From stian at redhat.com Fri Jan 2 02:36:26 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 2 Jan 2015 02:36:26 -0500 (EST)
Subject: [keycloak-user] HTTP 403 Forbidden on Keycloak.getInstance
In-Reply-To:
References: <398767687.2248733.1419942704559.JavaMail.zimbra@redhat.com>
Message-ID: <1582030406.2563639.1420184186055.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Alexander Chriztopher"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 30 December, 2014 6:30:04 PM
> Subject: Re: [keycloak-user] HTTP 403 Forbidden on Keycloak.getInstance
>
> ok, i had to go to : User1 | ROLE MAPPING | APPLICATION ROLES | select the
> application : realm-management | add the role : realm-admin to my user and
> now it is working !
>
> Questions :
>
> # 1 / Why is the application : realm-management involved in this ? In the
> example am using the application : examples-admin-client which is completely
> different !

The application realm-management is a bit artificial, we only use it to represent the roles for managing the realm. It works, but maybe not the most elegant.

> # 2 / When someone needs to administer a realm via the admin client which
> client id do you recommend using ? do we have to create a new client id (i
> mean application) or should we use some application created by default
> within the realm such as : realm-management on or : security-admin-console ?

Your own

>
> On Tue, Dec 30, 2014 at 6:08 PM, Alexander Chriztopher <
> alexander.chriztopher at gmail.com > wrote:
>
> Yes that option was activated for the realm !!
>
> On Tue, Dec 30, 2014 at 1:31 PM, Stian Thorgersen < stian at redhat.com > wrote:
>
> Did you enable 'Direct Grant API' for your realm?
> If not open the admin
> console click on the realm -> settings -> login and toggle 'Direct Grant
> API' to ON
>
> ----- Original Message -----
> > From: "Alexander Chriztopher" < alexander.chriztopher at gmail.com >
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 19 December, 2014 4:06:56 PM
> > Subject: [keycloak-user] HTTP 403 Forbidden on Keycloak.getInstance
> >
> > Hi,
> >
> > I have a realm with an application called : examples-admin-client and would
> > like to use it to manage my realm but i get an error :
> > javax.ws.rs.ClientErrorException: HTTP 403 Forbidden every time i make the
> > following call :
> >
> > Keycloak keycloak = Keycloak.getInstance(authServer, "realm-name", "User1",
> >     "password", "examples-admin-client",
> >     "a5890cdf-e1df-40c0-9d50-26ad2f7badde");
> >
> > When i try to do the same thing with the example realm (i use the json
> > example-realm.json provided by the keycloak project) this works nicely
> > actually !
> >
> > Btw, i can successfully login with the user : User1 with that password.
> >
> > This is the json for my realm :
> >
> > {
> >   "realm": "realm-name",
> >   "realm-public-key":
> >     "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxwUIE6W3BZYlSxDPpwkknb2ObnrEsGMUJGy3HfNEfkfu9rcY5bxkllLsW32KlR78++xtuI11IE2nuh6nJmUsIKMb55Ez9n7/E9kPmSF6lxavZlQY0HfBnR3ZWgzsoUUz4n7pOhmqHIAGXeuxnMDQ5/upwcolFIZRor1v7oT/H8QIDAQAB",
> >   "auth-server-url": " http://localhost:8080/auth ",
> >   "ssl-required": "none",
> >   "resource": "examples-admin-client",
> >   "credentials": {
> >     "secret": "a5890cdf-e1df-40c0-9d50-26ad2f7badde"
> >   }
> > }
> >
> > Thanks for any help on this one !
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From alexander.chriztopher at gmail.com Fri Jan 2 11:48:02 2015
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Fri, 2 Jan 2015 17:48:02 +0100
Subject: [keycloak-user] We're sorry ... Unknown code, please login again through your application.
In-Reply-To: <839214297.1949973.1419841085143.JavaMail.zimbra@redhat.com>
References: <839214297.1949973.1419841085143.JavaMail.zimbra@redhat.com>
Message-ID:

hi,

i have created a jira for this : https://issues.jboss.org/browse/KEYCLOAK-917

thank you.

On Mon, Dec 29, 2014 at 9:18 AM, Stian Thorgersen wrote:

> This is caused by the "code" on the login page not being valid any more
> after the user has clicked the reset password link in the email. It's not
> very elegant so please create a JIRA and we'll try to improve it.
>
> ----- Original Message -----
> > From: "Alexander Chriztopher"
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 18 December, 2014 10:57:03 AM
> > Subject: [keycloak-user] We're sorry ... Unknown code, please login again through your application.
> >
> > Hi All,
> >
> > Am having the following behaviour within keycloak :
> >
> > # 1 / Open my application home page which brings me to the keycloak login
> > page;
> > # 2 / Click on Forgot Password then enter my login and validate.
> > Keep this page open in my browser -this page contains a link : back to login;
> > # 3 / Open the received mail and click on the link to reset password which
> > opens a new tab in my browser;
> > # 4 / Switch to the previous tab where i left the login page open and click
> > on the link back to login;
> > # 5 / A new page opens with the message : We're sorry ... Unknown code,
> > please login again through your application.
> >
> > Could any one tell me why am getting this ?
> >
> > Thanks for your help.

From jayblanc at gmail.com Tue Jan 6 06:25:26 2015
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Tue, 06 Jan 2015 11:25:26 +0000
Subject: [keycloak-user] Guidelines about OAuth use case
Message-ID:

Hi all,

I must admit that OAuth sometimes appears a little complex for me and I have a use that I'd like to submit in order to collect opinion and/or best practice.

My application components are :
- a keycloak server configured.
- a REST API (/api) protected using WAR adapter
- a Angular GUI client of this REST API using JS Adapter
- another REST API (/tools)

The /tools API is accessed by the Angular GUI but is also a client of the REST API (/api)
The /tools application have a rest-api-client.jar embedded that support Credentials Client Grant to ensure OAuth authentication in order to access the /api REST interface.

What I expected to do was to allow the Angular JS to propagate its authentication in order to allow the /tools application to access /api authenticated also.
I'm facing the problem on how to propagate the JS Adapter authentication to the /tools application to allow it to use in the rest client ? I did not mention that the /tools application is a background task manager that could run a long time away after tool job submission...

I'm pretty lost in all the OAuth grant scenari and any suggestion should be highly appreciated.

Thanks in advance, Jérôme.

From alexander.chriztopher at gmail.com Wed Jan 7 03:39:05 2015
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Wed, 7 Jan 2015 09:39:05 +0100
Subject: [keycloak-user] Password update error messages
Message-ID:

Hi All,

We have looked at those messages and it looks like they are not externalised !

Could anyone confirm this ?

Many thanks.

From stian at redhat.com Wed Jan 7 03:45:47 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 7 Jan 2015 03:45:47 -0500 (EST)
Subject: [keycloak-user] Password update error messages
In-Reply-To:
References:
Message-ID: <2091435597.4814777.1420620347159.JavaMail.zimbra@redhat.com>

Can you give some more details about what password update messages you are referring to? Passwords can be updated in 3 different places for one.

----- Original Message -----
> From: "Alexander Chriztopher"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 7 January, 2015 9:39:05 AM
> Subject: [keycloak-user] Password update error messages
>
> Hi All,
>
> We have looked at those messages and it looks like they are not externalised !
>
> Could anyone confirm this ?
>
> Many thanks.

From alexander.chriztopher at gmail.com Wed Jan 7 04:02:37 2015
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Wed, 7 Jan 2015 10:02:37 +0100
Subject: [keycloak-user] Password update error messages
In-Reply-To: <2091435597.4814777.1420620347159.JavaMail.zimbra@redhat.com>
References: <2091435597.4814777.1420620347159.JavaMail.zimbra@redhat.com>
Message-ID:

An example is : Invalid Password : must contain at least x numerical digits.

On Wed, Jan 7, 2015 at 9:45 AM, Stian Thorgersen wrote:

> Can you give some more details about what password update messages you are
> referring to? Passwords can be updated in 3 different places for one.
>
> ----- Original Message -----
> > From: "Alexander Chriztopher"
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 7 January, 2015 9:39:05 AM
> > Subject: [keycloak-user] Password update error messages
> >
> > Hi All,
> >
> > We have looked at those messages and it looks like they are not externalised !
> >
> > Could anyone confirm this ?
> >
> > Many thanks.

From stian at redhat.com Wed Jan 7 04:04:55 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 7 Jan 2015 04:04:55 -0500 (EST)
Subject: [keycloak-user] Password update error messages
In-Reply-To:
References: <2091435597.4814777.1420620347159.JavaMail.zimbra@redhat.com>
Message-ID: <645754843.4823419.1420621495833.JavaMail.zimbra@redhat.com>

The password policy messages are not externalized, please create a jira

----- Original Message -----
> From: "Alexander Chriztopher"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 7 January, 2015 10:02:37 AM
> Subject: Re: [keycloak-user] Password update error messages
>
> An example is : Invalid Password : must contain at least x numerical digits.
>
> On Wed, Jan 7, 2015 at 9:45 AM, Stian Thorgersen wrote:
>
> > Can you give some more details about what password update messages you are
> > referring to? Passwords can be updated in 3 different places for one.
> >
> > ----- Original Message -----
> > > From: "Alexander Chriztopher"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 7 January, 2015 9:39:05 AM
> > > Subject: [keycloak-user] Password update error messages
> > >
> > > Hi All,
> > >
> > > We have looked at those messages and it looks like they are not externalised !
> > >
> > > Could anyone confirm this ?
> > >
> > > Many thanks.

From h.p.przybysz at gmail.com Wed Jan 7 04:06:49 2015
From: h.p.przybysz at gmail.com (Hubert Przybysz)
Date: Wed, 7 Jan 2015 10:06:49 +0100
Subject: [keycloak-user] How to know when to get a refreshed bearer token
Message-ID:

Hi,

My jee web application uses its bearer token when issuing AJAX requests to other REST services within the realm (but at different origins). It does it by reading the exposed bearer token prior to making an AJAX request.

Is there a mechanism by which the application may find out when the bearer token is refreshed, to make it possible to read the bearer token only when needed ?

Br / Hubert.

From h.p.przybysz at gmail.com Wed Jan 7 06:19:12 2015
From: h.p.przybysz at gmail.com (Hubert Przybysz)
Date: Wed, 7 Jan 2015 12:19:12 +0100
Subject: [keycloak-user] single logout
Message-ID:

Hi,

I'm looking for information on how to implement single logout across applications in the realm. There is an Admin URL setting per application in the realm admin GUI which is to be set if the application supports "the adapter REST API", but I failed to find any information about this API. Is this the API to use for single logout ?

Br / Hubert.

From stian at redhat.com Wed Jan 7 06:53:27 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 7 Jan 2015 06:53:27 -0500 (EST)
Subject: [keycloak-user] single logout
In-Reply-To:
References:
Message-ID: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com>

What adapters are you using? Our adapters already have built-in support for this. Server-side adapters (JEE) uses the admin url, while client-side (JS) uses a special iframe to detect logout.

----- Original Message -----
> From: "Hubert Przybysz"
> To: "keycloak-user"
> Sent: Wednesday, 7 January, 2015 12:19:12 PM
> Subject: [keycloak-user] single logout
>
> Hi,
>
> I'm looking for information on how to implement single logout across
> applications in the realm. There is an Admin URL setting per application in
> the realm admin GUI which is to be set if the application supports "the
> adapter REST API", but I failed to find any information about this API. Is
> this the API to use for single logout ?
>
> Br / Hubert.

From h.p.przybysz at gmail.com Wed Jan 7 07:18:58 2015
From: h.p.przybysz at gmail.com (Hubert Przybysz)
Date: Wed, 7 Jan 2015 13:18:58 +0100
Subject: [keycloak-user] single logout
In-Reply-To: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com>
References: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com>
Message-ID:

I'm using your server-side java adapters. When I logout in one application I'm getting the exception below when the server tries to logout the second application (which led me to think I need to implement something).

Logout for application 'app-2' failed: org.apache.http.conn.HttpHostConnectException: Connection to https:/ xx.xx.net refused
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:182) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
    at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
    at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
    at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:444) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
    at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:688) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
    at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:572) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
    at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:275) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.services.managers.ResourceAdminManager.logoutClientSessions(ResourceAdminManager.java:207) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.services.managers.ResourceAdminManager.logoutClientSession(ResourceAdminManager.java:167) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.protocol.oidc.OpenIDConnect.backchannelLogout(OpenIDConnect.java:143) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.services.managers.AuthenticationManager.logout(AuthenticationManager.java:97) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.protocol.oidc.OpenIDConnectService.logout(OpenIDConnectService.java:994) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.protocol.oidc.OpenIDConnectService.logout(OpenIDConnectService.java:927) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_72]

On Wed, Jan 7, 2015 at 12:53 PM, Stian Thorgersen wrote:

> What adapters are you using? Our adapters already have built-in support
> for this. Server-side adapters (JEE) uses the admin url, while client-side
> (JS) uses a special iframe to detect logout.
>
> ----- Original Message -----
> > From: "Hubert Przybysz"
> > To: "keycloak-user"
> > Sent: Wednesday, 7 January, 2015 12:19:12 PM
> > Subject: [keycloak-user] single logout
> >
> > Hi,
> >
> > I'm looking for information on how to implement single logout across
> > applications in the realm.
> > There is an Admin URL setting per application in
> > the realm admin GUI which is to be set if the application supports "the
> > adapter REST API", but I failed to find any information about this API. Is
> > this the API to use for single logout ?
> >
> > Br / Hubert.

From stian at redhat.com Wed Jan 7 07:25:55 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 7 Jan 2015 07:25:55 -0500 (EST)
Subject: [keycloak-user] single logout
In-Reply-To:
References: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com>
Message-ID: <1170256244.4972894.1420633555166.JavaMail.zimbra@redhat.com>

Looks like a configuration issue (or a bug) you should not have to implement anything as long as you use our adapters.

Did you set the admin url correctly for the app? It has to be reachable from the Keycloak server. Also, if your app is behind a proxy or is clustered that can also impact on the config.

----- Original Message -----
> From: "Hubert Przybysz"
> To: "Stian Thorgersen"
> Cc: "keycloak-user"
> Sent: Wednesday, 7 January, 2015 1:18:58 PM
> Subject: Re: [keycloak-user] single logout
>
> I'm using your server-side java adapters. When I logout in one application
> I'm getting the exception below when the server tries to logout the second
> application (which led me to think I need to implement something).
>
> Logout for application 'app-2' failed:
> org.apache.http.conn.HttpHostConnectException: Connection to https:/ xx.xx.net refused
>
> On Wed, Jan 7, 2015 at 12:53 PM, Stian Thorgersen wrote:
>
> > What adapters are you using? Our adapters already have built-in support
> > for this. Server-side adapters (JEE) uses the admin url, while client-side
> > (JS) uses a special iframe to detect logout.
> >
> > ----- Original Message -----
> > > From: "Hubert Przybysz"
> > > To: "keycloak-user"
> > > Sent: Wednesday, 7 January, 2015 12:19:12 PM
> > > Subject: [keycloak-user] single logout
> > >
> > > Hi,
> > >
> > > I'm looking for information on how to implement single logout across
> > > applications in the realm. There is an Admin URL setting per application in
> > > the realm admin GUI which is to be set if the application supports "the
> > > adapter REST API", but I failed to find any information about this API. Is
> > > this the API to use for single logout ?
> > >
> > > Br / Hubert.

From h.p.przybysz at gmail.com Wed Jan 7 07:45:03 2015
From: h.p.przybysz at gmail.com (Hubert Przybysz)
Date: Wed, 7 Jan 2015 13:45:03 +0100
Subject: [keycloak-user] single logout
In-Reply-To: <1170256244.4972894.1420633555166.JavaMail.zimbra@redhat.com>
References: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com> <1170256244.4972894.1420633555166.JavaMail.zimbra@redhat.com>
Message-ID:

It is reachable but perhaps it is a truststore issue.

Which truststore is used by the server, the one configured in jboss for https connector, or some other ?

On Wed, Jan 7, 2015 at 1:25 PM, Stian Thorgersen wrote:

> Looks like a configuration issue (or a bug) you should not have to
> implement anything as long as you use our adapters.
>
> Did you set the admin url correctly for the app? It has to be reachable
> from the Keycloak server. Also, if your app is behind a proxy or is
> clustered that can also impact on the config.
>
> ----- Original Message -----
> > From: "Hubert Przybysz"
> > To: "Stian Thorgersen"
> > Cc: "keycloak-user"
> > Sent: Wednesday, 7 January, 2015 1:18:58 PM
> > Subject: Re: [keycloak-user] single logout
> >
> > I'm using your server-side java adapters.
> > When I logout in one application
> > I'm getting the exception below when the server tries to logout the second
> > application (which led me to think I need to implement something).
> >
> > Logout for application 'app-2' failed:
> > org.apache.http.conn.HttpHostConnectException: Connection to https:/ xx.xx.net refused
> >
> > On Wed, Jan 7, 2015 at 12:53 PM, Stian Thorgersen wrote:
> >
> > > What adapters are you
> > > using? Our adapters already have built-in support
> > > for this. Server-side adapters (JEE) uses the admin url, while client-side
> > > (JS) uses a special iframe to detect logout.
> > >
> > > ----- Original Message -----
> > > > From: "Hubert Przybysz"
> > > > To: "keycloak-user"
> > > > Sent: Wednesday, 7 January, 2015 12:19:12 PM
> > > > Subject: [keycloak-user] single logout
> > > >
> > > > Hi,
> > > >
> > > > I'm looking for information on how to implement single logout across
> > > > applications in the realm. There is an Admin URL setting per application in
> > > > the realm admin GUI which is to be set if the application supports "the
> > > > adapter REST API", but I failed to find any information about this API. Is
> > > > this the API to use for single logout ?
> > > >
> > > > Br / Hubert.

From stian at redhat.com Wed Jan 7 07:54:46 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 7 Jan 2015 07:54:46 -0500 (EST)
Subject: [keycloak-user] single logout
In-Reply-To:
References: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com> <1170256244.4972894.1420633555166.JavaMail.zimbra@redhat.com>
Message-ID: <1638819332.4981831.1420635286425.JavaMail.zimbra@redhat.com>

Currently the trust manager is actually disabled for these requests so that won't be the problem. We have an outstanding issue to fix this.
----- Original Message ----- > From: "Hubert Przybysz" > To: "Stian Thorgersen" > Cc: "keycloak-user" > Sent: Wednesday, 7 January, 2015 1:45:03 PM > Subject: Re: [keycloak-user] single logout > > It is reachable but perhaps it is a truststore issue. > > Which truststore is used by the server, the one configured in jboss for > https connector, or some other ? > > On Wed, Jan 7, 2015 at 1:25 PM, Stian Thorgersen wrote: > > > Looks like a configuration issue (or a bug) you should not have to > > implement anything as long as you use our adapters. > > > > Did you set the admin url correctly for the app? It has to be reachable > > from the Keycloak server. Also, if your app is behind a proxy or is > > clustered that can also impact on the config. > > > > ----- Original Message ----- > > > From: "Hubert Przybysz" > > > To: "Stian Thorgersen" > > > Cc: "keycloak-user" > > > Sent: Wednesday, 7 January, 2015 1:18:58 PM > > > Subject: Re: [keycloak-user] single logout > > > > > > I'm using your server-side java adapters. When I logout in one > > application > > > I'm getting the exception below when the server tries to logout the > > second > > > application (which led me to think I need to implement something). 
> > > > > > Logout for application 'app-2' failed: > > > org.apache.http.conn.HttpHostConnectException: Connection to https:/ > > > xx.xx.net refused > > > > > > > > > On Wed, Jan 7, 2015 at 12:53 PM, Stian Thorgersen > > wrote: > > > > > > > What
adapters are you using? Our adapters already have built-in support > > > > for this. Server-side adapters (JEE) uses the admin url, while > > client-side > > > > (JS) uses a special iframe to detect logout. > > > > > > > > ----- Original Message ----- > > > > > From: "Hubert Przybysz" > > > > > To: "keycloak-user" > > > > > Sent: Wednesday, 7 January, 2015 12:19:12 PM > > > > > Subject: [keycloak-user] single logout > > > > > > > > > > Hi, > > > > > > > > > > I'm looking for information on how to implement single logout across > > > > > applications in the realm. There is an Admin URL setting per > > application > > > > in > > > > > the realm admin GUI which is to be set if the application supports > > "the > > > > > adapter REST API", but I failed to find any information about this > > API. > > > > Is > > > > > this the API to use for single logout ? > > > > > > > > > > Br / Hubert.
From h.p.przybysz at gmail.com Wed Jan 7 09:06:32 2015 From: h.p.przybysz at gmail.com (Hubert Przybysz) Date: Wed, 7 Jan 2015 15:06:32 +0100 Subject: [keycloak-user] single logout In-Reply-To: <1638819332.4981831.1420635286425.JavaMail.zimbra@redhat.com> References: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com> <1170256244.4972894.1420633555166.JavaMail.zimbra@redhat.com> <1638819332.4981831.1420635286425.JavaMail.zimbra@redhat.com> Message-ID:
It turned out to be a FW configuration issue after all. Now that the adapters get k_logout properly, I'm assuming that the way for a jee application to learn about the logout is by listening to the HttpSession, correct ?
On Wed, Jan 7, 2015 at 1:54 PM, Stian Thorgersen wrote: > Currently the trust manager is actually disabled for these requests so > that won't be the problem.
We have an outstanding issue to fix this. > > ----- Original Message ----- > > From: "Hubert Przybysz" > > To: "Stian Thorgersen" > > Cc: "keycloak-user" > > Sent: Wednesday, 7 January, 2015 1:45:03 PM > > Subject: Re: [keycloak-user] single logout > > > > It is reachable but perhaps it is a truststore issue. > > > > Which truststore is used by the server, the one configured in jboss for > > https connector, or some other ? > > > > On Wed, Jan 7, 2015 at 1:25 PM, Stian Thorgersen > wrote: > > > > > Looks like a configuration issue (or a bug) you should not have to > > > implement anything as long as you use our adapters. > > > > > > Did you set the admin url correctly for the app? It has to be reachable > > > from the Keycloak server. Also, if your app is behind a proxy or is > > > clustered that can also impact on the config. > > > > > > ----- Original Message ----- > > > > From: "Hubert Przybysz" > > > > To: "Stian Thorgersen" > > > > Cc: "keycloak-user" > > > > Sent: Wednesday, 7 January, 2015 1:18:58 PM > > > > Subject: Re: [keycloak-user] single logout > > > > > > > > I'm using your server-side java adapters. When I logout in one > > > application > > > > I'm getting the exception below when the server tries to logout the > > > second > > > > application (which led me to think I need to implement something). 
> > > > > > > > Logout for application 'app-2' failed: > > > > org.apache.http.conn.HttpHostConnectException: Connection to https:/ > > > > xx.xx.net refused > > > > > > > > > > > > On Wed, Jan 7, 2015 at 12:53 PM, Stian Thorgersen > > > wrote: > > > > > > > > > What adapters are you using? Our adapters already have built-in > support > > > > > for this. Server-side adapters (JEE) uses the admin url, while > > > client-side > > > > > (JS) uses a special iframe to detect logout. > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Hubert Przybysz" > > > > > > To: "keycloak-user" > > > > > > Sent: Wednesday, 7 January, 2015 12:19:12 PM > > > > > > Subject: [keycloak-user] single logout > > > > > > > > > > > > Hi, > > > > > > > > > > > > I'm looking for information on how to implement single logout > across > > > > > > applications in the realm. There is an Admin URL setting per > > > application > > > > > in > > > > > > the realm admin GUI which is to be set if the application > supports > > > "the > > > > > > adapter REST API", but I failed to find any information about > this > > > API. > > > > > Is > > > > > > this the API to use for single logout ? > > > > > > > > > > > > Br / Hubert.
From bburke at redhat.com Wed Jan 7 09:11:07 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 07 Jan 2015 09:11:07 -0500 Subject: [keycloak-user] How to know when to get a refreshed bearer token In-Reply-To: References: Message-ID: <54AD3E7B.1030801@redhat.com>
IIRC, if you're using the correct APIs (in Javascript or on the server side), the token will be automatically updated for you when you request it.
On 1/7/2015 4:06 AM, Hubert Przybysz wrote: > Hi, > > My jee web application uses its bearer token when issuing AJAX requests > to other REST services within the realm (but at different origins). It > does it by reading the exposed bearer token prior to making an AJAX > request. Is there a mechanism by which the application may find out when > the bearer token is refreshed, to make it possible to read the bearer > token only when needed ? > > Br / Hubert.
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com
From stian at redhat.com Wed Jan 7 09:15:55 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 7 Jan 2015 09:15:55 -0500 (EST) Subject: [keycloak-user] single logout In-Reply-To: References: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com> <1170256244.4972894.1420633555166.JavaMail.zimbra@redhat.com> <1638819332.4981831.1420635286425.JavaMail.zimbra@redhat.com> Message-ID: <1684882465.5048016.1420640155187.JavaMail.zimbra@redhat.com>
----- Original Message ----- > From: "Hubert Przybysz" > To: "Stian Thorgersen" > Cc: "keycloak-user" > Sent: Wednesday, 7 January, 2015 3:06:32 PM > Subject: Re: [keycloak-user] single logout > > It turned out to be a FW configuration issue after all. > > Now that the adapters get k_logout properly, I'm assuming that the way for > a jee application to learn about the logout is by listening to the > HttpSession, correct ?

AFAIK that's the only way yes

> > On Wed, Jan 7, 2015 at 1:54 PM, Stian Thorgersen wrote: > > > Currently the trust manager is actually disabled for these requests so > > that won't be the problem. We have an outstanding issue to fix this.
> > > > ----- Original Message ----- > > > From: "Hubert Przybysz" > > > To: "Stian Thorgersen" > > > Cc: "keycloak-user" > > > Sent: Wednesday, 7 January, 2015 1:45:03 PM > > > Subject: Re: [keycloak-user] single logout > > > > > > It is reachable but perhaps it is a truststore issue. > > > > > > Which truststore is used by the server, the one configured in jboss for > > > https connector, or some other ? > > > > > > On Wed, Jan 7, 2015 at 1:25 PM, Stian Thorgersen > > wrote: > > > > > > > Looks like a configuration issue (or a bug) you should not have to > > > > implement anything as long as you use our adapters. > > > > > > > > Did you set the admin url correctly for the app? It has to be reachable > > > > from the Keycloak server. Also, if your app is behind a proxy or is > > > > clustered that can also impact on the config. > > > > > > > > ----- Original Message ----- > > > > > From: "Hubert Przybysz" > > > > > To: "Stian Thorgersen" > > > > > Cc: "keycloak-user" > > > > > Sent: Wednesday, 7 January, 2015 1:18:58 PM > > > > > Subject: Re: [keycloak-user] single logout > > > > > > > > > > I'm using your server-side java adapters. When I logout in one > > > > application > > > > > I'm getting the exception below when the server tries to logout the > > > > second > > > > > application (which led me to think I need to implement something). 
> > > > > > > > > > Logout for application 'app-2' failed: > > > > > org.apache.http.conn.HttpHostConnectException: Connection to https:/ > > > > > xx.xx.net refused > > > > > > > > > > > > > > > On Wed, Jan 7, 2015 at 12:53 PM, Stian Thorgersen > > > > wrote: > > > > > > > > > > > What adapters are you using? Our adapters already have built-in > > support > > > > > > for this. Server-side adapters (JEE) uses the admin url, while > > > > client-side > > > > > > (JS) uses a special iframe to detect logout. > > > > > > > > > > > > ----- Original Message ----- > > > > > > > From: "Hubert Przybysz" > > > > > > > To: "keycloak-user" > > > > > > > Sent: Wednesday, 7 January, 2015 12:19:12 PM > > > > > > > Subject: [keycloak-user] single logout > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > I'm looking for information on how to implement single logout > > across > > > > > > > applications in the realm. There is an Admin URL setting per > > > > application > > > > > > in > > > > > > > the realm admin GUI which is to be set if the application > > supports > > > > "the > > > > > > > adapter REST API", but I failed to find any information about > > this > > > > API. > > > > > > Is > > > > > > > this the API to use for single logout ? > > > > > > > > > > > > > > Br / Hubert.
From h.p.przybysz at gmail.com Wed Jan 7 09:29:49 2015 From: h.p.przybysz at gmail.com (Hubert Przybysz) Date: Wed, 7 Jan 2015 15:29:49 +0100 Subject: [keycloak-user] How to know when to get a refreshed bearer token In-Reply-To: <54AD3E7B.1030801@redhat.com> References: <54AD3E7B.1030801@redhat.com> Message-ID:
The token is indeed updated automatically when it is requested. I was rather wondering if there was a way to not have to request it prior to each AJAX request. Currently, since the application does not know when the token expires, it has to either get it prior to each AJAX request, or try to use a possibly stale token and request it again when it gets a 401 from the REST service. It would be nice to get information about token expiry together with the token in response to k_query_bearer_token request.
On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke wrote: > IIRC, if you're using the correct APIs (in Javascript or on the server > side), the token will be automatically updated for you when you request it. > > On 1/7/2015 4:06 AM, Hubert Przybysz wrote: > > Hi, > > > > My jee web application uses its bearer token when issuing AJAX requests > > to other REST services within the realm (but at different origins). It > > does it by reading the exposed bearer token prior to making an AJAX > > request. Is there a mechanism by which the application may find out when > > the bearer token is refreshed, to make it possible to read the bearer > > token only when needed ? > > > > Br / Hubert.
> > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com
From bburke at redhat.com Wed Jan 7 10:00:09 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 07 Jan 2015 10:00:09 -0500 Subject: [keycloak-user] How to know when to get a refreshed bearer token In-Reply-To: References: <54AD3E7B.1030801@redhat.com> Message-ID: <54AD49F9.3000305@redhat.com>
You probably should not be using the k_query_bearer_token request. I'm thinking of removing it because it is vulnerable to CSRF attacks. Instead use keycloak.js for javascript apps.
On 1/7/2015 9:29 AM, Hubert Przybysz wrote: > The token is indeed updated automatically when it is requested. I was > rather wondering if there was a way to not have to request it prior to > each AJAX request. Currently, since the application does not know when > the token expires, it has to either get it prior to each AJAX request, > or try to use a possibly stale token and request it again when it gets a > 401 from the REST service. It would be nice to get information about > token expiry together with the token in response to k_query_bearer_token > request. > > On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke > wrote: > > IIRC, if you're using the correct APIs (in Javascript or on the server > side), the token will be automatically updated for you when you > request it.
> > On 1/7/2015 4:06 AM, Hubert Przybysz wrote: > > Hi, > > > > My jee web application uses its bearer token when issuing AJAX > requests > > to other REST services within the realm (but at different > origins). It > > does it by reading the exposed bearer token prior to making an AJAX > > request. Is there a mechanism by which the application may find > out when > > the bearer token is refreshed, to make it possible to read the bearer > > token only when needed ? > > > > Br / Hubert. > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com
From h.p.przybysz at gmail.com Wed Jan 7 17:13:30 2015 From: h.p.przybysz at gmail.com (Hubert Przybysz) Date: Wed, 7 Jan 2015 23:13:30 +0100 Subject: [keycloak-user] single logout In-Reply-To: <1684882465.5048016.1420640155187.JavaMail.zimbra@redhat.com> References: <370154031.4951762.1420631607117.JavaMail.zimbra@redhat.com> <1170256244.4972894.1420633555166.JavaMail.zimbra@redhat.com> <1638819332.4981831.1420635286425.JavaMail.zimbra@redhat.com> <1684882465.5048016.1420640155187.JavaMail.zimbra@redhat.com> Message-ID:
Thanks for your help.
On Wed, Jan 7, 2015 at 3:15 PM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Hubert Przybysz" > > To: "Stian Thorgersen" > > Cc: "keycloak-user" > > Sent: Wednesday, 7 January, 2015 3:06:32 PM > > Subject: Re: [keycloak-user] single logout > > > > It turned out to be a FW configuration issue after all.
> > > > Now that the adapters get k_logout properly, I'm assuming that the way > for > > a jee application to learn about the logout is by listening to the > > HttpSession, correct ? > > AFAIK that's the only way yes > > > > > On Wed, Jan 7, 2015 at 1:54 PM, Stian Thorgersen > wrote: > > > > > Currently the trust manager is actually disabled for these requests so > > > that won't be the problem. We have an outstanding issue to fix this. > > > > > > ----- Original Message ----- > > > > From: "Hubert Przybysz" > > > > To: "Stian Thorgersen" > > > > Cc: "keycloak-user" > > > > Sent: Wednesday, 7 January, 2015 1:45:03 PM > > > > Subject: Re: [keycloak-user] single logout > > > > > > > > It is reachable but perhaps it is a truststore issue. > > > > > > > > Which truststore is used by the server, the one configured in jboss > for > > > > https connector, or some other ? > > > > > > > > On Wed, Jan 7, 2015 at 1:25 PM, Stian Thorgersen > > > wrote: > > > > > > > > > Looks like a configuration issue (or a bug) you should not have to > > > > > implement anything as long as you use our adapters. > > > > > > > > > > Did you set the admin url correctly for the app? It has to be > reachable > > > > > from the Keycloak server. Also, if your app is behind a proxy or is > > > > > clustered that can also impact on the config. > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Hubert Przybysz" > > > > > > To: "Stian Thorgersen" > > > > > > Cc: "keycloak-user" > > > > > > Sent: Wednesday, 7 January, 2015 1:18:58 PM > > > > > > Subject: Re: [keycloak-user] single logout > > > > > > > > > > > > I'm using your server-side java adapters. When I logout in one > > > > > application > > > > > > I'm getting the exception below when the server tries to logout > the > > > > > second > > > > > > application (which led me to think I need to implement > something). 
> > > > > >
> > > > > > Logout for application 'app-2' failed:
> > > > > > org.apache.http.conn.HttpHostConnectException: Connection to https:/
> > > > > > xx.xx.net refused
> > > > > > at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
> > > > > > at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
> > > > > > at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
> > > > > > at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
> > > > > > at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
> > > > > > at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
> > > > > > at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
> > > > > > at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:182) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
> > > > > > at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
> > > > > > at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
> > > > > > at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
> > > > > > at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:444) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
> > > > > > at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:688) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
> > > > > > at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:572) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
> > > > > > at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:275) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
> > > > > > at org.keycloak.services.managers.ResourceAdminManager.logoutClientSessions(ResourceAdminManager.java:207) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
> > > > > > at org.keycloak.services.managers.ResourceAdminManager.logoutClientSession(ResourceAdminManager.java:167) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
> > > > > > at org.keycloak.protocol.oidc.OpenIDConnect.backchannelLogout(OpenIDConnect.java:143) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
> > > > > > at org.keycloak.services.managers.AuthenticationManager.logout(AuthenticationManager.java:97) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
> > > > > > at org.keycloak.protocol.oidc.OpenIDConnectService.logout(OpenIDConnectService.java:994) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
> > > > > > at org.keycloak.protocol.oidc.OpenIDConnectService.logout(OpenIDConnectService.java:927) [keycloak-services-1.1.0.Beta2.jar:1.1.0.Beta2]
> > > > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_72]
> > > > > >
> > > > > >
> > > > > > On Wed, Jan 7, 2015 at 12:53 PM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > >
> > > > > > > What adapters are you using? Our adapters already have built-in support
> > > > > > > for this. Server-side adapters (JEE) uses the admin url, while client-side
> > > > > > > (JS) uses a special iframe to detect logout.
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Hubert Przybysz"
> > > > > > > > To: "keycloak-user"
> > > > > > > > Sent: Wednesday, 7 January, 2015 12:19:12 PM
> > > > > > > > Subject: [keycloak-user] single logout
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I'm looking for information on how to implement single logout across
> > > > > > > > applications in the realm. There is an Admin URL setting per application in
> > > > > > > > the realm admin GUI which is to be set if the application supports "the
> > > > > > > > adapter REST API", but I failed to find any information about this API. Is
> > > > > > > > this the API to use for single logout ?
> > > > > > > >
> > > > > > > > Br / Hubert.
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > keycloak-user mailing list
> > > > > > > > keycloak-user at lists.jboss.org
> > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150107/e588d20c/attachment-0001.html

From h.p.przybysz at gmail.com Wed Jan 7 17:25:28 2015
From: h.p.przybysz at gmail.com (Hubert Przybysz)
Date: Wed, 7 Jan 2015 23:25:28 +0100
Subject: [keycloak-user] How to know when to get a refreshed bearer token
In-Reply-To: <54AD49F9.3000305@redhat.com>
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com>
Message-ID:

Thanks for the heads-up. I'll take a closer look at the javascript adapter.

FYI, I've found the k_query_bearer_token request quite useful for a web app
that uses a mix of server-side and javascript components.

On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke wrote:

> You probably should not be using the k_query_bearer_token request. I'm
> thinking of removing it because it is vulnerable to CSRF attacks. Instead
> use keycloak.js for javascript apps.
>
> On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
>
>> The token is indeed updated automatically when it is requested. I was
>> rather wondering if there was a way to not have to request it prior to
>> each AJAX request. Currently, since the application does not know when
>> the token expires, it has to either get it prior to each AJAX request,
>> or try to use a possibly stale token and request it again when it gets a
>> 401 from the REST service. It would be nice to get information about
>> token expiry together with the token in response to k_query_bearer_token
>> request.
>>
>> On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke wrote:
>>
>> IIRC, if you're using the correct APIs (in Javascript or on the server
>> side), the token will be automatically updated for you when you
>> request it.
>>
>> On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
>> > Hi,
>> >
>> > My jee web application uses its bearer token when issuing AJAX requests
>> > to other REST services within the realm (but at different origins). It
>> > does it by reading the exposed bearer token prior to making an AJAX
>> > request. Is there a mechanism by which the application may find out when
>> > the bearer token is refreshed, to make it possible to read the bearer
>> > token only when needed ?
>> >
>> > Br / Hubert.
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150107/5684a87a/attachment.html

From bburke at redhat.com Wed Jan 7 17:49:32 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 07 Jan 2015 17:49:32 -0500
Subject: [keycloak-user] How to know when to get a refreshed bearer token
In-Reply-To:
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com>
Message-ID: <54ADB7FC.2070204@redhat.com>

If your server-side components are all REST-based, I suggest using bearer
token auth for them and obtaining the token via the keycloak.js adapter.
Again, k_query_bearer_token auth is vulnerable to CSRF right now.

On 1/7/2015 5:25 PM, Hubert Przybysz wrote:
> Thanks for the heads-up. I'll take a closer look at the javascript adapter.
>
> FYI, I've found the k_query_bearer_token request quite useful for a web
> app that uses a mix of server-side and javascript components.
>
> On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke wrote:
>
> You probably should not be using the k_query_bearer_token request.
> I'm thinking of removing it because it is vulnerable to CSRF
> attacks. Instead use keycloak.js for javascript apps.
>
> On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
>
> The token is indeed updated automatically when it is requested. I was
> rather wondering if there was a way to not have to request it prior to
> each AJAX request. Currently, since the application does not know when
> the token expires, it has to either get it prior to each AJAX request,
> or try to use a possibly stale token and request it again when it gets a
> 401 from the REST service. It would be nice to get information about
> token expiry together with the token in response to k_query_bearer_token
> request.
>
> On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke wrote:
>
> IIRC, if you're using the correct APIs (in Javascript or on the server
> side), the token will be automatically updated for you when you
> request it.
>
> On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
> > Hi,
> >
> > My jee web application uses its bearer token when issuing AJAX requests
> > to other REST services within the realm (but at different origins). It
> > does it by reading the exposed bearer token prior to making an AJAX
> > request. Is there a mechanism by which the application may find out when
> > the bearer token is refreshed, to make it possible to read the bearer
> > token only when needed ?
> >
> > Br / Hubert.
> >
> >
> > _________________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/__mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _________________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/__mailman/listinfo/keycloak-user
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bardacp at gmail.com Thu Jan 8 08:41:13 2015
From: bardacp at gmail.com (Peter Bardáč)
Date: Thu, 08 Jan 2015 14:41:13 +0100
Subject: [keycloak-user] Template properties file encoding
In-Reply-To:
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com>
Message-ID: <54AE88F9.2080303@gmail.com>

Hi,

I want to use UTF-8 encoding in keycloak theme but I have problem with
messages.properties file.
For example I have ? symbol in this file but it translates into ?? (in
login.ftl there is ${rb.usernameOrEmail}).

But when I type symbol ? right into login.ftl file it renders with no
problem. So I assume there is problem with Freemarker <->
messages.properties file parsing.

I have modified template.ftl file to use

I also saved these files with UTF-8 encoding and also added
-Dfile.encoding=UTF-8 to JAVA_OPTS in standalone.conf

At this moment I have no idea what else should I try please help.

P.S. I would hardcode strings into login.ftl file but I cannot hardcode
string for invalid uname/passwd message.

From gerbermichi at me.com Thu Jan 8 08:48:17 2015
From: gerbermichi at me.com (Michael Gerber)
Date: Thu, 08 Jan 2015 13:48:17 +0000 (GMT)
Subject: [keycloak-user] pass username to login
Message-ID: <22bfdcee-031e-43f3-9706-17f22355511b@me.com>

Hi

I want to pass a username to the login screen.
I know the parameter login_hint, but how can I pass a value for this
parameter, if I invoke the application like this:
http://localhost/myapp?login_hint=michael

best
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150108/61965c54/attachment.html

From stian at redhat.com Thu Jan 8 08:59:52 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 8 Jan 2015 08:59:52 -0500 (EST)
Subject: [keycloak-user] pass username to login
In-Reply-To: <22bfdcee-031e-43f3-9706-17f22355511b@me.com>
References: <22bfdcee-031e-43f3-9706-17f22355511b@me.com>
Message-ID: <1430193441.5659032.1420725592419.JavaMail.zimbra@redhat.com>

What adapter are you using?

----- Original Message -----
> From: "Michael Gerber"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 8 January, 2015 2:48:17 PM
> Subject: [keycloak-user] pass username to login
>
> Hi
>
> I want to pass a username to the login screen. I know the parameter
> login_hint, but how can I pass a value for this parameter, if I invoke the
> application like this:
> http://localhost/myapp?login_hint=michael
>
> best
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ivan at akvo.org Thu Jan 8 09:15:29 2015
From: ivan at akvo.org (Iván Perdomo)
Date: Thu, 8 Jan 2015 15:15:29 +0100
Subject: [keycloak-user] Template properties file encoding
In-Reply-To: <54AE88F9.2080303@gmail.com>
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com> <54AE88F9.2080303@gmail.com>
Message-ID: <20150108151529.5e3466f3@akvo.org>

Hi,

On Thu, 08 Jan 2015 14:41:13 +0100
Peter Bardáč wrote:

> I want to use UTF-8 encoding in keycloak theme but I have problem
> with messages.properties file.
Java properties are expected to be encoded using "ISO 8859-1"

> "is assumed to use the ISO 8859-1 character encoding; that is each
> byte is one Latin1 character. Characters not in Latin1, and certain
> special characters, are represented in keys and elements using Unicode
> escapes as defined in section 3.3 of The Java™ Language
> Specification."

http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html#load%28java.io.InputStream%29

My five cents,

--
Iván

From stian at redhat.com Thu Jan 8 09:31:19 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 8 Jan 2015 09:31:19 -0500 (EST)
Subject: [keycloak-user] Template properties file encoding
In-Reply-To: <54AE88F9.2080303@gmail.com>
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com> <54AE88F9.2080303@gmail.com>
Message-ID: <1850402722.5688861.1420727479228.JavaMail.zimbra@redhat.com>

I reckon all templates and properties files should be utf-8 so submit a bug and we'll fix

----- Original Message -----
> From: "Peter Bardáč"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 8 January, 2015 2:41:13 PM
> Subject: [keycloak-user] Template properties file encoding
>
> Hi,
>
> I want to use UTF-8 encoding in keycloak theme but I have problem with
> messages.properties file.
> For example I have ? symbol in this file but it translates into ?? (in
> login.ftl there is ${rb.usernameOrEmail}).
>
> But when I type symbol ? right into login.ftl file it renders with no
> problem. So I assume there is problem with Freemarker <->
> messages.properties file parsing.
>
> I have modified template.ftl file to use content="text/html; charset=utf-8" />
>
> I also saved these files with UTF-8 encoding and also added
> -Dfile.encoding=UTF-8 to JAVA_OPTS in standalone.conf
>
> At this moment I have no idea what else should I try please help.
>
> P.S. I would hardcode strings into login.ftl file but I cannot hardcode
> string for invalid uname/passwd message.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bardacp at gmail.com Thu Jan 8 10:05:13 2015
From: bardacp at gmail.com (Peter Bardáč)
Date: Thu, 08 Jan 2015 16:05:13 +0100
Subject: [keycloak-user] Template properties file encoding
In-Reply-To: <1850402722.5688861.1420727479228.JavaMail.zimbra@redhat.com>
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com> <54AE88F9.2080303@gmail.com> <1850402722.5688861.1420727479228.JavaMail.zimbra@redhat.com>
Message-ID: <54AE9CA9.8050407@gmail.com>

As Ivan Perdomo stated in another message encoding ISO 8859-1 should be
used when saving .properties file. So I am not sure if this is bug as it
is part of standard:

Java properties are expected to be encoded using "ISO 8859-1"

> "is assumed to use the ISO 8859-1 character encoding; that is each
> byte is one Latin1 character. Characters not in Latin1, and certain
> special characters, are represented in keys and elements using Unicode
> escapes as defined in section 3.3 of The Java™ Language
> Specification."

Btw utf-8 works without problem on templates

On 8.1.2015 at 15:31, Stian Thorgersen wrote:
> I reckon all templates and properties files should be utf-8 so submit a bug and we'll fix
>
> ----- Original Message -----
>> From: "Peter Bardáč"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 8 January, 2015 2:41:13 PM
>> Subject: [keycloak-user] Template properties file encoding
>>
>> Hi,
>>
>> I want to use UTF-8 encoding in keycloak theme but I have problem with
>> messages.properties file.
>> For example I have ? symbol in this file but it translates into ?? (in
>> login.ftl there is ${rb.usernameOrEmail}).
>>
>> But when I type symbol ? right into login.ftl file it renders with no
>> problem. So I assume there is problem with Freemarker <->
>> messages.properties file parsing.
>>
>> I have modified template.ftl file to use content="text/html; charset=utf-8" />
>>
>> I also saved these files with UTF-8 encoding and also added
>> -Dfile.encoding=UTF-8 to JAVA_OPTS in standalone.conf
>>
>> At this moment I have no idea what else should I try please help.
>>
>> P.S. I would hardcode strings into login.ftl file but I cannot hardcode
>> string for invalid uname/passwd message.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bardacp at gmail.com Thu Jan 8 10:08:57 2015
From: bardacp at gmail.com (Peter Bardáč)
Date: Thu, 08 Jan 2015 16:08:57 +0100
Subject: [keycloak-user] Template properties file encoding
In-Reply-To: <20150108151529.5e3466f3@akvo.org>
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com> <54AE88F9.2080303@gmail.com> <20150108151529.5e3466f3@akvo.org>
Message-ID: <54AE9D89.1070800@gmail.com>

You are right now it works thanks.

On 8.1.2015 at 15:15, Iván Perdomo wrote:
> Hi,
>
> On Thu, 08 Jan 2015 14:41:13 +0100
> Peter Bardáč wrote:
>
>> I want to use UTF-8 encoding in keycloak theme but I have problem
>> with messages.properties file.
> Java properties are expected to be encoded using "ISO 8859-1"
>
>> "is assumed to use the ISO 8859-1 character encoding; that is each
>> byte is one Latin1 character. Characters not in Latin1, and certain
>> special characters, are represented in keys and elements using Unicode
>> escapes as defined in section 3.3 of The Java™ Language
>> Specification."
> http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html#load%28java.io.InputStream%29
>
> My five cents,
>

From stian at redhat.com Thu Jan 8 10:11:28 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 8 Jan 2015 10:11:28 -0500 (EST)
Subject: [keycloak-user] Template properties file encoding
In-Reply-To: <54AE9D89.1070800@gmail.com>
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com> <54AE88F9.2080303@gmail.com> <20150108151529.5e3466f3@akvo.org> <54AE9D89.1070800@gmail.com>
Message-ID: <1375895680.5729556.1420729888678.JavaMail.zimbra@redhat.com>

You learn something new every day ;)

----- Original Message -----
> From: "Peter Bardáč"
> To: "Iván Perdomo"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 8 January, 2015 4:08:57 PM
> Subject: Re: [keycloak-user] Template properties file encoding
>
> You are right now it works thanks.
> On 8.1.2015 at 15:15, Iván Perdomo wrote:
> > Hi,
> >
> > On Thu, 08 Jan 2015 14:41:13 +0100
> > Peter Bardáč wrote:
> >
> >> I want to use UTF-8 encoding in keycloak theme but I have problem
> >> with messages.properties file.
> > Java properties are expected to be encoded using "ISO 8859-1"
> >
> >> "is assumed to use the ISO 8859-1 character encoding; that is each
> >> byte is one Latin1 character. Characters not in Latin1, and certain
> >> special characters, are represented in keys and elements using Unicode
> >> escapes as defined in section 3.3 of The Java™ Language
> >> Specification."
> > http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html#load%28java.io.InputStream%29
> >
> > My five cents,
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bmcwhirt at redhat.com Mon Jan 12 10:48:27 2015
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Mon, 12 Jan 2015 10:48:27 -0500
Subject: [keycloak-user] Keycloak NPM module for node.js applications
Message-ID:

Howdy everyone?

I just wanted to raise awareness of the first release of the
`connect-keycloak` NPM module for Connect- (or Express-)based applications
using Node.js.

It's in the NPM registry:

https://www.npmjs.com/package/connect-keycloak

And documentation is published here:

http://keycloak.github.io/keycloak-nodejs/connect/

I welcome any feedback from anyone who might give it a whirl.

-Bob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150112/c5ed527d/attachment.html

From h.p.przybysz at gmail.com Tue Jan 13 02:52:30 2015
From: h.p.przybysz at gmail.com (Hubert Przybysz)
Date: Tue, 13 Jan 2015 08:52:30 +0100
Subject: [keycloak-user] How to know when to get a refreshed bearer token
In-Reply-To: <54ADB7FC.2070204@redhat.com>
References: <54AD3E7B.1030801@redhat.com> <54AD49F9.3000305@redhat.com> <54ADB7FC.2070204@redhat.com>
Message-ID:

Hi Bill,

When testing my app with the javascript adapter I have noticed that
keycloak.js gets confused when messages other than keycloak's get posted on
the window (from same origin). I made a quick fix by adding a
type="keycloak" to the data posted to the iframe and checking for that
value when the iframe sends it back. Other than that the adapter appears to
work just fine.

Thanks again for pointing me in the right direction.

Br / Hubert.
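
The fix described in the message above (tag what is posted to the iframe, check the tag when it comes back), as an added JavaScript example that is not part of the original post and is not keycloak.js code. It goes beyond the type tag by also checking the event's origin and source window and by matching each reply to a pending request; the function names, the `callbackId` field and the `example.test` origins are assumptions.

```javascript
// Added example, not keycloak.js source. Every name below is hypothetical
// except the "keycloak" tag value, which comes from the message above.
const MESSAGE_TYPE = 'keycloak';

// One channel per iframe: remembers which window and origin it talks to and
// which requests are still waiting for an echo.
function createIframeChannel(iframeWindow, iframeOrigin) {
  const pending = new Map(); // callbackId -> function to call with the reply
  let nextId = 1;

  // Tag the outgoing payload and name the target origin explicitly (never '*').
  function request(body, onReply) {
    const message = { type: MESSAGE_TYPE, callbackId: String(nextId++), body };
    pending.set(message.callbackId, onReply);
    iframeWindow.postMessage(message, iframeOrigin);
    return message;
  }

  // Decide whether a "message" event belongs to this channel. Returns a short
  // verdict so callers can log why an event was ignored.
  function handleMessage(event) {
    if (event.origin !== iframeOrigin) return 'rejected: origin';
    if (event.source !== iframeWindow) return 'rejected: source';
    const data = event.data;
    if (data === null || typeof data !== 'object') return 'rejected: shape';
    if (data.type !== MESSAGE_TYPE) return 'rejected: type';
    if (typeof data.callbackId !== 'string' || !pending.has(data.callbackId)) {
      return 'rejected: unknown callback';
    }
    const onReply = pending.get(data.callbackId);
    pending.delete(data.callbackId); // one reply per request; replays are dropped
    onReply(data.body);
    return 'accepted';
  }

  return { request, handleMessage };
}

// Browser wiring: register once and let the channel ignore everything else.
function attachChannel(win, channel) {
  win.addEventListener('message', (event) => channel.handleMessage(event));
}

// Constructed events, so the filter can be exercised without a browser.
function runConstructedDemo() {
  const trusted = 'https://auth.example.test';
  const iframeWindow = {
    sent: [],
    postMessage(message, targetOrigin) { this.sent.push({ message, targetOrigin }); },
  };
  const widgetWindow = {}; // stand-in for some other frame on the page
  const channel = createIframeChannel(iframeWindow, trusted);
  const replies = [];
  const sent = channel.request('status?', (body) => replies.push(body));
  const echo = { type: MESSAGE_TYPE, callbackId: sent.callbackId, body: 'unchanged' };

  const events = [
    { origin: 'https://app.example.test', source: widgetWindow, data: echo },
    { origin: trusted, source: widgetWindow, data: echo },
    { origin: trusted, source: iframeWindow, data: 'resize' },
    { origin: trusted, source: iframeWindow, data: { callbackId: sent.callbackId, body: 'unchanged' } },
    { origin: trusted, source: iframeWindow, data: { ...echo, callbackId: '99' } },
    { origin: trusted, source: iframeWindow, data: echo },
    { origin: trusted, source: iframeWindow, data: echo }, // replay of the accepted echo
  ];
  return {
    verdicts: events.map((event) => channel.handleMessage(event)),
    replies,
    posted: iframeWindow.sent,
  };
}
```
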
On Wed, Jan 7, 2015 at 11:49 PM, Bill Burke wrote:

> If your server-side components are all REST-based, I suggest using bearer
> token auth for them and obtaining the token via the keycloak.js adapter.
> Again, k_query_bearer_token auth is vulnerable to CSRF right now.
>
> On 1/7/2015 5:25 PM, Hubert Przybysz wrote:
>
>> Thanks for the heads-up. I'll take a closer look at the javascript
>> adapter.
>>
>> FYI, I've found the k_query_bearer_token request quite useful for a web
>> app that uses a mix of server-side and javascript components.
>>
>> On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke wrote:
>>
>> You probably should not be using the k_query_bearer_token request.
>> I'm thinking of removing it because it is vulnerable to CSRF
>> attacks. Instead use keycloak.js for javascript apps.
>>
>> On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
>>
>> The token is indeed updated automatically when it is requested. I was
>> rather wondering if there was a way to not have to request it prior to
>> each AJAX request. Currently, since the application does not know when
>> the token expires, it has to either get it prior to each AJAX request,
>> or try to use a possibly stale token and request it again when it gets a
>> 401 from the REST service. It would be nice to get information about
>> token expiry together with the token in response to k_query_bearer_token
>> request.
>>
>> On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke wrote:
>>
>> IIRC, if you're using the correct APIs (in Javascript or on the server
>> side), the token will be automatically updated for you when you
>> request it.
>>
>> On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
>> > Hi,
>> >
>> > My jee web application uses its bearer token when issuing AJAX requests
>> > to other REST services within the realm (but at different origins). It
>> > does it by reading the exposed bearer token prior to making an AJAX
>> > request.
>> > Is there a mechanism by which the application may find out when
>> > the bearer token is refreshed, to make it possible to read the bearer
>> > token only when needed ?
>> >
>> > Br / Hubert.
>> >
>> >
>> > _________________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/__mailman/listinfo/keycloak-user
>> >
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _________________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/__mailman/listinfo/keycloak-user
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150113/0691ed5c/attachment.html

From mikhail.kuznetsov at hp.com Tue Jan 13 16:01:08 2015
From: mikhail.kuznetsov at hp.com (Kuznetsov, Mike)
Date: Tue, 13 Jan 2015 21:01:08 +0000
Subject: [keycloak-user] Clarification for using Revocation Policies and Push Revocation
Message-ID: <66122567ABACCC42B5B568EC7E90551A1972302F@G6W2492.americas.hpqcorp.net>

Hello,

We are in the process of securing our REST APIs using Keycloak.

We would like to be able to use the Push Revocation feature. Please clarify
the following:

1. What is the expected behavior of this feature?

2. Is this feature handled by the application server adapter, and if so,
where? Or do we need to modify the application itself to support this
feature?

Thank You,
- Mikhail Kuznetsov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150113/d38519fd/attachment-0001.html

From christinalau28 at icloud.com Tue Jan 13 18:45:58 2015
From: christinalau28 at icloud.com (Christina Lau)
Date: Tue, 13 Jan 2015 18:45:58 -0500
Subject: [keycloak-user] How can I change the default landing page for the Keycloak cartridge?
Message-ID:

The Keycloak Openshift cartridge default landing page is /auth/. How can I
change it so that it will use my own custom landing page?

Thanks...
Christina

From jimmidyson at gmail.com Tue Jan 13 18:48:43 2015
From: jimmidyson at gmail.com (Jimmi Dyson)
Date: Tue, 13 Jan 2015 23:48:43 +0000
Subject: [keycloak-user] Keycloak Spring Boot integration
Message-ID:

Hi,

Has anyone looked at integrating Keycloak with Spring Boot, Spring Security
or even just Spring in general?

If not, do you have any tips that would help me build this integration?

Thanks,
Jimmi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150113/95b896f0/attachment.html

From bburke at redhat.com Tue Jan 13 20:36:48 2015
From: bburke at redhat.com (Bill Burke)
Date: Tue, 13 Jan 2015 20:36:48 -0500
Subject: [keycloak-user] Keycloak Spring Boot integration
In-Reply-To:
References:
Message-ID: <54B5C830.80902@redhat.com>

I know nothing about Spring Boot or Spring Security. What kind of
integration are you looking for? If Spring Security can delegate to
servlet layer for authentication and role-based security, then you
already have integration. Some insight from you would be helpful on what
we should do.

On 1/13/2015 6:48 PM, Jimmi Dyson wrote:
> Hi,
>
> Has anyone looked at integrating Keycloak with Spring Boot, Spring
> Security or even just Spring in general?
>
> If not, do you have any tips that would help me build this integration?
>
> Thanks,
> Jimmi
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Wed Jan 14 03:07:10 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 14 Jan 2015 03:07:10 -0500 (EST)
Subject: [keycloak-user] Clarification for using Revocation Policies and Push Revocation
In-Reply-To: <66122567ABACCC42B5B568EC7E90551A1972302F@G6W2492.americas.hpqcorp.net>
References: <66122567ABACCC42B5B568EC7E90551A1972302F@G6W2492.americas.hpqcorp.net>
Message-ID: <974653299.9884572.1421222830129.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Mike Kuznetsov"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 13 January, 2015 10:01:08 PM
> Subject: [keycloak-user] Clarification for using Revocation Policies and Push Revocation
>
> Hello,
>
> We are in the process of securing our REST APIs using Keycloak.
>
> We would like to be able to use the Push Revocation feature. Please clarify
> the following:
>
> 1. What is the expected behavior of this feature?

The server pushes the revocation time out to all registered applications. All registered applications should store this revocation time and not allow any tokens issued prior.

>
> 2. Is this feature handled by the application server adapter, and if so,
> where? Or do we need to modify the application itself to support this
> feature?

Yes, all our server side adapters handle this feature themselves. All you need to do is register the admin url for the application in the admin console.
>
> Thank You,
>
> - Mikhail Kuznetsov
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From prabhalar at yahoo.com Thu Jan 15 06:46:54 2015
From: prabhalar at yahoo.com (prab rrrr)
Date: Thu, 15 Jan 2015 11:46:54 +0000 (UTC)
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
Message-ID: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com>

Hi,

I created a custom User Federation Provider and deployed it as per the
documentation. It worked in earlier versions (1.1 Beta-1) but it appears
that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2
version and it is no longer inflated. Can someone suggest where exactly I
have to place the Federation provider jar in 1.1 Beta-2 version?

Thanks,
Raghu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150115/95548c6e/attachment.html

From ssilvert at redhat.com Thu Jan 15 08:09:56 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 15 Jan 2015 08:09:56 -0500
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com>
References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com>
Message-ID: <54B7BC24.5070501@redhat.com>

Providers are now uploaded using WildFly CLI or CLI GUI.

See
http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350

On 1/15/2015 6:46 AM, prab rrrr wrote:
> Hi,
>
> I created a custom User Federation Provider and deployed it as per the
> documentation. It worked in earlier versions (1.1 Beta-1) but it
> appears that the location of Keycloak war in Wildfly has changed in
> 1.1 Beta-2 version and it is no longer inflated.
> Can someone suggest
> where exactly I have to place the Federation provider jar in 1.1
> Beta-2 version?
>
> Thanks,
> Raghu
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150115/0e5b3ef5/attachment.html

From ssilvert at redhat.com Thu Jan 15 08:25:02 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 15 Jan 2015 08:25:02 -0500
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <54B7BC24.5070501@redhat.com>
References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com>
Message-ID: <54B7BFAE.9060805@redhat.com>

On 1/15/2015 8:09 AM, Stan Silvert wrote:
> Providers are now uploaded using WildFly CLI or CLI GUI.
>
> See
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350

BTW, if you are doing this on EAP 6 then you will need to use the latest
version of the CLI remote client jar. See
https://developer.jboss.org/wiki/UsingTheCLIRemoteClientJar

>
> On 1/15/2015 6:46 AM, prab rrrr wrote:
>> Hi,
>>
>> I created a custom User Federation Provider and deployed it as per
>> the documentation. It worked in earlier versions (1.1 Beta-1) but it
>> appears that the location of Keycloak war in Wildfly has changed in
>> 1.1 Beta-2 version and it is no longer inflated. Can someone suggest
>> where exactly I have to place the Federation provider jar in 1.1
>> Beta-2 version?
>> >> Thanks, >> Raghu >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150115/9d6d7778/attachment.html From stian at redhat.com Thu Jan 15 09:29:52 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 15 Jan 2015 09:29:52 -0500 (EST) Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <54B7BC24.5070501@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> Message-ID: <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> How is a provider added using the CLI? I can't find any examples on that. Also, there are still several references in the docs and examples that uses the old approach of copying to WEB-INF/lib. ----- Original Message ----- > From: "Stan Silvert" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 15 January, 2015 2:09:56 PM > Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 > > Providers are now uploaded using WildFly CLI or CLI GUI. > > See > http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 > > On 1/15/2015 6:46 AM, prab rrrr wrote: > > > > Hi, > > I created a custom User Federation Provider and deployed it as per the > documentation. It worked in earlier versions (1.1 Beta-1) but it appears > that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 > version and it is no longer inflated. 
Can someone suggest where exactly I > have to place the Federation provider jar in 1.1 Beta-2 version? > > Thanks, > Raghu > > > _______________________________________________ > keycloak-user mailing list keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Thu Jan 15 10:14:17 2015 From: bburke at redhat.com (Bill Burke) Date: Thu, 15 Jan 2015 10:14:17 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> Message-ID: <54B7D949.2080103@redhat.com> Docs will need to be updated. We need to expand the subsystem so that provider jars can be deployed like any other component. What you have now is *harder* to use than simply dropping in the jar in WEB-INF/lib IMO. On 1/15/2015 9:29 AM, Stian Thorgersen wrote: > How is a provider added using the CLI? I can't find any examples on that. > > Also, there are still several references in the docs and examples that uses the old approach of copying to WEB-INF/lib. > > ----- Original Message ----- >> From: "Stan Silvert" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, 15 January, 2015 2:09:56 PM >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >> >> Providers are now uploaded using WildFly CLI or CLI GUI. 
>> >> See >> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >> >> On 1/15/2015 6:46 AM, prab rrrr wrote: >> >> >> >> Hi, >> >> I created a custom User Federation Provider and deployed it as per the >> documentation. It worked in earlier versions (1.1 Beta-1) but it appears >> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >> version and it is no longer inflated. Can someone suggest where exactly I >> have to place the Federation provider jar in 1.1 Beta-2 version? >> >> Thanks, >> Raghu >> >> >> _______________________________________________ >> keycloak-user mailing list keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Thu Jan 15 10:40:35 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 15 Jan 2015 10:40:35 -0500 (EST) Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <54B7D949.2080103@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> Message-ID: <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> Added: https://issues.jboss.org/browse/KEYCLOAK-969 https://issues.jboss.org/browse/KEYCLOAK-970 Will need to be fixed for 1.1.0.Final ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 15 January, 2015 4:14:17 PM > 
Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 > > Docs will need to be updated. > > We need to expand the subsystem so that provider jars can be deployed > like any other component. What you have now is *harder* to use than > simply dropping in the jar in WEB-INF/lib IMO. > > > > On 1/15/2015 9:29 AM, Stian Thorgersen wrote: > > How is a provider added using the CLI? I can't find any examples on that. > > > > Also, there are still several references in the docs and examples that uses > > the old approach of copying to WEB-INF/lib. > > > > ----- Original Message ----- > >> From: "Stan Silvert" > >> To: keycloak-user at lists.jboss.org > >> Sent: Thursday, 15 January, 2015 2:09:56 PM > >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in > >> Keycloak 1.1 Beta-2 > >> > >> Providers are now uploaded using WildFly CLI or CLI GUI. > >> > >> See > >> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 > >> > >> On 1/15/2015 6:46 AM, prab rrrr wrote: > >> > >> > >> > >> Hi, > >> > >> I created a custom User Federation Provider and deployed it as per the > >> documentation. It worked in earlier versions (1.1 Beta-1) but it appears > >> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 > >> version and it is no longer inflated. Can someone suggest where exactly I > >> have to place the Federation provider jar in 1.1 Beta-2 version? 
> >> > >> Thanks, > >> Raghu > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From prabhalar at yahoo.com Thu Jan 15 11:59:12 2015 From: prabhalar at yahoo.com (Raghuram) Date: Thu, 15 Jan 2015 11:59:12 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> Message-ID: Thanks Stian. I deployed the jar under main-auth-server and verified that it appears in the standalone.xml under "deployments" tag. But the federation provider doesn't appear in the gui. Is there anything that I am missing? 
The same jar worked in beta1 - I could create a provider and authenticate Sent from my iPhone > On Jan 15, 2015, at 10:40 AM, Stian Thorgersen wrote: > > Added: > > https://issues.jboss.org/browse/KEYCLOAK-969 > https://issues.jboss.org/browse/KEYCLOAK-970 > > Will need to be fixed for 1.1.0.Final > > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, 15 January, 2015 4:14:17 PM >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >> >> Docs will need to be updated. >> >> We need to expand the subsystem so that provider jars can be deployed >> like any other component. What you have now is *harder* to use than >> simply dropping in the jar in WEB-INF/lib IMO. >> >> >> >>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>> How is a provider added using the CLI? I can't find any examples on that. >>> >>> Also, there are still several references in the docs and examples that uses >>> the old approach of copying to WEB-INF/lib. >>> >>> ----- Original Message ----- >>>> From: "Stan Silvert" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>> Keycloak 1.1 Beta-2 >>>> >>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>> >>>> See >>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>> >>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>> >>>> >>>> >>>> Hi, >>>> >>>> I created a custom User Federation Provider and deployed it as per the >>>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears >>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>>> version and it is no longer inflated. Can someone suggest where exactly I >>>> have to place the Federation provider jar in 1.1 Beta-2 version? 
>>>> >>>> Thanks, >>>> Raghu >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ssilvert at redhat.com Thu Jan 15 12:17:33 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 15 Jan 2015 12:17:33 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <54B7D949.2080103@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> Message-ID: <54B7F62D.4080709@redhat.com> On 1/15/2015 10:14 AM, Bill Burke wrote: > Docs will need to be updated. > > We need to expand the subsystem so that provider jars can be deployed > like any other component. What you have now is *harder* to use than > simply dropping in the jar in WEB-INF/lib IMO. Yes, it is slightly harder. We discussed this at length when it was implemented. You can't use a deployment-scanner mechanism in a domain environment. 
There are other reasons it needs to be this way. I'd have to go back and look at my notes and the previous thread to remember them all. The ease of use problem is mitigated somewhat by using a CLI script. So if you need to upload a provider over and over during development you can use that. Also, we can eventually add the ability to upload and manage providers from the Keycloak admin console. We wouldn't be able to do that if we stuck with the "drop it in the exploded WAR" solution. > > > > On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >> How is a provider added using the CLI? I can't find any examples on that. >> >> Also, there are still several references in the docs and examples that uses the old approach of copying to WEB-INF/lib. >> >> ----- Original Message ----- >>> From: "Stan Silvert" >>> To: keycloak-user at lists.jboss.org >>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >>> >>> Providers are now uploaded using WildFly CLI or CLI GUI. >>> >>> See >>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>> >>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>> >>> >>> >>> Hi, >>> >>> I created a custom User Federation Provider and deployed it as per the >>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears >>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>> version and it is no longer inflated. Can someone suggest where exactly I >>> have to place the Federation provider jar in 1.1 Beta-2 version? 
>>> >>> Thanks, >>> Raghu >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From ssilvert at redhat.com Thu Jan 15 12:33:49 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 15 Jan 2015 12:33:49 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> Message-ID: <54B7F9FD.6010808@redhat.com> I assume you mean that it shows up under a "deployment-overlays" tag? If it's under a "deployments" tag then something is wrong. It looks like Users --> Federation no longer exists in the GUI. Stain, do you know about this? On 1/15/2015 11:59 AM, Raghuram wrote: > Thanks Stian. I deployed the jar under main-auth-server and verified that it appears in the standalone.xml under "deployments" tag. But the federation provider doesn't appear in the gui. Is there anything that I am missing? 
The same jar worked in beta1 - I could create a provider and authenticate > > Sent from my iPhone > >> On Jan 15, 2015, at 10:40 AM, Stian Thorgersen wrote: >> >> Added: >> >> https://issues.jboss.org/browse/KEYCLOAK-969 >> https://issues.jboss.org/browse/KEYCLOAK-970 >> >> Will need to be fixed for 1.1.0.Final >> >> >> ----- Original Message ----- >>> From: "Bill Burke" >>> To: keycloak-user at lists.jboss.org >>> Sent: Thursday, 15 January, 2015 4:14:17 PM >>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >>> >>> Docs will need to be updated. >>> >>> We need to expand the subsystem so that provider jars can be deployed >>> like any other component. What you have now is *harder* to use than >>> simply dropping in the jar in WEB-INF/lib IMO. >>> >>> >>> >>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>>> How is a provider added using the CLI? I can't find any examples on that. >>>> >>>> Also, there are still several references in the docs and examples that uses >>>> the old approach of copying to WEB-INF/lib. >>>> >>>> ----- Original Message ----- >>>>> From: "Stan Silvert" >>>>> To: keycloak-user at lists.jboss.org >>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>>> Keycloak 1.1 Beta-2 >>>>> >>>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>>> >>>>> See >>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>>> >>>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>>> >>>>> >>>>> >>>>> Hi, >>>>> >>>>> I created a custom User Federation Provider and deployed it as per the >>>>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears >>>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>>>> version and it is no longer inflated. Can someone suggest where exactly I >>>>> have to place the Federation provider jar in 1.1 Beta-2 version? 
>>>>> >>>>> Thanks, >>>>> Raghu >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From prabhalar at yahoo.com Thu Jan 15 13:01:38 2015 From: prabhalar at yahoo.com (Raghuram) Date: Thu, 15 Jan 2015 13:01:38 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <54B7F9FD.6010808@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> <54B7F9FD.6010808@redhat.com> Message-ID: <42464E93-69AD-4EC5-BEE7-B4C15FFF3C6E@yahoo.com> Thanks for the pointer Stan. I used the wrong command "deploy" earlier. Now i tried "deploy-overlay" command and that did the trick. 
Sent from my iPhone > On Jan 15, 2015, at 12:33 PM, Stan Silvert wrote: > > I assume you mean that it shows up under a "deployment-overlays" tag? > If it's under a "deployments" tag then something is wrong. > > It looks like Users --> Federation no longer exists in the GUI. Stain, > do you know about this? > >> On 1/15/2015 11:59 AM, Raghuram wrote: >> Thanks Stian. I deployed the jar under main-auth-server and verified that it appears in the standalone.xml under "deployments" tag. But the federation provider doesn't appear in the gui. Is there anything that I am missing? The same jar worked in beta1 - I could create a provider and authenticate >> >> Sent from my iPhone >> >>> On Jan 15, 2015, at 10:40 AM, Stian Thorgersen wrote: >>> >>> Added: >>> >>> https://issues.jboss.org/browse/KEYCLOAK-969 >>> https://issues.jboss.org/browse/KEYCLOAK-970 >>> >>> Will need to be fixed for 1.1.0.Final >>> >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 15 January, 2015 4:14:17 PM >>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >>>> >>>> Docs will need to be updated. >>>> >>>> We need to expand the subsystem so that provider jars can be deployed >>>> like any other component. What you have now is *harder* to use than >>>> simply dropping in the jar in WEB-INF/lib IMO. >>>> >>>> >>>> >>>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>>>> How is a provider added using the CLI? I can't find any examples on that. >>>>> >>>>> Also, there are still several references in the docs and examples that uses >>>>> the old approach of copying to WEB-INF/lib. 
>>>>> >>>>> ----- Original Message ----- >>>>>> From: "Stan Silvert" >>>>>> To: keycloak-user at lists.jboss.org >>>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>>>> Keycloak 1.1 Beta-2 >>>>>> >>>>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>>>> >>>>>> See >>>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>>>> >>>>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>>>> >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> I created a custom User Federation Provider and deployed it as per the >>>>>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears >>>>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>>>>> version and it is no longer inflated. Can someone suggest where exactly I >>>>>> have to place the Federation provider jar in 1.1 Beta-2 version? >>>>>> >>>>>> Thanks, >>>>>> Raghu >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> 
https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ssilvert at redhat.com Thu Jan 15 13:04:41 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 15 Jan 2015 13:04:41 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <42464E93-69AD-4EC5-BEE7-B4C15FFF3C6E@yahoo.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> <54B7F9FD.6010808@redhat.com> <42464E93-69AD-4EC5-BEE7-B4C15FFF3C6E@yahoo.com> Message-ID: <54B80139.5020804@redhat.com> On 1/15/2015 1:01 PM, Raghuram wrote: > Thanks for the pointer Stan. I used the wrong command "deploy" earlier. Now i tried "deploy-overlay" command and that did the trick. You can do it with deploy-overlay, but it is easier if you do it with "add-provider" from the auth-server resource. It has more options and you don't have to fill in as many attributes. > > > Sent from my iPhone > >> On Jan 15, 2015, at 12:33 PM, Stan Silvert wrote: >> >> I assume you mean that it shows up under a "deployment-overlays" tag? >> If it's under a "deployments" tag then something is wrong. >> >> It looks like Users --> Federation no longer exists in the GUI. Stain, >> do you know about this? >> >>> On 1/15/2015 11:59 AM, Raghuram wrote: >>> Thanks Stian. I deployed the jar under main-auth-server and verified that it appears in the standalone.xml under "deployments" tag. 
But the federation provider doesn't appear in the gui. Is there anything that I am missing? The same jar worked in beta1 - I could create a provider and authenticate >>> >>> Sent from my iPhone >>> >>>> On Jan 15, 2015, at 10:40 AM, Stian Thorgersen wrote: >>>> >>>> Added: >>>> >>>> https://issues.jboss.org/browse/KEYCLOAK-969 >>>> https://issues.jboss.org/browse/KEYCLOAK-970 >>>> >>>> Will need to be fixed for 1.1.0.Final >>>> >>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" >>>>> To: keycloak-user at lists.jboss.org >>>>> Sent: Thursday, 15 January, 2015 4:14:17 PM >>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >>>>> >>>>> Docs will need to be updated. >>>>> >>>>> We need to expand the subsystem so that provider jars can be deployed >>>>> like any other component. What you have now is *harder* to use than >>>>> simply dropping in the jar in WEB-INF/lib IMO. >>>>> >>>>> >>>>> >>>>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>>>>> How is a provider added using the CLI? I can't find any examples on that. >>>>>> >>>>>> Also, there are still several references in the docs and examples that uses >>>>>> the old approach of copying to WEB-INF/lib. >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Stan Silvert" >>>>>>> To: keycloak-user at lists.jboss.org >>>>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>>>>> Keycloak 1.1 Beta-2 >>>>>>> >>>>>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>>>>> >>>>>>> See >>>>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>>>>> >>>>>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> I created a custom User Federation Provider and deployed it as per the >>>>>>> documentation. 
It worked in earlier versions (1.1 Beta-1) but it appears >>>>>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>>>>>> version and it is no longer inflated. Can someone suggest where exactly I >>>>>>> have to place the Federation provider jar in 1.1 Beta-2 version? >>>>>>> >>>>>>> Thanks, >>>>>>> Raghu >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> -- >>>>> Bill Burke >>>>> JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From ssilvert at redhat.com Thu Jan 15 13:06:48 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 15 Jan 2015 13:06:48 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: 
<54B80139.5020804@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> <54B7F9FD.6010808@redhat.com> <42464E93-69AD-4EC5-BEE7-B4C15FFF3C6E@yahoo.com> <54B80139.5020804@redhat.com> Message-ID: <54B801B8.6050701@redhat.com> On 1/15/2015 1:04 PM, Stan Silvert wrote: > On 1/15/2015 1:01 PM, Raghuram wrote: >> Thanks for the pointer Stan. I used the wrong command "deploy" earlier. Now i tried "deploy-overlay" command and that did the trick. > You can do it with deploy-overlay, but it is easier if you do it with > "add-provider" from the auth-server resource. It has more options and > you don't have to fill in as many attributes. Example: /subsystem=keycloak/auth-server=main-auth-server/:add-provider(bytes-to-upload="/keycloak/examples/providers/federation-provider/target/federation-properties-example.jar",uploaded-file-name=myprovider.jar) >> >> Sent from my iPhone >> >>> On Jan 15, 2015, at 12:33 PM, Stan Silvert wrote: >>> >>> I assume you mean that it shows up under a "deployment-overlays" tag? >>> If it's under a "deployments" tag then something is wrong. >>> >>> It looks like Users --> Federation no longer exists in the GUI. Stain, >>> do you know about this? >>> >>>> On 1/15/2015 11:59 AM, Raghuram wrote: >>>> Thanks Stian. I deployed the jar under main-auth-server and verified that it appears in the standalone.xml under "deployments" tag. But the federation provider doesn't appear in the gui. Is there anything that I am missing? 
The same jar worked in beta1 - I could create a provider and authenticate >>>> >>>> Sent from my iPhone >>>> >>>>> On Jan 15, 2015, at 10:40 AM, Stian Thorgersen wrote: >>>>> >>>>> Added: >>>>> >>>>> https://issues.jboss.org/browse/KEYCLOAK-969 >>>>> https://issues.jboss.org/browse/KEYCLOAK-970 >>>>> >>>>> Will need to be fixed for 1.1.0.Final >>>>> >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Bill Burke" >>>>>> To: keycloak-user at lists.jboss.org >>>>>> Sent: Thursday, 15 January, 2015 4:14:17 PM >>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >>>>>> >>>>>> Docs will need to be updated. >>>>>> >>>>>> We need to expand the subsystem so that provider jars can be deployed >>>>>> like any other component. What you have now is *harder* to use than >>>>>> simply dropping in the jar in WEB-INF/lib IMO. >>>>>> >>>>>> >>>>>> >>>>>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>>>>>> How is a provider added using the CLI? I can't find any examples on that. >>>>>>> >>>>>>> Also, there are still several references in the docs and examples that uses >>>>>>> the old approach of copying to WEB-INF/lib. >>>>>>> >>>>>>> ----- Original Message ----- >>>>>>>> From: "Stan Silvert" >>>>>>>> To: keycloak-user at lists.jboss.org >>>>>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>>>>>> Keycloak 1.1 Beta-2 >>>>>>>> >>>>>>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>>>>>> >>>>>>>> See >>>>>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>>>>>> >>>>>>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> I created a custom User Federation Provider and deployed it as per the >>>>>>>> documentation. 
It worked in earlier versions (1.1 Beta-1) but it appears >>>>>>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>>>>>>> version and it is no longer inflated. Can someone suggest where exactly I >>>>>>>> have to place the Federation provider jar in 1.1 Beta-2 version? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Raghu >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> -- >>>>>> Bill Burke >>>>>> JBoss, a division of Red Hat >>>>>> http://bill.burkecentral.com >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From robin1233 at gmail.com Thu 
Jan 15 14:49:19 2015
From: robin1233 at gmail.com (robinfernandes .)
Date: Thu, 15 Jan 2015 14:49:19 -0500
Subject: [keycloak-user] Unattended OAuth sessions
Message-ID:

Hi,

I was just curious to know if there is a way to have an unattended session using OAuth, like CLI sessions, without prompting for the credentials (username/password)?

This is just a general OAuth related question. I just wanted to know if anyone has come across this use case before.

Thanks,
Robin

From ssilvert at redhat.com Thu Jan 15 15:23:48 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 15 Jan 2015 15:23:48 -0500
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com>
References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com>
Message-ID: <54B821D4.8040202@redhat.com>

On 1/15/2015 9:29 AM, Stian Thorgersen wrote:
> How is a provider added using the CLI? I can't find any examples on that.
In the doc there is a step-by-step example of how to do it. See section 3.4.2.2.
http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
>
> Also, there are still several references in the docs and examples that use the old approach of copying to WEB-INF/lib.
>
> ----- Original Message -----
>> From: "Stan Silvert"
>> To: keycloak-user at lists.jboss.org
>> Sent: Thursday, 15 January, 2015 2:09:56 PM
>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
>>
>> Providers are now uploaded using WildFly CLI or CLI GUI.
>>
>> See
>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
>>
>> On 1/15/2015 6:46 AM, prab rrrr wrote:
>>
>> Hi,
>>
>> I created a custom User Federation Provider and deployed it as per the
>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears
>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2
>> version and it is no longer inflated. Can someone suggest where exactly I
>> have to place the Federation provider jar in 1.1 Beta-2 version?
>>
>> Thanks,
>> Raghu

From ssilvert at redhat.com Thu Jan 15 17:31:04 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 15 Jan 2015 17:31:04 -0500
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <54B7F9FD.6010808@redhat.com>
References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B7D949.2080103@redhat.com> <146825425.10934819.1421336435310.JavaMail.zimbra@redhat.com> <54B7F9FD.6010808@redhat.com>
Message-ID: <54B83FA8.2060008@redhat.com>

On 1/15/2015 12:33 PM, Stan Silvert wrote:
> I assume you mean that it shows up under a "deployment-overlays" tag?
> If it's under a "deployments" tag then something is wrong.
>
> It looks like Users --> Federation no longer exists in the GUI. Stian,
> do you know about this?
Very strange. I took a closer look at this. Firefox is hosed, but everything looks fine in Chrome.
>
> On 1/15/2015 11:59 AM, Raghuram wrote:
>> Thanks Stian.
I deployed the jar under main-auth-server and verified that it appears in the standalone.xml under "deployments" tag. But the federation provider doesn't appear in the gui. Is there anything that I am missing? The same jar worked in beta1 - I could create a provider and authenticate >> >> Sent from my iPhone >> >>> On Jan 15, 2015, at 10:40 AM, Stian Thorgersen wrote: >>> >>> Added: >>> >>> https://issues.jboss.org/browse/KEYCLOAK-969 >>> https://issues.jboss.org/browse/KEYCLOAK-970 >>> >>> Will need to be fixed for 1.1.0.Final >>> >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 15 January, 2015 4:14:17 PM >>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >>>> >>>> Docs will need to be updated. >>>> >>>> We need to expand the subsystem so that provider jars can be deployed >>>> like any other component. What you have now is *harder* to use than >>>> simply dropping in the jar in WEB-INF/lib IMO. >>>> >>>> >>>> >>>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>>>> How is a provider added using the CLI? I can't find any examples on that. >>>>> >>>>> Also, there are still several references in the docs and examples that uses >>>>> the old approach of copying to WEB-INF/lib. >>>>> >>>>> ----- Original Message ----- >>>>>> From: "Stan Silvert" >>>>>> To: keycloak-user at lists.jboss.org >>>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>>>> Keycloak 1.1 Beta-2 >>>>>> >>>>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>>>> >>>>>> See >>>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>>>> >>>>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>>>> >>>>>> >>>>>> >>>>>> Hi, >>>>>> >>>>>> I created a custom User Federation Provider and deployed it as per the >>>>>> documentation. 
>>>>>> It worked in earlier versions (1.1 Beta-1) but it appears
>>>>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2
>>>>>> version and it is no longer inflated. Can someone suggest where exactly I
>>>>>> have to place the Federation provider jar in 1.1 Beta-2 version?
>>>>>>
>>>>>> Thanks,
>>>>>> Raghu

From prabhalar at yahoo.com Thu Jan 15 21:05:56 2015
From: prabhalar at yahoo.com (prab rrrr)
Date: Fri, 16 Jan 2015 02:05:56 +0000 (UTC)
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <54B83FA8.2060008@redhat.com>
References: <54B83FA8.2060008@redhat.com>
Message-ID: <1252643907.1155662.1421373956862.JavaMail.yahoo@jws10065.mail.ne1.yahoo.com>

That didn't work for me in IE 11 as well. As you mentioned, Chrome is fine.

From: Stan Silvert
To: keycloak-user at lists.jboss.org; Stian Thorgersen
Sent: Thursday, January 15, 2015 5:31 PM
Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2

On 1/15/2015 12:33 PM, Stan Silvert wrote:
> I assume you mean that it shows up under a "deployment-overlays" tag?
> If it's under a "deployments" tag then something is wrong.
>
> It looks like Users --> Federation no longer exists in the GUI. Stian,
> do you know about this?
Very strange. I took a closer look at this. Firefox is hosed, but everything looks fine in Chrome.
>
> On 1/15/2015 11:59 AM, Raghuram wrote:
>> Thanks Stian. I deployed the jar under main-auth-server and verified that it appears in the standalone.xml under "deployments" tag. But the federation provider doesn't appear in the gui. Is there anything that I am missing? The same jar worked in beta1 - I could create a provider and authenticate
>>
>> Sent from my iPhone
>>
>>> On Jan 15, 2015, at 10:40 AM, Stian Thorgersen wrote:
>>>
>>> Added:
>>>
>>>   https://issues.jboss.org/browse/KEYCLOAK-969
>>>   https://issues.jboss.org/browse/KEYCLOAK-970
>>>
>>> Will need to be fixed for 1.1.0.Final
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke"
>>>> To: keycloak-user at lists.jboss.org
>>>> Sent: Thursday, 15 January, 2015 4:14:17 PM
>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
>>>>
>>>> Docs will need to be updated.
>>>>
>>>> We need to expand the subsystem so that provider jars can be deployed
>>>> like any other component. What you have now is *harder* to use than
>>>> simply dropping in the jar in WEB-INF/lib IMO.
>>>>
>>>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote:
>>>>> How is a provider added using the CLI? I can't find any examples on that.
>>>>>
>>>>> Also, there are still several references in the docs and examples that use
>>>>> the old approach of copying to WEB-INF/lib.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Stan Silvert"
>>>>>> To: keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM
>>>>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in
>>>>>> Keycloak 1.1 Beta-2
>>>>>>
>>>>>> Providers are now uploaded using WildFly CLI or CLI GUI.
>>>>>>
>>>>>> See
>>>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
>>>>>>
>>>>>> On 1/15/2015 6:46 AM, prab rrrr wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I created a custom User Federation Provider and deployed it as per the
>>>>>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears
>>>>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2
>>>>>> version and it is no longer inflated. Can someone suggest where exactly I
>>>>>> have to place the Federation provider jar in 1.1 Beta-2 version?
>>>>>>
>>>>>> Thanks,
>>>>>> Raghu

From stian at redhat.com Fri Jan 16 02:19:35 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 16 Jan 2015 02:19:35 -0500 (EST)
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <54B821D4.8040202@redhat.com>
References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com>
Message-ID: <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Stan Silvert"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 15 January, 2015 9:23:48 PM
> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
>
> On 1/15/2015 9:29 AM, Stian Thorgersen wrote:
> > How is a provider added using the CLI? I can't find any examples on that.
> In the doc there is a step-by-step example of how to do it. See section
> 3.4.2.2.
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350

That example uses the CLI GUI, we need one that uses plain CLI

There's also another issue with this approach, which I didn't stress enough last time around, it requires the server to be running to add providers. That makes it much harder to for example create a Docker cartridge that includes some custom providers.

> >
> > Also, there are still several references in the docs and examples that use
> > the old approach of copying to WEB-INF/lib.
> >
> > ----- Original Message -----
> >> From: "Stan Silvert"
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Thursday, 15 January, 2015 2:09:56 PM
> >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in
> >> Keycloak 1.1 Beta-2
> >>
> >> Providers are now uploaded using WildFly CLI or CLI GUI.
> >>
> >> See
> >> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
> >>
> >> On 1/15/2015 6:46 AM, prab rrrr wrote:
> >>
> >> Hi,
> >>
> >> I created a custom User Federation Provider and deployed it as per the
> >> documentation. It worked in earlier versions (1.1 Beta-1) but it appears
> >> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2
> >> version and it is no longer inflated. Can someone suggest where exactly I
> >> have to place the Federation provider jar in 1.1 Beta-2 version?
> >>
> >> Thanks,
> >> Raghu

From stian at redhat.com Fri Jan 16 02:24:00 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 16 Jan 2015 02:24:00 -0500 (EST)
Subject: [keycloak-user] Unattended OAuth sessions
In-Reply-To:
References:
Message-ID: <1611363719.11299170.1421393040398.JavaMail.zimbra@redhat.com>

Yes, the OAuth2 spec provides the client credentials grant for this, see https://tools.ietf.org/html/rfc6749#section-4.4. We're planning on introducing support for this as well as the ability to authenticate clients with certificates and signed JWTs.

----- Original Message -----
> From: "robinfernandes ."
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 15 January, 2015 8:49:19 PM
> Subject: [keycloak-user] Unattended OAuth sessions
>
> Hi,
>
> I was just curious to know if there is a way to have an unattended session
> using OAuth, like CLI sessions, without prompting for the credentials
> (username/password)?
>
> This is just a general OAuth related question. I just wanted to know if
> anyone has come across this use case before.
>
> Thanks,
> Robin

From mposolda at redhat.com Fri Jan 16 07:28:17 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 16 Jan 2015 13:28:17 +0100
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com>
References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com> <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com>
Message-ID: <54B903E1.20304@redhat.com>

Figured out that our "war-dist" still contains auth-server.war in "standalone/deployments". Appliance dist doesn't have it. This is not expected right? The chapter 3.1 and 3.2 both mention auth-server.war in deployments folder btw (which is not true at least for appliance dist now).

Found out that with the "war-dist" and auth-server.war deployed in standalone/deployments I can normally copy the provider jar to standalone/deployments/auth-server.war/WEB-INF/lib and it works:-) Marek On 16.1.2015 08:19, Stian Thorgersen wrote: > > ----- Original Message ----- >> From: "Stan Silvert" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Thursday, 15 January, 2015 9:23:48 PM >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >> >> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>> How is a provider added using the CLI? I can't find any examples on that. >> In the doc there is a step-by-step example of how to do it. See section >> 3.4.2.2. >> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 > That example uses the CLI GUI, we need one that uses plain CLI > > There's also another issue with this approach, which I didn't stress enough last time around, it requires the server to be running to add providers. That makes it much harder to for example create a Docker cartridge that includes some custom providers. > >>> Also, there are still several references in the docs and examples that uses >>> the old approach of copying to WEB-INF/lib. >>> >>> ----- Original Message ----- >>>> From: "Stan Silvert" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>> Keycloak 1.1 Beta-2 >>>> >>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>> >>>> See >>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>> >>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>> >>>> >>>> >>>> Hi, >>>> >>>> I created a custom User Federation Provider and deployed it as per the >>>> documentation. 
It worked in earlier versions (1.1 Beta-1) but it appears >>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>>> version and it is no longer inflated. Can someone suggest where exactly I >>>> have to place the Federation provider jar in 1.1 Beta-2 version? >>>> >>>> Thanks, >>>> Raghu >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From ssilvert at redhat.com Fri Jan 16 08:13:24 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Fri, 16 Jan 2015 08:13:24 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com> <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com> Message-ID: <54B90E74.9040704@redhat.com> On 1/16/2015 2:19 AM, Stian Thorgersen wrote: > > ----- Original Message ----- >> From: "Stan Silvert" >> To: "Stian Thorgersen" >> Cc: keycloak-user at lists.jboss.org >> Sent: Thursday, 15 January, 2015 9:23:48 PM >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >> >> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>> How is a provider added using the CLI? I can't find any examples on that. >> In the doc there is a step-by-step example of how to do it. 
See section >> 3.4.2.2. >> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 > That example uses the CLI GUI, we need one that uses plain CLI Plain CLI is harder in this case. CLI GUI lets you browse for the file you need. Overall, plain CLI is a lot more error prone. If you do this once in CLI GUI then you will generate the CLI command that you can cut and paste into plain CLI or a script. But if you want, I can include an example of that command. > > There's also another issue with this approach, which I didn't stress enough last time around, it requires the server to be running to add providers. That makes it much harder to for example create a Docker cartridge that includes some custom providers. Perhaps we just need to document the fact that you can still explode the WAR and do it the old way? > >>> Also, there are still several references in the docs and examples that uses >>> the old approach of copying to WEB-INF/lib. >>> >>> ----- Original Message ----- >>>> From: "Stan Silvert" >>>> To: keycloak-user at lists.jboss.org >>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in >>>> Keycloak 1.1 Beta-2 >>>> >>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>> >>>> See >>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>> >>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>> >>>> >>>> >>>> Hi, >>>> >>>> I created a custom User Federation Provider and deployed it as per the >>>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears >>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 >>>> version and it is no longer inflated. Can someone suggest where exactly I >>>> have to place the Federation provider jar in 1.1 Beta-2 version? 
>>>> >>>> Thanks, >>>> Raghu >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From ssilvert at redhat.com Fri Jan 16 08:30:40 2015 From: ssilvert at redhat.com (Stan Silvert) Date: Fri, 16 Jan 2015 08:30:40 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <54B903E1.20304@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com> <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com> <54B903E1.20304@redhat.com> Message-ID: <54B91280.1020905@redhat.com> On 1/16/2015 7:28 AM, Marek Posolda wrote: > Figured out that our "war-dist" still contains auth-server.war in > "standalone/deployments" . Appliance dist doesn't have it. This is not > expected right? The chapter 3.1 and 3.2 both mentions auth-server.war > in deployments folder btv (which is not true at least for appliance > dist now). The WAR dist doesn't contain the subsystem. So it has to work the old way. I think we need to come to a final decision about supporting the auth server on other platforms, which is the only reason for the WAR dist to still exist. > > Found out that with the "war-dist" and auth-server.war deployed in > standalone/deployments I can normally copy the provider jar to > standalone/deployments/auth-server.war/WEB-INF/lib and it works:-) Right. I didn't change the way it actually works. Uploading allows you to create an overlay, which is the equivalent of copying it by hand, but is more flexible. 
This is how it has to be done for domain mode. But the old way still works. > > Marek > > On 16.1.2015 08:19, Stian Thorgersen wrote: >> >> ----- Original Message ----- >>> From: "Stan Silvert" >>> To: "Stian Thorgersen" >>> Cc: keycloak-user at lists.jboss.org >>> Sent: Thursday, 15 January, 2015 9:23:48 PM >>> Subject: Re: [keycloak-user] Location of User Federation Provider >>> jar in Keycloak 1.1 Beta-2 >>> >>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: >>>> How is a provider added using the CLI? I can't find any examples on >>>> that. >>> In the doc there is a step-by-step example of how to do it. See section >>> 3.4.2.2. >>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>> >> That example uses the CLI GUI, we need one that uses plain CLI >> >> There's also another issue with this approach, which I didn't stress >> enough last time around, it requires the server to be running to add >> providers. That makes it much harder to for example create a Docker >> cartridge that includes some custom providers. >> >>>> Also, there are still several references in the docs and examples >>>> that uses >>>> the old approach of copying to WEB-INF/lib. >>>> >>>> ----- Original Message ----- >>>>> From: "Stan Silvert" >>>>> To: keycloak-user at lists.jboss.org >>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM >>>>> Subject: Re: [keycloak-user] Location of User Federation Provider >>>>> jar in >>>>> Keycloak 1.1 Beta-2 >>>>> >>>>> Providers are now uploaded using WildFly CLI or CLI GUI. >>>>> >>>>> See >>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 >>>>> >>>>> >>>>> On 1/15/2015 6:46 AM, prab rrrr wrote: >>>>> >>>>> >>>>> >>>>> Hi, >>>>> >>>>> I created a custom User Federation Provider and deployed it as per >>>>> the >>>>> documentation. 
>>>>> It worked in earlier versions (1.1 Beta-1) but it
>>>>> appears
>>>>> that the location of Keycloak war in Wildfly has changed in 1.1
>>>>> Beta-2
>>>>> version and it is no longer inflated. Can someone suggest where
>>>>> exactly I
>>>>> have to place the Federation provider jar in 1.1 Beta-2 version?
>>>>>
>>>>> Thanks,
>>>>> Raghu

From stian at redhat.com Fri Jan 16 08:33:49 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 16 Jan 2015 08:33:49 -0500 (EST)
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <54B91280.1020905@redhat.com>
References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com> <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com> <54B903E1.20304@redhat.com> <54B91280.1020905@redhat.com>
Message-ID: <1816657622.11453946.1421415229691.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Stan Silvert"
> To: "Marek Posolda"
> Cc: "Stian Thorgersen", keycloak-user at lists.jboss.org
> Sent: Friday, 16 January, 2015 2:30:40 PM
> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
>
> On 1/16/2015 7:28 AM, Marek Posolda wrote:
> > Figured out that our "war-dist" still contains auth-server.war in
> > "standalone/deployments". Appliance dist doesn't have it. This is not
> > expected right? The chapter 3.1 and 3.2 both mention auth-server.war
> > in deployments folder btw (which is not true at least for appliance
> > dist now).
> The WAR dist doesn't contain the subsystem. So it has to work the old way.
>
> I think we need to come to a final decision about supporting the auth
> server on other platforms, which is the only reason for the WAR dist to
> still exist.

If we want to be the OOTB solution for other JBoss projects it has to be possible to embed Keycloak into their solutions. I think that means we'll have to support Tomcat, Jetty, etc runtimes.

> >
> > Found out that with the "war-dist" and auth-server.war deployed in
> > standalone/deployments I can normally copy the provider jar to
> > standalone/deployments/auth-server.war/WEB-INF/lib and it works:-)
> Right. I didn't change the way it actually works. Uploading allows you
> to create an overlay, which is the equivalent of copying it by hand, but
> is more flexible. This is how it has to be done for domain mode. But
> the old way still works.
> >
> > Marek
> >
> > On 16.1.2015 08:19, Stian Thorgersen wrote:
> >>
> >> ----- Original Message -----
> >>> From: "Stan Silvert"
> >>> To: "Stian Thorgersen"
> >>> Cc: keycloak-user at lists.jboss.org
> >>> Sent: Thursday, 15 January, 2015 9:23:48 PM
> >>> Subject: Re: [keycloak-user] Location of User Federation Provider
> >>> jar in Keycloak 1.1 Beta-2
> >>>
> >>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote:
> >>>> How is a provider added using the CLI? I can't find any examples on
> >>>> that.
> >>> In the doc there is a step-by-step example of how to do it. See section
> >>> 3.4.2.2.
> >>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
> >>>
> >> That example uses the CLI GUI, we need one that uses plain CLI
> >>
> >> There's also another issue with this approach, which I didn't stress
> >> enough last time around, it requires the server to be running to add
> >> providers. That makes it much harder to for example create a Docker
> >> cartridge that includes some custom providers.
> >>
> >>>> Also, there are still several references in the docs and examples
> >>>> that use
> >>>> the old approach of copying to WEB-INF/lib.
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Stan Silvert"
> >>>>> To: keycloak-user at lists.jboss.org
> >>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM
> >>>>> Subject: Re: [keycloak-user] Location of User Federation Provider
> >>>>> jar in
> >>>>> Keycloak 1.1 Beta-2
> >>>>>
> >>>>> Providers are now uploaded using WildFly CLI or CLI GUI.
> >>>>>
> >>>>> See
> >>>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350
> >>>>>
> >>>>> On 1/15/2015 6:46 AM, prab rrrr wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I created a custom User Federation Provider and deployed it as per
> >>>>> the
> >>>>> documentation. It worked in earlier versions (1.1 Beta-1) but it
> >>>>> appears
> >>>>> that the location of Keycloak war in Wildfly has changed in 1.1
> >>>>> Beta-2
> >>>>> version and it is no longer inflated. Can someone suggest where
> >>>>> exactly I
> >>>>> have to place the Federation provider jar in 1.1 Beta-2 version?
> >>>>>
> >>>>> Thanks,
> >>>>> Raghu

From bburke at redhat.com Fri Jan 16 08:57:43 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 16 Jan 2015 08:57:43 -0500
Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2
In-Reply-To: <1252643907.1155662.1421373956862.JavaMail.yahoo@jws10065.mail.ne1.yahoo.com>
References: <54B83FA8.2060008@redhat.com> <1252643907.1155662.1421373956862.JavaMail.yahoo@jws10065.mail.ne1.yahoo.com>
Message-ID: <54B918D7.7050101@redhat.com>

Maybe development should stop testing things with Chrome?

On 1/15/2015 9:05 PM, prab rrrr wrote:
> That didn't work for me in IE 11 as well. As you mentioned, Chrome is
> fine.
> ------------------------------------------------------------------------
> *From:* Stan Silvert
> *To:* keycloak-user at lists.jboss.org; Stian Thorgersen
> *Sent:* Thursday, January 15, 2015 5:31 PM
> *Subject:* Re: [keycloak-user] Location of User Federation Provider jar
> in Keycloak 1.1 Beta-2
>
> On 1/15/2015 12:33 PM, Stan Silvert wrote:
> > I assume you mean that it shows up under a "deployment-overlays" tag?
> > If it's under a "deployments" tag then something is wrong.
> >
> > It looks like Users --> Federation no longer exists in the GUI. Stian,
> > do you know about this?
> Very strange. I took a closer look at this. Firefox is hosed, but
> everything looks fine in Chrome.
> > > > > > On 1/15/2015 11:59 AM, Raghuram wrote: > >> Thanks Stian. I deployed the jar under main-auth-server and verified > that it appears in the standalone.xml under "deployments" tag. But the > federation provider doesn't appear in the gui. Is there anything that I > am missing? The same jar worked in beta1 - I could create a provider and > authenticate > >> > >> Sent from my iPhone > >> > >>> On Jan 15, 2015, at 10:40 AM, Stian Thorgersen > wrote: > >>> > >>> Added: > >>> > >>> https://issues.jboss.org/browse/KEYCLOAK-969 > >>> https://issues.jboss.org/browse/KEYCLOAK-970 > >>> > >>> Will need to be fixed for 1.1.0.Final > >>> > >>> > >>> ----- Original Message ----- > >>>> From: "Bill Burke" > > >>>> To: keycloak-user at lists.jboss.org > > >>>> Sent: Thursday, 15 January, 2015 4:14:17 PM > >>>> Subject: Re: [keycloak-user] Location of User Federation Provider > jar in Keycloak 1.1 Beta-2 > >>>> > >>>> Docs will need to be updated. > >>>> > >>>> We need to expand the subsystem so that provider jars can be deployed > >>>> like any other component. What you have now is *harder* to use than > >>>> simply dropping in the jar in WEB-INF/lib IMO. > >>>> > >>>> > >>>> > >>>>> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: > >>>>> How is a provider added using the CLI? I can't find any examples > on that. > >>>>> > >>>>> Also, there are still several references in the docs and examples > that uses > >>>>> the old approach of copying to WEB-INF/lib. > >>>>> > >>>>> ----- Original Message ----- > >>>>>> From: "Stan Silvert" > > >>>>>> To: keycloak-user at lists.jboss.org > > >>>>>> Sent: Thursday, 15 January, 2015 2:09:56 PM > >>>>>> Subject: Re: [keycloak-user] Location of User Federation > Provider jar in > >>>>>> Keycloak 1.1 Beta-2 > >>>>>> > >>>>>> Providers are now uploaded using WildFly CLI or CLI GUI. 
> >>>>>> > >>>>>> See > >>>>>> > http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 > >>>>>> > >>>>>> On 1/15/2015 6:46 AM, prab rrrr wrote: > >>>>>> > >>>>>> > >>>>>> > >>>>>> Hi, > >>>>>> > >>>>>> I created a custom User Federation Provider and deployed it as > per the > >>>>>> documentation. It worked in earlier versions (1.1 Beta-1) but it > appears > >>>>>> that the location of Keycloak war in Wildfly has changed in 1.1 > Beta-2 > >>>>>> version and it is no longer inflated. Can someone suggest where > exactly I > >>>>>> have to place the Federation provider jar in 1.1 Beta-2 version? > >>>>>> > >>>>>> Thanks, > >>>>>> Raghu > >>>>>> > >>>>>> > >>>>>> _______________________________________________ > >>>>>> keycloak-user mailing list keycloak-user at lists.jboss.org > > >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>>> > >>>>>> > >>>>>> _______________________________________________ > >>>>>> keycloak-user mailing list > >>>>>> keycloak-user at lists.jboss.org > >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>>> _______________________________________________ > >>>>> keycloak-user mailing list > >>>>> keycloak-user at lists.jboss.org > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> -- > >>>> Bill Burke > >>>> JBoss, a division of Red Hat > >>>> http://bill.burkecentral.com > > > > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > 
_______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Jan 16 09:07:50 2015 From: bburke at redhat.com (Bill Burke) Date: Fri, 16 Jan 2015 09:07:50 -0500 Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <1816657622.11453946.1421415229691.JavaMail.zimbra@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com> <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com> <54B903E1.20304@redhat.com> <54B91280.1020905@redhat.com> <1816657622.11453946.1421415229691.JavaMail.zimbra@redhat.com> Message-ID: <54B91B36.4080504@redhat.com> On 1/16/2015 8:33 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Stan Silvert" >> To: "Marek Posolda" >> Cc: "Stian Thorgersen" , keycloak-user at lists.jboss.org >> Sent: Friday, 16 January, 2015 2:30:40 PM >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 >> >> On 1/16/2015 7:28 AM, Marek Posolda wrote: >>> Figured out that our "war-dist" still contains auth-server.war in >>> "standalone/deployments" . Appliance dist doesn't have it. This is not >>> expected right? 
The chapter 3.1 and 3.2 both mentions auth-server.war >>> in deployments folder btv (which is not true at least for appliance >>> dist now). >> The WAR dist doesn't contain the subsystem. So it has to work the old way. >> >> I think we need to come to a final decision about supporting the auth >> server on other platforms, which is the only reason for the WAR dist to >> still exist. > > If we want to be the OOTB solution for other JBoss projects it has to be possible to embed Keycloak into their solutions. I think that means we'll have to support Tomcat, Jetty, etc runtimes. > This will be an issue for any type of client-cert auth we do. With Wildfly going forward we'll be able to plug in more dynamic security trust managers, can't do that currently with JBossWeb, Tomcat, Jetty, etc... -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Fri Jan 16 09:07:53 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 16 Jan 2015 09:07:53 -0500 (EST) Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <54B90E74.9040704@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <54B7BC24.5070501@redhat.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com> <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com> <54B90E74.9040704@redhat.com> Message-ID: <340510006.11473992.1421417272996.JavaMail.zimbra@redhat.com> Currently, I'm not overly happy with releasing 1.1.0.Final and it's down to this issue. I should have raised it before, but it completely slipped my mind :( IMO we need: 1. A usable way to deploy a provider without using the CLI GUI 2. 
Ideally be able to deploy a provider with an offline server ----- Original Message ----- > From: "Stan Silvert" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Friday, 16 January, 2015 2:13:24 PM > Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 > > On 1/16/2015 2:19 AM, Stian Thorgersen wrote: > > > > ----- Original Message ----- > >> From: "Stan Silvert" > >> To: "Stian Thorgersen" > >> Cc: keycloak-user at lists.jboss.org > >> Sent: Thursday, 15 January, 2015 9:23:48 PM > >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in > >> Keycloak 1.1 Beta-2 > >> > >> On 1/15/2015 9:29 AM, Stian Thorgersen wrote: > >>> How is a provider added using the CLI? I can't find any examples on that. > >> In the doc there is a step-by-step example of how to do it. See section > >> 3.4.2.2. > >> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 > > That example uses the CLI GUI, we need one that uses plain CLI > Plain CLI is harder in this case. CLI GUI lets you browse for the file > you need. Overall, plain CLI is a lot more error prone. > > If you do this once in CLI GUI then you will generate the CLI command > that you can cut and paste into plain CLI or a script. But if you want, > I can include an example of that command. > > > > There's also another issue with this approach, which I didn't stress enough > > last time around, it requires the server to be running to add providers. > > That makes it much harder to for example create a Docker cartridge that > > includes some custom providers. > Perhaps we just need to document the fact that you can still explode the > WAR and do it the old way? > > > >>> Also, there are still several references in the docs and examples that > >>> uses > >>> the old approach of copying to WEB-INF/lib. 
> >>> > >>> ----- Original Message ----- > >>>> From: "Stan Silvert" > >>>> To: keycloak-user at lists.jboss.org > >>>> Sent: Thursday, 15 January, 2015 2:09:56 PM > >>>> Subject: Re: [keycloak-user] Location of User Federation Provider jar in > >>>> Keycloak 1.1 Beta-2 > >>>> > >>>> Providers are now uploaded using WildFly CLI or CLI GUI. > >>>> > >>>> See > >>>> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#d4e350 > >>>> > >>>> On 1/15/2015 6:46 AM, prab rrrr wrote: > >>>> > >>>> > >>>> > >>>> Hi, > >>>> > >>>> I created a custom User Federation Provider and deployed it as per the > >>>> documentation. It worked in earlier versions (1.1 Beta-1) but it appears > >>>> that the location of Keycloak war in Wildfly has changed in 1.1 Beta-2 > >>>> version and it is no longer inflated. Can someone suggest where exactly > >>>> I > >>>> have to place the Federation provider jar in 1.1 Beta-2 version? > >>>> > >>>> Thanks, > >>>> Raghu > >>>> > >>>> > >>>> _______________________________________________ > >>>> keycloak-user mailing list keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>>> > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > From stian at redhat.com Fri Jan 16 09:13:46 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 16 Jan 2015 09:13:46 -0500 (EST) Subject: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 In-Reply-To: <54B91B36.4080504@redhat.com> References: <111594417.61123.1421322414729.JavaMail.yahoo@jws100116.mail.ne1.yahoo.com> <2044258792.10860475.1421332192062.JavaMail.zimbra@redhat.com> <54B821D4.8040202@redhat.com> <1646813976.11298197.1421392775305.JavaMail.zimbra@redhat.com> <54B903E1.20304@redhat.com> <54B91280.1020905@redhat.com> 
<1816657622.11453946.1421415229691.JavaMail.zimbra@redhat.com> <54B91B36.4080504@redhat.com> Message-ID: <1110711566.11476990.1421417626320.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bill Burke" > To: keycloak-user at lists.jboss.org > Sent: Friday, 16 January, 2015 3:07:50 PM > Subject: Re: [keycloak-user] Location of User Federation Provider jar in Keycloak 1.1 Beta-2 > > > > On 1/16/2015 8:33 AM, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > >> From: "Stan Silvert" > >> To: "Marek Posolda" > >> Cc: "Stian Thorgersen" , keycloak-user at lists.jboss.org > >> Sent: Friday, 16 January, 2015 2:30:40 PM > >> Subject: Re: [keycloak-user] Location of User Federation Provider jar in > >> Keycloak 1.1 Beta-2 > >> > >> On 1/16/2015 7:28 AM, Marek Posolda wrote: > >>> Figured out that our "war-dist" still contains auth-server.war in > >>> "standalone/deployments" . Appliance dist doesn't have it. This is not > >>> expected right? The chapter 3.1 and 3.2 both mentions auth-server.war > >>> in deployments folder btv (which is not true at least for appliance > >>> dist now). > >> The WAR dist doesn't contain the subsystem. So it has to work the old > >> way. > >> > >> I think we need to come to a final decision about supporting the auth > >> server on other platforms, which is the only reason for the WAR dist to > >> still exist. > > > > If we want to be the OOTB solution for other JBoss projects it has to be > > possible to embed Keycloak into their solutions. I think that means we'll > > have to support Tomcat, Jetty, etc runtimes. > > > > This will be an issue for any type of client-cert auth we do. With > Wildfly going forward we'll be able to plug in more dynamic security > trust managers, can't do that currently with JBossWeb, Tomcat, Jetty, etc... We should provide a slimmed profile of Keycloak for embedding. I don't think that'll have to support client cert authentication. 
We should also consider adding signed-JWT as an auth mechanism. Looks like that's what Google does (https://developers.google.com/accounts/docs/OAuth2ServiceAccount).

>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From robin1233 at gmail.com Fri Jan 16 10:00:32 2015
From: robin1233 at gmail.com (robinfernandes .)
Date: Fri, 16 Jan 2015 10:00:32 -0500
Subject: [keycloak-user] Unattended OAuth sessions
In-Reply-To: <1611363719.11299170.1421393040398.JavaMail.zimbra@redhat.com>
References: <1611363719.11299170.1421393040398.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Stian,

Thanks a lot for the information. Is there a timeline on when this will be introduced?

Thanks,
Robin

On Fri, Jan 16, 2015 at 2:24 AM, Stian Thorgersen wrote:

> Yes, the OAuth2 spec provides the client credentials grant for this, see
> https://tools.ietf.org/html/rfc6749#section-4.4.
>
> We're planning on introducing support for this as well as the ability to
> authenticate clients with certificates and signed JWTs.
>
> ----- Original Message -----
> > From: "robinfernandes ."
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 15 January, 2015 8:49:19 PM
> > Subject: [keycloak-user] Unattended OAuth sessions
> >
> > Hi,
> >
> > I was just curious to know if there is a way to have an unattended session
> > using OAuth, like CLI sessions, without prompting for the credentials
> > (username/password)?
> >
> > This is just a general OAuth related question. I just wanted to know if
> > anyone has come across this use case before.
> >
> > Thanks,
> > Robin

From prabhalar at yahoo.com Fri Jan 16 12:44:07 2015
From: prabhalar at yahoo.com (Raghuram)
Date: Fri, 16 Jan 2015 12:44:07 -0500
Subject: [keycloak-user] Same global logout
Message-ID: <2B8FDBC2-0319-4501-934A-351339DAE486@yahoo.com>

Hi,

I tried out the Saml feature in 1.1beta2 using Spring Saml 1.0 as service provider. While the overall flow worked like a charm, had a problem with the global logout. While I was logged out by Keycloak, the Saml xml that was returned by Keycloak did not have "context issuer" and it failed validation done at SP. Any pointers on how to resolve it?

Thanks
Raghu

Sent from my iPhone

From prabhalar at yahoo.com Fri Jan 16 22:32:18 2015
From: prabhalar at yahoo.com (prab rrrr)
Date: Sat, 17 Jan 2015 03:32:18 +0000 (UTC)
Subject: [keycloak-user] Keycloak Clustering Issues
Message-ID: <1398890693.1483587.1421465538160.JavaMail.yahoo@jws10084.mail.ne1.yahoo.com>

Anyone noticed any issues with Infinispan? I saw a weird issue. After setting up a cluster with two nodes, made some changes on node-1 (created a user and changed the first name). While the user appeared on node-2, the change to the first name didn't make it. Restarting the node-2 didn't help either. Wondering if Infinispan is preventing all the changes to be picked up from database. If so, what settings would ensure that the data is consistent between the nodes?

Thanks,
Raghu

From prabhalar at yahoo.com Sat Jan 17 08:54:35 2015
From: prabhalar at yahoo.com (prab rrrr)
Date: Sat, 17 Jan 2015 13:54:35 +0000 (UTC)
Subject: [keycloak-user] Signing Keys in a cluster
Message-ID: <756606235.1537343.1421502875268.JavaMail.yahoo@jws100209.mail.ne1.yahoo.com>

Hi,

I am in the process of setting up a cluster of keycloak instances, all of which are accessible by a single url (fronted by a reverse proxy or an alias). So when a client application communicates with the single url using either SAML or Openid Connect, how do we ensure that all the keycloak instances use the same set of certificates/keys to sign/encrypt the SAML/OpenID Connect response?

Noticed that we can generate a new set of keys for each realm within Keycloak instance but they are different across different instances. Is there a way of using the same certificate/keys across all the instances?

Appreciate any input.

Thanks,
Raghu

From bburke at redhat.com Sat Jan 17 09:32:31 2015
From: bburke at redhat.com (Bill Burke)
Date: Sat, 17 Jan 2015 09:32:31 -0500
Subject: [keycloak-user] Signing Keys in a cluster
In-Reply-To: <756606235.1537343.1421502875268.JavaMail.yahoo@jws100209.mail.ne1.yahoo.com>
References: <756606235.1537343.1421502875268.JavaMail.yahoo@jws100209.mail.ne1.yahoo.com>
Message-ID: <54BA727F.4000703@redhat.com>

On 1/17/2015 8:54 AM, prab rrrr wrote:
> Hi,
>
> I am in the process of setting up a cluster of keycloak instances, all
> of which are accessible by a single url (fronted by a reverse proxy or
> an alias).
So when a client application communicates with the single url
> using either SAML or Openid Connect, how do we ensure that all the
> keycloak instances use the same set of certificates/keys to sign/encrypt
> the SAML/OpenID Connect response?
>
> Noticed that we can generate a new set of keys for each realm within
> Keycloak instance but they are different across different instances. Is
> there a way of using the same certificate/keys across all the instances?
>

That shouldn't be the case. There should be one key pair per realm. Sounds like you aren't sharing the same database.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Sat Jan 17 22:08:16 2015
From: prabhalar at yahoo.com (prab rrrr)
Date: Sun, 18 Jan 2015 03:08:16 +0000 (UTC)
Subject: [keycloak-user] Signing Keys in a cluster
In-Reply-To: <54BA727F.4000703@redhat.com>
References: <54BA727F.4000703@redhat.com>
Message-ID: <656084995.1638838.1421550496469.JavaMail.yahoo@jws10058.mail.ne1.yahoo.com>

Hi Bill - Checked it once again. It appears that the certificate is changing but the key is same across the keycloak instances as you mentioned. Not sure where the certificate will come into picture but I did further testing and can confirm that everything works the way it is supposed to across two instances on two hosts. But is there any way we can upload our own certificate/key to Keycloak instead of having Keycloak generate it? Based on our client requirements, we may need to support different key strengths.

Thanks,
Raghu

From: Bill Burke
To: keycloak-user at lists.jboss.org
Sent: Saturday, January 17, 2015 9:32 AM
Subject: Re: [keycloak-user] Signing Keys in a cluster

On 1/17/2015 8:54 AM, prab rrrr wrote:
> Hi,
>
> I am in the process of setting up a cluster of keycloak instances, all
> of which are accessible by a single url (fronted by a reverse proxy or
> an alias).
So when a client application communicates with the single url
> using either SAML or Openid Connect, how do we ensure that all the
> keycloak instances use the same set of certificates/keys to sign/encrypt
> the SAML/OpenID Connect response?
>
> Noticed that we can generate a new set of keys for each realm within
> Keycloak instance but they are different across different instances. Is
> there a way of using the same certificate/keys across all the instances?
>

That shouldn't be the case. There should be one key pair per realm. Sounds like you aren't sharing the same database.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com Mon Jan 19 03:00:34 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 19 Jan 2015 03:00:34 -0500 (EST)
Subject: [keycloak-user] Unattended OAuth sessions
In-Reply-To:
References: <1611363719.11299170.1421393040398.JavaMail.zimbra@redhat.com>
Message-ID: <276341145.12211782.1421654434236.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "robinfernandes ."
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 16 January, 2015 4:00:32 PM
> Subject: Re: [keycloak-user] Unattended OAuth sessions
>
> Hi Stian,
>
> Thanks a lot for the information. Is there a timeline on when this will be
> introduced?

Sometime in 2015 hopefully

>
> Thanks,
> Robin
>
> On Fri, Jan 16, 2015 at 2:24 AM, Stian Thorgersen wrote:
>
> > Yes, the OAuth2 spec provides the client credentials grant for this, see
> > https://tools.ietf.org/html/rfc6749#section-4.4.
> >
> > We're planning on introducing support for this as well as the ability to
> > authenticate clients with certificates and signed JWTs.
> >
> > ----- Original Message -----
> > > From: "robinfernandes ."
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Thursday, 15 January, 2015 8:49:19 PM
> > > Subject: [keycloak-user] Unattended OAuth sessions
> > >
> > > Hi,
> > >
> > > I was just curious to know if there is a way to have an unattended session
> > > using OAuth, like CLI sessions, without prompting for the credentials
> > > (username/password)?
> > >
> > > This is just a general OAuth related question. I just wanted to know if
> > > anyone has come across this use case before.
> > >
> > > Thanks,
> > > Robin

From mposolda at redhat.com Mon Jan 19 06:09:38 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 19 Jan 2015 12:09:38 +0100
Subject: [keycloak-user] Keycloak Clustering Issues
In-Reply-To: <1398890693.1483587.1421465538160.JavaMail.yahoo@jws10084.mail.ne1.yahoo.com>
References: <1398890693.1483587.1421465538160.JavaMail.yahoo@jws10084.mail.ne1.yahoo.com>
Message-ID: <54BCE5F2.3030300@redhat.com>

That's quite strange. I've just tested same scenario and works fine for me. If you do any change on user, the user is invalidated from cache on node-1 and this change about invalidation should be propagated to node-2. As long as you have shared database, node-2 should then retrieve newest data about shared user from database.

I would suggest to try this:

* Make sure that your infinispan cluster is correctly set. You can check it by seeing the message similar to this in server.log of both nodes:
  node_1 | 10:49:50,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]

* Make sure that you enable "infinispan" as provider of realmCache and userCache and configured connectionsInfinispan. When you open admin console on any node like: http://node-1:8080/auth/admin/master/console/index.html#/server-info you should see:
  connectionsInfinispan default
  realmCache infinispan
  userCache infinispan
  userSessions infinispan

* If still seeing issues, you can try to enable trace logging for "org.keycloak.models.cache.infinispan" category.

Hope this helps,
Marek

On 17.1.2015 04:32, prab rrrr wrote:
> Anyone noticed any issues with Infinispan? I saw a weird issue. After
> setting up a cluster with two nodes, made some changes on node-1
> (created a user and changed the first name). While the user appeared
> on node-2, the change to the first name didn't make it. Restarting the
> node-2 didn't help either. Wondering if Infinispan is preventing all
> the changes to be picked up from database. If so, what settings would
> ensure that the data is consistent between the nodes?
>
> Thanks,
> Raghu

From prabhalar at yahoo.com Mon Jan 19 07:32:41 2015
From: prabhalar at yahoo.com (prab rrrr)
Date: Mon, 19 Jan 2015 12:32:41 +0000 (UTC)
Subject: [keycloak-user] Keycloak Clustering Issues
In-Reply-To: <54BCE5F2.3030300@redhat.com>
References: <54BCE5F2.3030300@redhat.com>
Message-ID: <711201839.1935217.1421670761731.JavaMail.yahoo@jws100141.mail.ne1.yahoo.com>

Hi Marek - Thanks for the below pointers. I believe my setup is good but probably the udp communication is blocked in my organization as I do not see the specific log you mentioned. Here are some of the log messages I see:

Starting JGroups channel
Received new cluster view ... node 1 (no information about node2)

I will look at JGroups documentation to have the communication setup using tcp on a different port. Hopefully that would address the problem.

I tried out the url you provided to verify the setup but it doesn't work - checked on two different setups. fyi - I am using 1.1Beta2 version.

Regards,
Raghu

From: Marek Posolda
To: prab rrrr ; Keycloak-user
Sent: Monday, January 19, 2015 6:09 AM
Subject: Re: [keycloak-user] Keycloak Clustering Issues

That's quite strange. I've just tested same scenario and works fine for me. If you do any change on user, the user is invalidated from cache on node-1 and this change about invalidation should be propagated to node-2. As long as you have shared database, node-2 should then retrieve newest data about shared user from database.

I would suggest to try this:

* Make sure that your infinispan cluster is correctly set. You can check it by seeing the message similar to this in server.log of both nodes:
  node_1 | 10:49:50,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]

* Make sure that you enable "infinispan" as provider of realmCache and userCache and configured connectionsInfinispan. When you open admin console on any node like: http://node-1:8080/auth/admin/master/console/index.html#/server-info you should see:
  connectionsInfinispan default
  realmCache infinispan
  userCache infinispan
  userSessions infinispan

* If still seeing issues, you can try to enable trace logging for "org.keycloak.models.cache.infinispan" category.

Hope this helps,
Marek

On 17.1.2015 04:32, prab rrrr wrote:
Anyone noticed any issues with Infinispan? I saw a weird issue. After setting up a cluster with two nodes, made some changes on node-1 (created a user and changed the first name). While the user appeared on node-2, the change to the first name didn't make it. Restarting the node-2 didn't help either. Wondering if Infinispan is preventing all the changes to be picked up from database. If so, what settings would ensure that the data is consistent between the nodes?

Thanks,
Raghu

From stian at redhat.com Mon Jan 19 08:14:42 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 19 Jan 2015 08:14:42 -0500 (EST)
Subject: [keycloak-user] How can I change the default landing page for the Keycloak cartridge?
In-Reply-To:
References:
Message-ID: <1784325792.12441584.1421673282320.JavaMail.zimbra@redhat.com>

You can create a welcome theme that overrides the welcome-page.
First create the theme in:

/standalone/configuration/themes/welcome/

Then configure which theme to use in keycloak-server.json:

{
    "theme": {
        "welcomeTheme": ""
    }
}

----- Original Message -----
> From: "Christina Lau"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 14 January, 2015 12:45:58 AM
> Subject: [keycloak-user] How can I change the default landing page for the Keycloak cartridge?
>
> The Keycloak Openshift cartridge default landing page is /auth/. How can I
> change it so that it will use my own custom landing page? Thanks...
>
> Christina
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mposolda at redhat.com Mon Jan 19 11:02:10 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 19 Jan 2015 17:02:10 +0100
Subject: [keycloak-user] Keycloak Clustering Issues
In-Reply-To: <711201839.1935217.1421670761731.JavaMail.yahoo@jws100141.mail.ne1.yahoo.com>
References: <54BCE5F2.3030300@redhat.com> <711201839.1935217.1421670761731.JavaMail.yahoo@jws100141.mail.ne1.yahoo.com>
Message-ID: <54BD2A82.7010307@redhat.com>

oops, sorry. The server-info page was added recently and it's not in 1.1.Beta2. It would be available in 1.1.0.Final (or alternative is to build keycloak from master).

Anyway, if you enable debug logging for org.keycloak.services.DefaultKeycloakSessionFactory you should see in server.log which providers are used and hence you should see 'infinispan' for realmCache, userCache and userSessions.

We also recently added "Troubleshooting" page to clustering docs, which might help you to figure out what ports are needed https://github.com/keycloak/keycloak/blob/master/docbook/reference/en/en-US/modules/clustering.xml#L222 . You can try to temporarily disable firewall and see if it helps with cluster communication. Then you can figure more accurately which ports you need to open.
But generally we rely on infinispan/jgroups for cluster, so more info about cluster config and switch between udp/tcp should be available in their docs.

Marek

On 19.1.2015 13:32, prab rrrr wrote:
> Hi Marek - Thanks for the below pointers. I believe my setup is good
> but probably the udp communication is blocked in my organization as I
> do not see the specific log you mentioned. Here are some of the log
> messages I see:
>
> Starting JGroups channel
> Received new cluster view ... node 1 (no information about node2)
> I will look at JGroups documentation to have the communication setup
> using tcp on a different port. Hopefully that would address the problem.
>
> I tried out the url you provided to verify the setup but it doesn't
> work - checked on two different setups. fyi - I am using 1.1Beta2 version.
>
> Regards,
> Raghu
> ------------------------------------------------------------------------
> *From:* Marek Posolda
> *To:* prab rrrr ; Keycloak-user
>
> *Sent:* Monday, January 19, 2015 6:09 AM
> *Subject:* Re: [keycloak-user] Keycloak Clustering Issues
>
> That's quite strange. I've just tested same scenario and works fine
> for me. If you do any change on user, the user is invalidated from
> cache on node-1 and this change about invalidation should be
> propagated to node-2. As long as you have shared database, node-2
> should then retrieve newest data about shared user from database.
>
> I would suggest to try this:
>
> * Make sure that your infinispan cluster is correctly set. You can
> check it by seeing the message similar to this in server.log of both
> nodes: node_1 | 10:49:50,344 INFO
> [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> (Incoming-10,shared=udp) ISPN000094: Received new cluster view:
> [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]
>
> * Make sure that you enable "infinispan" as provider of realmCache and
> userCache and configured connectionsInfinispan.
When you open admin
> console on any node like:
> http://node-1:8080/auth/admin/master/console/index.html#/server-info
>
> you should see:
> connectionsInfinispan default
> realmCache infinispan
> userCache infinispan
> userSessions infinispan
>
> * If still seeing issues, you can try to enable trace logging for
> "org.keycloak.models.cache.infinispan" category.
>
> Hope this helps,
> Marek
>
>
> On 17.1.2015 04:32, prab rrrr wrote:
>>
>> Anyone noticed any issues with Infinispan? I saw a weird issue. After
>> setting up a cluster with two nodes, made some changes on node-1
>> (created a user and changed the first name). While the user appeared
>> on node-2, the change to the first name didn't make it. Restarting
>> the node-2 didn't help either. Wondering if Infinispan is preventing
>> all the changes to be picked up from database. If so, what settings
>> would ensure that the data is consistent between the nodes?
>>
>> Thanks,
>> Raghu
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150119/73079f3d/attachment.html

From alexander.chriztopher at gmail.com Tue Jan 20 08:36:04 2015
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Tue, 20 Jan 2015 14:36:04 +0100
Subject: [keycloak-user] Hook for user login
Message-ID:

Hi all,

We are using keycloak with our own user provider and are looking for a way to hook user's login.

The idea is to log each user login into the database for later reports.

Any idea about the best place to handle/hook each login ?

Thanks for your help.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150120/597c2716/attachment.html

From stian at redhat.com Tue Jan 20 09:06:15 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 20 Jan 2015 09:06:15 -0500 (EST)
Subject: [keycloak-user] Hook for user login
In-Reply-To:
References:
Message-ID: <947419218.13798061.1421762775744.JavaMail.zimbra@redhat.com>

http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/events.html

----- Original Message -----
> From: "Alexander Chriztopher"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 20 January, 2015 2:36:04 PM
> Subject: [keycloak-user] Hook for user login
>
> Hi all,
>
> We are using keycloak with our own user provider and are looking for a way to
> hook user's login.
>
> The idea is to log each user login into the database for later reports.
>
> Any idea about the best place to handle/hook each login ?
>
> Thanks for your help.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hernan.metaute at ceiba.com.co Tue Jan 20 10:57:14 2015
From: hernan.metaute at ceiba.com.co (Hernan Dario Metaute Sarmiento)
Date: Tue, 20 Jan 2015 10:57:14 -0500
Subject: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for admin console
Message-ID:

Hi, I'm new to keycloak and I recently installed the war distribution on my local machine.
For this I had to tweak some configurations on wildfly and *when I finally got it working I zipped the server and copied it to an amazon instance. I logged in to the console and fired up the server with standalone.*
*Then I accessed http://:8080/auth and clicked the Admin console link.*
*The server then threw an exception:*

We're *sorry* ...
HTTPS required

On my local machine I never set up https and I have been looking through the configuration files both of keycloak and the standalone.xml and see no configuration regarding ssl anywhere.
The only difference between both installations is that I have the amazon instance pointing to an empty Mongo repo and my local config has a mongo connection to other server already populated with keycloak collections.
Could this be the problem?
Should I migrate the local mongo database to my amazon instance for keycloak admin console to stop needing ssl?
Thanks in advance

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150120/d67053e1/attachment-0001.html

From markoradinovic79 at gmail.com Tue Jan 20 14:17:41 2015
From: markoradinovic79 at gmail.com (Marko Radinovic)
Date: Tue, 20 Jan 2015 20:17:41 +0100
Subject: [keycloak-user] Always redirected to login form
Message-ID: <8BE8F78F-B8C8-4EAC-B658-41E9BA690464@gmail.com>

Hi,
When I try to login to master realm, I am redirected back to login page.

I'm using:
Wildfly 8.2.0.Final
Keycloak version 1.1.0-Beta2
Apache2 as proxy server.
Here is my apache configuration

IfModule mod_ssl.c>

ServerName accounts.e-karton.net

ErrorLog ${APACHE_LOG_DIR}/accounts.e-karton.net-error.log
CustomLog ${APACHE_LOG_DIR}/accounts.e-karton.net-access.log combined

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

...SSL stuff omitted

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/htmles

# Turn off support for true Proxy behaviour as we are acting as
# a transparent proxy
ProxyRequests Off

# Turn off VIA header as we know where the requests are proxied
ProxyVia Off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine on

AddDefaultCharset Off
Order deny,allow
Allow from all

ProxyPass / ajp://192.168.5.17:8009/
ProxyPassReverse / ajp://192.168.5.17:8009/

Wildfly configuration:

Keycloak jboss-web.xml

">
/
accounts

Can anyone help me with this?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150120/6dca2384/attachment.html

From guydavis.ca at gmail.com Wed Jan 21 00:08:50 2015
From: guydavis.ca at gmail.com (Guy Davis)
Date: Tue, 20 Jan 2015 22:08:50 -0700
Subject: [keycloak-user] Delegated SAML authentication?
Message-ID:

Good day,

With the upcoming Keycloak 1.10, I see SAML support has been added to KeyCloak.
Will it be possible to have Keycloak delegate to another IDP such as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default for our JBoss deployments, but in certain cases, customers are asking for integration with the MS Azure cloud authentication mechanisms.

Thanks in advance,
Guy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150120/2065cf59/attachment.html

From stian at redhat.com Wed Jan 21 01:17:57 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 21 Jan 2015 01:17:57 -0500 (EST)
Subject: [keycloak-user] Always redirected to login form
In-Reply-To: <8BE8F78F-B8C8-4EAC-B658-41E9BA690464@gmail.com>
References: <8BE8F78F-B8C8-4EAC-B658-41E9BA690464@gmail.com>
Message-ID: <20505931.14280468.1421821077173.JavaMail.zimbra@redhat.com>

Does it work if you bypass the proxy?

----- Original Message -----
> From: "Marko Radinovic"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 20 January, 2015 8:17:41 PM
> Subject: [keycloak-user] Always redirected to login form
>
> Hi,
> When I try to login to master realm, I am redirected back to login page.
>
> I'm using:
> Wildfly 8.2.0.Final
> Keycloak version 1.1.0-Beta2
> Apache2 as proxy server.
>
> Here is my apache configuration
>
> IfModule mod_ssl.c>
>
> ServerName accounts.e-karton.net
>
> ErrorLog ${APACHE_LOG_DIR}/accounts.e-karton.net-error.log
> CustomLog ${APACHE_LOG_DIR}/accounts.e-karton.net-access.log combined
>
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
>
> ...SSL stuff omitted
>
> BrowserMatch "MSIE [2-6]" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> # MSIE 7 and newer should be able to use keepalive
> BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
>
> SetOutputFilter DEFLATE
> SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary
> SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary
> SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary
> SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary
> SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
>
> BrowserMatch ^Mozilla/4 gzip-only-text/html
> BrowserMatch ^Mozilla/4\.0[678] no-gzip
> BrowserMatch \bMSIE !no-gzip !gzip-only-text/htmles
>
> # Turn off support for true Proxy behaviour as we are acting as
> # a transparent proxy
> ProxyRequests Off
>
> # Turn off VIA header as we know where the requests are proxied
> ProxyVia Off
> ProxyPreserveHost On
> RequestHeader set X-Forwarded-Proto "https"
> SSLProxyEngine on
>
> AddDefaultCharset Off
> Order deny,allow
> Allow from all
>
> ProxyPass / ajp://192.168.5.17:8009/
> ProxyPassReverse / ajp://192.168.5.17:8009/
>
> Wildfly configuration:
>
> socket-binding="http" proxy-address-forwarding="true"/>
>
> default-web-module="auth-server.war"/>
>
> header-value="WildFly/8"/>
> header-value="Undertow/1"/>
>
> Keycloak jboss-web.xml
>
> http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd ">
>
> /
> accounts
>
> Can anyone help me with this?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Wed Jan 21 01:19:32 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 21 Jan 2015 01:19:32 -0500 (EST)
Subject: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for admin console
In-Reply-To:
References:
Message-ID: <603324194.14280582.1421821172810.JavaMail.zimbra@redhat.com>

http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#ssl_modes

----- Original Message -----
> From: "Hernan Dario Metaute Sarmiento"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 20 January, 2015 4:57:14 PM
> Subject: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for admin
> console
>
> Hi, I'm new to keycloak and I recently installed the war distribution on my
> local machine.
> For this I had to tweak some configurations on wildfly and when I finally got
> it working I zipped the server and copied it to an amazon instance. I logged
> in to the console and fired up the server with standalone.
> Then I accessed http://:8080/auth and clicked the Admin
> console link.
> The server then threw an exception:
>
>
> We're sorry ...
>
>
> HTTPS required
> On my local machine I never set up https and I have been looking through the
> configuration files both of keycloak and the standalone.xml and see no
> configuration regarding ssl anywhere.
> The only difference between both installations is that I have the amazon
> instance pointing to an empty Mongo repo and my local config has a mongo
> connection to other server already populated with keycloak collections.
> Could this be the problem?
> Should I migrate the local mongo database to my amazon instance for keycloak
> admin console to stop needing ssl?
> Thanks in advance
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Wed Jan 21 01:21:38 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 21 Jan 2015 01:21:38 -0500 (EST)
Subject: [keycloak-user] Delegated SAML authentication?
In-Reply-To:
References:
Message-ID: <1722639053.14281013.1421821298804.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Guy Davis"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 21 January, 2015 6:08:50 AM
> Subject: [keycloak-user] Delegated SAML authentication?
>
> Good day,
>
> With the upcoming Keycloak 1.10, I see SAML support has been added to
> KeyCloak. Will it be possible to have Keycloak delegate to another IDP such
> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default
> for our JBoss deployments, but in certain cases, customers are asking for
> integration with the MS Azure cloud authentication mechanisms.

It won't work for 1.1.0. We're working on that (identity brokering) for 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML IdP's.

>
> Thanks in advance,
> Guy
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jorgemoralespou at gmail.com Wed Jan 21 04:43:52 2015
From: jorgemoralespou at gmail.com (Jorge Morales Pou)
Date: Wed, 21 Jan 2015 10:43:52 +0100
Subject: [keycloak-user] Keycloak server securing wildfly in docker containers
Message-ID:

Hi,
I have a scenario for Keycloak that I'm not able to solve in an easy way, so any help will be more than appreciated.

In apiman (http://www.apiman.io) we are using Keycloak for securing the apiman rest endpoints.
We are in the process of creating some demos with docker and for that one of the demos is having keycloak as a separate server to which the wildfly instances holding the apiman rest endpoint will redirect for authentication.
So far, I've configured in this wildfly instances the auth-server-url to be the keycloakserver. Internal communication to this server is resolved by name, as it is docker links providing the accessibility, but this is an "internal ip to docker".
The problem comes when I try to log into the secured resource, and I get a redirection to this "internal" ip, which my browser can not access, so I get an error.

Is there a way to:

a) Use a different URL for browser redirection as for internal redirection?
b) Use a different redirection strategy?
c) do it in any other way?

Thanks for any help you can provide on this.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150121/8f13d391/attachment.html

From stian at redhat.com Wed Jan 21 06:23:52 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 21 Jan 2015 06:23:52 -0500 (EST)
Subject: [keycloak-user] Keycloak server securing wildfly in docker containers
In-Reply-To:
References:
Message-ID: <952579019.14391817.1421839432659.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Jorge Morales Pou"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 21 January, 2015 10:43:52 AM
> Subject: [keycloak-user] Keycloak server securing wildfly in docker containers
>
> Hi,
> I have a scenario for Keycloak that I'm not able to solve in an easy way, so
> any help will be more than appreciated.
>
> In apiman ( http://www.apiman.io ) we are using Keycloak for securing the
> apiman rest endpoints.
We are in the process of creating some demos with
> docker and for that one of the demos is having keycloak as a separate server
> to which the wildfly instances holding the apiman rest endpoint will
> redirect for authentication.
> So far, I've configured in this wildfly instances the auth-server-url to be
> the keycloakserver. Internal communication to this server is resolved by
> name, as it is docker links providing the accessibility, but this is an
> "internal ip to docker"
> The problem comes when I try to log into the secured resource, and I get a
> redirection to this "internal" ip, which my browser can not access, so I get
> an error.
>
> Is there a way to:
>
> a) Use a different URL for browser redirection as for internal redirection?
> b) Use a different redirection strategy?
> c) do it in any other way?

I'm currently looking into a solution to this, exactly how it'll work I haven't figured out yet. Should have something more concrete in a few weeks. Is this urgent for you or can it wait?

If you have any suggestions please let me know.

>
> Thanks for any help you can provide on this.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jorgemoralespou at gmail.com Wed Jan 21 06:47:32 2015
From: jorgemoralespou at gmail.com (Jorge Morales Pou)
Date: Wed, 21 Jan 2015 12:47:32 +0100
Subject: [keycloak-user] Keycloak server securing wildfly in docker containers
In-Reply-To: <952579019.14391817.1421839432659.JavaMail.zimbra@redhat.com>
References: <952579019.14391817.1421839432659.JavaMail.zimbra@redhat.com>
Message-ID:

Hi,
So far, for the sake of the demo, I have configured all the involved containers to have net: "host" so they share the same ip, and configured also a port offset for the keycloak server. This way, localhost maps to both containers (apiman and keycloak).
This is not a solution, but at least a workaround for now, and I think a solution should come from Keycloak.

Also, I noticed that if I have the keycloak server running on a docker container on port 8080 and I have it mapped externally to port 8081 then same problem arises. This could be tested with the official keycloak docker images available at http://jboss.org/docker with the following command (*if they worked*):

docker run -it --rm -p 8081:8080 -p 9090:9090 jboss/keycloak-examples

2015-01-21 12:23 GMT+01:00 Stian Thorgersen :

>
>
> ----- Original Message -----
> > From: "Jorge Morales Pou"
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 21 January, 2015 10:43:52 AM
> > Subject: [keycloak-user] Keycloak server securing wildfly in docker
> containers
> >
> > Hi,
> > I have a scenario for Keycloak that I'm not able to solve in an easy
> way, so
> > any help will be more than appreciated.
> >
> > In apiman ( http://www.apiman.io ) we are using Keycloak for securing
> the
> > apiman rest endpoints. We are in the process of creating some demos with
> > docker and for that one of the demos is having keycloak as a separate
> server
> > to which the wildfly instances holding the apiman rest endpoint will
> > redirect for authentication.
> > So far, I've configured in this wildfly instances the auth-server-url to
> be
> > the keycloakserver. Internal communication to this server is resolved by
> > name, as it is docker links providing the accessibility, but this is an
> > "internal ip to docker"
> > The problem comes when I try to log into the secured resource, and I get
> a
> > redirection to this "internal" ip, which my browser can not access, so I
> get
> > an error.
> >
> > Is there a way to:
> >
> > a) Use a different URL for browser redirection as for internal
> redirection?
> > b) Use a different redirection strategy?
> > c) do it in any other way?
>
> I'm currently looking into a solution to this, exactly how it'll work I
> haven't figured out yet.
Should have something more concrete in a few
> weeks. Is this urgent for you or can it wait?
>
> If you have any suggestions please let me know.
>
> >
> > Thanks for any help you can provide on this.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150121/63540a56/attachment.html

From hernan.metaute at ceiba.com.co Wed Jan 21 07:38:00 2015
From: hernan.metaute at ceiba.com.co (Hernan Dario Metaute Sarmiento)
Date: Wed, 21 Jan 2015 07:38:00 -0500
Subject: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for admin console
In-Reply-To: <603324194.14280582.1421821172810.JavaMail.zimbra@redhat.com>
References: <603324194.14280582.1421821172810.JavaMail.zimbra@redhat.com>
Message-ID:

Well yes, I'm aware of the documentation on how to implement ssl on keycloak. In fact, I already did. I had to in order to keep working
My question is regarding why the server in my local environment without ssl runs correctly but as soon as I installed on an Amazon instance started to show the HTTPS REQUIRED error when trying to access the master domain.

2015-01-21 1:19 GMT-05:00 Stian Thorgersen :

>
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#ssl_modes
>
> ----- Original Message -----
> > From: "Hernan Dario Metaute Sarmiento"
> > To: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 20 January, 2015 4:57:14 PM
> > Subject: [keycloak-user] pre configured keycloak on wildfly with war
> distribution suddenly requesting https for admin
> > console
> >
> > Hi, I'm new to keycloak and I recently installed the war distribution on
> my
> > local machine.
> > For this I had to tweak some configurations on wildfly and when I
> finally got
> > it working I zipped the server and copied it to an amazon instance. I
> logged
> > in to the console and fired up the server with standalone.
> > Then I accessed http://:8080/auth and clicked the
> Admin
> > console link.
> > The server then threw an exception:
> >
> >
> > We're sorry ...
> >
> >
> > HTTPS required
> > On my local machine I never set up https and I have been looking through
> the
> > configuration files both of keycloak and the standalone.xml and see no
> > configuration regarding ssl anywhere.
> > The only difference between both installations is that I have the amazon
> > instance pointing to an empty Mongo repo and my local config has a mongo
> > connection to other server already populated with keycloak collections.
> > Could this be the problem?
> > Should I migrate the local mongo database to my amazon instance for
> keycloak
> > admin console to stop needing ssl?
> > Thanks in advance
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--

*Hernán Metaute*
Architect

*Ceiba Software *(57 4) 444 5 111 Ext 110
Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco - Medellín, Colombia
Visit our site www.ceiba.co
________________________________________
This message, including its attachment, is confidential and may be privileged. If you are not the intended recipient, please notify the sender, then destroy the communication and all copies. You must not copy, distribute and/or disclose this communication in whole or in part without the sender's authorization.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150121/eda03c92/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 8377 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150121/eda03c92/attachment-0001.png

From stian at redhat.com Wed Jan 21 07:42:44 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 21 Jan 2015 07:42:44 -0500 (EST)
Subject: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for admin console
In-Reply-To:
References: <603324194.14280582.1421821172810.JavaMail.zimbra@redhat.com>
Message-ID: <464215154.14418342.1421844164185.JavaMail.zimbra@redhat.com>

The section I linked to doesn't mention how to setup SSL. Please read section "3.3.4. SSL/HTTPS Requirement/Modes" it clearly answers your question.

----- Original Message -----
> From: "Hernan Dario Metaute Sarmiento"
> To: "Stian Thorgersen"
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 21 January, 2015 1:38:00 PM
> Subject: Re: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for
> admin console
>
> Well yes, I'm aware of the documentation on how to implement ssl on
> keycloak. In fact, I already did. I had to in order to keep working
> My question is regarding why the server in my local environment without ssl
> runs correctly but as soon as I installed on an Amazon instance started to
> show the HTTPS REQUIRED error when trying to access the master domain.
>
> 2015-01-21 1:19 GMT-05:00 Stian Thorgersen :
>
> >
> > http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#ssl_modes
> >
> > ----- Original Message -----
> > > From: "Hernan Dario Metaute Sarmiento"
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, 20 January, 2015 4:57:14 PM
> > > Subject: [keycloak-user] pre configured keycloak on wildfly with war
> > distribution suddenly requesting https for admin
> > > console
> > >
> > > Hi, I'm new to keycloak and I recently installed the war distribution on
> > my
> > > local machine.
> > > For this I had to tweak some configurations on wildfly and when I
> > finally got
> > > it working I zipped the server and copied it to an amazon instance. I
> > logged
> > > in to the console and fired up the server with standalone.
> > > Then I accessed http://:8080/auth and clicked the
> > Admin
> > > console link.
> > > The server then threw an exception:
> > >
> > >
> > > We're sorry ...
> > >
> > >
> > > HTTPS required
> > > On my local machine I never set up https and I have been looking through
> > the
> > > configuration files both of keycloak and the standalone.xml and see no
> > > configuration regarding ssl anywhere.
> > > The only difference between both installations is that I have the amazon
> > > instance pointing to an empty Mongo repo and my local config has a mongo
> > > connection to other server already populated with keycloak collections.
> > > Could this be the problem?
> > > Should I migrate the local mongo database to my amazon instance for
> > keycloak
> > > admin console to stop needing ssl?
> > > Thanks in advance
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
>
> --
>
> *Hernán Metaute*
> Architect
>
> *Ceiba Software *(57 4) 444 5 111 Ext 110
> Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco - Medellín, Colombia
> Visit our site www.ceiba.co
> ________________________________________
> This message, including its attachment, is confidential and may be
> privileged. If you are not the intended recipient, please notify the
> sender, then destroy the communication and all copies. You must not
> copy, distribute and/or disclose this communication in whole or in part without
> the sender's authorization.
>

From alexander.chriztopher at gmail.com Wed Jan 21 08:38:35 2015
From: alexander.chriztopher at gmail.com (Alexander Chriztopher)
Date: Wed, 21 Jan 2015 14:38:35 +0100
Subject: [keycloak-user] Dev server weird error
Message-ID:

Hi Guys,

Here and then we are getting this error on a server that used to work nicely and without any apparent reason :

14:33:58,380 ERROR [io.undertow.request] [handleFirstRequest] (default task-2) UT005022: Exception generating error page /error.cv: java.lang.RuntimeException: java.lang.RuntimeException: Unable to resolve realm public key remotely, status = 500
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11] Caused by: java.lang.RuntimeException: Unable to resolve realm public key remotely, status = 500 at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:107) [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:82) [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1] at org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:61) [keycloak-undertow-adapter-1.1.0.Beta1.jar:1.1.0.Beta1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] at 
io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
This happens on dev servers and we don't know what is causing this as it happens very rarely and the only workout found till now is to restart with a fresh install. We are using Wildfly with keycloak war. Thanks for any help.
From hernan.metaute at ceiba.com.co Wed Jan 21 09:00:01 2015 From: hernan.metaute at ceiba.com.co (Hernan Dario Metaute Sarmiento) Date: Wed, 21 Jan 2015 09:00:01 -0500 Subject: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for admin console In-Reply-To: <464215154.14418342.1421844164185.JavaMail.zimbra@redhat.com> References: <603324194.14280582.1421821172810.JavaMail.zimbra@redhat.com> <464215154.14418342.1421844164185.JavaMail.zimbra@redhat.com> Message-ID:
Oh okay. Sorry. The section looked exactly the same as the tutorial's section for setting up SSL. I'll have a look and thanks for your time
2015-01-21 7:42 GMT-05:00 Stian Thorgersen : > The section I linked to doesn't mention how to setup SSL. Please read > section "3.3.4. SSL/HTTPS Requirement/Modes" it clearly answers your > question. > > ----- Original Message ----- > > From: "Hernan Dario Metaute Sarmiento" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Wednesday, 21 January, 2015 1:38:00 PM > > Subject: Re: [keycloak-user] pre configured keycloak on wildfly with war distribution suddenly requesting https for admin console > > > > Well yes, I'm aware of the documentation on how to implement ssl on > > keycloak. In fact, I already did.
I had to in order to keep working > > My question is regarding why the server in my local environment without > ssl > > runs correctly but as soon as I installed on an Amazon instance started > to > > show the HTTPS REQUIRED error when trying to access the master domain. > > > > 2015-01-21 1:19 GMT-05:00 Stian Thorgersen : > > > > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Beta2/userguide/html/server-installation.html#ssl_modes > > > > > > ----- Original Message ----- > > > > From: "Hernan Dario Metaute Sarmiento" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Tuesday, 20 January, 2015 4:57:14 PM > > > > Subject: [keycloak-user] pre configured keycloak on wildfly with war > > > distribution suddenly requesting https for admin > > > > console > > > > > > > > Hi, I'm new to keycloak and I recently installed the war > distribution on > > > my > > > > local machine. > > > > For this I had to tweak some configurations on wildfly and when I > > > finally got > > > > it working I zipped the server and copied it to an amazon instance. I > > > logged > > > > in to the console and fired up the server with standalone. > > > > Then I accessed http://:8080/auth and clicked > the > > > Admin > > > > console link. > > > > The server then threw an exception: > > > > > > > > > > > > We're sorry ... > > > > > > > > > > > > HTTPS required > > > > On my local machine I never set up https and I have been looking > through > > > the > > > > configuration files both of keycloak and the standalone.xml and see > no > > > > configuration regarding ssl anywere. > > > > The only difference between both installations is that I have the > amazon > > > > instance pointing to an empty Mongo repo and my local config has a > mongo > > > > connection to other server already populated with keycloak > collections. > > > > Could this be the problem? > > > > Should I migrate the local mongo database to my amazon instance for > > > keycloak > > > > admin console to stop needing ssl? 
> > > > Thanks in advance
-- *Hernán Metaute* Architect *Ceiba Software* (57 4) 444 5 111 Ext 110 Cl 8 B 65 - 191 Of 409, Centro Empresarial Puertoseco - Medellín, Colombia Visit our site www.ceiba.co ________________________________________ This message, including its attachment, is confidential and may be privileged. If you are not its intended recipient, please notify the sender, then destroy the communication and all copies. You must not copy, distribute and/or disclose this communication, in whole or in part, without the sender's authorization.
From bburke at redhat.com Wed Jan 21 09:45:36 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 21 Jan 2015 09:45:36 -0500 Subject: [keycloak-user] Delegated SAML authentication?
In-Reply-To: <1722639053.14281013.1421821298804.JavaMail.zimbra@redhat.com> References: <1722639053.14281013.1421821298804.JavaMail.zimbra@redhat.com> Message-ID: <54BFBB90.1030800@redhat.com> Pedro has it working in master. Won't be release until like March though probably. On 1/21/2015 1:21 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Guy Davis" >> To: keycloak-user at lists.jboss.org >> Sent: Wednesday, 21 January, 2015 6:08:50 AM >> Subject: [keycloak-user] Delegated SAML authentication? >> >> Good day, >> >> With the upcoming Keycloak 1.10, I see SAML support has been added to >> KeyCloak. Will it be possible to have Keycloak delegate to another IDP such >> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default >> for our JBoss deployments, but in certain cases, customers are asking for >> integration with the MS Azure cloud authentication mechanisms. > > It won't work for 1.1.0. We're working on that (identity brokering) for 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML IdP's. > >> >> Thanks in advance, >> Guy >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Wed Jan 21 11:06:47 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 21 Jan 2015 17:06:47 +0100 Subject: [keycloak-user] Dev server weird error In-Reply-To: References: Message-ID: <54BFCE97.9000401@redhat.com> Hi, another possible workaround is to add realm public key directly to configuration of your adapter. In that case it doesn't need to be downloaded remotely from Keycloak. 
Something like this: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/WEB-INF/keycloak.json#L4 You can also try to update to newest 1.1.0.Beta2, which has some additional fixes (or wait for 1.1.0.Final which is going to be released quite soon). Also are there any other errors in server log? Since it returns "status 500" from keycloak server, I would suspect there will be some error in keycloak server log too? Marek On 21.1.2015 14:38, Alexander Chriztopher wrote: > Hi Guys, > > Here and then we are getting this error on a server that used to work > nicely and without any apparent reason : > > 14:33:58,380 ERROR [io.undertow.request] [handleFirstRequest] (default > task-2) UT005022: Exception generating error page /error.cv > : java.lang.RuntimeException: > java.lang.RuntimeException: Unable to resolve realm public key > remotely, status = 500 > at > io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > 
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0_11] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0_11] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11] > Caused by: java.lang.RuntimeException: Unable to resolve realm public > key remotely, status = 500 > at > org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:107) > [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1] > at > org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:82) > [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1] > at > org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:61) > [keycloak-undertow-adapter-1.1.0.Beta1.jar:1.1.0.Beta1] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > > This happens on dev servers and we don't know what is causing this as > it happens very rarely and the only workout found till now is to > restart with a fresh install. > > We are using Wildfly with keycloak war. > > Thanks for any help. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150121/536a9c75/attachment.html From prabhalar at yahoo.com Wed Jan 21 12:05:30 2015 From: prabhalar at yahoo.com (Raghuram Prabhala) Date: Wed, 21 Jan 2015 12:05:30 -0500 Subject: [keycloak-user] Delegated SAML authentication? In-Reply-To: <54BFBB90.1030800@redhat.com> References: <1722639053.14281013.1421821298804.JavaMail.zimbra@redhat.com> <54BFBB90.1030800@redhat.com> Message-ID: <927D4D67-9ECA-4C0E-9539-B52872A8C64D@yahoo.com> Bill - identity brokering is something that we need today. Is it possible to release an alpha or beta version of that functionality earlier than March so that we can start integration work now? Unfortunately we can't build from source and look for binaries from you. Thanks Raghu Sent from my iPhone > On Jan 21, 2015, at 9:45 AM, Bill Burke wrote: > > Pedro has it working in master. Won't be release until like March > though probably. > >> On 1/21/2015 1:21 AM, Stian Thorgersen wrote: >> >> >> ----- Original Message ----- >>> From: "Guy Davis" >>> To: keycloak-user at lists.jboss.org >>> Sent: Wednesday, 21 January, 2015 6:08:50 AM >>> Subject: [keycloak-user] Delegated SAML authentication? >>> >>> Good day, >>> >>> With the upcoming Keycloak 1.10, I see SAML support has been added to >>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP such >>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default >>> for our JBoss deployments, but in certain cases, customers are asking for >>> integration with the MS Azure cloud authentication mechanisms. >> >> It won't work for 1.1.0. 
We're working on that (identity brokering) for 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML IdP's. >> >>> >>> Thanks in advance, >>> Guy > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com
From markoradinovic79 at gmail.com Wed Jan 21 17:58:37 2015 From: markoradinovic79 at gmail.com (Marko Radinovic) Date: Wed, 21 Jan 2015 23:58:37 +0100 Subject: [keycloak-user] Always redirected to login form In-Reply-To: <20505931.14280468.1421821077173.JavaMail.zimbra@redhat.com> References: <8BE8F78F-B8C8-4EAC-B658-41E9BA690464@gmail.com> <20505931.14280468.1421821077173.JavaMail.zimbra@redhat.com> Message-ID:
Hi, I tried without proxy server, but it's not working. When I navigate to admin console http://accounts.e-karton.net:8081/admin/maste/console I'm redirected to http://accounts.e-karton.net:8081//realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Faccounts.e-karton.net%3A8081%2Fadmin%2Fmaster%2Fconsole%2F&state=1e8dc6f1-b49f-4cce-8cc4-59233caafbb2&response_type=code Redirect url is invalid because of appended "/".
Now I'm getting this in log:
2015-01-21 15:07:32,193 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-63) failed to execute: javax.ws.rs.NotFoundException: Could not find resource for full path: http://accounts.e-karton.net:8081//realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Faccounts.e-karton.net%3A8081%2Fadmin%2Fmaster%2Fconsole%2F&state=1e8dc6f1-b49f-4cce-8cc4-59233caafbb2&response_type=code
The same thing is happening when using proxy server, but there is nothing in log file. How can I prevent this? Thank you.
> On Jan 21, 2015, at 7:17 AM, Stian Thorgersen wrote: > > Does it work if you bypass the proxy? > > ----- Original Message ----- >> From: "Marko Radinovic" >> To: keycloak-user at lists.jboss.org >> Sent: Tuesday, 20 January, 2015 8:17:41 PM >> Subject: [keycloak-user] Always redirected to login form >> >> Hi, >> When I try to login to master realm, I am redirected back to login page. >> >> I'm using: >> Wildfly 8.2.0.Final >> Keycloak version 1.1.0-Beta2 >> Apache2 as proxy server.
>> >> Here is my apache configuration >> >> IfModule mod_ssl.c> >> >> ServerName accounts.e-karton.net >> >> ErrorLog ${APACHE_LOG_DIR}/ accounts.e-karton.net -error.log >> CustomLog ${APACHE_LOG_DIR}/ accounts.e-karton.net -access.log combined >> >> SSLEngine on >> SSLProtocol all -SSLv2 >> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM >> >> ?SSL stuff omitted >> >> >> BrowserMatch "MSIE [2-6]" \ >> nokeepalive ssl-unclean-shutdown \ >> downgrade-1.0 force-response-1.0 >> # MSIE 7 and newer should be able to use keepalive >> BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown >> >> >> SetOutputFilter DEFLATE >> SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary >> SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary >> SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary >> SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary >> SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary >> >> BrowserMatch ^Mozilla/4 gzip-only-text/html >> BrowserMatch ^Mozilla/4\.0[678] no-gzip >> BrowserMatch \bMSIE !no-gzip !gzip-only-text/htmles >> >> # Turn off support for true Proxy behaviour as we are acting as >> # a transparent proxy >> ProxyRequests Off >> >> # Turn off VIA header as we know where the requests are proxied >> ProxyVia Off >> ProxyPreserveHost On >> RequestHeader set X-Forwarded-Proto "https" >> SSLProxyEngine on >> >> AddDefaultCharset Off >> Order deny,allow >> Allow from all >> >> >> >> ProxyPass / ajp://192.168.5.17:8009/ >> ProxyPassReverse / ajp://192.168.5.17:8009/ >> >> >> >> >> Wildfly configuration: >> >> >> >> >> >> > socket-binding="http" proxy-address-forwarding="true"/> >> >> >> >> >> >> > default-web-module="auth-server.war"/> >> >> >> >> >> >> >> >> >> >> > header-value="WildFly/8"/> >> > header-value="Undertow/1"/> >> >> >> >> Keycloak jboss-web.xml >> >> >> > http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd "> >> >> / >> accounts >> >> >> Can 
anyone help me with this?
From guydavis.ca at gmail.com Wed Jan 21 21:45:55 2015 From: guydavis.ca at gmail.com (Guy Davis) Date: Wed, 21 Jan 2015 19:45:55 -0700 Subject: [keycloak-user] Delegated SAML authentication? In-Reply-To: <1722639053.14281013.1421821298804.JavaMail.zimbra@redhat.com> References: <1722639053.14281013.1421821298804.JavaMail.zimbra@redhat.com> Message-ID:
Good to know. I'm looking forward to trying out Pedro's commit, particularly the SAML integration with other IDPs. I'll try to build master and start asking questions on the developer's list.
On Tue, Jan 20, 2015 at 11:21 PM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Guy Davis" > > To: keycloak-user at lists.jboss.org > > Sent: Wednesday, 21 January, 2015 6:08:50 AM > > Subject: [keycloak-user] Delegated SAML authentication? > > > > Good day, > > > > With the upcoming Keycloak 1.10, I see SAML support has been added to > > KeyCloak. Will it be possible to have Keycloak delegate to another IDP such > > as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default > > for our JBoss deployments, but in certain cases, customers are asking for > > integration with the MS Azure cloud authentication mechanisms. > > It won't work for 1.1.0. We're working on that (identity brokering) for > 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML > IdP's.
> > > > > Thanks in advance, > > Guy > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150121/c2332860/attachment.html From stian at redhat.com Thu Jan 22 02:24:56 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 22 Jan 2015 02:24:56 -0500 (EST) Subject: [keycloak-user] Delegated SAML authentication? In-Reply-To: <927D4D67-9ECA-4C0E-9539-B52872A8C64D@yahoo.com> References: <1722639053.14281013.1421821298804.JavaMail.zimbra@redhat.com> <54BFBB90.1030800@redhat.com> <927D4D67-9ECA-4C0E-9539-B52872A8C64D@yahoo.com> Message-ID: <1668477620.15029008.1421911496260.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Raghuram Prabhala" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Wednesday, January 21, 2015 6:05:30 PM > Subject: Re: [keycloak-user] Delegated SAML authentication? > > Bill - identity brokering is something that we need today. Is it possible to > release an alpha or beta version of that functionality earlier than March so > that we can start integration work now? Unfortunately we can't build from > source and look for binaries from you. Once we have 1.1.0.Final released, which is hopefully this or next week, we should be able to release something. > > Thanks > Raghu > > Sent from my iPhone > > > On Jan 21, 2015, at 9:45 AM, Bill Burke wrote: > > > > Pedro has it working in master. Won't be release until like March > > though probably. > > > >> On 1/21/2015 1:21 AM, Stian Thorgersen wrote: > >> > >> > >> ----- Original Message ----- > >>> From: "Guy Davis" > >>> To: keycloak-user at lists.jboss.org > >>> Sent: Wednesday, 21 January, 2015 6:08:50 AM > >>> Subject: [keycloak-user] Delegated SAML authentication? 
> >>> > >>> Good day, > >>> > >>> With the upcoming Keycloak 1.10, I see SAML support has been added to > >>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP such > >>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by default > >>> for our JBoss deployments, but in certain cases, customers are asking for > >>> integration with the MS Azure cloud authentication mechanisms. > >> > >> It won't work for 1.1.0. We're working on that (identity brokering) for > >> 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML > >> IdP's. > >> > >>> > >>> Thanks in advance, > >>> Guy > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com
From prabhalar at yahoo.com Thu Jan 22 08:22:51 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Thu, 22 Jan 2015 13:22:51 +0000 (UTC) Subject: [keycloak-user] Delegated SAML authentication? In-Reply-To: <1668477620.15029008.1421911496260.JavaMail.zimbra@redhat.com> References: <1668477620.15029008.1421911496260.JavaMail.zimbra@redhat.com> Message-ID: <1558123933.3025001.1421932971152.JavaMail.yahoo@jws10029.mail.ne1.yahoo.com>
That would be great. Thank you very much Stian.
Just to give you more background and provide you my wishlist for the short term.
1) Identity brokering that will help us authenticate against diff stores. One of them would be Kerberos (SPNEGO).
2) Customization of claims in both SAML as well OpenID Connect responses for each application (client) -similar to what ADFS provides today for SAML. It provides a GUI to choose the store as well as the attributes for each relying party and also to map those attribute names to different values (cn can be mapped to "Name" for one client and "Full Name" for another) which will be reflected in the claims sent to the relying party.
3) OpenID Connect Interop (Today some of the endpoints do not fully adhere to the Spec)
I believe you have all the above requests in your queue for 1.2 release or later but would appreciate if you can squeeze them in the next cycle of binaries.
Regards, Raghu
From: Stian Thorgersen To: Raghuram Prabhala Cc: Bill Burke ; keycloak-user at lists.jboss.org Sent: Thursday, January 22, 2015 2:24 AM Subject: Re: [keycloak-user] Delegated SAML authentication?
----- Original Message ----- > From: "Raghuram Prabhala" > To: "Bill Burke" > Cc: keycloak-user at lists.jboss.org > Sent: Wednesday, January 21, 2015 6:05:30 PM > Subject: Re: [keycloak-user] Delegated SAML authentication? > > Bill - identity brokering is something that we need today. Is it possible to > release an alpha or beta version of that functionality earlier than March so > that we can start integration work now? Unfortunately we can't build from > source and look for binaries from you. Once we have 1.1.0.Final released, which is hopefully this or next week, we should be able to release something. > > Thanks > Raghu > > Sent from my iPhone > > > On Jan 21, 2015, at 9:45 AM, Bill Burke wrote: > > > > Pedro has it working in master. Won't be release until like March > > though probably.
> > > >> On 1/21/2015 1:21 AM, Stian Thorgersen wrote: > >> > >> > >> ----- Original Message ----- > >>> From: "Guy Davis" > >>> To: keycloak-user at lists.jboss.org > >>> Sent: Wednesday, 21 January, 2015 6:08:50 AM > >>> Subject: [keycloak-user] Delegated SAML authentication? > >>> > >>> Good day, > >>> > >>> With the upcoming Keycloak 1.10, I see SAML support has been added to > >>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP > >>> such > >>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by > >>> default > >>> for our JBoss deployments, but in certain cases, customers are asking for > >>> integration with the MS Azure cloud authentication mechanisms. > >> > >> It won't work for 1.1.0. We're working on that (identity brokering) for > >> 1.2.0 where you'll be able to delegate to external OpenID Connect or SAML > >> IdP's. > >> > >>> > >>> Thanks in advance, > >>> Guy > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150122/b69cc1bd/attachment.html
From stian at redhat.com Thu Jan 22 09:05:27 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 22 Jan 2015 09:05:27 -0500 (EST) Subject: [keycloak-user] Delegated SAML authentication? In-Reply-To: <1558123933.3025001.1421932971152.JavaMail.yahoo@jws10029.mail.ne1.yahoo.com> References: <1668477620.15029008.1421911496260.JavaMail.zimbra@redhat.com> <1558123933.3025001.1421932971152.JavaMail.yahoo@jws10029.mail.ne1.yahoo.com> Message-ID: <625952535.15215683.1421935527412.JavaMail.zimbra@redhat.com>
----- Original Message ----- > From: "Raghu Prabhala" > To: "Stian Thorgersen" > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > Sent: Thursday, January 22, 2015 2:22:51 PM > Subject: Re: [keycloak-user] Delegated SAML authentication? > > That would be great. Thank you very much Stian. Just to give you more > background and provide you my wishlist for the short term. 1) Identity > brokering that will help us authenticate against diff stores. One of them > would be Kerberos (SPNEGO). 2) Customization of claims in both SAML as well > OpenID Connect responses for each application (client) -similar to what ADFS > provides today for SAML. It provides a GUI to choose the store as well as > the attributes for each relying party and also to map those attribute names > to different values (cn can be mapped to "Name" for one client and "Full > Name" for another) which will be reflected in the claims sent to the relying > party. 3) OpenID Connect Interop (Today some of the endpoints do not fully > adhere to the Spec) > I believe you have all the above requests in your queue for 1.2 release or > later but would appreciate if you can squeeze them in the next cycle of > binaries.
All of those are scheduled for the not so distant future, but I can't guarantee they'll all be included in 1.2.
> Regards,Raghu From: Stian Thorgersen > To: Raghuram Prabhala > Cc: Bill Burke ; keycloak-user at lists.jboss.org > Sent: Thursday, January 22, 2015 2:24 AM > Subject: Re: [keycloak-user] Delegated SAML authentication? > > > > ----- Original Message ----- > > From: "Raghuram Prabhala" > > To: "Bill Burke" > > Cc: keycloak-user at lists.jboss.org > > Sent: Wednesday, January 21, 2015 6:05:30 PM > > Subject: Re: [keycloak-user] Delegated SAML authentication? > > > > Bill - identity brokering is something that we need today. Is it possible > > to > > release an alpha or beta version of that functionality earlier than March > > so > > that we can start integration work now? Unfortunately we can't build from > > source and look for binaries from you. > > Once we have 1.1.0.Final released, which is hopefully this or next week, we > should be able to release something. > > > > > Thanks > > Raghu > > > > Sent from my iPhone > > > > > On Jan 21, 2015, at 9:45 AM, Bill Burke wrote: > > > > > > Pedro has it working in master.? Won't be release until like March > > > though probably. > > > > > >> On 1/21/2015 1:21 AM, Stian Thorgersen wrote: > > >> > > >> > > >> ----- Original Message ----- > > >>> From: "Guy Davis" > > >>> To: keycloak-user at lists.jboss.org > > >>> Sent: Wednesday, 21 January, 2015 6:08:50 AM > > >>> Subject: [keycloak-user] Delegated SAML authentication? > > >>> > > >>> Good day, > > >>> > > >>> With the upcoming Keycloak 1.10, I see SAML support has been added to > > >>> KeyCloak. Will it be possible to have Keycloak delegate to another IDP > > >>> such > > >>> as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by > > >>> default > > >>> for our JBoss deployments, but in certain cases, customers are asking > > >>> for > > >>> integration with the MS Azure cloud authentication mechanisms. > > >> > > >> It won't work for 1.1.0. 
We're working on that (identity brokering) for > > >> 1.2.0 where you'll be able to delegate to external OpenID Connect or > > >> SAML > > >> IdP's. > > >> > > >>> > > >>> Thanks in advance, > > >>> Guy > > >>> > > >>> _______________________________________________ > > >>> keycloak-user mailing list > > >>> keycloak-user at lists.jboss.org > > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From alexander.chriztopher at gmail.com Thu Jan 22 12:00:08 2015 From: alexander.chriztopher at gmail.com (Alexander Chriztopher) Date: Thu, 22 Jan 2015 18:00:08 +0100 Subject: [keycloak-user] Dev server weird error In-Reply-To: <54BFCE97.9000401@redhat.com> References: <54BFCE97.9000401@redhat.com> Message-ID: thanks Marek, it was coming from my provider jar depending on another jar that has a bean.xml in it. don't know why but when i take off the bean.xml everything works fine and when i put it back -used to load some CDI stuff at runtime- it does not work anymore .. thanks anyway we have decided to do things slightly differently. On Wed, Jan 21, 2015 at 5:06 PM, Marek Posolda wrote: > Hi, > > another possible workaround is to add realm public key directly to > configuration of your adapter. In that case it doesn't need to be > downloaded remotely from Keycloak. 
Something like this: > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app/src/main/webapp/WEB-INF/keycloak.json#L4 > > You can also try to update to newest 1.1.0.Beta2, which has some > additional fixes (or wait for 1.1.0.Final which is going to be released > quite soon). > > Also are there any other errors in server log? Since it returns "status > 500" from keycloak server, I would suspect there will be some error in > keycloak server log too? > > Marek > > > On 21.1.2015 14:38, Alexander Chriztopher wrote: > > Hi Guys, > > Here and then we are getting this error on a server that used to work > nicely and without any apparent reason : > > 14:33:58,380 ERROR [io.undertow.request] [handleFirstRequest] (default > task-2) UT005022: Exception generating error page /error.cv: > java.lang.RuntimeException: java.lang.RuntimeException: Unable to resolve > realm public key remotely, status = 500 > at > io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > 
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0_11] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0_11] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11] > Caused by: java.lang.RuntimeException: Unable to resolve realm public key > remotely, status = 500 > at > org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:107) > [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1] > at > org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:82) > [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1] > at > org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:61) > [keycloak-undertow-adapter-1.1.0.Beta1.jar:1.1.0.Beta1] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) > [undertow-core-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > at > io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) > [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] > > This happens on dev servers and we don't know what is causing this as it > happens very rarely and the only workout found till now is to restart with > a fresh install. > > We are using Wildfly with keycloak war. > > Thanks for any help. 
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150122/2f1b6c2f/attachment.html

From markoradinovic79 at gmail.com Thu Jan 22 21:39:40 2015
From: markoradinovic79 at gmail.com (Marko Radinovic)
Date: Fri, 23 Jan 2015 03:39:40 +0100
Subject: [keycloak-user] Always redirected to login form
In-Reply-To:
References: <8BE8F78F-B8C8-4EAC-B658-41E9BA690464@gmail.com> <20505931.14280468.1421821077173.JavaMail.zimbra@redhat.com>
Message-ID:

Can anyone help me with this?
When I use virtualhost configuration it doesn't work, when I disable virtualhost everything is fine. I tried every possible combination that I can think of, but still isn't working.

Thanks

> On Jan 21, 2015, at 11:58 PM, Marko Radinovic wrote:
>
> Hi,
> I tried without proxy server, but it's not working.
>
> When I navigate to admin console
>
> http://accounts.e-karton.net:8081/admin/maste/console
>
> I'm redirected to
> http://accounts.e-karton.net:8081//realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Faccounts.e-karton.net%3A8081%2Fadmin%2Fmaster%2Fconsole%2F&state=1e8dc6f1-b49f-4cce-8cc4-59233caafbb2&response_type=code
>
> Redirect url is invalid because of appended "/".
> Now I'm getting this in log:
>
> 2015-01-21 15:07:32,193 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-63) failed to execute: javax.ws.rs.NotFoundException: Could not find resource for full path: http://accounts.e-karton.net:8081//realms/master/tokens/login?client_id=security-admin-console&redirect_uri=http%3A%2F%2Faccounts.e-karton.net%3A8081%2Fadmin%2Fmaster%2Fconsole%2F&state=1e8dc6f1-b49f-4cce-8cc4-59233caafbb2&response_type=code
>
> The same thing is happening when using proxy server, but there is nothing in log file.
>
> How can I prevent this?
>
> Thank you.
>
>> On Jan 21, 2015, at 7:17 AM, Stian Thorgersen wrote:
>>
>> Does it work if you bypass the proxy?
>>
>> ----- Original Message -----
>>> From: "Marko Radinovic"
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Tuesday, 20 January, 2015 8:17:41 PM
>>> Subject: [keycloak-user] Always redirected to login form
>>>
>>> Hi,
>>> When I try to login to master realm, I am redirected back to login page.
>>>
>>> I'm using:
>>> Wildfly 8.2.0.Final
>>> Keycloak version 1.1.0-Beta2
>>> Apache2 as proxy server.
>>> >>> Here is my apache configuration >>> >>> IfModule mod_ssl.c> >>> >>> ServerName accounts.e-karton.net >>> >>> ErrorLog ${APACHE_LOG_DIR}/ accounts.e-karton.net -error.log >>> CustomLog ${APACHE_LOG_DIR}/ accounts.e-karton.net -access.log combined >>> >>> SSLEngine on >>> SSLProtocol all -SSLv2 >>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM >>> >>> ?SSL stuff omitted >>> >>> >>> BrowserMatch "MSIE [2-6]" \ >>> nokeepalive ssl-unclean-shutdown \ >>> downgrade-1.0 force-response-1.0 >>> # MSIE 7 and newer should be able to use keepalive >>> BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown >>> >>> >>> SetOutputFilter DEFLATE >>> SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary >>> SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary >>> SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ \ no-gzip dont-vary >>> SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ \no-gzip dont-vary >>> SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary >>> >>> BrowserMatch ^Mozilla/4 gzip-only-text/html >>> BrowserMatch ^Mozilla/4\.0[678] no-gzip >>> BrowserMatch \bMSIE !no-gzip !gzip-only-text/htmles >>> >>> # Turn off support for true Proxy behaviour as we are acting as >>> # a transparent proxy >>> ProxyRequests Off >>> >>> # Turn off VIA header as we know where the requests are proxied >>> ProxyVia Off >>> ProxyPreserveHost On >>> RequestHeader set X-Forwarded-Proto "https" >>> SSLProxyEngine on >>> >>> AddDefaultCharset Off >>> Order deny,allow >>> Allow from all >>> >>> >>> >>> ProxyPass / ajp://192.168.5.17:8009/ >>> ProxyPassReverse / ajp://192.168.5.17:8009/ >>> >>> >>> >>> >>> Wildfly configuration: >>> >>> >>> >>> >>> >>> >> socket-binding="http" proxy-address-forwarding="true"/> >>> >>> >>> >>> >>> >>> >> default-web-module="auth-server.war"/> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >> header-value="WildFly/8"/> >>> >> header-value="Undertow/1"/> >>> >>> >>> >>> Keycloak jboss-web.xml >>> >>> >>> 
>> http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd ">
>>>
>>> /
>>> accounts
>>>
>>>
>>> Can anyone help me with this?
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> -------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150123/8539d6e4/attachment-0001.html

From panulab at gmail.com Fri Jan 23 05:35:12 2015
From: panulab at gmail.com (Pablo N)
Date: Fri, 23 Jan 2015 11:35:12 +0100
Subject: [keycloak-user] Keycloak Redirection when "invalid redirect_uri"
Message-ID:

Hello,

I would like to know if there is any way to redirect the user to the welcome page when User tries to access to an invalid redirect Uri and not leave the user in the Keycloak "invalid redirect_uri" screen.

Thank you very much for your help.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150123/4212f3ce/attachment.html

From stian at redhat.com Fri Jan 23 05:44:20 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 23 Jan 2015 05:44:20 -0500 (EST)
Subject: [keycloak-user] Keycloak Redirection when "invalid redirect_uri"
In-Reply-To:
References:
Message-ID: <345534820.15774172.1422009860786.JavaMail.zimbra@redhat.com>

No and that's not a good idea either. That error message should not be hidden from the user as it could be an attempt to hack the user's account. As long as you've correctly configured your application in Keycloak and no-one is trying to hack into the account that message shouldn't be displayed.
----- Original Message -----
> From: "Pablo N"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, January 23, 2015 11:35:12 AM
> Subject: [keycloak-user] Keycloak Redirection when "invalid redirect_uri"
>
>
>
> Hello,
>
>
>
> I would like to know if there is any way to redirect the user to the welcome
> page when User tries to access to an invalid redirect Uri and not leave the
> user in the Keycloak "invalid redirect_uri" screen.
>
>
>
> Thank you very much for your help.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From juraci at kroehling.de Fri Jan 23 13:01:38 2015
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Fri, 23 Jan 2015 19:01:38 +0100
Subject: [keycloak-user] Sending the user to the login page without the realm
Message-ID: <54C28C82.5090901@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

I think I've seen something similar here on the list, but I can't find the thread. So, I apologize in advance.

I'm doing the integration with an application that is multi tenant, so, before sending the user to Keycloak for the authentication, I present a screen to the user to select his realm on the single-page HTML5 application. This is obviously not optimal for several reasons :-)

I was then wondering if it would possible/desirable to have Keycloak to determine the realm of the user based on his login/email address. When doing the redirect to the single-page app, Keycloak would then also send, for instance, the URL for the application to load the keycloak.json file for that realm.

Is this something that would be worth pursuing?

- - Juca.
From prabhalar at yahoo.com Fri Jan 23 14:19:38 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Fri, 23 Jan 2015 14:19:38 -0500 Subject: [keycloak-user] Keycloak Clustering Issues In-Reply-To: <54BD2A82.7010307@redhat.com> References: <54BCE5F2.3030300@redhat.com> <711201839.1935217.1421670761731.JavaMail.yahoo@jws100141.mail.ne1.yahoo.com> <54BD2A82.7010307@redhat.com> Message-ID: <02F1DA92-3C7B-41DC-82FB-7D5BDC8D50A8@yahoo.com> Figured out the issue. Udp communication was not allowed. So switched to "tcp". Updated the Jira 979 with the settings for tcp. Please update your documentation so that it can benefit others Sent from my iPhone > On Jan 19, 2015, at 11:02 AM, Marek Posolda wrote: > > oops, sorry. The server-info page was added recently and it's not in 1.1.Beta2. It would be available in 1.1.0.Final (or alternative is to build keycloak from master). Anyway, if you enable debug logging for org.keycloak.services.DefaultKeycloakSessionFactory you should see in server.log which providers are used and hence you should see 'infinispan' for realmCache, userCache and userSessions. > > We also recently added "Troubleshooting" page to clustering docs, which might help you to figure out what ports are needed https://github.com/keycloak/keycloak/blob/master/docbook/reference/en/en-US/modules/clustering.xml#L222 . You can try to temporarily disable firewall and see if it helps with cluster communication. Then you can figure more accurately which ports you need to open.
> > But generally we rely on infinispan/jgroups for cluster, so more info about cluster config and switch between udp/tcp should be available in their docs. > > Marek > >> On 19.1.2015 13:32, prab rrrr wrote: >> Hi Marek - Thanks for the below pointers. I believe my setup is good but probably the udp communication is blocked in my organization as I do not see the specific log you mentioned. Here are some of the log messages I see: >> >> Starting JGroups channel >> Received new cluster view ... node 1 (no information about node2) >> >> I will look at JGroups documentation to have the communication setup using tcp on a different port. Hopefully that would address the problem. >> >> I tried out the url you provided to verify the setup but it doesn't work - checked on two different setups. fyi - I am using 1.1Beta2 version. >> >> Regards, >> Raghu >> From: Marek Posolda >> To: prab rrrr ; Keycloak-user >> Sent: Monday, January 19, 2015 6:09 AM >> Subject: Re: [keycloak-user] Keycloak Clustering Issues >> >> That's quite strange. I've just tested same scenario and works fine for me. If you do any change on user, the user is invalidated from cache on node-1 and this change about invalidation should be propagated to node-2 . As long as you have shared database, node-2 should then retrieve newest data about shared user from database. >> >> I would suggest to try this: >> >> * Make sure that your infinispan cluster is correctly set. You can check it by seeing the message similar to this in server.log of both nodes: node_1 | 10:49:50,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak] >> >> * Make sure that you enable "infinispan" as provider of realmCache and userCache and configured connectionsInfinispan . 
When you open admin console on any node like: http://node-1:8080/auth/admin/master/console/index.html#/server-info >> >> you should see: >> connectionsInfinispan default >> realmCache infinispan >> userCache infinispan >> userSessions infinispan >> >> * If still seeing issues, you can try to enable trace logging for "org.keycloak.models.cache.infinispan" category. >> >> Hope this helps, >> Marek >> >> >>> On 17.1.2015 04:32, prab rrrr wrote: >>> >>> >>> Anyone noticed any issues with Infinispan? I saw a weird issue. After setting up a cluster with two nodes, made some changes on node-1 (created a user and changed the first name). While the user appeared on node-2, the change to the first name didn't make it. Restarting the node-2 didn't help either. Wondering if Infinispan is preventing all the changes to be picked up from database. If so, what settings would ensure that the data is consistent between the nodes? >>> >>> Thanks, >>> Raghu >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150123/a279f8d7/attachment.html From prabhalar at yahoo.com Sat Jan 24 07:43:42 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Sat, 24 Jan 2015 12:43:42 +0000 (UTC) Subject: [keycloak-user] Service Provider Metadata - Keycloak 1.2 Snapshot Message-ID: <1071024979.367967.1422103422718.JavaMail.yahoo@mail.yahoo.com> Hi Dev team, Can you let me know how I can get the Service Provider meta data (SAML) from Keycloak 1.2 Snapshot version (I built it today from master). I am trying to test out the new SP functionality against an external IDP. Apologies for not waiting for a release and asking the question. ThanksRaghu -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150124/57fe2378/attachment-0001.html

From peterson.dean at gmail.com Sun Jan 25 18:34:26 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sun, 25 Jan 2015 17:34:26 -0600
Subject: [keycloak-user] IPhone turns off local storage by default and that causes Keycloak.js to fail.
Message-ID:

IPhones are in private mode by default. When in private mode, they do not allow localstorage. Any application secured with the pure js keycloak file fails. When I turn private mode off, the application works. Will Keycloak be supporting IPhones with the pure javascript client in the future without requiring users turn private mode off?

I get the following error in private mode. The highlighted code is what causes the error:

QuotaExceededError: DOM Exception 22: An attempt was made to add something to storage that exceeded the quota.

Jessica

kc.createLoginUrl = function(options) {
    var state = createUUID();

    var redirectUri = adapter.redirectUri(options);
    if (options && options.prompt) {
        if (redirectUri.indexOf('?') == -1) {
            redirectUri += '?prompt=' + options.prompt;
        } else {
            redirectUri += '&prompt=' + options.prompt;
        }
    }

    sessionStorage.oauthState = state;

    var url = getRealmUrl()
        + '/tokens/login'
        + '?client_id=' + encodeURIComponent(kc.clientId)
        + '&redirect_uri=' + encodeURIComponent(redirectUri)
        + '&state=' + encodeURIComponent(state)
        + '&response_type=code';

    if (options && options.prompt) {
        url += '&prompt=' + options.prompt;
    }

    if (options && options.loginHint) {
        url += '&login_hint=' + options.loginHint;
    }

    return url;
}
-------------- next part --------------
An HTML attachment was scrubbed...
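Added example, not part of the original thread and not keycloak.js code: the write `sessionStorage.oauthState = state` in the message above is where QuotaExceededError is raised, so this sketch probes web storage first and otherwise keeps the OAuth state in a short-lived cookie, then checks it once on the redirect back. All function names are hypothetical, the storage and document objects are constructed stand-ins, and it assumes cookies stay writable when web storage is not.

```javascript
// Added example; not keycloak.js code. All function names are hypothetical.

// True only if the storage object accepts a write. Some private modes expose
// sessionStorage/localStorage but throw QuotaExceededError from setItem.
function storageUsable(storage) {
  if (!storage) return false;
  try {
    storage.setItem('__probe__', '1');
    storage.removeItem('__probe__');
    return true;
  } catch (e) {
    return false;
  }
}

function webStore(storage) {
  return {
    kind: 'webstorage',
    set: function (k, v) { storage.setItem(k, v); },
    get: function (k) { return storage.getItem(k); },
    remove: function (k) { storage.removeItem(k); }
  };
}

// Fallback that survives the redirect to the login page and back: a
// short-lived cookie. An in-memory variable would be lost on navigation.
function cookieStore(doc, maxAgeSeconds) {
  var attrs = '; Path=/; SameSite=Lax';
  return {
    kind: 'cookie',
    set: function (k, v) {
      doc.cookie = encodeURIComponent(k) + '=' + encodeURIComponent(v) +
        '; Max-Age=' + maxAgeSeconds + attrs;
    },
    get: function (k) {
      var prefix = encodeURIComponent(k) + '=';
      var parts = doc.cookie.split('; ');
      for (var i = 0; i < parts.length; i++) {
        if (parts[i].indexOf(prefix) === 0) {
          return decodeURIComponent(parts[i].slice(prefix.length));
        }
      }
      return null;
    },
    remove: function (k) {
      doc.cookie = encodeURIComponent(k) + '=; Max-Age=0' + attrs;
    }
  };
}

function pickStateStore(storage, doc) {
  return storageUsable(storage) ? webStore(storage) : cookieStore(doc, 300);
}

// Called before redirecting to the login URL.
function rememberState(store, state) {
  store.set('oauthState', state);
}

// Called on the redirect back. The stored value is removed before comparing,
// so a state value is accepted at most once and a missing value never matches.
function consumeState(store, returnedState) {
  var expected = store.get('oauthState');
  store.remove('oauthState');
  return typeof expected === 'string' && expected.length > 0 &&
    expected === returnedState;
}

// --- Constructed stand-ins so the example also runs outside a browser ---
function privateModeStorage() {
  return {
    setItem: function () {
      var e = new Error('constructed quota failure');
      e.name = 'QuotaExceededError';
      throw e;
    },
    getItem: function () { return null; },
    removeItem: function () {}
  };
}

function fakeDocument() {
  var jar = new Map();
  return {
    get cookie() {
      return Array.from(jar, function (kv) { return kv[0] + '=' + kv[1]; }).join('; ');
    },
    set cookie(line) {
      var fields = line.split('; ');
      var eq = fields[0].indexOf('=');
      var name = fields[0].slice(0, eq);
      if (fields.indexOf('Max-Age=0') !== -1) jar.delete(name);
      else jar.set(name, fields[0].slice(eq + 1));
    }
  };
}

function demo() {
  var store = pickStateStore(privateModeStorage(), fakeDocument());
  rememberState(store, 'constructed-state-1');
  var first = consumeState(store, 'constructed-state-1');
  var replay = consumeState(store, 'constructed-state-1');
  return { kind: store.kind, first: first, replay: replay };
}
```
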
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150125/fc51ef65/attachment.html

From stian at redhat.com Mon Jan 26 02:03:55 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 26 Jan 2015 02:03:55 -0500 (EST)
Subject: [keycloak-user] Sending the user to the login page without the realm
In-Reply-To: <54C28C82.5090901@kroehling.de>
References: <54C28C82.5090901@kroehling.de>
Message-ID: <1604264207.237780.1422255835461.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Juraci Paixão Kröhling"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, January 23, 2015 7:01:38 PM
> Subject: [keycloak-user] Sending the user to the login page without the realm
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
>
> I think I've seen something similar here on the list, but I can't find
> the thread. So, I apologize in advance.
>
> I'm doing the integration with an application that is multi tenant,
> so, before sending the user to Keycloak for the authentication, I
> present a screen to the user to select his realm on the single-page
> HTML5 application. This is obviously not optimal for several reasons :-)
>
> I was then wondering if it would possible/desirable to have Keycloak
> to determine the realm of the user based on his login/email address.
> When doing the redirect to the single-page app, Keycloak would then
> also send, for instance, the URL for the application to load the
> keycloak.json file for that realm.
>
> Is this something that would be worth pursuing?

I can't see this being a common use-case and it would require a fair amount of logic. Exactly what are the requirements around your multi-tenancy app?

An alternative approach could be to use identity brokering, which is available in master atm. It may need some additional capabilities to fill your needs, but basically it allows your app to talk to a single realm, while Keycloak brokers to other realms, even to remote servers.

>
> - - Juca.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From christoph.machnik at traveltainment.de Mon Jan 26 05:04:35 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Mon, 26 Jan 2015 10:04:35 +0000
Subject: [keycloak-user] Best practice: timeouthandling
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC4526C@EX-TT-AC-01.traveltainment.int>

I have a keycloak web-application in which objects can be created and changed. These objects are saved in a database. When someone logs in to the application and opens one of these objects to change it, the object gets marked as locked in the database, so no other user can make changes to this object while someone else is editing it.

The problem I have is that when someone is editing one of these objects and then runs into a session timeout, the object has to be marked as unlocked. So I have a javascript-method in the application that sends an ajax-request to a servlet to trigger a function that unlocks this object. But I have to call this method BEFORE the timeout logs the user out.

What is the best practice in this case and how can I be sure the method is performed before the user comes to the login screen again?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150126/6fc95161/attachment.html From stephen.flynn at jftechnology.com Mon Jan 26 08:48:00 2015 From: stephen.flynn at jftechnology.com (Stephen Flynn) Date: Mon, 26 Jan 2015 13:48:00 +0000 Subject: [keycloak-user] Email verification : failed to turn code into token: java.net.SocketException Message-ID: <54C64590.7030406@jftechnology.com> Hi guys, Struggling with an odd problem here - will try my best to explain. Scenario is as follows (KC 1.1.Beta2 / Wildfly 8.2.0.Final)... * KeyCloak running on 'host1', app is running on 'host2' (with multi-tenancy) * Created a user with credentials. * Checked that user login/logout/timeout works fine - it does. * Leave the user logged out. * From the KeyCloak user interface on host1 I update the user to 'Email verified' = 'Off' and required user action to 'Verify email' * On next login attempt app landing page redirects to KeyCloak login page *- as expected*. * After I enter username/password I get the 'EMAIL VERIFICATION' page and receive an email with a verification link***- as expected*. * Following the email link verifies the KC user account (now 'Email verified' = 'On' and required user actions are empty)*- as expected*. * KeyCloak redirects back to the correct app landing page on 'host2' *- as expected*. * User is now authenticated but no principal or roles have been propagated to the app (principal is 'anonymous'). * An exception (see below) is logged by the KeyCloak adapter on 'host2' Can't find any similar issues in JIRA/mailing lists - any thoughts ? Or where I should be looking for more detail to clarify this ? best rgds Steve F. 
THIS EXCEPTION IS LOGGED ON THE APP HOST 2015-01-26 11:00:00,006 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-21) failed to turn code into token: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:196) [rt.jar:1.7.0_51] at java.net.SocketInputStream.read(SocketInputStream.java:122) [rt.jar:1.7.0_51] at sun.security.ssl.InputRecord.readFully(InputRecord.java:442) [jsse.jar:1.7.0_51] at sun.security.ssl.InputRecord.read(InputRecord.java:480) [jsse.jar:1.7.0_51] at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927) [jsse.jar:1.7.0_51] at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:884) [jsse.jar:1.7.0_51] at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) [jsse.jar:1.7.0_51] at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:166) at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:90) at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:281) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:92) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:62) at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:254) at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:289) at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:252) at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:219) at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:300) at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:127) at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:712) at 
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:517)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:122) [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:95) [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:261) [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:208) [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:90) [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:93) [keycloak-undertow-adapter-1.1.0.Beta2.jar:1.1.0.Beta2]
    at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:60) [keycloak-undertow-adapter-1.1.0.Beta2.jar:1.1.0.Beta2]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.1.0.Beta2.jar:1.1.0.Beta2]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]

--
===================================================
*Stephen Flynn*
*Director, JF Technology (UK) Ltd*
Cell (UK) : +44 7768 003 882
Phone : +44 20 7833 8346
IM : xmpp:stephen.flynn at jftechnology.com
IM : aim:stephen.flynn at
jftechnology.com
Website : http://www.jftechnology.com
Tech support : support at jftechnology.com
===================================================

From simon.temple at amalto.com Mon Jan 26 13:04:00 2015
From: simon.temple at amalto.com (Simon Temple)
Date: Mon, 26 Jan 2015 18:04:00 +0000
Subject: [keycloak-user] Deploying auth-server.war on Jetty 8
Message-ID:

Would it be possible to deploy the server WAR under Jetty 8? Has anyone done this already?
I know I'd have to create a datasource and drop the auth-server.war in the jetty deploy folder... but what about the configuration folder content?

Any help would be much appreciated.

I tried adding the jetty 8 adapter jars to the jetty /lib and deploying the war but I got a couple of WARNS:

2015-01-26 15:48:55,389 WARN [auth-server.war] (WrapperSimpleAppMain) unavailable (ContextHandler.java:1957)
javax.servlet.UnavailableException: org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher
    at org.eclipse.jetty.servlet.Holder.doStart(Holder.java:99)

and

2015-01-26 15:48:55,395 WARN [auth-server.war] (WrapperSimpleAppMain) unavailable (ContextHandler.java:1957)
java.lang.NullPointerException
    at org.eclipse.jetty.servlet.ServletContextHandler$Context.createServlet(ServletContextHandler.java:975)
    at org.eclipse.jetty.servlet.ServletHolder.newInstance(ServletHolder.java:832)
    at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:482)

TIA

Simon

From Robert.Brem at adesso.ch Tue Jan 27 01:55:08 2015
From: Robert.Brem at adesso.ch (Brem, Robert)
Date: Tue, 27 Jan 2015 06:55:08 +0000
Subject: [keycloak-user] CORS Problem
Message-ID: <5522F086A978AE45ADB4CE2A7FAF6E80211A2CE6@ex2010-db02.adesso.local>

Hy @ll,

For my current project I use Docker and run each service in its own container, and spread the services over multiple servers. All connected via REST.

For the security I found Keycloak, and I think it's a really cool tool. But I never was the best friend of security... JASS/Spring Security...

My problem is, I try to use the cors example (https://github.com/keycloak/keycloak/tree/master/examples/cors). I also use AngularJS for the frontend that consumes multiple REST Services.

But I don't get it to work. I always get the following error:

XMLHttpRequest cannot load http://162.244.28.89:8080/BrandService/resources/brands/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://162.244.28.89' is therefore not allowed access. The response had HTTP status code 403.

Google Chrome gives me the following output for the http request:

Remote Address:162.244.28.89:8080
Request URL:http://162.244.28.89:8080/BrandService/resources/brands/
Request Method:GET
Status Code:403 Forbidden

Request Headers
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Authorization:Bearer eyJhbGciOiJSUzI1NiJ9....ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII
Connection:keep-alive
Host:162.244.28.89:8080
Origin:http://162.244.28.89
Referer:http://162.244.28.89/
User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36

Response Headers
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Length:68
Content-Type:text/html;charset=UTF-8
Date:Fri, 23 Jan 2015 19:23:33 GMT
Expires:0
Pragma:no-cache
Server:WildFly/8
X-Powered-By:Undertow/1

What I don't get is the response header. Shouldn't there be the following header settings:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin,accept,content-type
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin:*
Access-Control-Max-Age:151200
Allow:HEAD, POST, GET, OPTIONS, PUT

My keycloak.json looks like that:

{
  "realm": "openPixx",
  "realm-public-key": "...bmwCckE..gWjLQIDAQAB",
  "ssl-required": "external",
  "resource": "BrandService",
  "bearer-only": true,
  "cors-max-age" : 1000,
  "enable-cors": true,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET"
}

In Keycloak I've defined the BrandFrontend:

Enabled: true
Client Protocol: openid-connect
Access Type: public
Redirect URL: http://162.244.28.89/*
Web Origin: http://162.244.28.89

For the AngularJS part I've used the authinterceptor from the example.

If you have read until here.

Thank you very much and sorry for my bad English :)

Greets

Rob

From stian at redhat.com Tue Jan 27 03:00:44 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 27 Jan 2015 03:00:44 -0500 (EST)
Subject: [keycloak-user] Deploying auth-server.war on Jetty 8
In-Reply-To:
References:
Message-ID: <431547781.868375.1422345644488.JavaMail.zimbra@redhat.com>

It may work now, but it's not an option we support and probably won't work in the future.

----- Original Message -----
> From: "Simon Temple"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, January 26, 2015 7:04:00 PM
> Subject: [keycloak-user] Deploying auth-server.war on Jetty 8
>
> Would it be possible to deploy the server WAR under Jetty 8? Has anyone done
> this already?
> I know I'd have to create a datasource and drop the auth-server.war in the
> jetty deploy folder... but what about the configuration folder content?
>
> Any help would be much appreciated.
>
> I tried adding the jetty 8 adapter jars to the jetty /lib and deploying the
> war but I got a couple of WARNS:
>
> 2015-01-26 15:48:55,389 WARN [auth-server.war] (WrapperSimpleAppMain)
> unavailable (ContextHandler.java:1957)
> javax.servlet.UnavailableException:
> org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher
> at org.eclipse.jetty.servlet.Holder.doStart(Holder.java:99)
>
> and
>
> 2015-01-26 15:48:55,395 WARN [auth-server.war] (WrapperSimpleAppMain)
> unavailable (ContextHandler.java:1957)
> java.lang.NullPointerException
> at
> org.eclipse.jetty.servlet.ServletContextHandler$Context.createServlet(ServletContextHandler.java:975)
> at
> org.eclipse.jetty.servlet.ServletHolder.newInstance(ServletHolder.java:832)
> at
> org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:482)
>
> TIA
>
>
> Simon
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From panulab at gmail.com Tue Jan 27 05:15:12 2015
From: panulab at gmail.com (Pablo N)
Date: Tue, 27 Jan 2015 11:15:12 +0100
Subject: [keycloak-user] User Registration Form Field length validation
Message-ID:

Hello,

I would like to know which is the best approach to validate username, First Name and Last Name length in the registration Form. Currently only not empty and email pattern is validated.

I don't know if there is any possibility to perform this validation as part of a customized theme or if it is necessary to modify Validation.java class.

Thank you very much for your help.

From stian at redhat.com Tue Jan 27 05:19:47 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 27 Jan 2015 05:19:47 -0500 (EST)
Subject: [keycloak-user] User Registration Form Field length validation
In-Reply-To:
References:
Message-ID: <536376885.1046247.1422353987208.JavaMail.zimbra@redhat.com>

There's no support for this atm, but we're working on custom user profiles which will provide support for defining validation of attributes.

----- Original Message -----
> From: "Pablo N"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, January 27, 2015 11:15:12 AM
> Subject: [keycloak-user] User Registration Form Field length validation
>
> Hello,
>
> I would like to know which is the best approach to validate username, First
> Name and Last Name length in the registration Form. Currently only not empty
> and email pattern is validated.
>
> I don't know if there is any possibility to perform this validation as part of
> a customized theme or if it is necessary to modify Validation.java class.
>
> Thank you very much for your help.

From ungarida at gmail.com Tue Jan 27 15:46:33 2015
From: ungarida at gmail.com (Davide Ungari)
Date: Tue, 27 Jan 2015 20:46:33 +0000
Subject: [keycloak-user] Authentication throw a proxy on Undertow
References:
Message-ID:

Hi everybody,
I saw release 1.0.5.Final.

Is there something useful for my use case?

On Fri Nov 21 2014 at 8:47:21 AM Davide Ungari wrote:

> Hi Bill,
> I see you have pushed some changes.
> Tell me as soon as you need me to test it.
>
> Thank you,
> Davide.
>
>> Weird... I'm actually screwing around with writing a security proxy
>> right now.
>> I just started like an hour or so ago so I'm not exactly
>> sure...but I don't think you can implement this with the current
>> codebase. You need a Undertow only (no servlet) authentication
>> mechanism and to set up the security handler chain correctly. (See the
>> BasicAuthServer example in Undertow).
>> I should have something working in master by the end of the week.
>> On 11/19/2014 6:33 PM, Davide Ungari wrote:
>>
>> > Hi everybody,
>> > this is the big picture:
>> > a. frontend application with Undertow
>> > b. backend application with Undertow and Resteasy for REST API
>> >
>> > Both are using Keycloak as SSO.
>> >
>> > I'm trying to configure a proxy from A to B in order to expose backend
>> > API without CORS problems to the frontend.
>> >
>> > I asked support also to Undertow guys but the issue seems around the
>> > integration of Keycloack in Undertow. My proxy is implemented like:
>> >
>> > final ProxyClient proxyClient = new SimpleProxyClientProvider(new URI("http://localhost:8181"));
>> > final ProxyHandler proxyHandler = new ProxyHandler(proxyClient, servletHandler);
>> > proxyHandler.addRequestHeader(new HttpString("Authorization"), new ExchangeAttribute() {
>> >     @Override
>> >     public String readAttribute(HttpServerExchange exchange) {
>> >         RefreshableKeycloakSecurityContext context = (RefreshableKeycloakSecurityContext) exchange.getSecurityContext();
>> >         return "Bearer " + context.getTokenString();
>> >     }
>> >
>> >     @Override
>> >     public void writeAttribute(HttpServerExchange exchange, String newValue) throws ReadOnlyAttributeException {
>> >         // TODO Auto-generated method stub
>> >     }
>> > });
>> >
>> > The problem is that the exchange.getSecurityContext() is always null.
>> > Any ideas?
>> >
>> > Thanks
>> >
>> > --
>> > Davide
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com

From prabhalar at yahoo.com Tue Jan 27 20:33:57 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Wed, 28 Jan 2015 01:33:57 +0000 (UTC)
Subject: [keycloak-user] Keycloak Clustering Issues
In-Reply-To: <02F1DA92-3C7B-41DC-82FB-7D5BDC8D50A8@yahoo.com>
References: <02F1DA92-3C7B-41DC-82FB-7D5BDC8D50A8@yahoo.com>
Message-ID: <1546120285.939822.1422408837116.JavaMail.yahoo@mail.yahoo.com>

Hi Marek - Need some more help from you. I have a cluster of two nodes now and I see the below message on both the nodes after I utilized tcp instead of udp.

Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]

While testing the SAML IDP functionality using Spring SAML as service provider, I noticed that the session information on one node was not getting replicated on the second one (after successfully logging in with 1st node, I took it down and the second node redirected me to login page instead of picking up from where the first one left off)

Tried to increase logging for INFINISPAN and JGroups in standalone.xml but didn't see any change in logs. Any suggestions on how I can figure out what is happening?

Thanks,
Raghu

From: Raghu Prabhala
To: Marek Posolda
Cc: Keycloak-user
Sent: Friday, January 23, 2015 2:19 PM
Subject: Re: [keycloak-user] Keycloak Clustering Issues

Figured out the issue. Udp communication was not allowed. So switched to "tcp". Updated the Jira 979 with the settings for tcp.
Please update your documentation so that it can benefit others

Sent from my iPhone

On Jan 19, 2015, at 11:02 AM, Marek Posolda wrote:

oops, sorry. The server-info page was added recently and it's not in 1.1.Beta2. It would be available in 1.1.0.Final (or alternative is to build keycloak from master). Anyway, if you enable debug logging for org.keycloak.services.DefaultKeycloakSessionFactory you should see in server.log which providers are used and hence you should see 'infinispan' for realmCache, userCache and userSessions.

We also recently added "Troubleshooting" page to clustering docs, which might help you to figure out what ports are needed https://github.com/keycloak/keycloak/blob/master/docbook/reference/en/en-US/modules/clustering.xml#L222 . You can try to temporarily disable firewall and see if it helps with cluster communication. Then you can figure more accurately which ports you need to open.

But generally we rely on infinispan/jgroups for cluster, so more info about cluster config and switch between udp/tcp should be available in their docs.

Marek

On 19.1.2015 13:32, prab rrrr wrote:

Hi Marek - Thanks for the below pointers. I believe my setup is good but probably the udp communication is blocked in my organization as I do not see the specific log you mentioned. Here are some of the log messages I see:

Starting JGroups channel
Received new cluster view ... node 1 (no information about node2)

I will look at JGroups documentation to have the communication setup using tcp on a different port. Hopefully that would address the problem.

I tried out the url you provided to verify the setup but it doesn't work - checked on two different setups. fyi - I am using 1.1Beta2 version.

Regards,
Raghu

From: Marek Posolda
To: prab rrrr ; Keycloak-user
Sent: Monday, January 19, 2015 6:09 AM
Subject: Re: [keycloak-user] Keycloak Clustering Issues

That's quite strange. I've just tested same scenario and works fine for me.
If you do any change on user, the user is invalidated from cache on node-1 and this change about invalidation should be propagated to node-2. As long as you have shared database, node-2 should then retrieve newest data about shared user from database.

I would suggest to try this:

* Make sure that your infinispan cluster is correctly set. You can check it by seeing the message similar to this in server.log of both nodes:

node_1 | 10:49:50,344 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]

* Make sure that you enable "infinispan" as provider of realmCache and userCache and configured connectionsInfinispan. When you open admin console on any node like: http://node-1:8080/auth/admin/master/console/index.html#/server-info you should see:

connectionsInfinispan default
realmCache infinispan
userCache infinispan
userSessions infinispan

* If still seeing issues, you can try to enable trace logging for "org.keycloak.models.cache.infinispan" category.

Hope this helps,
Marek

On 17.1.2015 04:32, prab rrrr wrote:

Anyone noticed any issues with Infinispan? I saw a weird issue. After setting up a cluster with two nodes, made some changes on node-1 (created a user and changed the first name). While the user appeared on node-2, the change to the first name didn't make it. Restarting the node-2 didn't help either. Wondering if Infinispan is preventing all the changes to be picked up from database. If so, what settings would ensure that the data is consistent between the nodes?

Thanks,
Raghu

From stian at redhat.com Wed Jan 28 02:25:05 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 28 Jan 2015 02:25:05 -0500 (EST)
Subject: [keycloak-user] Authentication throw a proxy on Undertow
In-Reply-To:
References:
Message-ID: <266375727.1953405.1422429905380.JavaMail.zimbra@redhat.com>

No, 1.0.5.Final is only a fix for EAP 6.4 Beta.

----- Original Message -----
> From: "Davide Ungari"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, January 27, 2015 9:46:33 PM
> Subject: Re: [keycloak-user] Authentication throw a proxy on Undertow
>
> Hi everybody,
> I saw release 1.0.5.Final.
>
> Is there something useful for my use case?
>
> On Fri Nov 21 2014 at 8:47:21 AM Davide Ungari < ungarida at gmail.com >
> wrote:
>
> Hi Bill,
> I see you have pushed some changes.
> Tell me as soon as you need me to test it.
>
> Thank you,
> Davide.
>
> Weird... I'm actually screwing around with writing a security proxy
> right now. I just started like an hour or so ago so I'm not exactly
> sure...but I don't think you can implement this with the current
> codebase. You need a Undertow only (no servlet) authentication
> mechanism and to set up the security handler chain correctly. (See the
> BasicAuthServer example in Undertow).
> I should have something working in master by the end of the week.
> On 11/19/2014 6:33 PM, Davide Ungari wrote:
>
> Hi everybody,
> this is the big picture:
> a. frontend application with Undertow
> b. backend application with Undertow and Resteasy for REST API
>
> Both are using Keycloak as SSO.
>
> I'm trying to configure a proxy from A to B in order to expose backend
> API without CORS problems to the frontend.
>
> I asked support also to Undertow guys but the issue seems around the
> integration of Keycloack in Undertow.
> My proxy is implemented like:
>
> final ProxyClient proxyClient = new SimpleProxyClientProvider(new URI("http://localhost:8181"));
> final ProxyHandler proxyHandler = new ProxyHandler(proxyClient, servletHandler);
> proxyHandler.addRequestHeader(new HttpString("Authorization"), new ExchangeAttribute() {
>     @Override
>     public String readAttribute(HttpServerExchange exchange) {
>         RefreshableKeycloakSecurityContext context = (RefreshableKeycloakSecurityContext) exchange.getSecurityContext();
>         return "Bearer " + context.getTokenString();
>     }
>
>     @Override
>     public void writeAttribute(HttpServerExchange exchange, String newValue) throws ReadOnlyAttributeException {
>         // TODO Auto-generated method stub
>     }
> });
>
> The problem is that the exchange.getSecurityContext() is always null.
> Any ideas?
>
> Thanks
>
> --
> Davide
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

From christoph.machnik at traveltainment.de Wed Jan 28 04:38:32 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Wed, 28 Jan 2015 09:38:32 +0000
Subject: [keycloak-user] User rights after logout
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC473BC@EX-TT-AC-01.traveltainment.int>

Hi all,

I have a web-application with keycloak. When a user has to log in, this user gets the rights to see the following pages or not.
When this user logs out and another user logs in with other rights to see the following pages or not, he gets the same rights as the first user that logged in.
In the example I log in with support and just can see the support page in the application, when I log out and log in with admin I just can see the support page and not the admin page, even though I have the admin role. When I restart the server and first log in as admin I can see the admin- and the support page. When I log out and now log in with support I have the support rule, but nevertheless I can see the admin- and support page.

Is there any mistake in the web.xml file? (following):

TestWebApp Admins /views/admin/* admin Support /views/support/* admin support KEYCLOAK test admin support

From mposolda at redhat.com Wed Jan 28 04:57:37 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Jan 2015 10:57:37 +0100
Subject: [keycloak-user] CORS Problem
In-Reply-To: <5522F086A978AE45ADB4CE2A7FAF6E80211A2CE6@ex2010-db02.adesso.local>
References: <5522F086A978AE45ADB4CE2A7FAF6E80211A2CE6@ex2010-db02.adesso.local>
Message-ID: <54C8B291.3020704@redhat.com>

Hi,

it looks to me that your CORS settings on adapters side and also for your frontend application looks good. However keycloak returned 403 Forbidden and hence did not add cors headers (we are adding cors headers after successful authentication). Do you have something in the server log?

What I would try is:
- Temporarily set "ssl-required" to "none" in the adapters configuration
- If it doesn't help, then see how it will behave if both frontend application and rest application are on same origin (either http://162.244.28.89:8080 or http://162.244.28.89)
- Maybe using hostname like "myhost.com" instead of IP address could help.
If you have opportunity to temporarily add virtual host and use hostname it's worth a try (it's strange, but who knows...)

Marek

On 27.1.2015 07:55, Brem, Robert wrote:
>
> Hy @ll,
>
> For my current project I use Docker and run each service in its own
> container, and spread the services over multiple servers. All
> connected via REST.
>
> For the security I found Keycloak, and I think it's a really cool
> tool. But I never was the best friend of security... JASS/Spring Security...
>
> My problem is, I try to use the cors example
> (https://github.com/keycloak/keycloak/tree/master/examples/cors). I
> also use AngularJS for the frontend that consumes multiple REST Services.
>
> But I don't get it to work. I always get the following error:
>
> XMLHttpRequest cannot load
> http://162.244.28.89:8080/BrandService/resources/brands/. No
> 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://162.244.28.89' is therefore not allowed
> access. The response had HTTP status code 403.
>
> Google Chrome gives me the following output for the http request:
>
> Remote Address:162.244.28.89:8080
> Request URL:http://162.244.28.89:8080/BrandService/resources/brands/
> Request Method:GET
> Status Code:403 Forbidden
>
> Request Headers
> Accept:application/json, text/plain, */*
> Accept-Encoding:gzip, deflate, sdch
> Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
> Authorization:Bearer
> eyJhbGciOiJSUzI1NiJ9....ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII
> Connection:keep-alive
> Host:162.244.28.89:8080
> Origin:http://162.244.28.89
> Referer:http://162.244.28.89/
> User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
>
> Response Headers
> Cache-Control:no-cache, no-store, must-revalidate
> Connection:keep-alive
> Content-Length:68
> Content-Type:text/html;charset=UTF-8
> Date:Fri, 23 Jan 2015 19:23:33 GMT
> Expires:0
> Pragma:no-cache
> Server:WildFly/8
> X-Powered-By:Undertow/1
>
> What I don't get is the response header.
> Shouldn't there be the
> following header settings:
>
> Access-Control-Allow-Credentials:true
> Access-Control-Allow-Headers:origin,accept,content-type
> Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
> Access-Control-Allow-Origin:*
> Access-Control-Max-Age:151200
> Allow:HEAD, POST, GET, OPTIONS, PUT
>
> My keycloak.json looks like that:
>
> {
>   "realm": "openPixx",
>   "realm-public-key": "...bmwCckE..gWjLQIDAQAB",
>   "ssl-required": "external",
>   "resource": "BrandService",
>   "bearer-only": true,
>   "cors-max-age" : 1000,
>   "enable-cors": true,
>   "cors-allowed-methods" : "POST, PUT, DELETE, GET"
> }
>
> In Keycloak I've defined the BrandFrontend:
>
> Enabled: true
> Client Protocol: openid-connect
> Access Type: public
> Redirect URL: http://162.244.28.89/*
> Web Origin: http://162.244.28.89
>
> For the AngularJS part I've used the authinterceptor from the example.
>
> If you have read until here.
>
> Thank you very much and sorry for my bad English :)
>
> Greets
>
> Rob

From mposolda at redhat.com Wed Jan 28 05:12:50 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Jan 2015 11:12:50 +0100
Subject: [keycloak-user] User rights after logout
In-Reply-To: <9656B9D10BC6124A88D5E27DD02422855BC473BC@EX-TT-AC-01.traveltainment.int>
References: <9656B9D10BC6124A88D5E27DD02422855BC473BC@EX-TT-AC-01.traveltainment.int>
Message-ID: <54C8B622.4060802@redhat.com>

Hi,

I've just tried with latest Keycloak on Wildfly but did not see same behaviour. Do you have admin URL set in Keycloak admin console for your application? How are you doing logout in your application?
Are you using httpServletRequest.logout() or are you directly logout by access to logoutURL like our demo example applications are doing?

Marek

On 28.1.2015 10:38, Christoph Machnik wrote:
> Hi all,
>
> I have a web-application with keycloak. When a user has to log in,
> this user gets the rights to see the following pages or not. When
> this user logs out and another user logs in with other rights to see
> the following pages or not, he gets the same rights as the first
> user that logged in.
> In the example I log in with support and just can see the support page
> in the application, when I log out and log in with admin I just can
> see the support page and not the admin page, even though I have the
> admin role. When I restart the server and first log in as admin I can
> see the admin- and the support page. When I log out and now log in
> with support I have the support rule, but nevertheless I can see the
> admin- and support page.
>
> Is there any mistake in the web.xml file? (following):
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
> http://java.sun.com/xml/ns/javaee/web-app_3_0.xml"
> version="3.0">
>
> TestWebApp
>
> Admins
> /views/admin/*
>
> admin
>
> Support
> /views/support/*
>
> admin
> support
>
> KEYCLOAK
> test
>
> admin
>
> support

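Marek's reply in the CORS Problem thread above says the adapter answered 403 before adding any CORS headers, which is why Chrome reports a missing 'Access-Control-Allow-Origin' header rather than the 403 itself. The following is an added example, not code from the thread or from Keycloak: it applies the browser's CORS check (as defined in the Fetch standard) to the response headers Rob posted. The function names, the withCredentials values and the root-cause labels are assumptions made for illustration.

```javascript
// Header names are case-insensitive, so index them in lower case.
function normaliseHeaders(headers) {
  const map = new Map();
  for (const [name, value] of Object.entries(headers)) {
    map.set(name.toLowerCase(), String(value).trim());
  }
  return map;
}

// The CORS check a browser applies to a cross-origin response.
// withCredentials mirrors the XMLHttpRequest flag of the same name; a bearer
// token that script puts into the Authorization header does not turn it on.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  const headers = normaliseHeaders(responseHeaders);
  const allowOrigin = headers.get('access-control-allow-origin');
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'missing-allow-origin' };
  }
  if (allowOrigin === '*') {
    // The wildcard is only honoured for requests made without credentials.
    return withCredentials
      ? { allowed: false, reason: 'wildcard-with-credentials' }
      : { allowed: true, reason: 'wildcard' };
  }
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: 'origin-mismatch' };
  }
  if (withCredentials &&
      headers.get('access-control-allow-credentials') !== 'true') {
    return { allowed: false, reason: 'credentials-not-allowed' };
  }
  return { allowed: true, reason: 'origin-match' };
}

// Separate what the browser console reports (a CORS failure) from what the
// server actually decided (the HTTP status). Labels are hypothetical.
function diagnose(exchange) {
  const cors = corsCheck(exchange.origin, exchange.responseHeaders,
                         exchange.withCredentials);
  const rejected = exchange.status === 401 || exchange.status === 403;
  let rootCause;
  if (rejected && cors.reason === 'missing-allow-origin') {
    // The case from the thread: refused before any CORS header was added.
    rootCause = 'rejected-before-cors-headers';
  } else if (!cors.allowed) {
    rootCause = 'cors-configuration';
  } else {
    rootCause = rejected ? 'authorization' : 'none';
  }
  return { status: exchange.status, scriptCanReadResponse: cors.allowed,
           cors, rootCause };
}

const ORIGIN = 'http://162.244.28.89';

// Status and response headers as posted in the thread.
const CAPTURED_403 = {
  status: 403,
  origin: ORIGIN,
  withCredentials: false, // assumption: the post does not say
  responseHeaders: {
    'Cache-Control': 'no-cache, no-store, must-revalidate',
    'Connection': 'keep-alive',
    'Content-Length': '68',
    'Content-Type': 'text/html;charset=UTF-8',
    'Server': 'WildFly/8',
    'X-Powered-By': 'Undertow/1',
  },
};

// The CORS headers the poster expected to see on the response.
const EXPECTED_HEADERS = {
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Headers': 'origin,accept,content-type',
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS, HEAD',
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Max-Age': '151200',
};

console.log(diagnose(CAPTURED_403));
console.log(corsCheck(ORIGIN, EXPECTED_HEADERS, false));
console.log(corsCheck(ORIGIN, EXPECTED_HEADERS, true));
```

The last call shows that the expected header set would still be refused by a browser if the request were sent with withCredentials enabled, because a wildcard origin is not accepted for credentialed requests.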
From christoph.machnik at traveltainment.de Wed Jan 28 06:15:14 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Wed, 28 Jan 2015 11:15:14 +0000
Subject: [keycloak-user] User rights after logout
In-Reply-To: <54C8B622.4060802@redhat.com>
References: <9656B9D10BC6124A88D5E27DD02422855BC473BC@EX-TT-AC-01.traveltainment.int>, <54C8B622.4060802@redhat.com>
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC4740F@EX-TT-AC-01.traveltainment.int>

Thanks, I forgot to type in the admin url in the admin console.

________________________________
From: Marek Posolda [mposolda at redhat.com]
Sent: Wednesday, 28 January 2015 11:12
To: Christoph Machnik; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] User rights after logout

Hi,

I've just tried with latest Keycloak on Wildfly but did not see same behaviour. Do you have admin URL set in Keycloak admin console for your application? How are you doing logout in your application? Are you using httpServletRequest.logout() or are you directly logout by access to logoutURL like our demo example applications are doing?

Marek

On 28.1.2015 10:38, Christoph Machnik wrote:

Hi all,

I have a web-application with keycloak. When a user has to log in, this user gets the rights to see the following pages or not. When this user logs out and another user logs in with other rights to see the following pages or not, he gets the same rights as the first user that logged in.
In the example I log in with support and just can see the support page in the application, when I log out and log in with admin I just can see the support page and not the admin page, even though I have the admin role. When I restart the server and first log in as admin I can see the admin- and the support page. When I log out and now log in with support I have the support rule, but nevertheless I can see the admin- and support page.

Is there any mistake in int web.xml file ? (following): xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xml" version="3.0"> TestWebApp Admins /views/admin/* admin Support /views/support/* admin support KEYCLOAK test admin support _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150128/611389bc/attachment.html From mposolda at redhat.com Wed Jan 28 09:55:36 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 28 Jan 2015 15:55:36 +0100 Subject: [keycloak-user] Keycloak Clustering Issues In-Reply-To: <1546120285.939822.1422408837116.JavaMail.yahoo@mail.yahoo.com> References: <02F1DA92-3C7B-41DC-82FB-7D5BDC8D50A8@yahoo.com> <1546120285.939822.1422408837116.JavaMail.yahoo@mail.yahoo.com> Message-ID: <54C8F868.6070500@redhat.com> If you enable debug logging for "org.keycloak.services.DefaultKeycloakSessionFactory" you should see in server log which providers are used? You should see "infinispan" for userSessions, realmCache and userCache providers. Am I understand correctly that you're using loadbalancer and keycloak servers are behind it? Marek On 28.1.2015 02:33, Raghu Prabhala wrote: > Hi Marek - Need some more help from you. I have a cluster of two nodes > now and I see the below message on both the nodes after I utilized tcp > instead of udp. 
>> Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, >> node2/keycloak] >> >> While testing the SAML IDP functionality using Spring SAML as service >> provider, I noticed that the session information on one node was not >> getting replicated on the second one (after successfully logging in >> with 1st node, I took it down and the second node redirected me to >> login page instead of picking up from where the first one left off) >> >> Tried to increase logging for INFINISPAN and JGroups in >> standalone.xml but didn't see any change in logs. Any suggestions on >> how I can figure out what is happening? >> >> Thanks, >> Raghu > ------------------------------------------------------------------------ > *From:* Raghu Prabhala > *To:* Marek Posolda > *Cc:* Keycloak-user > *Sent:* Friday, January 23, 2015 2:19 PM > *Subject:* Re: [keycloak-user] Keycloak Clustering Issues > > Figured out the issue. Udp communication was not allowed. So switched > to "tcp". Updated the Jira 979 with the settings for tcp. Please > update your documentation so that it can benefit others > > Sent from my iPhone > > > > On Jan 19, 2015, at 11:02 AM, Marek Posolda > wrote: > > oops, sorry. The server-info page was added recently and it's not in > 1.1.Beta2. It would be available in 1.1.0.Final (or alternative is to > build keycloak from master). Anyway, if you enable debug logging for > org.keycloak.services.DefaultKeycloakSessionFactory you should see in > server.log which providers are used and hence you should see > 'infinispan' for realmCache, userCache and userSessions. > > We also recently added "Troubleshooting" page to clustering docs, > which might help you to figure out what ports are needed > https://github.com/keycloak/keycloak/blob/master/docbook/reference/en/en-US/modules/clustering.xml#L222 > . You can try to temporarily disable firewall and see if it helps with > cluster communication. Then you can figure more accurately which ports > you need to open. 
> > But generally we rely on infinispan/jgroups for cluster, so more info > about cluster config and switch between udp/tcp should be available in > their docs. > > Marek > > On 19.1.2015 13:32, prab rrrr wrote: >> Hi Marek - Thanks for the below pointers. I believe my setup is good >> but probably the udp communication is blocked in my organization as I >> do not see the specific log you mentioned. Here are some of the log >> messages I see: >> >> Starting JGroups channel >> Received new cluster view ... node 1 (no information about node2) >> I will look at JGroups documentation to have the communication setup >> using tcp on a different port. Hopefully that would address the problem. >> >> I tried out the url you provided to verify the setup but it doesn't >> work - checked on two different setups. fyi - I am using 1.1Beta2 >> version. >> >> Regards, >> Raghu >> ------------------------------------------------------------------------ >> *From:* Marek Posolda >> *To:* prab rrrr ; >> Keycloak-user >> >> *Sent:* Monday, January 19, 2015 6:09 AM >> *Subject:* Re: [keycloak-user] Keycloak Clustering Issues >> >> That's quite strange. I've just tested same scenario and works fine >> for me. If you do any change on user, the user is invalidated from >> cache on node-1 and this change about invalidation should be >> propagated to node-2 . As long as you have shared database, node-2 >> should then retrieve newest data about shared user from database. >> >> I would suggest to try this: >> >> * Make sure that your infinispan cluster is correctly set. 
You can >> check it by seeing the message similar to this in server.log of both >> nodes: node_1 | 10:49:50,344 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >> (Incoming-10,shared=udp) ISPN000094: Received new cluster view: >> [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak] >> >> * Make sure that you enable "infinispan" as provider of realmCache >> and userCache and configured connectionsInfinispan . When you open >> admin console on any node like: >> http://node-1:8080/auth/admin/master/console/index.html#/server-info >> >> >> you should see: >> connectionsInfinispan default >> realmCache infinispan >> userCache infinispan >> userSessions infinispan >> >> * If still seeing issues, you can try to enable trace logging for >> "org.keycloak.models.cache.infinispan" category. >> >> Hope this helps, >> Marek >> >> >> On 17.1.2015 04:32, prab rrrr wrote: >>> >>> >>> Anyone noticed any issues with Infinispan? I saw a weird issue. >>> After setting up a cluster with two nodes, made some changes on >>> node-1 (created a user and changed the first name). While the user >>> appeared on node-2, the change to the first name didn't make it. >>> Restarting the node-2 didn't help either. Wondering if Infinispan is >>> preventing all the changes to be picked up from database. If so, >>> what settings would ensure that the data is consistent between the >>> nodes? >>> >>> Thanks, >>> Raghu >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150128/e94b13fb/attachment-0001.html

From prabhalar at yahoo.com Wed Jan 28 16:27:51 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Wed, 28 Jan 2015 16:27:51 -0500
Subject: [keycloak-user] Keycloak 1.1 final issues
Message-ID: <537F9477-7D5D-46EC-B599-12B9E8E1E44A@yahoo.com>

Downloaded and tried 1.1 final today. Something is wrong - the web pages refresh every few seconds and they don't show any updates/ inserts made previously.

Sent from my iPhone

From stian at redhat.com Thu Jan 29 02:11:26 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 29 Jan 2015 02:11:26 -0500 (EST)
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
Message-ID: <282508176.2775455.1422515486824.JavaMail.zimbra@redhat.com>

The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final. Highlights in this release include:

* SAML 2.0
* Clustering
* Jetty, Tomcat and Fuse adapters
* HTTP Security Proxy
* Automatic migration of db schema

We've already started working on features for the next release. Some exciting features coming soon include:

* Identity brokering
* Custom user profiles
* Kerberos
* OpenID Connect interop

From stian at redhat.com Thu Jan 29 02:13:31 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 29 Jan 2015 02:13:31 -0500 (EST)
Subject: [keycloak-user] Keycloak 1.1 final issues
In-Reply-To: <537F9477-7D5D-46EC-B599-12B9E8E1E44A@yahoo.com>
References: <537F9477-7D5D-46EC-B599-12B9E8E1E44A@yahoo.com>
Message-ID: <222648820.2776148.1422515611007.JavaMail.zimbra@redhat.com>

Try clearing your cache, that should work

----- Original Message -----
> From: "Raghu Prabhala"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, January 28, 2015 10:27:51 PM
> Subject: [keycloak-user] Keycloak 1.1 final issues
>
> Downloaded and tried 1.1 final today. Something is wrong - the web pages
> refresh every few seconds and they don't show any updates/ inserts made
> previously.
>
> Sent from my iPhone
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From christoph.machnik at traveltainment.de Thu Jan 29 05:36:56 2015
From: christoph.machnik at traveltainment.de (Christoph Machnik)
Date: Thu, 29 Jan 2015 10:36:56 +0000
Subject: [keycloak-user] Call javascript function before session timeout
Message-ID: <9656B9D10BC6124A88D5E27DD02422855BC47462@EX-TT-AC-01.traveltainment.int>

Hi all,

I have a keycloak web-application in which objects can be created and changed. These objects are saved in a database. When someone is logged in to the application and opens one of these objects to change it, this object gets marked as locked in the database, so no other user can make changes to this object while someone else is editing it.

The problem I have is that, when someone is editing one of these objects and then runs into a session timeout, the object has to be marked as unlocked. So I have a javascript-method in the application that sends an ajax-request to a servlet to trigger a function that unlocks this object. But I have to call this method BEFORE the timeout logs the user out.

What is the best practice in this case and how can I be sure the method is performed before the user comes to the login screen again ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150129/c5e8cd37/attachment.html From stian at redhat.com Thu Jan 29 07:00:02 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 29 Jan 2015 07:00:02 -0500 (EST) Subject: [keycloak-user] Keycloak OpenShift Cartridge updated to 1.1.0.Final Message-ID: <1029458686.2941961.1422532802250.JavaMail.zimbra@redhat.com> https://github.com/keycloak/openshift-keycloak-cartridge From prabhalar at yahoo.com Thu Jan 29 11:36:39 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Thu, 29 Jan 2015 11:36:39 -0500 Subject: [keycloak-user] Keycloak 1.1 final issues In-Reply-To: <222648820.2776148.1422515611007.JavaMail.zimbra@redhat.com> References: <537F9477-7D5D-46EC-B599-12B9E8E1E44A@yahoo.com> <222648820.2776148.1422515611007.JavaMail.zimbra@redhat.com> Message-ID: Thanks Stian. Cleared all the temp files and it works now, even in IE browser Sent from my iPhone > On Jan 29, 2015, at 2:13 AM, Stian Thorgersen wrote: > > Try clearing your cache that should work > > ----- Original Message ----- >> From: "Raghu Prabhala" >> To: keycloak-user at lists.jboss.org >> Sent: Wednesday, January 28, 2015 10:27:51 PM >> Subject: [keycloak-user] Keycloak 1.1 final issues >> >> Downloaded and tried 1.1 final today. Something is wrong - the web pages >> refresh every few seconds and they don't show any updates/ inserts made >> previously. >> >> Sent from my iPhone >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From prabhalar at yahoo.com Thu Jan 29 12:44:11 2015 From: prabhalar at yahoo.com (Raghu Prabhala) Date: Thu, 29 Jan 2015 12:44:11 -0500 Subject: [keycloak-user] Keycloak 1.1.0.Final Released In-Reply-To: <282508176.2775455.1422515486824.JavaMail.zimbra@redhat.com> References: <282508176.2775455.1422515486824.JavaMail.zimbra@redhat.com> Message-ID: Congrats Keycloak team. 
A great deal of features in this release - really like SAML and clustering.

But what I am really looking for is the next release as we need all the features you listed - any tentative dates for the beta version?

The functionality provided so far seems to be targeted toward user accounts. When can we expect support for System accounts (with diff auth mechanisms like certificates, Kerberos etc)?

Thanks,
Raghu

Sent from my iPhone

> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
>
> The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final. Highlights in this release include:
>
> * SAML 2.0
> * Clustering
> * Jetty, Tomcat and Fuse adapters
> * HTTP Security Proxy
> * Automatic migration of db schema
>
> We've already started working on features for the next release. Some exciting features coming soon include:
>
> * Identity brokering
> * Custom user profiles
> * Kerberos
> * OpenID Connect interop
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Fri Jan 30 02:10:58 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jan 2015 02:10:58 -0500 (EST)
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To:
References: <282508176.2775455.1422515486824.JavaMail.zimbra@redhat.com>
Message-ID: <808566761.3720687.1422601858175.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Stian Thorgersen"
> Cc: "keycloak dev" , "keycloak-user"
> Sent: Thursday, January 29, 2015 6:44:11 PM
> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
> Congrats Keycloak team. A great deal of features in this release - really
> like SAML and clustering.
>
> But what I am really looking for is the next release as we need all the
> features you listed - any tentative dates for the beta version?

We might do a beta soon, but that'll only include identity brokering.
The other features will be at least a month away.

>
> The functionality provided so far seems to be targeted toward user accounts.
> When can we expect support for System accounts (with diff auth mechanisms
> like certificates, Kerberos etc)?

Some time this year we aim to have system accounts with certificates, it'll depend on priorities. We don't have any plans to support Kerberos authentication with system accounts, but maybe that makes sense to add as well.

>
> Thanks,
> Raghu
>
> Sent from my iPhone
>
> > On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
> >
> > The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final.
> > Highlights in this release include:
> >
> > * SAML 2.0
> > * Clustering
> > * Jetty, Tomcat and Fuse adapters
> > * HTTP Security Proxy
> > * Automatic migration of db schema
> >
> > We've already started working on features for the next release. Some
> > exciting features coming soon include:
> >
> > * Identity brokering
> > * Custom user profiles
> > * Kerberos
> > * OpenID Connect interop
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From panulab at gmail.com Fri Jan 30 02:46:09 2015
From: panulab at gmail.com (Pablo N)
Date: Fri, 30 Jan 2015 08:46:09 +0100
Subject: [keycloak-user] ClassNotFoundException: org.xnio.OptionMap
Message-ID:

Hello,

I was running my web application in Wildfly 8.2 and Keycloak 1.0.4.Final and everything worked as expected.
After updating Keycloak to version 1.1.0.Final (also wildfly adapter version) I get the following error when I try to access my application: 08:32:41,271 ERROR [io.undertow.request] (default task-11) UT005023: Exception handling request to /gui/main/home: java.lang.NoClassDefFo undError: org/xnio/OptionMap at org.keycloak.adapters.undertow.SavedRequest.trySaveRequest(SavedRequest.java:49) [keycloak-undertow-adapter-1.1.0.Final.jar:1.1.0.Fina l] at org.keycloak.adapters.undertow.ServletSessionTokenStore.saveRequest(ServletSessionTokenStore.java:111) [keycloak-undertow-adapter-1.1. 0.Final.jar:1.1.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator$2.challenge(OAuthRequestAuthenticator.java:182) [keycloak-adapter-core-1.1.0.Final.jar :1.1.0.Final] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.sendChallenge(AbstractUndertowKeycloakAuthMech.java:68) [keycloak-unde rtow-adapter-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:330) [undertow-core-1.1.0.Final.jar: 1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:349) [undertow-core-1.1.0.Final.jar: 1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl$ChallengeSender.access$300(SecurityContextImpl.java:314) [undertow-core-1.1.0.Final.jar: 1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl.sendChallenges(SecurityContextImpl.java:135) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:109) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:114) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undert ow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1. 1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1. 0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.ja va:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undert ow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1. 1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [unde rtow-servlet-1.1.0.Final.jar:1.1.0.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1. 
0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-ada pter-1.1.0.Final.jar:1.1.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-ada pter-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.ja r:1.1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1 .1.0.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.F inal] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1 .1.0.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11] Caused by: 
java.lang.ClassNotFoundException: org.xnio.OptionMap from [Module "deployment.gui-web-0.14.0-SNAPSHOT.war:main" from Service M odule Loader] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.3.Final] at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.3.Final] ... 36 more As I can see this error was discovered and solved ( https://issues.jboss.org/browse/KEYCLOAK-899) so I dont know if any migration change is pending from my side. Thank you very much for your help -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150130/c77731e0/attachment-0001.html From stian at redhat.com Fri Jan 30 03:48:37 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 30 Jan 2015 03:48:37 -0500 (EST) Subject: [keycloak-user] IPhone turns off local storage by default and that causes Keycloak.js to fail. In-Reply-To: References: Message-ID: <936442513.3767134.1422607717780.JavaMail.zimbra@redhat.com> Only option would be to disable state verification, which could leave it open to CSRF. ----- Original Message ----- > From: "Dean Peterson" > To: keycloak-user at lists.jboss.org > Sent: Monday, 26 January, 2015 12:34:26 AM > Subject: [keycloak-user] IPhone turns off local storage by default and that causes Keycloak.js to fail. > > IPhones are in private mode by default. When in private mode, they do not > allow localstorage. Any application secured with the pure js keycloak file > fails. 
When I turn private mode off, the application works. Will Keycloak be
> supporting IPhones with the pure javascript client in the future without
> requiring users to turn private mode off?
>
> I get the following error in private mode. The highlighted code is what
> causes the error:
>
> QuotaExceededError: DOM Exception 22: An attempt was made to add something to
> storage that exceeded the quota.
>
> Jessicakc.createLoginUrl = function(options) {
>     var state = createUUID();
>
>     var redirectUri = adapter.redirectUri(options);
>     if (options && options.prompt) {
>         if (redirectUri.indexOf('?') == -1) {
>             redirectUri += '?prompt=' + options.prompt;
>         } else {
>             redirectUri += '&prompt=' + options.prompt;
>         }
>     }
>
>     sessionStorage.oauthState = state;
>
>     var url = getRealmUrl()
>         + '/tokens/login'
>         + '?client_id=' + encodeURIComponent(kc.clientId)
>         + '&redirect_uri=' + encodeURIComponent(redirectUri)
>         + '&state=' + encodeURIComponent(state)
>         + '&response_type=code';
>
>     if (options && options.prompt) {
>         url += '&prompt=' + options.prompt;
>     }
>
>     if (options && options.loginHint) {
>         url += '&login_hint=' + options.loginHint;
>     }
>
>     return url;
> }
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Fri Jan 30 08:18:09 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jan 2015 08:18:09 -0500 (EST)
Subject: [keycloak-user] Best practice: timeouthandling
In-Reply-To: <9656B9D10BC6124A88D5E27DD02422855BC4526C@EX-TT-AC-01.traveltainment.int>
References: <9656B9D10BC6124A88D5E27DD02422855BC4526C@EX-TT-AC-01.traveltainment.int>
Message-ID: <1934902979.3960811.1422623889344.JavaMail.zimbra@redhat.com>

We don't have any events that are fired when a session times out, only if it's logged-out by the user. If I was you I'd implement a timeout on the lock on the server-side.
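
[Added example, not part of the original messages and not Keycloak code: the server-side lock timeout suggested in the reply above, written in Java as a lease that expires by itself. The class names, the five-minute lease and the object id are assumptions; in a servlet the owner would be taken from request.getUserPrincipal().getName(), never from a request parameter.]

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Added example (hypothetical names): edit locks held as leases that expire on
// the server, so a browser that never sends "unlock" cannot block an object.
public class LeaseLockDemo {

    // Who holds the lock and when the lease runs out.
    static final class Lease {
        final String owner;
        final Instant expiresAt;

        Lease(String owner, Instant expiresAt) {
            this.owner = owner;
            this.expiresAt = expiresAt;
        }
    }

    static final class LeaseLockManager {
        private final ConcurrentMap<String, Lease> leases = new ConcurrentHashMap<>();
        private final Duration ttl;
        private final Clock clock;

        LeaseLockManager(Duration ttl, Clock clock) {
            this.ttl = ttl;
            this.clock = clock;
        }

        // Take the lock, or renew it if the caller already holds it. An expired
        // lease counts as free. Returns true when 'owner' holds the lock afterwards.
        boolean acquire(String objectId, String owner) {
            Instant now = clock.instant();
            Lease held = leases.compute(objectId, (id, current) -> {
                boolean free = current == null || !current.expiresAt.isAfter(now);
                if (free || current.owner.equals(owner)) {
                    return new Lease(owner, now.plus(ttl));
                }
                return current; // someone else holds a live lease
            });
            return held.owner.equals(owner);
        }

        // Explicit unlock (save, cancel, logout). Only the holder may release.
        boolean release(String objectId, String owner) {
            Lease current = leases.get(objectId);
            return current != null
                    && current.owner.equals(owner)
                    && leases.remove(objectId, current);
        }
    }

    // Clock that only moves when told to, so the demo needs no sleeping.
    static final class ManualClock extends Clock {
        private Instant now;

        ManualClock(Instant start) { this.now = start; }
        void advance(Duration d) { now = now.plus(d); }
        @Override public ZoneId getZone() { return ZoneOffset.UTC; }
        @Override public Clock withZone(ZoneId zone) { return this; }
        @Override public Instant instant() { return now; }
    }

    public static void main(String[] args) {
        ManualClock clock = new ManualClock(Instant.parse("2015-01-30T12:00:00Z"));
        // Assumption: the lease is shorter than the session idle timeout and the
        // editor page renews it with a periodic request while the user is active.
        LeaseLockManager locks = new LeaseLockManager(Duration.ofMinutes(5), clock);

        System.out.println("support locks doc-42:  " + locks.acquire("doc-42", "support"));
        System.out.println("admin tries doc-42:    " + locks.acquire("doc-42", "admin"));

        clock.advance(Duration.ofMinutes(4));
        System.out.println("support renews:        " + locks.acquire("doc-42", "support"));

        // The session times out: no renewal and no unlock request ever arrives.
        clock.advance(Duration.ofMinutes(6));
        System.out.println("admin after expiry:    " + locks.acquire("doc-42", "admin"));
        System.out.println("stale support release: " + locks.release("doc-42", "support"));
    }
}
```

The servlet that saves the object should call acquire() first and reject the write when it returns false, so an editor whose lease has expired cannot overwrite the new holder's changes.
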
----- Original Message -----
> From: "Christoph Machnik"
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 26 January, 2015 11:04:35 AM
> Subject: [keycloak-user] Best practice: timeouthandling
>
> I have a keycloak web-application in which objects can be created and changed.
> These objects are saved in a database. When someone is logged in to the
> application and opens one of these objects to change it, this object gets
> marked as locked in the database, so no other user can make changes to this
> object while someone else is editing it.
>
> The problem I have is that, when someone is editing one of these objects and
> then runs into a session timeout, the object has to be marked as unlocked. So I
> have a javascript-method in the application that sends an ajax-request to a
> servlet to trigger a function that unlocks this object. But I have to call
> this method BEFORE the timeout logs the user out.
>
> What is the best practice in this case and how can I be sure the method is
> performed before the user comes to the login screen again ?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com Fri Jan 30 08:21:16 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jan 2015 08:21:16 -0500 (EST)
Subject: [keycloak-user] Email verification : failed to turn code into token: java.net.SocketException
In-Reply-To: <54C64590.7030406@jftechnology.com>
References: <54C64590.7030406@jftechnology.com>
Message-ID: <1484435844.3963809.1422624076777.JavaMail.zimbra@redhat.com>

Do you have the same issue without multi-tenancy? Do you have the same issue with just a regular login, or is it just with email verification?

----- Original Message ----- > From: "Stephen Flynn" > To: keycloak-user at lists.jboss.org > Sent: Monday, 26 January, 2015 2:48:00 PM > Subject: [keycloak-user] Email verification : failed to turn code into token: java.net.SocketException > > > Hi guys , > > Struggling with an odd problem here - will try my best to explain. Scenario > is as follows (KC 1.1.Beta2 / Wildfly 8.2.0.Final)... > > > * KeyCloak running on 'host1', app is running on 'host2' (with > multi-tenancy) > * Created a user with credentials. > * Checked that user login/logout/timeout works fine - it does. > * Leave the user logged out. > * From the KeyCloak user interface on host1 I update the user to 'Email > verified' = 'Off' and required user action to 'Verify email' > * On next login attempt app landing page redirects to KeyCloak login page > - as expected . > * After I enter username/password I get the 'EMAIL VERIFICATION' page and > receive an email with a verification link - as expected . > * Following the email link verifies the KC user account (now 'Email > verified' = 'On' and required user actions are empty) - as expected . > * KeyCloak redirects back to the correct app landing page on 'host2' - as > expected . > * User is now authenticated but no principal or roles have been > propagated to the app (principal is 'anonymous'). > * An exception (see below) is logged by the KeyCloak adapter on 'host2' > > > Can't find any similar issues in JIRA/mailing lists - any thoughts ? Or where > I should be looking for more detail to clarify this ? > > > best rgds > > Steve F. 
> > > THIS EXCEPTION IS LOGGED ON THE APP HOST > 2015-01-26 11:00:00,006 ERROR > [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-21) failed > to turn code into token: java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:196) > [rt.jar:1.7.0_51] > at java.net.SocketInputStream.read(SocketInputStream.java:122) > [rt.jar:1.7.0_51] > at sun.security.ssl.InputRecord.readFully(InputRecord.java:442) > [jsse.jar:1.7.0_51] > at sun.security.ssl.InputRecord.read(InputRecord.java:480) > [jsse.jar:1.7.0_51] > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927) > [jsse.jar:1.7.0_51] > at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:884) > [jsse.jar:1.7.0_51] > at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) > [jsse.jar:1.7.0_51] > at > org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:166) > at > org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:90) > at > org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:281) > at > org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:92) > at > org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:62) > at > org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:254) > at > org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:289) > at > org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:252) > at > org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:219) > at > org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:300) > at > org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:127) > at > 
org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:712) > at > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:517) > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) > at > org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:122) > [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2] > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:95) > [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2] > at > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:261) > [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2] > at > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:208) > [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2] > at > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:90) > [keycloak-adapter-core-1.1.0.Beta2.jar:1.1.0.Beta2] > at > org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:93) > [keycloak-undertow-adapter-1.1.0.Beta2.jar:1.1.0.Beta2] > at > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:60) > [keycloak-undertow-adapter-1.1.0.Beta2.jar:1.1.0.Beta2] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) > 
[undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) > 
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) > [keycloak-undertow-adapter-1.1.0.Beta2.jar:1.1.0.Beta2] > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) > [undertow-servlet-1.1.0.Final.jar:1.1.0.Final] > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) > [undertow-core-1.1.0.Final.jar:1.1.0.Final] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > [rt.jar:1.7.0_51] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > [rt.jar:1.7.0_51] > at 
java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
> --
> ===================================================
>
> Stephen Flynn
>
> Director, JF Technology (UK) Ltd
>
> Cell (UK) : +44 7768 003 882
> Phone : +44 20 7833 8346
> IM : xmpp:stephen.flynn at jftechnology.com
> IM : aim:stephen.flynn at jftechnology.com
> Website : http://www.jftechnology.com
> Tech support : support at jftechnology.com
> ===================================================
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From prabhalar at yahoo.com Fri Jan 30 08:44:14 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Fri, 30 Jan 2015 13:44:14 +0000 (UTC)
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To: <808566761.3720687.1422601858175.JavaMail.zimbra@redhat.com>
References: <808566761.3720687.1422601858175.JavaMail.zimbra@redhat.com>
Message-ID: <974226441.1786830.1422625454868.JavaMail.yahoo@mail.yahoo.com>

Great. Looking forward to the 1.2 Beta version.

Regarding the system account support, from my perspective, it is very important because we have thousands of applications that interact with each other using system accounts (authentication with Kerberos with keytabs) and till we have that functionality, we will not be able to consider Keycloak as a SSO solution even though it is coming out to be a good product. The sooner we have it, the better. Hopefully, even other users will pitch in to request that functionality so that you can bump it up in your priority list.

Thanks once again.
Raghu
From: Stian Thorgersen
To: Raghu Prabhala
Cc: keycloak dev ; keycloak-user
Sent: Friday, January 30, 2015 2:10 AM
Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Stian Thorgersen"
> Cc: "keycloak dev" , "keycloak-user"
> Sent: Thursday, January 29, 2015 6:44:11 PM
> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
> Congrats Keycloak team. A great deal of features in this release - really
> like SAML and clustering.
>
> But what I am really looking for is the next release as we need all the
> features you listed -any tentative dates for the beta version?

We might do a beta soon, but that'll only include identity brokering. The other features will be at least a month away.

>
> The functionality provided so far seems to be targeted toward users accounts.
> When can we expect support for System accounts (with diff auth mechanisms
> like certificates, Kerberos etc?

Some time this year we aim to have system accounts with certificates, it'll depend on priorities. We don't have any plans to support Kerberos authentication with system accounts, but maybe that makes sense to add as well.

>
> Thanks,
> Raghu
>
> Sent from my iPhone
>
> > On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
> >
> > The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final.
> > Highlights in this release includes:
> >
> > * SAML 2.0
> > * Clustering
> > * Jetty, Tomcat and Fuse adapters
> > * HTTP Security Proxy
> > * Automatic migration of db schema
> >
> > We're already started working on features for the next release. Some
> > exciting features coming soon includes:
> >
> > * Identity brokering
> > * Custom user profiles
> > * Kerberos
> > * OpenID Connect interop
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150130/23fd41b0/attachment-0001.html

From stian at redhat.com Fri Jan 30 09:01:12 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 30 Jan 2015 09:01:12 -0500 (EST)
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To: <974226441.1786830.1422625454868.JavaMail.yahoo@mail.yahoo.com>
References: <808566761.3720687.1422601858175.JavaMail.zimbra@redhat.com> <974226441.1786830.1422625454868.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1778785947.4002515.1422626472860.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Raghu Prabhala"
> To: "Stian Thorgersen"
> Cc: "keycloak dev" , "keycloak-user"
> Sent: Friday, 30 January, 2015 2:44:14 PM
> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
> Great. Looking forward to the 1.2 Beta version.
> Regarding the system account support, from my perspective, it is very
> important because we have thousands of applications that interact with each
> other using system accounts (authentication with Kerberos with keytabs) and
> till we have that functionality, we will not be able to consider Keycloak as
> a SSO solution even though it is coming out to be a good product. The sooner
> we have it, the better. Hopefully, even other users will pitch in to request
> that functionality so that you can bump it up in your priority list.
> Thanks once again.
> Raghu

For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.

> From: Stian Thorgersen
> To: Raghu Prabhala
> Cc: keycloak dev ; keycloak-user
>
> Sent: Friday, January 30, 2015 2:10 AM
> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>
>
>
> ----- Original Message -----
> > From: "Raghu Prabhala"
> > To: "Stian Thorgersen"
> > Cc: "keycloak dev" , "keycloak-user"
> >
> > Sent: Thursday, January 29, 2015 6:44:11 PM
> > Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
> >
> > Congrats Keycloak team. A great deal of features in this release - really
> > like SAML and clustering.
> >
> > But what I am really looking for is the next release as we need all the
> > features you listed -any tentative dates for the beta version?
>
> We might do a beta soon, but that'll only include identity brokering. The
> other features will be at least a month away.
>
> >
> > The functionality provided so far seems to be targeted toward users
> > accounts.
> > When can we expect support for System accounts (with diff auth mechanisms
> > like certificates, Kerberos etc?
>
> Some time this year we aim to have system accounts with certificates, it'll
> depend on priorities. We don't have any plans to support Kerberos
> authentication with system accounts, but maybe that makes sense to add as
> well.
>
>
>
> >
> > Thanks,
> > Raghu
> >
> > Sent from my iPhone
> >
> > > On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
> > >
> > > The Keycloak team is proud to announce the release of Keycloak
> > > 1.1.0.Final.
> > > Highlights in this release includes:
> > >
> > > * SAML 2.0
> > > * Clustering
> > > * Jetty, Tomcat and Fuse adapters
> > > * HTTP Security Proxy
> > > * Automatic migration of db schema
> > >
> > > We're already started working on features for the next release. Some
> > > exciting features coming soon includes:
> > >
> > > * Identity brokering
> > > * Custom user profiles
> > > * Kerberos
> > > * OpenID Connect interop
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>

From prabhalar at yahoo.com Fri Jan 30 10:52:36 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Fri, 30 Jan 2015 10:52:36 -0500
Subject: [keycloak-user] Keycloak 1.1.0.Final Released
In-Reply-To: <1778785947.4002515.1422626472860.JavaMail.zimbra@redhat.com>
References: <808566761.3720687.1422601858175.JavaMail.zimbra@redhat.com> <974226441.1786830.1422625454868.JavaMail.yahoo@mail.yahoo.com> <1778785947.4002515.1422626472860.JavaMail.zimbra@redhat.com>
Message-ID: <842A02C9-385A-493B-A740-7607E3E798DA@yahoo.com>

Unfortunately yes. Kerberos is deeply ingrained in most of internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos. If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control (need http request) immediately by Keycloak, perhaps I can handle both authentication with key tabs (for system accts) as well as SPNEGO for users

Sent from my iPhone

> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen wrote:
>
>
>
> ----- Original Message -----
>> From: "Raghu Prabhala"
>> To: "Stian Thorgersen"
>> Cc: "keycloak dev" , "keycloak-user"
>> Sent: Friday, 30 January, 2015 2:44:14 PM
>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>
>> Great. Looking forward to the 1.2 Beta version.
>> Regarding the system account support, from my perspective, it is very
>> important because we have thousands of applications that interact with each
>> other using system accounts (authentication with Kerberos with keytabs) and
>> till we have that functionality, we will not be able to consider Keycloak as
>> a SSO solution even though it is coming out to be a good product. The sooner
>> we have it, the better. Hopefully, even other users will pitch in to request
>> that functionality so that you can bump it up in your priority list.
>> Thanks once again.
>> Raghu
>
> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.
>
>> From: Stian Thorgersen
>> To: Raghu Prabhala
>> Cc: keycloak dev ; keycloak-user
>>
>> Sent: Friday, January 30, 2015 2:10 AM
>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>
>>
>>
>> ----- Original Message -----
>>> From: "Raghu Prabhala"
>>> To: "Stian Thorgersen"
>>> Cc: "keycloak dev" , "keycloak-user"
>>>
>>> Sent: Thursday, January 29, 2015 6:44:11 PM
>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released
>>>
>>> Congrats Keycloak team. A great deal of features in this release - really
>>> like SAML and clustering.
>>>
>>> But what I am really looking for is the next release as we need all the
>>> features you listed -any tentative dates for the beta version?
>>
>> We might do a beta soon, but that'll only include identity brokering. The
>> other features will be at least a month away.
>>
>>>
>>> The functionality provided so far seems to be targeted toward users
>>> accounts.
>>> When can we expect support for System accounts (with diff auth mechanisms
>>> like certificates, Kerberos etc?
>>
>> Some time this year we aim to have system accounts with certificates, it'll
>> depend on priorities. We don't have any plans to support Kerberos
>> authentication with system accounts, but maybe that makes sense to add as
>> well.
>>
>>
>>
>>>
>>> Thanks,
>>> Raghu
>>>
>>> Sent from my iPhone
>>>
>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen wrote:
>>>>
>>>> The Keycloak team is proud to announce the release of Keycloak
>>>> 1.1.0.Final.
>>>> Highlights in this release includes:
>>>>
>>>> * SAML 2.0
>>>> * Clustering
>>>> * Jetty, Tomcat and Fuse adapters
>>>> * HTTP Security Proxy
>>>> * Automatic migration of db schema
>>>>
>>>> We're already started working on features for the next release. Some
>>>> exciting features coming soon includes:
>>>>
>>>> * Identity brokering
>>>> * Custom user profiles
>>>> * Kerberos
>>>> * OpenID Connect interop
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>

From stephen.flynn at jftechnology.com Fri Jan 30 12:53:58 2015
From: stephen.flynn at jftechnology.com (Stephen Flynn)
Date: Fri, 30 Jan 2015 17:53:58 +0000
Subject: [keycloak-user] Email verification : failed to turn code into token: java.net.SocketException
In-Reply-To: <1484435844.3963809.1422624076777.JavaMail.zimbra@redhat.com>
References: <54C64590.7030406@jftechnology.com> <1484435844.3963809.1422624076777.JavaMail.zimbra@redhat.com>
Message-ID: <54CBC536.1070505@jftechnology.com>

> Do you have the same issue without multi-tenancy?

Will check this against 1.1.0.Final as soon as I can. For what it is worth the multi-tenancy seems to be working as expected in every other way (hits the right realm, redirects back to the correct landing page, etc).

>
> Do you have the same issue with just a regular login, or is it just with email verification?
Just with email verification - everything else works perfectly (and congrats on 1.1.0.Final BTW - sterling work)

>
> ----- Original Message -----
>> From: "Stephen Flynn"
>> To: keycloak-user at lists.jboss.org
>> Sent: Monday, 26 January, 2015 2:48:00 PM
>> Subject: [keycloak-user] Email verification : failed to turn code into token: java.net.SocketException
>>
>>
>> Hi guys,
>>
>> Struggling with an odd problem here - will try my best to explain. Scenario
>> is as follows (KC 1.1.Beta2 / Wildfly 8.2.0.Final)...
>>
>>
>> * KeyCloak running on 'host1', app is running on 'host2' (with
>> multi-tenancy)
>> * Created a user with credentials.
>> * Checked that user login/logout/timeout works fine - it does.
>> * Leave the user logged out.
>> * From the KeyCloak user interface on host1 I update the user to 'Email
>> verified' = 'Off' and required user action to 'Verify email'
>> * On next login attempt app landing page redirects to KeyCloak login page
>> - as expected.
>> * After I enter username/password I get the 'EMAIL VERIFICATION' page and
>> receive an email with a verification link - as expected.
>> * Following the email link verifies the KC user account (now 'Email
>> verified' = 'On' and required user actions are empty) - as expected.
>> * KeyCloak redirects back to the correct app landing page on 'host2' - as
>> expected.
>> * User is now authenticated but no principal or roles have been
>> propagated to the app (principal is 'anonymous').
>> * An exception (see below) is logged by the KeyCloak adapter on 'host2'
>>
>>
>> Can't find any similar issues in JIRA/mailing lists - any thoughts? Or where
>> I should be looking for more detail to clarify this?
>>
>>
>> best rgds
>>
>> Steve F.
>>
>>
>> THIS EXCEPTION IS LOGGED ON THE APP HOST
>> 2015-01-26 11:00:00,006 ERROR
>> [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-21) failed
>> to turn code into token: java.net.SocketException: Connection reset
>> --
>> ===================================================
>>
>> Stephen Flynn
>>
>> Director, JF Technology (UK) Ltd
>>
>> Cell (UK) : +44 7768 003 882
>> Phone : +44 20 7833 8346
>> IM : xmpp:stephen.flynn at jftechnology.com
>> IM : aim:stephen.flynn at jftechnology.com
>> Website : http://www.jftechnology.com
>> Tech support : support at jftechnology.com
>> ===================================================
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
A non-text attachment was scrubbed...
Name: stephen_flynn.vcf
Type: text/x-vcard
Size: 233 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150130/89613cdd/attachment.vcf

From Mohan.Radhakrishnan at cognizant.com Sat Jan 31 07:42:39 2015
From: Mohan.Radhakrishnan at cognizant.com (Mohan.Radhakrishnan at cognizant.com)
Date: Sat, 31 Jan 2015 12:42:39 +0000
Subject: [keycloak-user] Rest endpoint and AngularJS client
Message-ID:

Hi,

This is my first post. We have a large HealthCare domain Rest application with an AngularJS client. We may require role-based access control of HTML views. We can consult LDAP to get these. But due to some internal reasons we are not going to use OAuth now. It may be a future enhancement.

Are these types of HTML5/JS applications still protected effectively based on roles? I wanted to know before I start reading more about Keycloak because OAuth is not used now.
Thanks,
Mohan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150131/85a064d2/attachment-0001.html

From peterson.dean at gmail.com Sat Jan 31 12:27:11 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 31 Jan 2015 11:27:11 -0600
Subject: [keycloak-user] IPhone turns off local storage by default and that causes Keycloak.js to fail.
In-Reply-To: <936442513.3767134.1422607717780.JavaMail.zimbra@redhat.com>
References: <936442513.3767134.1422607717780.JavaMail.zimbra@redhat.com>
Message-ID:

Do you have a suggested approach to handling this? Prompt the user that they should turn off private browsing on their Iphone?

On Fri, Jan 30, 2015 at 2:48 AM, Stian Thorgersen wrote:

> Only option would be to disable state verification, which could leave it
> open to CSRF.
>
> ----- Original Message -----
> > From: "Dean Peterson"
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 26 January, 2015 12:34:26 AM
> > Subject: [keycloak-user] IPhone turns off local storage by default and that causes Keycloak.js to fail.
> >
> > IPhones are in private mode by default. When in private mode, they do not
> > allow localstorage. Any application secured with the pure js keycloak file
> > fails. When I turn private mode off, the application works. Will Keycloak be
> > supporting IPhones with the pure javascript client in the future without
> > requiring users turn private mode off?
> >
> > I get the following error in private mode. The highlighted code is what
> > causes the error:
> >
> > QuotaExceededError: DOM Exception 22: An attempt was made to add something to
> > storage that exceeded the quota.
> >
> > Jessicakc.createLoginUrl = function(options) {
> >     var state = createUUID();
> >
> >     var redirectUri = adapter.redirectUri(options);
> >     if (options && options.prompt) {
> >         if (redirectUri.indexOf('?') == -1) {
> >             redirectUri += '?prompt=' + options.prompt;
> >         } else {
> >             redirectUri += '&prompt=' + options.prompt;
> >         }
> >     }
> >
> >     sessionStorage.oauthState = state;
> >
> >     var url = getRealmUrl()
> >         + '/tokens/login'
> >         + '?client_id=' + encodeURIComponent(kc.clientId)
> >         + '&redirect_uri=' + encodeURIComponent(redirectUri)
> >         + '&state=' + encodeURIComponent(state)
> >         + '&response_type=code';
> >
> >     if (options && options.prompt) {
> >         url += '&prompt=' + options.prompt;
> >     }
> >
> >     if (options && options.loginHint) {
> >         url += '&login_hint=' + options.loginHint;
> >     }
> >
> >     return url;
> > }
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150131/c40df0c0/attachment.html

From peterson.dean at gmail.com Sat Jan 31 14:28:43 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 31 Jan 2015 13:28:43 -0600
Subject: [keycloak-user] Upgrade To 1.1.0.Final from 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed login
Message-ID:

Going from 1.1.0-Alpha1-SNAPSHOT causes an infinite loop when logging in. First, it successfully transitions to the login page.
When I log in, the application transitions back to the application and keeps calling keycloak.init over and over and over and over again. It keeps pasting codes to the url:
7xZGQ-p-XkXlTLztYtrerDdremPhnnsGzvpaN0uoU.bfb4cecb-9057-4aa8-a7dc-71cfb29f6a6f&state=8789c40c-9324-4efe-a8b4-91b75c9a9a9b&redirect_fragment=%2F&code=mjXyKsLUv0QjOvEaHxcZzi4qxCl9-AU85Er6Vcr_NTM.150d7721-824e-4b78-9738-05c60f30735d&state=252f2fb3-da19-4bb3-830b-412981fb4fdf&redirect_fragment=%2F&code=Ra1OxSO5dcQjNPHEbM9hvdVxykXofegFMw-5AkUdhE0.2af011ad-1dca-4d69-9506-ca8fbbb7ffd1&state=261a384f-2bb2-4d79-939b-69b8a5bff7f8&redirect_fragment=%2F&code=t02uT8YiKQFMcywReLdz19BeB91n7oFb8rpnj9wvzwc.1fbc112d-6743-4fdc-8143-c95b66159fc7&state=28151aa4-ee71-4b77-9cc7-d656289e4d00&redirect_fragment=%2F&code=pARWRhOUM9JjrcAl4vtlVWqJVZL6ADibYMRCR8CcWdY.d6176d98-da15-4d7c-a1d7-2227bce2054b&state=2e8f34cc-b0eb-42b6-a3c0-989e108b80a1&redirect_fragment=%2F&code=-hC0kenzpWz4d2FF_cCAT9BjuhzlQUUO331rnTfuiWc.d056e22e-7483-4f0f-9cea-79df4ef8c688&state=a9d015ce-e2c4-4e09-b512-14dc0fe81c19&redirect_fragment=%2F&code=DnX7JRBGWBAa-faSZhulNvt7sj3jXf4HlxKnunBOeg0.ae6ebd42-08e1-4477-8256-75bf16e4070b&state=50723b38-7e07-41c8-8c77-9ab3e4cdd2f4&redirect_fragment=%2F&code=Hol6EDplp4h3HR1ENbdggxvdC4CRMJ5zgxxRnsq200M.f476b27b-c220-41ce-b859-b47925a69d82&state=63c5603d-9248-41c8-bb06-173e2b1e20e9&redirect_fragment=%2F&code=iCJAEG6GGPoCUyZq3_3BdIRgxpnwFzNp6dKFTT3vmTo.c346dc83-384f-4495-8073-2ae477e32e81&state=dfd35aeb-723e-46b2-9849-7e3e3cdb19e8&redirect_fragment=%2F&code=0URNUCBRpAjttcFyLiX2aUJRKo7eSvE_zqiEn9K_kpg.446bd9f8-17b5-473b-8eb8-7d5bb0ba2f80&state=848f4682-8bc7-4434-880f-cea6e8240b77&redirect_fragment=%2F&code=oR_c11RrLlgsHmcefb-JLB9sMpBjeH7ObsKZivCMWfM.f340f86b-53b7-4c1b-9b95-b8477be159ff&state=52870ca6-db65-487d-b778-42d1c5d3ba73&redirect_fragment=%2F&code=-KQ-zo8wYMc7F2TuOrht3u_6kU5B26q7cYa0n7YVQDM.fff5658e-36b5-4cdc-b1d3-92742c9be7a1&state=8c909ef8-6e87-425a-aa25-ba1025f040a0&redirect_fragment=%2F&code=26EcSny6pVrgLc4EOWGT7x29jxb1lBzqRI5IU-Kvu4E.e0652809-7c3f-42b6-93c8-ca4e37f048be&state=5f1c4251-efc6-4996-ae02-85dd7e6b5d32&redirect_fragment=%2F&code=MuICKR6-kSTPhKy-KboxXKbsAmUsk9SDxD5iUrM
jP5g.87a55f67-3c1b-4c1a-b3eb-51e3b87e36cb&state=124ad77a-a04e-4164-8cc2-9ad9ea62b993&redirect_fragment=%2F&code=74eDb8oSwATL9iBhrGOmlzkIKK1kB5Ukr4zgmatJu-w.562584ef-bf29-41a2-a4e0-06de60f94692&state=aa078c4b-2d19-4d5f-8a30-a2f23e11ebbc&redirect_fragment=%2F&code=TY8B2uTAO5hY1EVYPVn-j2ErmZcQ_mejizmhe4s39FY.e9e00594-7894-4bea-95b2-079d3e6b4bdd&state=13c4a88a-1b35-41c7-b27a-03ba960f0a03&redirect_fragment=%2F&code=YrlKEzdIS6L98o8mOR8EMHJL0hCUEV6KJtXJme7mFjE.8111c1e2-06be-4d7f-a896-d1bbd417c60b&state=ade7e140-0ff0-4022-9876-82cb2d43d584&redirect_fragment=%2F&code=XHsec992KGdkL8kxMyOZNrHOI758kC8P3fPrrJocRso.4251099a-85ee-4214-bded-4c3ee50e096b&state=0277da4d-3bae-4ff7-8c0d-d609fd9da9e6&redirect_fragment=%2F&code=h8itvnj3Og_Qb1tMNAkX-pVggHWWOkreceSnvCMzwY0.6abb9511-8880-4976-af35-8871d0189491&state=93a26fe6-724c-451d-8b15-f0c41df3b208&redirect_fragment=%2F&code=WKbxyUQaA9ayWk7gQYP0qD_10FZiatt1GEyTN2oWlvQ.ca495f09-0702-45f0-863b-81dde847de02&state=9a01fef5-f4cf-4c6f-aeb8-0696d3334052&redirect_fragment=%2F&code=d5hpwnOJgzgVj1pmgveR0pwWrqx1ts_4M6OmTYQ0REM.6fd63fed-ad00-42dc-9b37-93498cc92687&state=077899a4-28b4-4c01-8c22-f4248ed7a329&redirect_fragment=%2F&code=kYNN-4wFSGAE39NWC8azP57SUWaiWK57LLAu-_xeSD8.16e0bfd2-3413-41f9-be4b-1a4509fed5fa&state=01149fda-904d-4d7b-b9a6-d5d9353e99e2&redirect_fragment=%2F&code=nSvx6OyDIWqCxZhbeFAH4xEcNP63Wx8t5nmw17iaUh0.5efb8727-61f7-4410-9d6e-5efde3a06f01&state=df59cb84-caa3-4834-861c-1d09d6366f8a&redirect_fragment=%2F&code=pt2_mNt3XqMWqgMPhoKf8aCdN2I5e_D5rMMXEK5dEv4.31170b8b-4c29-422e-916e-096973e451a1&state=db977cc8-1641-4724-afdb-91e9e8182feb&redirect_fragment=%2F&code=0o0Tz3gnlOGMK2UGw_F0fGfy_RuMpoCLJbWfnhQRRxU.d4490e99-1381-4ff9-a835-dd46ca3fa36d&state=77dae174-18b9-4bf7-848f-aa805f570385&redirect_fragment=%2F&code=Isuf4fy2JZe4opWp9D0Tm5L2DRY2fYUwDwnQCHEKNnc.e071a377-fef1-4aed-a222-563befd32f90&state=9cca93d4-af39-4431-9390-661f9320ccc9&redirect_fragment=%2F&code=dSURtq4wigtgGHh_8lADlw_efDWTMjHM4NRNUJM0OJI.31286972-3ca8-4dce-bf94-22a469e4
33d2&state=95d9486e-c0e3-4c52-96e6-f7908240eda6&redirect_fragment=%2F&code=Sfdp-yRIj2gV8HjAP63thYypNfPBhsz_MBqlljTTS5E.8d7f80d4-05f1-4d94-b86b-6aea78cbcf7a&state=d5d31bba-1766-450a-9655-f94e02f1a961&redirect_fragment=%2F&code=9TQ_NIF2Fo57vJ4pTki4xljoFvlgEQUo2GGS7qJVXL8.003fa4fe-4d83-4d6b-8740-f6d161df5924&state=8e55c62f-54c6-4466-93fc-c7b19bfbc268&redirect_fragment=%2F&code=I376yS5PVONXEHQK4uZGnmRYLENTHh4Q9m7rln8h1jQ.db51d3c3-c7d6-4120-9bec-6ff668dc296e&state=3fef4050-2301-43a4-84af-e66b5772608c&redirect_fragment=%2F&code=zV3VDW3zDjeiF6suaQyfFi6_VkhcwpZruqMd-TM4gFI.357f5f58-edfe-403f-ae9f-a6840692fd80&state=ca4a311a-23ac-495c-830e-c239b59e6fe1&redirect_fragment=%2F&code=H5rua-kyePPnPBwXsWO5YMtO33k2IgAR1bT8d9C7Cdc.6d24e642-f57d-4b6d-9fae-70f1d2a7674e&state=4843d851-8b03-446c-96ab-0f1466f71eb5&redirect_fragment=%2F&code=Vv5ZrxknxKp9qFSgyTFAOx3X2BXWVTnPpFPQ5cdas_s.96269587-fe83-4541-a0a5-9e1187359331&state=fefedfa1-baaf-438d-80e0-ee8a22dbd9f8&redirect_fragment=%2F&code=1UUjSbGWlwkhBl7bKHnevN6aacsWRyPCx6FGaFHzXdA.11766fbb-6dec-4161-a26a-f010a501e299&state=5f40a4cc-148a-44ad-bf18-516b12018a51&redirect_fragment=%2F&code=Jdse-sa4ZdHfUiN6TzF_PJCBfohFR-Gf2V5Dkz-NR6E.f5749ec6-a668-4e4b-b5ca-145a2034c056&state=ca13aa35-682a-4655-84e9-290cb22b022f&redirect_fragment=%2F&code=C-riHUr97rgUoWSJv9eLiSQvY2iaZA_ymnpw1ZwfQIA.ff392a07-b294-4106-a5b6-1e96d3522cb4&state=4cee0bd8-83df-43f6-8ea1-59f7b4502f28&redirect_fragment=%2F&code=iwIslKy__2637mvcAxwBUYquXBIzjQfnJ9s4qZeNlrQ.af57a394-2653-4e93-8af1-f532eaa4c1b9&state=291f1d70-1dc1-4cfe-98ff-c1167dad45a8&redirect_fragment=%2F&code=jyxRPi11qAHDOXyuR-K11FjziPisq-oV51UMVjCuFWA.545d09d0-55b8-4838-ab89-d8b48a891769&state=b439de9b-ee78-4c3e-8dfa-69307972a918#/ I am running an angularjs javascript client running on a separate domain from the wildfly server. Everything was working prior to the "upgrade". -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150131/d296fa61/attachment-0001.html

From prabhalar at yahoo.com Sat Jan 31 18:50:35 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Sat, 31 Jan 2015 23:50:35 +0000 (UTC)
Subject: [keycloak-user] Upgrade To 1.1.0.Final from 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed login
In-Reply-To:
References:
Message-ID: <1273392275.188649.1422748235957.JavaMail.yahoo@mail.yahoo.com>

Dean - Try cleaning your cache. Stian suggested it and it helped me login using both IE and chrome.

Raghu

From: Dean Peterson
To: keycloak-user at lists.jboss.org
Sent: Saturday, January 31, 2015 2:28 PM
Subject: [keycloak-user] Upgrade To 1.1.0.Final from 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed login

Going from 1.1.0-Alpha1-SNAPSHOT causes an infinite loop when logging in. First, it successfully transitions to the login page. When I log in, the application transitions back to the application and keeps calling keycloak.init over and over and over and over again.
It keeps pasting codes to the url:

I am running an angularjs javascript client running on a separate domain from the wildfly server. Everything was working prior to the "upgrade".

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150131/73e62960/attachment-0001.html

From peterson.dean at gmail.com Sat Jan 31 20:34:47 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 31 Jan 2015 19:34:47 -0600
Subject: [keycloak-user] Upgrade To 1.1.0.Final from 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed login
In-Reply-To: <1273392275.188649.1422748235957.JavaMail.yahoo@mail.yahoo.com>
References: <1273392275.188649.1422748235957.JavaMail.yahoo@mail.yahoo.com>
Message-ID:

I did try that but no luck, thanks though. I have reverted back to the old version for now.

On Sat, Jan 31, 2015 at 5:50 PM, Raghu Prabhala wrote:

> Dean - Try cleaning your cache. Stian suggested it and it helped me login
> using both IE and chrome.
>
> Raghu
>
> ------------------------------
> *From:* Dean Peterson
> *To:* keycloak-user at lists.jboss.org
> *Sent:* Saturday, January 31, 2015 2:28 PM
> *Subject:* [keycloak-user] Upgrade To 1.1.0.Final from
> 1.1.0-Alpha1-SNAPSHOT causes Javascript Client infinite loop and failed
> login
>
> Going from 1.1.0-Alpha1-SNAPSHOT causes an infinite loop when logging in.
> First, it successfully transitions to the login page. When I log in, the
> application transitions back to the application and keeps calling
> keycloak.init over and over and over and over again.
> It keeps pasting codes to the url:
>
> I am running an angularjs javascript client running on a separate domain
> from the wildfly server. Everything was working prior to the "upgrade".
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150131/86d1df4e/attachment-0001.html

From prabhalar at yahoo.com Sat Jan 31 21:05:45 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Sun, 1 Feb 2015 02:05:45 +0000 (UTC)
Subject: [keycloak-user] Keycloak Adapters
Message-ID: <1724654062.218718.1422756345516.JavaMail.yahoo@mail.yahoo.com>

Dev team - A philosophical question about the adapters. Rather than building so many adapters for different Java Web containers including different versions, would it make sense to build a single Servlet Filter that would take care of all those cases and even other containers from Oracle/IBM etc?

Raghu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150201/7c26d8d2/attachment.html

From peterson.dean at gmail.com Sat Jan 31 23:00:28 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 31 Jan 2015 22:00:28 -0600
Subject: [keycloak-user] How to get UserRepresentation by subject id
Message-ID:

I remember reading that the correct way to uniquely identify a keycloak user is by the subject id. That is what I associate with objects in my application. I need to get a UserRepresentation using the admin client by that subject id. However, the only option allowed is to use username. Ex. realm.users().get("username"). I need realm.users().get("subjectid"). Is there a way to get UserRepresentation by subject?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150131/2dc82d4b/attachment.html