From prabhalar at yahoo.com Sun Feb 1 07:09:09 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Sun, 1 Feb 2015 12:09:09 +0000 (UTC)
Subject: [keycloak-user] Keycloak Roles
Message-ID: <2029223580.260253.1422792549369.JavaMail.yahoo@mail.yahoo.com>

It appears that the current "manage" roles in Keycloak seem to cover all clients/apps, meaning app1 or client1 created by user1 can be deleted by user2. Is that correct? If so, is there any realm-specific role that would allow users to manage only the clients or applications created by them? Taking this further, can a group of users create and manage only their applications but not the ones created by another group of users? If not, how can I set up or create new roles to meet that functionality which would be provided to all users?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150201/30f5a7ba/attachment.html

From stian at redhat.com Mon Feb 2 03:13:04 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Feb 2015 03:13:04 -0500 (EST)
Subject: [keycloak-user] Rest endpoint and AngularJS client
In-Reply-To:
References:
Message-ID: <965408124.5210577.1422864784384.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Mohan Radhakrishnan"
> To: keycloak-user at lists.jboss.org
> Sent: Saturday, 31 January, 2015 1:42:39 PM
> Subject: [keycloak-user] Rest endpoint and AngularJS client
>
> Hi,
>
> This is my first post. We have a large HealthCare domain Rest application with an AngularJS client. We may require role-based access control of HTML views. We can consult LDAP to get these. But due to some internal reasons we are not going to use OAuth now. It may be a future enhancement.
>
> Are these types of HTML5/JS applications still protected effectively based on roles? I wanted to know before I start reading more about Keycloak because OAuth is not used now.
An HTML5/JS application doesn't have any access control. All it can do is hide features a user can't access. The access control has to be done on the REST endpoints. This is a perfect fit for OpenID Connect. When you login to Keycloak your app is given a token that includes the roles the user can access. These can then be used by the AngularJS app to enable/disable features. When invoking REST endpoints the token is passed along, which then allows the REST endpoints to verify if the user has access to the requested resource or not. In summary Keycloak and OpenID Connect are perfect fits for the type of application you're doing.

> Thanks,
> Mohan
>
> This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Mon Feb 2 03:15:11 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Feb 2015 03:15:11 -0500 (EST)
Subject: [keycloak-user] Upgrade To 1.1.0.Final from 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed login
In-Reply-To:
References: <1273392275.188649.1422748235957.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <515845864.5215469.1422864911665.JavaMail.zimbra@redhat.com>

Have you updated keycloak.js in your application?
Are you sure you've cleared the cache fully?

----- Original Message -----
> From: "Dean Peterson"
> To: "Raghu Prabhala"
> Cc: keycloak-user at lists.jboss.org
> Sent: Sunday, 1 February, 2015 2:34:47 AM
> Subject: Re: [keycloak-user] Upgrade To 1.1.0.Final from 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed login
>
> I did try that but no luck, thanks though. I have reverted back to the old version for now.
>
> On Sat, Jan 31, 2015 at 5:50 PM, Raghu Prabhala < prabhalar at yahoo.com > wrote:
>
> Dean - Try cleaning your cache. Stian suggested it and it helped me login using both IE and chrome.
>
> Raghu
>
> From: Dean Peterson < peterson.dean at gmail.com >
> To: keycloak-user at lists.jboss.org
> Sent: Saturday, January 31, 2015 2:28 PM
> Subject: [keycloak-user] Upgrade To 1.1.0.Final from 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed login
>
> Going from 1.1.0-Alpha1-SNAPSHOT causes an infinite loop when logging in. First, it successfully transitions to the login page. When I log in, the application transitions back to the application and keeps calling keycloak.init over and over and over and over again.
> It keeps pasting codes to the url:
>
> I am running an angularjs javascript client running on a separate domain from the wildfly server. Everything was working prior to the "upgrade".
From stian at redhat.com Mon Feb 2 03:16:37 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Feb 2015 03:16:37 -0500 (EST)
Subject: [keycloak-user] Keycloak Adapters
In-Reply-To: <1724654062.218718.1422756345516.JavaMail.yahoo@mail.yahoo.com>
References: <1724654062.218718.1422756345516.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1284680768.5218380.1422864997735.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Keycloak-user"
> Sent: Sunday, 1 February, 2015 3:05:45 AM
> Subject: [keycloak-user] Keycloak Adapters
>
> Dev team - A philosophical question about the adapters. Rather than building so many adapters for different Java Web containers including different versions, would it make sense to build a single Servlet Filter that would take care of all those cases and even other containers from Oracle/IBM etc?

Ideally yes, but technically it's not possible as there's no standard way to deal with a lot of things, for example propagating the security context to the EJB layer.

> Raghu

From stian at redhat.com Mon Feb 2 03:18:57 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Feb 2015 03:18:57 -0500 (EST)
Subject: [keycloak-user] How to get UserRepresentation by subject id
In-Reply-To:
References:
Message-ID: <1993440798.5219837.1422865137054.JavaMail.zimbra@redhat.com>

It should be by-id, but currently it's only available by-username. Please create a jira and we'll fix it.
----- Original Message -----
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org
> Sent: Sunday, 1 February, 2015 5:00:28 AM
> Subject: [keycloak-user] How to get UserRepresentation by subject id
>
> I remember reading that the correct way to uniquely identify a keycloak user is by the subject id. That is what I associate with objects in my application. I need to get a UserRepresentation using the admin client by that subject id. However, the only option allowed is to use username. Ex. realm.users().get("username"). I need realm.users().get("subjectid"). Is there a way to get UserRepresentation by subject?

From stian at redhat.com Mon Feb 2 03:20:28 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Feb 2015 03:20:28 -0500 (EST)
Subject: [keycloak-user] Keycloak Roles
In-Reply-To: <2029223580.260253.1422792549369.JavaMail.yahoo@mail.yahoo.com>
References: <2029223580.260253.1422792549369.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1453966054.5220582.1422865228561.JavaMail.zimbra@redhat.com>

All access control in Keycloak is per-realm and there's currently no way you could do per-app access control in Keycloak other than rolling your own endpoints.

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Keycloak-user"
> Sent: Sunday, 1 February, 2015 1:09:09 PM
> Subject: [keycloak-user] Keycloak Roles
>
> It appears that the current "manage" roles in Keycloak seem to cover all clients/apps, meaning app1 or client1 created by user1 can be deleted by user2. Is that correct? If so, is there any realm-specific role that would allow users to manage only the clients or applications created by them? Taking this further, can a group of users create and manage only their applications but not the ones created by another group of users?
> If not, how can I set up or create new roles to meet that functionality which would be provided to all users?

From christoph.machnik at traveltainment.de Mon Feb 2 07:09:01 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Mon, 2 Feb 2015 12:09:01 +0000
Subject: [keycloak-user] Possibility to get the keycloak session timeout value per Java-Script
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC4783E@EX-TT-AC-01.traveltainment.int>

Hi,

I want to show an info before the session runs into a timeout, so that the user can react and not be logged out. For this I need to read the session timeout that is configured in the keycloak admin console. Is there a possibility to get the timeout value in javascript?

From juraci at kroehling.de Mon Feb 2 07:26:43 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Mon, 02 Feb 2015 13:26:43 +0100
Subject: [keycloak-user] Best practices for building appliances
Message-ID: <54CF6D03.3090909@kroehling.de>

All,

In our project, we plan to have a distribution where we ship our application with a Wildfly bundled, a la Keycloak Appliance.

My main concern is shipping our distribution with a default pair of realm keys or with a pre-filled database. I know it's possible to import a realm on the first boot and KC will generate the required keys if they are missing from the imported JSON template, but as we are shipping our own WAR, we would need to get the public key into our application's keycloak.json (or subsystem) before it gets deployed.
I wonder if this is a common situation and what would be the best practices for such a case. I think Stian mentioned before that a future version of KC would allow auto registration of applications, but until that is available, I'd be interested in hearing your experiences about it.

Another situation is for a contributor of the project or for users who would want to build from the source: what would be the best practice for generating new keys at each build? If there's no easy solution for that now, I'd be interested in building a "keycloak-cli" utility that would generate realm and application JSON files, possibly with a Maven plugin wrapper to make it easier to consume from maven projects. Would something like that be interesting for the project?

Best,
Juca.

From dimiker at yahoo.gr Mon Feb 2 08:07:27 2015
From: dimiker at yahoo.gr (Dimitris Keramidas)
Date: Mon, 2 Feb 2015 13:07:27 +0000 (UTC)
Subject: [keycloak-user] Upgrading from 1.0.4 to 1.1.0: Role(s) not found
Message-ID: <1388158607.955685.1422882447285.JavaMail.yahoo@mail.yahoo.com>

Hello,

I am currently deploying Keycloak version 1.0.4 as a war, in a WildFly app-server. I am using oracle 11g as the database for the datastore and schema. I've followed the relevant guide to install version 1.1.0, and the schema seemed to be upgraded normally. However, I found two problems:

1. The war distribution bundle does not contain the themes that need to be placed in wildfly's configuration directory.
I downloaded the appliance bundle and used those instead.

2. After logging into the administration console, I could see the list of roles I created for my realms, but could not access/edit any. I am only getting an "Error! Not found" message. Furthermore, if I try to assign a new role to a user, the "available roles" list is empty. Please note though, that users that already have roles assigned to them work/log in properly.

Any help would be appreciated.

From ssilvert at redhat.com Mon Feb 2 08:11:28 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 02 Feb 2015 08:11:28 -0500
Subject: [keycloak-user] Best practices for building appliances
In-Reply-To: <54CF6D03.3090909@kroehling.de>
References: <54CF6D03.3090909@kroehling.de>
Message-ID: <54CF7780.3040407@redhat.com>

Hi Juca,

I'm working on these exact issues right now. The current plan is to build on top of WildFly CLI. So you would be able to do most/all Keycloak API calls from there. This will allow us to integrate more smoothly with WildFly and achieve some of our long term goals for both Keycloak and WildFly.

Your specific use case is one I've been thinking about along with a larger scope of requirements. I think what will happen is that the Keycloak subsystem will be able to do your setup at deployment time and configure a secure-deployment in standalone.xml or domain.xml. I already have some of the code for that. It just uses a secure-deployment declared as a template and then adds Keycloak to any unsecured WAR at deployment time. But it will also need to be able to add the application in Keycloak, find the public key, and obtain the client secret. That part is not done yet.

I think I need to put together a full plan for this and many other use cases where we need tighter WildFly integration.
Then I'll break it all down into tasks. I'll get that done as soon as possible, but shoot for no later than Friday.

Would you be willing to help with some of the tasks?

Stan

On 2/2/2015 7:26 AM, Juraci Paixão Kröhling wrote:
> All,
>
> In our project, we plan to have a distribution where we ship our application with a Wildfly bundled, a la Keycloak Appliance.
>
> My main concern is shipping our distribution with a default pair of realm keys or with a pre-filled database. I know it's possible to import a realm on the first boot and KC will generate the required keys if they are missing from the imported JSON template, but as we are shipping our own WAR, we would need to get the public key into our application's keycloak.json (or subsystem) before it gets deployed.
>
> I wonder if this is a common situation and what would be the best practices for such a case. I think Stian mentioned before that a future version of KC would allow auto registration of applications, but until that is available, I'd be interested in hearing your experiences about it.
>
> Another situation is for a contributor of the project or for users who would want to build from the source: what would be the best practice for generating new keys at each build? If there's no easy solution for that now, I'd be interested in building a "keycloak-cli" utility that would generate realm and application JSON files, possibly with a Maven plugin wrapper to make it easier to consume from maven projects. Would something like that be interesting for the project?
>
> Best,
> Juca.
From d.stropalov at gmail.com Mon Feb 2 08:33:06 2015
From: d.stropalov at gmail.com (Dmytro Stropalov)
Date: Mon, 2 Feb 2015 14:33:06 +0100
Subject: [keycloak-user] OAuth grant page
Message-ID:

Hello!

I want to use Keycloak for SSO and IDM mainly for services/applications in the intranet. But I have a strong requirement to work only via the OAuth protocol. So, is there any possibility to skip or disable the OAuth grant page on user login, because it's not really necessary in my case?

Thank you!

All the best,
Dmitry

From Mohan.Radhakrishnan at cognizant.com Mon Feb 2 09:07:24 2015
From: Mohan.Radhakrishnan at cognizant.com (Mohan.Radhakrishnan at cognizant.com)
Date: Mon, 2 Feb 2015 14:07:24 +0000
Subject: [keycloak-user] Rest endpoint and AngularJS client
In-Reply-To: <965408124.5210577.1422864784384.JavaMail.zimbra@redhat.com>
References: <965408124.5210577.1422864784384.JavaMail.zimbra@redhat.com>
Message-ID:

We do have WebSeal backed by Tivoli in our legacy application. The new REST endpoints are built on top of the legacy EJB application. It is not an entirely new application. Slowly the HTML5/Rest layers will replace the legacy system.
There could be others in the forum who have this setup. Any initial pointers?

Thanks,
Mohan

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Monday, February 02, 2015 1:43 PM
To: Radhakrishnan, Mohan (Cognizant)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Rest endpoint and AngularJS client

----- Original Message -----
> From: "Mohan Radhakrishnan"
> To: keycloak-user at lists.jboss.org
> Sent: Saturday, 31 January, 2015 1:42:39 PM
> Subject: [keycloak-user] Rest endpoint and AngularJS client
>
> Hi,
>
> This is my first post. We have a large HealthCare domain Rest application with an AngularJS client. We may require role-based access control of HTML views. We can consult LDAP to get these. But due to some internal reasons we are not going to use OAuth now. It may be a future enhancement.
>
> Are these types of HTML5/JS applications still protected effectively based on roles? I wanted to know before I start reading more about Keycloak because OAuth is not used now.

An HTML5/JS application doesn't have any access control. All it can do is hide features a user can't access. The access control has to be done on the REST endpoints. This is a perfect fit for OpenID Connect. When you login to Keycloak your app is given a token that includes the roles the user can access. These can then be used by the AngularJS app to enable/disable features. When invoking REST endpoints the token is passed along, which then allows the REST endpoints to verify if the user has access to the requested resource or not. In summary Keycloak and OpenID Connect are perfect fits for the type of application you're doing.

> Thanks,
> Mohan
From stian at redhat.com Mon Feb 2 09:42:29 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 2 Feb 2015 09:42:29 -0500 (EST)
Subject: [keycloak-user] Best practices for building appliances
In-Reply-To: <54CF6D03.3090909@kroehling.de>
References: <54CF6D03.3090909@kroehling.de>
Message-ID: <1987117506.5580740.1422888149435.JavaMail.zimbra@redhat.com>

This is something that we need to figure out and find a proper solution for. It should be very easy for any JBoss project/product to both embed Keycloak and to use a centralized Keycloak for SSO. There are quite a few issues that need resolving to achieve this properly:

* Do we support embedding Keycloak in other containers than WildFly/EAP?
* Do we provide a slimmed down version of Keycloak for embedding? An embedded Keycloak should be for securing the project's console in a simple deployment, not for an SSO solution. * How do we handle bootstrapping? Applications need to configure themselves, including realm keys and application secrets. What happens if realm keys, application urls, etc change. * How do we provide a simple mechanism to link to a centralized Keycloak server * How do we make sure multiple projects can share the same Keycloak realm? Roles, for example, are a problem here if multiple projects use realm level roles (Keycloak itself does!) * How to enable SSL for a project? Keycloak is not secure without SSL! That's one of the downsides to bearer auth. Those issues (and probably a whole bunch more) should all be solved consistently for all JBoss projects. ----- Original Message ----- > From: "Juraci Paixão Kröhling" > To: keycloak-user at lists.jboss.org > Sent: Monday, 2 February, 2015 1:26:43 PM > Subject: [keycloak-user] Best practices for building appliances > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > All, > > In our project, we plan to have a distribution where we ship our > application with a Wildfly bundled, a la Keycloak Appliance. > > My main concern is shipping our distribution with a default pair of > realm keys or with a pre-filled database. I know it's possible to > import a realm on the first boot and KC will generate the required > keys if they are missing from the imported JSON template, but as we > are shipping our own WAR, we would need to get the public key into our > application's keycloak.json (or subsystem) before it gets deployed. > > I wonder if this is a common situation and what would be the best > practices for such case. I think Stian mentioned before that a future > version of KC would allow auto registration of applications, but until > that is available, I'd be interested in hearing your experiences about it. 
> > Another situation is for a contributor of the project or for users who > would want to build from the source: what would be the best practice > for generating new keys at each build? If there's no easy solution for > that now, I'd be interested in building a "keycloak-cli" utility that > would generate realm and application JSON files, possibly with a Maven > plugin wrapper to make it easier to consume from maven projects. Would > something like that be interesting for the project? > > Best, > Juca. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From bmcwhirt at redhat.com Mon Feb 2 09:56:00 2015 From: bmcwhirt at redhat.com (Bob McWhirter) Date: Mon, 2 Feb 2015 09:56:00 -0500 Subject: [keycloak-user] Best practices for building appliances In-Reply-To: <1987117506.5580740.1422888149435.JavaMail.zimbra@redhat.com> References: <54CF6D03.3090909@kroehling.de> <1987117506.5580740.1422888149435.JavaMail.zimbra@redhat.com> Message-ID: <8D234C43-18AB-42E3-ACBD-C7929D618937@redhat.com> fwiw... As a user, I enjoyed the -appliance download, but also wonder why it needs to be based upon Wildfly, instead of maybe a smaller -appliance download based upon just Undertow? -Bob On Feb 2, 2015, at 9:42 AM, Stian Thorgersen wrote: > This is something that we need to figure out and find a proper solution for. 
It should be very easy for any JBoss project/product to both embed Keycloak and to use a centralized Keycloak for SSO. > > There are quite a few issues that needs resolving to achieve this properly: > > * Do we support embedding Keycloak in other containers than WildFly/EAP? > * Do we provide a slimmed down version of Keycloak for embedding? An embedded Keycloak should be for securing the projects console in a simple deployment, not for a SSO solution. > * How do we handle bootstrapping? Applications needs to configure themselves, including realm keys and application secrets. What happens if realm keys, application urls, etc change. > * How do we provide a simple mechanism to link to a centralized Keycloak server > * How do we make sure multiple projects can share the same Keycloak realm? Roles for example is a problem here if multiple projects use realm level roles (Keycloak itself does!) > * How to enable SSL for a project? Keycloak is not secure without SSL! That's one of the downsides to bearer auth. > > Those issues (and probably a whole bunch more) should all be solved consistently for all JBoss projects. > > ----- Original Message ----- >> From: "Juraci Paixão Kröhling" >> To: keycloak-user at lists.jboss.org >> Sent: Monday, 2 February, 2015 1:26:43 PM >> Subject: [keycloak-user] Best practices for building appliances >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> All, >> >> In our project, we plan to have a distribution where we ship our >> application with a Wildfly bundled, a la Keycloak Appliance. >> >> My main concern is shipping our distribution with a default pair of >> realm keys or with a pre-filled database. I know it's possible to >> import a realm on the first boot and KC will generate the required >> keys if they are missing from the imported JSON template, but as we >> are shipping our own WAR, we would need to get the public key into our >> application's keycloak.json (or subsystem) before it gets deployed. 
>> >> I wonder if this is a common situation and what would be the best >> practices for such case. I think Stian mentioned before that a future >> version of KC would allow auto registration of applications, but until >> that is available, I'd be interested in hearing your experiences about it. >> >> Another situation is for a contributor of the project or for users who >> would want to build from the source: what would be the best practice >> for generating new keys at each build? If there's no easy solution for >> that now, I'd be interested in building a "keycloak-cli" utility that >> would generate realm and application JSON files, possibly with a Maven >> plugin wrapper to make it easier to consume from maven projects. Would >> something like that be interesting for the project? >> >> Best, >> Juca. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Mon Feb 2 10:03:24 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 2 Feb 2015 10:03:24 -0500 (EST) Subject: [keycloak-user] Best practices for building appliances In-Reply-To: <54CF7780.3040407@redhat.com> References: <54CF6D03.3090909@kroehling.de> <54CF7780.3040407@redhat.com> 
Message-ID: <1267692723.5607431.1422889404668.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Stan Silvert" > To: keycloak-user at lists.jboss.org > Sent: Monday, 2 February, 2015 2:11:28 PM > Subject: Re: [keycloak-user] Best practices for building appliances > > Hi Juca, > > I'm working on these exact issues right now. > > The current plan is to build on top of WildFly CLI. So you would be > able to do most/all Keycloak API calls from there. This will allow us > to integrate more smoothly with WildFly and achieve some of our long > term goals for both Keycloak and WildFly. AFAIK that's not been decided yet. I'm not convinced about using WildFly CLI for the Keycloak CLI. My concerns are with regards to usability and the amount of required boilerplate to support all operations through DMR. We need to decide on what's best for Keycloak, not just for WildFly's use of Keycloak. > > Your specific use case is one I've been thinking about along with a > larger scope of requirements. I think what will happen is that the > Keycloak subsystem will be able to do your setup at deployment time and > configure a secure-deployment in standalone.xml or domain.xml. I > already have some of the code for that. It just uses a > secure-deployment declared as a template and then adds Keycloak to any > unsecured WAR at deployment time. secure-deployment should be for end-user applications, so that doesn't apply to this > > But it will also need to be able add the application in Keycloak, find > the public key, and obtain the client secret. That part is not done yet. This is something I'm looking into at the moment. We need a way for an application to securely configure itself. > > I think I need to put together a full plan for this and many other use > cases where we need tighter WildFly integration. Then I'll break it all > down into tasks. I'll get that done as soon as possible, but shoot for > no later than Friday. 
Would you be willing to help with some of the tasks? It would be great if we can get an update on what was decided on the WildFly F2F. We need to have follow-up discussions and probably a few hangouts around these issues. > > Stan > > On 2/2/2015 7:26 AM, Juraci Paixão Kröhling wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > All, > > > > In our project, we plan to have a distribution where we ship our > > application with a Wildfly bundled, a la Keycloak Appliance. > > > > My main concern is shipping our distribution with a default pair of > > realm keys or with a pre-filled database. I know it's possible to > > import a realm on the first boot and KC will generate the required > > keys if they are missing from the imported JSON template, but as we > > are shipping our own WAR, we would need to get the public key into our > > application's keycloak.json (or subsystem) before it gets deployed. > > > > I wonder if this is a common situation and what would be the best > > practices for such case. I think Stian mentioned before that a future > > version of KC would allow auto registration of applications, but until > > that is available, I'd be interested in hearing your experiences about it. > > > > Another situation is for a contributor of the project or for users who > > would want to build from the source: what would be the best practice > > for generating new keys at each build? If there's no easy solution for > > that now, I'd be interested in building a "keycloak-cli" utility that > > would generate realm and application JSON files, possibly with a Maven > > plugin wrapper to make it easier to consume from maven projects. Would > > something like that be interesting for the project? > > > > Best, > > Juca. 
> > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From stian at redhat.com Mon Feb 2 10:18:58 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 2 Feb 2015 10:18:58 -0500 (EST) Subject: [keycloak-user] Best practices for building appliances In-Reply-To: <8D234C43-18AB-42E3-ACBD-C7929D618937@redhat.com> References: <54CF6D03.3090909@kroehling.de> <1987117506.5580740.1422888149435.JavaMail.zimbra@redhat.com> <8D234C43-18AB-42E3-ACBD-C7929D618937@redhat.com> Message-ID: <2040842626.5620071.1422890338621.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bob McWhirter" > To: keycloak-user at lists.jboss.org > Sent: Monday, 2 February, 2015 3:56:00 PM > Subject: Re: [keycloak-user] Best practices for building appliances > > fwiw... > > As a user, I enjoyed the -appliance download, but also wonder why it needs to > be based upon Wildfly, instead of maybe a smaller -appliance download based > upon just Undertow? As a user, would that be mainly the size of the download, or are there any other issues? Currently we depend on WildFly for SSL, datasources, Infinispan caches, startup script. 
We're discussing/considering tighter integration with WildFly in the future as there are more features we're adding which are dependent on the container such as client cert authentication, modules (classloader isolation for custom code), JEE support for providers, etc.. We may even go as far as using WildFly CLI and standalone/domain.xml.... We are considering a slimmed-down version of Keycloak to embed into other JBoss projects, but this will not be targeted at end-users. > > -Bob > > > On Feb 2, 2015, at 9:42 AM, Stian Thorgersen wrote: > > > This is something that we need to figure out and find a proper solution > > for. It should be very easy for any JBoss project/product to both embed > > Keycloak and to use a centralized Keycloak for SSO. > > > > There are quite a few issues that needs resolving to achieve this properly: > > > > * Do we support embedding Keycloak in other containers than WildFly/EAP? > > * Do we provide a slimmed down version of Keycloak for embedding? An > > embedded Keycloak should be for securing the projects console in a simple > > deployment, not for a SSO solution. > > * How do we handle bootstrapping? Applications needs to configure > > themselves, including realm keys and application secrets. What happens if > > realm keys, application urls, etc change. > > * How do we provide a simple mechanism to link to a centralized Keycloak > > server > > * How do we make sure multiple projects can share the same Keycloak realm? > > Roles for example is a problem here if multiple projects use realm level > > roles (Keycloak itself does!) > > * How to enable SSL for a project? Keycloak is not secure without SSL! > > That's one of the downsides to bearer auth. > > > > Those issues (and probably a whole bunch more) should all be solved > > consistently for all JBoss projects. 
> > > > ----- Original Message ----- > >> From: "Juraci Paixão Kröhling" > >> To: keycloak-user at lists.jboss.org > >> Sent: Monday, 2 February, 2015 1:26:43 PM > >> Subject: [keycloak-user] Best practices for building appliances > >> > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> All, > >> > >> In our project, we plan to have a distribution where we ship our > >> application with a Wildfly bundled, a la Keycloak Appliance. > >> > >> My main concern is shipping our distribution with a default pair of > >> realm keys or with a pre-filled database. I know it's possible to > >> import a realm on the first boot and KC will generate the required > >> keys if they are missing from the imported JSON template, but as we > >> are shipping our own WAR, we would need to get the public key into our > >> application's keycloak.json (or subsystem) before it gets deployed. > >> > >> I wonder if this is a common situation and what would be the best > >> practices for such case. I think Stian mentioned before that a future > >> version of KC would allow auto registration of applications, but until > >> that is available, I'd be interested in hearing your experiences about it. > >> > >> Another situation is for a contributor of the project or for users who > >> would want to build from the source: what would be the best practice > >> for generating new keys at each build? If there's no easy solution for > >> that now, I'd be interested in building a "keycloak-cli" utility that > >> would generate realm and application JSON files, possibly with a Maven > >> plugin wrapper to make it easier to consume from maven projects. Would > >> something like that be interesting for the project? > >> > >> Best, > >> Juca. 
> >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From brmeyer at redhat.com Mon Feb 2 15:00:18 2015 From: brmeyer at redhat.com (Brett Meyer) Date: Mon, 2 Feb 2015 15:00:18 -0500 (EST) Subject: [keycloak-user] authenticate EJB remote clients In-Reply-To: <1940796580.5823302.1422907106388.JavaMail.zimbra@redhat.com> Message-ID: <1307824534.5824017.1422907218066.JavaMail.zimbra@redhat.com> http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#jboss-adapter I'm probably mis-reading that chapter, but is it implying that Keycloak can handle authenticating EJB *remote* clients? I haven't had success, so far, even after setting up the security-domain in standalone.xml and referencing it with @SecurityDomain. Even with concepts from https://github.com/wildfly/quickstart/tree/master/ejb-security, I continue to receive "Invalid user". Is that a use case that's supported, or am I misunderstanding? Thanks! 
From mposolda at redhat.com Mon Feb 2 17:14:00 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 02 Feb 2015 23:14:00 +0100 Subject: [keycloak-user] Possibility to get the keycloak session timeout value per Java-Script In-Reply-To: <9656B9D10BC6124A88D5E27DD02422855BC4783E@EX-TT-AC-01.traveltainment.int> References: <9656B9D10BC6124A88D5E27DD02422855BC4783E@EX-TT-AC-01.traveltainment.int> Message-ID: <54CFF6A8.4020607@redhat.com> Hi, on keycloak.js there is function "isTokenExpired()" which can be used to check if token is expired. You can also give it an argument like "isTokenExpired(10)", which will return true if token is expired *or* is going to expire in next 10 seconds. Some more info in the docs: http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter Marek On 2.2.2015 13:09, Christoph Machnik wrote: > Hi, > > I want to show an info, before the session runs in a timeout, so that > the user can react and not be logged out. For this I need to read the > session timeout that is configured in the keycloak admin console. Is > there a possibility to get the timeout value in javascript? > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
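Both the role-based feature toggling Stian describes earlier in this thread and Marek's isTokenExpired(minValidity) check come down to reading claims out of the access token the browser app was given. The following is an added example, not keycloak.js and not code from this thread: it decodes a constructed, unsigned sample token and reproduces those two checks; the payload, the "trader" role and the timestamps are invented for the demo.

```javascript
// Added example (not keycloak.js): what a JS client's role lookup and an
// isTokenExpired(minValidity)-style check do with the access token's claims.
// The token is constructed and NOT signed: in the browser the token is only a
// hint for the UI, and the REST endpoints must verify the signature themselves.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8'); // browsers: atob()
}

// Build an unsigned, JWS-shaped token (header.payload.signature) for the demo.
function makeDemoToken(payload) {
  const header = { alg: 'none', typ: 'JWT' };
  return base64UrlEncode(JSON.stringify(header)) + '.' +
         base64UrlEncode(JSON.stringify(payload)) + '.';
}

// Read the payload the way a JS client does (no signature check here).
function parseJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True if the token is expired or will expire within `minValidity` seconds,
// which is what isTokenExpired(10) means in the reply above. `nowSeconds` is
// injected so the result is deterministic (clock skew is ignored here).
function isTokenExpired(payload, minValidity = 0,
                        nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== 'number') return true; // no exp: treat as unusable
  return payload.exp - nowSeconds - minValidity <= 0;
}

// Realm roles carried in the token; the AngularJS app may use these to
// enable/disable features, but only the REST endpoints enforce them.
function hasRealmRole(payload, role) {
  const roles = (payload.realm_access && payload.realm_access.roles) || [];
  return roles.includes(role);
}

// Seconds the UI can wait before warning the user that the token is about to
// expire (`warnBefore` seconds ahead of exp); 0 means warn right away.
function secondsUntilExpiryWarning(payload, warnBefore, nowSeconds) {
  return Math.max(0, payload.exp - warnBefore - nowSeconds);
}

// Constructed sample payload (all values invented for the demo).
const DEMO_PAYLOAD = {
  exp: 1700000000,
  iat: 1699999700,
  preferred_username: 'alice',
  realm_access: { roles: ['user', 'trader'] },
};
const DEMO_TOKEN = makeDemoToken(DEMO_PAYLOAD);

// Stand-alone run, 10 seconds before exp: the plain check still says valid,
// but the 10-second minValidity check already reports the token as expiring.
const demoNow = 1699999990;
const demoClaims = parseJwtPayload(DEMO_TOKEN);
console.log('expired now?        ', isTokenExpired(demoClaims, 0, demoNow));  // false
console.log('expiring within 10s?', isTokenExpired(demoClaims, 10, demoNow)); // true
console.log('can trade?          ', hasRealmRole(demoClaims, 'trader'));      // true
console.log('warn in (s)         ', secondsUntilExpiryWarning(demoClaims, 5, demoNow)); // 5
```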
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150202/d13e94be/attachment-0001.html

From mposolda at redhat.com Mon Feb 2 17:18:56 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 02 Feb 2015 23:18:56 +0100 Subject: [keycloak-user] Upgrading from 1.0.4 to 1.1.0: Role(s) not found In-Reply-To: <1388158607.955685.1422882447285.JavaMail.yahoo@mail.yahoo.com> References: <1388158607.955685.1422882447285.JavaMail.yahoo@mail.yahoo.com> Message-ID: <54CFF7D0.7060102@redhat.com> On 2.2.2015 14:07, Dimitris Keramidas wrote: > Hello, > > I am currently deploying Keycloak version 1.0.4 as a war, in a WildFly > app-server. I am using oracle 11g as the database for the datastore and > schema. I've followed the relevant guide to install version 1.1.0, and > the schema seemed to be upgraded normally. However, I found two problems: > 1. The war distribution bundle, does not contain the themes that need > to be placed in wildfly's configuration directory. I downloaded the > appliance bundle and used those, instead. This might be a bug in packaging. However you can create directory "themes" manually and put it just the files, which you want to override. The themes from this directory will have precedence over the themes from classpath (those are bundled inside jar file keycloak-forms-common-themes-VERSION.jar) > > 2. After logging into the administration console, I could see the list > of roles I created for my realms, but could not access/edit any. I am > only getting a "Error! Not found" message. Furthermore, If I try to > assign a new role to a user, the "available roles" list is empty. > Please note though, that users that already have roles assigned to > them, work/log in properly. Could you try to delete your browser cache? Marek > > Any help would be appreciated. 
> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150202/f718b97f/attachment.html

From mposolda at redhat.com Mon Feb 2 17:23:00 2015 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 02 Feb 2015 23:23:00 +0100 Subject: [keycloak-user] OAuth grant page In-Reply-To: References: Message-ID: <54CFF8C4.70606@redhat.com> Yes, you can just create "Application" instead of "OAuth client" in keycloak admin console. OAuth grant page is shown just for OAuth clients. Note that "applications" are also using OAuth for login (or OpenID Connect to be more precise). Marek On 2.2.2015 14:33, Dmytro Stropalov wrote: > Hello! > > I want to use Keycloak for SSO and IDM mainly for a > services/applications in the intranet. But I have a strong requirement > to work only via OAuth protocol. So, is there any possibility to skip > or disable OAuth grant page on user login, because it's not really > necessary in my case? Thank you! > > All the best, > Dmitry > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150202/ef224285/attachment.html

From stian at redhat.com Tue Feb 3 03:07:33 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 3 Feb 2015 03:07:33 -0500 (EST) Subject: [keycloak-user] authenticate EJB remote clients In-Reply-To: <1307824534.5824017.1422907218066.JavaMail.zimbra@redhat.com> References: <1307824534.5824017.1422907218066.JavaMail.zimbra@redhat.com> Message-ID: <201854761.6088462.1422950853165.JavaMail.zimbra@redhat.com> That chapter is about propagating the security context from the web layer to the ejb layer, not about remote ejb clients. We don't have any support for remote ejb clients currently, but that may be something that we could add. ----- Original Message ----- > From: "Brett Meyer" > To: keycloak-user at lists.jboss.org > Sent: Monday, 2 February, 2015 9:00:18 PM > Subject: [keycloak-user] authenticate EJB remote clients > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#jboss-adapter > > I'm probably mis-reading that chapter, but is it implying that Keycloak can > handle authenticating EJB *remote* clients? I haven't had success, so far, > even after setting up the security-domain in standalone.xml and referencing > it with @SecurityDomain. Even with concepts from > https://github.com/wildfly/quickstart/tree/master/ejb-security, I continue > to receive "Invalid user". Is that a use case that's supported, or am I > misunderstanding? > > Thanks! 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mposolda at redhat.com Tue Feb 3 04:08:58 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 03 Feb 2015 10:08:58 +0100 Subject: [keycloak-user] Best practices for building appliances In-Reply-To: <54CF6D03.3090909@kroehling.de> References: <54CF6D03.3090909@kroehling.de> Message-ID: <54D0902A.3070903@redhat.com> On 2.2.2015 13:26, Juraci Paixão Kröhling wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > All, > > In our project, we plan to have a distribution where we ship our > application with a Wildfly bundled, a la Keycloak Appliance. > > My main concern is shipping our distribution with a default pair of > realm keys or with a pre-filled database. I know it's possible to > import a realm on the first boot and KC will generate the required > keys if they are missing from the imported JSON template, but as we > are shipping our own WAR, we would need to get the public key into our > application's keycloak.json (or subsystem) before it gets deployed. For public realm key, you don't need to specify it in keycloak.json. In that case, the adapter downloads public key from keycloak auth-server during first HTTP request (see AdapterDeploymentContext.resolveRealmKey). I guess this won't solve all your issues, but maybe it will help a little bit ;) Marek > > I wonder if this is a common situation and what would be the best > practices for such case. I think Stian mentioned before that a future > version of KC would allow auto registration of applications, but until > that is available, I'd be interested in hearing your experiences about it. > > Another situation is for a contributor of the project or for users who > would want to build from the source: what would be the best practice > for generating new keys at each build? 
If there's no easy solution for > that now, I'd be interested in building a "keycloak-cli" utility that > would generate realm and application JSON files, possibly with a Maven > plugin wrapper to make it easier to consume from maven projects. Would > something like that be interesting for the project? > > Best, > Juca. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From christoph.machnik at traveltainment.de Tue Feb 3 04:59:40 2015 From: christoph.machnik at traveltainment.de (Christoph Machnik) Date: Tue, 3 Feb 2015 09:59:40 +0000 Subject: [keycloak-user] Possibility to get the keycloak session timeout value per Java-Script In-Reply-To: <54CFF6A8.4020607@redhat.com> References: <9656B9D10BC6124A88D5E27DD02422855BC4783E@EX-TT-AC-01.traveltainment.int>, <54CFF6A8.4020607@redhat.com> Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC48120@EX-TT-AC-01.traveltainment.int> Hi, thanks for the answer, but I want to know the value of the session timeout (red), and "isTokenExpired(X)" is for the accessToken value (blue). Is there a possibility to get this value (red) in JavaScript? ________________________________ From: Marek Posolda [mposolda at redhat.com] Sent: Monday, 2 February 2015 23:14 To: Christoph Machnik; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Possibility to get the keycloak session timeout value per Java-Script Hi, on keycloak.js there is function "isTokenExpired()" which can be used to check if token is expired. You can also give it an argument like "isTokenExpired(10)", which will return true if token is expired *or* is going to expire in next 10 seconds. Some more info in the docs: http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter Marek On 2.2.2015 13:09, Christoph Machnik wrote: Hi, I want to show an info, before the session runs in a timeout, so that the user can react and not be logged out. For this I need to read the session timeout that is configured in the keycloak admin console. Is there a possibility to get the timeout value in javascript? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150203/63a9a686/attachment.html

From peterson.dean at gmail.com Tue Feb 3 13:42:02 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Tue, 3 Feb 2015 12:42:02 -0600 Subject: [keycloak-user] Long Ugly Urls Message-ID: It seems keycloak concatenates a few request parameters to every request. Is there a way to prevent keycloak from making my urls long and ugly? Ex. http://trade.abecorn.com/?redirect_fragment=%2F&code=1sUsCF6MdwpWCiNiSqT1HMNYcFI.ZWFmYTY0Y2QtNTUxMC00MjU4LWI5NzctYjA5ZGM3MzM3Zjky&state=b63aad37-1902-4179-8847-8fad97fdd675#/trade/54d0623ca8095b56971408ce It should just be: http://trade.abecorn.com/#/trade/54d0623ca8095b56971408ce -------------- next part -------------- An HTML attachment was scrubbed... 
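Dean's URL above is the OpenID Connect authorization-code redirect: Keycloak appends `code` and `state` on the way back, and `redirect_fragment` carries the app's own `#` route. As an added example (not keycloak.js, whose adapter normally does this for you, and not code from this thread), the function below shows what stripping those parameters involves on the client: check `state` against the value the app stored before redirecting, hand back the single-use `code` for the token exchange, and rebuild the clean URL. The stored state value is assumed to be available to the caller; the sample URL is the one from the message.

```javascript
// Added example (not keycloak.js): consume an OpenID Connect code-flow
// callback URL and return the clean application URL the user should see.
const OIDC_CALLBACK_PARAMS = ['code', 'state', 'redirect_fragment'];

// expectedState: the random value this app generated and stored (for example
// in sessionStorage) before redirecting the browser to Keycloak.
function processCallbackUrl(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  const params = u.searchParams;
  const code = params.get('code');
  const state = params.get('state');
  const redirectFragment = params.get('redirect_fragment');

  // Not a login response at all: leave the URL untouched.
  if (code === null) return { code: null, cleanUrl: callbackUrl };

  // `state` ties the response to a request this app actually started; a
  // mismatch means the response was not initiated here and must be dropped.
  if (!expectedState || state !== expectedState) {
    throw new Error('state mismatch: rejecting authorization response');
  }

  for (const name of OIDC_CALLBACK_PARAMS) params.delete(name);

  // Restore the app's own route: the fragment survives the round trip when
  // present, otherwise fall back to what was tucked into redirect_fragment.
  let hash = u.hash;
  if (!hash && redirectFragment) hash = '#' + redirectFragment;

  // Rebuild by hand so an emptied query never leaves a dangling '?'.
  const query = params.toString();
  const cleanUrl = u.origin + u.pathname + (query ? '?' + query : '') + hash;
  return { code, cleanUrl };
}

// In a browser the app would next exchange `code` for tokens and replace the
// address-bar entry so the single-use code does not linger in history:
//   history.replaceState(null, '', cleanUrl);

// Sample taken from the message above; the state value is treated as the one
// the app had stored before the redirect.
const SAMPLE_STATE = 'b63aad37-1902-4179-8847-8fad97fdd675';
const SAMPLE_CALLBACK =
  'http://trade.abecorn.com/?redirect_fragment=%2F' +
  '&code=1sUsCF6MdwpWCiNiSqT1HMNYcFI.ZWFmYTY0Y2QtNTUxMC00MjU4LWI5NzctYjA5ZGM3MzM3Zjky' +
  '&state=' + SAMPLE_STATE + '#/trade/54d0623ca8095b56971408ce';

const demo = processCallbackUrl(SAMPLE_CALLBACK, SAMPLE_STATE);
console.log(demo.cleanUrl); // http://trade.abecorn.com/#/trade/54d0623ca8095b56971408ce
```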
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150203/3c6bbb7d/attachment.html

From stian at redhat.com Wed Feb 4 02:57:16 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 4 Feb 2015 02:57:16 -0500 (EST) Subject: [keycloak-user] Long Ugly Urls In-Reply-To: References: Message-ID: <173465242.7041406.1423036636905.JavaMail.zimbra@redhat.com> code and state query params are part of the redirect back to the application. These should be stripped off automatically by the adapter. Are you using keycloak.js? ----- Original Message ----- > From: "Dean Peterson" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 3 February, 2015 7:42:02 PM > Subject: [keycloak-user] Long Ugly Urls > > It seems keycloak concatenates a few request parameters to every request. Is > there a way to prevent keycloak from making my urls long and ugly? > > Ex. > > http://trade.abecorn.com/?redirect_fragment=%2F&code=1sUsCF6MdwpWCiNiSqT1HMNYcFI.ZWFmYTY0Y2QtNTUxMC00MjU4LWI5NzctYjA5ZGM3MzM3Zjky&state=b63aad37-1902-4179-8847-8fad97fdd675#/trade/54d0623ca8095b56971408ce > > It should just be: > > http://trade.abecorn.com/#/trade/54d0623ca8095b56971408ce > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Feb 4 03:32:09 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 04 Feb 2015 09:32:09 +0100 Subject: [keycloak-user] Best practices for building appliances In-Reply-To: <2040842626.5620071.1422890338621.JavaMail.zimbra@redhat.com> References: <54CF6D03.3090909@kroehling.de> <1987117506.5580740.1422888149435.JavaMail.zimbra@redhat.com> <8D234C43-18AB-42E3-ACBD-C7929D618937@redhat.com> <2040842626.5620071.1422890338621.JavaMail.zimbra@redhat.com> Message-ID: <54D1D909.4000806@redhat.com> My take is to be ideally as much independent on Wildfly as possible. 
Each dependent feature might cause issues with portability and migration.

For example if we tightly integrate with Wildfly CLI and Wildfly 10 would come with "New uber-cool CLI v 1.0", which won't be compatible with previous CLI, we would need to rewrite our CLI operations or provide abstraction/SPI to be able to run on all of Wildfly 8,9,10.

It looks to me that earlier or later, we would need to provide auth-server WAR, which will run on Jetty, Tomcat etc. Currently it's not hard to have auth-server running on those (as recently proven by coolmind182006 and his blogpost). Would be nice to keep it like that.

Marek

On 2.2.2015 16:18, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bob McWhirter"
>> To: keycloak-user at lists.jboss.org
>> Sent: Monday, 2 February, 2015 3:56:00 PM
>> Subject: Re: [keycloak-user] Best practices for building appliances
>>
>> fwiw…
>>
>> As a user, I enjoyed the -appliance download, but also wonder why it needs to
>> be based upon Wildfly, instead of maybe a smaller -appliance download based
>> upon just Undertow?
> As a user, would that be mainly the size of the download, or are there any other issues?
>
> Currently we depend on WildFly for SSL, datasources, Infinispan caches, startup script. We're discussing/considering tighter integration with WildFly in the future as there are more features we're adding which are dependent on the container such as client cert authentication, modules (classloader isolation for custom code), JEE support for providers, etc.. We may even go as far as using WildFly CLI and standalone/domain.xml....
>
> We are considering a slimmed-down version of Keycloak to embed into other JBoss projects, but this will not be targeted at end-users.
>
>> -Bob
>>
>>
>> On Feb 2, 2015, at 9:42 AM, Stian Thorgersen wrote:
>>
>>> This is something that we need to figure out and find a proper solution
>>> for. It should be very easy for any JBoss project/product to both embed
>>> Keycloak and to use a centralized Keycloak for SSO.
>>>
>>> There are quite a few issues that need resolving to achieve this properly:
>>>
>>> * Do we support embedding Keycloak in other containers than WildFly/EAP?
>>> * Do we provide a slimmed down version of Keycloak for embedding? An
>>> embedded Keycloak should be for securing the project's console in a simple
>>> deployment, not for a SSO solution.
>>> * How do we handle bootstrapping? Applications need to configure
>>> themselves, including realm keys and application secrets. What happens if
>>> realm keys, application urls, etc change.
>>> * How do we provide a simple mechanism to link to a centralized Keycloak
>>> server
>>> * How do we make sure multiple projects can share the same Keycloak realm?
>>> Roles for example is a problem here if multiple projects use realm level
>>> roles (Keycloak itself does!)
>>> * How to enable SSL for a project? Keycloak is not secure without SSL!
>>> That's one of the downsides to bearer auth.
>>>
>>> Those issues (and probably a whole bunch more) should all be solved
>>> consistently for all JBoss projects.
>>>
>>> ----- Original Message -----
>>>> From: "Juraci Paixão Kröhling"
>>>> To: keycloak-user at lists.jboss.org
>>>> Sent: Monday, 2 February, 2015 1:26:43 PM
>>>> Subject: [keycloak-user] Best practices for building appliances
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> All,
>>>>
>>>> In our project, we plan to have a distribution where we ship our
>>>> application with a Wildfly bundled, a la Keycloak Appliance.
>>>>
>>>> My main concern is shipping our distribution with a default pair of
>>>> realm keys or with a pre-filled database. I know it's possible to
>>>> import a realm on the first boot and KC will generate the required
>>>> keys if they are missing from the imported JSON template, but as we
>>>> are shipping our own WAR, we would need to get the public key into our
>>>> application's keycloak.json (or subsystem) before it gets deployed.
>>>>
>>>> I wonder if this is a common situation and what would be the best
>>>> practices for such case. I think Stian mentioned before that a future
>>>> version of KC would allow auto registration of applications, but until
>>>> that is available, I'd be interested in hearing your experiences about it.
>>>>
>>>> Another situation is for a contributor of the project or for users who
>>>> would want to build from the source: what would be the best practice
>>>> for generating new keys at each build? If there's no easy solution for
>>>> that now, I'd be interested in building a "keycloak-cli" utility that
>>>> would generate realm and application JSON files, possibly with a Maven
>>>> plugin wrapper to make it easier to consume from maven projects. Would
>>>> something like that be interesting for the project?
>>>>
>>>> Best,
>>>> Juca.
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1
>>>>
>>>> iQEcBAEBAgAGBQJUz20DAAoJEDnJtskdmzLMbUYH/A0bclPFHI5FhL85lAXUrJ+a
>>>> DT0PLdm9nMSzCJS23Auey4XSfk3YMxaGqve0yiEAstkfkro4AsPsvmQz1H/zyyUX
>>>> csZduMlo8zzXox1n0uK8Mz95dnikSMD4MzAqXM3g8l3a7ORiw25Gg51REBMOJPUL
>>>> YzX0qRQlEq+MDCJw/L0G5KUZWqmrCYy5GpJ8e3wibK/MzPg/vhs7KLgxr0jh8Eee
>>>> gjlG/H4K37crDZrRE2ILGi7xV6GZYTw6AKgm03QFqt0/9HluJFcU9vPUs4JWMKfu
>>>> O7Nf4qQ7OJWnVijepQ1Jdcg7uRnX1a019v0kbIZT3g6YSoYT6nCRow9kCEQ0DGo=
>>>> =wYHW
>>>> -----END PGP SIGNATURE-----
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From koster at tizin.nl Wed Feb 4 04:20:40 2015
From: koster at tizin.nl (Marcel Koster)
Date: Wed, 4 Feb 2015 10:20:40 +0100
Subject: [keycloak-user] Unable to access Administration console on first run, due to https required
Message-ID:

Good morning,

I am trying to deploy the keycloak standalone server, but I cannot access the Administration console as specified in the tutorial on our external linux server that we use as a development environment. We have no certificate for that server and no need for ssl, because it is used for development only. I can run the server on my localhost just fine and access the Administration console.
How can I disable the ssl check on the standalone keycloak server?
Greetings,

Marcel Koster

0642044604  Peizerstate
koster at tizin.nl  Peizerweg 87A
www.tizin.nl  9727AH Groningen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150204/f7050afd/attachment.html

From stian at redhat.com Wed Feb 4 04:32:07 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 4 Feb 2015 04:32:07 -0500 (EST)
Subject: [keycloak-user] Unable to access Administration console on first run, due to https required
In-Reply-To:
References:
Message-ID: <392072799.7114351.1423042327716.JavaMail.zimbra@redhat.com>

http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/server-installation.html#ssl_modes

----- Original Message -----
> From: "Marcel Koster"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 4 February, 2015 10:20:40 AM
> Subject: [keycloak-user] Unable to access Administration console on first run, due to https required
>
> Good morning,
>
> I am trying to deploy the keycloak standalone server, but I cannot access the
> Administration console as specified in the tutorial on our external linux
> server that we use as a development environment. We have no certificate for
> that server and no need for ssl, because it is used for development only. I
> can run the server on my localhost just fine and access the Administration
> console.
> How can I disable the ssl check on the standalone keycloak server?
>
> Greetings,
>
> Marcel Koster
>
>
>
> 0642044604 Peizerstate
>
> koster at tizin.nl Peizerweg 87A
> www.tizin.nl 9727AH Groningen
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ssilvert at redhat.com Wed Feb 4 07:43:53 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 04 Feb 2015 07:43:53 -0500
Subject: [keycloak-user] Best practices for building appliances
In-Reply-To: <54D1D909.4000806@redhat.com>
References: <54CF6D03.3090909@kroehling.de> <1987117506.5580740.1422888149435.JavaMail.zimbra@redhat.com> <8D234C43-18AB-42E3-ACBD-C7929D618937@redhat.com> <2040842626.5620071.1422890338621.JavaMail.zimbra@redhat.com> <54D1D909.4000806@redhat.com>
Message-ID: <54D21409.3070700@redhat.com>

On 2/4/2015 3:32 AM, Marek Posolda wrote:
> My take is to be ideally as much independent on Wildfly as possible.
> Each dependent feature might cause issues with portability and migration.
>
> For example if we tightly integrate with Wildfly CLI and Wildfly 10
> would come with "New uber-cool CLI v 1.0", which won't be compatible
> with previous CLI, we would need to rewrite our CLI operations or
> provide abstraction/SPI to be able to run on all of Wildfly 8,9,10.
Very, very, very unlikely. The whole EAP customer base would revolt. DMR/CLI was written for extreme backward compatibility.

Even when something changes for a subsystem in standalone.xml the parser can still read old standalone.xml files and act accordingly.

We are allowed to break backward compatibility in major versions, but I don't think we've done that since JBoss AS 7.
>
> It looks to me that earlier or later, we would need to provide
> auth-server WAR, which will run on Jetty, Tomcat etc. Currently it's not
> hard to have auth-server running on those (as recently proven by
> coolmind182006 and his blogpost). Would be nice to keep it like that.
>
> Marek
>
> On 2.2.2015 16:18, Stian Thorgersen wrote:
>> ----- Original Message -----
>>> From: "Bob McWhirter"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Monday, 2 February, 2015 3:56:00 PM
>>> Subject: Re: [keycloak-user] Best practices for building appliances
>>>
>>> fwiw…
>>>
>>> As a user, I enjoyed the -appliance download, but also wonder why it needs to
>>> be based upon Wildfly, instead of maybe a smaller -appliance download based
>>> upon just Undertow?
>> As a user, would that be mainly the size of the download, or are there any other issues?
>>
>> Currently we depend on WildFly for SSL, datasources, Infinispan caches, startup script. We're discussing/considering tighter integration with WildFly in the future as there are more features we're adding which are dependent on the container such as client cert authentication, modules (classloader isolation for custom code), JEE support for providers, etc.. We may even go as far as using WildFly CLI and standalone/domain.xml....
>>
>> We are considering a slimmed-down version of Keycloak to embed into other JBoss projects, but this will not be targeted at end-users.
>>
>>> -Bob
>>>
>>>
>>> On Feb 2, 2015, at 9:42 AM, Stian Thorgersen wrote:
>>>
>>>> This is something that we need to figure out and find a proper solution
>>>> for. It should be very easy for any JBoss project/product to both embed
>>>> Keycloak and to use a centralized Keycloak for SSO.
>>>>
>>>> There are quite a few issues that need resolving to achieve this properly:
>>>>
>>>> * Do we support embedding Keycloak in other containers than WildFly/EAP?
>>>> * Do we provide a slimmed down version of Keycloak for embedding? An
>>>> embedded Keycloak should be for securing the project's console in a simple
>>>> deployment, not for a SSO solution.
>>>> * How do we handle bootstrapping? Applications need to configure
>>>> themselves, including realm keys and application secrets. What happens if
>>>> realm keys, application urls, etc change.
>>>> * How do we provide a simple mechanism to link to a centralized Keycloak
>>>> server
>>>> * How do we make sure multiple projects can share the same Keycloak realm?
>>>> Roles for example is a problem here if multiple projects use realm level
>>>> roles (Keycloak itself does!)
>>>> * How to enable SSL for a project? Keycloak is not secure without SSL!
>>>> That's one of the downsides to bearer auth.
>>>>
>>>> Those issues (and probably a whole bunch more) should all be solved
>>>> consistently for all JBoss projects.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Juraci Paixão Kröhling"
>>>>> To: keycloak-user at lists.jboss.org
>>>>> Sent: Monday, 2 February, 2015 1:26:43 PM
>>>>> Subject: [keycloak-user] Best practices for building appliances
>>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> All,
>>>>>
>>>>> In our project, we plan to have a distribution where we ship our
>>>>> application with a Wildfly bundled, a la Keycloak Appliance.
>>>>>
>>>>> My main concern is shipping our distribution with a default pair of
>>>>> realm keys or with a pre-filled database. I know it's possible to
>>>>> import a realm on the first boot and KC will generate the required
>>>>> keys if they are missing from the imported JSON template, but as we
>>>>> are shipping our own WAR, we would need to get the public key into our
>>>>> application's keycloak.json (or subsystem) before it gets deployed.
>>>>>
>>>>> I wonder if this is a common situation and what would be the best
>>>>> practices for such case. I think Stian mentioned before that a future
>>>>> version of KC would allow auto registration of applications, but until
>>>>> that is available, I'd be interested in hearing your experiences about it.
>>>>>
>>>>> Another situation is for a contributor of the project or for users who
>>>>> would want to build from the source: what would be the best practice
>>>>> for generating new keys at each build? If there's no easy solution for
>>>>> that now, I'd be interested in building a "keycloak-cli" utility that
>>>>> would generate realm and application JSON files, possibly with a Maven
>>>>> plugin wrapper to make it easier to consume from maven projects. Would
>>>>> something like that be interesting for the project?
>>>>>
>>>>> Best,
>>>>> Juca.
>>>>>
>>>>> -----BEGIN PGP SIGNATURE-----
>>>>> Version: GnuPG v1
>>>>>
>>>>> iQEcBAEBAgAGBQJUz20DAAoJEDnJtskdmzLMbUYH/A0bclPFHI5FhL85lAXUrJ+a
>>>>> DT0PLdm9nMSzCJS23Auey4XSfk3YMxaGqve0yiEAstkfkro4AsPsvmQz1H/zyyUX
>>>>> csZduMlo8zzXox1n0uK8Mz95dnikSMD4MzAqXM3g8l3a7ORiw25Gg51REBMOJPUL
>>>>> YzX0qRQlEq+MDCJw/L0G5KUZWqmrCYy5GpJ8e3wibK/MzPg/vhs7KLgxr0jh8Eee
>>>>> gjlG/H4K37crDZrRE2ILGi7xV6GZYTw6AKgm03QFqt0/9HluJFcU9vPUs4JWMKfu
>>>>> O7Nf4qQ7OJWnVijepQ1Jdcg7uRnX1a019v0kbIZT3g6YSoYT6nCRow9kCEQ0DGo=
>>>>> =wYHW
>>>>> -----END PGP SIGNATURE-----
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ssilvert at redhat.com Wed Feb 4 08:11:22 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 04 Feb 2015 08:11:22 -0500
Subject: [keycloak-user] Best practices for building appliances
In-Reply-To: <54D21409.3070700@redhat.com>
References: <54CF6D03.3090909@kroehling.de> <1987117506.5580740.1422888149435.JavaMail.zimbra@redhat.com> <8D234C43-18AB-42E3-ACBD-C7929D618937@redhat.com> <2040842626.5620071.1422890338621.JavaMail.zimbra@redhat.com> <54D1D909.4000806@redhat.com> <54D21409.3070700@redhat.com>
Message-ID: <54D21A7A.4060709@redhat.com>

On 2/4/2015 7:43 AM, Stan Silvert wrote:
> On 2/4/2015 3:32 AM, Marek Posolda wrote:
>> My take is to be ideally as much independent on Wildfly as possible.
>> Each dependent feature might cause issues with portability and migration.
>>
>> For example if we tightly integrate with Wildfly CLI and Wildfly 10
>> would come with "New uber-cool CLI v 1.0", which won't be compatible
>> with previous CLI, we would need to rewrite our CLI operations or
>> provide abstraction/SPI to be able to run on all of Wildfly 8,9,10.
> Very, very, very unlikely. The whole EAP customer base would revolt.
> DMR/CLI was written for extreme backward compatibility.
BTW, this is one of the reasons that DMR is appealing. The EAP team has used its years of experience to think through all of these issues and design for them. The downside is that it's also one of the reasons that building a subsystem can be rather complicated. But in return for complexity up front, you also get things like scripting, help text system, i18n/l10n of help text, unified model between CLI and consoles, a service model, expression resolution, "restart required" notification, config file history, and much more.

Also don't forget the advantages of using DMR across middleware products. Developers and admins can control Keycloak and other middleware products inside the same script using the same server connection. And they can do this with one script that controls an entire domain. We'll never have time to build out the infrastructure needed to address all of these features and use cases.
>
> Even when something changes for a subsystem in standalone.xml the parser
> can still read old standalone.xml files and act accordingly.
>
> We are allowed to break backward compatibility in major versions, but I
> don't think we've done that since JBoss AS 7.
>> It looks to me that earlier or later, we would need to provide
>> auth-server WAR, which will run on Jetty, Tomcat etc. Currently it's not
>> hard to have auth-server running on those (as recently proven by
>> coolmind182006 and his blogpost). Would be nice to keep it like that.
>>
>> Marek
>>
>> On 2.2.2015 16:18, Stian Thorgersen wrote:
>>> ----- Original Message -----
>>>> From: "Bob McWhirter"
>>>> To: keycloak-user at lists.jboss.org
>>>> Sent: Monday, 2 February, 2015 3:56:00 PM
>>>> Subject: Re: [keycloak-user] Best practices for building appliances
>>>>
>>>> fwiw…
>>>>
>>>> As a user, I enjoyed the -appliance download, but also wonder why it needs to
>>>> be based upon Wildfly, instead of maybe a smaller -appliance download based
>>>> upon just Undertow?
>>> As a user, would that be mainly the size of the download, or are there any other issues?
>>>
>>> Currently we depend on WildFly for SSL, datasources, Infinispan caches, startup script. We're discussing/considering tighter integration with WildFly in the future as there are more features we're adding which are dependent on the container such as client cert authentication, modules (classloader isolation for custom code), JEE support for providers, etc.. We may even go as far as using WildFly CLI and standalone/domain.xml....
>>>
>>> We are considering a slimmed-down version of Keycloak to embed into other JBoss projects, but this will not be targeted at end-users.
>>>
>>>> -Bob
>>>>
>>>>
>>>> On Feb 2, 2015, at 9:42 AM, Stian Thorgersen wrote:
>>>>
>>>>> This is something that we need to figure out and find a proper solution
>>>>> for. It should be very easy for any JBoss project/product to both embed
>>>>> Keycloak and to use a centralized Keycloak for SSO.
>>>>>
>>>>> There are quite a few issues that need resolving to achieve this properly:
>>>>>
>>>>> * Do we support embedding Keycloak in other containers than WildFly/EAP?
>>>>> * Do we provide a slimmed down version of Keycloak for embedding? An
>>>>> embedded Keycloak should be for securing the project's console in a simple
>>>>> deployment, not for a SSO solution.
>>>>> * How do we handle bootstrapping? Applications need to configure
>>>>> themselves, including realm keys and application secrets. What happens if
>>>>> realm keys, application urls, etc change.
>>>>> * How do we provide a simple mechanism to link to a centralized Keycloak
>>>>> server
>>>>> * How do we make sure multiple projects can share the same Keycloak realm?
>>>>> Roles for example is a problem here if multiple projects use realm level
>>>>> roles (Keycloak itself does!)
>>>>> * How to enable SSL for a project? Keycloak is not secure without SSL!
>>>>> That's one of the downsides to bearer auth.
>>>>>
>>>>> Those issues (and probably a whole bunch more) should all be solved
>>>>> consistently for all JBoss projects.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Juraci Paixão Kröhling"
>>>>>> To: keycloak-user at lists.jboss.org
>>>>>> Sent: Monday, 2 February, 2015 1:26:43 PM
>>>>>> Subject: [keycloak-user] Best practices for building appliances
>>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> All,
>>>>>>
>>>>>> In our project, we plan to have a distribution where we ship our
>>>>>> application with a Wildfly bundled, a la Keycloak Appliance.
>>>>>>
>>>>>> My main concern is shipping our distribution with a default pair of
>>>>>> realm keys or with a pre-filled database. I know it's possible to
>>>>>> import a realm on the first boot and KC will generate the required
>>>>>> keys if they are missing from the imported JSON template, but as we
>>>>>> are shipping our own WAR, we would need to get the public key into our
>>>>>> application's keycloak.json (or subsystem) before it gets deployed.
>>>>>>
>>>>>> I wonder if this is a common situation and what would be the best
>>>>>> practices for such case. I think Stian mentioned before that a future
>>>>>> version of KC would allow auto registration of applications, but until
>>>>>> that is available, I'd be interested in hearing your experiences about it.
>>>>>>
>>>>>> Another situation is for a contributor of the project or for users who
>>>>>> would want to build from the source: what would be the best practice
>>>>>> for generating new keys at each build? If there's no easy solution for
>>>>>> that now, I'd be interested in building a "keycloak-cli" utility that
>>>>>> would generate realm and application JSON files, possibly with a Maven
>>>>>> plugin wrapper to make it easier to consume from maven projects. Would
>>>>>> something like that be interesting for the project?
>>>>>>
>>>>>> Best,
>>>>>> Juca.
>>>>>>
>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>> Version: GnuPG v1
>>>>>>
>>>>>> iQEcBAEBAgAGBQJUz20DAAoJEDnJtskdmzLMbUYH/A0bclPFHI5FhL85lAXUrJ+a
>>>>>> DT0PLdm9nMSzCJS23Auey4XSfk3YMxaGqve0yiEAstkfkro4AsPsvmQz1H/zyyUX
>>>>>> csZduMlo8zzXox1n0uK8Mz95dnikSMD4MzAqXM3g8l3a7ORiw25Gg51REBMOJPUL
>>>>>> YzX0qRQlEq+MDCJw/L0G5KUZWqmrCYy5GpJ8e3wibK/MzPg/vhs7KLgxr0jh8Eee
>>>>>> gjlG/H4K37crDZrRE2ILGi7xV6GZYTw6AKgm03QFqt0/9HluJFcU9vPUs4JWMKfu
>>>>>> O7Nf4qQ7OJWnVijepQ1Jdcg7uRnX1a019v0kbIZT3g6YSoYT6nCRow9kCEQ0DGo=
>>>>>> =wYHW
>>>>>> -----END PGP SIGNATURE-----
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From panulab at gmail.com Wed Feb 4 10:46:03 2015
From: panulab at gmail.com (Pablo N)
Date: Wed, 4 Feb 2015 16:46:03 +0100
Subject: [keycloak-user] Fwd: ClassNotFoundException: org.xnio.OptionMap
In-Reply-To:
References:
Message-ID:

Hello,

I was running my web application in Wildfly 8.2 and Keycloak 1.0.4.Final and everything worked as expected. After updating Keycloak to version 1.1.0.Final (also wildfly adapter version) I get the following error when I try to access my application:

08:32:41,271 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /gui/main/home: java.lang.NoClassDefFoundError: org/xnio/OptionMap
        at org.keycloak.adapters.undertow.SavedRequest.trySaveRequest(SavedRequest.java:49) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final]
        at org.keycloak.adapters.undertow.ServletSessionTokenStore.saveRequest(ServletSessionTokenStore.java:111) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final]
        at org.keycloak.adapters.OAuthRequestAuthenticator$2.challenge(OAuthRequestAuthenticator.java:182) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final]
        at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.sendChallenge(AbstractUndertowKeycloakAuthMech.java:68) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:330) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:349) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.impl.SecurityContextImpl$ChallengeSender.access$300(SecurityContextImpl.java:314) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.impl.SecurityContextImpl.sendChallenges(SecurityContextImpl.java:135) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:109) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:114) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final]
        at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]
Caused by: java.lang.ClassNotFoundException: org.xnio.OptionMap from [Module "deployment.gui-web-0.14.0-SNAPSHOT.war:main" from Service Module Loader]
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final]
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final]
        ... 36 more

As I can see this error was discovered and solved (https://issues.jboss.org/browse/KEYCLOAK-899) so I don't know if any migration change is pending from my side.

Thank you very much for your help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150204/68903cdc/attachment.html

From gerbermichi at me.com Wed Feb 4 11:28:12 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Wed, 04 Feb 2015 16:28:12 +0000 (GMT)
Subject: [keycloak-user] Re: ClassNotFoundException: org.xnio.OptionMap
Message-ID: <4eadc436-d543-4609-b3ba-c6a9d1653b57@me.com>

Hi,

I had once a similar issue... Have a look at the module.xml file in:
modules\system\layers\base\org\keycloak\keycloak-undertow-adapter\main

Is the module org.jboss.xnio listed in the dependencies section?

Best
Michael

On 04 February 2015 at 16:47, Pablo N wrote:

Hello,

I was running my web application in Wildfly 8.2 and Keycloak 1.0.4.Final and everything worked as expected.
After updating Keycloak to version 1.1.0.Final (also wildfly adapter version) I get the following error when I try to access my application: 08:32:41,271 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /gui/main/home: java.lang.NoClassDefFoundError: org/xnio/OptionMap at org.keycloak.adapters.undertow.SavedRequest.trySaveRequest(SavedRequest.java:49) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.adapters.undertow.ServletSessionTokenStore.saveRequest(ServletSessionTokenStore.java:111) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator$2.challenge(OAuthRequestAuthenticator.java:182) [keycloak-adapter-core-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.sendChallenge(AbstractUndertowKeycloakAuthMech.java:68) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Final] [...] Caused by: java.lang.ClassNotFoundException: org.xnio.OptionMap from [Module "deployment.gui-web-0.14.0-SNAPSHOT.war:main" from Service Module Loader] [...] ... 36 more As I can see this error was discovered and solved (https://issues.jboss.org/browse/KEYCLOAK-899) so I don't know if any migration change is pending from my side. Thank you very much for your help From panulab at gmail.com Thu Feb 5 03:18:16 2015 From: panulab at gmail.com (Pablo N) Date: Thu, 5 Feb 2015 09:18:16 +0100 Subject: [keycloak-user] ClassNotFoundException: org.xnio.OptionMap Message-ID: I checked what you commented and this dependency is there: 2015-02-04 17:28 GMT+01:00 Michael Gerber : > Hi, > > I had once a similar issue...
> > Have a look at the module.xml file in: > modules\system\layers\base\org\keycloak\keycloak-undertow-adapter\main > > Is the module org.jboss.xnio listed in the dependencies section? > > Best > Michael > > On 04 February 2015 at 16:47, Pablo N wrote: > > > Hello, > > I was running my web application in Wildfly 8.2 and Keycloak 1.0.4.Final > and everything worked as expected. > > After updating Keycloak to version 1.1.0.Final (also wildfly adapter > version) I get the following error when I try to access my application: > > 08:32:41,271 ERROR [io.undertow.request] (default task-11) UT005023: > Exception handling request to /gui/main/home: java.lang.NoClassDefFoundError: org/xnio/OptionMap > [...] > Caused by: java.lang.ClassNotFoundException: org.xnio.OptionMap from > [Module "deployment.gui-web-0.14.0-SNAPSHOT.war:main" from Service Module Loader] > [...] > ... 36 more > > As I can see this error was discovered and solved ( > https://issues.jboss.org/browse/KEYCLOAK-899) so I don't know if any > migration change is pending from my side. > > Thank you very much for your help > > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150205/127b75a9/attachment.html From bburke at redhat.com Thu Feb 5 08:02:01 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 05 Feb 2015 08:02:01 -0500 Subject: [keycloak-user] ClassNotFoundException: org.xnio.OptionMap In-Reply-To: References: Message-ID: <54D369C9.5040306@redhat.com> How to reproduce? A regular GET request? On 2/5/2015 3:18 AM, Pablo N wrote: > > I checked what you commented and this dependency is there: > > name="org.keycloak.keycloak-undertow-adapter"> > > [...] > > 2015-02-04 17:28 GMT+01:00 Michael Gerber >: > > Hi, > > I had once a similar issue... > > Have a look at the module.xml file in: > modules\system\layers\base\org\keycloak\keycloak-undertow-adapter\main > > Is the module org.jboss.xnio listed in the dependencies section? > > Best > Michael > > On 04 February 2015 at 16:47, Pablo N wrote: > >> >> Hello, >> >> I was running my web application in Wildfly 8.2 and Keycloak >> 1.0.4.Final and everything worked as expected. >> >> After updating Keycloak to version 1.1.0.Final (also wildfly >> adapter version) I get the following error when I try to access my >> application: >> >> 08:32:41,271 ERROR [io.undertow.request] (default task-11) >> UT005023: Exception handling request to /gui/main/home: >> java.lang.NoClassDefFoundError: org/xnio/OptionMap >> [...] >> Caused by: java.lang.ClassNotFoundException: org.xnio.OptionMap >> from [Module "deployment.gui-web-0.14.0-SNAPSHOT.war:main" from >> Service Module Loader] >> [...] >> ... 36 more >> >> As I can see this error was discovered and solved >> (https://issues.jboss.org/browse/KEYCLOAK-899) so I don't know if >> any migration change is pending from my side. >> >> Thank you very much for your help >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Fri Feb 6 06:26:42 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 06 Feb 2015 12:26:42 +0100 Subject: [keycloak-user] Possibility to get the keycloak session timeout value per Java-Script In-Reply-To: <9656B9D10BC6124A88D5E27DD02422855BC48120@EX-TT-AC-01.traveltainment.int> References: <9656B9D10BC6124A88D5E27DD02422855BC4783E@EX-TT-AC-01.traveltainment.int>, <54CFF6A8.4020607@redhat.com> <9656B9D10BC6124A88D5E27DD02422855BC48120@EX-TT-AC-01.traveltainment.int> Message-ID: <54D4A4F2.903@redhat.com> We have 2 timeouts related to session:
- Idle timeout: it's 30 minutes by default. It is refreshed after each token refresh or successful SSO login. In other words, in your Javascript application, you need to perform token refresh at least once per 30 minutes. The timeout is available on refreshToken and can be checked in your JS application by "keycloak.refreshTokenParsed.exp"
- Max session lifespan: It's 10 hours by default. This is really the maximum timeout of each session from login time. Even if you refresh your token every 30 minutes, after 10 hours the session will be expired and your user would really need to get redirected to the KC login screen and re-authenticate. This is not available in the JS app afaik, but people still need to re-authenticate after this time, so I think it's not an issue.
All timeouts are configurable.
See http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/timeouts.html Marek On 3.2.2015 10:59, Christoph Machnik wrote: > Hi, > thanks for the answer, but I want to know the value of the session > timeout (red) and the "isTokenExpired(X)" is for the accessToken value > (blue). > > > > Is there a possibility to get this value (red) in Java Script ? > > ------------------------------------------------------------------------ > *From:* Marek Posolda [mposolda at redhat.com] > *Sent:* Monday, 2 February 2015 23:14 > *To:* Christoph Machnik; keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Possibility to get the keycloak session > timeout value per Java-Script > > Hi, > > on keycloak.js there is function "isTokenExpired()" which can be used > to check if token is expired. You can also give it an argument like > "isTokenExpired(10)", which will return true if token is expired *or* > is going to expire in next 10 seconds. Some more info in the docs: > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter > > Marek > > On 2.2.2015 13:09, Christoph Machnik wrote: >> Hi, >> >> I want to show an info, before the session runs into a timeout, so that >> the user can react and not be logged out. For this I need to read the >> session timeout that is configured in the keycloak admin console. Is >> there a possibility to get the timeout value in javascript ? >> > -------------- next part -------------- An HTML attachment was scrubbed...
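The two timeouts Marek describes, as an added example (not code from this thread or from the Keycloak project) of what Christoph asked for: a JavaScript session-expiry check that reads the idle timeout from keycloak.refreshTokenParsed.exp and mirrors isTokenExpired(N) for the access token. The keycloak object, the unsigned tokens and the epoch values are constructed stand-ins for what keycloak.js populates after login; fakeKeycloakFromTokens is a hypothetical helper, not a keycloak.js API.

```javascript
'use strict';

// Decode a JWT payload WITHOUT verifying the signature. Reading "exp" this way
// is fine for a "your session is about to expire" hint in the UI; it must never
// be used for an access-control decision, which the REST endpoint makes after
// validating the token.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return JSON.parse(Buffer.from(b64 + pad, 'base64').toString('utf8'));
}

// Constructed sample input: an unsigned token with the given claims. Real
// Keycloak tokens are signed with the realm key; only the payload shape matters here.
function makeUnsignedJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'none' }) + '.' + enc(claims) + '.';
}

// Hypothetical stand-in for the object keycloak.js exposes after login /
// updateToken(): tokenParsed and refreshTokenParsed are the decoded payloads.
function fakeKeycloakFromTokens(accessToken, refreshToken) {
  return {
    token: accessToken,
    tokenParsed: decodeJwtPayload(accessToken),
    refreshToken: refreshToken,
    refreshTokenParsed: decodeJwtPayload(refreshToken),
  };
}

// Seconds until the SSO idle timeout, i.e. until the refresh token expires
// (keycloak.refreshTokenParsed.exp). Returns null when there is no refresh token.
function secondsUntilIdleTimeout(keycloak, nowSeconds) {
  const parsed = keycloak.refreshTokenParsed;
  if (!parsed || typeof parsed.exp !== 'number') return null;
  const now = nowSeconds === undefined ? Math.floor(Date.now() / 1000) : nowSeconds;
  return parsed.exp - now;
}

// Classify the session for the UI. warnBefore is how many seconds before the
// idle timeout the warning should appear.
function sessionStatus(keycloak, warnBefore, nowSeconds) {
  const left = secondsUntilIdleTimeout(keycloak, nowSeconds);
  if (left === null) return { state: 'no-session', secondsLeft: null };
  if (left <= 0) return { state: 'expired', secondsLeft: 0 };
  if (left <= warnBefore) return { state: 'warn', secondsLeft: left };
  return { state: 'ok', secondsLeft: left };
}

// One tick of a polling timer, returned as a list of actions so the logic can
// be tested without a browser. The access-token check mirrors
// keycloak.isTokenExpired(minValidity); a real loop would call
// keycloak.updateToken(minValidity) for 'refresh-access-token' (each refresh
// also renews the idle timeout, as Marek notes) and keycloak.login() for
// 'redirect-to-login'. The max session lifespan is not visible to the client,
// so a refresh failing after it elapses is handled by the redirect path.
function decideActions(keycloak, nowSeconds, opts) {
  const actions = [];
  const accessExp = keycloak.tokenParsed && keycloak.tokenParsed.exp;
  if (typeof accessExp === 'number' && accessExp - nowSeconds <= opts.minValidity) {
    actions.push('refresh-access-token');
  }
  const status = sessionStatus(keycloak, opts.warnBefore, nowSeconds);
  if (status.state === 'warn') actions.push('show-idle-warning');
  if (status.state === 'expired') actions.push('redirect-to-login');
  return { status, actions };
}

// Demo with constructed tokens: 1 minute access token, 30 minute idle timeout.
if (typeof require !== 'undefined' && require.main === module) {
  const now = 1423224000; // constructed epoch value
  const kc = fakeKeycloakFromTokens(
    makeUnsignedJwt({ exp: now + 60, typ: 'Bearer' }),
    makeUnsignedJwt({ exp: now + 1800, typ: 'Refresh' }));
  for (const t of [0, 45, 1700, 1800]) {
    const r = decideActions(kc, now + t, { minValidity: 30, warnBefore: 120 });
    console.log(`t+${t}s`, JSON.stringify(r));
  }
}
```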
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150206/f04c9f46/attachment.html From sahilsachdeva at gmail.com Fri Feb 6 07:22:17 2015 From: sahilsachdeva at gmail.com (Sahil Sachdeva) Date: Fri, 6 Feb 2015 13:22:17 +0100 Subject: [keycloak-user] Two-way SSL via Undertow in keycloak-appliance-dist-all-1.1.0.Final Message-ID: Hello Everybody, I am new to keycloak and playing around a little. I have a small REST service I have deployed in the keycloak server and am trying to secure it. This is how far I have gotten: 1) I got the basic auth running. 2) I was able to force SSL all through, using a truststore in the adapter and the necessary settings in standalone.xml. To take a step further I added: to the security-realm which I used in step 2 to enable SSL, and added the truststore to the required directory. However, this broke the application partly. I can reach the master-realm login and admin console. When I go to the URL of the REST service I am redirected to the login page of my application realm. But after successfully logging in, I get a 403 forbidden and "SSLPeerUnverifiedException: peer not authenticated" error in the logs. Does anyone have an idea why? The only thing that changed from one-way SSL to two-way SSL is the undertow configuration, why does it disturb the adapter? Best, Sahil -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150206/7e8c25a1/attachment.html From bburke at redhat.com Fri Feb 6 10:19:16 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 06 Feb 2015 10:19:16 -0500 Subject: [keycloak-user] Keycloak Adapters In-Reply-To: <1284680768.5218380.1422864997735.JavaMail.zimbra@redhat.com> References: <1724654062.218718.1422756345516.JavaMail.yahoo@mail.yahoo.com> <1284680768.5218380.1422864997735.JavaMail.zimbra@redhat.com> Message-ID: <54D4DB74.60905@redhat.com> JASPIC would sort of work... unfortunately each vendor implements it slightly differently, so we'd end up having multiple adapters anyway. On 2/2/2015 3:16 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Raghu Prabhala" >> To: "Keycloak-user" >> Sent: Sunday, 1 February, 2015 3:05:45 AM >> Subject: [keycloak-user] Keycloak Adapters >> >> Dev team - A philosophical question about the adapters. Rather than building >> so many adapters for different Java Web containers including different >> versions, would it make sense to build a single Servlet Filter that would >> take care of all those cases and even other containers from Oracle/IBM etc? > > Ideally yes, but technically it's not possible as there's no standard way to deal with a lot of things, for example propagating the security context to the EJB layer.
> >> >> Raghu >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Feb 6 10:21:37 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 06 Feb 2015 10:21:37 -0500 Subject: [keycloak-user] Keycloak 1.1.0.Final Released In-Reply-To: <842A02C9-385A-493B-A740-7607E3E798DA@yahoo.com> References: <808566761.3720687.1422601858175.JavaMail.zimbra@redhat.com> <974226441.1786830.1422625454868.JavaMail.yahoo@mail.yahoo.com> <1778785947.4002515.1422626472860.JavaMail.zimbra@redhat.com> <842A02C9-385A-493B-A740-7607E3E798DA@yahoo.com> Message-ID: <54D4DC01.50401@redhat.com> Keycloak won't be a kerberos server any time soon, if ever. We are creating a SAML/OIDC to kerberos bridge though. On 1/30/2015 10:52 AM, Raghu Prabhala wrote: > Unfortunately yes. Kerberos is deeply ingrained in most internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos. > > If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control (need http request) immediately by Keycloak; perhaps I can handle both authentication with keytabs (for system accts) as well as SPNEGO for users. > > Sent from my iPhone > >> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen wrote: >> >> >> >> ----- Original Message ----- >>> From: "Raghu Prabhala" >>> To: "Stian Thorgersen" >>> Cc: "keycloak dev" , "keycloak-user" >>> Sent: Friday, 30 January, 2015 2:44:14 PM >>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released >>> >>> Great. Looking forward to the 1.2 Beta version.
>>> Regarding the system account support, from my perspective, it is very >>> important because we have thousands of applications that interact with each >>> other using system accounts (authentication with Kerberos with keytabs) and >>> till we have that functionality, we will not be able to consider Keycloak as >>> a SSO solution even though it is coming out to be a good product. The sooner >>> we have it, the better. Hopefully, even other users will pitch in to request >>> that functionality so that you can bump it up in your priority list. >>> Thanks once again.Raghu >> >> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws. >> >>> From: Stian Thorgersen >>> To: Raghu Prabhala >>> Cc: keycloak dev ; keycloak-user >>> >>> Sent: Friday, January 30, 2015 2:10 AM >>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released >>> >>> >>> >>> ----- Original Message ----- >>>> From: "Raghu Prabhala" >>>> To: "Stian Thorgersen" >>>> Cc: "keycloak dev" , "keycloak-user" >>>> >>>> Sent: Thursday, January 29, 2015 6:44:11 PM >>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released >>>> >>>> Congrats Keycloak team. A great deal of features in this release - really >>>> like SAML and clustering. >>>> >>>> But what I am really looking for is the next release as we need all the >>>> features you listed -any tentative dates for the beta version? >>> >>> We might do a beta soon, but that'll only include identity brokering. The >>> other features will be at least a month away. >>> >>>> >>>> The functionality provided so far seems to be targeted toward users >>>> accounts. >>>> When can we expect support for System accounts (with diff auth mechanisms >>>> like certificates, Kerberos etc? >>> >>> Some time this year we aim to have system accounts with certificates, it'll >>> depend on priorities. 
>>> We don't have any plans to support Kerberos authentication with system accounts, but maybe that makes sense to add as well.
>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
>>>>>
>>>>> The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final. Highlights in this release include:
>>>>>
>>>>> * SAML 2.0
>>>>> * Clustering
>>>>> * Jetty, Tomcat and Fuse adapters
>>>>> * HTTP Security Proxy
>>>>> * Automatic migration of db schema
>>>>>
>>>>> We've already started working on features for the next release. Some exciting features coming soon include:
>>>>>
>>>>> * Identity brokering
>>>>> * Custom user profiles
>>>>> * Kerberos
>>>>> * OpenID Connect interop
>>>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jacob.donofrio at gmail.com Fri Feb 6 14:42:34 2015
From: jacob.donofrio at gmail.com (Jacob D'Onofrio)
Date: Fri, 6 Feb 2015 14:42:34 -0500
Subject: [keycloak-user] AssertionConsumerServiceURL Requirement in AuthnRequest
Message-ID:

Hi,

I am experimenting with using keycloak (1.1.0.Final) running on wildfly 8.2.0.Final as an IDP for a service which is running on WebLogic 10.3.6.
When WebLogic sends the request to keycloak, I get a NullPointerException like so:

Caused by: java.lang.NullPointerException
    at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:195) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:175) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:320) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:413) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
    ... 39 more

I truncated the stack trace a bit.
Looks like the method loginRequest of SamlService.BindingProtocol expects that the AuthNRequest token specifies an AssertionConsumerServiceURL attribute, which WebLogic is not setting; however, the SAML documentation states that the attribute is optional.

I wanted to check here before I posted a JIRA issue whether this is a bug or intended behavior.

Thanks,
Jacob

From christoph.machnik at traveltainment.de Mon Feb 9 04:58:14 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Mon, 9 Feb 2015 09:58:14 +0000
Subject: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC49BFF@EX-TT-AC-01.traveltainment.int>

Hi all,

I have an html frontend and I want to show the login page from keycloak as a part of this frontend and not redirect to the login page. Is there a possibility to do this? My first thought was an iframe, but what is the src for this?
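Jacob's report above (the WebLogic AuthnRequest carries no AssertionConsumerServiceURL and Keycloak 1.1.0.Final dereferences it) and Bill's KEYCLOAK-1034 change later in this thread (register the ACS URL per client in the admin console) describe the two halves of the same IdP-side rule, so here is a worked example of it. This is an added example, not Keycloak's code and not from any poster: it parses a samlp:AuthnRequest, identifies the client by its Issuer, uses the registered ACS URL when the optional attribute is absent, and accepts a request-supplied URL only when it matches a registered one, because an assertion posted to whatever URL the request names would land on an endpoint the IdP never vetted. The REGISTERED_CLIENTS registry and its ACS URL are constructed placeholders (the thread never shows WebLogic's ACS endpoint); the Issuer, Destination, ID and IssueInstant in the sample request are the values visible in Jacob's message, and the ds:Signature element of the real request is left out, so signature verification is assumed to have happened before this code runs.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical per-client registry keyed by the SP's Issuer (entity ID), standing in
# for what an admin would register after KEYCLOAK-1034. The Issuer is the one WebLogic
# sent in the thread; the ACS URL is a constructed placeholder, never shown on the list.
REGISTERED_CLIENTS = {
    "http://clokpsbmw01:7001/saml2": {
        "acs_urls": ["http://clokpsbmw01:7001/saml2/sp/acs/post"],
    },
}


def parse_authn_request(xml_text):
    """Extract what the IdP needs from a samlp:AuthnRequest; raise ValueError if unusable.

    Signature verification (the ds:Signature child of the real request) must succeed
    before any attribute read here is trusted; it is deliberately out of scope.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("root element is not samlp:AuthnRequest")
    issuer_el = root.find("{%s}Issuer" % SAML_NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        raise ValueError("AuthnRequest has no Issuer, so the client cannot be identified")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        # Optional in SAML 2.0 Core: None when the SP (WebLogic here) leaves it out.
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def resolve_acs_url(request, registry=REGISTERED_CLIENTS):
    """Pick the URL the Response may be posted to from registration, never from the wire alone."""
    client = registry.get(request["issuer"])
    if client is None:
        raise ValueError("unknown client: " + request["issuer"])
    requested = request["acs_url"]
    if requested is None:
        return client["acs_urls"][0]  # attribute absent: registered default
    if requested not in client["acs_urls"]:
        # Refuse rather than honour it: otherwise the assertion would be delivered to
        # whatever endpoint the request named, registered or not.
        raise ValueError("AssertionConsumerServiceURL is not registered for " + request["issuer"])
    return requested


def admit(xml_text, registry=REGISTERED_CLIENTS):
    """Return a verdict dict instead of raising, the shape a request log wants."""
    try:
        request = parse_authn_request(xml_text)
        return {"accepted": True, "issuer": request["issuer"],
                "acs_url": resolve_acs_url(request, registry)}
    except (ET.ParseError, ValueError) as exc:
        return {"accepted": False, "reason": str(exc)}


# Constructed request modelled on the attributes visible in the thread; no signature.
WEBLOGIC_STYLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="http://clokpsbmw01:8080/auth/realms/dev/protocol/saml/"
    ForceAuthn="false" ID="_0xadc0f2f6b3f36e604d310d4209db5c31" IsPassive="false"
    IssueInstant="2015-02-06T17:13:31.151Z" Version="2.0">
  <saml:Issuer>http://clokpsbmw01:7001/saml2</saml:Issuer>
</samlp:AuthnRequest>"""

# The same request with the registered ACS URL spelled out, and with an unregistered one.
REGISTERED_ACS_REQUEST = WEBLOGIC_STYLE_REQUEST.replace(
    'Version="2.0">',
    'Version="2.0" AssertionConsumerServiceURL="http://clokpsbmw01:7001/saml2/sp/acs/post">')
UNREGISTERED_ACS_REQUEST = WEBLOGIC_STYLE_REQUEST.replace(
    'Version="2.0">',
    'Version="2.0" AssertionConsumerServiceURL="http://acs.example.invalid/post">')

if __name__ == "__main__":
    for label, req in (("omitted", WEBLOGIC_STYLE_REQUEST),
                       ("registered", REGISTERED_ACS_REQUEST),
                       ("unregistered", UNREGISTERED_ACS_REQUEST)):
        print(label, admit(req))
```

The three sample requests exercise the three outcomes: an omitted attribute resolves to the registered default (the WebLogic case), a matching attribute is accepted as sent, and an unregistered one is refused with a reason suitable for an audit log. Matching is exact string comparison on purpose; prefix or host-only matching would reopen the redirection the registry exists to prevent.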
From daduev.ad at gmail.com Mon Feb 9 07:27:55 2015
From: daduev.ad at gmail.com (Adam Daduev)
Date: Mon, 9 Feb 2015 14:27:55 +0200
Subject: [keycloak-user] Ldap User Federation Providers
Message-ID:

Hi!

I'm new to Keycloak. I use ldap as user federation provider; all works fine, but my ldap stores user info such as phone number, department and so on, and when I add a user from ldap to the keycloak database, keycloak copies username, mail and nothing more. Can I copy other info or override the keycloak principal?

I think Keycloak is a great thing and has a good future.

Thanks.

From prabhalar at yahoo.com Mon Feb 9 08:13:19 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Mon, 9 Feb 2015 13:13:19 +0000 (UTC)
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To: <54D4DC01.50401@redhat.com>
References: <54D4DC01.50401@redhat.com>
Message-ID: <1030125401.1143228.1423487599084.JavaMail.yahoo@mail.yahoo.com>

I think that would satisfy my requirements - but not sure until I see that bridge along with the Identity broker functionality in the next beta release - eagerly waiting for it.

From: Bill Burke
To: keycloak-user at lists.jboss.org
Sent: Friday, February 6, 2015 10:21 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released

Keycloak won't be a Kerberos server any time soon, if ever. We are creating a SAML/OIDC to Kerberos bridge though.

On 1/30/2015 10:52 AM, Raghu Prabhala wrote:
> Unfortunately yes. Kerberos is deeply ingrained in most of our internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos.
>
> If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control (need http request) immediately by Keycloak; perhaps I can handle both authentication with keytabs (for system accts) as well as SPNEGO for users.
>
> Sent from my iPhone
>
>> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Raghu Prabhala"
>>> To: "Stian Thorgersen"
>>> Cc: "keycloak dev" , "keycloak-user"
>>> Sent: Friday, 30 January, 2015 2:44:14 PM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> Great. Looking forward to the 1.2 Beta version.
>>> Regarding the system account support, from my perspective, it is very important because we have thousands of applications that interact with each other using system accounts (authentication with Kerberos with keytabs) and till we have that functionality, we will not be able to consider Keycloak as a SSO solution even though it is coming out to be a good product. The sooner we have it, the better. Hopefully, even other users will pitch in to request that functionality so that you can bump it up in your priority list.
>>> Thanks once again.
>>> Raghu
>>
>> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.
>>
>>> From: Stian Thorgersen
>>> To: Raghu Prabhala
>>> Cc: keycloak dev ; keycloak-user
>>> Sent: Friday, January 30, 2015 2:10 AM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> ----- Original Message -----
>>>> From: "Raghu Prabhala"
>>>> To: "Stian Thorgersen"
>>>> Cc: "keycloak dev" , "keycloak-user"
>>>> Sent: Thursday, January 29, 2015 6:44:11 PM
>>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>>
>>>> Congrats Keycloak team. A great deal of features in this release - really like SAML and clustering.
>>>>
>>>> But what I am really looking for is the next release as we need all the features you listed - any tentative dates for the beta version?
>>>
>>> We might do a beta soon, but that'll only include identity brokering. The other features will be at least a month away.
>>>
>>>> The functionality provided so far seems to be targeted toward user accounts. When can we expect support for System accounts (with diff auth mechanisms like certificates, Kerberos etc)?
>>>
>>> Some time this year we aim to have system accounts with certificates, it'll depend on priorities. We don't have any plans to support Kerberos authentication with system accounts, but maybe that makes sense to add as well.
>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
>>>>>
>>>>> The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final. Highlights in this release include:
>>>>>
>>>>> * SAML 2.0
>>>>> * Clustering
>>>>> * Jetty, Tomcat and Fuse adapters
>>>>> * HTTP Security Proxy
>>>>> * Automatic migration of db schema
>>>>>
>>>>> We've already started working on features for the next release.
>>>>> Some exciting features coming soon include:
>>>>>
>>>>> * Identity brokering
>>>>> * Custom user profiles
>>>>> * Kerberos
>>>>> * OpenID Connect interop
>>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From mposolda at redhat.com Mon Feb 9 09:42:06 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 09 Feb 2015 15:42:06 +0100
Subject: [keycloak-user] Ldap User Federation Providers
In-Reply-To:
References:
Message-ID: <54D8C73E.7020408@redhat.com>

Hi,

This is on our roadmap for the next version; however, right now there is just username, firstName, lastName, email.

Marek

On 9.2.2015 13:27, Adam Daduev wrote:
> Hi!
>
> I'm new to Keycloak. I use ldap as user federation provider; all works fine, but my ldap stores user info such as phone number, department and so on, and when I add a user from ldap to the keycloak database, keycloak copies username, mail and nothing more. Can I copy other info or override the keycloak principal?
>
> I think Keycloak is a great thing and has a good future.
>
> Thanks.
From bburke at redhat.com Mon Feb 9 13:09:53 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 09 Feb 2015 13:09:53 -0500
Subject: [keycloak-user] AssertionConsumerServiceURL Requirement in AuthnRequest
In-Reply-To:
References:
Message-ID: <54D8F7F1.50403@redhat.com>

Post a JIRA, I'll fix it.

On 2/6/2015 2:42 PM, Jacob D'Onofrio wrote:
> Hi,
>
> I am experimenting with using keycloak (1.1.0.Final) running on wildfly 8.2.0.Final as an IDP for a service which is running on WebLogic 10.3.6. When WebLogic sends the request to keycloak, I get a NullPointerException like so:
>
> Caused by: java.lang.NullPointerException
> at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:195) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:175) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:320) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:413) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
> ... 39 more
>
> I truncated the stack trace a bit. Looks like the method loginRequest of SamlService.BindingProtocol expects that the AuthNRequest token specifies an AssertionConsumerServiceURL attribute, which WebLogic is not setting; however, the SAML documentation states that the attribute is optional.
>
> I wanted to check here before I posted a JIRA issue whether this is a bug or intended behavior.
>
> Thanks,
> Jacob
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Feb 9 13:10:56 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 09 Feb 2015 13:10:56 -0500
Subject: [keycloak-user] AssertionConsumerServiceURL Requirement in AuthnRequest
In-Reply-To:
References:
Message-ID: <54D8F830.8040206@redhat.com>

Actually, I'll need some way of identifying the client making the authn request. Can you post the SAML request perchance?
On 2/6/2015 2:42 PM, Jacob D'Onofrio wrote:
> Hi,
>
> I am experimenting with using keycloak (1.1.0.Final) running on wildfly 8.2.0.Final as an IDP for a service which is running on WebLogic 10.3.6. When WebLogic sends the request to keycloak, I get a NullPointerException like so:
>
> Caused by: java.lang.NullPointerException
> at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:195) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:175) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:320) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:413) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
> ... 39 more
>
> I truncated the stack trace a bit. Looks like the method loginRequest of SamlService.BindingProtocol expects that the AuthNRequest token specifies an AssertionConsumerServiceURL attribute, which WebLogic is not setting; however, the SAML documentation states that the attribute is optional.
>
> I wanted to check here before I posted a JIRA issue whether this is a bug or intended behavior.
>
> Thanks,
> Jacob
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jacob.donofrio at gmail.com Mon Feb 9 14:00:56 2015
From: jacob.donofrio at gmail.com (Jacob D'Onofrio)
Date: Mon, 9 Feb 2015 14:00:56 -0500
Subject: [keycloak-user] AssertionConsumerServiceURL Requirement in AuthnRequest
In-Reply-To: <54D8F830.8040206@redhat.com>
References: <54D8F830.8040206@redhat.com>
Message-ID:

Here is the AuthnRequest that was generated by WebLogic.

Do you still want me to create a JIRA?

http://clokpsbmw01:7001/saml2
AGcoZLrPSDr5TgULgb/AQdpGAofuP9YstgnYMryKams=
ROJaB9lwk5LiNfZMZmWrOrZmeXSZnjZiGwb9Q/ODzSscrs49ucJLhEzjzVXmr5jbLNg5UR5Pi1H+
N2hM/hZKEPpzxDtaR8RRzi8MYCiEwtqcbUD429txx0Sr1ZgPkhtw+KPsWAc5c17y8egzHCwe77DZ
CXDYzMtYlMui92kZ29Jj2QdgztSzxUNwHfOVGl6KAWu3NGlzobV+jbKtw20LOxAfpIW/e9hdwNAM
9OCwpKdcp6bvZrZ4GZZ/LXHJQzeZZtC3avwz4NHWX/9sOyYmspAVukTfCAyXeRxsbTgYX2vZKCOj
/a1ONd65CtgTCyE9tOzD7Ar1sWyp4FylrArABw==

On Mon, Feb 9, 2015 at 1:10 PM, Bill Burke wrote:
> Actually, I'll need some way of identifying the client making the authn request. Can you post the SAML request perchance?
>
> On 2/6/2015 2:42 PM, Jacob D'Onofrio wrote:
>> Hi,
>>
>> I am experimenting with using keycloak (1.1.0.Final) running on wildfly 8.2.0.Final as an IDP for a service which is running on WebLogic 10.3.6. When WebLogic sends the request to keycloak, I get a NullPointerException like so:
>>
>> Caused by: java.lang.NullPointerException
>> at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:195) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>> at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:175) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>> at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:320) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>> at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:413) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
>> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>> at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>> ... 39 more
>>
>> I truncated the stack trace a bit. Looks like the method loginRequest of SamlService.BindingProtocol expects that the AuthNRequest token specifies an AssertionConsumerServiceURL attribute, which WebLogic is not setting; however, the SAML documentation states that the attribute is optional.
>>
>> I wanted to check here before I posted a JIRA issue whether this is a bug or intended behavior.
>>
>> Thanks,
>> Jacob
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From Peng.Chen at halliburton.com Mon Feb 9 17:37:00 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Mon, 9 Feb 2015 22:37:00 +0000
Subject: [keycloak-user] does keycloak work with sharepoint 2010/2013
Message-ID:

Hi:

Does Keycloak support integration with Sharepoint? We want to configure the Sharepoint to use Keycloak as Identity Manager.

Thanks

Kevin

----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

From bburke at redhat.com Mon Feb 9 17:39:45 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 09 Feb 2015 17:39:45 -0500
Subject: [keycloak-user] does keycloak work with sharepoint 2010/2013
In-Reply-To:
References:
Message-ID: <54D93731.6060307@redhat.com>

No, we don't. But, I was told that Sharepoint can be secured via SAML? If so, it might be possible to integrate Sharepoint with Keycloak. Sharepoint is on the roadmap, but we're months away from having the time to do it. Now, if we could get somebody in the community to at least research what is needed.... ;)

On 2/9/2015 5:37 PM, Kevin Chen wrote:
> Hi:
>
> Does Keycloak support integration with Sharepoint? We want to configure the Sharepoint to use Keycloak as Identity Manager.
>
> Thanks
>
> Kevin
>
> ------------------------------------------------------------------------
> This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Feb 9 17:43:26 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 09 Feb 2015 17:43:26 -0500
Subject: [keycloak-user] AssertionConsumerServiceURL Requirement in AuthnRequest
In-Reply-To:
References: <54D8F830.8040206@redhat.com>
Message-ID: <54D9380E.1060709@redhat.com>

Ok, I'm working on it right now. I'll change it so that you can register the assertion consumer service url in the admin console.

https://issues.jboss.org/browse/KEYCLOAK-1034

On 2/9/2015 2:00 PM, Jacob D'Onofrio wrote:
> Here is the AuthnRequest that was generated by WebLogic.
>
> Do you still want me to create a JIRA?
>
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="http://clokpsbmw01:8080/auth/realms/dev/protocol/saml/"
> ForceAuthn="false"
> ID="_0xadc0f2f6b3f36e604d310d4209db5c31"
> IsPassive="false"
> IssueInstant="2015-02-06T17:13:31.151Z"
> Version="2.0">
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://clokpsbmw01:7001/saml2
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments">
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/>
> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> AGcoZLrPSDr5TgULgb/AQdpGAofuP9YstgnYMryKams=
> ROJaB9lwk5LiNfZMZmWrOrZmeXSZnjZiGwb9Q/ODzSscrs49ucJLhEzjzVXmr5jbLNg5UR5Pi1H+
> N2hM/hZKEPpzxDtaR8RRzi8MYCiEwtqcbUD429txx0Sr1ZgPkhtw+KPsWAc5c17y8egzHCwe77DZ
> CXDYzMtYlMui92kZ29Jj2QdgztSzxUNwHfOVGl6KAWu3NGlzobV+jbKtw20LOxAfpIW/e9hdwNAM
> 9OCwpKdcp6bvZrZ4GZZ/LXHJQzeZZtC3avwz4NHWX/9sOyYmspAVukTfCAyXeRxsbTgYX2vZKCOj
> /a1ONd65CtgTCyE9tOzD7Ar1sWyp4FylrArABw==
>
> On Mon, Feb 9, 2015 at 1:10 PM, Bill Burke wrote:
>> Actually, I'll need some way of identifying the client making the authn request. Can you post the SAML request perchance?
>>
>> On 2/6/2015 2:42 PM, Jacob D'Onofrio wrote:
>>> Hi,
>>>
>>> I am experimenting with using keycloak (1.1.0.Final) running on wildfly 8.2.0.Final as an IDP for a service which is running on WebLogic 10.3.6. When WebLogic sends the request to keycloak, I get a NullPointerException like so:
>>>
>>> Caused by: java.lang.NullPointerException
>>> at org.keycloak.protocol.saml.SamlService$BindingProtocol.loginRequest(SamlService.java:195) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>>> at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:175) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>>> at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:320) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>>> at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:413) [keycloak-saml-protocol-1.1.0.Final.jar:1.1.0.Final]
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
>>> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>> ... 39 more
>>>
>>> I truncated the stack trace a bit. Looks like the method loginRequest of SamlService.BindingProtocol expects that the AuthNRequest token specifies an AssertionConsumerServiceURL attribute, which WebLogic is not setting; however, the SAML documentation states that the attribute is optional.
>>>
>>> I wanted to check here before I posted a JIRA issue whether this is a bug or intended behavior.
>>>
>>> Thanks,
>>> Jacob
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From felipe.braun at intelbras.com.br Wed Feb 11 11:31:54 2015
From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja)
Date: Wed, 11 Feb 2015 14:31:54 -0200
Subject: [keycloak-user] Annoying refresh in 1.1.0 Final
Message-ID: <54DB83FA.7010701@intelbras.com.br>

Hello,

We're
testing Keycloak to use in some of our apps, specifically with SAML. But that's not the reason I'm reaching out to you :)

We were using 1.1.0.Beta2 so far, and when we started to create a REST client for the admin, we got some "Internal Server Error", but no log to help the dev. So, we upgraded to 1.1.0.Final (WAR dist) just now.

ANNOYING refresh after logging in to the admin, making it nearly impossible to configure the realm -- something like every 5 seconds. And when going to another configuration part (say, Applications), "*Error!* Not found" appears briefly in a red box at the top of the page, but it opens correctly.

Tried to see if it was some garbage from the previous WildFly install, so did a fresh install too, but nothing different. Also got the appliance dist, and got the same annoying refresh and "not found" error.

Has anyone seen this?

--
Felipe Braun Azambuja
DBA
Information and Communication Technology
(48) 3281 9577
felipe.braun at intelbras.com.br

This message, including its attachments, contains information protected by law, subject to privilege and/or confidentiality, and may not be retransmitted, filed, disclosed or copied without the sender's authorization. The sender uses e-mail in the course of his or her work or by reason of it, releasing this institution from any liability for improper use. If you have received this message by mistake, please inform the sender by replying to this e-mail immediately, and then delete it from your computer.

The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use.
If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

From prabhalar at yahoo.com Wed Feb 11 12:16:54 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Wed, 11 Feb 2015 12:16:54 -0500
Subject: [keycloak-user] Annoying refresh in 1.1.0 Final
In-Reply-To: <54DB83FA.7010701@intelbras.com.br>
References: <54DB83FA.7010701@intelbras.com.br>
Message-ID: <0AB464EE-881E-48E4-ADD0-D08867987C79@yahoo.com>

Clearing your browser cache will address the problem.

Sent from my iPhone

> On Feb 11, 2015, at 11:31 AM, Felipe Braun Azambuja wrote:
>
> Hello,
>
> We're testing Keycloak to use in some of our apps, specifically with
> SAML. But that's not what I'm reaching out to you about :)
>
> We were using 1.1.0.Beta2 so far, and when we started to create a REST
> client for the admin, we got some "Internal Server Error", but no log to
> help the dev. So, we upgraded to 1.1.0.Final (WAR dist) just now.
>
> ANNOYING refresh after logging in to the admin console, making it nearly
> impossible to configure the realm -- something like every 5 seconds. And
> when going to another configuration part (say, Applications), "*Error!*
> Not found" appears briefly in a red box at the top of the page, but the
> page opens correctly.
>
> Tried to see if it was some garbage from the previous WildFly install, so
> I did a fresh install too, but nothing different. Also got the appliance
> dist, and got the same annoying refresh and "not found" error.
>
>
> Has anyone seen this?
> --
> Felipe Braun Azambuja
> DBA
> Information and Communication Technology
> (48) 3281 9577
> felipe.braun at intelbras.com.br
From Peng.Chen at halliburton.com Thu Feb 12 15:24:10 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Thu, 12 Feb 2015 20:24:10 +0000
Subject: [keycloak-user] how to implement SSO among services with Keycloak

In our environment, we will have multiple JBoss instances that will host different services; they will use the same Keycloak server for authentication.

One of the requirements for us is that once a user is authenticated with one service, and if that service needs to invoke another service running in a different JBoss instance, the user should not be asked to log in again.

How can we obtain a new token and pass it to the next hop?

Thanks
Kevin

----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

From mashama at gmail.com Thu Feb 12 18:20:06 2015
From: mashama at gmail.com (Mashama McFarlane)
Date: Thu, 12 Feb 2015 18:20:06 -0500
Subject: [keycloak-user] Setting the default HTTP session timeout - HttpSession.html#setMaxInactiveInterval

I am using KeyCloak 1.1.0.Final on Wildfly 8.1. I am wondering if it is possible for the adapter to set the max inactive interval for the servlet container session. In my case I would like the servlet session timeout to be equal to the SSO session timeout externally managed and configured through KeyCloak. If it doesn't make sense for the adapter to do this, then how can I do it in my application logic?

From mposolda at redhat.com Fri Feb 13 05:21:52 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 13 Feb 2015 11:21:52 +0100
Subject: [keycloak-user] Setting the default HTTP session timeout - HttpSession.html#setMaxInactiveInterval
Message-ID: <54DDD040.7050602@redhat.com>

Hi,

Session timeout of HttpSession can be set in web.xml of your application by adding this:

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

AFAIK Wildfly and EAP6 have a session timeout of 30 minutes by default, which is the same as the default SSO Idle timeout in Keycloak.

Marek

On 13.2.2015 00:20, Mashama McFarlane wrote:
> I am using KeyCloak 1.1.0.Final on Wildfly 8.1. I am wondering if it
> is possible for the adapter to set the max inactive interval for
> the servlet container session. In my case I would like the servlet
> session timeout to be equal to the SSO session timeout externally
> managed and configured through KeyCloak.
> If it doesn't make sense for
> the adapter to do this, then how can I do it in my application logic?

From mposolda at redhat.com Fri Feb 13 05:33:29 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 13 Feb 2015 11:33:29 +0100
Subject: [keycloak-user] how to implement SSO among services with Keycloak
Message-ID: <54DDD2F9.7050903@redhat.com>

Keycloak can serve this use-case pretty well. Once you authenticate application1 with Keycloak, you will receive an accessToken for this application. This accessToken can then be used to invoke other HTTP services (like "application2") and retrieve data from them. You just need to send the obtained accessToken in the Authorization header in a format like "Authorization: Bearer your-token".

Also, if your application "application2" is used just as a "container of REST data" for other applications and is never accessed directly by a user from his browser, you can configure it as "bearer-only" in the Keycloak admin console and in the keycloak.json of this application.

We have examples exactly for this use case: "customer-service" uses the accessToken to invoke the bearer-only application "database-service" and obtain data from it. See the code here:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L56

Marek

On 12.2.2015 21:24, Kevin Chen wrote:
> In our environment, we will have multiple JBoss instances that will host different services; they will use the same Keycloak server for authentication.
>
> One of the requirements for us is that once a user is authenticated with one service, and if that service needs to invoke another service running in a different JBoss instance, the user should not be asked to log in again.
> How can we obtain a new token and pass it to the next hop?
>
> Thanks
> Kevin

From niko at n-k.de Fri Feb 13 05:41:11 2015
From: niko at n-k.de (Niko Köbler)
Date: Fri, 13 Feb 2015 11:41:11 +0100
Subject: [keycloak-user] Proxy users remain logged in when logged out in the backend
Message-ID: <1B0F4A45-3B9B-4E4A-9360-0974ABA2B3BB@n-k.de>

Hi,

I think there's a state problem when using applications behind a Keycloak Proxy solution.

This is our scenario:
An application is "secured" only behind a Keycloak proxy. In some of our use cases, the session will be killed/logged out in the backend before the (proxy cookie) timeout. As the proxy cookie is still set (and valid), the proxy assumes the user is still logged in and still injects the header fields. The proxy doesn't know that the user has been logged out.

We have now switched the "always-refresh-token" option to "true" in the proxy application configuration and it works as expected. But this will have an impact on performance and is not our preferred way of handling this issue.

Is there any other way of notifying the proxy of logged-out users?
Can we use the Admin URL for this? If yes, how?

Regards,
- Niko

From bburke at redhat.com Fri Feb 13 07:41:50 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 13 Feb 2015 07:41:50 -0500
Subject: [keycloak-user] how to implement SSO among services with Keycloak
In-Reply-To: <54DDD2F9.7050903@redhat.com>
References: <54DDD2F9.7050903@redhat.com>
Message-ID: <54DDF10E.2040108@redhat.com>

The demo app shows how this is done:

1. visit customer portal
2. customer portal initiates a login
3. customer portal receives a token
4. customer uses token to make secure REST invocation to another database service.

On 2/13/2015 5:33 AM, Marek Posolda wrote:
> Keycloak can serve this use-case pretty well. Once you authenticate
> application1 with Keycloak, you will receive an accessToken for this
> application. This accessToken can then be used to invoke other HTTP
> services (like "application2") and retrieve data from them. You just
> need to send the obtained accessToken in the Authorization header in a format
> like "Authorization: Bearer your-token".
>
> Also, if your application "application2" is used just as a "container of
> REST data" for other applications and is never accessed directly by a user
> from his browser, you can configure it as "bearer-only" in the Keycloak
> admin console and in the keycloak.json of this application.
>
> We have examples exactly for this use case: "customer-service" uses the
> accessToken to invoke the bearer-only application "database-service" and
> obtain data from it. See the code here:
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L56
>
>
> Marek
>
> On 12.2.2015 21:24, Kevin Chen wrote:
>> In our environment, we will have multiple JBoss instances that will host different services; they will use the same Keycloak server for authentication.
>>
>> One of the requirements for us is that once a user is authenticated with one service, and if that service needs to invoke another service running in a different JBoss instance, the user should not be asked to log in again.
>> How can we obtain a new token and pass it to the next hop?
>>
>> Thanks
>> Kevin

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From walterrrice at gmail.com Fri Feb 13 16:47:46 2015
From: walterrrice at gmail.com (Walter Rice)
Date: Fri, 13 Feb 2015 21:47:46 +0000
Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect

Hi,

I am trying to set up the demo as per the YouTube videos (#1 and #2). I am using Keycloak 1.0.5. I have set up per the video (I think), however things aren't working as expected.

I browse to http://localhost:8080/customer-portal/ and all is fine. I click Customer Listing and I am redirected to the login page as expected. I enter my name/pw, this is successful and then I am redirected back to http://localhost:8080/customer-portal/customers/view.jsp but the page is 'Forbidden' (redirect URI appears OK here?)
I am using the 'full' version with bundled WildFly server.

*customer app:*
keycloak file

{
  "realm": "cryo198",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "customer-portal",
  "credentials": {
    "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
  }
}

*web.xml*

<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>cryo198</realm-name>
</login-config>

*redirect URI:*
/customer-portal/*

*database app:*
{
  "realm": "cryo198",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "NONE",
  "resource": "database",
  "bearer-only": "true"
}

*web.xml*

<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>cryo198</realm-name>
</login-config>

*redirect URI:*
n/a ... set as bearer only

*deployed apps:*
$ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
NAME                    RUNTIME-NAME            ENABLED  STATUS
admin-access.war        admin-access.war        true     OK
angular-product.war     angular-product.war     true     OK
auth-server.war         auth-server.war         true     OK
customer-portal-js.war  customer-portal-js.war  true     OK
customer-portal.war     customer-portal.war     true     OK
database.war            database.war            true     OK
product-portal.war      product-portal.war      true     OK

*Log:*
2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
2015-02-13 21:22:29,669 TRACE
    [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43)
    processAccessCode: isResource: true
2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp

Many thanks
W
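The adapter log above ends in "Token Verification succeeded!" and "AUTHENTICATED" while the page still comes back 'Forbidden', which is the signature of authentication passing and the container's authorization step failing: the roles carried in the token (the adapter logs "use realm role mappings", so realm roles) are checked against the <auth-constraint> of the <url-pattern> that matches the request. The script below is an added example, not code from this thread or from Keycloak; it replays that decision against the two constraints of the demo customer-portal web.xml that appears later in the thread (/admin/* requires admin, /customers/* requires user), using constructed, unsigned tokens and assuming, as the adapter does, that signature verification already happened.

```python
"""Replay the web.xml role check that turns an authenticated request into a 403.

Added example for the keycloak-user thread; not Keycloak project code. The
constraints mirror the demo customer-portal web.xml; the tokens are built
here, unsigned, purely to illustrate the realm_access.roles check.
"""
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: a servlet url-pattern and its role-names."""
    name: str
    url_pattern: str   # exact path, "/prefix/*" or "*.ext"
    roles: frozenset   # <role-name> entries of the <auth-constraint>


# Constraints posted in this thread for customer-portal (demo web.xml).
DEMO_CONSTRAINTS = (
    Constraint("Admins", "/admin/*", frozenset({"admin"})),
    Constraint("Customers", "/customers/*", frozenset({"user"})),
)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_realm_roles(jwt: str) -> set:
    """Realm roles from the token payload (realm_access.roles).

    The signature is deliberately NOT checked here: the adapter has already
    done that by the time it logs "Token Verification succeeded!".
    """
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return set(payload.get("realm_access", {}).get("roles", []))


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern matching: path-prefix, extension or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def authorize(path: str, jwt: str, constraints=DEMO_CONSTRAINTS) -> tuple:
    """Return (status, reason): 200 if allowed, 403 if a constraint denies.

    Simplified: first matching constraint wins and HTTP methods are ignored.
    """
    roles = token_realm_roles(jwt)
    for c in constraints:
        if pattern_matches(c.url_pattern, path):
            granted = roles & c.roles
            if granted:
                return 200, f"{c.name}: token holds {sorted(granted)}"
            return 403, (f"{c.name} requires one of {sorted(c.roles)}; "
                         f"token holds {sorted(roles)}")
    return 200, "no constraint covers this path"


def make_unsigned_token(realm_roles) -> str:
    """Constructed JWT-shaped token for the example (alg=none, never issued
    by Keycloak); only the payload matters to the role check."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "http://localhost:8080/auth/realms/cryo198",
        "preferred_username": "walt",
        "realm_access": {"roles": list(realm_roles)},
    }
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    no_roles = make_unsigned_token([])        # authenticated, no realm roles
    user = make_unsigned_token(["user"])      # what /customers/* expects
    for path, tok in [("/customers/view.jsp", no_roles),
                      ("/customers/view.jsp", user),
                      ("/admin/index.jsp", user),
                      ("/index.jsp", no_roles)]:
        status, reason = authorize(path, tok)
        print(f"{status} {path}: {reason}")
```

Comparing the realm roles Keycloak lists for the logged-in user with the role-name in the matching constraint is the first thing to check when a verified token still yields 403.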
From bburke at redhat.com Fri Feb 13 19:27:14 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 13 Feb 2015 19:27:14 -0500
Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect
Message-ID: <54DE9662.7020709@redhat.com>

You don't have constraints set up correctly in web.xml? You don't have the appropriate scope for the application set up?

On 2/13/2015 4:47 PM, Walter Rice wrote:
> Hi,
>
> I am trying to set up the demo as per the YouTube videos (#1 and #2). I
> am using Keycloak 1.0.5. I have set up per the video (I think), however
> things aren't working as expected.
>
> I browse to http://localhost:8080/customer-portal/ and all is fine. I
> click Customer Listing and I am redirected to the login page as expected. I
> enter my name/pw, this is successful and then I am redirected back to
> http://localhost:8080/customer-portal/customers/view.jsp but the page is
> 'Forbidden' (redirect URI appears OK here?)
>
> I am using the 'full' version with bundled WildFly server.
>
> *customer app:*
> keycloak file
>
> {
>   "realm": "cryo198",
>   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>   "auth-server-url": "http://localhost:8080/auth",
>   "ssl-required": "external",
>   "resource": "customer-portal",
>   "credentials": {
>     "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
>   }
> }
>
> *web.xml*
>
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
>   <realm-name>cryo198</realm-name>
> </login-config>
>
> *redirect URI:*
> /customer-portal/*
>
> *database app:*
> {
>   "realm": "cryo198",
>   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
>   "auth-server-url": "http://localhost:8080/auth",
>   "ssl-required": "NONE",
>   "resource": "database",
>   "bearer-only": "true"
> }
>
> *web.xml*
>
> <login-config>
>   <auth-method>KEYCLOAK</auth-method>
>   <realm-name>cryo198</realm-name>
> </login-config>
>
> *redirect URI:*
> n/a ... set as bearer only
>
> *deployed apps:*
> $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
> NAME                    RUNTIME-NAME            ENABLED  STATUS
> admin-access.war        admin-access.war        true     OK
> angular-product.war     angular-product.war     true     OK
> auth-server.war         auth-server.war         true     OK
> customer-portal-js.war  customer-portal-js.war  true     OK
> customer-portal.war     customer-portal.war     true     OK
> database.war            database.war            true     OK
> product-portal.war      product-portal.war      true     OK
>
> *Log:*
> 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
> 2015-02-13 21:22:29,668 TRACE
>     [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
> 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
> 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
> 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
> 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
> 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
> 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
> 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
> 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager]
>     (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
> 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
> 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
> 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
> 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
> 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
> 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
> 2015-02-13 21:22:46,477 DEBUG
>     [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
> 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
> 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
> 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
> 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
> 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
> 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
> 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
> 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
> 2015-02-13 21:22:46,510 DEBUG
>     [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
>
>
> Many thanks
> W

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From walterrrice at gmail.com Fri Feb 13 20:04:43 2015
From: walterrrice at gmail.com (Walter Rice)
Date: Sat, 14 Feb 2015 01:04:43 +0000
Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect
In-Reply-To: <54DE9662.7020709@redhat.com>
References: <54DE9662.7020709@redhat.com>

Hi Bill,

Thanks for the reply. I dunno! I followed the video to the letter.... below is my web.xml for customer-portal. Apologies for the noob question, but how do I check application scope?...

<module-name>customer-portal</module-name>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admins</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Customers</web-resource-name>
    <url-pattern>/customers/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>cryo198</realm-name>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>user</role-name>
</security-role>

On Sat, Feb 14, 2015 at 12:27 AM, Bill Burke wrote:
> You don't have constraints set up correctly in web.xml? You don't have
> the appropriate scope for the application set up?
>
> On 2/13/2015 4:47 PM, Walter Rice wrote:
> > Hi,
> >
> > I am trying to set up the demo as per the YouTube videos (#1 and #2). I
> > am using Keycloak 1.0.5. I have set up per the video (I think), however
> > things aren't working as expected.
> >
> > I browse to http://localhost:8080/customer-portal/ and all is fine. I
> > click Customer Listing and I am redirected to the login page as expected. I
> > enter my name/pw, this is successful and then I am redirected back to
> > http://localhost:8080/customer-portal/customers/view.jsp but the page is
> > 'Forbidden' (redirect URI appears OK here?)
> >
> > I am using the 'full' version with bundled WildFly server.
> >
> > *customer app:*
> > keycloak file
> >
> > {
> >   "realm": "cryo198",
> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
> >   "auth-server-url": "http://localhost:8080/auth",
> >   "ssl-required": "external",
> >   "resource": "customer-portal",
> >   "credentials": {
> >     "secret": "a0872aa0-113d-435c-a9d6-56cd9b270e22"
> >   }
> > }
> >
> > *web.xml*
> >
> > <login-config>
> >     <auth-method>KEYCLOAK</auth-method>
> >     <realm-name>cryo198</realm-name>
> > </login-config>
> >
> > *redirect URI:*
> > /customer-portal/*
> >
> > *database app:*
> > {
> >   "realm": "cryo198",
> >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFnsEHg1o9UMBpMoHqLxYesXgDsTHnv1vF0AgrznxAcLfmYUdjvBNdIXZNfB7I7tG9OMHvX21h9arHdcdg2qqk9adLjHuImg/LhYHVOrosJ/sybohrR/Im+k1fTsw/5p/nwZKOF1DLL4/4SZAY2h19FGCi0ZgIvE80psq98UvCNQIDAQAB",
> >   "auth-server-url": "http://localhost:8080/auth",
> >   "ssl-required": "NONE",
> >   "resource": "database",
> >   "bearer-only": "true"
> > }
> >
> > *web.xml*
> >
> > <login-config>
> >     <auth-method>KEYCLOAK</auth-method>
> >     <realm-name>cryo198</realm-name>
> > </login-config>
> >
> > *redirect URI:*
> > n/a ..set as bearer only
> >
> > *deployed apps:*
> > $ /c/tools/keycloak-appliance-dist-all-1.0.5.Final/keycloak-appliance-dist-all-1.0.5.Final/keycloak/bin/jboss-cli.sh -c --command="deploy -l"
> > NAME                    RUNTIME-NAME            ENABLED  STATUS
> > admin-access.war        admin-access.war        true     OK
> > angular-product.war     angular-product.war     true     OK
> > auth-server.war         auth-server.war         true     OK
> > customer-portal-js.war  customer-portal-js.war  true     OK
> > customer-portal.war     customer-portal.war     true     OK
> > database.war            database.war            true     OK
> > product-portal.war      product-portal.war      true     OK
> >
> > *Log:*
> > 2015-02-13 21:22:29,665 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-41) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> > 2015-02-13 21:22:29,667 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) --> authenticate()
> > 2015-02-13 21:22:29,668 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try bearer
> > 2015-02-13 21:22:29,669 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-41) try oauth
> > 2015-02-13 21:22:29,669 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-41) session was null, returning null
> > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) there was no code
> > 2015-02-13 21:22:29,670 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) redirecting to auth server
> > 2015-02-13 21:22:29,671 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) callback uri: http://localhost:8080/customer-portal/customers/view.jsp
> > 2015-02-13 21:22:29,672 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-41) Sending redirect to login page: http://localhost:8080/auth/realms/cryo198/tokens/login?client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8&login=true
> > 2015-02-13 21:22:29,701 DEBUG [org.keycloak.services.resources.TokenService] (default task-42) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> > 2015-02-13 21:22:29,702 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-42) Could not find cookie: KEYCLOAK_IDENTITY
> > 2015-02-13 21:22:46,300 DEBUG [org.keycloak.services.resources.TokenService] (default task-43) replacing relative valid redirect with: http://localhost:8080/customer-portal/*
> > 2015-02-13 21:22:46,301 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) validating password for user: walt
> > 2015-02-13 21:22:46,306 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring remember me cookie
> > 2015-02-13 21:22:46,307 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/cryo198
> > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: isResource: true
> > 2015-02-13 21:22:46,308 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) processAccessCode: go to oauth page?: false
> > 2015-02-13 21:22:46,329 DEBUG [org.keycloak.services.resources.flows.OAuthFlows] (default task-43) redirectAccessCode: state: 2/8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> > 2015-02-13 21:22:46,340 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-43) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/cryo198, max-age: -1
> > 2015-02-13 21:22:46,387 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-44) adminRequest http://localhost:8080/customer-portal/customers/view.jsp?code=zf9VUvG6-QkAWtF8xDFcJfnBnrY.OTY1YjllMzMtZDdlNS00YWQwLWEwMzgtZjIzMTJhODZjMTIx&state=2%2F8185a8ea-5a38-4a91-b990-1b32ccabb2e8
> > 2015-02-13 21:22:46,388 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) --> authenticate()
> > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try bearer
> > 2015-02-13 21:22:46,389 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-44) try oauth
> > 2015-02-13 21:22:46,389 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) session was null, returning null
> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) there was a code, resolving
> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) checking state cookie for after code
> > 2015-02-13 21:22:46,390 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) ** reseting application state cookie
> > 2015-02-13 21:22:46,477 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) Token Verification succeeded!
> > 2015-02-13 21:22:46,478 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-44) successful authenticated
> > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> > 2015-02-13 21:22:46,478 TRACE [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-44) use realm role mappings
> > 2015-02-13 21:22:46,479 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-44) propagate security context to wildfly
> > 2015-02-13 21:22:46,481 TRACE [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-44) checking whether to refresh.
> > 2015-02-13 21:22:46,484 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-44) AUTHENTICATED
> > 2015-02-13 21:22:46,502 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-46) adminRequest http://localhost:8080/customer-portal/customers/view.jsp
> > 2015-02-13 21:22:46,505 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) --> authenticate()
> > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try bearer
> > 2015-02-13 21:22:46,506 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-46) try oauth
> > 2015-02-13 21:22:46,507 DEBUG [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-46) session is active
> > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) Cached account found
> > 2015-02-13 21:22:46,508 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-46) propagate security context to wildfly
> > 2015-02-13 21:22:46,509 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-46) AUTHENTICATED: was cached
> > 2015-02-13 21:22:46,510 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-46) AuthenticatedActionsValve.invoke http://localhost:8080/customer-portal/customers/view.jsp
> >
> > Many thanks
> > W
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
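The exchange above narrows the problem to authorization rather than authentication: the adapter log reaches "AUTHENTICATED" and "use realm role mappings", and the container then rejects /customers/view.jsp against the web.xml constraint that requires the "user" role. The Python script below is an added example, not code from the thread or from Keycloak. It parses a web.xml with the same two constraints, decodes the payload of a constructed (unsigned) access token, picks the roles the way the adapter does (realm_access.roles by default, resource_access[client].roles when use-resource-role-mappings is set in keycloak.json) and reports the status the container would return. The web.xml, the tokens and the user id are constructed; the url-pattern matching and the "every matching constraint must be satisfied" rule are a simplification of the Servlet spec; signature verification is deliberately left out, so it is a debugging aid and nothing more.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed web.xml carrying the same constraints as the customer-portal one in the thread.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <module-name>customer-portal</module-name>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admins</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Customers</web-resource-name>
      <url-pattern>/customers/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>KEYCLOAK</auth-method><realm-name>cryo198</realm-name></login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

def _local(tag):
    """Drop the namespace: '{http://java.sun.com/xml/ns/javaee}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def parse_constraints(web_xml):
    """Return [(url_pattern, {required roles}), ...] for every <security-constraint>."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        roles = {e.text.strip() for e in sc.iter() if _local(e.tag) == "role-name"}
        constraints.extend((p, roles) for p in patterns)
    return constraints

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: '/x/*' is a path prefix, '*.ext' an extension, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def decode_jwt_payload(token):
    """Base64url-decode the JWT payload WITHOUT checking the signature: fine for reading
    claims while debugging, never for an authorization decision (the adapter verifies
    RS256 against realm-public-key before it trusts any of this)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_roles(claims, client_id, use_resource_role_mappings=False):
    """Roles the adapter would propagate to the container, depending on keycloak.json:
    realm_access.roles by default ("use realm role mappings" in the log), or
    resource_access[client_id].roles when use-resource-role-mappings is true."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))

def access_decision(path, constraints, roles):
    """Simplified container check: 403 when a matching constraint has no role in common."""
    for pattern, required in constraints:
        if pattern_matches(pattern, path) and not (required & roles):
            return 403
    return 200

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode().rstrip("=")

def make_unsigned_token(claims):
    """Constructed test token; the signature part is a placeholder that real verification would reject."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "placeholder"])

# Constructed claims: realm and client ids follow the thread, the rest is made up.
_BASE = {"iss": "http://localhost:8080/auth/realms/cryo198", "aud": "customer-portal", "sub": "walt"}
TOKEN_NO_ROLES = make_unsigned_token({**_BASE, "realm_access": {"roles": []}})
TOKEN_REALM_USER = make_unsigned_token({**_BASE, "realm_access": {"roles": ["user"]}})
TOKEN_CLIENT_USER = make_unsigned_token({**_BASE, "realm_access": {"roles": []},
                                         "resource_access": {"customer-portal": {"roles": ["user"]}}})

def diagnose(token, path, web_xml=WEB_XML, client_id="customer-portal", use_resource_role_mappings=False):
    """Status the container would answer for `path` with this token and web.xml."""
    roles = token_roles(decode_jwt_payload(token), client_id, use_resource_role_mappings)
    return access_decision(path, parse_constraints(web_xml), roles)

if __name__ == "__main__":
    for name, tok in [("no roles", TOKEN_NO_ROLES), ("realm role user", TOKEN_REALM_USER),
                      ("client role user only", TOKEN_CLIENT_USER)]:
        print(f"{name:22s} /customers/view.jsp -> {diagnose(tok, '/customers/view.jsp')}")
    print("client role user + use-resource-role-mappings -> "
          f"{diagnose(TOKEN_CLIENT_USER, '/customers/view.jsp', use_resource_role_mappings=True)}")
```

To check a real deployment, feed diagnose() the logged-in user's actual access token (the Java adapter exposes it as KeycloakSecurityContext.getTokenString()) and the application's real web.xml. A 403 with an empty role set for /customers/view.jsp means either the user has no "user" realm role mapping or the client's scope strips it from the token, which is exactly the scope tab Bill points at; a token that carries "user" only under resource_access while keycloak.json has no use-resource-role-mappings produces the same Forbidden for a different reason.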
From bburke at redhat.com Fri Feb 13 20:09:15 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 13 Feb 2015 20:09:15 -0500 Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect In-Reply-To: References: <54DE9662.7020709@redhat.com> Message-ID: <54DEA03B.2050905@redhat.com>

Go to the admin console. Go to your application definition. Go to the scope tab. What does it say?

On 2/13/2015 8:04 PM, Walter Rice wrote:
> Hi Bill,
>
> Thanks for the reply. I dunno! I followed the video to the letter....
> below is my web.xml for customer-portal. Apologies for noob qn but how
> do i check application scope?...
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From walterrrice at gmail.com Sat
Feb 14 04:40:42 2015 From: walterrrice at gmail.com (Walter Rice) Date: Sat, 14 Feb 2015 09:40:42 +0000 Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect In-Reply-To: <54DEA03B.2050905@redhat.com> References: <54DE9662.7020709@redhat.com> <54DEA03B.2050905@redhat.com> Message-ID:

Hi Bill,

Full scope allowed: ON

I changed this to off then add user and admin roles... same result

I realise it's probably silly mistake on my part! but I just can't see it...

If i click *customer admin interface* i get the following:

Customer Admin Interface
User *96cfdfd1-ba0d-480a-9a80-18ec830391fe* made this request.
Admin REST To Get Role List of Realm
There was a failure processing request. You either didn't configure Keycloak properly Status from database service invocation was: 404

/Brian

On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke wrote:
> Go to the admin console. Go to your application definition. Go to the
> scope tab. What does it say?
>
> -- 
> Bill Burke
> JBoss,
a division of Red Hat > http://bill.burkecentral.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150214/fba49a7a/attachment-0001.html From bburke at redhat.com Sat Feb 14 09:03:31 2015 From: bburke at redhat.com (Bill Burke) Date: Sat, 14 Feb 2015 09:03:31 -0500 Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect In-Reply-To: References: <54DE9662.7020709@redhat.com> <54DEA03B.2050905@redhat.com> Message-ID: <54DF55B3.7080607@redhat.com> Which demo did you build off of? On 2/14/2015 4:40 AM, Walter Rice wrote: > Hi Bill, > > Full scope allowed: ON > > I changed this to off then add user and admin roles... same result > > I realise it's probably silly mistake on my part! but I just can't see it... > > If i click *customer admin interface* i get the following: > > > Customer Admin Interface > > User *96cfdfd1-ba0d-480a-9a80-18ec830391fe *made this request. > > > Admin REST To Get Role List of Realm > > There was a failure processing request. You either didn't configure > Keycloak properly Status from database service invocation was: 404 > > > /Brian > > > > On Sat, Feb 14, 2015 at 1:09 AM, Bill Burke > wrote: > > Got to the admin console. Go to your application definition. Go to > the scope tab. What does it say? > > > On 2/13/2015 8:04 PM, Walter Rice wrote: > > Hi Bill, > > Thanks for the reply. I dunno! I followed the video to the > letter.... > below is my web.xml for customer-portal. Apologies for noob qn > but how > do i check application scope?... 
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From walterrrice at gmail.com Sat Feb 14 09:05:52 2015
From: walterrrice at gmail.com (Walter Rice)
Date: Sat, 14 Feb 2015 14:05:52 +0000
Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect
In-Reply-To: <54DF55B3.7080607@redhat.com>
References: <54DE9662.7020709@redhat.com> <54DEA03B.2050905@redhat.com> <54DF55B3.7080607@redhat.com>
Message-ID:

I used everything in 1.0.5 .....

On Sat, Feb 14, 2015 at 2:03 PM, Bill Burke wrote:
> Which demo did you build off of?
From bburke at redhat.com Sat Feb 14 09:09:13 2015
From: bburke at redhat.com (Bill Burke)
Date: Sat, 14 Feb 2015 09:09:13 -0500
Subject: [keycloak-user] Noob question -- 'forbidden' on demo after redirect
In-Reply-To:
References: <54DE9662.7020709@redhat.com> <54DEA03B.2050905@redhat.com> <54DF55B3.7080607@redhat.com>
Message-ID: <54DF5709.3080607@redhat.com>

You are running all the demo examples? You didn't modify them? You loaded the appropriate realm.json files, etc.?

On 2/14/2015 9:05 AM, Walter Rice wrote:
> I used everything in 1.0.5 .....
>
> On Sat, Feb 14, 2015 at 2:03 PM, Bill Burke wrote:
> > Which demo did you build off of?
> > 2015-02-13 21:22:46,484 DEBUG > > > [org.keycloak.adapters.____RequestAuthenticator] (default > task-44) > AUTHENTICATED > > 2015-02-13 21:22:46,502 DEBUG > > > [org.keycloak.adapters.____PreAuthActionsHandler] (default > task-46) > > adminRequest > http://localhost:8080/____customer-portal/custo > > > > > mers/view.jsp > > 2015-02-13 21:22:46,505 TRACE > > > [org.keycloak.adapters.____RequestAuthenticator] (default > task-46) --> > > authenticate() > > 2015-02-13 21:22:46,506 TRACE > > > [org.keycloak.adapters.____RequestAuthenticator] (default > task-46) > try bearer > > 2015-02-13 21:22:46,506 TRACE > > > [org.keycloak.adapters.____RequestAuthenticator] (default > task-46) > try oauth > > 2015-02-13 21:22:46,507 DEBUG > > > > [org.keycloak.adapters.____undertow.____KeycloakUndertowAccount] > (default > > task-46) session is active > > 2015-02-13 21:22:46,508 DEBUG > > > [org.keycloak.adapters.____RequestAuthenticator] (default > task-46) Cached > > account found > > 2015-02-13 21:22:46,508 DEBUG > > > > [org.keycloak.adapters.____wildfly.____WildflyRequestAuthenticator] > (default > > task-46) propagate security context to wildfly > > 2015-02-13 21:22:46,509 DEBUG > > > [org.keycloak.adapters.____RequestAuthenticator] (default > task-46) > > AUTHENTICATED: was cached > > 2015-02-13 21:22:46,510 DEBUG > > > [org.keycloak.adapters.____AuthenticatedActionsHandler] > (default task-46) > > AuthenticatedActionsValve.____invoke > http://localhost: > > 8080/customer-portal/____customers/view.jsp > > > > > > Many thanks > > W > > > > > > > > > > ___________________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > > > ____jboss.org > >> > > > https://lists.jboss.org/____mailman/listinfo/keycloak-user > > > __> > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > ___________________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > 
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Sat Feb 14 17:03:55 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Sat, 14 Feb 2015 22:03:55 +0000 (UTC)
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To: <1030125401.1143228.1423487599084.JavaMail.yahoo@mail.yahoo.com>
References: <54D4DC01.50401@redhat.com> <1030125401.1143228.1423487599084.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1291727090.3290495.1423951435854.JavaMail.yahoo@mail.yahoo.com>

Bill - Just wanted to let you know the Identity Broker currently being built meets my requirements. I have successfully tested out a complex scenario (given below) involving both SPNEGO as well as SAML Service Provider functionality

1) KC on two hosts acting as SAML IDP using SPNEGO as Identity Broker.
2) KC on another host acting as SAML SP communicating with IDP (Point 1) and a client using OpenID Connect (Point 3)
3) A Client application communicating with KC (refer to Point 2) using OpenID Connect

Any user accessing the client application will now be seamlessly authenticated without entering password. Now I am looking for the "custom profiles" functionality which would help me move forward. Just to reiterate my requirement - once the user is authenticated, I would like to make a LDAP call (in some cases multiple calls to different repositories) to retrieve all user information that should eventually be populated in the SAML claims or OIDC id_token selectively.

A big thank you to you and the entire dev team for accommodating our requests :-). Great Job!!!
Regards,
Raghu

From: Raghu Prabhala
To: Bill Burke; "keycloak-user at lists.jboss.org"
Sent: Monday, February 9, 2015 8:13 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released

I think that would satisfy my requirements - but not sure until I see that bridge along with the Identity broker functionality in the next beta release - eagerly waiting for it.

From: Bill Burke
To: keycloak-user at lists.jboss.org
Sent: Friday, February 6, 2015 10:21 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released

Keycloak won't be a kerberos server any time soon, if ever. We are creating a SAML/OIDC to kerberos bridge though.

On 1/30/2015 10:52 AM, Raghu Prabhala wrote:
> Unfortunately yes. Kerberos is deeply ingrained in most of internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos.
>
> If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control (need http request) immediately by Keycloak, perhaps I can handle both authentication with key tabs (for system accts) as well as SPNEGO for users
>
> Sent from my iPhone
>
>> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Raghu Prabhala"
>>> To: "Stian Thorgersen"
>>> Cc: "keycloak dev", "keycloak-user"
>>> Sent: Friday, 30 January, 2015 2:44:14 PM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> Great. Looking forward to the 1.2 Beta version.
>>> Regarding the system account support, from my perspective, it is very important because we have thousands of applications that interact with each other using system accounts (authentication with Kerberos with keytabs) and till we have that functionality, we will not be able to consider Keycloak as a SSO solution even though it is coming out to be a good product. The sooner we have it, the better.
>>> Hopefully, even other users will pitch in to request that functionality so that you can bump it up in your priority list.
>>> Thanks once again.
>>> Raghu
>>
>> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.
>>
>>> From: Stian Thorgersen
>>> To: Raghu Prabhala
>>> Cc: keycloak dev; keycloak-user
>>> Sent: Friday, January 30, 2015 2:10 AM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> ----- Original Message -----
>>>> From: "Raghu Prabhala"
>>>> To: "Stian Thorgersen"
>>>> Cc: "keycloak dev", "keycloak-user"
>>>> Sent: Thursday, January 29, 2015 6:44:11 PM
>>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>>
>>>> Congrats Keycloak team. A great deal of features in this release - really like SAML and clustering.
>>>>
>>>> But what I am really looking for is the next release as we need all the features you listed - any tentative dates for the beta version?
>>>
>>> We might do a beta soon, but that'll only include identity brokering. The other features will be at least a month away.
>>>
>>>> The functionality provided so far seems to be targeted toward users accounts.
>>>> When can we expect support for System accounts (with diff auth mechanisms like certificates, Kerberos etc?
>>>
>>> Some time this year we aim to have system accounts with certificates, it'll depend on priorities. We don't have any plans to support Kerberos authentication with system accounts, but maybe that makes sense to add as well.
>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
>>>>>
>>>>> The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final.
>>>>> Highlights in this release include:
>>>>>
>>>>> * SAML 2.0
>>>>> * Clustering
>>>>> * Jetty, Tomcat and Fuse adapters
>>>>> * HTTP Security Proxy
>>>>> * Automatic migration of db schema
>>>>>
>>>>> We've already started working on features for the next release. Some exciting features coming soon include:
>>>>>
>>>>> * Identity brokering
>>>>> * Custom user profiles
>>>>> * Kerberos
>>>>> * OpenID Connect interop
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From andrew.reifers at dristcoach.com Sat Feb 14 21:35:44 2015
From: andrew.reifers at dristcoach.com (Andrew Reifers)
Date: Sat, 14 Feb 2015 18:35:44 -0800
Subject: [keycloak-user] Application Managed Security (Non-Adapter) SAML or OpenID Integration Example
Message-ID:

Hello All,

First off I'm a NOOB with SSO, so please educate me kindly on any ignorance within my questions.

From my research thus far and previous mailing posts sent to this user list:

Keycloak is very tuned to using a Servlet Container security approach with keycloak adapters utilizing the .json/.xml configuration file. I've been able to get a basic authentication working using a completely front end approach.
To be clear it's an Angular JS front end and it was extremely straight forward just porting over the example. The problem is that I'm trying to tie the authentication to the server application layer (Spring Security). I am pretty married to Spring Security at this point and would like to authenticate via an application managed approach. There are multiple libraries within Spring Security that support industry standards that are compatible with Keycloak (SAML, OpenID, OAuth etc).

To be fair I haven't ruled out a Servlet Security approach but I've spent a weekend (again SSO Noob here) trying to migrate my existing spring security (Application Managed Security) application to a Container using the tomcat adapter and it's been painful to say the least. I am still using Spring Boot and Java Config. In an attempt to decouple all the existing security controls that are application managed I've been able to basically accomplish removing the existing security: you can see the existing code and output below for my entire current setup for a KeyCloakServerConfiguration Servlet and if you see anything obvious let me know. I'm not sure how the forms login handoff is supposed to occur at this point. Should it just be an iframe sourcing in the SSO login form?

OK so what would be much much more convenient at this point is a few examples of integrating manually with Keycloak rather than using the adapters. Does anyone have an example or documentation on how to use SAML or OpenID at an application managed level (Spring Security SAML or OpenID example would be amazing)? Specifically without using a keycloak adapter.

Thanks in advance for any support/information you can provide.
Best,
Andrew

    import java.io.InputStream;

    // Tomcat 8 descriptor classes; on Tomcat 7 these live in org.apache.catalina.deploy
    import org.apache.catalina.Context;
    import org.apache.tomcat.util.descriptor.web.LoginConfig;
    import org.apache.tomcat.util.descriptor.web.SecurityCollection;
    import org.apache.tomcat.util.descriptor.web.SecurityConstraint;

    import org.keycloak.adapters.HttpFacade;
    import org.keycloak.adapters.KeycloakConfigResolver;
    import org.keycloak.adapters.KeycloakDeployment;
    import org.keycloak.adapters.KeycloakDeploymentBuilder;
    import org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve;

    import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class KeyCloakServerConfiguration {

        // Registers the Keycloak Tomcat valve on the embedded container and
        // hands the Context to the customizer below for constraints and login config.
        @Bean
        public EmbeddedServletContainerCustomizer getKeycloakContainerCustomizer() {
            return new EmbeddedServletContainerCustomizer() {
                @Override
                public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
                    if (configurableEmbeddedServletContainer instanceof TomcatEmbeddedServletContainerFactory) {
                        TomcatEmbeddedServletContainerFactory container =
                                (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;

                        KeycloakAuthenticatorValve authenticatorValve = new KeycloakAuthenticatorValve();
                        container.addContextValves(authenticatorValve);
                        container.addContextCustomizers(getKeycloakContextCustomizer());
                    }
                }
            };
        }

        // Programmatic equivalent of the web.xml <security-constraint> and <login-config> blocks.
        @Bean
        public TomcatContextCustomizer getKeycloakContextCustomizer() {
            return new TomcatContextCustomizer() {
                @Override
                public void customize(Context context) {
                    SecurityConstraint secConstraints = new SecurityConstraint();
                    secConstraints.setAuthConstraint(true);
                    secConstraints.addAuthRole("ROLE_USER");

                    // Servlet URL patterns use "/*" for a prefix match. Ant-style "/**" is
                    // not a servlet pattern and would be matched as a literal path.
                    // Only an authenticated user may POST (the method constrained here is
                    // POST, whatever the variable name suggests)...
                    SecurityCollection putCollection = new SecurityCollection();
                    putCollection.addPattern("/*");
                    putCollection.addMethod("POST");

                    // ...and this collection, with no method listed, requires authentication
                    // for every other request under the context as well.
                    SecurityCollection getAuthenticatedMaterialsCollection = new SecurityCollection();
                    getAuthenticatedMaterialsCollection.addPattern("/*");

                    secConstraints.addCollection(putCollection);
                    secConstraints.addCollection(getAuthenticatedMaterialsCollection);
                    context.addConstraint(secConstraints);

                    LoginConfig loginConfig = new LoginConfig();
                    loginConfig.setAuthMethod("KEYCLOAK");
                    context.setLoginConfig(loginConfig);

                    // Point the valve at a resolver instead of WEB-INF/keycloak.json.
                    context.addParameter("keycloak.config.resolver",
                            SpringBootKeycloakConfigResolver.class.getName());
                }
            };
        }

        // Loads keycloak.json from the classpath once and caches the resulting deployment.
        public static class SpringBootKeycloakConfigResolver implements KeycloakConfigResolver {

            private KeycloakDeployment keycloakDeployment;

            @Override
            public KeycloakDeployment resolve(HttpFacade.Request request) {
                if (keycloakDeployment != null) {
                    return keycloakDeployment;
                }

                InputStream configInputStream = getClass().getResourceAsStream("/keycloak.json");
                if (configInputStream == null) {
                    // No configuration on the classpath: an unconfigured deployment,
                    // so every request will fail to authenticate rather than fall open.
                    keycloakDeployment = new KeycloakDeployment();
                } else {
                    keycloakDeployment = KeycloakDeploymentBuilder.build(configInputStream);
                }
                return keycloakDeployment;
            }
        }
    }

Here is the console output. So what I gather is that it appears to be at least intercepting the requests appropriately and it is successfully loading the .json resource file.

    [DEBUG] org.keycloak.adapters.PreAuthActionsHandler - adminRequest http://localhost:8080/
    [DEBUG] org.keycloak.adapters.KeycloakDeployment - resolveBrowserUrls
    [DEBUG] org.keycloak.adapters.KeycloakDeployment - resolveNonBrowserUrls
    [DEBUG] org.keycloak.adapters.KeycloakDeploymentBuilder - Use authServerUrl: http://192.168.53.252:8080/auth, codeUrl: http://192.168.53.252:8080/auth/realms/Spring-Development/protocol/openid-connect/access/codes, relativeUrls: NEVER
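The question above asks what "application managed" integration looks like once the Keycloak adapter is taken out of the picture. The core of it is that the application receives the bearer token the Angular client obtained from Keycloak and verifies it itself. The class below is an added example written for this thread; it is not Andrew's code, not Keycloak's, and not part of Spring Security. It takes the "realm-public-key" value from keycloak.json (a base64 X.509 SubjectPublicKeyInfo, which is exactly what X509EncodedKeySpec expects), pins the algorithm to RS256, checks the signature over the header and payload, and only then trusts the claims, checking exp and iss before reading realm_access.roles. It assumes Java 8 (java.util.Base64) and Jackson on the classpath, which Spring Boot already provides; the exact iss string is passed in rather than derived because the value Keycloak writes has changed between releases (current releases use the realm URL, <auth-server-url>/realms/<realm>), so check what your server version emits.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Application-managed verification of a Keycloak access token (RS256 JWT) with
 * no Keycloak adapter involved. Illustrative code written for this thread, not
 * Keycloak's or Spring Security's. A servlet filter would call verify() on the
 * value of "Authorization: Bearer <token>" and build its security context from
 * the returned claims.
 */
public final class KeycloakTokenVerifier {

    private final PublicKey realmKey;
    private final String expectedIssuer;
    private final ObjectMapper mapper = new ObjectMapper();

    /**
     * @param realmPublicKeyBase64 the "realm-public-key" value from keycloak.json
     *                             (base64 X.509 SubjectPublicKeyInfo)
     * @param expectedIssuer       the exact "iss" value your Keycloak version writes;
     *                             passed in because it has changed across releases
     */
    public KeycloakTokenVerifier(String realmPublicKeyBase64, String expectedIssuer)
            throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(realmPublicKeyBase64);
        this.realmKey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        this.expectedIssuer = expectedIssuer;
    }

    /** Returns the token's claims if every check passes; otherwise throws SecurityException. */
    public JsonNode verify(String jwt) throws IOException, GeneralSecurityException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new SecurityException("malformed token");
        }
        Base64.Decoder b64 = Base64.getUrlDecoder(); // JWT segments are unpadded base64url

        // 1. Pin the algorithm. Never let the token choose "none" or an HMAC variant.
        JsonNode header = mapper.readTree(b64.decode(parts[0]));
        if (!"RS256".equals(header.path("alg").asText())) {
            throw new SecurityException("unexpected alg: " + header.path("alg").asText());
        }

        // 2. Signature over the ASCII "header.payload" with the realm's RSA key.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(realmKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(b64.decode(parts[2]))) {
            throw new SecurityException("signature check failed");
        }

        // 3. Claims are trusted only after the signature holds: expiry, then issuer.
        JsonNode claims = mapper.readTree(b64.decode(parts[1]));
        long nowSeconds = System.currentTimeMillis() / 1000L;
        if (claims.path("exp").asLong(0L) <= nowSeconds) {
            throw new SecurityException("token expired");
        }
        if (!expectedIssuer.equals(claims.path("iss").asText())) {
            throw new SecurityException("unexpected issuer: " + claims.path("iss").asText());
        }
        return claims;
    }

    /** Realm roles carried in the token; the natural source for Spring GrantedAuthority values. */
    public static List<String> realmRoles(JsonNode claims) {
        List<String> roles = new ArrayList<>();
        for (JsonNode role : claims.path("realm_access").path("roles")) {
            roles.add(role.asText());
        }
        return roles;
    }

    /** Roles granted for one client (the "resource" in keycloak.json). */
    public static List<String> clientRoles(JsonNode claims, String clientId) {
        List<String> roles = new ArrayList<>();
        for (JsonNode role : claims.path("resource_access").path(clientId).path("roles")) {
            roles.add(role.asText());
        }
        return roles;
    }
}
```

Wired into a Spring Security filter, the filter strips the "Bearer " prefix from the Authorization header, calls verify(), and maps realmRoles() or clientRoles() to GrantedAuthority objects; a SecurityException becomes a 401. Two caveats a production version needs beyond this example: allow a few seconds of clock skew on exp, and, once you have confirmed what your server version puts in aud or azp, reject tokens issued for a different client.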
From bburke at redhat.com Sun Feb 15 11:33:45 2015
From: bburke at redhat.com (Bill Burke)
Date: Sun, 15 Feb 2015 11:33:45 -0500
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To: <1291727090.3290495.1423951435854.JavaMail.yahoo@mail.yahoo.com>
References: <54D4DC01.50401@redhat.com> <1030125401.1143228.1423487599084.JavaMail.yahoo@mail.yahoo.com> <1291727090.3290495.1423951435854.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <54E0CA69.3090702@redhat.com>

Working on claims right now. Should have something end of next week.

Can you think of anything that would make kerberos or any other feature easier to configure or use? Your feedback would be a great help.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Sun Feb 15 11:47:42 2015
From: bburke at redhat.com (Bill Burke)
Date: Sun, 15 Feb 2015 11:47:42 -0500
Subject: [keycloak-user] Application Managed Security (Non-Adapter) SAML or OpenID Integration Example
In-Reply-To:
References:
Message-ID:
<54E0CDAE.80705@redhat.com>

Our queue is very full at the moment and none of us know enough about Spring Security to help you out. I actually know nothing about it. If you are interested in investigating this, that would be really helpful. Even specing out requirements and how Keycloak should integrate with Spring Security would be helpful.

In "master", somebody contributed Spring Boot integration. I'm not sure of what it does, but maybe that would be something useful to you? You would have to clone and build from master to use this though.

We also have a Security Proxy, but I don't know if that will help you.

http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Sun Feb 15 16:39:47 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Sun, 15 Feb 2015 21:39:47 +0000 (UTC)
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To: <54E0CA69.3090702@redhat.com>
References: <54E0CA69.3090702@redhat.com>
Message-ID: <993816063.3760726.1424036387567.JavaMail.yahoo@mail.yahoo.com>

That's great Bill. Can't wait to try out the claims piece. I will send out a separate email with my feedback.

From: Bill Burke
To: Raghu Prabhala; "keycloak-user at lists.jboss.org"
Sent: Sunday, February 15, 2015 11:33 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released

Working on claims right now. Should have something end of next week.

Can you think of anything that would make kerberos or any other feature easier to configure or use? Your feedback would be a great help.

On 2/14/2015 5:03 PM, Raghu Prabhala wrote:
> Bill - Just wanted to let you know the Identity Broker currently being built meets my requirements. I have successfully tested out a complex scenario (given below) involving both SPNEGO as well as SAML Service Provider functionality
>
> 1) KC on two hosts acting as SAML IDP using SPNEGO as Identity Broker.
> 2) KC on another host acting as SAML SP communicating with IDP (Point 1) and a client using OpenID Connect (Point 3)
> 3) A Client application communicating with KC (refer to Point 2) using OpenID Connect
>
> Any user accessing the client application will now be seamlessly authenticated without entering a password. Now I am looking for the "custom profiles" functionality which would help me move forward. Just to reiterate my requirement - once the user is authenticated, I would like to make an LDAP call (in some cases multiple calls to different repositories) to retrieve all user information that should eventually be populated in the SAML claims or OIDC id_token selectively.
>
> A big thank you to you and the entire dev team for accommodating our requests :-). Great Job!!!
>
> Regards,
> Raghu
> ------------------------------------------------------------------------
> *From:* Raghu Prabhala
> *To:* Bill Burke; "keycloak-user at lists.jboss.org"
> *Sent:* Monday, February 9, 2015 8:13 AM
> *Subject:* Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
> I think that would satisfy my requirements - but not sure until I see that bridge along with the Identity broker functionality in the next beta release - eagerly waiting for it.
>
> ------------------------------------------------------------------------
> *From:* Bill Burke
> *To:* keycloak-user at lists.jboss.org
> *Sent:* Friday, February 6, 2015 10:21 AM
> *Subject:* Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
> Keycloak won't be a kerberos server any time soon, if ever. We are creating a SAML/OIDC to kerberos bridge though.
>
> On 1/30/2015 10:52 AM, Raghu Prabhala wrote:
> > Unfortunately yes. Kerberos is deeply ingrained in most of our internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos.
> >
> > If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control (need http request) immediately by Keycloak, perhaps I can handle both authentication with key tabs (for system accts) as well as SPNEGO for users
> >
> > Sent from my iPhone
> >
> >> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen wrote:
> >>
> >> ----- Original Message -----
> >>> From: "Raghu Prabhala"
> >>> To: "Stian Thorgersen"
> >>> Cc: "keycloak dev", "keycloak-user"
> >>> Sent: Friday, 30 January, 2015 2:44:14 PM
> >>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
> >>>
> >>> Great. Looking forward to the 1.2 Beta version.
> >>> Regarding the system account support, from my perspective, it is very important because we have thousands of applications that interact with each other using system accounts (authentication with Kerberos with keytabs) and till we have that functionality, we will not be able to consider Keycloak as a SSO solution even though it is coming out to be a good product. The sooner we have it, the better. Hopefully, even other users will pitch in to request that functionality so that you can bump it up in your priority list.
> >>> Thanks once again.
> >>> Raghu
> >>
> >> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.
> >>
> >>> From: Stian Thorgersen
> >>> To: Raghu Prabhala
> >>> Cc: keycloak dev; keycloak-user
> >>> Sent: Friday, January 30, 2015 2:10 AM
> >>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
> >>>
> >>> ----- Original Message -----
> >>>> From: "Raghu Prabhala"
> >>>> To: "Stian Thorgersen"
> >>>> Cc: "keycloak dev", "keycloak-user"
> >>>> Sent: Thursday, January 29, 2015 6:44:11 PM
> >>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
> >>>>
> >>>> Congrats Keycloak team. A great deal of features in this release - really like SAML and clustering.
> >>>>
> >>>> But what I am really looking for is the next release as we need all the features you listed - any tentative dates for the beta version?
> >>>
> >>> We might do a beta soon, but that'll only include identity brokering. The other features will be at least a month away.
> >>>
> >>>> The functionality provided so far seems to be targeted toward user accounts.
> >>>> When can we expect support for System accounts (with diff auth mechanisms like certificates, Kerberos etc)?
> >>>
> >>> Some time this year we aim to have system accounts with certificates, it'll depend on priorities. We don't have any plans to support Kerberos authentication with system accounts, but maybe that makes sense to add as well.
> >>>
> >>>> Thanks,
> >>>> Raghu
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
> >>>>>
> >>>>> The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final.
> >>>>> Highlights in this release include:
> >>>>>
> >>>>> * SAML 2.0
> >>>>> * Clustering
> >>>>> * Jetty, Tomcat and Fuse adapters
> >>>>> * HTTP Security Proxy
> >>>>> * Automatic migration of db schema
> >>>>>
> >>>>> We've already started working on features for the next release. Some exciting features coming soon include:
> >>>>>
> >>>>> * Identity brokering
> >>>>> * Custom user profiles
> >>>>> * Kerberos
> >>>>> * OpenID Connect interop
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Peng.Chen at halliburton.com Mon Feb 16 10:00:20 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Mon, 16 Feb 2015 15:00:20 +0000
Subject: [keycloak-user] [EXTERNAL] Re: how to implement SSO among services with Keycloak
In-Reply-To: <54DDF10E.2040108@redhat.com>
References: <54DDD2F9.7050903@redhat.com> <54DDF10E.2040108@redhat.com>

Thanks Bill.

Will the token expire? If so, how to deal with it in the following situation:
Service 1 in JBoss 1 got a token based on the user login (it will have username/password information), then it will connect to Service 2 on JBoss 2 with the token. Service 2 will then connect to Service 3 in JBoss 3. If the token expired, how can Service 2 refresh it?

Thanks
Kevin

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Friday, February 13, 2015 6:42 AM
To: keycloak-user at lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] how to implement SSO among services with Keycloak

The demo app shows how this is done:

1. visit customer portal
2. customer portal initiates a login
3. customer portal receives a token
4. customer uses token to make secure REST invocation to another database service.

On 2/13/2015 5:33 AM, Marek Posolda wrote:
> Keycloak can serve this use-case pretty well. Once you authenticate application1 with Keycloak, you will receive an accessToken for this application. This accessToken can then be used to invoke other HTTP services (like "application2") and retrieve data from them. You just need to send the obtained accessToken in the Authorization header in a format like "Authorization: Bearer your-token".
>
> Also if your application "application2" is used just as a "container of REST data" for other applications and never accessed directly by the user from his browser, you can configure it as "bearer-only" in the keycloak admin console and in keycloak.json of this application.
>
> We have examples exactly for this use-case: "customer-service" uses the accessToken to invoke the bearer-only application "database-service" and obtain data from it. See the code here:
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L56
>
> Marek
>
> On 12.2.2015 21:24, Kevin Chen wrote:
>> In our environment, we will have multiple JBOSS instances that will host different services; they will use the same Keycloak server for authentication.
>>
>> One of the requirements for us is that once a user is authenticated with one service, and if that service needs to invoke another service running in a different JBOSS instance, the user should not be asked to log in again.
>> How can we obtain a new token and pass it to the next hop?
>>
>> Thanks
>> Kevin
>>
>> ---------------------------------------------------------------------
>> This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Mon Feb 16 10:14:00 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Feb 2015 10:14:00 -0500
Subject: [keycloak-user] [EXTERNAL] Re: how to implement SSO among services with Keycloak
References: <54DDD2F9.7050903@redhat.com> <54DDF10E.2040108@redhat.com>
Message-ID: <54E20938.7080403@redhat.com>

The token will expire. There's been talk of providing an API to turn a token into a refresh token. Haven't fully thought through the security implications yet though.

On 2/16/2015 10:00 AM, Kevin Chen wrote:
> Thanks Bill.
>
> Will the token expire? If so, how to deal with it in the following situation:
> Service 1 in JBoss 1 got a token based on the user login (it will have username/password information), then it will connect to Service 2 on JBoss 2 with the token. Service 2 will then connect to Service 3 in JBoss 3. If the token expired, how can Service 2 refresh it?
>
> Thanks
> Kevin
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Friday, February 13, 2015 6:42 AM
> To: keycloak-user at lists.jboss.org
> Subject: [EXTERNAL] Re: [keycloak-user] how to implement SSO among services with Keycloak
>
> The demo app shows how this is done:
>
> 1. visit customer portal
> 2. customer portal initiates a login
> 3. customer portal receives a token
> 4. customer uses token to make secure REST invocation to another database service.
>
> On 2/13/2015 5:33 AM, Marek Posolda wrote:
>> Keycloak can serve this use-case pretty well. Once you authenticate application1 with Keycloak, you will receive an accessToken for this application. This accessToken can then be used to invoke other HTTP services (like "application2") and retrieve data from them. You just need to send the obtained accessToken in the Authorization header in a format like "Authorization: Bearer your-token".
>>
>> Also if your application "application2" is used just as a "container of REST data" for other applications and never accessed directly by the user from his browser, you can configure it as "bearer-only" in the keycloak admin console and in keycloak.json of this application.
>>
>> We have examples exactly for this use-case: "customer-service" uses the accessToken to invoke the bearer-only application "database-service" and obtain data from it. See the code here:
>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L56
>>
>> Marek
>>
>> On 12.2.2015 21:24, Kevin Chen wrote:
>>> In our environment, we will have multiple JBOSS instances that will host different services; they will use the same Keycloak server for authentication.
>>>
>>> One of the requirements for us is that once a user is authenticated with one service, and if that service needs to invoke another service running in a different JBOSS instance, the user should not be asked to log in again.
>>> How can we obtain a new token and pass it to the next hop?
>>>
>>> Thanks
>>> Kevin
>>>
>>> ---------------------------------------------------------------------
>>> This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christinalau28 at icloud.com Mon Feb 16 20:26:50 2015
From: christinalau28 at icloud.com (Christina Lau)
Date: Mon, 16 Feb 2015 20:26:50 -0500
Subject: [keycloak-user] keycloak-appliance-dist-all-1.1.0.Final does not have an auth-server.war
Message-ID: <43081108-912A-41B8-A8C7-9997E31EA5C3@icloud.com>

Hi, after unzipping keycloak-appliance-dist-all-1.1.0.Final.zip, it does not have an auth-server.war in the keycloak/standalone/deployments folder.

I tried to copy the auth-server.war from the keycloak-war-dist-all-1.1.0.Final.zip, but I can't make it work.

Can you tell me what the steps are to get auth-server.war to work in the appliance-dist-all?

According to the documentation, it should be there (it used to be there), but it is missing now.

I need to update the lib folders with some customization. Thx for your help.
Christina

From bburke at redhat.com Mon Feb 16 20:35:01 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 16 Feb 2015 20:35:01 -0500
Subject: [keycloak-user] keycloak-appliance-dist-all-1.1.0.Final does not have an auth-server.war
In-Reply-To: <43081108-912A-41B8-A8C7-9997E31EA5C3@icloud.com>
References: <43081108-912A-41B8-A8C7-9997E31EA5C3@icloud.com>
Message-ID: <54E29AC5.1000509@redhat.com>

Yeah, things changed a bit so that we could run Keycloak in a cluster with a Wildfly/JBoss Domain Controller. This may help you:
http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/providers.html#d4e353

On 2/16/2015 8:26 PM, Christina Lau wrote:
> Hi, after unzipping keycloak-appliance-dist-all-1.1.0.Final.zip, it does not have an auth-server.war in the keycloak/standalone/deployments folder.
>
> I tried to copy the auth-server.war from the keycloak-war-dist-all-1.1.0.Final.zip, but I can't make it work.
>
> Can you tell me what the steps are to get auth-server.war to work in the appliance-dist-all?
>
> According to the documentation, it should be there (it used to be there), but it is missing now.
>
> I need to update the lib folders with some customization. Thx for your help.
>
> Christina

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From christoph.machnik at traveltainment.de Tue Feb 17 02:41:53 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Tue, 17 Feb 2015 07:41:53 +0000
Subject: [keycloak-user] installing keycloak on an wildfly domain cluster
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC4AFFE@EX-TT-AC-01.traveltainment.int>

Hallo all,

I try to install keycloak on a wildfly domain cluster. The cluster uses the domain.xml as configuration with the full-ha profile and not the standalone.xml. Is there anything special to look for and to do other than in the documentation? I have deployed the things in the deployment folder and copy-pasted the configuration folder. But when I try to go to the keycloak administration console (http://[Server-IP]:8080/auth/admin/index.html) I got "404 - Not Found" as answer.

Is there anything I have to do, after I have done the configuration of the used profile and the installation of the adapter, to run keycloak on a wildfly domain cluster?

Christoph

From chenkeong.yap at izeno.com Tue Feb 17 03:54:23 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 17 Feb 2015 16:54:23 +0800
Subject: [keycloak-user] keycloak proxy server

Hi,

When I access my app from http://localhost:8080/customer-portal, it is redirected to the keycloak login page (https://192.168.1.10:8443/auth). After login is successful, the request is redirected back to http://localhost:8080/customer-portal instead of http://localhost:9080/customer-portal. Can someone advise what's wrong with the settings?

keycloak proxy server hosted on localhost:8080

customer-portal application hosted on localhost:9080

proxy.json configuration shown below.

{
  "target-url": "http://localhost:8082",
  "bind-address": "localhost",
  "http-port": "8080",
  "https-port": "8443",
  "keystore": "classpath:ssl.jks",
  "keystore-password": "password",
  "key-password": "password",
  "send-access-token": true,
  "applications": [
    {
      "base-path": "/customer-portal",
      "error-page": "/error.html",
      "adapter-config": {
        "realm": "demo",
        "resource": "customer-portal",
        "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
        "auth-server-url": "https://192.168.1.10:8443/auth",
        "ssl-required": "external",
        "enable-cors": true,
        "principal-attribute": "KEYCLOAK_NAME",
        "credentials": {
          "secret": "password"
        }
      },
      "constraints": [
        { "pattern": "/users/*", "roles-allowed": [ "user" ] },
        { "pattern": "/*", "roles-allowed": [ "user" ] },
        { "pattern": "/call-bearer/*", "roles-allowed": [ "user" ] },
        { "pattern": "/bearer/*", "roles-allowed": [ "user" ] },
        { "pattern": "/admins/*", "roles-allowed": [ "admin" ] },
        { "pattern": "/users/permit", "permit": true },
        { "pattern": "/users/deny", "deny": true }
      ]
    }
  ]
}

From stian at redhat.com Tue Feb 17 07:21:33 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 17 Feb 2015 07:21:33 -0500 (EST)
Subject: [keycloak-user] Two-way SSL via Undertow in keycloak-appliance-dist-all-1.1.0.Final
Message-ID: <125598432.8256222.1424175693509.JavaMail.zimbra@redhat.com>

You need to configure a truststore for the adapter. See 'truststore' in http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#adapter-config.
----- Original Message -----
> From: "Sahil Sachdeva"
> To: "keycloak-user"
> Sent: Friday, February 6, 2015 1:22:17 PM
> Subject: [keycloak-user] Two-way SSL via Undertow in keycloak-appliance-dist-all-1.1.0.Final
>
> Hello Everybody,
>
> I am new to keycloak and playing around a little. I have a small REST service I have deployed in the keycloak server and am trying to secure it. This is how far I have gotten:
>
> 1) I got the basic auth running.
> 2) I was able to force SSL all through, using a truststore in the adapter and the necessary settings in standalone.xml
>
> To take a step further I added:
>
> keystore-password="mypassword"/>
>
> to the security-realm which I used in step 2 to enable SSL, and added the truststore to the required directory. However this broke the application partly. I can reach the master-realm login and admin console. When I go to the URL of the REST service I am redirected to the login page of my application realm. But after successfully logging in, I get a 403 forbidden and "SSLPeerUnverifiedException: peer not authenticated" error in the logs.
>
> Does any one have an idea why? The only thing that changed from one-way SSL to two-way SSL is the undertow configuration, why does it disturb the adapter?
>
> Best,
> Sahil

From ssilvert at redhat.com Tue Feb 17 08:26:19 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 17 Feb 2015 08:26:19 -0500
Subject: [keycloak-user] installing keycloak on an wildfly domain cluster
In-Reply-To: <9656B9D10BC6124A88D5E27DD02422855BC4AFFE@EX-TT-AC-01.traveltainment.int>
References: <9656B9D10BC6124A88D5E27DD02422855BC4AFFE@EX-TT-AC-01.traveltainment.int>
Message-ID: <54E3417B.8060104@redhat.com>

There is a subtle difference between a WildFly domain installation and a WildFly cluster installation. A domain installation is clustered, but it is also possible to create a cluster without using a domain. See the WildFly High Availability Guide:
https://docs.jboss.org/author/display/WFLY8/High+Availability+Guide

In a domain environment, there is no deployment folder. For Keycloak, version 1.1.0 has the auth server controlled by the Keycloak subsystem so it can be easily deployed and used in a domain. However, the documentation for that is missing. We are trying to fix the situation right now.

On 2/17/2015 2:41 AM, Christoph Machnik wrote:
> Hallo all,
>
> I try to install keycloak on a wildfly domain cluster. The cluster uses the domain.xml as configuration with the full-ha profile and not the standalone.xml. Is there anything special to look for and to do other than in the documentation? I have deployed the things in the deployment folder and copy-pasted the configuration folder. But when I try to go to the keycloak administration console (http://[Server-IP]:8080/auth/admin/index.html) I got "404 - Not Found" as answer.
> Is there anything I have to do, after I have done the configuration of the used profile and the installation of the adapter, to run keycloak on a wildfly domain cluster?
>
> Christoph

From christinalau28 at icloud.com Tue Feb 17 10:23:08 2015
From: christinalau28 at icloud.com (Christina Lau)
Date: Tue, 17 Feb 2015 10:23:08 -0500
Subject: [keycloak-user] Unable to use war version either (keycloak-war-dist-all-1.1.0)

I tried to use the war dist on top of wildfly 8.2 together with the adapter, and changed standalone.xml. I can start the Keycloak server and log in as admin, but I am unable to deploy the demo example. I keep getting this error: Unknown authentication mechanism KEYCLOAK. Please advise. Thanks...

10:12:31,417 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./customer-portal: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./customer-portal: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_55]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_55]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:222)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:87)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    ... 3 more
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:323)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:198)
    ... 7 more
10:12:31,420 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "customer-portal.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./customer-portal" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./customer-portal: Failed to start service
    Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
10:12:31,421 ERROR [org.jboss.as.server] (management-handler-thread - 1) JBAS015870: Deploy of deployment "customer-portal.war" was rolled back with the following failure message: {"JBAS014671: Failed services" => {"jboss.undertow.deployment.default-server.default-host./customer-portal" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./customer-portal: Failed to start service
    Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}

From christinalau28 at icloud.com Tue Feb 17 11:24:09 2015
From: christinalau28 at icloud.com (Christina Lau)
Date: Tue, 17 Feb 2015 11:24:09 -0500
Subject: [keycloak-user] keycloak-war-dist-all-1.1.0 on wildfly8.2 problems

Do we need this?

true auth

If I have this, I get this error:

11:17:29,821 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - address: ([("deployment" => "auth-server.war")]) - failure description: {"JBAS014671: Failed services" => {"jboss.deployment.unit.\"auth-server.war\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"auth-server.war\".POST_MODULE: JBAS018733: Failed to process phase POST_MODULE of deployment \"auth-server.war\"
    Caused by: org.jboss.msc.service.DuplicateServiceException: Service jboss.naming.context.java.module.auth.auth.ValidatorFactory is already registered"}}

If I don't have this, I get this error when deploying the demo app.

Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}

From ssilvert at redhat.com Tue Feb 17 11:43:08 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 17 Feb 2015 11:43:08 -0500
Subject: [keycloak-user] keycloak-war-dist-all-1.1.0 on wildfly8.2 problems
Message-ID: <54E36F9C.8010702@redhat.com>

Are you using the appliance dist? It should work out of the box.

Are you trying to deploy the keycloak auth server in the /deployments directory? There is no need to do that any more because the auth server is now deployed and controlled from the keycloak subsystem.

On 2/17/2015 11:24 AM, Christina Lau wrote:
> Do we need this?
> > > > true > auth > > > > If I have this, I get this error: > > > 11:17:29,821 ERROR [org.jboss.as.controller.management-operation] > (Controller Boot Thread) JBAS014613: Operation ("deploy") failed - > address: ([("deployment" => "auth-server.war")]) - failure > description: {"JBAS014671: Failed services" => > {"jboss.deployment.unit.\"auth-server.war\".POST_MODULE" => > "org.jboss.msc.service.StartException in service > jboss.deployment.unit.\"auth-server.war\".POST_MODULE: JBAS018733: > Failed to process phase POST_MODULE of deployment \"auth-server.war\" > Caused by: org.jboss.msc.service.DuplicateServiceException: > Service jboss.naming.context.java.module.auth.auth.ValidatorFactory is > already registered"}} > > > If I don't have this, I get this error when deploying the demo app. > > Caused by: java.lang.RuntimeException: UT010039: Unknown > authentication mechanism KEYCLOAK"}} > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150217/e2c51b88/attachment.html From chenkeong.yap at izeno.com Tue Feb 17 16:34:59 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Wed, 18 Feb 2015 05:34:59 +0800 Subject: [keycloak-user] keycloak proxy server In-Reply-To: References: Message-ID: Hi, Is there any updates? The app is protected by proxy but after login is successful and is not redirect back to app and stay at proxy url On Feb 17, 2015 4:54 PM, "Chen Keong Yap" wrote: > Hi, > > When i access my app from http://localhost:8080/customer-portal and it > was redirected to keycloak login page (https://192.168.1.10:8443/auth). > After login is successful, the request is redirected back to > http://localhost:8080/customer-portal instead of > http://localhost:9080/customer-portal. 
Can someone advise what's wrong > with the settings? > > keycloak proxy server hosted on localhost:8080 > > customer-portal application hosted on localhost:9080 > > proxy.json configuration shown below. > > { > "target-url": "http://localhost:8082", > "bind-address": "localhost", > "http-port": "8080", > "https-port": "8443", > "keystore": "classpath:ssl.jks", > "keystore-password": "password", > "key-password": "password", > "send-access-token": true, > "applications": [ > { > "base-path": "/customer-portal", > "error-page": "/error.html", > "adapter-config": { > "realm": "demo", > "resource": "customer-portal", > "realm-public-key": > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > "auth-server-url": "https://192.168.1.10:8443/auth", > "ssl-required" : "external", > "enable-cors" : true, > "principal-attribute": "KEYCLOAK_NAME", > "credentials": { > "secret": "password" > } > } > , > "constraints": [ > { > "pattern": "/users/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/call-bearer/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/bearer/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/admins/*", > "roles-allowed": [ > "admin" > ] > }, > { > "pattern": "/users/permit", > "permit": true > }, > { > "pattern": "/users/deny", > "deny": true > } > ] > } > ] > > > } > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150218/b13a1167/attachment.html

From christinalau28 at icloud.com Tue Feb 17 16:51:29 2015
From: christinalau28 at icloud.com (Christina Lau)
Date: Tue, 17 Feb 2015 16:51:29 -0500
Subject: [keycloak-user] keycloak-war-dist-all-1.1.0 on wildfly8.2 problems
Message-ID: <8E4E8640-0FBA-4A58-925D-34AB653C1929@icloud.com>

I need to update some lib in the keycloak auth server. This is because I want to extend the user account to add my own pages. I had a Jira issue opened on this but it was not fixed. So my soln (which worked in 1.0) was to update a few lib in keycloak to add my own custom page to store some custom data. Therefore the appliance dist didn't work for me cos it doesn't even have the auth server. Can you let me know how I can port my existing soln over? Thx.

From bburke at redhat.com Tue Feb 17 22:26:51 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 17 Feb 2015 22:26:51 -0500
Subject: [keycloak-user] keycloak proxy server
In-Reply-To:
References:
Message-ID: <54E4067B.9090007@redhat.com>

All browser HTTP requests go through the proxy. Your browser is never redirected to the actual application. The actual application should be behind a firewall or some other mechanism. It's the same concept as using Apache HTTPD in front of an application.

On 2/17/2015 4:34 PM, Chen Keong Yap wrote:
> Hi,
>
> Is there any updates? The app is protected by proxy but after login is
> successful and is not redirect back to app and stay at proxy url
>
> On Feb 17, 2015 4:54 PM, "Chen Keong Yap" wrote:
>
>     Hi,
>
>     When i access my app from http://localhost:8080/customer-portal and
>     it was redirected to keycloak login page
>     (https://192.168.1.10:8443/auth). After login is successful, the
>     request is redirected back to http://localhost:8080/customer-portal
>     instead of http://localhost:9080/customer-portal. Can someone advise
>     what's wrong with the settings?
> > keycloak proxy server hosted on localhost:8080 > > customer-portal application hosted on localhost:9080 > > proxy.json configuration shown below. > > { > "target-url": "http://localhost:8082", > "bind-address": "localhost", > "http-port": "8080", > "https-port": "8443", > "keystore": "classpath:ssl.jks", > "keystore-password": "password", > "key-password": "password", > "send-access-token": true, > "applications": [ > { > "base-path": "/customer-portal", > "error-page": "/error.html", > "adapter-config": { > "realm": "demo", > "resource": "customer-portal", > "realm-public-key": > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > "auth-server-url": "https://192.168.1.10:8443/auth", > "ssl-required" : "external", > "enable-cors" : true, > "principal-attribute": "KEYCLOAK_NAME", > "credentials": { > "secret": "password" > } > } > , > "constraints": [ > { > "pattern": "/users/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/call-bearer/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/bearer/*", > "roles-allowed": [ > "user" > ] > }, > { > "pattern": "/admins/*", > "roles-allowed": [ > "admin" > ] > }, > { > "pattern": "/users/permit", > "permit": true > }, > { > "pattern": "/users/deny", > "deny": true > } > ] > } > ] > > > } > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From chenkeong.yap at izeno.com Wed Feb 18 02:32:41 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Wed, 18 Feb 2015 15:32:41 +0800 Subject: [keycloak-user] keycloak proxy server In-Reply-To: <54E4067B.9090007@redhat.com> 
References: <54E4067B.9090007@redhat.com>
Message-ID:

Hi,

Yes. I think keycloak proxy is quite similar to apache web proxy. Now the only difference is that apache web proxy can reverse proxy for an app hosted on a different ip and port, whereas keycloak proxy server seems to force the app to run on the same ip and port. I have tried to change the base-path and target-url to use a different ip and port but it does not work. Kindly share your opinions.

On Feb 18, 2015 11:27 AM, "Bill Burke" wrote:
> All browser HTTP requests go through the proxy. Your browser is never
> redirected to the actual application. The actual application should be
> behind a firewall or some other mechanism. Its the same concept as
> using Apache HTTPD in front of an application.
>
> On 2/17/2015 4:34 PM, Chen Keong Yap wrote:
> > Hi,
> >
> > Is there any updates? The app is protected by proxy but after login is
> > successful and is not redirect back to app and stay at proxy url
> >
> > On Feb 17, 2015 4:54 PM, "Chen Keong Yap" wrote:
> >
> >     Hi,
> >
> >     When i access my app from http://localhost:8080/customer-portal and
> >     it was redirected to keycloak login page
> >     (https://192.168.1.10:8443/auth). After login is successful, the
> >     request is redirected back to http://localhost:8080/customer-portal
> >     instead of http://localhost:9080/customer-portal. Can someone advise
> >     what's wrong with the settings?
> >
> >     keycloak proxy server hosted on localhost:8080
> >
> >     customer-portal application hosted on localhost:9080
> >
> >     proxy.json configuration shown below.
> > > > { > > "target-url": "http://localhost:8082", > > "bind-address": "localhost", > > "http-port": "8080", > > "https-port": "8443", > > "keystore": "classpath:ssl.jks", > > "keystore-password": "password", > > "key-password": "password", > > "send-access-token": true, > > "applications": [ > > { > > "base-path": "/customer-portal", > > "error-page": "/error.html", > > "adapter-config": { > > "realm": "demo", > > "resource": "customer-portal", > > "realm-public-key": > > > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > > "auth-server-url": "https://192.168.1.10:8443/auth > ", > > "ssl-required" : "external", > > "enable-cors" : true, > > "principal-attribute": "KEYCLOAK_NAME", > > "credentials": { > > "secret": "password" > > } > > } > > , > > "constraints": [ > > { > > "pattern": "/users/*", > > "roles-allowed": [ > > "user" > > ] > > }, > > { > > "pattern": "/*", > > "roles-allowed": [ > > "user" > > ] > > }, > > { > > "pattern": "/call-bearer/*", > > "roles-allowed": [ > > "user" > > ] > > }, > > { > > "pattern": "/bearer/*", > > "roles-allowed": [ > > "user" > > ] > > }, > > { > > "pattern": "/admins/*", > > "roles-allowed": [ > > "admin" > > ] > > }, > > { > > "pattern": "/users/permit", > > "permit": true > > }, > > { > > "pattern": "/users/deny", > > "deny": true > > } > > ] > > } > > ] > > > > > > } > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- 
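For readers following Chen Keong Yap's proxy.json above and Bill Burke's description of the request flow in his reply below, here is an added Python model of how the proxy decides what to do with a request. It is example code written for this page, not Keycloak's proxy implementation. It assumes servlet-style constraint matching (an exact pattern beats the longest `/prefix/*` match, which beats `/*`); the embedded configuration is a trimmed copy of the one posted (realm public key and credentials omitted), and the port 9080 passed to `check_target` is the port the message says the portal runs on.

```python
import json
from urllib.parse import urlsplit

# Trimmed copy of the proxy.json posted in the thread (adapter-config shortened,
# realm public key and secret omitted); constructed here so the example runs offline.
PROXY_JSON = """
{
  "target-url": "http://localhost:8082",
  "bind-address": "localhost",
  "http-port": "8080",
  "https-port": "8443",
  "send-access-token": true,
  "applications": [
    {
      "base-path": "/customer-portal",
      "error-page": "/error.html",
      "adapter-config": {"realm": "demo", "resource": "customer-portal",
                         "auth-server-url": "https://192.168.1.10:8443/auth",
                         "ssl-required": "external"},
      "constraints": [
        {"pattern": "/users/*",       "roles-allowed": ["user"]},
        {"pattern": "/*",             "roles-allowed": ["user"]},
        {"pattern": "/call-bearer/*", "roles-allowed": ["user"]},
        {"pattern": "/bearer/*",      "roles-allowed": ["user"]},
        {"pattern": "/admins/*",      "roles-allowed": ["admin"]},
        {"pattern": "/users/permit",  "permit": true},
        {"pattern": "/users/deny",    "deny": true}
      ]
    }
  ]
}
"""
CONFIG = json.loads(PROXY_JSON)


def best_match(constraints, path):
    """Return the most specific constraint for `path`, servlet-style
    (an assumption of this model): exact match > longest '/prefix/*' > '/*'.
    The order of the entries in proxy.json does not matter."""
    best, best_score = None, -1
    for c in constraints:
        pat = c["pattern"]
        if pat == path:
            score = 10_000                       # an exact match always wins
        elif pat.endswith("/*"):
            prefix = pat[:-2]                    # '/users/*' -> '/users', '/*' -> ''
            if path == prefix or path.startswith(prefix + "/"):
                score = len(prefix)              # longer prefix = more specific
            else:
                continue
        else:
            continue
        if score > best_score:
            best, best_score = c, score
    return best


def decide(config, request_path, roles):
    """Model the proxy's decision for one request.
    roles=None means the browser has no Keycloak session yet.
    Returns 'permit' (no login needed), 'deny', 'login' (redirect to Keycloak),
    'forbidden' (logged in but lacks the role) or 'allow' (forward to target-url)."""
    app = next((a for a in config["applications"]
                if request_path.startswith(a["base-path"])), None)
    if app is None:
        return "permit"                          # path not managed by any application
    relative = request_path[len(app["base-path"]):] or "/"
    c = best_match(app["constraints"], relative)
    if c is None or c.get("permit"):
        return "permit"
    if c.get("deny"):
        return "deny"
    if roles is None:
        return "login"                           # step 2 of Bill's list: off to Keycloak
    if set(c.get("roles-allowed", [])) & set(roles):
        return "allow"                           # steps 4 and 5: fetch from target-url
    return "forbidden"


def check_target(config, backend_port):
    """Steps 4 and 5 go to target-url, so its port must be where the app really
    listens. Returns (configured_port, matches)."""
    configured = urlsplit(config["target-url"]).port
    return configured, configured == backend_port


if __name__ == "__main__":
    for path, roles in [("/customer-portal/", None),
                        ("/customer-portal/users/permit", None),
                        ("/customer-portal/users/alice", ["user"]),
                        ("/customer-portal/admins/list", ["user"]),
                        ("/customer-portal/admins/list", ["admin"]),
                        ("/customer-portal/users/deny", ["admin"])]:
        print(f"{path:32} roles={roles!s:10} -> {decide(CONFIG, path, roles)}")
    port, ok = check_target(CONFIG, 9080)        # 9080: the portal's port per the thread
    print(f"target-url port {port}, matches the app port: {ok}")
```

Run as-is it prints the decision for each sample path and reports that target-url points at port 8082 while the thread says the portal listens on 9080. In this model that hop is the one Bill numbers 4 and 5, so a proxy that cannot reach target-url looks exactly like "steps 4 and 5 not happening" and the browser stays at the proxy URL. Note also that with `/*` requiring the user role, the error page path itself needs a login in this model.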
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150218/5af8c063/attachment.html

From bburke at redhat.com Wed Feb 18 08:19:29 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 18 Feb 2015 08:19:29 -0500
Subject: [keycloak-user] keycloak proxy server
In-Reply-To:
References: <54E4067B.9090007@redhat.com>
Message-ID: <54E49161.5090701@redhat.com>

This is what is happening:

* Keycloak server is deployed at https://192.168.1.10:8443/auth
* Keycloak proxy is deployed at localhost:8080
* Customer portal is deployed at localhost:8082

1. Browser visits proxy
2. proxy sees browser is logged in, redirects to keycloak
3. Keycloak logs browser in, redirects back to proxy
4. proxy makes an out-of-band request to customer portal
5. proxy copies response from customer portal and returns it to browser

Which step is not happening?

On 2/18/2015 2:32 AM, Chen Keong Yap wrote:
> Hi,
>
> Yes. I think keycloak proxy is quite similar to apache web proxy. Now
> the only difference is apache web proxy can reverse proxy for app hosted
> on different ip and port whereas keycloak proxy server seem like forcing
> the app to run on same ip and port. I have tried to change the base-path
> and target-url to use different ip and port but it does not work. Kindly
> share the opinions.
>
> On Feb 18, 2015 11:27 AM, "Bill Burke" wrote:
>
>     All browser HTTP requests go through the proxy. Your browser is never
>     redirected to the actual application. The actual application should be
>     behind a firewall or some other mechanism. Its the same concept as
>     using Apache HTTPD in front of an application.
>
>     On 2/17/2015 4:34 PM, Chen Keong Yap wrote:
>     > Hi,
>     >
>     > Is there any updates?
The app is protected by proxy but after > login is > > successful and is not redirect back to app and stay at proxy url > > > > On Feb 17, 2015 4:54 PM, "Chen Keong Yap" > > > >> wrote: > > > > Hi, > > > > When i access my app from > http://localhost:8080/customer-portal and > > it was redirected to keycloak login page > > (https://192.168.1.10:8443/auth). After login is successful, the > > request is redirected back to > http://localhost:8080/customer-portal > > instead of http://localhost:9080/customer-portal. Can someone > advise > > what's wrong with the settings? > > > > keycloak proxy server hosted on localhost:8080 > > > > customer-portal application hosted on localhost:9080 > > > > proxy.json configuration shown below. > > > > { > > "target-url": "http://localhost:8082", > > "bind-address": "localhost", > > "http-port": "8080", > > "https-port": "8443", > > "keystore": "classpath:ssl.jks", > > "keystore-password": "password", > > "key-password": "password", > > "send-access-token": true, > > "applications": [ > > { > > "base-path": "/customer-portal", > > "error-page": "/error.html", > > "adapter-config": { > > "realm": "demo", > > "resource": "customer-portal", > > "realm-public-key": > > > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", > > "auth-server-url": > "https://192.168.1.10:8443/auth", > > "ssl-required" : "external", > > "enable-cors" : true, > > "principal-attribute": "KEYCLOAK_NAME", > > "credentials": { > > "secret": "password" > > } > > } > > , > > "constraints": [ > > { > > "pattern": "/users/*", > > "roles-allowed": [ > > "user" > > ] > > }, > > { > > "pattern": "/*", > > "roles-allowed": [ > > "user" > > ] > > }, > > { > > "pattern": "/call-bearer/*", > > "roles-allowed": [ > > "user" > > ] > > }, > > { > > "pattern": "/bearer/*", > > "roles-allowed": [ > > "user" > > ] 
> >         },
> >         {
> >           "pattern": "/admins/*",
> >           "roles-allowed": [
> >             "admin"
> >           ]
> >         },
> >         {
> >           "pattern": "/users/permit",
> >           "permit": true
> >         },
> >         {
> >           "pattern": "/users/deny",
> >           "deny": true
> >         }
> >       ]
> >     }
> >   ]
> > }
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mike.love at symbiotics.co.za Wed Feb 18 08:33:14 2015
From: mike.love at symbiotics.co.za (Mike Love)
Date: Wed, 18 Feb 2015 15:33:14 +0200
Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
Message-ID:

Hi,

I am successfully authenticating an AngularJS client calling REST Services.

The token is validated as expected after login. On calling the REST service, the authorization header (Bearer token) is available as an HTTP header as expected.

Now, in the REST Service processing I want to extract the UserId (SubjectId) so that I can look up additional information before continuing with processing.

I have seen that the JS adapter has a keycloak object that provides access to this information; is there a similar Java helper class to extract this information?

Regards,
Mike Love

--
********************************************************************************
This email and any accompanying attachments may contain confidential and proprietary information.
This information is private and protected by law and, accordingly, if you are not the intended recipient, you are requested to delete this entire communication immediately and are notified that any disclosure, copying or distribution of or taking any action based on this information is prohibited.

Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any interception, corruption, destruction, loss, late arrival or incompleteness of or tampering or interference with any of the information contained in this email or for its incorrect delivery or non-delivery for whatsoever reason or for its effect on any electronic device of the recipient.
********************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150218/3a00e3ed/attachment-0001.html

From stian at redhat.com Wed Feb 18 08:38:53 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 18 Feb 2015 08:38:53 -0500 (EST)
Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
In-Reply-To:
References:
Message-ID: <2081500458.9199933.1424266733824.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Mike Love"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, February 18, 2015 2:33:14 PM
> Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
>
> Hi,
>
> I am successfully authenticating an AngularJS client calling REST Services.
>
> The token is validated as expected after login. On calling the REST service,
> the authorization hearer (Bearer token) is available as HTTP Header as
> expected.
>
> Now, in the REST Service processing I want to extract the UserId (SubjectId)
> so that I can lookup additional information before continuing with
> processing.
>
> I have seen that the JS adapter has a keycloak object that provides access
> the this information, is there a similar Java helper class to extract this
> information?

You can either use one of our adapters or org.keycloak.RSATokenVerifier.verifyToken

>
> Regards,
> Mike Love
From chenkeong.yap at izeno.com Wed Feb 18 08:49:35 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 18 Feb 2015 21:49:35 +0800
Subject: [keycloak-user] keycloak proxy server
In-Reply-To: <54E49161.5090701@redhat.com>
References: <54E4067B.9090007@redhat.com> <54E49161.5090701@redhat.com>
Message-ID:

Steps 4 and 5 are not happening

On Feb 18, 2015 9:19 PM, "Bill Burke" wrote:
> This is what is happening:
>
> * Keycloak server is deployed at https://192.168.1.10:8443/auth
> * Keycloak proxy is deployed at localhost:8080
> * Customer portal is deployed at localhost:8082
>
> 1. Browser visits proxy
> 2. proxy sees browser is logged in, redirects to keycloak
> 3. Keycloak logs browser in, redirects back to proxy
> 4. proxy makes an out-of-band request to customer portal
> 5. proxy copies response from customer portal and returns it to browser
>
> Which step is not happening?
>
> On 2/18/2015 2:32 AM, Chen Keong Yap wrote:
>
>> Hi,
>>
>> Yes. I think keycloak proxy is quite similar to apache web proxy. Now
>> the only difference is apache web proxy can reverse proxy for app hosted
>> on different ip and port whereas keycloak proxy server seem like forcing
>> the app to run on same ip and port. I have tried to change the base-path
>> and target-url to use different ip and port but it does not work. Kindly
>> share the opinions.
>>
>> On Feb 18, 2015 11:27 AM, "Bill Burke" wrote:
>>
>>     All browser HTTP requests go through the proxy. Your browser is never
>>     redirected to the actual application. The actual application should
>>     be behind a firewall or some other mechanism. Its the same concept as
>>     using Apache HTTPD in front of an application.
>> >> On 2/17/2015 4:34 PM, Chen Keong Yap wrote: >> > Hi, >> > >> > Is there any updates? The app is protected by proxy but after >> login is >> > successful and is not redirect back to app and stay at proxy url >> > >> > On Feb 17, 2015 4:54 PM, "Chen Keong Yap" >> >> > > >> wrote: >> > >> > Hi, >> > >> > When i access my app from >> http://localhost:8080/customer-portal and >> > it was redirected to keycloak login page >> > (https://192.168.1.10:8443/auth). After login is successful, >> the >> > request is redirected back to >> http://localhost:8080/customer-portal >> > instead of http://localhost:9080/customer-portal. Can someone >> advise >> > what's wrong with the settings? >> > >> > keycloak proxy server hosted on localhost:8080 >> > >> > customer-portal application hosted on localhost:9080 >> > >> > proxy.json configuration shown below. >> > >> > { >> > "target-url": "http://localhost:8082", >> > "bind-address": "localhost", >> > "http-port": "8080", >> > "https-port": "8443", >> > "keystore": "classpath:ssl.jks", >> > "keystore-password": "password", >> > "key-password": "password", >> > "send-access-token": true, >> > "applications": [ >> > { >> > "base-path": "/customer-portal", >> > "error-page": "/error.html", >> > "adapter-config": { >> > "realm": "demo", >> > "resource": "customer-portal", >> > "realm-public-key": >> > >> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0x >> tL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/ >> UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/ >> p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", >> > "auth-server-url": >> "https://192.168.1.10:8443/auth", >> > "ssl-required" : "external", >> > "enable-cors" : true, >> > "principal-attribute": "KEYCLOAK_NAME", >> > "credentials": { >> > "secret": "password" >> > } >> > } >> > , >> > "constraints": [ >> > { >> > "pattern": "/users/*", >> > "roles-allowed": [ >> > "user" >> > ] >> > }, >> > { >> > "pattern": "/*", >> > "roles-allowed": [ >> > "user" 
>>     >           ]
>>     >         },
>>     >         {
>>     >           "pattern": "/call-bearer/*",
>>     >           "roles-allowed": [
>>     >             "user"
>>     >           ]
>>     >         },
>>     >         {
>>     >           "pattern": "/bearer/*",
>>     >           "roles-allowed": [
>>     >             "user"
>>     >           ]
>>     >         },
>>     >         {
>>     >           "pattern": "/admins/*",
>>     >           "roles-allowed": [
>>     >             "admin"
>>     >           ]
>>     >         },
>>     >         {
>>     >           "pattern": "/users/permit",
>>     >           "permit": true
>>     >         },
>>     >         {
>>     >           "pattern": "/users/deny",
>>     >           "deny": true
>>     >         }
>>     >       ]
>>     >     }
>>     >   ]
>>     > }
>>
>>     --
>>     Bill Burke
>>     JBoss, a division of Red Hat
>>     http://bill.burkecentral.com
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150218/a93eea37/attachment.html

From mike.love at symbiotics.co.za Wed Feb 18 09:13:53 2015
From: mike.love at symbiotics.co.za (Mike Love)
Date: Wed, 18 Feb 2015 16:13:53 +0200
Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
Message-ID:

Thank you Stian.

RSATokenVerifier.verifyToken has done the trick

Regards,
Mike Love

On 2015/02/18, 15:38, "Stian Thorgersen" wrote:
>
> ----- Original Message -----
>> From: "Mike Love"
>> To: keycloak-user at lists.jboss.org
>> Sent: Wednesday, February 18, 2015 2:33:14 PM
>> Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
>>
>> Hi,
>>
>> I am successfully authenticating an AngularJS client calling REST
>> Services.
>>
>> The token is validated as expected after login.
>> On calling the REST service,
>> the authorization hearer (Bearer token) is available as HTTP Header as
>> expected.
>>
>> Now, in the REST Service processing I want to extract the UserId (SubjectId)
>> so that I can lookup additional information before continuing with
>> processing.
>>
>> I have seen that the JS adapter has a keycloak object that provides access
>> the this information, is there a similar Java helper class to extract this
>> information?
>
> You can either use one of our adapters or
> org.keycloak.RSATokenVerifier.verifyToken
>
>>
>> Regards,
>> Mike Love
From bburke at redhat.com Wed Feb 18 09:18:40 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 18 Feb 2015 09:18:40 -0500
Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
In-Reply-To:
References:
Message-ID: <54E49F40.2030302@redhat.com>

Is your REST service using our adapters? If so, then you can obtain the token from either typecasting the user Principal to KeycloakPrincipal and navigating to the KeycloakSecurityContext interface.
The KeycloakSecurityContext interface is also available within the HttpServletRequest attribute:

KeycloakSecurityContext session = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());

On 2/18/2015 9:13 AM, Mike Love wrote:
> Thank you Stian.
>
> RSATokenVerifier.verifyToken has done the trick
>
> Regards,
> Mike Love
>
> On 2015/02/18, 15:38, "Stian Thorgersen" wrote:
>>
>> ----- Original Message -----
>>> From: "Mike Love"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Wednesday, February 18, 2015 2:33:14 PM
>>> Subject: [keycloak-user] Extract Subjectid from token in JaxRS Service
>>>
>>> Hi,
>>>
>>> I am successfully authenticating an AngularJS client calling REST
>>> Services.
>>>
>>> The token is validated as expected after login. On calling the REST
>>> service,
>>> the authorization hearer (Bearer token) is available as HTTP Header as
>>> expected.
>>>
>>> Now, in the REST Service processing I want to extract the UserId
>>> (SubjectId)
>>> so that I can lookup additional information before continuing with
>>> processing.
>>>
>>> I have seen that the JS adapter has a keycloak object that provides
>>> access
>>> the this information, is there a similar Java helper class to extract
>>> this
>>> information?
>>
>> You can either use one of our adapters or
>> org.keycloak.RSATokenVerifier.verifyToken
>>
>>>
>>> Regards,
>>> Mike Love
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Joe.Strathern at halliburton.com Wed Feb 18 16:47:15 2015
From: Joe.Strathern at halliburton.com (Joe Strathern)
Date: Wed, 18 Feb 2015 21:47:15 +0000
Subject: [keycloak-user] Using KeyCloak as the Teiid JDBC LoginModule
Message-ID:

Hello KeyCloak Community,

I am attempting to use KeyCloak to authenticate JDBC in JBoss (Teiid) and am experiencing issues. I have already posted the issue on the Teiid forums: https://developer.jboss.org/thread/252411

But I wanted to get a KeyCloak perspective to see what the problem might be. With the details in the thread above, is there a reason we cannot authenticate with KeyCloak for JDBC?

Thanks,
Joe

----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.
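Stian's pointer to org.keycloak.RSATokenVerifier.verifyToken and Bill's KeycloakSecurityContext route (both in the "Extract Subjectid from token in JaxRS Service" thread above) hand back a token that has already been checked against the realm's public key. The following self-contained Python example, written for this page and not taken from Keycloak, shows what that check has to cover before the `sub` claim can be trusted: the RS256 signature against the realm key (PKCS#1 v1.5 with SHA-256, implemented on the standard library), the `alg` header, expiry and issuer. It parses the demo realm public key posted in the proxy.json earlier in this thread, and for a round trip it generates its own throwaway RSA key pair and mints a token itself. The claim set, the issuer string "demo" and the timestamps are constructed; which value a given Keycloak version puts in `iss` is an assumption to check against your deployment.

```python
import base64, hashlib, json, math, secrets

# The demo realm public key exactly as posted in the proxy.json earlier in this thread.
DEMO_REALM_PUBLIC_KEY = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgc"
    "wiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8k"
    "AgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB")
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _tlv(buf, pos):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_public_numbers(spki_b64):
    """(n, e) from the base64 SubjectPublicKeyInfo that realm-public-key holds."""
    _, spki, _ = _tlv(base64.b64decode(spki_b64), 0)
    _, _alg, pos = _tlv(spki, 0)                   # AlgorithmIdentifier (rsaEncryption)
    _, bitstr, _ = _tlv(spki, pos)                 # BIT STRING: unused-bits byte + RSAPublicKey
    _, rsakey, _ = _tlv(bitstr[1:], 0)
    _, n, pos = _tlv(rsakey, 0)
    _, e, _ = _tlv(rsakey, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def _is_probable_prime(n, rounds=40):
    """Miller-Rabin; adequate for a throwaway test key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=1024):
    """Throwaway RSA key pair standing in for the realm's (constructed). Returns (n, e, d)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)       # pow(x, -1, m) needs Python 3.8+

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 for SHA-256 (RFC 8017 s9.2): 00 01 FF..FF 00 DigestInfo||hash."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, n, d):
    """Mint an RS256 JWT as the auth server would (constructed, for the round trip)."""
    parts = [_b64url(json.dumps(o, separators=(",", ":")).encode())
             for o in ({"alg": "RS256", "typ": "JWT"}, claims)]
    signing_input = b".".join(parts)
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n)
    return (signing_input + b"." + _b64url(s.to_bytes(k, "big"))).decode()

def verify_token(token, n, e, expected_issuer, now):
    """What an adapter / token verifier must check before any claim is trusted.
    Raises ValueError on failure, otherwise returns the claims (including 'sub')."""
    h64, p64, s64 = token.split(".")
    if json.loads(_b64url_decode(h64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")         # the token must not choose the algorithm
    k = (n.bit_length() + 7) // 8
    sig = _b64url_decode(s64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if not secrets.compare_digest(recovered, _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):
        raise ValueError("signature does not verify against the realm key")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != expected_issuer:       # the exact 'iss' value is version-specific
        raise ValueError("issuer mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    n_demo, e_demo = rsa_public_numbers(DEMO_REALM_PUBLIC_KEY)
    print(f"demo realm key: {n_demo.bit_length()}-bit modulus, e={e_demo}")
    n, e, d = generate_keypair()
    tok = make_token({"iss": "demo", "sub": "f0e1d2c3-demo-user", "exp": 1_424_270_000}, n, d)
    print("sub =", verify_token(tok, n, e, "demo", now=1_424_266_733)["sub"])
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the header, and the subject is only used after issuer and expiry pass. An adapter does all of this for you; the point of the example is to show what you give up if a service reads `sub` out of the payload without it.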
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150218/efe69562/attachment.html

From prabhalar at yahoo.com Wed Feb 18 21:20:00 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Thu, 19 Feb 2015 02:20:00 +0000 (UTC)
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
Message-ID: <1192718293.1189683.1424312400652.JavaMail.yahoo@mail.yahoo.com>

Hi,

I tested out the SAML broker functionality that is listed in the below example: https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication

We have a very important use case that is similar to the above except that the SAML Identity broker is ADFS, and a few issues are preventing me from testing it out:

1) The ADFS IDP requires that I upload the KC SAML broker information (SAML metadata), which is not available currently. Perhaps I can generate my own metadata using the above example but would prefer KC to provide one that is similar to the IDP metadata that is listed in the documentation.
2) The ADFS IDP metadata has a RoleDescriptor element that is not currently being parsed by the KC SAML broker. I logged my issues in the JIRA https://issues.jboss.org/browse/KEYCLOAK-883
3) The roles and other claims need to be passed back to the client applications using OIDC (I am aware that Bill is making some functionality available over the next few days and hopefully it will address my requirement)

Any suggestions on how I handle the first two?

Thanks,
Raghu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150219/e5689827/attachment.html

From stian at redhat.com Thu Feb 19 03:25:17 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 19 Feb 2015 03:25:17 -0500 (EST)
Subject: [keycloak-user] IPhone turns off local storage by default and that causes Keycloak.js to fail.
In-Reply-To:
References: <936442513.3767134.1422607717780.JavaMail.zimbra@redhat.com>
Message-ID: <737604101.10334965.1424334317147.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Dean Peterson"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Saturday, January 31, 2015 6:27:11 PM
> Subject: Re: [keycloak-user] IPhone turns off local storage by default and that causes Keycloak.js to fail.
>
> Do you have a suggested approach to handling this? Prompt the user that
> they should turn off private browsing on their Iphone?

Sorry for the late reply, but yes that seems like a decent option. It may be possible to work around this by using an iframe, but that opens up a whole can of possible csrf and clickjacking attacks. Private mode seems like a really stupid option with regards to HTML5 apps if you ask me.

Have a look at http://security.stackexchange.com/questions/20187/oauth2-cross-site-request-forgery-and-state-parameter and you'll find out why the state parm is required.

>
> On Fri, Jan 30, 2015 at 2:48 AM, Stian Thorgersen wrote:
>
> > Only option would be to disable state verification, which could leave it
> > open to CSRF.
> >
> > ----- Original Message -----
> > > From: "Dean Peterson"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 26 January, 2015 12:34:26 AM
> > > Subject: [keycloak-user] IPhone turns off local storage by default and
> > > that causes Keycloak.js to fail.
> > >
> > > IPhones are in private mode by default. When in private mode, they do not
> > > allow localstorage. Any application secured with the pure js keycloak file
> > > fails. When I turn private mode off, the application works. Will Keycloak be
> > > supporting IPhones with the pure javascript client in the future without
> > > requiring users turn private mode off?
> > >
> > > I get the following error in private mode.
> > > The highlighted code is what causes the error:
> > >
> > > QuotaExceededError: DOM Exception 22: An attempt was made to add
> > > something to storage that exceeded the quota.
> > >
> > > kc.createLoginUrl = function(options) {
> > >     var state = createUUID();
> > >
> > >     var redirectUri = adapter.redirectUri(options);
> > >     if (options && options.prompt) {
> > >         if (redirectUri.indexOf('?') == -1) {
> > >             redirectUri += '?prompt=' + options.prompt;
> > >         } else {
> > >             redirectUri += '&prompt=' + options.prompt;
> > >         }
> > >     }
> > >
> > >     // the write below is the storage access that throws QuotaExceededError in private mode
> > >     sessionStorage.oauthState = state;
> > >
> > >     var url = getRealmUrl()
> > >         + '/tokens/login'
> > >         + '?client_id=' + encodeURIComponent(kc.clientId)
> > >         + '&redirect_uri=' + encodeURIComponent(redirectUri)
> > >         + '&state=' + encodeURIComponent(state)
> > >         + '&response_type=code';
> > >
> > >     if (options && options.prompt) {
> > >         url += '&prompt=' + options.prompt;
> > >     }
> > >
> > >     if (options && options.loginHint) {
> > >         url += '&login_hint=' + options.loginHint;
> > >     }
> > >
> > >     return url;
> > > }

From psilva at redhat.com Thu Feb 19 06:33:29 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 19 Feb 2015 06:33:29 -0500 (EST)
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
In-Reply-To: <1192718293.1189683.1424312400652.JavaMail.yahoo@mail.yahoo.com>
References: <1192718293.1189683.1424312400652.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Keycloak-user"
> Sent: Thursday, February 19, 2015 12:20:00 AM
> Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> Hi,
>
> I tested out the SAML broker functionality that is listed in the below
> example
> https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
>
> We have a very important use case that is similar to the above except that
> the SAML Identity broker is ADFS and a few issues are preventing me from
> testing it out:
>
> 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> metadata) which is not available currently. Perhaps I can generate my own
> metadata using the above example but would prefer KC to provide one that is
> similar to IDP metadata that is listed in the documentation.

In this case you need a SPSSODescriptor, right? I think we can easily implement an endpoint to retrieve SP metadata for SAML applications.

> 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> being parsed by the KC SAML broker. I logged my issues in the JIRA
> https://issues.jboss.org/browse/KEYCLOAK-883

I've already fixed our parsers. However, the RoleDescriptor elements you have in that metadata are describing WS-Federation entities that will just be ignored.

> 3) The roles and other claims need to passed back to the client applications
> using OIDC (I am aware that Bill is making some functionality available over
> the next few days and hopefully it will address my requirement)
>
> Any suggestions on how I handle the first two?
>
> Thanks,
> Raghu

From christoph.machnik at traveltainment.de Thu Feb 19 06:55:40 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Thu, 19 Feb 2015 11:55:40 +0000
Subject: [keycloak-user] installing keycloak on an wildfly domain cluster
In-Reply-To: <54E3417B.8060104@redhat.com>
References: <9656B9D10BC6124A88D5E27DD02422855BC4AFFE@EX-TT-AC-01.traveltainment.int>, <54E3417B.8060104@redhat.com>
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC4B17A@EX-TT-AC-01.traveltainment.int>

When do you think the missing documentation for the deployment of Keycloak in a domain environment will be released?

________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Stan Silvert [ssilvert at redhat.com]
Sent: Tuesday, 17 February 2015 14:26
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] installing keycloak on an wildfly domain cluster

There is a subtle difference between a WildFly domain installation and a WildFly cluster installation. A domain installation is clustered, but it is also possible to create a cluster without using a domain. See the WildFly High Availability Guide:
https://docs.jboss.org/author/display/WFLY8/High+Availability+Guide

In a domain environment, there is no deployment folder. For Keycloak, version 1.1.0 has the auth server controlled by the Keycloak subsystem so it can be easily deployed and used in a domain. However, the documentation for that is missing. We are trying to fix the situation right now.

On 2/17/2015 2:41 AM, Christoph Machnik wrote:

Hello all,

I try to install Keycloak on a WildFly domain cluster. The cluster uses the domain.xml as configuration with the full-ha profile and not the standalone.xml.
Is there anything special to look for and to do other than in the documentation? I have deployed the things in the deployment folder and copy-pasted the configuration folder. But when I try to go to the Keycloak administration console (http://[Server-IP]:8080/auth/admin/index.html) I got "404 - Not Found" as the answer.

Is there anything I have to do, after I have done the configuration of the used profile and the installation of the adapter, to run Keycloak on a WildFly domain cluster?

Christoph

From prabhalar at yahoo.com Thu Feb 19 08:25:24 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Thu, 19 Feb 2015 13:25:24 +0000 (UTC)
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
In-Reply-To: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com>
References: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com>
Message-ID: <212506030.1557305.1424352324261.JavaMail.yahoo@mail.yahoo.com>

Hi Pedro - Please see my comments inline.

Thanks,
Raghu
> From: Pedro Igor Silva
> To: Raghu Prabhala
> Cc: Keycloak-user
> Sent: Thursday, February 19, 2015 6:33 AM
> Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> ----- Original Message -----
> > From: "Raghu Prabhala"
> > To: "Keycloak-user"
> > Sent: Thursday, February 19, 2015 12:20:00 AM
> > Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> >
> > Hi,
> >
> > I tested out the SAML broker functionality that is listed in the below
> > example
> > https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
> >
> > We have a very important use case that is similar to the above except that
> > the SAML Identity broker is ADFS and a few issues are preventing me from
> > testing it out:
> >
> > 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> > metadata) which is not available currently. Perhaps I can generate my own
> > metadata using the above example but would prefer KC to provide one that is
> > similar to IDP metadata that is listed in the documentation.
>
> In this case you need a SPSSODescriptor, right ? I think we can easily
> implement an endpoint to retrieve SP metadata for SAML applications.

[RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking forward to seeing it near term.

> > 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> > being parsed by the KC SAML broker. I logged my issues in the JIRA
> > https://issues.jboss.org/browse/KEYCLOAK-883
>
> I've already fixed our parsers. However, the RoleDescriptor you have in that
> metadata are describing WS-Federation entities that will just be ignored.

[RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are described under RoleDescriptor - so I will have to build something to handle that. Any advice on where I should start?
> > 3) The roles and other claims need to passed back to the client applications
> > using OIDC (I am aware that Bill is making some functionality available over
> > the next few days and hopefully it will address my requirement)
> >
> > Any suggestions on how I handle the first two?
> >
> > Thanks,
> > Raghu

From psilva at redhat.com Thu Feb 19 08:46:22 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 19 Feb 2015 08:46:22 -0500 (EST)
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
In-Reply-To: <212506030.1557305.1424352324261.JavaMail.yahoo@mail.yahoo.com>
References: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com> <212506030.1557305.1424352324261.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <2139810149.15949044.1424353582356.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Pedro Igor Silva"
> Cc: "Keycloak-user"
> Sent: Thursday, February 19, 2015 11:25:24 AM
> Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> Hi Pedro - Please see my comments inline.
> Thanks,
> Raghu
>
> From: Pedro Igor Silva
> To: Raghu Prabhala
> Cc: Keycloak-user
> Sent: Thursday, February 19, 2015 6:33 AM
> Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> ----- Original Message -----
> > From: "Raghu Prabhala"
> > To: "Keycloak-user"
> > Sent: Thursday, February 19, 2015 12:20:00 AM
> > Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> >
> > Hi,
> >
> > I tested out the SAML broker functionality that is listed in the below
> > example
> > https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
> >
> > We have a very important use case that is similar to the above except that
> > the SAML Identity broker is ADFS and a few issues are preventing me from
> > testing it out:
> >
> > 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> > metadata) which is not available currently. Perhaps I can generate my own
> > metadata using the above example but would prefer KC to provide one that is
> > similar to IDP metadata that is listed in the documentation.
>
> In this case you need a SPSSODescriptor, right ? I think we can easily
> implement an endpoint to retrieve SP metadata for SAML applications.
>
> [RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking
> forward to see it near term.
>
> > 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> > being parsed by the KC SAML broker. I logged my issues in the JIRA
> > https://issues.jboss.org/browse/KEYCLOAK-883
>
> I've already fixed our parsers. However, the RoleDescriptor you have in that
> metadata are describing WS-Federation entities that will just be ignored.
>
> [RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are described
> under RoleDescriptor - so I will have to build something to handle that.
> Any advice on where I should start?

A few questions ...

Can you give more details why you need to handle that?
Your use case is about brokering the SAML Identity Provider described by an IdP descriptor along with your metadata, right? Or are you trying to broker an STS?

> > > 3) The roles and other claims need to passed back to the client
> > > applications
> > > using OIDC (I am aware that Bill is making some functionality available
> > > over
> > > the next few days and hopefully it will address my requirement)
> > >
> > > Any suggestions on how I handle the first two?
> > >
> > > Thanks,
> > > Raghu

From prabhalar at yahoo.com Thu Feb 19 11:24:09 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Thu, 19 Feb 2015 11:24:09 -0500
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
In-Reply-To: <2139810149.15949044.1424353582356.JavaMail.zimbra@redhat.com>
References: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com> <212506030.1557305.1424352324261.JavaMail.yahoo@mail.yahoo.com> <2139810149.15949044.1424353582356.JavaMail.zimbra@redhat.com>
Message-ID: <65F769A0-ED3B-44DC-A5EE-09614E63AD95@yahoo.com>

Sent from my iPhone

> On Feb 19, 2015, at 8:46 AM, Pedro Igor Silva wrote:
>
> ----- Original Message -----
> > From: "Raghu Prabhala"
> > To: "Pedro Igor Silva"
> > Cc: "Keycloak-user"
> > Sent: Thursday, February 19, 2015 11:25:24 AM
> > Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> >
> > Hi Pedro - Please see my comments inline.
> > Thanks,
> > Raghu
> > From: Pedro Igor Silva
> > To: Raghu Prabhala
> > Cc: Keycloak-user
> > Sent: Thursday, February 19, 2015 6:33 AM
> > Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> >
> > ----- Original Message -----
> > > From: "Raghu Prabhala"
> > > To: "Keycloak-user"
> > > Sent: Thursday, February 19, 2015 12:20:00 AM
> > > Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> > >
> > > Hi,
> > >
> > > I tested out the SAML broker functionality that is listed in the below
> > > example
> > > https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
> > >
> > > We have a very important use case that is similar to the above except that
> > > the SAML Identity broker is ADFS and a few issues are preventing me from
> > > testing it out:
> > >
> > > 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> > > metadata) which is not available currently. Perhaps I can generate my own
> > > metadata using the above example but would prefer KC to provide one that is
> > > similar to IDP metadata that is listed in the documentation.
> >
> > In this case you need a SPSSODescriptor, right ? I think we can easily
> > implement an endpoint to retrieve SP metadata for SAML applications.
> > [RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking
> > forward to see it near term.
> > > 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> > > being parsed by the KC SAML broker. I logged my issues in the JIRA
> > > https://issues.jboss.org/browse/KEYCLOAK-883
> >
> > I've already fixed our parsers. However, the RoleDescriptor you have in that
> > metadata are describing WS-Federation entities that will just be ignored.
> >
> > [RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are described
> > under RoleDescriptor - so I will have to build something to handle that.
> > Any advice on where I should start?
>
> A few questions ...
>
> Can you give more details why you need to handle that ?
[RAGHU] We have a number of Windows applications (SharePoint, Lync etc.) that make use of AD groups that are sent as a part of the SAML response by our IDP, which is ADFS. There are a number of Windows-specific attributes that are described by schemas.microsoft.com as well as schemas.xmlsoap.org, and they have been used under the role descriptor element in the IDPSSO. We need to be able to parse the metadata and then retrieve the attributes, which should then be passed to the client applications.

> Your use case is about brokering the SAML Identity Provider described by a idp descriptor along your metadata, right ? Or are you trying to broker a STS ?

[RAGHU] We have a requirement for STS as well, but I wanted to get the basic use cases out first and then I will be back with more requirements.

> > > 3) The roles and other claims need to passed back to the client
> > > applications
> > > using OIDC (I am aware that Bill is making some functionality available
> > > over
> > > the next few days and hopefully it will address my requirement)
> > >
> > > Any suggestions on how I handle the first two?
> > >
> > > Thanks,
> > > Raghu

From psilva at redhat.com Thu Feb 19 12:21:55 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 19 Feb 2015 12:21:55 -0500 (EST)
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
In-Reply-To: <65F769A0-ED3B-44DC-A5EE-09614E63AD95@yahoo.com>
References: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com> <212506030.1557305.1424352324261.JavaMail.yahoo@mail.yahoo.com> <2139810149.15949044.1424353582356.JavaMail.zimbra@redhat.com> <65F769A0-ED3B-44DC-A5EE-09614E63AD95@yahoo.com>
Message-ID: <82220790.16195318.1424366515685.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Pedro Igor Silva"
> Cc: "Keycloak-user"
> Sent: Thursday, February 19, 2015 2:24:09 PM
> Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
>
> Sent from my iPhone
>
> > On Feb 19, 2015, at 8:46 AM, Pedro Igor Silva wrote:
> >
> > ----- Original Message -----
> > > From: "Raghu Prabhala"
> > > To: "Pedro Igor Silva"
> > > Cc: "Keycloak-user"
> > > Sent: Thursday, February 19, 2015 11:25:24 AM
> > > Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> > >
> > > Hi Pedro - Please see my comments inline.
> > > Thanks,
> > > Raghu
> > > From: Pedro Igor Silva
> > > To: Raghu Prabhala
> > > Cc: Keycloak-user
> > > Sent: Thursday, February 19, 2015 6:33 AM
> > > Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> > >
> > > ----- Original Message -----
> > > > From: "Raghu Prabhala"
> > > > To: "Keycloak-user"
> > > > Sent: Thursday, February 19, 2015 12:20:00 AM
> > > > Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> > > >
> > > > Hi,
> > > >
> > > > I tested out the SAML broker functionality that is listed in the below
> > > > example
> > > > https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
> > > >
> > > > We have a very important use case that is similar to the above except
> > > > that the SAML Identity broker is ADFS and a few issues are preventing me from
> > > > testing it out:
> > > >
> > > > 1) The ADFS IDP requires that I upload the KC SAML broker information
> > > > (SAML metadata) which is not available currently. Perhaps I can generate my own
> > > > metadata using the above example but would prefer KC to provide one that
> > > > is similar to IDP metadata that is listed in the documentation.
> > >
> > > In this case you need a SPSSODescriptor, right ? I think we can easily
> > > implement an endpoint to retrieve SP metadata for SAML applications.
> > > [RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking
> > > forward to see it near term.
> > > > 2) The ADFS IDP metadata has RoleDescriptor element that is not currently
> > > > being parsed by the KC SAML broker. I logged my issues in the JIRA
> > > > https://issues.jboss.org/browse/KEYCLOAK-883
> > >
> > > I've already fixed our parsers. However, the RoleDescriptor you have in
> > > that metadata are describing WS-Federation entities that will just be ignored.
> > >
> > > [RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are described
> > > under RoleDescriptor - so I will have to build something to handle that.
> > > Any advice on where I should start?
> >
> > A few questions ...
> >
> > Can you give more details why you need to handle that ?
>
> [RAGHU] we have a number of windows applications (share point, lync etc)
> that make use of AD groups that are sent as a part of the SAML response by
> our IDP which is ADFS. There are a number of windows specific attributes
> that are described by schemas.microsoft.com as well as schemas.xmlsoap.org
> and they have been used under role descriptor element in the IDPSSO. We
> need to able parse the metadata and then retrieve the attributes which
> should then be passed to the client applications

According to the metadata you are using, claims are not defined for the IdP SSO descriptor, but for the RoleDescriptor that references an STS endpoint. That is why I asked you about the STS and why I think we can safely ignore that for now, considering that we are brokering a SAML IdP and not an STS.

Given that, I think that what you are missing is Bill's work around claim mapping, which should be available soon.

For now, the broker only trusts/federates identities from external IdPs in order to create and authenticate the user in KC. Only some basic attributes are considered during federation, such as identifier, username, email and first and last name.

> > Your use case is about brokering the SAML Identity Provider described by a
> > idp descriptor along your metadata, right ? Or are you trying to broker a
> > STS ?
>
> [RAGHU] we have a requirement for STS as well but I wanted to get the basic
> use cases out first and then I will be back with more requirements

I believe the broker SPI can easily support a WS-Trust STS provider. But today it is not in the list of OOTB providers.
> > > > 3) The roles and other claims need to passed back to the client
> > > > applications
> > > > using OIDC (I am aware that Bill is making some functionality available
> > > > over
> > > > the next few days and hopefully it will address my requirement)
> > > >
> > > > Any suggestions on how I handle the first two?
> > > >
> > > > Thanks,
> > > > Raghu

From prabhalar at yahoo.com Thu Feb 19 13:23:09 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Thu, 19 Feb 2015 13:23:09 -0500
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
In-Reply-To: <82220790.16195318.1424366515685.JavaMail.zimbra@redhat.com>
References: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com> <212506030.1557305.1424352324261.JavaMail.yahoo@mail.yahoo.com> <2139810149.15949044.1424353582356.JavaMail.zimbra@redhat.com> <65F769A0-ED3B-44DC-A5EE-09614E63AD95@yahoo.com> <82220790.16195318.1424366515685.JavaMail.zimbra@redhat.com>
Message-ID: <846E06A5-13C5-46EA-8466-A38605D275AE@yahoo.com>

My apologies. Didn't realize that the XML had references to STS. That is not what we have and, as you mentioned, we can ignore them. Will wait for the claim mapping from Bill. Thanks a lot.
Sent from my iPhone
From psilva at redhat.com Thu Feb 19 13:26:24 2015
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 19 Feb 2015 13:26:24 -0500 (EST)
Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
In-Reply-To: <846E06A5-13C5-46EA-8466-A38605D275AE@yahoo.com>
References: <1333508426.15846891.1424345609513.JavaMail.zimbra@redhat.com> <212506030.1557305.1424352324261.JavaMail.yahoo@mail.yahoo.com> <2139810149.15949044.1424353582356.JavaMail.zimbra@redhat.com> <65F769A0-ED3B-44DC-A5EE-09614E63AD95@yahoo.com> <82220790.16195318.1424366515685.JavaMail.zimbra@redhat.com> <846E06A5-13C5-46EA-8466-A38605D275AE@yahoo.com>
Message-ID: <1167323648.16236375.1424370384990.JavaMail.zimbra@redhat.com>

If you just remove those RoleDescriptor elements from your metadata, I think you can proceed with your tests and get that IdP brokered. However, the attributes you expect will not be propagated to KC's ID token :) Only the basic ones I mentioned before will be.
> >>>> >>>>> 3) The roles and other claims need to be passed back to the client >>>>> applications >>>>> using OIDC (I am aware that Bill is making some functionality available >>>>> over >>>>> the next few days and hopefully it will address my requirement) >>>>> >>>>> Any suggestions on how I handle the first two? >>>>> >>>>> Thanks, >>>>> Raghu >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From emil.posmyk at gmail.com Fri Feb 20 01:40:15 2015 From: emil.posmyk at gmail.com (Emil Posmyk) Date: Fri, 20 Feb 2015 07:40:15 +0100 Subject: [keycloak-user] Securing war project with webservice (JAX-WS) using keycloak. Message-ID: Hello all Is it possible to secure a project with a webservice using keycloak? I saw PicketLink STS but I'm not sure it's the best solution because this is SAML. *regards--* *Emil Posmyk* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150220/76e5ae7d/attachment.html From John.Schneider at carrier.utc.com Fri Feb 20 09:21:07 2015 From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC) Date: Fri, 20 Feb 2015 14:21:07 +0000 Subject: [keycloak-user] keycloak proxy server Message-ID: Hi, I'm also experimenting with the proxy server. It's working perfectly for some target URLs, but I'm getting 404 errors for other known-valid URLs. No idea if this is the root cause or not, but I think there's a correlation between target servers that serve virtual hosts and require either absolute paths in the HTTP GET, or the Host header as defined in HTTP 1.1. The proxy seems to be fine whenever I can telnet to a server and receive a successful GET response without specifying the host. Is there any way to trigger proxy logging or more verbose output? 
This would be very useful for troubleshooting this and other foreseeable issues. Thanks, John -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150220/141514b6/attachment.html From cjwallac at gmail.com Sat Feb 21 10:00:31 2015 From: cjwallac at gmail.com (Christopher Wallace) Date: Sat, 21 Feb 2015 10:00:31 -0500 Subject: [keycloak-user] Keycloak and Tomcat 8 deserialize cors-allowed-methods Message-ID: Keycloak Users, I am attempting to configure Keycloak with Tomcat 8 and have deployed the following: /WEB-INF/web.xml customer-portal mprworktrac /mprworktrac user /mprworktrac CONFIDENTIAL BASIC this is ignored currently admin user /META-INF/content.xml /WEB-INF/keyloak.json { "realm" : "worktrac", "resource" : "customer-portal", "realm-public-key" : "MIGfMA0GCSqGSIb3D...31LwIDAQAB", "auth-server-url" : "https://localhost:8443/auth", "ssl-required" : "external", "use-resource-role-mappings" : false, "enable-cors" : true, "cors-max-age" : 1000, "cors-allowed-methods" : [ "POST", "PUT", "DELETE", "GET" ], "bearer-only" : false, "expose-token" : true, "credentials" : { "secret" : "234234-234234-234234" }, "connection-pool-size" : 20, "disable-trust-manager": false, "allow-any-hostname" : false, "truststore" : "/opt/keycloak-appliance-dist-all-1.1.0.Final/keycloak/standalone/configuration/secret.jks", "truststore-password" : "secret", "client-keystore" : "/opt/keycloak-appliance-dist-all-1.1.0.Final/keycloak/standalone/configuration/secret.jks", "client-keystore-password" : "secret", "client-key-password" : "secret" } Extracted keycloak-tomcat8-adapter-dist-1.1.0.Final.zip to $CATALINA_HOME/lib I receive the following in catalina.out on startup: java.lang.RuntimeException: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_ARRAY token at [Source: java.io.FileInputStream at 7ff0e2e8; line: 9, column: 22] (through reference 
chain: org.keycloak.representations.adapters.config.AdapterConfig["cors-allowed-methods"]) at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:104) at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:93) at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:116) at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:65) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:168) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1069) at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1719) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_ARRAY token at [Source: java.io.FileInputStream at 7ff0e2e8; line: 9, column: 22] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["cors-allowed-methods"]) at 
org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163) at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219) at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:44) at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:13) at org.codehaus.jackson.map.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:299) at org.codehaus.jackson.map.deser.SettableBeanProperty$MethodProperty.deserializeAndSet(SettableBeanProperty.java:414) at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:697) at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:580) at org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2732) at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1909) at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:102) ... 17 more Your help is greatly appreciated as I am excited to get this working :-) -- Chris Wallace cjwallac at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150221/e9ca674c/attachment-0001.html From bburke at redhat.com Sat Feb 21 10:11:13 2015 From: bburke at redhat.com (Bill Burke) Date: Sat, 21 Feb 2015 10:11:13 -0500 Subject: [keycloak-user] Keycloak and Tomcat 8 deserialize cors-allowed-methods In-Reply-To: References: Message-ID: <54E8A011.1020502@redhat.com> Ugh, documentation is wrong on adapter config file. Sorry it should be: "cors-allowed-methods": "POST, PUT, DELETE" not an array of strings. 
Basically this is the value that is put in the cors header On 2/21/2015 10:00 AM, Christopher Wallace wrote: > Keycloak Users, > > I am attempting to configure Keycloak with Tomcat 8 and have deployed > the following: > > /WEB-INF/web.xml > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/ > xml/ns/javaee/web-app_3_0.xsd" > version="3.0"> > customer-portal > > > mprworktrac > /mprworktrac > > > user > > > > > /mprworktrac > > > CONFIDENTIAL > > > > BASIC > this is ignored currently > > > admin > > > user > > > > /META-INF/content.xml > > > > > > /WEB-INF/keyloak.json > { > "realm" : "worktrac", > "resource" : "customer-portal", > "realm-public-key" : "MIGfMA0GCSqGSIb3D...31LwIDAQAB", > "auth-server-url" : "https://localhost:8443/auth", > "ssl-required" : "external", > "use-resource-role-mappings" : false, > "enable-cors" : true, > "cors-max-age" : 1000, > "cors-allowed-methods" : [ "POST", "PUT", "DELETE", "GET" ], > "bearer-only" : false, > "expose-token" : true, > "credentials" : { > "secret" : "234234-234234-234234" > }, > "connection-pool-size" : 20, > "disable-trust-manager": false, > "allow-any-hostname" : false, > "truststore" : > "/opt/keycloak-appliance-dist-all-1.1.0.Final/keycloak/standalone/configuration/secret.jks", > "truststore-password" : "secret", > "client-keystore" : > "/opt/keycloak-appliance-dist-all-1.1.0.Final/keycloak/standalone/configuration/secret.jks", > "client-keystore-password" : "secret", > "client-key-password" : "secret" > } > > Extracted keycloak-tomcat8-adapter-dist-1.1.0.Final.zip to > $CATALINA_HOME/lib > > I receive the following in catalina.out on startup: > java.lang.RuntimeException: > org.codehaus.jackson.map.JsonMappingException: Can not deserialize > instance of java.lang.String out of START_ARRAY token > at [Source: java.io.FileInputStream at 7ff0e2e8; line: 9, column: 22] > (through reference chain: > 
org.keycloak.representations.adapters.config.AdapterConfig["cors-allowed-methods"]) > at > org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:104) > at > org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:93) > at > org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:116) > at > org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:65) > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) > at > org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) > at > org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402) > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:168) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714) > at > org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1069) > at > org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1719) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.codehaus.jackson.map.JsonMappingException: Can not > deserialize instance of java.lang.String out of START_ARRAY token > at [Source: java.io.FileInputStream at 7ff0e2e8; line: 9, column: 22] > (through reference chain: > org.keycloak.representations.adapters.config.AdapterConfig["cors-allowed-methods"]) > at > 
org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163) > at > org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219) > at > org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:44) > at > org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:13) > at > org.codehaus.jackson.map.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:299) > at > org.codehaus.jackson.map.deser.SettableBeanProperty$MethodProperty.deserializeAndSet(SettableBeanProperty.java:414) > at > org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:697) > at > org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:580) > at > org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2732) > at > org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1909) > at > org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:102) > ... 17 more > > Your help is greatly appreciated as I am excited to get this working :-) > > -- > Chris Wallace > cjwallac at gmail.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From yonim at odoro.co.il Sun Feb 22 07:07:36 2015 From: yonim at odoro.co.il (Yoni Moses) Date: Sun, 22 Feb 2015 14:07:36 +0200 Subject: [keycloak-user] Endpoint URL's Message-ID: Hi, I've been trying keycloak , very impressive! I don't intended to use it as the sample in jee but rather through openid provider in my case its openid4java with spring security. I've been struggling with configuration of the endpoint especially with discovery end point.. 
Is there somewhere in the doc the list of endpoints keycloak has? So far I've been trying with /auth/realms/{name} Thanks, Yoni -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150222/58f6e819/attachment.html From cjwallac at gmail.com Sun Feb 22 11:18:56 2015 From: cjwallac at gmail.com (Christopher Wallace) Date: Sun, 22 Feb 2015 11:18:56 -0500 Subject: [keycloak-user] Enabling CORS Message-ID: I seem to have a significant challenge getting CORS enabled in Tomcat for Keycloak. I have taken the following steps: *enabled CORS in keycloak.json as follows:* "enable-cors" : true, "cors-max-age" : 1000, "cors-allowed-methods": "POST, PUT, DELETE, GET" *enabled CORS in web.xml as follows:* CORS com.thetransactioncompany.cors.CORSFilter CORS /* *installed JARs in $CATALINA_HOME/lib: * 27723 Feb 22 11:02 cors-filter-2.3.jar 7847 Feb 22 11:04 java-property-utils-1.9.1.jar *receive the following error* GET http://localhost:8082/auth/realms/worktrac/account [HTTP/1.1 403 Forbidden 11ms] Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8082/auth/realms/worktrac/account. This can be fixed by moving the resource to the same domain or enabling CORS. *request URL is* http://localhost:8080/mprworktrac/userinfo.html -- Chris Wallace cjwallac at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150222/edbab05e/attachment.html From bburke at redhat.com Sun Feb 22 14:38:20 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 22 Feb 2015 14:38:20 -0500 Subject: [keycloak-user] Enabling CORS In-Reply-To: References: Message-ID: <54EA302C.9090304@redhat.com> If you have your own CORS filter, there is no need to enable cors in keycloak.json. 
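As an added example (not code from this thread, from Keycloak or from its adapters), the two rules Bill Burke gives in this thread, written out in Go: `cors-allowed-methods` is one comma-separated string that is copied into the `Access-Control-Allow-Methods` header, not a JSON array, and a cross-origin request only gets CORS headers when its `Origin` is registered as a Web Origin on the application that serves the resource (the `account` application, as the thread later resolves). The sample configs, the `accountWebOrigins` list and the `LoadAdapterCORS`/`ApplyCORS` functions are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample configs: the array form from Chris Wallace's first post
// (rejected by the adapter) and the string form Bill Burke describes.
const badConfig = `{ "enable-cors": true, "cors-max-age": 1000,
  "cors-allowed-methods": [ "POST", "PUT", "DELETE", "GET" ] }`

const goodConfig = `{ "enable-cors": true, "cors-max-age": 1000,
  "cors-allowed-methods": "POST, PUT, DELETE, GET" }`

// accountWebOrigins stands for the "Web Origins" registered on the account
// application in the admin console (constructed). It must hold the origin of
// the page making the request: the Tomcat app on port 8080, not port 8082.
var accountWebOrigins = []string{"http://localhost:8080"}

// AdapterCORS holds the CORS keys of keycloak.json. cors-allowed-methods is one
// comma-separated string, written verbatim into Access-Control-Allow-Methods.
type AdapterCORS struct {
	EnableCORS         bool   `json:"enable-cors"`
	CORSMaxAge         int    `json:"cors-max-age"`
	CORSAllowedMethods string `json:"cors-allowed-methods"`
}

// LoadAdapterCORS parses the CORS keys and turns the START_ARRAY failure seen
// in the thread into an error that names the fix.
func LoadAdapterCORS(raw []byte) (AdapterCORS, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(raw, &fields); err != nil {
		return AdapterCORS{}, err
	}
	if v, ok := fields["cors-allowed-methods"]; ok && len(v) > 0 && v[0] == '[' {
		return AdapterCORS{}, errors.New(
			`cors-allowed-methods must be a string such as "POST, PUT, DELETE", not a JSON array`)
	}
	var cfg AdapterCORS
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return AdapterCORS{}, err
	}
	return cfg, nil
}

// CORSDecision is the set of CORS headers to add to a response. Allowed == false
// means none are added, which the browser reports as "Cross-Origin Request Blocked".
type CORSDecision struct {
	Allowed bool
	Headers map[string]string
}

// ApplyCORS decides the CORS headers for one request: method is the HTTP method,
// origin the Origin header and requestMethod the Access-Control-Request-Method
// header of an OPTIONS preflight. Origins are compared exactly (scheme, host,
// port), so http://localhost:8080 and http://localhost:8082 are different origins.
func ApplyCORS(cfg AdapterCORS, webOrigins []string, method, origin, requestMethod string) CORSDecision {
	d := CORSDecision{Headers: map[string]string{}}
	if !cfg.EnableCORS || origin == "" {
		return d // CORS disabled, or a same-origin request that needs no headers
	}
	if !originRegistered(webOrigins, origin) {
		return d // unregistered origin: add nothing, never reflect it back
	}
	if method == "OPTIONS" && requestMethod != "" {
		// Preflight: the requested method must be listed in cors-allowed-methods.
		if !methodListed(cfg.CORSAllowedMethods, requestMethod) {
			return d
		}
		d.Headers["Access-Control-Allow-Methods"] = cfg.CORSAllowedMethods
		d.Headers["Access-Control-Max-Age"] = strconv.Itoa(cfg.CORSMaxAge)
	}
	d.Allowed = true
	// Echo the specific registered origin; a literal "*" cannot be combined
	// with credentialed (cookie or bearer-token) requests by the browser.
	d.Headers["Access-Control-Allow-Origin"] = origin
	return d
}

func originRegistered(webOrigins []string, origin string) bool {
	for _, o := range webOrigins {
		if o == "*" || o == origin {
			return true
		}
	}
	return false
}

func methodListed(allowed, method string) bool {
	for _, m := range strings.Split(allowed, ",") {
		if strings.EqualFold(strings.TrimSpace(m), method) {
			return true
		}
	}
	return false
}

func main() {
	_, err := LoadAdapterCORS([]byte(badConfig))
	fmt.Println("array form:", err)
	cfg, _ := LoadAdapterCORS([]byte(goodConfig))
	d := ApplyCORS(cfg, accountWebOrigins, "OPTIONS", "http://localhost:8080", "DELETE")
	fmt.Println("preflight from registered origin:", d.Allowed, d.Headers)
}
```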
On 2/22/2015 11:18 AM, Christopher Wallace wrote: > I seem to have a significant challenge getting CORS enabled in Tomcat > for Keycloak. I have taken the following steps: > > *enabled CORS in keycloak.json as follows:* > "enable-cors" : true, > "cors-max-age" : 1000, > "cors-allowed-methods": "POST, PUT, DELETE, GET" > > *enabled CORS in web.xml as follows: > * > CORS > com.thetransactioncompany.cors.CORSFilter > > > CORS > /* > > * > * > *installed JARs in $CATALINA_HOME/lib: > * > 27723 Feb 22 11:02 cors-filter-2.3.jar > 7847 Feb 22 11:04 java-property-utils-1.9.1.jar > > *receive the following error > *GET http://localhost:8082/auth/realms/worktrac/account [HTTP/1.1 403 > Forbidden 11ms] > > Cross-Origin Request Blocked: The Same Origin Policy disallows reading > the remote resource at > http://localhost:8082/auth/realms/worktrac/account. This can be fixed by > moving the resource to the same domain or enabling CORS. > > *request URL is > *http://localhost:8080/mprworktrac/userinfo.html* > * > > -- > Chris Wallace > cjwallac at gmail.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Sun Feb 22 14:39:14 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 22 Feb 2015 14:39:14 -0500 Subject: [keycloak-user] Enabling CORS In-Reply-To: References: Message-ID: <54EA3062.3070805@redhat.com> I should add that you have to specify valid origins in the admin console for the application if you want to use our cors support. On 2/22/2015 11:18 AM, Christopher Wallace wrote: > I seem to have a significant challenge getting CORS enabled in Tomcat > for Keycloak. 
I have taken the following steps: > > *enabled CORS in keycloak.json as follows:* > "enable-cors" : true, > "cors-max-age" : 1000, > "cors-allowed-methods": "POST, PUT, DELETE, GET" > > *enabled CORS in web.xml as follows: > * > CORS > com.thetransactioncompany.cors.CORSFilter > > > CORS > /* > > * > * > *installed JARs in $CATALINA_HOME/lib: > * > 27723 Feb 22 11:02 cors-filter-2.3.jar > 7847 Feb 22 11:04 java-property-utils-1.9.1.jar > > *receive the following error > *GET http://localhost:8082/auth/realms/worktrac/account [HTTP/1.1 403 > Forbidden 11ms] > > Cross-Origin Request Blocked: The Same Origin Policy disallows reading > the remote resource at > http://localhost:8082/auth/realms/worktrac/account. This can be fixed by > moving the resource to the same domain or enabling CORS. > > *request URL is > *http://localhost:8080/mprworktrac/userinfo.html* > * > > -- > Chris Wallace > cjwallac at gmail.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From cjwallac at gmail.com Sun Feb 22 15:02:16 2015 From: cjwallac at gmail.com (Christopher Wallace) Date: Sun, 22 Feb 2015 15:02:16 -0500 Subject: [keycloak-user] Enabling CORS In-Reply-To: <54EA3062.3070805@redhat.com> References: <54EA3062.3070805@redhat.com> Message-ID: Thanks for the reply Bill, I think I have the correct 'Web Origin' set as I tried to cover all for now to get it working, then can restrict later; please see attached screen shot. I did remove the CORS filter from my web.xml as I was putting it there as I was trying to see if that would help. Everyone's support is greatly appreciated. Thanks! Chris W. On Sun, Feb 22, 2015 at 2:39 PM, Bill Burke wrote: > I should add that you have to specify valid origins in the admin console > for the application if you want to use our cors support. 
> > On 2/22/2015 11:18 AM, Christopher Wallace wrote: > > I seem to have a significant challenge getting CORS enabled in Tomcat > > for Keycloak. I have taken the following steps: > > > > *enabled CORS in keycloak.json as follows:* > > "enable-cors" : true, > > "cors-max-age" : 1000, > > "cors-allowed-methods": "POST, PUT, DELETE, GET" > > > > *enabled CORS in web.xml as follows: > > * > > CORS > > > com.thetransactioncompany.cors.CORSFilter > > > > > > CORS > > /* > > > > * > > * > > *installed JARs in $CATALINA_HOME/lib: > > * > > 27723 Feb 22 11:02 cors-filter-2.3.jar > > 7847 Feb 22 11:04 java-property-utils-1.9.1.jar > > > > *receive the following error > > *GET http://localhost:8082/auth/realms/worktrac/account [HTTP/1.1 403 > > Forbidden 11ms] > > > > Cross-Origin Request Blocked: The Same Origin Policy disallows reading > > the remote resource at > > http://localhost:8082/auth/realms/worktrac/account. This can be fixed by > > moving the resource to the same domain or enabling CORS. > > > > *request URL is > > *http://localhost:8080/mprworktrac/userinfo.html* > > * > > > > -- > > Chris Wallace > > cjwallac at gmail.com > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Chris Wallace cjwallac at gmail.com c: 570.582.9955 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150222/a55cf6a9/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... 
Name: worktracApplicatonworktracRealm.tiff Type: image/tiff Size: 132094 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150222/a55cf6a9/attachment-0001.tiff From bburke at redhat.com Sun Feb 22 16:17:29 2015 From: bburke at redhat.com (Bill Burke) Date: Sun, 22 Feb 2015 16:17:29 -0500 Subject: [keycloak-user] Enabling CORS In-Reply-To: References: <54EA3062.3070805@redhat.com> Message-ID: <54EA4769.30801@redhat.com> Ok, so what are you trying to do? Application is on localhost:8080? And there is a javascript app that is trying to invoke the account application on localhost:8082? You have to go to the admin console, click on applications, and go to the account app and add http://localhost:8080 The "account" app needs to allow the appropriate CORS origin. On 2/22/2015 3:02 PM, Christopher Wallace wrote: > Thanks for the reply Bill, I think I have the correct 'Web Origin' set > as I tried to cover all for now to get it working, then can restrict > later; please see attached screen shot. I did remove the CORS filter > from my web.xml as I was putting it there as I was trying to see if that > would help. Everyone's support is greatly appreciated. > > Thanks! > Chris W. > > On Sun, Feb 22, 2015 at 2:39 PM, Bill Burke > wrote: > > I should add that you have to specify valid origins in the admin console > for the application if you want to use our cors support. > > On 2/22/2015 11:18 AM, Christopher Wallace wrote: > > I seem to have a significant challenge getting CORS enabled in Tomcat > > for Keycloak. 
I have taken the following steps: > > > > *enabled CORS in keycloak.json as follows:* > > "enable-cors" : true, > > "cors-max-age" : 1000, > > "cors-allowed-methods": "POST, PUT, DELETE, GET" > > > > *enabled CORS in web.xml as follows: > > * > > CORS > > com.thetransactioncompany.cors.CORSFilter > > > > > > CORS > > /* > > > > * > > * > > *installed JARs in $CATALINA_HOME/lib: > > * > > 27723 Feb 22 11:02 cors-filter-2.3.jar > > 7847 Feb 22 11:04 java-property-utils-1.9.1.jar > > > > *receive the following error > > *GET http://localhost:8082/auth/realms/worktrac/account [HTTP/1.1 403 > > Forbidden 11ms] > > > > Cross-Origin Request Blocked: The Same Origin Policy disallows reading > > the remote resource at > >http://localhost:8082/auth/realms/worktrac/account. This can be fixed by > > moving the resource to the same domain or enabling CORS. > > > > *request URL is > > *http://localhost:8080/mprworktrac/userinfo.html* > > * > > > > -- > > Chris Wallace > > cjwallac at gmail.com > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Chris Wallace > cjwallac at gmail.com > c: 570.582.9955 -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From cjwallac at gmail.com Sun Feb 22 18:07:39 2015 From: cjwallac at gmail.com (Christopher Wallace) Date: Sun, 22 Feb 2015 18:07:39 -0500 Subject: [keycloak-user] Enabling CORS In-Reply-To: <54EA4769.30801@redhat.com> References: <54EA3062.3070805@redhat.com> <54EA4769.30801@redhat.com> Message-ID: Thanks again, Bill! 
It worked by adding the origin to the 'accounts' application in my realm; what I was doing before was adding the 'origin' to my custom application inside of admin instead of to the accounts application. My goal was to leverage the JSON from the accounts services to give my application insight into who is authenticated. On Sun, Feb 22, 2015 at 4:17 PM, Bill Burke wrote: > Ok, so what are you trying to do? > > Application is on localhost:8080? And there is a javascript app that is > trying to invoke the account application on localhost:8082? You have to go > to the admin console, click on applications, and go to the account app and > add http://localhost:8080 > > The "account" app needs to allow the appropriate CORS origin. > > On 2/22/2015 3:02 PM, Christopher Wallace wrote: > >> Thanks for the reply Bill, I think I have the correct 'Web Origin' set >> as I tried to cover all for now to get it working, then can restrict >> later; please see attached screen shot. I did remove the CORS filter >> from my web.xml as I was putting it there as I was trying to see if that >> would help. Everyone's support is greatly appreciated. >> >> Thanks! >> Chris W. >> >> On Sun, Feb 22, 2015 at 2:39 PM, Bill Burke > > wrote: >> >> I should add that you have to specify valid origins in the admin >> console >> for the application if you want to use our cors support. >> >> On 2/22/2015 11:18 AM, Christopher Wallace wrote: >> > I seem to have a significant challenge getting CORS enabled in >> Tomcat >> > for Keycloak. I have taken the following steps: >> > >> > *enabled CORS in keycloak.json as follows:* >> > "enable-cors" : true, >> > "cors-max-age" : 1000, >> > "cors-allowed-methods": "POST, PUT, DELETE, GET" >> > >> > *enabled CORS in web.xml as follows: >> > * >> > CORS >> > com.thetransactioncompany.cors. 
>> CORSFilter >> > >> > >> > CORS >> > /* >> > >> > * >> > * >> > *installed JARs in $CATALINA_HOME/lib: >> > * >> > 27723 Feb 22 11:02 cors-filter-2.3.jar >> > 7847 Feb 22 11:04 java-property-utils-1.9.1.jar >> > >> > *receive the following error >> > *GET http://localhost:8082/auth/realms/worktrac/account [HTTP/1.1 >> 403 >> > Forbidden 11ms] >> > >> > Cross-Origin Request Blocked: The Same Origin Policy disallows >> reading >> > the remote resource at >> >http://localhost:8082/auth/realms/worktrac/account. This can be >> fixed by >> > moving the resource to the same domain or enabling CORS. >> > >> > *request URL is >> > *http://localhost:8080/mprworktrac/userinfo.html* >> > * >> > >> > -- >> > Chris Wallace >> > cjwallac at gmail.com >> > >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org > jboss.org> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> -- >> Chris Wallace >> cjwallac at gmail.com >> c: 570.582.9955 >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > -- Chris Wallace cjwallac at gmail.com c: 570.582.9955 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150222/47a19b45/attachment.html From emil.posmyk at gmail.com Mon Feb 23 03:45:30 2015 From: emil.posmyk at gmail.com (Emil Posmyk) Date: Mon, 23 Feb 2015 09:45:30 +0100 Subject: [keycloak-user] Login or authenticate methods in keycloak Message-ID: Hello all again How do I log in or authenticate to keycloak without using a frontend like it was in e.g. customer-portal.war from the examples, but through for example REST? I saw the REST API but please can anyone show me how to do that via a POST method using SAML? *please help* *regards* *--* *Emil Posmyk* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150223/11e3f837/attachment.html From stian at redhat.com Mon Feb 23 03:52:03 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Feb 2015 03:52:03 -0500 (EST) Subject: [keycloak-user] Endpoint URL's In-Reply-To: References: Message-ID: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> Hi, We haven't added the discovery part of OpenID Connect yet and there are some issues with the docs as the protocol related endpoints are missing. The endpoints of interest to you are: * /auth/realms/{name}/protocol/openid-connect/login * /auth/realms/{name}/protocol/openid-connect/access/codes * /auth/realms/{name}/protocol/openid-connect/refresh * /auth/realms/{name}/protocol/openid-connect/userinfo We are actively working on better integration with other openid connect client libraries, so let us know what works and what doesn't. ----- Original Message ----- > From: "Yoni Moses" > To: keycloak-user at lists.jboss.org > Sent: Sunday, February 22, 2015 1:07:36 PM > Subject: [keycloak-user] Endpoint URL's > > Hi, > > I've been trying keycloak, very impressive! > I don't intend to use it as the sample in jee but rather through an openid > provider, in my case openid4java with spring security. 
> I've been struggling with configuration of the endpoint especially with > discovery end point.. > is there somewhere in the doc the list of endpoints keycloak has? > so far I've been trying with /auth/realms/{name} > > > Thanks, > Yoni > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From yonim at odoro.co.il Mon Feb 23 04:39:14 2015 From: yonim at odoro.co.il (yonim at odoro.co.il) Date: Mon, 23 Feb 2015 11:39:14 +0200 Subject: [keycloak-user] Endpoint URL's In-Reply-To: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> Message-ID: <023b01d04f4c$97197080$c54c5180$@odoro.co.il> Ok.. a bit frustrating. Any chance the 1.2.0 Beta solves some of the issues? I can build it if needed... I've tried openid4java (on top of spring security) and another client (mitred one, their client not the server) and both looked for the discovery endpoint. Assuming I switch from openid-connect to OAuth - how can I get the userinfo after that? Any special endpoint for oauth userinfo after I got the token? Cheers, Yoni -----Original Message----- From: Stian Thorgersen [mailto:stian at redhat.com] Sent: Monday, February 23, 2015 10:52 AM To: Yoni Moses Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Endpoint URL's Hi, We haven't added the discovery part of OpenID Connect yet and there are some issues with the docs as the protocol related endpoints are missing. The endpoints of interest to you are: * /auth/realms/{name}/protocol/openid-connect/login * /auth/realms/{name}/protocol/openid-connect/access/codes * /auth/realms/{name}/protocol/openid-connect/refresh * /auth/realms/{name}/protocol/openid-connect/userinfo We are actively working on better integration with other openid connect client libraries, so let us know what works and what doesn't. 
----- Original Message ----- > From: "Yoni Moses" > To: keycloak-user at lists.jboss.org > Sent: Sunday, February 22, 2015 1:07:36 PM > Subject: [keycloak-user] Endpoint URL's > > Hi, > > I've been trying keycloak, very impressive! > I don't intend to use it as the sample in jee but rather through an openid > provider, in my case openid4java with spring security. > I've been struggling with configuration of the endpoint especially with > discovery end point.. > is there somewhere in the doc the list of endpoints keycloak has? > so far I've been trying with /auth/realms/{name} > > > Thanks, > Yoni > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From yonim at odoro.co.il Mon Feb 23 05:19:39 2015 From: yonim at odoro.co.il (Yoni Moses) Date: Mon, 23 Feb 2015 12:19:39 +0200 Subject: [keycloak-user] Validate access-token Message-ID: Is there a way (using the admin rest api?) to validate an access token? Went over the list of methods but couldn't find anything .. Cheers, Yoni -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150223/3f7075b3/attachment-0001.html From chenkeong.yap at izeno.com Mon Feb 23 05:31:45 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Mon, 23 Feb 2015 18:31:45 +0800 Subject: [keycloak-user] keycloak proxy server In-Reply-To: References: Message-ID: Just wondering, are there any issues with the keycloak proxy? Steps 4 and 5 are not happening. On Feb 20, 2015 10:21 PM, "Schneider, John DODGE CONSULTING SERVICES, LLC" < John.Schneider at carrier.utc.com> wrote: > Hi, > > > > I'm also experimenting with the proxy server. It's working perfectly for > some target URLs, but I'm getting 404 errors for other known-valid URLs. 
> No idea if this is the root cause or not, but I think there's a correlation > between target servers that serve virtual hosts and require either absolute > paths in the HTTP GET, or the Host header as defined in HTTP 1.1. The > proxy seems to be fine whenever I can telnet to a server and receive a > successful GET response without specifying the host. > > > > Is there any way to trigger proxy logging or more verbose output? This > would be very useful for troubleshooting this and other foreseeable issues. > > > > Thanks, > > John > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150223/96e293c2/attachment.html From emil.posmyk at gmail.com Mon Feb 23 05:56:50 2015 From: emil.posmyk at gmail.com (Emil Posmyk) Date: Mon, 23 Feb 2015 11:56:50 +0100 Subject: [keycloak-user] Login or authenticate methods in keycloak In-Reply-To: References: Message-ID: or maybe a simple direction where I should find some examples to create a login function without a frontend? *Regards* *--* *Emil Posmyk* 2015-02-23 9:45 GMT+01:00 Emil Posmyk : > Hello all again > > how to login or authenticate to keycloak but not using frontend like it > was in eg customer-portal.war from examples but through for example REST, I > saw the REST API but please can anyone show me how to do that via POST > method using SAML ? > > *please help* > > *regards* > *--* > > > *Emil Posmyk* > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150223/037ce311/attachment.html From emil.posmyk at gmail.com Mon Feb 23 06:27:43 2015 From: emil.posmyk at gmail.com (Emil Posmyk) Date: Mon, 23 Feb 2015 12:27:43 +0100 Subject: [keycloak-user] Login or authenticate methods in keycloak In-Reply-To: References: Message-ID: may I ask why no one can reply? *regards* *--* *Emil Posmyk* 2015-02-23 11:56 GMT+01:00 Emil Posmyk : > or maybe a simple direction where I should find some examples to create a > login function without a frontend? > > > *Regards* > *--* > > > *Emil Posmyk* > > 2015-02-23 9:45 GMT+01:00 Emil Posmyk : > >> Hello all again >> >> how to login or authenticate to keycloak but not using frontend like it >> was in eg customer-portal.war from examples but through for example REST, I >> saw the REST API but please can anyone show me how to do that via POST >> method using SAML ? >> >> *please help* >> >> *regards* >> *--* >> >> >> *Emil Posmyk* >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150223/d0e17b38/attachment.html From stian at redhat.com Mon Feb 23 06:58:55 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Feb 2015 06:58:55 -0500 (EST) Subject: [keycloak-user] Validate access-token In-Reply-To: References: Message-ID: <971946871.13278311.1424692735025.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Yoni Moses" > To: keycloak-user at lists.jboss.org > Sent: Monday, February 23, 2015 11:19:39 AM > Subject: [keycloak-user] Validate access-token > > Is there a way (using the admin rest api?) to validate an access token? No, but there's a different rest api for it. It's missing in the docs due to a bug in the way we generate it. It's: /auth/realms/{realm}/protocol/openid-connect/validate It takes 'access_token' as a query param. > > > Went over the list of methods but couldn't find anything ..
> > Cheers, > Yoni > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Mon Feb 23 07:02:35 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Feb 2015 07:02:35 -0500 (EST) Subject: [keycloak-user] Login or authenticate methods in keycloak In-Reply-To: References: Message-ID: <1492277841.13280121.1424692955316.JavaMail.zimbra@redhat.com> Please, bear in mind this is a mailing list that provides free support for a community project. This does imply that you may have to wait until someone has time to answer your email! Have a look in the download inside examples/saml that should be exactly what you need. ----- Original Message ----- > From: "Emil Posmyk" > To: keycloak-user at lists.jboss.org > Sent: Monday, February 23, 2015 12:27:43 PM > Subject: Re: [keycloak-user] Login or authenticate methods in keycloak > > may I ask why no one can reply? > > > regards > -- > Emil Posmyk > > > 2015-02-23 11:56 GMT+01:00 Emil Posmyk < emil.posmyk at gmail.com > : > > > > or maybe a simple direction where I should find some examples to create a login > function without a frontend? > > > Regards > -- > Emil Posmyk > > > 2015-02-23 9:45 GMT+01:00 Emil Posmyk < emil.posmyk at gmail.com > : > > > > Hello all again > > how to login or authenticate to keycloak but not using frontend like it was > in eg customer-portal.war from examples but through for example REST, I saw > the REST API but please can anyone show me how to do that via POST method > using SAML ?
> > please help > > regards > -- > Emil Posmyk > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Mon Feb 23 07:45:46 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Feb 2015 07:45:46 -0500 (EST) Subject: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe In-Reply-To: <9656B9D10BC6124A88D5E27DD02422855BC49BFF@EX-TT-AC-01.traveltainment.int> References: <9656B9D10BC6124A88D5E27DD02422855BC49BFF@EX-TT-AC-01.traveltainment.int> Message-ID: <286578359.13299190.1424695546452.JavaMail.zimbra@redhat.com> We don't support using an iframe as it opens potential exploits (clickjacking, csrf, xss). If you are willing to accept the risk of these, or can mitigate them yourself, you can implement this flow yourself in your application. Basically create "login" and "callback" pages on your app. The login page would redirect to the Keycloak login page, Keycloak would then redirect back to the callback page, which is used to send the token to the main window using window.postMessage. ----- Original Message ----- > From: "Christoph Machnik" > To: keycloak-user at lists.jboss.org > Sent: Monday, February 9, 2015 10:58:14 AM > Subject: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe > > Hi all, > > I have an html-frontend and I want to show the loginpage from keycloak as a > part of this frontend and not redirect to the loginpage. Is there a > possibility to do this ? > My first thought was an iframe, but what is the src for this ? > >
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Mon Feb 23 07:50:34 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 23 Feb 2015 07:50:34 -0500 Subject: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe In-Reply-To: <286578359.13299190.1424695546452.JavaMail.zimbra@redhat.com> References: <9656B9D10BC6124A88D5E27DD02422855BC49BFF@EX-TT-AC-01.traveltainment.int> <286578359.13299190.1424695546452.JavaMail.zimbra@redhat.com> Message-ID: <54EB221A.1070903@redhat.com> On 2/23/2015 7:45 AM, Stian Thorgersen wrote: > We don't support using an iframe as it opens potential exploits (clickjacking, csrf, xss). > Actually we might be able to. Currently we restrict this possibility by setting the Content-Security-Policy header. The value of this header is configurable in the admin console. IIRC, you can set up trusted origins with this header. Don't remember. Or you could just shut it off. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Mon Feb 23 07:53:38 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Feb 2015 07:53:38 -0500 (EST) Subject: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe In-Reply-To: <54EB221A.1070903@redhat.com> References: <9656B9D10BC6124A88D5E27DD02422855BC49BFF@EX-TT-AC-01.traveltainment.int> <286578359.13299190.1424695546452.JavaMail.zimbra@redhat.com> <54EB221A.1070903@redhat.com> Message-ID: <237201857.13313480.1424696018755.JavaMail.zimbra@redhat.com> Do we set x-frame-options? 
The OAuth spec recommends it, http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13 ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Monday, February 23, 2015 1:50:34 PM > Subject: Re: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe > > On 2/23/2015 7:45 AM, Stian Thorgersen wrote: > > We don't support using an iframe as it opens potential exploits > > (clickjacking, csrf, xss). > > > > Actually we might be able to. Currently we restrict this possibility by > setting the Content-Security-Policy header. The value of this header is > configurable in the admin console. IIRC, you can set up trusted origins > with this header. Don't remember. Or you could just shut it off. > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Mon Feb 23 07:56:51 2015 From: bburke at redhat.com (Bill Burke) Date: Mon, 23 Feb 2015 07:56:51 -0500 Subject: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe In-Reply-To: <237201857.13313480.1424696018755.JavaMail.zimbra@redhat.com> References: <9656B9D10BC6124A88D5E27DD02422855BC49BFF@EX-TT-AC-01.traveltainment.int> <286578359.13299190.1424695546452.JavaMail.zimbra@redhat.com> <54EB221A.1070903@redhat.com> <237201857.13313480.1424696018755.JavaMail.zimbra@redhat.com> Message-ID: <54EB2393.50604@redhat.com> Yes, look under Security Defenses tab. X-Frame-Options is actually replaced by Content-Security-Policy On 2/23/2015 7:53 AM, Stian Thorgersen wrote: > Do we set x-frame-options? 
The OAuth spec recommends it, http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13 > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-user at lists.jboss.org >> Sent: Monday, February 23, 2015 1:50:34 PM >> Subject: Re: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe >> >> On 2/23/2015 7:45 AM, Stian Thorgersen wrote: >>> We don't support using an iframe as it opens potential exploits >>> (clickjacking, csrf, xss). >>> >> >> Actually we might be able to. Currently we restrict this possibility by >> setting the Content-Security-Policy header. The value of this header is >> configurable in the admin console. IIRC, you can set up trusted origins >> with this header. Don't remember. Or you could just shut it off. >> >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Mon Feb 23 08:16:19 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 23 Feb 2015 08:16:19 -0500 (EST) Subject: [keycloak-user] Endpoint URL's In-Reply-To: <023b01d04f4c$97197080$c54c5180$@odoro.co.il> References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> Message-ID: <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: yonim at odoro.co.il > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Monday, February 23, 2015 10:39:14 AM > Subject: RE: [keycloak-user] Endpoint URL's > > Ok.. a bit frustrating. > > Any chance the 1.2.0 Beta solves some of the issues? I can build it if > needed... Afraid not. We are planning to add the discovery endpoint, but it may be a month or so before we get time.
> > I've tried openid4java (on top of spring security ) and another client > (mitred one, their client not the server) and both looked for the discovery > endpoint. > > Assuming I switch from openid-connect to OAuth - how can I get the userinfo > after that? any special endpoint to oauth userinfo after I got the token? You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo with the token. > > Cheers, > Yoni > > > > > > > -----Original Message----- > From: Stian Thorgersen [mailto:stian at redhat.com] > Sent: Monday, February 23, 2015 10:52 AM > To: Yoni Moses > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Endpoint URL's > > Hi, > > We haven't added the discovery part of OpenID Connect yet and there are some > issues with the docs as the protocol related endpoints are missing. The > endpoints of interest to you are: > > * /auth/realms/{name}/protocol/openid-connect/login > * /auth/realms/{name}/protocol/openid-connect/access/codes > * /auth/realms/{name}/protocol/openid-connect/refresh > * /auth/realms/{name}/protocol/openid-connect/userinfo > > We are actively working on better integration with other openid connect > client libraries, so let us know what works and what doesn't. > > ----- Original Message ----- > > From: "Yoni Moses" > > To: keycloak-user at lists.jboss.org > > Sent: Sunday, February 22, 2015 1:07:36 PM > > Subject: [keycloak-user] Endpoint URL's > > > > Hi, > > > > I've been trying keycloak , very impressive! > > I don't intend to use it as the sample in jee but rather through openid > > provider in my case its openid4java with spring security. > > I've been struggling with configuration of the endpoint especially with > > discovery end point.. > > is there somewhere in the doc the list of endpoints keycloak has?
> > so far I've been trying with /auth/realms/{name} > > > > > > Thanks, > > Yoni > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From psilva at redhat.com Mon Feb 23 08:44:58 2015 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 23 Feb 2015 08:44:58 -0500 (EST) Subject: [keycloak-user] Securing war project with webservice (JAX-WS) using keycloak. In-Reply-To: References: Message-ID: <1363320232.17623941.1424699098531.JavaMail.zimbra@redhat.com> Hey Emil, It is possible, but you would need to write some code in order to protect your soap endpoints based on KC tokens. Basically, what you need is a JAX-WS handler on the server that knows how to extract a token from a WS-Security header. Once you have the token you may use KC's API to validate it or even invoke a specific REST endpoint in a KC instance. What PicketLink STS provides is a WS-Trust compliant Security Token Service, which is basically a JAX-WS endpoint that uses WS-Trust to issue/renew/validate/revoke SAML assertions, although it is flexible enough to support other types of tokens as well. It also provides some OOTB client and server side components that you can use to protect SOAP endpoints. I think we can consider this as an RFE in order to support OOTB protection for soap endpoints based on JAX-WS. Regards. Pedro Igor ----- Original Message ----- From: "Emil Posmyk" To: keycloak-user at lists.jboss.org Sent: Friday, February 20, 2015 4:40:15 AM Subject: [keycloak-user] Securing war project with webservice (JAX-WS) using keycloak. Hello all Is it possible to secure a project with a webservice using keycloak? I saw Picketlink STS but I'm not sure it's the best solution because this is SAML.
regards -- Emil Posmyk _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From chenkeong.yap at izeno.com Mon Feb 23 23:25:17 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Tue, 24 Feb 2015 12:25:17 +0800 Subject: [keycloak-user] keycloak proxy server In-Reply-To: References: Message-ID: i've already added ssl cert to java cacerts. do you have any ideas what went wrong? INFO: XNIO NIO Implementation Version 3.3.0.Final Feb 24, 2015 12:23:54 PM org.keycloak.adapters.OAuthRequestAuthenticator resolve Code ERROR: failed to turn code into token javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.ja va:397) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.jav a:128) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFact ory.java:572) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnect ion(DefaultClientConnectionOperator.java:180) at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.ja va:151) at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPool edConnAdapter.java:125) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(Default RequestDirector.java:640) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultReq uestDirector.java:479) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpCl ient.java:906) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpCl ient.java:805) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpCl ient.java:784) at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerReq uest.java:122) at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerReq uest.java:95) at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequ 
estAuthenticator.java:261) at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthReq uestAuthenticator.java:208) at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthen ticator.java:90) On Mon, Feb 23, 2015 at 6:31 PM, Chen Keong Yap wrote: > Just wondering, are there any issues with the keycloak proxy? Step 4 and 5 > not happening > On Feb 20, 2015 10:21 PM, "Schneider, John DODGE CONSULTING SERVICES, LLC" > wrote: > >> Hi, >> >> >> >> I'm also experimenting with the proxy server. It's working perfectly for >> some target URLs, but I'm getting 404 errors for other known-valid URLs. >> No idea if this is the root cause or not, but I think there's a correlation >> between target servers that serve virtual hosts and require either absolute >> paths in the HTTP GET, or the Host header as defined in HTTP 1.1. The >> proxy seems to be fine whenever I can telnet to a server and receive a >> successful GET response without specifying the host. >> >> >> >> Is there any way to trigger proxy logging or more verbose output? This >> would be very useful for troubleshooting this and other foreseeable issues. >> >> >> >> Thanks, >> >> John >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -- Best Regards, CK Yap Technology Consultant Tel: +65 6100 2788 Fax:+65 6233 9376 iZeno Pte Ltd 72 Bendemeer Road Luzerne #05-28 Singapore 339941 This communication contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this communication in error, please notify me by telephone immediately. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150224/29fbf9b5/attachment.html From chenkeong.yap at izeno.com Mon Feb 23 23:47:36 2015 From: chenkeong.yap at izeno.com (Chen Keong Yap) Date: Tue, 24 Feb 2015 12:47:36 +0800 Subject: [keycloak-user] keycloak proxy server In-Reply-To: References: Message-ID: i managed to resolve the issue by setting. "disable-trust-manager": true now there are 2 more issues. 1) proxy is redirecting to actual app but is not consistent. sometimes can redirect but sometimes prompted a download file. 2) noticed KEYCLOAK_USERNAME is not set in the cookie On Tue, Feb 24, 2015 at 12:25 PM, Chen Keong Yap wrote: > > i've already added ssl cert to java cacerts. do you have any ideas what > went wrong? > > > > INFO: XNIO NIO Implementation Version 3.3.0.Final > Feb 24, 2015 12:23:54 PM org.keycloak.adapters.OAuthRequestAuthenticator > resolve > Code > ERROR: failed to turn code into token > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated > at > sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.ja > va:397) > at > org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.jav > a:128) > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFact > ory.java:572) > at > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnect > ion(DefaultClientConnectionOperator.java:180) > at > org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.ja > va:151) > at > org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPool > edConnAdapter.java:125) > at > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(Default > RequestDirector.java:640) > at > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultReq > uestDirector.java:479) > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpCl > ient.java:906) > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpCl > ient.java:805) > at > 
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpCl > ient.java:784) > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerReq > uest.java:122) > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerReq > uest.java:95) > at > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequ > estAuthenticator.java:261) > at > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthReq > uestAuthenticator.java:208) > at > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthen > ticator.java:90) > > On Mon, Feb 23, 2015 at 6:31 PM, Chen Keong Yap > wrote: > >> Just wondering, are there any issues with the keycloak proxy? Step 4 and 5 >> not happening >> On Feb 20, 2015 10:21 PM, "Schneider, John DODGE CONSULTING SERVICES, >> LLC" wrote: >> >>> Hi, >>> >>> >>> >>> I'm also experimenting with the proxy server. It's working perfectly for >>> some target URLs, but I'm getting 404 errors for other known-valid URLs. >>> No idea if this is the root cause or not, but I think there's a correlation >>> between target servers that serve virtual hosts and require either absolute >>> paths in the HTTP GET, or the Host header as defined in HTTP 1.1. The >>> proxy seems to be fine whenever I can telnet to a server and receive a >>> successful GET response without specifying the host. >>> >>> >>> >>> Is there any way to trigger proxy logging or more verbose output? This >>> would be very useful for troubleshooting this and other foreseeable issues. >>> >>> >>> >>> Thanks, >>> >>> John >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >
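Setting "disable-trust-manager": true makes the SSLPeerUnverifiedException go away because it switches off certificate verification on the adapter's code-to-token call to Keycloak, which is exactly the check that keeps a man-in-the-middle between the proxy and Keycloak from impersonating the server and reading the client secret and the tokens. What follows is an added example, not code from this thread or from the Keycloak project: a small Python audit of an adapter keycloak.json that flags that setting (and its relatives: allow-any-hostname, a plain-http auth-server-url, and ssl-required set to none) and shows, in a second constructed config, the truststore/truststore-password pair that is the proper fix. The option names are the adapter's own configuration keys; the realm, hostnames, path and password in the samples are placeholders, and the remark about falling back to the JVM's default truststore when no truststore is configured describes the adapter's behaviour as I understand it, so check it against the adapter documentation for your version.

```python
"""Audit a Keycloak adapter config (keycloak.json) for settings that weaken
TLS verification of the adapter's own connection to the Keycloak server.

Added example for the thread above; not code from the Keycloak project or from
anyone on the list. The option names checked (auth-server-url, ssl-required,
disable-trust-manager, allow-any-hostname, truststore, truststore-password)
are the adapter's configuration keys; both sample configs are constructed for
illustration and every value in them is a placeholder.
"""
import json

# Constructed sample: the quick fix from the thread. With the trust manager
# disabled the adapter accepts any certificate when it exchanges the code for
# tokens, so anything on the path between the proxy and Keycloak can pose as
# the server and read the client secret and the tokens.
WEAK_CONFIG = """
{
  "realm": "demo",
  "resource": "proxy-app",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "external",
  "credentials": { "secret": "replace-me" },
  "disable-trust-manager": true
}
"""

# Constructed sample: the same adapter pointed at a dedicated truststore that
# holds the CA (or the server certificate itself) that Keycloak presents.
FIXED_CONFIG = """
{
  "realm": "demo",
  "resource": "proxy-app",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "external",
  "credentials": { "secret": "replace-me" },
  "truststore": "/etc/keycloak/adapter-truststore.jks",
  "truststore-password": "changeit"
}
"""

SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1, "info": 0}


def audit_adapter_config(text):
    """Parse one keycloak.json and return (severity, option, message) findings."""
    cfg = json.loads(text)
    findings = []
    url = cfg.get("auth-server-url", "")

    if url.startswith("http://"):
        findings.append(("high", "auth-server-url",
                         "Keycloak is reached over plain HTTP: codes, tokens and the "
                         "client secret travel in clear"))
    if cfg.get("disable-trust-manager") is True:
        findings.append(("high", "disable-trust-manager",
                         "server certificate is not verified on the code-to-token call; "
                         "remove this and point 'truststore' at a keystore holding the CA"))
    elif url.startswith("https://") and "truststore" not in cfg:
        # No adapter truststore: trust comes from the default truststore of the
        # JVM that runs the adapter (assumption about adapter behaviour), which
        # is why importing the CA into some other JVM's cacerts does not help.
        findings.append(("info", "truststore",
                         "no adapter truststore configured; the CA must be in the cacerts "
                         "of the JVM that runs the adapter, or set 'truststore' explicitly"))
    if cfg.get("allow-any-hostname") is True:
        findings.append(("high", "allow-any-hostname",
                         "hostname verification is off; a valid certificate for any other "
                         "host is accepted"))
    if cfg.get("ssl-required", "external") == "none":
        findings.append(("medium", "ssl-required",
                         "requests to the protected application are accepted over plain "
                         "HTTP"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'ok' when there are none."""
    if not findings:
        return "ok"
    return max((f[0] for f in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit_adapter_config(text)
        print("%s config: %s" % (name, worst_severity(result)))
        for severity, option, message in result:
            print("  [%s] %s: %s" % (severity, option, message))
```

Run it directly to print the findings for both samples, or call audit_adapter_config on the contents of a real keycloak.json. To build the truststore, export the CA certificate that issued the Keycloak server's certificate and import it with keytool -importcert into a new JKS file, then reference that file from the adapter config rather than editing the JVM's cacerts.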
From jean.merelis at gmail.com Tue Feb 24 11:32:35 2015 From: jean.merelis at gmail.com (Jeandeson O. Merelis) Date: Tue, 24 Feb 2015 13:32:35 -0300 Subject: [keycloak-user] How to put the themes folder in the configuration folder of the wildfly on OpenShift? Message-ID: How to introduce the themes folder in the configuration folder of the wildfly on OpenShift? I put it in "/.openshift/config/" but it does not work. Is there another place where I can put the themes folder? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150224/a8f58bff/attachment.html From cjwallac at gmail.com Tue Feb 24 12:19:31 2015 From: cjwallac at gmail.com (Christopher Wallace) Date: Tue, 24 Feb 2015 12:19:31 -0500 Subject: [keycloak-user] Endpoint URL's In-Reply-To: <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> Message-ID: Yoni, Were you able to get this to work? I am attempting to get user information also using http://localhost:8082/auth/realms//protocol/openid-connect/userinfo and it doesn't bring back any data. Any tricks? Chris W. On Mon, Feb 23, 2015 at 8:16 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: yonim at odoro.co.il > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Monday, February 23, 2015 10:39:14 AM > > Subject: RE: [keycloak-user] Endpoint URL's > > > > Ok.. a bit frustrating. > > > > Any chance the 1.2.0 Beta solves some of the issues? I can build it if > > needed... > > Afraid not. We are planning to add the discovery endpoint, but it may be a > month or so before we get time.
> > > > I've tried openid4java (on top of spring security ) and another client > > (mitred one, their client not the server) and both looked for the > discovery > > endpoint. > > > > Assuming I switch from openid-connect to OAuth - how can I get the > userinfo > > after that? any special endpoint to oauth userinfo after I got the token? > > You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo with > the token. > > > > > Cheers, > > Yoni > > > > > > > > > > > > > > -----Original Message----- > > From: Stian Thorgersen [mailto:stian at redhat.com] > > Sent: Monday, February 23, 2015 10:52 AM > > To: Yoni Moses > > Cc: keycloak-user at lists.jboss.org > > Subject: Re: [keycloak-user] Endpoint URL's > > > > Hi, > > > > We haven't added the discovery part of OpenID Connect yet and there are > some > > issues with the docs as the protocol related endpoints are missing. The > > endpoints of interest to you are: > > > > * /auth/realms/{name}/protocol/openid-connect/login > > * /auth/realms/{name}/protocol/openid-connect/access/codes > > * /auth/realms/{name}/protocol/openid-connect/refresh > > * /auth/realms/{name}/protocol/openid-connect/userinfo > > > > We are actively working on better integration with other openid connect > > client libraries, so let us know what works and what doesn't. > > > > ----- Original Message ----- > > > From: "Yoni Moses" > > > To: keycloak-user at lists.jboss.org > > > Sent: Sunday, February 22, 2015 1:07:36 PM > > > Subject: [keycloak-user] Endpoint URL's > > > > > > Hi, > > > > > > I've been trying keycloak , very impressive! > > > I don't intend to use it as the sample in jee but rather through > openid > > > provider in my case its openid4java with spring security. > > > I've been struggling with configuration of the endpoint especially with > > > discovery end point.. > > > is there somewhere in the doc the list of endpoints keycloak has?
> > > so far I've been trying with /auth/realms/{name} > > > > > > > > > Thanks, > > > Yoni > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Chris Wallace cjwallac at gmail.com c: 570.582.9955 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150224/b0c1dafa/attachment.html From cjwallac at gmail.com Tue Feb 24 13:21:11 2015 From: cjwallac at gmail.com (Christopher Wallace) Date: Tue, 24 Feb 2015 13:21:11 -0500 Subject: [keycloak-user] Endpoint URL's In-Reply-To: References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> Message-ID: I am actually not able to access any of the REST urls I tried from http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html is this something that needs to be enabled or installed separately from the keycloak appliance? On Tue, Feb 24, 2015 at 12:19 PM, Christopher Wallace wrote: > Yoni, > > Were you able to get this to work? I am attempting to get user > information also using http://localhost:8082/auth/realms//protocol/openid-connect/userinfo > and it doesn't bring back any data. Any tricks? > > Chris W. > > On Mon, Feb 23, 2015 at 8:16 AM, Stian Thorgersen > wrote: > >> >> >> ----- Original Message ----- >> > From: yonim at odoro.co.il >> > To: "Stian Thorgersen" >> > Cc: keycloak-user at lists.jboss.org >> > Sent: Monday, February 23, 2015 10:39:14 AM >> > Subject: RE: [keycloak-user] Endpoint URL's >> > >> > Ok.. a bit frustrating.
>> > >> > Any chance the 1.2.0 Beta solves some of the issues? I can build it if >> > needed... >> >> Afraid not. We are planning to add the discovery endpoint, but it may be >> a month or so before we get time. >> >> > >> > I've tried openid4java (on top of spring security ) and another client >> > (mitred one, their client not the server) and both looked for the >> discovery >> > endpoint. >> > >> > Assuming I switch from openid-connect to OAuth - how can I get the >> userinfo >> > after that? any special endpoint to oauth userinfo after I got the >> token? >> >> You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo with >> the token. >> >> > >> > Cheers, >> > Yoni >> > >> > >> > >> > >> > >> > >> > -----Original Message----- >> > From: Stian Thorgersen [mailto:stian at redhat.com] >> > Sent: Monday, February 23, 2015 10:52 AM >> > To: Yoni Moses >> > Cc: keycloak-user at lists.jboss.org >> > Subject: Re: [keycloak-user] Endpoint URL's >> > >> > Hi, >> > >> > We haven't added the discovery part of OpenID Connect yet and there are >> some >> > issues with the docs as the protocol related endpoints are missing. The >> > endpoints of interest to you are: >> > >> > * /auth/realms/{name}/protocol/openid-connect/login >> > * /auth/realms/{name}/protocol/openid-connect/access/codes >> > * /auth/realms/{name}/protocol/openid-connect/refresh >> > * /auth/realms/{name}/protocol/openid-connect/userinfo >> > >> > We are actively working on better integration with other openid connect >> > client libraries, so let us know what works and what doesn't. >> > >> > ----- Original Message ----- >> > > From: "Yoni Moses" >> > > To: keycloak-user at lists.jboss.org >> > > Sent: Sunday, February 22, 2015 1:07:36 PM >> > > Subject: [keycloak-user] Endpoint URL's >> > > >> > > Hi, >> > > >> > > I've been trying keycloak , very impressive!
>> > > I don't intend to use it as the sample in jee but rather through >> openid >> > > provider in my case its openid4java with spring security. >> > > I've been struggling with configuration of the endpoint especially >> with >> > > discovery end point.. >> > > is there somewhere in the doc the list of endpoints keycloak has? >> > > so far I've been trying with /auth/realms/{name} >> > > >> > > >> > > Thanks, >> > > Yoni >> > > >> > > >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > Chris Wallace > cjwallac at gmail.com > c: 570.582.9955 > -- Chris Wallace cjwallac at gmail.com c: 570.582.9955 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150224/46cf7297/attachment.html From stian at redhat.com Wed Feb 25 00:08:45 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 25 Feb 2015 00:08:45 -0500 (EST) Subject: [keycloak-user] Endpoint URL's In-Reply-To: References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> Message-ID: <1527473679.14754419.1424840925556.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Christopher Wallace" > To: "Stian Thorgersen" > Cc: yonim at odoro.co.il, keycloak-user at lists.jboss.org > Sent: Tuesday, February 24, 2015 6:19:31 PM > Subject: Re: [keycloak-user] Endpoint URL's > > Yoni, > > Were you able to get this to work?
I am attempting to get user information > also using > http://localhost:8082/auth/realms//protocol/openid-connect/userinfo > and it doesn't bring back any data. Any trics? My bad, it's only in master and wasn't included in 1.1.0.Final > > Chris W. > > On Mon, Feb 23, 2015 at 8:16 AM, Stian Thorgersen wrote: > > > > > > > ----- Original Message ----- > > > From: yonim at odoro.co.il > > > To: "Stian Thorgersen" > > > Cc: keycloak-user at lists.jboss.org > > > Sent: Monday, February 23, 2015 10:39:14 AM > > > Subject: RE: [keycloak-user] Endpoint URL's > > > > > > Ok.. a bit frustrating. > > > > > > Any change the 1.2.0 Beta solves some of the issues? I can build it if > > > needed... > > > > Afraid not. We are planning to add the discovery endpoint, but it may be a > > month or so before we get time. > > > > > > > > I've tried openid4java (on top of spring security ) and another client > > > (mitred one, their client not the server) and both looked for the > > discovery > > > endpoint. > > > > > > Assuming I switch from opened-connect to OAuth - how can I get the > > userinfo > > > after that? any special endpoint to oauth userinfo after I got the token? > > > > You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo with > > the token. > > > > > > > > Cheers, > > > Yoni > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > From: Stian Thorgersen [mailto:stian at redhat.com] > > > Sent: Monday, February 23, 2015 10:52 AM > > > To: Yoni Moses > > > Cc: keycloak-user at lists.jboss.org > > > Subject: Re: [keycloak-user] Endpoint URL's > > > > > > Hi, > > > > > > We haven't added the discovery part of OpenID Connect yet and there are > > some > > > issues with the docs as the protocol related endpoints are missing. 
The > > > endpoints of interest to you are: > > > > > > * /auth/realms/{name}/protocol/openid-connect/login > > > * /auth/realms/{name}/protocol/openid-connect/access/codes > > > * /auth/realms/{name}/protocol/openid-connect/refresh > > > * /auth/realms/{name}/protocol/openid-connect/userinfo > > > > > > We are actively working on better integration with other openid connect > > > client libraries, so let us know what works and what doesn't. > > > > > > ----- Original Message ----- > > > > From: "Yoni Moses" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Sunday, February 22, 2015 1:07:36 PM > > > > Subject: [keycloak-user] Endpoint URL's > > > > > > > > Hi, > > > > > > > > I've been trying keycloak , very impressive! > > > > I don't intended to use it as the sample in jee but rather through > > openid > > > > provider in my case its openid4java with spring security. > > > > I've been struggling with configuration of the endpoint especially with > > > > discovery end point.. > > > > is there somewhere in the doc the list of endpoints keycloak has? 
> > > > so far I've been trying with /auth/realms/{name} > > > > > > > > > > > > Thanks, > > > > Yoni > > > > > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Chris Wallace > cjwallac at gmail.com > c: 570.582.9955 >

From stian at redhat.com Wed Feb 25 00:10:42 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 25 Feb 2015 00:10:42 -0500 (EST)
Subject: [keycloak-user] Endpoint URL's
In-Reply-To:
References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com>
Message-ID: <1379677617.14754618.1424841042242.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Christopher Wallace"
> To: "Stian Thorgersen"
> Cc: yonim at odoro.co.il, keycloak-user at lists.jboss.org
> Sent: Tuesday, February 24, 2015 7:21:11 PM
> Subject: Re: [keycloak-user] Endpoint URL's
>
> I am actually not able to access any of the REST URLs I tried from
> http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html
> Is this something that needs to be enabled or installed separately from the
> keycloak appliance?

They should work fine as long as you have a token to invoke them with. Have you looked at the admin-access-app example? We also have a Java wrapper for this that makes it easier to invoke from Java; see the admin-client example for that.

> > On Tue, Feb 24, 2015 at 12:19 PM, Christopher Wallace > wrote: > > > Yoni, > > > > Were you able to get this to work? 
I am attempting to get user > > information also using > > http://localhost:8082/auth/realms//protocol/openid-connect/userinfo > > and it doesn't bring back any data. Any trics? > > > > Chris W. > > > > On Mon, Feb 23, 2015 at 8:16 AM, Stian Thorgersen > > wrote: > > > >> > >> > >> ----- Original Message ----- > >> > From: yonim at odoro.co.il > >> > To: "Stian Thorgersen" > >> > Cc: keycloak-user at lists.jboss.org > >> > Sent: Monday, February 23, 2015 10:39:14 AM > >> > Subject: RE: [keycloak-user] Endpoint URL's > >> > > >> > Ok.. a bit frustrating. > >> > > >> > Any change the 1.2.0 Beta solves some of the issues? I can build it if > >> > needed... > >> > >> Afraid not. We are planning to add the discovery endpoint, but it may be > >> a month or so before we get time. > >> > >> > > >> > I've tried openid4java (on top of spring security ) and another client > >> > (mitred one, their client not the server) and both looked for the > >> discovery > >> > endpoint. > >> > > >> > Assuming I switch from opened-connect to OAuth - how can I get the > >> userinfo > >> > after that? any special endpoint to oauth userinfo after I got the > >> token? > >> > >> You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo with > >> the token. > >> > >> > > >> > Cheers, > >> > Yoni > >> > > >> > > >> > > >> > > >> > > >> > > >> > -----Original Message----- > >> > From: Stian Thorgersen [mailto:stian at redhat.com] > >> > Sent: Monday, February 23, 2015 10:52 AM > >> > To: Yoni Moses > >> > Cc: keycloak-user at lists.jboss.org > >> > Subject: Re: [keycloak-user] Endpoint URL's > >> > > >> > Hi, > >> > > >> > We haven't added the discovery part of OpenID Connect yet and there are > >> some > >> > issues with the docs as the protocol related endpoints are missing. 
The > >> > endpoints of interest to you are: > >> > > >> > * /auth/realms/{name}/protocol/openid-connect/login > >> > * /auth/realms/{name}/protocol/openid-connect/access/codes > >> > * /auth/realms/{name}/protocol/openid-connect/refresh > >> > * /auth/realms/{name}/protocol/openid-connect/userinfo > >> > > >> > We are actively working on better integration with other openid connect > >> > client libraries, so let us know what works and what doesn't. > >> > > >> > ----- Original Message ----- > >> > > From: "Yoni Moses" > >> > > To: keycloak-user at lists.jboss.org > >> > > Sent: Sunday, February 22, 2015 1:07:36 PM > >> > > Subject: [keycloak-user] Endpoint URL's > >> > > > >> > > Hi, > >> > > > >> > > I've been trying keycloak , very impressive! > >> > > I don't intended to use it as the sample in jee but rather through > >> openid > >> > > provider in my case its openid4java with spring security. > >> > > I've been struggling with configuration of the endpoint especially > >> with > >> > > discovery end point.. > >> > > is there somewhere in the doc the list of endpoints keycloak has? 
> >> > > so far I've been trying with /auth/realms/{name} > >> > > > >> > > > >> > > Thanks, > >> > > Yoni > >> > > > >> > > > >> > > _______________________________________________ > >> > > keycloak-user mailing list > >> > > keycloak-user at lists.jboss.org > >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > >> > > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > > > -- > > Chris Wallace > > cjwallac at gmail.com > > c: 570.582.9955 > > > > > > -- > Chris Wallace > cjwallac at gmail.com > c: 570.582.9955 > From stian at redhat.com Wed Feb 25 00:33:25 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 25 Feb 2015 00:33:25 -0500 (EST) Subject: [keycloak-user] How to put the themes folder in the configuration folder of the wildfly on OpenShift? In-Reply-To: References: Message-ID: <1663299422.14757728.1424842405872.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Jeandeson O. Merelis" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, February 24, 2015 5:32:35 PM > Subject: [keycloak-user] How to put the themes folder in the configuration folder of the wildfly on OpenShift? > > How to introduce the themes folder in the configuration folder of the wildfly > on OpenShift? > > I introduced in "/.openshift/config/" but does not work. > > Is there another place where I can put the themes folder? No, I'm afraid the only option to do this atm is to fork the cartridge itself. 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From cjwallac at gmail.com Wed Feb 25 07:34:15 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Wed, 25 Feb 2015 07:34:15 -0500
Subject: [keycloak-user] Endpoint URL's
In-Reply-To: <1379677617.14754618.1424841042242.JavaMail.zimbra@redhat.com>
References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> <1379677617.14754618.1424841042242.JavaMail.zimbra@redhat.com>
Message-ID:

I am receiving "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8082/auth/realms/worktrac/protocol/openid-connect/userinfo. This can be fixed by moving the resource to the same domain or enabling CORS." What 'application' does the http://localhost:8082/auth/realms/worktrac/protocol/openid-connect/userinfo URL use for its origins? I have the worktrac realm, worktrac app and account app both configured with http://localhost:8080/* which is the origin. Also it seems like that's the error it's indicating, but I also see a 404 error for this URL. I have a valid subject, idtoken and token, as I printed them to the console and included below. I also pasted the java code and my keycloak.json, which seems to be working up to "Here 2". It seems this is 90% there; it's just failing at the actual call.
*"subject"* *"441e652f-fc78-453e-90dd-2b998eb771d7" "idtoken""eyJhbGciOiJSUzI1NiJ9.eyJuYW1lIjoiQ2hyaXMgV2FsbGFjZSBXYWxsYWNlIiwiZW1haWwiOiJjaHJpcy53YWxhbGNlQG1lZGljYWxwYXlyZXZpZXcuY29tIiwianRpIjoiNWJmZDlkYzItYzU1NC00YTY2LWE0MDAtN2EwNmQxODZjNDNmIiwiZXhwIjoxNDI0ODY3NTA4LCJuYmYiOjAsImlhdCI6MTQyNDg2NzIwOCwiaXNzIjoid29ya3RyYWMiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNDQxZTY1MmYtZmM3OC00NTNlLTkwZGQtMmI5OThlYjc3MWQ3IiwiYXpwIjoiYWNjb3VudCIsImdpdmVuX25hbWUiOiJDaHJpcyBXYWxsYWNlIiwiZmFtaWx5X25hbWUiOiJXYWxsYWNlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiY2p3IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlfQ.HNR7tHN7jngluZNEJsrL-CVDzP96mIm4jMZVqvy56w_rsRjvvTuvj8Ke4raWyDVXzbZv4TmSk5iobPAzXlUCx4KLlHlrC6W5yTGXJ20Mgn73PHlsM3dCOJIyFYs6o2J19a8iZyHtuS5BwXiR44Ba5xPmzw9LVNmOm4ppropTPgE" MyController.js:86"token" "eyJhbGciOiJSUzI1NiJ9.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.R8NdAIf2P3-6JfxE9maP6PtPGE04zdM8LgaUbLqqfKOEDu2Pe5JMoUO5tbD20_oYMe_gr6jZOJsOmY01VtuWHVYczS7KIRXm3KnmrKIBeNXETPineb1wT7MgtzKYcf3MqoLcje1vR48iTbVlSszb2Np8Jqo4wa7cGSfadaZApgU" * var keycloak = Keycloak(); var loadData = function () { console.log(keycloak.subject); console.log('idtoken'); console.log(keycloak.idToken); console.log('token'); console.log(keycloak.token); var url = ' http://localhost:8082/auth/realms/worktrac/protocol/openid-connect/userinfo '; var req = new XMLHttpRequest(); req.open('GET', url, true); req.setRequestHeader('Accept', 'application/json'); req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token); console.log('Here 1'); req.onreadystatechange = function () { if (req.readyState == 4) { console.log('Here 2'); if (req.status == 200) { console.log('render page 3'); var users = JSON.parse(req.responseText); var html = ''; for (var i = 0; i < users.length; i++) { html += '

' + users[i] + '

'; } console.log('HTML'); console.log(html); console.log('finished loading data'); } } }; req.send(); }; var loadFailure = function () { document.getElementById('customers').innerHTML = 'Failed to load data. Check console log'; }; var reloadData = function () { keycloak.updateToken(10) .success(loadData) .error(function() { document.getElementById('customers').innerHTML = 'Failed to load data. User is logged out.'; }); }; keycloak.init({ onLoad: 'login-required' }).success(reloadData); keycloak.json { "realm": "worktrac", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJSuOKHBTZxV4/KKAZH8i4+nB/65IY8VDe+70pWrJSpm0pJICfSbnSmJ3YFKKK3B1RR1Ev8mxFRyVTVm+TZgflkZ8HJM+wfEGgySMZvBlRAsR2yI0mmTrbGBA8c6RJAA4B2+9nxk0/iXCJGq545aDvbXjPMuhy6zf3OqpdqgcFYQIDAQAB", "auth-server-url": "http://localhost:8082/auth", "ssl-required": "none", "resource": "worktrac", "public-client": true, "use-resource-role-mappings": true, "enable-cors" : true, "cors-max-age" : 1000, "cors-allowed-methods": "POST, PUT, DELETE, GET" } On Wed, Feb 25, 2015 at 12:10 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Christopher Wallace" > > To: "Stian Thorgersen" > > Cc: yonim at odoro.co.il, keycloak-user at lists.jboss.org > > Sent: Tuesday, February 24, 2015 7:21:11 PM > > Subject: Re: [keycloak-user] Endpoint URL's > > > > I am actually not able to access any of the REST urls I tried from > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html > > is this something that needs to be enabled or installed speratly from the > > keycloak appliance? > > They should work fine as long as you have a token to invoke them with. > Have you look at admin-access-app example? We also have a Java wrapper for > this that makes it easier to invoke from Java, see the admin-client example > for that. > > > > > On Tue, Feb 24, 2015 at 12:19 PM, Christopher Wallace < > cjwallac at gmail.com> > > wrote: > > > > > Yoni, > > > > > > Where you able to get this to work? 
I am attempting to get user > > > information also using > > > http://localhost:8082/auth/realms/ > /protocol/openid-connect/userinfo > > > and it doesn't bring back any data. Any trics? > > > > > > Chris W. > > > > > > On Mon, Feb 23, 2015 at 8:16 AM, Stian Thorgersen > > > wrote: > > > > > >> > > >> > > >> ----- Original Message ----- > > >> > From: yonim at odoro.co.il > > >> > To: "Stian Thorgersen" > > >> > Cc: keycloak-user at lists.jboss.org > > >> > Sent: Monday, February 23, 2015 10:39:14 AM > > >> > Subject: RE: [keycloak-user] Endpoint URL's > > >> > > > >> > Ok.. a bit frustrating. > > >> > > > >> > Any change the 1.2.0 Beta solves some of the issues? I can build it > if > > >> > needed... > > >> > > >> Afraid not. We are planning to add the discovery endpoint, but it may > be > > >> a month or so before we get time. > > >> > > >> > > > >> > I've tried openid4java (on top of spring security ) and another > client > > >> > (mitred one, their client not the server) and both looked for the > > >> discovery > > >> > endpoint. > > >> > > > >> > Assuming I switch from opened-connect to OAuth - how can I get the > > >> userinfo > > >> > after that? any special endpoint to oauth userinfo after I got the > > >> token? > > >> > > >> You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo > with > > >> the token. > > >> > > >> > > > >> > Cheers, > > >> > Yoni > > >> > > > >> > > > >> > > > >> > > > >> > > > >> > > > >> > -----Original Message----- > > >> > From: Stian Thorgersen [mailto:stian at redhat.com] > > >> > Sent: Monday, February 23, 2015 10:52 AM > > >> > To: Yoni Moses > > >> > Cc: keycloak-user at lists.jboss.org > > >> > Subject: Re: [keycloak-user] Endpoint URL's > > >> > > > >> > Hi, > > >> > > > >> > We haven't added the discovery part of OpenID Connect yet and there > are > > >> some > > >> > issues with the docs as the protocol related endpoints are missing. 
> The > > >> > endpoints of interest to you are: > > >> > > > >> > * /auth/realms/{name}/protocol/openid-connect/login > > >> > * /auth/realms/{name}/protocol/openid-connect/access/codes > > >> > * /auth/realms/{name}/protocol/openid-connect/refresh > > >> > * /auth/realms/{name}/protocol/openid-connect/userinfo > > >> > > > >> > We are actively working on better integration with other openid > connect > > >> > client libraries, so let us know what works and what doesn't. > > >> > > > >> > ----- Original Message ----- > > >> > > From: "Yoni Moses" > > >> > > To: keycloak-user at lists.jboss.org > > >> > > Sent: Sunday, February 22, 2015 1:07:36 PM > > >> > > Subject: [keycloak-user] Endpoint URL's > > >> > > > > >> > > Hi, > > >> > > > > >> > > I've been trying keycloak , very impressive! > > >> > > I don't intended to use it as the sample in jee but rather through > > >> openid > > >> > > provider in my case its openid4java with spring security. > > >> > > I've been struggling with configuration of the endpoint especially > > >> with > > >> > > discovery end point.. > > >> > > is there somewhere in the doc the list of endpoints keycloak has? 
> > >> > > so far I've been trying with /auth/realms/{name} > > >> > > > > >> > > > > >> > > Thanks, > > >> > > Yoni > > >> > > > > >> > > > > >> > > _______________________________________________ > > >> > > keycloak-user mailing list > > >> > > keycloak-user at lists.jboss.org > > >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > >> > > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > > > > > > > > > > > -- > > > Chris Wallace > > > cjwallac at gmail.com > > > c: 570.582.9955 > > > > > > > > > > > -- > > Chris Wallace > > cjwallac at gmail.com > > c: 570.582.9955 > > > -- Chris Wallace cjwallac at gmail.com c: 570.582.9955 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150225/416a2d25/attachment-0001.html

From cjwallac at gmail.com Wed Feb 25 07:41:27 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Wed, 25 Feb 2015 07:41:27 -0500
Subject: [keycloak-user] Endpoint URL's
In-Reply-To:
References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> <1379677617.14754618.1424841042242.JavaMail.zimbra@redhat.com>
Message-ID:

One correction: this is referring to the account app JSON, not worktrac, as specified below:

{ "realm": "worktrac", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJSuOKHBTZxV4/KKAZH8i4+nB/65IY8VDe+70pWrJSpm0pJICfSbnSmJ3YFKKK3B1RR1Ev8mxFRyVTVm+TZgflkZ8HJM+wfEGgySMZvBlRAsR2yI0mmTrbGBA8c6RJAA4B2+9nxk0/iXCJGq545aDvbXjPMuhy6zf3OqpdqgcFYQIDAQAB", "auth-server-url": "http://localhost:8082/auth", "ssl-required": "none", "resource": "account", "public-client": true, "use-resource-role-mappings": true, "enable-cors" : true, "cors-max-age" : 1000, 
"cors-allowed-methods": "POST, PUT, DELETE, GET" } On Wed, Feb 25, 2015 at 7:34 AM, Christopher Wallace wrote: > I am receiving Cross-Origin Request Blocked: The Same Origin Policy > disallows reading the remote resource at > http://localhost:8082/auth/realms/worktrac/protocol/openid-connect/userinfo. > This can be fixed by moving the resource to the same domain or enabling > CORS. What 'application' does the > http://localhost:8082/auth/realms/worktrac/protocol/openid-connect/userinfo > url use for it's origins? I have worktrac realm worktrac app and account > app both configured with http://localhost:8080/* which is the origin. > Also it seems like that's the errors it's indicated, but I also see a 404 > error for this URL. I have valid Subject, idtoken and token as I printed > them to the console and included below. I also pasted the java code and my > keycloak.json which seems to be working upto "Here 2". It seems this is 90% > there it's just failing at the actual call. > > > *"subject"* > > > > > > *"441e652f-fc78-453e-90dd-2b998eb771d7" > "idtoken""eyJhbGciOiJSUzI1NiJ9.eyJuYW1lIjoiQ2hyaXMgV2FsbGFjZSBXYWxsYWNlIiwiZW1haWwiOiJjaHJpcy53YWxhbGNlQG1lZGljYWxwYXlyZXZpZXcuY29tIiwianRpIjoiNWJmZDlkYzItYzU1NC00YTY2LWE0MDAtN2EwNmQxODZjNDNmIiwiZXhwIjoxNDI0ODY3NTA4LCJuYmYiOjAsImlhdCI6MTQyNDg2NzIwOCwiaXNzIjoid29ya3RyYWMiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNDQxZTY1MmYtZmM3OC00NTNlLTkwZGQtMmI5OThlYjc3MWQ3IiwiYXpwIjoiYWNjb3VudCIsImdpdmVuX25hbWUiOiJDaHJpcyBXYWxsYWNlIiwiZmFtaWx5X25hbWUiOiJXYWxsYWNlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiY2p3IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlfQ.HNR7tHN7jngluZNEJsrL-CVDzP96mIm4jMZVqvy56w_rsRjvvTuvj8Ke4raWyDVXzbZv4TmSk5iobPAzXlUCx4KLlHlrC6W5yTGXJ20Mgn73PHlsM3dCOJIyFYs6o2J19a8iZyHtuS5BwXiR44Ba5xPmzw9LVNmOm4ppropTPgE" > MyController.js:86"token" > 
"eyJhbGciOiJSUzI1NiJ9.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.R8NdAIf2P3-6JfxE9maP6PtPGE04zdM8LgaUbLqqfKOEDu2Pe5JMoUO5tbD20_oYMe_gr6jZOJsOmY01VtuWHVYczS7KIRXm3KnmrKIBeNXETPineb1wT7MgtzKYcf3MqoLcje1vR48iTbVlSszb2Np8Jqo4wa7cGSfadaZApgU" > * > > var keycloak = Keycloak(); > var loadData = function () { > > console.log(keycloak.subject); > console.log('idtoken'); > console.log(keycloak.idToken); > console.log('token'); > console.log(keycloak.token); > > var url = ' > http://localhost:8082/auth/realms/worktrac/protocol/openid-connect/userinfo > '; > var req = new XMLHttpRequest(); > > req.open('GET', url, true); > req.setRequestHeader('Accept', 'application/json'); > req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token); > > console.log('Here 1'); > req.onreadystatechange = function () { > if (req.readyState == 4) { > console.log('Here 2'); > if (req.status == 200) { > console.log('render page 3'); > var users = JSON.parse(req.responseText); > var html = ''; > for (var i = 0; i < users.length; i++) { > html += '

' + users[i] + '

'; > } > console.log('HTML'); > console.log(html); > console.log('finished loading data'); > } > } > }; > > req.send(); > }; > > > var loadFailure = function () { > document.getElementById('customers').innerHTML = 'Failed to > load data. Check console log'; > }; > > var reloadData = function () { > keycloak.updateToken(10) > .success(loadData) > .error(function() { > document.getElementById('customers').innerHTML = 'Failed to > load data. User is logged out.'; > }); > }; > > > keycloak.init({ onLoad: 'login-required' }).success(reloadData); > > keycloak.json > { > "realm": "worktrac", > "realm-public-key": > "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJSuOKHBTZxV4/KKAZH8i4+nB/65IY8VDe+70pWrJSpm0pJICfSbnSmJ3YFKKK3B1RR1Ev8mxFRyVTVm+TZgflkZ8HJM+wfEGgySMZvBlRAsR2yI0mmTrbGBA8c6RJAA4B2+9nxk0/iXCJGq545aDvbXjPMuhy6zf3OqpdqgcFYQIDAQAB", > "auth-server-url": "http://localhost:8082/auth", > "ssl-required": "none", > "resource": "worktrac", > "public-client": true, > "use-resource-role-mappings": true, > "enable-cors" : true, > "cors-max-age" : 1000, > "cors-allowed-methods": "POST, PUT, DELETE, GET" > } > > On Wed, Feb 25, 2015 at 12:10 AM, Stian Thorgersen > wrote: > >> >> >> ----- Original Message ----- >> > From: "Christopher Wallace" >> > To: "Stian Thorgersen" >> > Cc: yonim at odoro.co.il, keycloak-user at lists.jboss.org >> > Sent: Tuesday, February 24, 2015 7:21:11 PM >> > Subject: Re: [keycloak-user] Endpoint URL's >> > >> > I am actually not able to access any of the REST urls I tried from >> > >> http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html >> > is this something that needs to be enabled or installed speratly from >> the >> > keycloak appliance? >> >> They should work fine as long as you have a token to invoke them with. >> Have you look at admin-access-app example? We also have a Java wrapper for >> this that makes it easier to invoke from Java, see the admin-client example >> for that. 
>> >> > >> > On Tue, Feb 24, 2015 at 12:19 PM, Christopher Wallace < >> cjwallac at gmail.com> >> > wrote: >> > >> > > Yoni, >> > > >> > > Where you able to get this to work? I am attempting to get user >> > > information also using >> > > http://localhost:8082/auth/realms/ >> /protocol/openid-connect/userinfo >> > > and it doesn't bring back any data. Any trics? >> > > >> > > Chris W. >> > > >> > > On Mon, Feb 23, 2015 at 8:16 AM, Stian Thorgersen >> > > wrote: >> > > >> > >> >> > >> >> > >> ----- Original Message ----- >> > >> > From: yonim at odoro.co.il >> > >> > To: "Stian Thorgersen" >> > >> > Cc: keycloak-user at lists.jboss.org >> > >> > Sent: Monday, February 23, 2015 10:39:14 AM >> > >> > Subject: RE: [keycloak-user] Endpoint URL's >> > >> > >> > >> > Ok.. a bit frustrating. >> > >> > >> > >> > Any change the 1.2.0 Beta solves some of the issues? I can build >> it if >> > >> > needed... >> > >> >> > >> Afraid not. We are planning to add the discovery endpoint, but it >> may be >> > >> a month or so before we get time. >> > >> >> > >> > >> > >> > I've tried openid4java (on top of spring security ) and another >> client >> > >> > (mitred one, their client not the server) and both looked for the >> > >> discovery >> > >> > endpoint. >> > >> > >> > >> > Assuming I switch from opened-connect to OAuth - how can I get the >> > >> userinfo >> > >> > after that? any special endpoint to oauth userinfo after I got the >> > >> token? >> > >> >> > >> You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo >> with >> > >> the token. 
>> > >> >> > >> > >> > >> > Cheers, >> > >> > Yoni >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > -----Original Message----- >> > >> > From: Stian Thorgersen [mailto:stian at redhat.com] >> > >> > Sent: Monday, February 23, 2015 10:52 AM >> > >> > To: Yoni Moses >> > >> > Cc: keycloak-user at lists.jboss.org >> > >> > Subject: Re: [keycloak-user] Endpoint URL's >> > >> > >> > >> > Hi, >> > >> > >> > >> > We haven't added the discovery part of OpenID Connect yet and >> there are >> > >> some >> > >> > issues with the docs as the protocol related endpoints are >> missing. The >> > >> > endpoints of interest to you are: >> > >> > >> > >> > * /auth/realms/{name}/protocol/openid-connect/login >> > >> > * /auth/realms/{name}/protocol/openid-connect/access/codes >> > >> > * /auth/realms/{name}/protocol/openid-connect/refresh >> > >> > * /auth/realms/{name}/protocol/openid-connect/userinfo >> > >> > >> > >> > We are actively working on better integration with other openid >> connect >> > >> > client libraries, so let us know what works and what doesn't. >> > >> > >> > >> > ----- Original Message ----- >> > >> > > From: "Yoni Moses" >> > >> > > To: keycloak-user at lists.jboss.org >> > >> > > Sent: Sunday, February 22, 2015 1:07:36 PM >> > >> > > Subject: [keycloak-user] Endpoint URL's >> > >> > > >> > >> > > Hi, >> > >> > > >> > >> > > I've been trying keycloak , very impressive! >> > >> > > I don't intended to use it as the sample in jee but rather >> through >> > >> openid >> > >> > > provider in my case its openid4java with spring security. >> > >> > > I've been struggling with configuration of the endpoint >> especially >> > >> with >> > >> > > discovery end point.. >> > >> > > is there somewhere in the doc the list of endpoints keycloak has? 
>> > >> > > so far I've been trying with /auth/realms/{name} >> > >> > > >> > >> > > >> > >> > > Thanks, >> > >> > > Yoni >> > >> > > >> > >> > > >> > >> > > _______________________________________________ >> > >> > > keycloak-user mailing list >> > >> > > keycloak-user at lists.jboss.org >> > >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > >> > >> >> > >> _______________________________________________ >> > >> keycloak-user mailing list >> > >> keycloak-user at lists.jboss.org >> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> >> > > >> > > >> > > >> > > -- >> > > Chris Wallace >> > > cjwallac at gmail.com >> > > c: 570.582.9955 >> > > >> > >> > >> > >> > -- >> > Chris Wallace >> > cjwallac at gmail.com >> > c: 570.582.9955 >> > >> > > > > -- > Chris Wallace > cjwallac at gmail.com > c: 570.582.9955 > -- Chris Wallace cjwallac at gmail.com c: 570.582.9955 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150225/c5dfbd51/attachment-0001.html

From yonim at odoro.co.il Thu Feb 26 05:43:03 2015
From: yonim at odoro.co.il (yonim at odoro.co.il)
Date: Thu, 26 Feb 2015 12:43:03 +0200
Subject: [keycloak-user] Endpoint URL's
In-Reply-To:
References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com>
Message-ID: <074601d051b1$00d1b8f0$02752ad0$@odoro.co.il>

Sorry for the late response. Yeah, the endpoints actually worked ;) But the fact that we haven't found a client that supports OpenID Connect makes us think of switching to OAuth.

From: Christopher Wallace [mailto:cjwallac at gmail.com]
Sent: Tuesday, February 24, 2015 7:20 PM
To: Stian Thorgersen
Cc: yonim at odoro.co.il; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Endpoint URL's

Yoni,

Were you able to get this to work? 
I am attempting to get user information also using http://localhost:8082/auth/realms//protocol/openid-connect/userinfo and it doesn't bring back any data. Any trics? Chris W. On Mon, Feb 23, 2015 at 8:16 AM, Stian Thorgersen > wrote: ----- Original Message ----- > From: yonim at odoro.co.il > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > Sent: Monday, February 23, 2015 10:39:14 AM > Subject: RE: [keycloak-user] Endpoint URL's > > Ok.. a bit frustrating. > > Any change the 1.2.0 Beta solves some of the issues? I can build it if > needed... Afraid not. We are planning to add the discovery endpoint, but it may be a month or so before we get time. > > I've tried openid4java (on top of spring security ) and another client > (mitred one, their client not the server) and both looked for the discovery > endpoint. > > Assuming I switch from opened-connect to OAuth - how can I get the userinfo > after that? any special endpoint to oauth userinfo after I got the token? You can invoke /auth/realms/{name}/protocol/openid-connect/userinfo with the token. > > Cheers, > Yoni > > > > > > > -----Original Message----- > From: Stian Thorgersen [mailto:stian at redhat.com ] > Sent: Monday, February 23, 2015 10:52 AM > To: Yoni Moses > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Endpoint URL's > > Hi, > > We haven't added the discovery part of OpenID Connect yet and there are some > issues with the docs as the protocol related endpoints are missing. The > endpoints of interest to you are: > > * /auth/realms/{name}/protocol/openid-connect/login > * /auth/realms/{name}/protocol/openid-connect/access/codes > * /auth/realms/{name}/protocol/openid-connect/refresh > * /auth/realms/{name}/protocol/openid-connect/userinfo > > We are actively working on better integration with other openid connect > client libraries, so let us know what works and what doesn't. 
> > ----- Original Message ----- > > From: "Yoni Moses" > > > To: keycloak-user at lists.jboss.org > > Sent: Sunday, February 22, 2015 1:07:36 PM > > Subject: [keycloak-user] Endpoint URL's > > > > Hi, > > > > I've been trying keycloak, very impressive! > > I don't intend to use it as the sample in jee but rather through openid > > provider in my case its openid4java with spring security. > > I've been struggling with configuration of the endpoint especially with > > discovery end point.. > > is there somewhere in the doc the list of endpoints keycloak has? > > so far I've been trying with /auth/realms/{name} > > > > > > Thanks, > > Yoni > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- Chris Wallace cjwallac at gmail.com c: 570.582.9955 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150226/742f5de4/attachment.html

From bburke at redhat.com Thu Feb 26 07:55:52 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 26 Feb 2015 07:55:52 -0500
Subject: [keycloak-user] Endpoint URL's
In-Reply-To: <074601d051b1$00d1b8f0$02752ad0$@odoro.co.il>
References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> <074601d051b1$00d1b8f0$02752ad0$@odoro.co.il>
Message-ID: <54EF17D8.1040602@redhat.com>

OpenID Connect is an OAuth extension. OAuth is just a framework and not a complete protocol. It is also just an authorization framework. OpenID Connect adds authentication as well as all the other details a real protocol needs.

On 2/26/2015 5:43 AM, yonim at odoro.co.il wrote:
> Sorry for the late response..
>
> Yeah. The endpoints actually worked;)
>
> But the fact that we haven't found a client that supports the
> openid-connect makes us think to switch to oauth..
>
> *From:*Christopher Wallace [mailto:cjwallac at gmail.com]
> *Sent:* Tuesday, February 24, 2015 7:20 PM
> *To:* Stian Thorgersen
> *Cc:* yonim at odoro.co.il; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Endpoint URL's
>
> Yoni,
>
> Were you able to get this to work? I am attempting to get user
> information also using
> http://localhost:8082/auth/realms//protocol/openid-connect/userinfo
> and it doesn't bring back any data. Any tricks?
>
> Chris W.
>
> [...]

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From yonim at odoro.co.il Thu Feb 26 08:55:43 2015
From: yonim at odoro.co.il (yonim at odoro.co.il)
Date: Thu, 26 Feb 2015 15:55:43 +0200
Subject: [keycloak-user] Endpoint URL's
In-Reply-To: <54EF17D8.1040602@redhat.com>
References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> <074601d051b1$00d1b8f0$02752ad0$@odoro.co.il> <54EF17D8.1040602@redhat.com>
Message-ID: <0a0001d051cb$f28e5710$d7ab0530$@odoro.co.il>

Yeah, I know that.. the thing is that we couldn't get our java client (and
we tried several) to work against the openid-connect, we got stuck in the
discovery part.. so we thought about just using the oauth part

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Thursday, February 26, 2015 2:56 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Endpoint URL's

Openid Connect is an OAuth extension. OAuth is just a framework and not a
complete protocol. It is also just an authorization framework.
OpenID Connect adds authentication as well as all the other details a real
protocol needs.

[...]

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From cjwallac at gmail.com Thu Feb 26 10:21:39 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Thu, 26 Feb 2015 10:21:39 -0500
Subject: [keycloak-user] ORIGIN for /database/customers

I am attempting to use the Javascript Adapter. I think I have the javascript
correct, but when I go to put the request to /database/customers I get:

XMLHttpRequest cannot load http://localhost:8082/database/customers. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8080' is therefore not allowed access. The response
had HTTP status code 405.

I have CORS working for authentication from http://localhost:8080; is there
a different place to allow this origin for /database/customers outside of
the application inside of the realm I have defined?

-- 
Chris Wallace
cjwallac at gmail.com
From cjwallac at gmail.com Thu Feb 26 11:05:01 2015
From: cjwallac at gmail.com (Christopher Wallace)
Date: Thu, 26 Feb 2015 11:05:01 -0500
Subject: [keycloak-user] ORIGIN for /database/customers

I was able to SUCCESSFULLY obtain the JSON user information using the
following javascript:

    var keycloak = Keycloak('http://localhost:8080/app/keycloak.json');

    // Log the claims of the parsed access token once a valid token is held.
    var loadData = function () {
        console.log(keycloak.tokenParsed);
        var user = JSON.stringify(keycloak.tokenParsed);
        console.log(user);
    };

    var loadFailure = function () {
        console.log('Failed to load data. Check console log');
    };

    // Refresh the token if it expires within 10 seconds, then load the data.
    var reloadData = function () {
        keycloak.updateToken(10)
            .success(loadData)
            .error(function() {
                console.log('Failed to load data. User is logged out.');
            });
    };

    // Force a login before anything else runs, then fetch the data.
    keycloak.init({ onLoad: 'login-required' }).success(reloadData);

On Thu, Feb 26, 2015 at 10:21 AM, Christopher Wallace wrote:
> I am attempting to use the Javascript Adapter. I think I have the javascript
> correct, but when I go to put the request to /database/customers I get:
>
> XMLHttpRequest cannot load http://localhost:8082/database/customers. No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin 'http://localhost:8080' is therefore not allowed access. The
> response had HTTP status code 405.
>
> I have CORS working for authentication from http://localhost:8080; is
> there a different place to allow this origin for /database/customers
> outside of the application inside of the realm I have defined?
>
> --
> Chris Wallace
> cjwallac at gmail.com

-- 
Chris Wallace
cjwallac at gmail.com
c: 570.582.9955
From bburke at redhat.com Thu Feb 26 12:10:54 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 26 Feb 2015 12:10:54 -0500
Subject: [keycloak-user] ORIGIN for /database/customers
Message-ID: <54EF539E.1020105@redhat.com>

We need to provide this functionality in keycloak.js so you don't have to do it.

On 2/26/2015 11:05 AM, Christopher Wallace wrote:
> I was able to SUCCESSFULLY obtain the JSON user information using the
> following javascript:
> var keycloak = Keycloak('http://localhost:8080/app/keycloak.json');
> var loadData = function () {
>     console.log(keycloak.tokenParsed);
>     var user = JSON.stringify(keycloak.tokenParsed);
>     console.log(user);
> };
>
> var loadFailure = function () {
>     console.log('Failed to load data. Check console log');
> };
>
> var reloadData = function () {
>     keycloak.updateToken(10)
>         .success(loadData)
>         .error(function() {
>             console.log('Failed to load data. User is logged out.');
>         });
> };
>
> keycloak.init({ onLoad: 'login-required' }).success(reloadData);
> }, null, this);
>
> [...]

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Peng.Chen at halliburton.com Thu Feb 26 15:25:42 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Thu, 26 Feb 2015 20:25:42 +0000
Subject: [keycloak-user] cluster configuration

I am using keycloak 1.1, and tried to configure the cluster with 2 nodes. I
am using apache httpd-2.2 as front end for both nodes. The log shows both
nodes.

I deployed KeyCloakWebTest.war on both nodes and had no problem accessing it.

But when I try to access /auth/admin, it did not work:
1. If both nodes are running, after inputting the correct username/password,
   the same login page will show up again.
2. I stopped one node and logged in with the same user; it is successful and
   I am able to manage my Realms.
3. Then I started the other node, and on clicking any action in my already
   logged-in session, the browser shows the login page again and in the
   newly started node the following exception shows up:

    14:22:42,033 WARN [org.jboss.resteasy.core.SynchronousDispatcher] (ajp-/127.0.0.1:8009-2) Failed executing GET /admin/serverinfo: org.jboss.resteasy.spi.UnauthorizedException: Bearer
        at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152) [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]

How can I fix this?

Thanks
Kevin

----------------------------------------------------------------------
This e-mail, including any attached files, may contain confidential and
privileged information for the sole use of the intended recipient. Any
review, use, distribution, or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive information
for the intended recipient), please contact the sender by reply e-mail and
delete all copies of this message.

From stian at redhat.com Fri Feb 27 00:54:02 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 27 Feb 2015 00:54:02 -0500 (EST)
Subject: [keycloak-user] cluster configuration
Message-ID: <633939535.16929093.1425016442374.JavaMail.zimbra@redhat.com>

Have you followed the docs
(http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html)?
You need:

* Keycloak 1.1.0.Final
* Shared DB
* Properly configured Infinispan caches
* Infinispan user session provider and Infinispan realm+user cache providers

----- Original Message -----
> From: "Kevin Chen"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, February 26, 2015 9:25:42 PM
> Subject: [keycloak-user] cluster configuration
>
> I am using keycloak 1.1, and tried to configure the cluster with 2 nodes. I
> am using apache httpd-2.2 as front end for both nodes. The log shows both
> node.
>
> I deployed KeyCloakWebTest.war on both node and without problem to access it.
>
> But when I try to access /auth/admin, it did not work:
> 1. if both nodes are running, after input correct username/password, the same
> login page will show up again.
> 2. I stopped one node, login with the same user, it is successful and able to
> manage my Realms.
> 3. Then I started the other node, and click on any actions in my already
> logged in session, the browser will show the login page again and in the
> newly started node, the following exception show up:
> 14:22:42,033 WARN [org.jboss.resteasy.core.SynchronousDispatcher]
> (ajp-/127.0.0.1:8009-2) Failed executing GET /admin/serverinfo:
> org.jboss.resteasy.spi.UnauthorizedException: Bearer
> at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:152)
> [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
>
> How can I fix this?
>
> Thanks
> Kevin
>
> [...]

From stian at redhat.com Fri Feb 27 00:57:04 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 27 Feb 2015 00:57:04 -0500 (EST)
Subject: [keycloak-user] ORIGIN for /database/customers
In-Reply-To: <54EF539E.1020105@redhat.com>
References: <54EF539E.1020105@redhat.com>
Message-ID: <1620580025.16929360.1425016624837.JavaMail.zimbra@redhat.com>

I don't see what's missing here?

----- Original Message -----
> From: "Bill Burke"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, February 26, 2015 6:10:54 PM
> Subject: Re: [keycloak-user] ORIGIN for /database/customers
>
> We need to provide this functionality in keycloak.js so you don't have
> to do it.
>
> [...]
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From stian at redhat.com Fri Feb 27 01:10:47 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 27 Feb 2015 01:10:47 -0500 (EST)
Subject: [keycloak-user] Endpoint URL's
In-Reply-To: <0a0001d051cb$f28e5710$d7ab0530$@odoro.co.il>
References: <2013415826.13014217.1424681523253.JavaMail.zimbra@redhat.com> <023b01d04f4c$97197080$c54c5180$@odoro.co.il> <875813870.13365595.1424697379815.JavaMail.zimbra@redhat.com> <074601d051b1$00d1b8f0$02752ad0$@odoro.co.il> <54EF17D8.1040602@redhat.com> <0a0001d051cb$f28e5710$d7ab0530$@odoro.co.il>
Message-ID: <2086264193.16932624.1425017447834.JavaMail.zimbra@redhat.com>

We'll add OpenID Connect Discovery soon. It's pretty simple; it's just an
endpoint with some metadata about our implementation.

----- Original Message -----
> From: yonim at odoro.co.il
> To: "Bill Burke", keycloak-user at lists.jboss.org
> Sent: Thursday, February 26, 2015 2:55:43 PM
> Subject: Re: [keycloak-user] Endpoint URL's
>
> Yeah, I know that.. the thing is that we couldn't get our java client (and
> we tried several) to work against the openid-connect, we got stuck in the
> discovery part..
> so we thought about just using the oauth part
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
> Sent: Thursday, February 26, 2015 2:56 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Endpoint URL's
>
> Openid Connect is an OAuth extension. OAuth is just a framework and not a
> complete protocol. It is also just an authorization framework.
> OpenID Connect adds authentication as well as all the other details a real
> protocol needs.
>
> [...]

From Peng.Chen at halliburton.com Fri Feb 27 14:37:47 2015
From: Peng.Chen at halliburton.com (Kevin Chen)
Date: Fri, 27 Feb 2015 19:37:47 +0000
Subject: [keycloak-user] cluster configuration
In-Reply-To: <633939535.16929093.1425016442374.JavaMail.zimbra@redhat.com>
References: <633939535.16929093.1425016442374.JavaMail.zimbra@redhat.com>

Stian:

Thanks, I did follow the documentation. One thing I am not sure about is
the "Shared DB": does it refer to keycloak.h2.db? If so, I did point both
cluster nodes to the same file.
BTW, I am running both nodes on the same machine with port offset.

Thanks
Kevin

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com]
Sent: Thursday, February 26, 2015 11:54 PM
To: Kevin Chen
Cc: keycloak-user at lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] cluster configuration

Have you followed the docs
(http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/clustering.html)?
You need:

* Keycloak 1.1.0.Final
* Shared DB
* Properly configured Infinispan caches
* Infinispan user session provider and Infinispan realm+user cache providers

[...]

From emil.posmyk at gmail.com Fri Feb 27 15:47:46 2015
From: emil.posmyk at gmail.com (Emil Posmyk)
Date: Fri, 27 Feb 2015 21:47:46 +0100
Subject: [keycloak-user] Token validation in keycloak in oauth with direct access.

Hello all

I'm trying to validate a token downloaded earlier (downloaded via an oauth
application with direct access) and I found RSATokenVerifier. It's working,
but this is only JSON validation and it is not checking the same token
against the user session which exists in memory. Is it possible to use the
same token and check it against the one existing in the user session
(without clustering)? I want to use the same token several times (for
example the same token for 5 minutes). The token is sent from a client
webservice to another webservice and the last ws has to check the token
which is sent from the first webservice (must make sure that the token is
correct - the same). I have doubts because I saw that every time I try to
authenticate with direct access the token is new, but not over 5 minutes.

regards
--
Emil Posmyk