>> On 11 December 2015 at 10:55, Andrej Prievalsky < >>>>>>>>> ado.boj.83 at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Hi all, >>>>>>>>>> >>>>>>>>>> I tried to validate this issue on 1.7.0.Final, but I have >>>>>>>>>> question: >>>>>>>>>> >>>>>>>>>> After send two different REST-APIs: >>>>>>>>>> 1.) PUT >>>>>>>>>> http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/send-verify-email >>>>>>>>>> and >>>>>>>>>> 2.) 
PUT >>>>>>>>>> http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email >>>>>>>>>> with body ["VERIFY_EMAIL"] >>>>>>>>>> >>>>>>>>>> I got for both REST APIs email with Subject "Update Your Account" >>>>>>>>>> and link generated in email: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022 >>>>>>>>>> >>>>>>>>>> What is in different when I generate Verify Email via GUI >>>>>>>>>> when Subject is "Verify email" and link generated in email: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Should it be so now correct or something was changed or something >>>>>>>>>> is incorrect on my side? >>>>>>>>>> >>>>>>>>>> Thanks. 
>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Mon, Nov 30, 2015 at 1:18 PM, Stian Thorgersen (JIRA) < >>>>>>>>>> issues at jboss.org> wrote: >>>>>>>>>> >>>>>>>>>>> Stian Thorgersen >>>>>>>>>>> >>>>>>>>>>> *updated* [image: Bug] KEYCLOAK-2063 >>>>>>>>>>> Keycloak >>>>>>>>>>> / [image: Bug] >>>>>>>>>>> KEYCLOAK-2063 >>>>>>>>>>> Not working >>>>>>>>>>> link generated via REST API - Send an email-verification email to the user >>>>>>>>>>> Change By: Stian >>>>>>>>>>> Thorgersen >>>>>>>>>>> Status: >>>>>>>>>>> Pull Request Sent Resolved Resolution: Done [image: Add Comment] >>>>>>>>>>> Add >>>>>>>>>>> Comment >>>>>>>>>>> This >>>>>>>>>>> message was sent by Atlassian JIRA (v6.4.11#64026-sha1:78f6ec4) [image: >>>>>>>>>>> Atlassian logo] >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151222/8bf086a9/attachment-0001.html From sthorger at redhat.com Tue Dec 22 08:29:29 2015 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 22 Dec 2015 14:29:29 +0100 Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user In-Reply-To: References: Message-ID: I agree. However, "send-verify-email" is deprecated and we'll eventually remove it. It doesn't work with custom required actions so execute-actions is the preferred usage. On 22 December 2015 at 13:31, Andrej Prievalsky wrote: > Yes, I agree, too, that this 2 actions via Admin Console for "Verify > email" and "Update your account" are different and works fine. 
>
> I think that the issue is with the API endpoint "send-verify-email":
> - Mistaken behavior: verification email with subject "Update Your Account" and verification link:
>   http://172.31.32.216:8080/auth/realms/universities/login-actions/execute-actions?key=KRRUrLQD8RrIqu-QbCh3i5TUwH9Bbbtu9CPpOdHwlG0.fce4040e-945f-4fb9-9ea1-e744cb61a022
> - Correct behavior: verification email with subject "Verify email" and verification link:
>   http://172.31.32.216:8080/auth/realms/universities/login-actions/email-verification?code=2sdgs_wvS8kR1MMpzj6DrIVnqdyaY76zyCJ_Mga4dio.b6957365-eacc-4a23-8079-adbd88554b23&key=DT4mpFcMC5
>
> Am I right, or should both API endpoints "send-verify-email" and "execute-actions-email" finish with subject "Update Your Account"?

From cjwallac at gmail.com Tue Dec 22 08:51:15 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Tue, 22 Dec 2015 13:51:15 +0000
Subject: [keycloak-user] To LDAP or NOT?
Message-ID:

We are building a new application with an RBAC security model; we always attempt to use as much COTS functionality of our technology stack as possible. We are working with the 1.7 version of KEYCLOAK for SSO (thank you for this product, by the way).

We are at a decision point of where to persist our users, roles and permissions.
We considered LDAP, but then with the introduction of composite roles into KEYCLOAK there was consolidation: could we support users and roles directly in KEYCLOAK and permissions in our datastore?

My question to the group: what is the best practice? Is there value in having the additional LDAP user repository? In most places, in my experience, there is both LDAP or AD and SSO.

I wanted to keep the email fairly short, but if you have additional questions please feel free.

Thank You!

From ado.boj.83 at gmail.com Tue Dec 22 08:58:42 2015
From: ado.boj.83 at gmail.com (Andrej Prievalsky)
Date: Tue, 22 Dec 2015 14:58:42 +0100
Subject: [keycloak-user] [JBoss JIRA] (KEYCLOAK-2063) Not working link generated via REST API - Send an email-verification email to the user
In-Reply-To:
References:
Message-ID:

Ok, I agree, too. So for the verification email we will use only the endpoint API:
PUT http://172.31.32.216:8080/auth/admin/realms/universities/users/0ee34d46-6d3f-4274-8aea-268bf3560e4c/execute-actions-email
with body ["VERIFY_EMAIL"]
with subject "Update Your Account"

On Tue, Dec 22, 2015 at 2:29 PM, Stian Thorgersen wrote:

> I agree. However, "send-verify-email" is deprecated and we'll eventually remove it. It doesn't work with custom required actions so execute-actions is the preferred usage.
>
> On 22 December 2015 at 13:31, Andrej Prievalsky wrote:
>
>> Yes, I agree, too, that these 2 actions via Admin Console for "Verify email" and "Update your account" are different and work fine.

From orestis.tsakiridis at telestax.com Tue Dec 22 10:12:20 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 22 Dec 2015 17:12:20 +0200
Subject: [keycloak-user] Porting user passwords to keycloak
In-Reply-To:
References:
Message-ID:

Hi Stian,

Indeed, changing the authentication/password policy works for new users when created from the Admin Console. The custom password hashing implementation works fine.

However, creating a user WITH credentials using this:
http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_user
does not work as expected.
The user is created, but the 'credentials' array is empty in the resulting user record. I exported the realm and verified that. Is the one above the correct method to use?

I can only set the password for a user using this:
http://keycloak.github.io/docs/rest-api/index.html#_set_up_a_temporary_password_for_the_user
But this does not take into account an already "hashedSaltedValue".

PUT 127.0.0.1:8080/auth/admin/realms/test/users/216f6050-9c94-47d1-9b96-8534841305df/reset-password

For example I tried sending this:

{
  "type" : "password",
  "hashedSaltedValue" : "****",
  "salt" : "****",
  "hashIterations" : 1,
  "algorithm" : "restcomm-md5"
}

but I got a "400 Bad Request" with "No password provided". Anyway, the 'reset-password' path does not seem the way to go here.

On Mon, Dec 21, 2015 at 4:43 PM, Stian Thorgersen wrote:

> In authentication / password policy you can configure what hashing algorithm new passwords are hashed with. If you change that value then update the user's password either through the admin console or account management it should use your provider.
>
> However, this is probably not what you want as you are implementing an md5 hash provider which is weaker than the built-in provider. I assume you want to import users with passwords that are hashed using md5? If so you need to specify the algorithm for the password in the json when you import the user. For example:
>
> "users" : [ {
>   "username" : "myuser",
>   "enabled" : true,
>   "credentials" : [ {
>     "type" : "password",
>     "hashedSaltedValue" : "***************",
>     "salt" : "**************",
>     "hashIterations" : 1000,
>     "algorithm" : "restcomm-md5"
>   } ]
> } ]
>
> On 21 December 2015 at 13:48, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>
>> Btw, here is a screenshot of the 'switch' I referred to:
>>
>> On Mon, Dec 21, 2015 at 2:47 PM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>
>>> Hello again!
>>>
>>> So, I've recently pulled your master branch and started working on it (HEAD was 0197c69ac3d6e8d90a6e7c93e1eaf) and implemented the password hashing SPI.
>>>
>>> Actually, I implemented PasswordHashProvider and PasswordHashProviderFactory and created a provider .jar as described in http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html.
>>>
>>> So, all went fine there. Deployment on keycloak had no issues too.
>>>
>>> I'm wondering however how I enable this custom Password Hash Provider. Is there a switch that instead of using the "Pbkdf2PasswordHashProvider" uses my custom "RestcommPasswordHashProvider"?
>>>
>>> All I've found is the "Authentication/Password Policy/Hash algorithm" in the Administration Console UI that directly maps to "Pbkdf2PasswordHashProvider", but adding a new entry and changing this to "restcomm-md5" (the id of the new provider) seems to have no effect.
>>>
>>> Any ideas?
>>>
>>> On Thu, Dec 3, 2015 at 1:22 PM, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>
>>>> Great! I will keep an eye on it.
>>>>
>>>> BR
>>>>
>>>> Orestis
>>>>
>>>> On Thu, Dec 3, 2015 at 12:18 PM, Stian Thorgersen wrote:
>>>>
>>>>> That'd be great. If you watch this https://issues.jboss.org/browse/KEYCLOAK-1900 you'll know when it's in master.
>>>>>
>>>>> Hopefully it should be added within a few days.
>>>>>
>>>>> On 3 December 2015 at 10:08, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>
>>>>>> Ok Stian.
>>>>>>
>>>>>> I will try to implement auth_spi.
>>>>>>
>>>>>> Btw, if you need any early adopters for your new Password Hashing SPI feature, we will gladly use it in our new "Restcomm as a Service" implementation and send feedback.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Orestis
>>>>>>
>>>>>> Telestax
>>>>>>
>>>>>> On Tue, Dec 1, 2015 at 4:51 PM, Stian Thorgersen wrote:
>>>>>>
>>>>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>>>>>
>>>>>>> On 1 December 2015 at 15:39, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>>
>>>>>>>> Thanks Stian.
>>>>>>>>
>>>>>>>> Can you send me some documentation or source code pointers about "modifying the password authenticator"? Are we talking about a Java class, overriding the login form? Sth else?
>>>>>>>>
>>>>>>>> On Tue, Dec 1, 2015 at 3:12 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> So looks like we will indeed have the password hash SPI in 1.8. It'll be released in early January.
>>>>>>>>>
>>>>>>>>> If you can't wait for that I think it would be better to not import users with a password at all and instead send reset password links to their email address. That would assume all users have emails registered. Or you could also modify the password authenticator and make it run md5 on the value of the input password for users that haven't updated their password yet.
>>>>>>>>>
>>>>>>>>> On 1 December 2015 at 13:36, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>>
>>>>>>>>>> Ok, so I guess I'll have to go with a workaround, password reset, etc. as I've described.
>>>>>>>>>>
>>>>>>>>>> Thanks Stian
>>>>>>>>>>
>>>>>>>>>> On Tue, Dec 1, 2015 at 2:29 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> We are planning to add a Password Hashing SPI, which will allow plugging in additional hashing mechanisms. It's not ready quite yet though.
>>>>>>>>>>>
>>>>>>>>>>> On 1 December 2015 at 13:25, Orestis Tsakiridis <orestis.tsakiridis at telestax.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to create some migration scripts that will port users from Application1 into keycloak. Users in Application1 already have usernames, passwords etc. I use the admin rest api to create the users.
>>>>>>>>>>>>
>>>>>>>>>>>> The problem I'm facing is that user passwords in the Application1 database are already hashed using md5. So, I don't really know the actual passwords (security wise that makes sense).
>>>>>>>>>>>>
>>>>>>>>>>>> The only solution I've come down to is to store the passwords as they are in keycloak (md5ed) and tell the users to use the hashed value instead of the plaintext one when signing in. Then, force them to reset passwords. Not the best UX :-(
>>>>>>>>>>>>
>>>>>>>>>>>> Is there a way to tell keycloak that "these passwords are already hashed in md5" so, "store them as they are" and "when a user tries to sign in, first hash his password with md5 and then compare to the value stored in db" or sth like that?
>>>>>>>>>>>>
>>>>>>>>>>>> Any alternatives come to mind?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>>
>>>>>>>>>>>> Orestis
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
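Stian's suggestion above (keep the md5-hashed users importable, then re-hash once a user actually logs in), as an added example that is not Keycloak's or Restcomm's code: it builds credential records in the "credentials" JSON shape quoted in this thread, verifies a password against either algorithm, and hands back an upgraded PBKDF2 record when a legacy record verifies. The "restcomm-md5" layout (md5 over salt || password, base64 encoded) and the label "pbkdf2" for the strong record are assumptions, not something the thread specifies.

```python
"""Verify Keycloak-style password credential records and upgrade legacy ones.

Added example, not Keycloak or Restcomm code. The record shape follows the
"credentials" JSON quoted in this thread (type, hashedSaltedValue, salt,
hashIterations, algorithm). ASSUMPTIONS: the legacy "restcomm-md5" scheme is
md5(salt || password) with hash and salt base64 encoded, and the strong record
is labelled "pbkdf2" (PBKDF2-HMAC-SHA256 with a 64-byte derived key).
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

LEGACY_ALGORITHM = "restcomm-md5"   # provider id used in the thread
STRONG_ALGORITHM = "pbkdf2"         # assumed label for the strong record
STRONG_ITERATIONS = 20000           # iteration count for newly written records


def _digest(password: str, salt: bytes, algorithm: str, iterations: int) -> bytes:
    """Compute the raw hash bytes for a record of the given algorithm."""
    pw = password.encode("utf-8")
    if algorithm == LEGACY_ALGORITHM:
        # Assumed legacy layout: one MD5 pass over salt || password.
        return hashlib.md5(salt + pw).digest()
    if algorithm == STRONG_ALGORITHM:
        return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=64)
    raise ValueError("unknown password algorithm: %r" % algorithm)


def make_credential(password: str, algorithm: str, iterations: int,
                    salt: Optional[bytes] = None) -> Dict[str, object]:
    """Build one entry for a user's "credentials" array in the import JSON."""
    salt = salt if salt is not None else os.urandom(16)
    digest = _digest(password, salt, algorithm, iterations)
    return {
        "type": "password",
        "hashedSaltedValue": base64.b64encode(digest).decode("ascii"),
        "salt": base64.b64encode(salt).decode("ascii"),
        "hashIterations": iterations,
        "algorithm": algorithm,
    }


def user_import_record(username: str, credential: Dict[str, object]) -> Dict[str, object]:
    """The per-user object in the realm-import snippet quoted above."""
    return {"username": username, "enabled": True, "credentials": [credential]}


def verify(credential: Dict[str, object], password: str) -> bool:
    """Constant-time comparison of a candidate password against a record."""
    if credential.get("type") != "password":
        return False
    salt = base64.b64decode(str(credential["salt"]))
    expected = base64.b64decode(str(credential["hashedSaltedValue"]))
    actual = _digest(password, salt, str(credential["algorithm"]),
                     int(str(credential["hashIterations"])))
    return hmac.compare_digest(expected, actual)


def verify_and_upgrade(credential: Dict[str, object],
                       password: str) -> Tuple[bool, Dict[str, object]]:
    """Authenticate; on success against a legacy record return a strong replacement.

    The plaintext is only available at login time, so that is the moment to
    replace an md5 record. A failed login never changes the stored record.
    """
    if not verify(credential, password):
        return False, credential
    if credential["algorithm"] == LEGACY_ALGORITHM:
        return True, make_credential(password, STRONG_ALGORITHM, STRONG_ITERATIONS)
    return True, credential


if __name__ == "__main__":
    legacy = make_credential("s3cret", LEGACY_ALGORITHM, 1)
    print(user_import_record("myuser", legacy))
    ok, upgraded = verify_and_upgrade(legacy, "s3cret")
    print(ok, upgraded["algorithm"], upgraded["hashIterations"])
```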
From jayblanc at gmail.com Tue Dec 22 11:46:38 2015
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Tue, 22 Dec 2015 16:46:38 +0000
Subject: [keycloak-user] Problem using SAML IdP
Message-ID:

Hi,

I'm trying to integrate Keycloak into the French research identity federation (Renater) and I'm facing some problems. Actually, when the IdP responds to Keycloak I'm getting the following error:

PL00084: Writer: Unsupported Attribute Value:org.keycloak.dom.saml.v2.assertion.NameIDType

It seems that this IdP is using the transient NameID policy only, and using the "unspecified" field in the IdP config in Keycloak generates this exception in return.

The log of the Keycloak server is attached.

I have no idea what is happening, because when I was using the test federation everything was working, but now that I'm in the production federation, login fails.

The Renater federation is using Shibboleth and Keycloak is not supported by the federation moderators, so I'm alone in the dark now...

Renater provides an IdP list that I have to parse and synchronize with the IdPs in Keycloak. In return I provide a list of all endpoints for each Keycloak-registered IdP, to allow the federation IdPs to answer correctly to the right endpoint. All of this is done by a small web app deployed beside Keycloak and using the REST API to synchronize all the IdPs.

One of the IdP entity descriptors is attached. As you can see, only the transient NameID policy is supported, and if I configure Keycloak to use email or persistent, I receive a response saying that the NameID is not supported:

https://demo-auth.ortolang.fr/auth/realms/ortolang
https://janus.cnrs.fr/idp
Required NameID format not supported

Any help would be gratefully appreciated.

Thanks a lot,
Jérôme.
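An added example (not Keycloak's code, nor the sync web app described above) of the pre-flight check such an IdP synchronisation could run before registering an IdP in the broker: read the NameIDFormat values an EntityDescriptor advertises, compare them with the NameID policy the broker is configured to request, and decode the Status of a rejecting Response like the one quoted above. The entityID, URLs and both documents are constructed samples shaped like the ones in this message, not Renater's real metadata.

```python
"""SAML metadata / status pre-flight check (added illustration).
A broker configured to ask for an emailAddress or persistent NameID will
be refused by an IdP whose metadata lists only the transient format; this
script flags the mismatch up front and decodes the refusal when it happens."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata: an IdP that, like the one in the thread,
# advertises the transient format only. entityID and URLs are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample response carrying the same status codes and message the
# thread reports (Responder / InvalidNameIDPolicy).
REJECTING_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="ID_req1" IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.test/idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Required NameID format not supported</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def advertised_nameid_formats(metadata_xml: str) -> List[str]:
    """NameIDFormat values listed under the IdP's IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    nodes = root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", NS)
    return [n.text.strip() for n in nodes if n.text]


def policy_is_supported(metadata_xml: str, requested_format: str) -> bool:
    """True when the broker's NameID policy appears in the IdP metadata.
    Metadata that lists no NameIDFormat makes no promise, so it is treated
    as unsupported rather than guessed at."""
    return requested_format in advertised_nameid_formats(metadata_xml)


def check_idp(metadata_xml: str, requested_format: str) -> str:
    """Human-readable verdict for a sync job's log."""
    formats = advertised_nameid_formats(metadata_xml)
    if requested_format in formats:
        return "ok"
    return f"mismatch: broker wants {requested_format}, IdP offers {formats or 'nothing'}"


def response_status(response_xml: str) -> Tuple[str, Optional[str], Optional[str]]:
    """(top-level StatusCode, nested StatusCode or None, StatusMessage or None).
    The nested code is the one that says why; the top-level one only says who."""
    root = ET.fromstring(response_xml)
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None or top.get("Value") is None:
        raise ValueError("Response carries no StatusCode")
    nested = top.find("samlp:StatusCode", NS)
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return (top.get("Value"),
            nested.get("Value") if nested is not None else None,
            msg.text if msg is not None else None)


if __name__ == "__main__":
    for fmt in (EMAIL, PERSISTENT, TRANSIENT):
        print(check_idp(IDP_METADATA, fmt))
    print(response_status(REJECTING_RESPONSE))
```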
From mposolda at redhat.com Tue Dec 22 15:01:57 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 Dec 2015 21:01:57 +0100
Subject: [keycloak-user] To LDAP or NOT?
In-Reply-To:
References:
Message-ID: <5679AC35.1050509@redhat.com>

You can plug LDAP into Keycloak as a user federation provider (see the Keycloak docs), but Keycloak still also needs to store users in its internal database. That's because Keycloak has various internal user metadata specific to its logic. So usually just some parts of the user are stored in LDAP (you can control exactly what with LDAP mappers), but all the other stuff is kept in the Keycloak database.

Integrating Keycloak with LDAP is useful especially in case you have:
- An existing user base stored in LDAP
- Other systems or applications which are compatible with LDAP and need to read user information from there

If none of those is applicable for you, then it's best to skip LDAP and just use the Keycloak internal database. There is no need to store info about user accounts in 2 places if there is no reason for that.

Marek

On 22/12/15 14:51, Christopher Wallace wrote:
> We are building a new application with an RBAC Security Model; we always
> attempt to use as much COTS functionality of our technology stack as
> possible.
> We are working with the 1.7 version of KEYCLOAK for SSO (thank
> you for this product by the way). We are at a decision point of where
> to persist our users, roles and permissions. We considered LDAP, but
> then with the introduction of composite roles into KEYCLOAK there was
> consolidation: could we support users and roles directly in KEYCLOAK
> and permissions in our datastore? My question to the group: what is the
> best practice? Is there value in having the additional LDAP user
> repository? In most places, in my experience, there is both LDAP or AD and
> SSO. I wanted to keep the email fairly short, but if you have
> additional questions please feel free.
>
> Thank You!

From cjwallac at gmail.com Tue Dec 22 15:09:40 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Tue, 22 Dec 2015 20:09:40 +0000
Subject: [keycloak-user] To LDAP or NOT?
In-Reply-To: <5679AC35.1050509@redhat.com>
References: <5679AC35.1050509@redhat.com>
Message-ID:

Thanks for the insight Marek,

Since we are building newer applications and have no LEGACY applications that require LDAP, I think it's clear for us to store our users in KEYCLOAK and use the SAML or OpenID protocol for Identity Management Interoperability. If we do inherit some LEGACY applications in the future we can then point our KEYCLOAK server at those repositories and have KEYCLOAK be the Single Source.

Sound reasonable? We appreciate your feedback and experiences.

Regards

On Tue, Dec 22, 2015 at 3:02 PM Marek Posolda wrote:
> You can plug LDAP into Keycloak as a user federation provider (see the Keycloak
> docs), but Keycloak still also needs to store users in its internal
> database. That's because Keycloak has various internal user metadata
> specific to its logic. So usually just some parts of the user are stored in
> LDAP (you can control exactly what with LDAP mappers), but all the other
> stuff is kept in the Keycloak database.
>
> Integrating Keycloak with LDAP is useful especially in case you have:
> - An existing user base stored in LDAP
> - Other systems or applications which are compatible with LDAP and need
> to read user information from there
>
> If none of those is applicable for you, then it's best to skip LDAP and
> just use the Keycloak internal database. There is no need to store info about
> user accounts in 2 places if there is no reason for that.
>
> Marek
>
>
> On 22/12/15 14:51, Christopher Wallace wrote:
>
> We are building a new application with an RBAC Security Model; we always
> attempt to use as much COTS functionality of our technology stack as
> possible. We are working with the 1.7 version of KEYCLOAK for SSO (thank you
> for this product by the way). We are at a decision point of where to persist
> our users, roles and permissions. We considered LDAP, but then with the
> introduction of composite roles into KEYCLOAK there was consolidation: could
> we support users and roles directly in KEYCLOAK and permissions in our
> datastore? My question to the group: what is the best practice? Is there
> value in having the additional LDAP user repository? In most places, in my
> experience, there is both LDAP or AD and SSO. I wanted to keep the email
> fairly short, but if you have additional questions please feel free.
>
> Thank You!
From bburke at redhat.com Tue Dec 22 15:10:30 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 22 Dec 2015 15:10:30 -0500
Subject: [keycloak-user] Problem using SAML IdP
In-Reply-To:
References:
Message-ID: <5679AE36.8060701@redhat.com>

Our brokering doesn't support temporary user ids from the "parent" IDP: transient IDs in SAML, or temporary ids.

On 12/22/2015 11:46 AM, Jérôme Blanchard wrote:
> Hi,
>
> I'm trying to integrate Keycloak into the French research identity federation
> (Renater) and I'm facing some problems.
> Actually, when the IdP responds to Keycloak I'm getting the following error:
> PL00084: Writer: Unsupported Attribute
> Value:org.keycloak.dom.saml.v2.assertion.NameIDType
>
> It seems that this IdP is using the transient NameID policy only, and using
> the "unspecified" field in the IdP config in Keycloak generates this
> exception in return.
>
> The log of the Keycloak server is attached.
>
> I have no idea what is happening, because when I was using the test
> federation everything was working, but now that I'm in the production
> federation, login fails.
>
> The Renater federation is using Shibboleth and Keycloak is not supported
> by the federation moderators, so I'm alone in the dark now...
>
> Renater provides an IdP list that I have to parse and synchronize with the
> IdPs in Keycloak. In return I provide a list of all endpoints for each
> Keycloak-registered IdP, to allow the federation IdPs to answer correctly to
> the right endpoint. All of this is done by a small web app deployed
> beside Keycloak and using the REST API to synchronize all the IdPs.
>
> One of the IdP entity descriptors is attached. As you can see, only the
> transient NameID policy is supported, and if I configure Keycloak to use
> email or persistent, I receive a response saying that the NameID is not
> supported:
>
> xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
> AssertionConsumerServiceURL="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> Destination="https://janus.cnrs.fr/idp/profile/SAML2/POST/SSO"
> ForceAuthn="false" ID="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> IsPassive="false" IssueInstant="2015-12-22T16:13:15.987Z"
> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Version="2.0">
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://demo-auth.ortolang.fr/auth/realms/ortolang
> AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
>
> Destination="https://demo-auth.ortolang.fr/auth/realms/ortolang/broker/2db5eab3f83cbaa5a322dcf3f9ac552d/endpoint"
> ID="_9d03761957aade819b6823c35bbab278"
> InResponseTo="ID_c53b5759-cb97-4e95-b540-877a7a6c625d"
> IssueInstant="2015-12-22T16:13:16.420Z" Version="2.0">
> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://janus.cnrs.fr/idp
> Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
> Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
> Required NameID format not supported
>
> Any help would be gratefully appreciated.
>
> Thanks a lot, Jérôme.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From amaeztu at tesicnor.com Wed Dec 23 03:23:38 2015
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Wed, 23 Dec 2015 09:23:38 +0100
Subject: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot
Message-ID: <567A5A0A.6010101@tesicnor.com>

Even though both Spring Security and Spring Boot happen to support OpenId and OAuth2, a specific Keycloak adapter is needed in order to configure them to work with the Keycloak server. Also, in Spring Security we need to provide the keycloak.json file with the client configuration.

If Keycloak supports both standards, shouldn't we be able to access it in a non-coupling way?

Thanks in advance

-- 
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41
Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.
Name: logo.png Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/e63a841d/attachment-0001.png From srossillo at smartling.com Wed Dec 23 06:44:22 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Wed, 23 Dec 2015 11:44:22 +0000 Subject: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot In-Reply-To: <567A5A0A.6010101@tesicnor.com> References: <567A5A0A.6010101@tesicnor.com> Message-ID: The adapters are provided for full comparability with Keycloak. You don't have to use them. However, OpenID and OpenID Connect are not the sane thing. I've yet to see Spring publish an OpenID Connect security project. If I'm wrong, please post a link to such project. On Wed, Dec 23, 2015 at 6:07 AM Aritz Maeztu wrote: > Even though both Spring Security and Spring Boot happen to support OpenId > and OAuth2, an specific keycloak adapter in needed in order to configure > them to work with the keycloak server. Also in Spring Security we need to > provide the keycloak.json file with the client configuration. > > If keycloak supports both standards shouldn't we be able to access it in a > non-coupling way? > > Thanks in advance > -- > Aritz Maeztu Ota?o > Departamento Desarrollo de Software > > > > Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) > Telf.: 948 21 40 40 > Fax.: 948 21 40 41 > Antes de imprimir este e-mail piense bien si es necesario hacerlo: El > medioambiente es cosa de todos. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/cfa21ed1/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: linkdin.gif Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/cfa21ed1/attachment.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: logo.png Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/cfa21ed1/attachment.png -------------- next part -------------- A non-text attachment was scrubbed... Name: logo.png Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/cfa21ed1/attachment-0001.png From rushil.vaish at gmail.com Wed Dec 23 08:43:09 2015 From: rushil.vaish at gmail.com (Rushil Agarwal) Date: Wed, 23 Dec 2015 07:43:09 -0600 Subject: [keycloak-user] Getting logged in user through Node API's In-Reply-To: References: Message-ID: Hi Team, Kindly help in getting some help in fetching logged in user through Node API's. I have attached code what I have written in previous mail. Thanks in advance. On Tue, Dec 22, 2015 at 3:58 AM, Rushil Agarwal wrote: > Hi Team, > > I ave implemented Keycloak using npm package "connect-keycloak" > > I am not able to find any example or help to fetch in the currently logged > in userid through Node API's. > Any help would be appreciated. 
> > My code snippet: > > *App.js* > > var memoryStore = new session.MemoryStore(); > var routes = require('./routes/index'); > var users = require('./routes/users'); > > app.use( session({ > secret: 'aaslkdhlkhsd', > resave: false, > saveUninitialized: true, > store: memoryStore, > } )) > > var keycloak = new Keycloak({ > store: memoryStore > }); > > app.use( keycloak.middleware( { > logout: '/logout', > admin: '/', > } )); > > *Index.js* > router.get('/',keycloak.protect(),function(req, res, next) { > > res.sendfile('pages/index.html',{root:'./public'}); > }); > > -- > -- > *With best regards :-* > > Rushil Agarwal > > Mobile: +91 78298 86000 > > Please don't print this e-mail unless you really need to. SAVE PAPER TO > SAVE TREES > -- -- *With best regards :-* Rushil Agarwal Mobile: +91 78298 86000 Please don't print this e-mail unless you really need to. SAVE PAPER TO SAVE TREES -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/763de637/attachment.html From bburke at redhat.com Wed Dec 23 09:10:32 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 23 Dec 2015 09:10:32 -0500 Subject: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot In-Reply-To: References: <567A5A0A.6010101@tesicnor.com> Message-ID: <567AAB58.3090200@redhat.com> Doesn't Spring have a SAML adapter? You could definitely use that instead too. On 12/23/2015 6:44 AM, Scott Rossillo wrote: > The adapters are provided for full comparability with Keycloak. You > don't have to use them. However, OpenID and OpenID Connect are not the > sane thing. I've yet to see Spring publish an OpenID Connect security > project. > > If I'm wrong, please post a link to such project. 
> > > On Wed, Dec 23, 2015 at 6:07 AM Aritz Maeztu > wrote: > > Even though both Spring Security and Spring Boot happen to support > OpenId and OAuth2, an specific keycloak adapter in needed in order > to configure them to work with the keycloak server. Also in Spring > Security we need to provide the keycloak.json file with the client > configuration. > > If keycloak supports both standards shouldn't we be able to access > it in a non-coupling way? > > Thanks in advance > -- > Aritz Maeztu Ota?o > Departamento Desarrollo de Software > > > > Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) > Telf.: 948 21 40 40 > Fax.: 948 21 40 41 > > Antes de imprimir este e-mail piense bien si es necesario hacerlo: > El medioambiente es cosa de todos. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From prabhalar at yahoo.com Wed Dec 23 10:19:57 2015 From: prabhalar at yahoo.com (Raghuram Prabhala) Date: Wed, 23 Dec 2015 15:19:57 +0000 (UTC) Subject: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot In-Reply-To: <567AAB58.3090200@redhat.com> References: <567AAB58.3090200@redhat.com> Message-ID: <1711308463.2246006.1450883997672.JavaMail.yahoo@mail.yahoo.com> You can try the below for Spring OpenID connect client functionality. 
It also has a simple web application to demonstrate the functionality https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/master/openid-connect-client For SAML Service provider functionality, you can use the below spring-projects/spring-security-saml From: Bill Burke To: keycloak-user at lists.jboss.org Sent: Wednesday, December 23, 2015 9:10 AM Subject: Re: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot Doesn't Spring have a SAML adapter?? You could definitely use that instead too. On 12/23/2015 6:44 AM, Scott Rossillo wrote: > The adapters are provided for full comparability with Keycloak. You > don't have to use them. However, OpenID and OpenID Connect are not the > sane thing. I've yet to see Spring publish an OpenID Connect security > project. > > If I'm wrong, please post a link to such project. > > > On Wed, Dec 23, 2015 at 6:07 AM Aritz Maeztu > wrote: > >? ? Even though both Spring Security and Spring Boot happen to support >? ? OpenId and OAuth2, an specific keycloak adapter in needed in order >? ? to configure them to work with the keycloak server. Also in Spring >? ? Security we need to provide the keycloak.json file with the client >? ? configuration. > >? ? If keycloak supports both standards shouldn't we be able to access >? ? it in a non-coupling way? > >? ? Thanks in advance >? ? -- >? ? Aritz Maeztu Ota?o >? ? Departamento Desarrollo de Software >? ? >? ? ??? > >? ? Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) >? ? Telf.: 948 21 40 40 >? ? Fax.: 948 21 40 41 > >? ? Antes de imprimir este e-mail piense bien si es necesario hacerlo: >? ? El medioambiente es cosa de todos. > >? ? _______________________________________________ >? ? keycloak-user mailing list >? ? keycloak-user at lists.jboss.org >? ? 
https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/8a36e7bc/attachment-0001.html From M.Notarnicola at klopotek.it Wed Dec 23 11:36:03 2015 From: M.Notarnicola at klopotek.it (Notarnicola, Mara) Date: Wed, 23 Dec 2015 16:36:03 +0000 Subject: [keycloak-user] Brute Force Detection and login number of failure Message-ID: Dear all, We are using Keycloak 1.5.0 and we are switching to 1.7.0 version. We have extended the AbstractUsernameFormAuthenticator and implemented our UserFederationProvider. We currently use the Brute Force Detection to detect user login failures. We have noted that at the first time the BruteForceProtector initializes UsernameLoginFailureModel in its failure method, so both in the FormAuthenticator and in FederationProvider, the UsernameLoginFailureModel of the current session is null. Our problem is to disable Brute Force for a set of users, it's now possible to do this? Thanks for your time Mara -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/ac6453a4/attachment.html From amaeztu at tesicnor.com Wed Dec 23 12:52:53 2015 From: amaeztu at tesicnor.com (Amaeztu) Date: Wed, 23 Dec 2015 18:52:53 +0100 Subject: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot In-Reply-To: References: <567A5A0A.6010101@tesicnor.com> Message-ID: OK, it seems that I was misunderstanding some concepts. So adapters seem to be mandatory till spring releases some module for openid-connect Nire Sony Xperia? telefonotik bidalita ---- Scott Rossillo igorleak idatzi du ---- >The adapters are provided for full comparability with Keycloak. You don't have to use them. However, OpenID and OpenID Connect are not the sane thing. I've yet to see Spring publish an OpenID Connect security project. > >If I'm wrong, please post a link to such project. > > >On Wed, Dec 23, 2015 at 6:07 AM Aritz Maeztu wrote: > >Even though both Spring Security and Spring Boot happen to support OpenId and OAuth2, an specific keycloak adapter in needed in order to configure them to work with the keycloak server. Also in Spring Security we need to provide the keycloak.json file with the client configuration. > >If keycloak supports both standards shouldn't we be able to access it in a non-coupling way? > >Thanks in advance > >-- > >Aritz Maeztu Ota?o >Departamento Desarrollo de Software ? ? > >Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) >Telf.: 948 21 40 40 >Fax.: 948 21 40 41 > >Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos. > >_______________________________________________ >keycloak-user mailing list >keycloak-user at lists.jboss.org >https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/b81538e0/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: linkdin.gif Type: image/gif Size: 1295 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/b81538e0/attachment.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: logo.png Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/b81538e0/attachment.png -------------- next part -------------- A non-text attachment was scrubbed... Name: logo.png Type: image/png Size: 2983 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/b81538e0/attachment-0001.png From prabhalar at yahoo.com Wed Dec 23 14:23:11 2015 From: prabhalar at yahoo.com (Raghuram Prabhala) Date: Wed, 23 Dec 2015 19:23:11 +0000 (UTC) Subject: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot In-Reply-To: References: Message-ID: <1719647433.2252337.1450898591329.JavaMail.yahoo@mail.yahoo.com> Adapters are not mandatory. We tested out OpenID connect clients based on Apache Oltu against Keycloak. If you need something specific to Spring, look at the below https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/master/openid-connect-client From: Amaeztu To: keycloak-user at lists.jboss.org Sent: Wednesday, December 23, 2015 12:52 PM Subject: Re: [keycloak-user] Why do I need to include an adapter to work with Spring Security or Spring Boot OK, it seems that I was misunderstanding some concepts. So adapters seem to be mandatory till spring releases some module for openid-connect Nire Sony Xperia? telefonotik bidalita ---- Scott Rossillo igorleak idatzi du ---- The adapters are provided for full comparability with Keycloak. You don't have to use them. 
However, OpenID and OpenID Connect are not the sane thing. I've yet to see Spring publish an OpenID Connect security project. If I'm wrong, please post a link to such project. On Wed, Dec 23, 2015 at 6:07 AM Aritz Maeztu wrote: Even though both Spring Security and Spring Boot happen to support OpenId and OAuth2, an specific keycloak adapter in needed in order to configure them to work with the keycloak server. Also in Spring Security we need to provide the keycloak.json file with the client configuration. If keycloak supports both standards shouldn't we be able to access it in a non-coupling way? Thanks in advance -- | Aritz Maeztu Ota?o Departamento Desarrollo de Software | | | | Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf.: 948 21 40 40 Fax.: 948 21 40 41 | | Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos. | _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151223/2939321b/attachment-0001.html From srossillo at smartling.com Wed Dec 23 14:40:29 2015 From: srossillo at smartling.com (Scott Rossillo) Date: Wed, 23 Dec 2015 14:40:29 -0500 Subject: [keycloak-user] Replace use of Infinispan with User Sessions SPI ? 
In-Reply-To:
References: <9B39E737-CFDD-41C7-B93A-C1AB07C24BD3@n-k.de> <933485378.27311156.1450206835424.JavaMail.zimbra@redhat.com> <270388B7-2CB0-4CC1-8CA3-342ED2A1AE75@smartling.com> <820916564.28012711.1450298019763.JavaMail.zimbra@redhat.com> <1E7688FF-9A64-4CB5-BD6E-72EECD848CCA@smartling.com> <1007218979.28021563.1450300269527.JavaMail.zimbra@redhat.com> <951119783.28023953.1450300887169.JavaMail.zimbra@redhat.com> <022CC9BB-3994-4E27-B3F5-A094833CC488@smartling.com>
Message-ID: <2EA5984A-20F2-4B03-B8A1-A6A0ADE0A8AF@smartling.com>

I will happily document once we validate on Wildfly. Did just the JGroups testing for now.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 18, 2015, at 2:56 AM, Stian Thorgersen wrote:
>
> If anyone (Scott?) wants to contribute how to configure KC clustering on EC2 to our documentation that'd be great :)
>
> On 16 December 2015 at 23:11, Scott Rossillo wrote:
>
> I actually set the jgroups.bind_addr to global. I need the EC2 instance's address for jgroups.external.addr, see:
>
> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh
>
>> On Dec 16, 2015, at 4:21 PM, Alan Field wrote:
>>
>> Almost...
>>
>> I guess if the EC2 instance IP works for the bind address, why do you need to set external_addr?
>>
>> Thanks for bearing with me on this! :-)
>>
>> Alan
>>
>> From: "Scott Rossillo"
>> To: "Alan Field"
>> Cc: "Niko Köbler", "keycloak-user"
>> Sent: Wednesday, December 16, 2015 4:17:29 PM
>> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>>
>> Ah, sorry, my originally contrived example wasn't using Amazon but just my local Docker machine IP.
>>
>> In the case of my ECS tests, 172.16.0.0/16 is the Docker network's IP, which is local to the machine / EC2 instance. Using ECS, my VPC has an IP range of 172.31.0.0/16, so the bind_addr has to be on this network. On my small cluster, that's either 172.31.44.109 or 172.31.45.191.
>>
>> Does that clear it up?
>>
>> On Dec 16, 2015, at 4:11 PM, Alan Field wrote:
>>
>> Hey Scott,
>>
>> Thanks, I think you answered all of my questions, but I'm confused by something you said in your first email:
>>
>> "
>> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>>
>> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default.
>> "
>>
>> My understanding is that the 172.16 addresses are the Amazon EC2 instance's internal IP, so I'm confused why this didn't work for you before. Is the difference that you were setting jgroups.bind_addr to this address and now you are setting it to global and setting external_addr to the instance's internal IP? Just trying to understand what the problem was and how you fixed it!
>>
>> Thanks again,
>> Alan
>>
>> From: "Scott Rossillo"
>> To: "Alan Field"
>> Cc: "Niko Köbler", "keycloak-user"
>> Sent: Wednesday, December 16, 2015 3:45:40 PM
>> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>>
>> Hi Alan,
>>
>> > It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to set up and maintain the extra gossip router processes.
>>
>> True, it's mainly about maintaining extra components.
>>
>> > Which IP address from your example is retrieved with this command:
>> > EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4 )
>>
>> I get the Amazon EC2 instance's internal IP. This is what I want. There's another endpoint for public but I don't want to use it. What's good about this is when called from inside a Docker container, I manage to get the actual internal IP for the EC2 instance.
>>
>> > How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
>>
>> Since this was a test with just 2 known hosts, I injected them as a Docker environment variable with two fixed IPs. Once we switch to JDBC_PING, this will be removed.
>>
>> > For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>>
>> S3_PING, like Gossip Router, adds an external dependency on another service. S3 has had consistency issues 3 times in 2015 (at least in US East). I don't want to rely on another component when I already need the database to be up. Less components, less chance of failure. Also, there are a ton of variables to set with S3 and it requires preliminary work. I want something that scales well from dev to QA to prod. JDBC_PING has a datasource_jndi_name property. I can just reuse the data source I set up for Keycloak.
>>
>> I hope I got all your questions.
>>
>> Best,
>> Scott
>>
>> On Dec 16, 2015, at 3:33 PM, Alan Field wrote:
>>
>> Hey Scott,
>>
>> Thanks for following up and showing me your code. I have some questions inline for you:
>>
>> From: "Scott Rossillo"
>> To: "Alan Field"
>> Cc: "Niko Köbler", "keycloak-user"
>> Sent: Wednesday, December 16, 2015 2:19:27 PM
>> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>>
>> Hi Alan,
>>
>> Thanks for the informative email. The steps you outlined are similar to what I've tested with ECS. The gossip router is definitely a no-go for production since it's a single point of failure.
>>
>> It is possible to use the TUNNEL with multiple gossip routers to avoid this, but I understand not wanting to have to set up and maintain the extra gossip router processes.
>>
>> I am testing this down at the JGroups level right now and got it working with ECS. There were two issues. On TCP you have to specify the external_addr to match the EC2 host otherwise the nodes won't form a cluster. Secondly, FD_SOCK attempts to connect back on a random port. With Docker instances, this fails. Using a known client_bind_port works well.
>>
>> Which IP address from your example is retrieved with this command:
>>
>> EXTERNAL_HOST_IP=$(curl http://169.254.169.254/latest/meta-data/local-ipv4 )
>>
>> Is it the 172.16.0.4 address or the 10.10.0.100 address? When I use this command in EC2, I get the internal IP address for the instance, but not the public IP address. In your example, that would be the 172.16.0.4 address. Also which address is used for the bind_addr when you use -Djgroups.bind_addr=global?
>>
>> Here's the code I'm testing with: https://github.com/foo4u/aws-infinispan-poc
>>
>> Most interesting are probably:
>>
>> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/entrypoint.sh
>>
>> How are you setting the JGROUPS_INITIAL_HOSTS environment variable?
>>
>> https://github.com/foo4u/aws-infinispan-poc/blob/master/ecs-jgroups-poc/src/main/resources/tcp.xml
>>
>> With this set up the nodes on different machines communicate without issue. I still have to add in something other than TCP_PING, but that wasn't the main issue. Will use JDBC_PING most likely. Not a fan of S3 for coordination. Plus I already need an RDBMS for Keycloak.
>>
>> For my curiosity, can you tell me more about why you don't want to use S3_PING? Is it the cost or something else? Just wondering and JDBC_PING should work fine.
>>
>> Thanks,
>> Alan
>>
>> On Dec 15, 2015, at 2:13 PM, Alan Field wrote:
>>
>> Just to be clear, I have successfully tested Infinispan library and server mode clusters on EC2 using S3_PING, TCP, and the internal EC2 IP addresses. None of the cloud providers support multicast. The Docker case is a little different though, because of the issues with getting access to the IP address.
>>
>> Thanks,
>> Alan
>>
>> From: "Niko Köbler"
>> To: "Paul Blair"
>> Cc: "keycloak-user"
>> Sent: Tuesday, December 15, 2015 1:53:18 PM
>> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>>
>> We will go for the first run with EC2 and S3_PING, but w/o Docker.
>> If we/you/whoever will find a proper solution (possibly on the jgroups mailinglist), we will test this.
>>
>> Seems that everybody is aware of the Docker/Cloud/Multicast issues, but no-one has a proper solution, only workarounds. :(
>>
>> On 15.12.2015 at 15:47, Paul Blair wrote:
>>
>> I've also been working on setting up clustered Keycloak on Docker containers in EC2 and would be interested in any potential solutions for this configuration.
>>
>> Alternatively I've set up on EC2 without Docker with S3_PING. I'd be interested in hearing about the issues with this configuration.
>>
>> From: Scott Rossillo
>> Date: Mon, 14 Dec 2015 18:31:30 -0500
>> To: Marek Posolda
>> Cc: keycloak-user
>> Subject: Re: [keycloak-user] Replace use of Infinispan with User Sessions SPI ?
>>
>> There are two issues:
>>
>> 1. Infinispan relies on JGroups, which is difficult to configure correctly with the various ping techniques that aren't UDP multicast. I can elaborate on each one that we tested but it's just generally complex to get right. That's not to say it's impossible or the biggest reason this is complicated on ECS or _insert container service here_, see #2 for that.
>>
>> 2. It is difficult to do discovery correctly with JGroups and Docker. Non-privileged Docker instances - the default and recommended type - do not implicitly know their host's IP. This causes IP mismatches between what JGroups thinks the machine's IP is and what it actually is when connecting to hosts on different machines. This is the main issue and it's not the fault of JGroups per se, but there's no simple workaround.
>>
>> Take for example a simple 2 node cluster:
>>
>> Node 1 comes up on the docker0 interface of host A with the IP address 172.16.0.4. The host A IP is 10.10.0.100.
>> Node 2 comes up on the docker0 interface of host B with the IP address 172.16.0.8. The host B IP is 10.10.0.108.
>>
>> The 172.16 network is not routable between hosts (by design). Docker does port forwarding for ports we wish to expose so this works fine for HTTP/HTTPS but not the cluster traffic.
>>
>> So Node 1 will advertise itself as having IP 172.16.0.4 while Node 2 advertises 172.16.0.8. The two cannot talk to each other by default. However, using the hard coded IPs and TCP PING, we can set external_addr on Node 1 to 10.10.0.100 and external_addr on Node 2 to 10.10.0.108 and set initial_hosts to 10.10.0.100, 10.10.0.108. This will cause the nodes to discover each other. However, they will not form a cluster. The nodes will reject the handshake thinking they're not actually 10.10.0.100 or 10.10.0.108 respectively.
>>
>> I'd like to discuss further and I can share where we've gotten so far with workarounds to this but it may be better to get into the weeds on another list.
>>
>> Let me know what you think.
>>
>> Best,
>> Scott
>>
>> On Dec 14, 2015, at 5:32 PM, Marek Posolda wrote:
>>
>> CCing Alan Field from RH Infinispan team and forwarding his question:
>> I'd like to know which configuration files you are using and why it is harder to use with Amazon's Docker service (ECS) or Beanstalk. I'd also be interested in how big a cluster you are using in AWS.
>>
>> On 14/12/15 22:24, Scott Rossillo wrote:
>> AWS was why we didn't use Infinispan to begin with. That and it's even more complicated when you deploy using Amazon's Docker service (ECS) or Beanstalk.
>>
>> It's too bad Infinispan / JGroups are beasts when the out of the box configuration can't be used. I'm planning to document this as we fix but I'd avoid S3_PING and use JDBC_PING. You already need JDBC for the Keycloak DB, unless you're using Mongo and it's easier to test locally.
>>
>> TCPPING will bite you on AWS if Amazon decides to replace one of your instances (which it does occasionally w/ECS or Beanstalk).
>>
>> Best,
>> Scott
>>
>> On Dec 14, 2015, at 10:59 AM, Marek Posolda wrote:
>>
>> On 14/12/15 16:55, Marek Posolda wrote:
>> On 14/12/15 15:58, Bill Burke wrote:
>> On 12/14/2015 5:01 AM, Niko Köbler wrote:
>> Hi Marek,
>>
>> On 14.12.2015 at 08:50, Marek Posolda wrote:
>>
>> Btv. what's your motivation to not use infinispan? If you are afraid of cluster communication, you don't need to worry much about it, because if you run single keycloak through standalone.xml, the infinispan automatically works in LOCAL mode and there is no cluster communication at all.
>>
>> My current customer is running his apps in AWS. As known, multicast is not available in cloud infrastructures. Wildfly/Infinispan Cluster works pretty well with multicast w/o having to know too much about JGroups config. S3_PING seems to be a viable way to get a cluster running in AWS.
>> But additionally, my customer doesn't have any (deep) knowledge about JBoss infrastructures and so I'm looking for a way to be able to run Keycloak in a cluster in AWS without the need to build up deeper knowledge of JGroups config, for example in getting rid of Infinispan.
>> But I do understand all the concerns in doing this.
>> I still have to test S3_PING, if it works as easy as multicast. If yes, we can use it, if no... I don't know yet. But this gets offtopic for Keycloak mailinglist, it's more related to pure Wildfly/Infinispan.
>>
>> seems to me it would be much easier to get Infinispan working on AWS than to write and maintain an entire new caching mechanism and hope we don't refactor the cache SPI.
>>
>> +1
>>
>> I am sure infinispan/JGroups has possibility to run in non-multicast environment. You may just need to figure how exactly to configure it. So I agree that this issue is more related to Wildfly/Infinispan itself than to Keycloak.
>>
>> You may need to use jgroups protocols like TCP instead of default UDP and maybe TCPPING (this requires to manually list all your cluster nodes. But still, it's much better option IMO than rewriting UserSession SPI)
>> Btv. if TCPPING or S3_PING is an issue, there is also AWS_PING http://www.jgroups.org/manual-3.x/html/protlist.html#d0e5100 , but it's not official part of jgroups.
>>
>> Marek
>>
>> Marek

From stephen.more at gmail.com Sun Dec 27 20:14:50 2015
From: stephen.more at gmail.com (Stephen More)
Date: Sun, 27 Dec 2015 20:14:50 -0500
Subject: [keycloak-user] Admin Rest API Documentation Issue (1.6.1.Final)
In-Reply-To:
References:
Message-ID:

I am finding the Admin Rest API Documentation misleading as well...perhaps this could be documented using EL ?
is it .../{user.id}/role-mappings/clients/{client.id} or .../{user.id}/role-mappings/clients/{client.clientId} or .../{user.id}/role-mappings/clients/{client.name}

On Wed, Nov 18, 2015 at 1:10 AM, Lohitha Chiranjeewa wrote:
> Hi,
>
> Client level role mappings related endpoints are currently misleading because it gives the feeling that the client-id could be passed instead of the id-of-client. But that's not the case. Hence please update the endpoints which have the signature:
>
> ...role-mappings/clients/{client}... --> ...role-mappings/clients/{id-of-client}...

From mposolda at redhat.com Mon Dec 28 17:18:24 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Dec 2015 23:18:24 +0100
Subject: [keycloak-user] To LDAP or NOT?
In-Reply-To:
References: <5679AC35.1050509@redhat.com>
Message-ID: <5681B530.5060008@redhat.com>

On 22/12/15 21:09, Christopher Wallace wrote:
> Thanks for the Insight Marek, Since we are building newer applications and have no LEGACY application that require LDAP, I think it's clear for us to store our users in KEYCLOAK and use SAML or OpenID protocol for Identity Management Interoperability. If we to inherit some LEGACY applications in the future we can then point our KEYCLOAK server at those repository and have KEYCLOAK be the Single Source. Sound reasonable?

Yes.

Just one thing. Currently we don't have support for bulk sync of users from Keycloak to LDAP.

We have support for sync newly created/registered users to LDAP when the flow is like:
- You create LDAP federation provider in Keycloak admin console
- You register user "john" in Keycloak
- This user will be registered in both Keycloak DB and LDAP

But we don't have support for sync of previously created users to Keycloak, when the flow is like:
- You register new user "john" and he will be created just in Keycloak DB (because LDAP federation provider is not yet created)
- Then you create LDAP federation provider
- It is not supported to link Keycloak user "john" with LDAP and sync him to LDAP

In other words, if you don't involve LDAP from the beginning and you create 1000 Keycloak users and then you later decide that you want those 1000 users in LDAP to be available for legacy apps, you may have issues.

We want to support the 2 way sync scenario and we have JIRA for it already, but not sure when exactly it will be ready...

Marek

>
> We appreciate your feedback and experiences.
>
> Regards
>
> On Tue, Dec 22, 2015 at 3:02 PM Marek Posolda wrote:
>
> You can plug LDAP into Keycloak as user federation provider (See Keycloak docs), but still Keycloak also needs to store users in its internal database. That's because Keycloak has various user's internal metadata specific to its logic. So usually just some parts of user are stored in LDAP (you can control with LDAP mappers what exactly), but all the other stuff is used in Keycloak database.
>
> Integrating Keycloak with LDAP is useful especially in case that you have:
> - Existing user base stored in LDAP
> - Other systems or applications, which are compatible with LDAP and need to read user information from there
>
> If none of those is applicable for you, then it's best to skip LDAP and just use Keycloak internal database. There is no need to store info about user accounts in 2 places if there is no reason for that.
>
> Marek
>
> On 22/12/15 14:51, Christopher Wallace wrote:
>> We are building a new application with RBAC Security Model, we always attempt to use as much COTs functionality of our technology stack as possible. We are working with 1.7 version of KEYCLOAK for SSO (Thank you for this product by the way) We are at a decision point of where to persist our users, roles and permissions. We considered LDAP, but then with the introduction of composite roles into KEYCLOAK there was consolidation could we support users and roles directly in KEYCLOAK and permissions in our datastore. My question to the group what is the best practice? Is there value in having the additional LDAP user repository? Most places my experience is there is both LDAP or AD and SSO I wanted to keep the email fairly short, but if you have additional questions please feel free.
>>
>> Thank You!

From amaeztu at tesicnor.com Tue Dec 29 03:01:07 2015
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Tue, 29 Dec 2015 09:01:07 +0100
Subject: [keycloak-user] RestTemplate support for service account access
Message-ID: <56823DC3.6040200@tesicnor.com>

At this moment there's a KeycloakRestTemplate to use it in Spring which allows an end user to retrieve data from other keycloak clients. However, a client might also be interested in accessing data with its own permissions and with no user interaction. Is there any implementation of a RestTemplate to utilize client service accounts and, if not, are there any plans to write it? This demo seems to do it manually.
Regards

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41
Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.

From satyajit.das at spire2grow.com Tue Dec 29 04:13:30 2015
From: satyajit.das at spire2grow.com (Satyajit Das)
Date: Tue, 29 Dec 2015 14:43:30 +0530
Subject: [keycloak-user] Login Rest Service Service Delay
Message-ID:

Hi Team,

We are using login restful service of 1.4.0 final version. Sometimes the login takes quite some time (around 15 secs) to fetch the token id given back by login service. On subsequent calls the login rest service takes very little time (75 millisecs). This is a completely random behavior. Kindly let me know how to overcome this issue. Below is the snap of Token timeouts.

[image: Inline image 1]

Regards,
Satya.

From Frank.vanVeen at planonsoftware.com Tue Dec 29 05:14:20 2015
From: Frank.vanVeen at planonsoftware.com (Frank van Veen)
Date: Tue, 29 Dec 2015 11:14:20 +0100
Subject: [keycloak-user] Viewing users in keycloak
Message-ID: <16DCFFB91025EF4DB80D3ECCA6E097E49251A8098E@NL-MAIL02.planon-fm.com>

Hi,

The last few weeks I've been working on a federation provider implementation. It runs smoothly so far, but today I ran into the following issue; I was testing functionality of keycloak and wanted to delete a user. When I pressed the view all users button nothing happened so I pressed it again. Still nothing so I pressed 20 or so more times. Finally I got an error stating I had too many connections to my user federation endpoint (Error originated from my federated storage). Every time view all users is pressed five more requests are made checking if a user exists in federated storage. If you spam the button, while the connection is rather slow, it breaks. When the first 5 calls return the information isn't displayed yet. The remaining pending calls are the cause for that. I was wondering why keycloak has this behavior. It might be a better solution to disable functionality of this button while there are still previous calls pending.

Best regards,
Frank van Veen

From cjwallac at gmail.com Tue Dec 29 07:25:55 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Tue, 29 Dec 2015 12:25:55 +0000
Subject: [keycloak-user] To LDAP or NOT?
In-Reply-To: <5681B530.5060008@redhat.com>
References: <5679AC35.1050509@redhat.com> <5681B530.5060008@redhat.com>
Message-ID:

Ok Great!
Thank you Marek,

If we did need to one time load to LDAP from KEYCLOAK, I would think we could DUMP the user details from the KEYCLOAK database and BUILD an LDIF file then do an LDAP import.

- Chris

On Mon, Dec 28, 2015 at 5:18 PM Marek Posolda wrote:

From mitja.strojansek at efos.si Tue Dec 29 10:35:15 2015
From: mitja.strojansek at efos.si (Mitja Strojanšek)
Date: Tue, 29 Dec 2015 16:35:15 +0100
Subject: [keycloak-user] Adapter 1.3.1 on EAP 6.3.2
Message-ID: <5682A833.3090202@efos.si>

We have REST services on EAP 6.3.2 with adapter 1.3.1 and gateway server WF 8.2 with 1.3.1 server. This configuration doesn't work. Our test case works on WF 8.2 server with adapter 1.3.1. Does anybody have an idea why it shouldn't work also with EAP 6.3.2? Are there any incompatibilities?

--
*Mitja*

From srossillo at smartling.com Tue Dec 29 11:10:42 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 29 Dec 2015 16:10:42 +0000
Subject: [keycloak-user] RestTemplate support for service account access
In-Reply-To: <56823DC3.6040200@tesicnor.com>
References: <56823DC3.6040200@tesicnor.com>
Message-ID:

Take a look at these Spring samples. It's set up automatically:

https://github.com/foo4u/keycloak-spring-demo/blob/master/customer-app/src/main/java/org/keycloak/example/spring/customer/service/RemoteCustomerService.java

On Tue, Dec 29, 2015 at 12:31 PM Aritz Maeztu wrote:

From Mahantesh.Katti at Indecomm.net Wed Dec 30 12:42:00 2015
From: Mahantesh.Katti at Indecomm.net (Mahantesh Prasad Katti)
Date: Wed, 30 Dec 2015 17:42:00 +0000
Subject: [keycloak-user] retrieving group membership info from LDAP/AD
Message-ID: <83FA22EE27AA7949A5F616D4DD6AF71E1640F1DC@INBLRMBX002.INDECOMM.LOCAL>

Hi All,

In our application, we integrate with Microsoft AD for authenticating users.
As part of the authentication result, we also fetch group information for the user authenticated. We also have a pre-defined group-role mapping defined in the application server [This is a JEE configuration file]. This helps decide whether a particular user, based on the role he belongs to, can access a resource or not.

I read another thread "Apply group membership filter on ldap login" on similar lines. Couple of clarifications.

1. Based on what I read there is no feature to get roles and map them to specific roles in keycloak and would be available in a future release. I just wanted to understand if my reading of this is on the right lines. Also, wanted to know if there's a workaround for this in the short term.

2. Also does keycloak provide fine grained access control on the lines of apache shiro?

Thanks
Prasad

From cjwallac at gmail.com Wed Dec 30 17:34:34 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Wed, 30 Dec 2015 22:34:34 +0000
Subject: [keycloak-user] KEYCLOAK w/ NGINX Reverse Proxy
Message-ID:

Community,

I have spent a decent amount of time attempting to get KEYCLOAK behind an NGINX Reverse Proxy to protect a TOMCAT Application. It does work without the proxy, but I need the proxy to handle certificates. I think I am pretty close to having it working, but something seems to be missing... I have done the following. I appreciate any insight you may have as I think I have exhausted other resources.

*1. Configure a server in NGINX*

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/certs/dcf30de94f28f16f.crt;
    ssl_certificate_key /etc/ssl/certs/*.domain.key;
    server_name sso2.domain.com;
    access_log /var/log/nginx/nginx.sso.access.log;
    error_log /var/log/nginx/nginx.sso.error.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
        proxy_pass http://internalip:8080;
    }
}

*2. Enable SSL on a Reverse Proxy*

First add proxy-address-forwarding and redirect-socket to the http-listener element:

...
...

Then add a new socket-binding element to the socket-binding-group element:

...
...

*RECEIVE THE FOLLOWING ERROR in TOMCAT:*

1807906 [http-nio-8080-exec-9] ERROR o.k.a.OAuthRequestAuthenticator - failed to turn code into token
org.apache.http.conn.HttpHostConnectException: Connection to https://sso2.domain.com refused
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) ~[httpclient-4.2.1.jar:4.2.1]
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:90) ~[keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:297) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:243) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:95) [keycloak-adapter-core-1.7.0.Final.jar:1.7.0.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:189) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:28) [keycloak-tomcat8-adapter-1.7.0.Final.jar:1.7.0.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470) [lib/:na]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:170) [keycloak-tomcat-core-adapter-1.7.0.Final.jar:1.7.0.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) [lib/:na]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [lib/:na]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) [lib/:na]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [lib/:na]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) [lib/:na]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086) [tomcat-coyote.jar:8.0.18]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659) [tomcat-coyote.jar:8.0.18]
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223) [tomcat-coyote.jar:8.0.18]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) [tomcat-coyote.jar:8.0.18]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) [tomcat-coyote.jar:8.0.18]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_25]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_25]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.18]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
Caused by: java.net.ConnectException: Connection timed out
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_25]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345) ~[na:1.8.0_25]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_25]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_25]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_25]
    at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_25]
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:649) ~[na:1.8.0_25]
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549) ~[httpclient-4.2.1.jar:4.2.1]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) ~[httpclient-4.2.1.jar:4.2.1]
    ... 29 common frames omitted

From traviskds at gmail.com Thu Dec 31 03:46:43 2015
From: traviskds at gmail.com (Travis De Silva)
Date: Thu, 31 Dec 2015 08:46:43 +0000
Subject: [keycloak-user] Different theme for each client
Message-ID:

Hi,

My vote is to provide this feature at a client level as per the original request.
I think realms should be used for completely different domains, when we want to isolate users etc. We should not try to use them for something they were not intended for in the design.

The reason why you might need theming at the client level is, if you really think about it, that clients are essentially different applications most of the time, and each of these applications might have different look-and-feel themes (either due to different development teams or vendors building different applications).

So when someone logs in via KeyCloak, it's true that we are logging into a realm, but for an end user it is really logging into an application, and there is a need for the login page theme to look similar to the application's look and feel.

Also, I have a use case where I have a back office application that requires login for admin users, and then I have the front office of this application where, in addition to the admin users, you can also have other users who can self-register and log in to the front end, which is a consumer-facing site.

How I handle this is by having two clients in the same realm. This works fine if you are happy with the same back-end login theme being there for the consumer-facing front end. But we cannot do that, as the front end is a consumer-facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.

I came across this post from Bill a few months ago:
http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html

I am thinking of making use of the client variable that is available in login.ftl and loading different FreeMarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal, but it might meet the requirement.

Cheers
Travis
From thomas.raehalme at aitiofinland.com Thu Dec 31 03:49:28 2015
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Thu, 31 Dec 2015 10:49:28 +0200
Subject: [keycloak-user] Different theme for each client

+1 as I have a similar use-case from a customer.

On Thu, Dec 31, 2015 at 10:46 AM, Travis De Silva wrote:
> Hi,
>
> My vote is to provide this feature at a client level as per the original request.
>
> I think realms should be used for completely different domains, when we want to isolate users etc. We should not try to use them for something they were not intended for in the design.
>
> The reason why you might need theming at the client level is, if you really think about it, that clients are essentially different applications most of the time, and each of these applications might have different look-and-feel themes (either due to different development teams or vendors building different applications).
>
> So when someone logs in via KeyCloak, it's true that we are logging into a realm, but for an end user it is really logging into an application, and there is a need for the login page theme to look similar to the application's look and feel.
>
> Also, I have a use case where I have a back office application that requires login for admin users, and then I have the front office of this application where, in addition to the admin users, you can also have other users who can self-register and log in to the front end, which is a consumer-facing site.
>
> How I handle this is by having two clients in the same realm. This works fine if you are happy with the same back-end login theme being there for the consumer-facing front end. But we cannot do that, as the front end is a consumer-facing SaaS site, so each front end needs to have the client's website theme. This becomes very hard to do if we don't have theming at a client level.
>
> I came across this post from Bill a few months ago:
> http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
>
> I am thinking of making use of the client variable that is available in login.ftl and loading different FreeMarker fragments that will then theme it differently for each client. As mentioned by Bill, having many if conditions might not be ideal, but it might meet the requirement.
>
> Cheers
> Travis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From andrey.saroul at gmail.com Thu Dec 31 07:34:36 2015
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Thu, 31 Dec 2015 15:34:36 +0300
Subject: [keycloak-user] Need help configuring security constraints programmatically

Hello,

I'm trying to configure security for a simple Spring REST webapp and Keycloak. I've configured Keycloak server 1.7.0.Final on WildFly 9.0.2 (created realms, clients, roles, etc.), and it works just fine. Then I created a simple Spring REST app (Boot-less) to test Keycloak security login. I generated the keycloak.json file and put it in my WEB-INF folder. Then I configured web.xml and Spring dispatcher-servlet.xml, and finally created an annotation-driven security config:

protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http.authorizeRequests().antMatchers("/*").hasRole("tms-rest");
}

But when I try to test my web app in the browser, it does not redirect me to the Keycloak login page. I made it work when I configured a security-constraint in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>tms</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>tms-rest</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>tms-rest</role-name>
</security-role>

It seems to me that Spring isn't picking up my security rules from the security config bean.
Does anyone have a suggestion as to what I am doing wrong? And how can I set the config programmatically? My app source is in the attachment.

Attachment: rest-app.zip (application/zip, 6348 bytes)

From prabhalar at yahoo.com Thu Dec 31 08:00:36 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Thu, 31 Dec 2015 08:00:36 -0500
Subject: [keycloak-user] Different theme for each client
Message-ID: <1331CD93-49E4-4017-80FB-B730FECCDF5F@yahoo.com>

+1

Sent from my iPhone

> On Dec 31, 2015, at 3:49 AM, Thomas Raehalme wrote:
>
> +1 as I have a similar use-case from a customer.
From jermookie at gmail.com Thu Dec 31 16:08:21 2015
From: jermookie at gmail.com (Jeremy Simon)
Date: Thu, 31 Dec 2015 16:08:21 -0500
Subject: [keycloak-user] development debugging / deployment

Hi All,

I'm attempting to write my own User Federation Provider, and I'm wondering if there are tips on how to manage development deployments of it. I had seen the registering steps in section 4.2 of the guide (1.7), but I'm wondering if there are any tricks, ways or methods to continuously deploy to my local instance as I make code changes to try... you know, a la JRebel or whatever. (I do have JRebel and have done this for WARs, but I'm not sure how to manage modules...)

Is there a way to set that up, or do I need to stick with making a shell script to build, shut down the web server, copy the new jar over the top of the registered one, then restart?

Help is much appreciated! Thanks all!

jeremy
jeremy at jeremysimon.com
http://jeremysimon.com
http://vikingcamelstudio.com

From andrey.saroul at gmail.com Thu Dec 31 17:07:26 2015
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Fri, 1 Jan 2016 01:07:26 +0300
Subject: [keycloak-user] Spring Security annotation problem

Hello!

I'm just a beginner in Spring Security, but I would like to know whether it is possible to configure Keycloak in a way that lets me use @PreAuthorize, @PostAuthorize, @Secured and other annotations. For example, I've configured the keycloak-spring-security-adapter and Spring Security in my simple Spring REST webapp so that I have access to the Principal object in my controller, like this:

@RestController
public class TMSRestController {

    @RequestMapping("/greeting")
    public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
        return new Greeting(String.format(template, name));
    }
    ...
}

But when I try this (just an example; actually I want to execute a custom EL expression before authorization):

@RestController
public class TMSRestController {

    @RequestMapping("/greeting")
    @PreAuthorize("hasRole('ADMIN')")
    public Greeting greeting(Principal principal, @RequestParam(value="name") String name) {
        return new Greeting(String.format(template, name));
    }
    ...
}

... I get an exception:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext

What do I need to make these Spring Security annotations work?

From nielsbne at gmail.com Thu Dec 31 18:29:58 2015
From: nielsbne at gmail.com (Niels Bertram)
Date: Fri, 1 Jan 2016 09:29:58 +1000
Subject: [keycloak-user] keycloak-user Digest, Vol 24, Issue 111

+1, we have similar requirements, where we like to use different themes for hybrid mobile app clients and traditional responsive web (site) clients.

Date: Thu, 31 Dec 2015 10:49:28 +0200
From: Thomas Raehalme
Subject: Re: [keycloak-user] Different theme for each client
To: keycloak-user
Content-Type: text/plain; charset="utf-8"

+1 as I have a similar use-case from a customer.
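Both of Andrey Saroul's Spring Security questions above (the antMatchers rules not triggering a redirect, and @PreAuthorize failing with AuthenticationCredentialsNotFoundException) come down to how the Keycloak Spring Security adapter is wired into Spring Security: the adapter's base class installs the login redirect and the filters that put an Authentication into the SecurityContext, and method security has to be switched on separately. The following is an added example, not code from the thread or from the Keycloak project; it assumes keycloak-spring-security-adapter 1.7.0.Final is on the classpath, keycloak.json sits in WEB-INF as in the post, the springSecurityFilterChain DelegatingFilterProxy is mapped in web.xml (the app is Boot-less), "tms-rest" is the realm role from the post, and the class name SecurityConfig and the Greeting type are illustrative.

```java
import java.security.Principal;

import org.keycloak.adapters.springsecurity.KeycloakSecurityComponents;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Illustrative config (not from the thread). Extending the adapter's
// KeycloakWebSecurityConfigurerAdapter installs the Keycloak entry point (the
// redirect to the login page) and the filters that place an Authentication in
// Spring's SecurityContext; a plain WebSecurityConfigurerAdapter with only
// antMatchers() rules does neither, so no redirect and no Authentication.
@Configuration
@EnableWebSecurity
// prePostEnabled enables @PreAuthorize/@PostAuthorize, securedEnabled enables @Secured.
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Register the Keycloak provider; without it the adapter's filters have
    // nothing to authenticate against.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // Required by the adapter so Keycloak sessions are tracked and can be
    // invalidated by back-channel logout.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // installs the Keycloak filters and entry point
        http.authorizeRequests()
            // The adapter exposes realm role names as authorities exactly as
            // named, without the ROLE_ prefix that hasRole() prepends, so match
            // the bare name. Everything else still requires a login.
            .antMatchers("/greeting").hasAuthority("tms-rest")
            .anyRequest().authenticated();
    }
}

// Method-level check on the controller from the post; Greeting is the
// poster's own type, and the template string here is a constructed sample.
@RestController
class TMSRestController {
    private static final String template = "Hello, %s!";

    @RequestMapping("/greeting")
    @PreAuthorize("hasAuthority('tms-rest')")
    public Greeting greeting(Principal principal, @RequestParam(value = "name") String name) {
        return new Greeting(String.format(template, name));
    }
}
```

If the browser still reaches the controller without a redirect, the first thing to check is that web.xml actually maps the springSecurityFilterChain filter to /*; with no filter in the chain the security config bean is loaded but never consulted.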
From ornot2008 at yahoo.com Thu Dec 31 22:47:52 2015
From: ornot2008 at yahoo.com (Mai Zi)
Date: Fri, 1 Jan 2016 03:47:52 +0000 (UTC)
Subject: [keycloak-user] Can not login sometimes
References: <132228504.5874139.1451620072461.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <132228504.5874139.1451620072461.JavaMail.yahoo@mail.yahoo.com>

Hi there,

We are using a confidential type client. Sometimes it is hard to log in to the system from the browser unless you refresh the login page.

Has anybody met the same issue?

Regards,
Mai