From stian at redhat.com  Mon Jun  1 02:44:08 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 1 Jun 2015 02:44:08 -0400 (EDT)
Subject: [keycloak-user] Cancel button handling on keycloak login page
In-Reply-To: <CAP2q_vPo4PB9Gh_EHARg3RxSLJcPcEreibas_i7w9iEtuAsy-g@mail.gmail.com>
References: <CAP2q_vPo4PB9Gh_EHARg3RxSLJcPcEreibas_i7w9iEtuAsy-g@mail.gmail.com>
Message-ID: <294612284.9545570.1433141048537.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Roman Usatenko" <roman.usatenko at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Saturday, 30 May, 2015 1:39:33 AM
> Subject: [keycloak-user] Cancel button handling on keycloak login page
> 
> Hello,
> 
> I am trying to implement POC with keycloak as auth* server.
> 
> Here is my set up / use case:
> 
> 
>     * Tomcat server with keycloak adapter
>     * Web app with a URL http://x.y/app/secure protected by a security
>     constraint.
>     * An unauthenticated user goes to the URL and gets redirected by the
>     adapter to the keycloak login page.
>     * The user clicks Cancel button and gets redirected back to the URL with
>     parameters ?error=access_denied&state=1%2Fxxxx
>     * This redirect is intercepted by the adapter and user's browser gets 400
>     error from the adapter. My application never receives the request.
> So my questions are:
> 
> 1. Is this correct description of what's going on or am I missing something?
> 
> 2. If this is the behavior by design wouldn't it be better instead of the 400
> error to redirect user to some themed page on the keycloak server with a
> nice explanation, like "We're sorry, but you cannot access this resource
> without authentication, blablabla "

You can decide how the 400 error page looks like for your application by configuring error pages in web.xml (see for example https://blog.whitehatsec.com/error-handling-in-java-web-xml/)

> 
> Thank you,
> Roman Usatenko.
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com  Mon Jun  1 07:14:02 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 01 Jun 2015 07:14:02 -0400
Subject: [keycloak-user] keycloak Identity broker for Custom
	Authentication
In-Reply-To: <1335464390.1624624.1432986911233.JavaMail.yahoo@mail.yahoo.com>
References: <55693A8B.4060207@redhat.com>
	<1335464390.1624624.1432986911233.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <556C3E7A.1020409@redhat.com>

No docs sorry.  We'll be refactoring our SPIs and deciding which will be 
made public post 1.3

On 5/30/2015 7:55 AM, Raghu Prabhala wrote:
> Thanks Bill. That helps. Now I am able to see the custom identity broker
> in the combobox. But when I choose it, I get a "page not found". It
> appears that I have to create a couple of html pages under the themes to
> display the content and perhaps modify some .js to show that page
> (looking at other identity providers to understand what needs to be
> done). Is there any documentation that outlines what we need to do?
> ------------------------------------------------------------------------
> *From:* Bill Burke <bburke at redhat.com>
> *To:* keycloak-user at lists.jboss.org
> *Sent:* Saturday, May 30, 2015 12:20 AM
> *Subject:* Re: [keycloak-user] keycloak Identity broker for Custom
> Authentication
>
> We haven't really made this SPI public, but you must specif a
> META-IN/services/org...IdentityProviderFactory file within the jar of
> your broker.  You'll see an example file in th eoidc module.
>
>
>
> On 5/29/2015 10:19 PM, Raghu Prabhala wrote:
>  > Hi,
>  >
>  > I am wondering if anyone implemented an Identity Broker for custom
>  > authentication? If so, would appreciate some input on how to achieve
> that?
>  >
>  > I tried implementing one using the existing OIDC broker as the starting
>  > point but the option to select this custom broker doesn't appear in the
>  > GUI. So my question is, what changes must be made in the GUI to make the
>  > custom broker visible? Appreciate any pointers
>  >
>  > Thanks,
>  > Raghu
>
>  >
>  >
>  > _______________________________________________
>  > keycloak-user mailing list
>  > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>  > https://lists.jboss.org/mailman/listinfo/keycloak-user
>  >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com <http://bill.burkecentral.com/>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From vainnkiitta at gmail.com  Mon Jun  1 08:44:43 2015
From: vainnkiitta at gmail.com (John)
Date: Mon, 1 Jun 2015 18:14:43 +0530
Subject: [keycloak-user] Not able to forward to error page.
Message-ID: <CAKfisZf96KtLVoKwvL7=PkK5gxmfjrc6Xdssm3YcaJ8X2JGTMg@mail.gmail.com>

I am trying to integarte keycloak authentication for securing my application.
My server and client has different error status code mapping.

In case of accessToken expires keycloak sends 401 directly to client
where I have mapped token expiration to status code 5401.

I do not wish to change this mapping as code is already in production phase.

I found very helpful way to handle this situaltion by providing
error-page in my server web.xml as

<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>winterfell</realm-name>
<form-login-config>
<form-error-page>/error</form-error-page>
</form-login-config>
</login-config>

But somehow I am not able to get this error page.

Can someone please suggest correct way of doing this.

Note : Following way didn't worked for me
<error-page>
<error-code>404</error-code>
<location>/error</location>
</error-page>



-TR
John

From srossillo at smartling.com  Mon Jun  1 09:44:22 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 1 Jun 2015 09:44:22 -0400
Subject: [keycloak-user] Update user when "Email as username" enabled
In-Reply-To: <926AA9D1-A94B-48D1-8B20-FF9681CB6325@smartling.com>
References: <926AA9D1-A94B-48D1-8B20-FF9681CB6325@smartling.com>
Message-ID: <6B6C8DB3-5643-402F-AB14-2DAFED93B056@smartling.com>

Any advice here? Do I have to delete and re-create the user? I?d really rather not do that. Seems there should be a way to update the username.

Thanks in advance,
Scott


> On May 29, 2015, at 4:53 PM, Scott Rossillo <srossillo at smartling.com> wrote:
> 
> If I?m using email as username, I can update the email address on a user via the admin API, but the username doesn?t update even when explicitly setting a new username. This is true in the KC admin console as well.
> 
> How do I update the username to match the new email address?
> 
> Thanks,
> Scott
> 



From Henk.Laracker at planonsoftware.com  Mon Jun  1 15:06:55 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Mon, 1 Jun 2015 21:06:55 +0200
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <554376F2.3090805@redhat.com>
References: <5542BA2B.2010608@redhat.com>
	<1970499048.89811.1430443394466.JavaMail.yahoo@mail.yahoo.com>
	<55437613.3030501@redhat.com> <554376F2.3090805@redhat.com>
Message-ID: <D19279AD.1D8A8%henk.laracker@planonsoftware.com>

Hi Bill,

Can you please help me out how I have to make a mapping so that I can
remove the prefix. 

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s
cordialement,

Henk Laracker




On 01/05/15 14:52, "Bill Burke" <bburke at redhat.com> wrote:

>I'll add a username mapper.
>
>On 5/1/2015 8:48 AM, Bill Burke wrote:
>> You can map the SAML/OIDC assertion/token that is sent to your
>> applications however you want.
>>
>> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>>> Bill - That would be an issue for us as we cannot manipulate the values
>>> (especially username) sent by an external IDP which is the
>>>authoritative
>>> source of user information. We will have to figure out another way,
>>> perhaps, an internal KC user attribute that can be made unique to
>>> prevent name clashes.
>>>
>>> Thanks,
>>> Raghu
>>> 
>>>------------------------------------------------------------------------
>>> *From:* Bill Burke <bburke at redhat.com>
>>> *To:* Henk Laracker <Henk.Laracker at planonsoftware.com>;
>>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>>> *Sent:* Thursday, April 30, 2015 7:26 PM
>>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>>
>>> Right now, the username is prefixed with the broker name.  THis is to
>>> avoid name clashes if you are brokering multiple IDPS (i.e. multiple
>>> social providers).
>>>
>>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>>>   > Hi Bill,
>>>   >
>>>   > Thank you this worked out! I user is created with my name
>>>   > saml.henk.laracker at p <mailto:saml.henk.laracker at p>***n.nl , do you
>>> have any idee why the ?saml? prefix
>>>   > is added?
>>>   >
>>>   >
>>>   > Henk
>>>   >
>>>   > On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com
>>> <mailto:bburke at redhat.com>> wrote:
>>>   >
>>>   >> Ok, I was able to get this to work.  The problem was I had to set
>>>a
>>>   >> "profile" for the connected app on Salesforce.  I added a "System
>>>   >> Adminstrator" profile to the Connected App and it worked.
>>>   >>
>>>   >> I'm not sure how to upload a app certificate yet.  Not sure what
>>>format
>>>   >> Salesforce is looking for.
>>>   >>
>>>   >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>>   >>> I set up a salesforce example and looked at the login response
>>>SAML
>>>   >>> document.  Looks like no assertion data is being sent back at
>>>all by
>>>   >>> salesforce.
>>>   >>>
>>>   >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>   >>>> i have no idea.  Basically this error is stating that the login
>>>   >>>> response
>>>   >>>> saml document has no assertions within it.  If there are no
>>> assertions,
>>>   >>>> then there has been no identity data sent.
>>>   >>>>
>>>   >>>> I'm looking now, but can you send me a link on how to set up
>>> Salesforce
>>>   >>>> as an IDP?  Is one able to set up a free account and such?
>>>   >>>>
>>>   >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>   >>>>> Hi Bill,
>>>   >>>>>
>>>   >>>>> I don?t know why I missed that, thanks! Salesforce respons
>>>know with
>>>   >>>>> the
>>>   >>>>> correct login page. After logging in in Salesforce, I?m
>>>redirected to
>>>   >>>>> keycloak again with a internal error:
>>>   >>>>>
>>>   >>>>> Caused by:
>>>org.keycloak.broker.provider.IdentityBrokerException:
>>>   >>>>> Could not
>>>   >>>>> process response from SAML identity provider.
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>   >>>>> ndpo
>>>   >>>>> int.java:299)
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEn
>>>   >>>>> dpoi
>>>   >>>>> nt.java:343)
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java
>>>   >>>>> :169
>>>   >>>>> )
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117
>>>   >>>>> )
>>>   >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>>Method)
>>>   >>>>> [rt.jar:1.8.0_45]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.ja
>>>   >>>>> va:6
>>>   >>>>> 2) [rt.jar:1.8.0_45]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccesso
>>>   >>>>> rImp
>>>   >>>>> l.java:43) [rt.jar:1.8.0_45]
>>>   >>>>>     at java.lang.reflect.Method.invoke(Method.java:497)
>>> [rt.jar:1.8.0_45]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.ja
>>>   >>>>> va:1
>>>   >>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMe
>>>   >>>>> thod
>>>   >>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvo
>>>   >>>>> ker.
>>>   >>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>   >>>>> ourc
>>>   >>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>   >>>>> voke
>>>   >>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>   >>>>> ourc
>>>   >>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>   >>>>> voke
>>>   >>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatc
>>>   >>>>> her.
>>>   >>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>   >>>>>     ... 39 more
>>>   >>>>> Caused by:
>>>org.keycloak.broker.provider.IdentityBrokerException: No
>>>   >>>>> assertion from response.
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint
>>>   >>>>> .jav
>>>   >>>>> a:309)
>>>   >>>>>     at
>>>   >>>>>
>>>   >>>>>
>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>   >>>>> ndpo
>>>   >>>>> int.java:264)
>>>   >>>>>     ... 54 more
>>>   >>>>>
>>>   >>>>> Any idea?
>>>   >>>>>
>>>   >>>>> Henk
>>>   >>>>>
>>>   >>>>>
>>>   >>>>>
>>>   >>>>>
>>>   >>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com
>>> <mailto:bburke at redhat.com>> wrote:
>>>   >>>>>
>>>   >>>>>> You want to chain keycloak server to Salesforce?
>>>   >>>>>>
>>>   >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that
>>>points to
>>>   >>>>>> Salesforce, you;ll see after you create it, an Export button.
>>> Click
>>>   >>>>>> that.  That will create an entity descriptor with all the
>>> information
>>>   >>>>>> you need.
>>>   >>>>>>
>>>   >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>   >>>>>>> Hi,
>>>   >>>>>>>
>>>   >>>>>>> I like to use Salesforce as Identity Provider, the metadata
>>>   >>>>>>> provided by
>>>   >>>>>>> salesforce can be imported.
>>>   >>>>>>> But I need to specify the Service Provider in salesforce, I
>>>have to
>>>   >>>>>>> fill
>>>   >>>>>>> in a couple of fields, but two of them I don?t understand
>>>(and are
>>>   >>>>>>> mandatory). Does someone have any clue
>>>   >>>>>>>
>>>   >>>>>>>      1. entity id , remark of salesforce : get this value
>>>from your
>>>   >>>>>>>        serviceprovider
>>>   >>>>>>>      2. ACS URL, remark of slaesforce : The assertion
>>>consumer
>>>   >>>>>>> service. Get
>>>   >>>>>>>        this value from your service provider.
>>>   >>>>>>>
>>>   >>>>>>> I have tried a lot of values but every-time I click the saml
>>>button
>>>   >>>>>>> on
>>>   >>>>>>> my app, it redirects to salesforce but I get a page with the
>>> error :
>>>   >>>>>>> Error: Unable to resolve request into a Service Provider
>>>   >>>>>>>
>>>   >>>>>>> Henk
>>>   >>>>>>>
>>>   >>>>>>>
>>>   >>>>>>> _______________________________________________
>>>   >>>>>>> keycloak-user mailing list
>>>   >>>>>>> keycloak-user at lists.jboss.org
>>> <mailto:keycloak-user at lists.jboss.org>
>>>   >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>   >>>>>>>
>>>   >>>>>>
>>>   >>>>>> --
>>>   >>>>>> Bill Burke
>>>   >>>>>> JBoss, a division of Red Hat
>>>   >>>>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>
>>>
>>>
>>>   >>>>>> _______________________________________________
>>>   >>>>>> keycloak-user mailing list
>>>   >>>>>> keycloak-user at lists.jboss.org
>>><mailto:keycloak-user at lists.jboss.org>
>>>   >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>   >>>>>
>>>   >>>>
>>>   >>>
>>>   >>
>>>   >> --
>>>   >> Bill Burke
>>>   >> JBoss, a division of Red Hat
>>>   >> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>   >> _______________________________________________
>>>   >> keycloak-user mailing list
>>>   >> keycloak-user at lists.jboss.org
>>><mailto:keycloak-user at lists.jboss.org>
>>>   >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>   >
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>
>-- 
>Bill Burke
>JBoss, a division of Red Hat
>http://bill.burkecentral.com
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user



From bburke at redhat.com  Mon Jun  1 15:31:55 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 01 Jun 2015 15:31:55 -0400
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <D19279AD.1D8A8%henk.laracker@planonsoftware.com>
References: <5542BA2B.2010608@redhat.com>
	<1970499048.89811.1430443394466.JavaMail.yahoo@mail.yahoo.com>
	<55437613.3030501@redhat.com> <554376F2.3090805@redhat.com>
	<D19279AD.1D8A8%henk.laracker@planonsoftware.com>
Message-ID: <556CB32B.3010406@redhat.com>

Its in master, will be in next release.

On 6/1/2015 3:06 PM, Henk Laracker wrote:
> Hi Bill,
>
> Can you please help me out how I have to make a mapping so that I can
> remove the prefix.
>
> Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s
> cordialement,
>
> Henk Laracker
>
>
>
>
> On 01/05/15 14:52, "Bill Burke" <bburke at redhat.com> wrote:
>
>> I'll add a username mapper.
>>
>> On 5/1/2015 8:48 AM, Bill Burke wrote:
>>> You can map the SAML/OIDC assertion/token that is sent to your
>>> applications however you want.
>>>
>>> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>>>> Bill - That would be an issue for us as we cannot manipulate the values
>>>> (especially username) sent by an external IDP which is the
>>>> authoritative
>>>> source of user information. We will have to figure out another way,
>>>> perhaps, an internal KC user attribute that can be made unique to
>>>> prevent name clashes.
>>>>
>>>> Thanks,
>>>> Raghu
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Bill Burke <bburke at redhat.com>
>>>> *To:* Henk Laracker <Henk.Laracker at planonsoftware.com>;
>>>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>>>> *Sent:* Thursday, April 30, 2015 7:26 PM
>>>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>>>
>>>> Right now, the username is prefixed with the broker name.  THis is to
>>>> avoid name clashes if you are brokering multiple IDPS (i.e. multiple
>>>> social providers).
>>>>
>>>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>>>>    > Hi Bill,
>>>>    >
>>>>    > Thank you this worked out! I user is created with my name
>>>>    > saml.henk.laracker at p <mailto:saml.henk.laracker at p>***n.nl , do you
>>>> have any idee why the ?saml? prefix
>>>>    > is added?
>>>>    >
>>>>    >
>>>>    > Henk
>>>>    >
>>>>    > On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com
>>>> <mailto:bburke at redhat.com>> wrote:
>>>>    >
>>>>    >> Ok, I was able to get this to work.  The problem was I had to set
>>>> a
>>>>    >> "profile" for the connected app on Salesforce.  I added a "System
>>>>    >> Adminstrator" profile to the Connected App and it worked.
>>>>    >>
>>>>    >> I'm not sure how to upload a app certificate yet.  Not sure what
>>>> format
>>>>    >> Salesforce is looking for.
>>>>    >>
>>>>    >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>>>    >>> I set up a salesforce example and looked at the login response
>>>> SAML
>>>>    >>> document.  Looks like no assertion data is being sent back at
>>>> all by
>>>>    >>> salesforce.
>>>>    >>>
>>>>    >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>>    >>>> i have no idea.  Basically this error is stating that the login
>>>>    >>>> response
>>>>    >>>> saml document has no assertions within it.  If there are no
>>>> assertions,
>>>>    >>>> then there has been no identity data sent.
>>>>    >>>>
>>>>    >>>> I'm looking now, but can you send me a link on how to set up
>>>> Salesforce
>>>>    >>>> as an IDP?  Is one able to set up a free account and such?
>>>>    >>>>
>>>>    >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>    >>>>> Hi Bill,
>>>>    >>>>>
>>>>    >>>>> I don?t know why I missed that, thanks! Salesforce respons
>>>> know with
>>>>    >>>>> the
>>>>    >>>>> correct login page. After logging in in Salesforce, I?m
>>>> redirected to
>>>>    >>>>> keycloak again with a internal error:
>>>>    >>>>>
>>>>    >>>>> Caused by:
>>>> org.keycloak.broker.provider.IdentityBrokerException:
>>>>    >>>>> Could not
>>>>    >>>>> process response from SAML identity provider.
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>>    >>>>> ndpo
>>>>    >>>>> int.java:299)
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEn
>>>>    >>>>> dpoi
>>>>    >>>>> nt.java:343)
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java
>>>>    >>>>> :169
>>>>    >>>>> )
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117
>>>>    >>>>> )
>>>>    >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>>> Method)
>>>>    >>>>> [rt.jar:1.8.0_45]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.ja
>>>>    >>>>> va:6
>>>>    >>>>> 2) [rt.jar:1.8.0_45]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccesso
>>>>    >>>>> rImp
>>>>    >>>>> l.java:43) [rt.jar:1.8.0_45]
>>>>    >>>>>     at java.lang.reflect.Method.invoke(Method.java:497)
>>>> [rt.jar:1.8.0_45]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.ja
>>>>    >>>>> va:1
>>>>    >>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMe
>>>>    >>>>> thod
>>>>    >>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvo
>>>>    >>>>> ker.
>>>>    >>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>>    >>>>> ourc
>>>>    >>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>>    >>>>> voke
>>>>    >>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Res
>>>>    >>>>> ourc
>>>>    >>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorIn
>>>>    >>>>> voke
>>>>    >>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatc
>>>>    >>>>> her.
>>>>    >>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>    >>>>>     ... 39 more
>>>>    >>>>> Caused by:
>>>> org.keycloak.broker.provider.IdentityBrokerException: No
>>>>    >>>>> assertion from response.
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint
>>>>    >>>>> .jav
>>>>    >>>>> a:309)
>>>>    >>>>>     at
>>>>    >>>>>
>>>>    >>>>>
>>>> org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLE
>>>>    >>>>> ndpo
>>>>    >>>>> int.java:264)
>>>>    >>>>>     ... 54 more
>>>>    >>>>>
>>>>    >>>>> Any idea?
>>>>    >>>>>
>>>>    >>>>> Henk
>>>>    >>>>>
>>>>    >>>>>
>>>>    >>>>>
>>>>    >>>>>
>>>>    >>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com
>>>> <mailto:bburke at redhat.com>> wrote:
>>>>    >>>>>
>>>>    >>>>>> You want to chain keycloak server to Salesforce?
>>>>    >>>>>>
>>>>    >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that
>>>> points to
>>>>    >>>>>> Salesforce, you;ll see after you create it, an Export button.
>>>> Click
>>>>    >>>>>> that.  That will create an entity descriptor with all the
>>>> information
>>>>    >>>>>> you need.
>>>>    >>>>>>
>>>>    >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>    >>>>>>> Hi,
>>>>    >>>>>>>
>>>>    >>>>>>> I like to use Salesforce as Identity Provider, the metadata
>>>>    >>>>>>> provided by
>>>>    >>>>>>> salesforce can be imported.
>>>>    >>>>>>> But I need to specify the Service Provider in salesforce, I
>>>> have to
>>>>    >>>>>>> fill
>>>>    >>>>>>> in a couple of fields, but two of them I don?t understand
>>>> (and are
>>>>    >>>>>>> mandatory). Does someone have any clue
>>>>    >>>>>>>
>>>>    >>>>>>>      1. entity id , remark of salesforce : get this value
>>> >from your
>>>>    >>>>>>>        serviceprovider
>>>>    >>>>>>>      2. ACS URL, remark of slaesforce : The assertion
>>>> consumer
>>>>    >>>>>>> service. Get
>>>>    >>>>>>>        this value from your service provider.
>>>>    >>>>>>>
>>>>    >>>>>>> I have tried a lot of values but every-time I click the saml
>>>> button
>>>>    >>>>>>> on
>>>>    >>>>>>> my app, it redirects to salesforce but I get a page with the
>>>> error :
>>>>    >>>>>>> Error: Unable to resolve request into a Service Provider
>>>>    >>>>>>>
>>>>    >>>>>>> Henk
>>>>    >>>>>>>
>>>>    >>>>>>>
>>>>    >>>>>>> _______________________________________________
>>>>    >>>>>>> keycloak-user mailing list
>>>>    >>>>>>> keycloak-user at lists.jboss.org
>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>    >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>    >>>>>>>
>>>>    >>>>>>
>>>>    >>>>>> --
>>>>    >>>>>> Bill Burke
>>>>    >>>>>> JBoss, a division of Red Hat
>>>>    >>>>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>>
>>>>
>>>>
>>>>    >>>>>> _______________________________________________
>>>>    >>>>>> keycloak-user mailing list
>>>>    >>>>>> keycloak-user at lists.jboss.org
>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>    >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>    >>>>>
>>>>    >>>>
>>>>    >>>
>>>>    >>
>>>>    >> --
>>>>    >> Bill Burke
>>>>    >> JBoss, a division of Red Hat
>>>>    >> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>>    >> _______________________________________________
>>>>    >> keycloak-user mailing list
>>>>    >> keycloak-user at lists.jboss.org
>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>    >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>    >
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Henk.Laracker at planonsoftware.com  Mon Jun  1 17:09:06 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Mon, 1 Jun 2015 23:09:06 +0200
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <556CB32B.3010406@redhat.com>
References: <5542BA2B.2010608@redhat.com>
	<1970499048.89811.1430443394466.JavaMail.yahoo@mail.yahoo.com>
	<55437613.3030501@redhat.com> <554376F2.3090805@redhat.com>
	<D19279AD.1D8A8%henk.laracker@planonsoftware.com>
	<556CB32B.3010406@redhat.com>
Message-ID: <D192957B.1D8B6%henk.laracker@planonsoftware.com>

Hi Bill,

I use the tomcat wrapper, with a saml 2.0 Identity provider configured in
keycloak. I added the "principal-attribute": ?preferred_username? to the
json file. I?m just a starter in SAML, Mappers etc, is there no other way
to get the original email adres? Because I have no influence on the unique
identifier in the application, and this value is shown in the gui, which
doesn?t look nice with the prefix.

If there is no possibility, can you tell me what to patch to 1.2, to make
my own build.  

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s
cordialement,

Henk Laracker


On 01/06/15 21:31, "Bill Burke" <bburke at redhat.com> wrote:

>Its in master, will be in next release.
>
>On 6/1/2015 3:06 PM, Henk Laracker wrote:
>> Hi Bill,
>>
>> Can you please help me out how I have to make a mapping so that I can
>> remove the prefix.
>>
>> Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en /
>>Tr?s
>> cordialement,
>>
>> Henk Laracker
>>
>>
>>
>>
>> On 01/05/15 14:52, "Bill Burke" <bburke at redhat.com> wrote:
>>
>>> I'll add a username mapper.
>>>
>>> On 5/1/2015 8:48 AM, Bill Burke wrote:
>>>> You can map the SAML/OIDC assertion/token that is sent to your
>>>> applications however you want.
>>>>
>>>> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>>>>> Bill - That would be an issue for us as we cannot manipulate the
>>>>>values
>>>>> (especially username) sent by an external IDP which is the
>>>>> authoritative
>>>>> source of user information. We will have to figure out another way,
>>>>> perhaps, an internal KC user attribute that can be made unique to
>>>>> prevent name clashes.
>>>>>
>>>>> Thanks,
>>>>> Raghu
>>>>>
>>>>> 
>>>>>----------------------------------------------------------------------
>>>>>--
>>>>> *From:* Bill Burke <bburke at redhat.com>
>>>>> *To:* Henk Laracker <Henk.Laracker at planonsoftware.com>;
>>>>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>>>>> *Sent:* Thursday, April 30, 2015 7:26 PM
>>>>> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>>>>>
>>>>> Right now, the username is prefixed with the broker name.  THis is to
>>>>> avoid name clashes if you are brokering multiple IDPS (i.e. multiple
>>>>> social providers).
>>>>>
>>>>> On 4/30/2015 2:51 PM, Henk Laracker wrote:
>>>>>    > Hi Bill,
>>>>>    >
>>>>>    > Thank you this worked out! I user is created with my name
>>>>>    > saml.henk.laracker at p <mailto:saml.henk.laracker at p>***n.nl , do
>>>>>you
>>>>> have any idee why the ?saml? prefix
>>>>>    > is added?
>>>>>    >
>>>>>    >
>>>>>    > Henk
>>>>>    >
>>>>>    > On 30/04/15 18:44, "Bill Burke" <bburke at redhat.com
>>>>> <mailto:bburke at redhat.com>> wrote:
>>>>>    >
>>>>>    >> Ok, I was able to get this to work.  The problem was I had to
>>>>>set
>>>>> a
>>>>>    >> "profile" for the connected app on Salesforce.  I added a
>>>>>"System
>>>>>    >> Adminstrator" profile to the Connected App and it worked.
>>>>>    >>
>>>>>    >> I'm not sure how to upload a app certificate yet.  Not sure
>>>>>what
>>>>> format
>>>>>    >> Salesforce is looking for.
>>>>>    >>
>>>>>    >> On 4/30/2015 11:39 AM, Bill Burke wrote:
>>>>>    >>> I set up a salesforce example and looked at the login response
>>>>> SAML
>>>>>    >>> document.  Looks like no assertion data is being sent back at
>>>>> all by
>>>>>    >>> salesforce.
>>>>>    >>>
>>>>>    >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>>>    >>>> i have no idea.  Basically this error is stating that the
>>>>>login
>>>>>    >>>> response
>>>>>    >>>> saml document has no assertions within it.  If there are no
>>>>> assertions,
>>>>>    >>>> then there has been no identity data sent.
>>>>>    >>>>
>>>>>    >>>> I'm looking now, but can you send me a link on how to set up
>>>>> Salesforce
>>>>>    >>>> as an IDP?  Is one able to set up a free account and such?
>>>>>    >>>>
>>>>>    >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>>    >>>>> Hi Bill,
>>>>>    >>>>>
>>>>>    >>>>> I don?t know why I missed that, thanks! Salesforce respons
>>>>> know with
>>>>>    >>>>> the
>>>>>    >>>>> correct login page. After logging in in Salesforce, I?m
>>>>> redirected to
>>>>>    >>>>> keycloak again with a internal error:
>>>>>    >>>>>
>>>>>    >>>>> Caused by:
>>>>> org.keycloak.broker.provider.IdentityBrokerException:
>>>>>    >>>>> Could not
>>>>>    >>>>> process response from SAML identity provider.
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAML
>>>>>E
>>>>>    >>>>> ndpo
>>>>>    >>>>> int.java:299)
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLE
>>>>>n
>>>>>    >>>>> dpoi
>>>>>    >>>>> nt.java:343)
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.jav
>>>>>a
>>>>>    >>>>> :169
>>>>>    >>>>> )
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:11
>>>>>7
>>>>>    >>>>> )
>>>>>    >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>>>> Method)
>>>>>    >>>>> [rt.jar:1.8.0_45]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
>>>>>a
>>>>>    >>>>> va:6
>>>>>    >>>>> 2) [rt.jar:1.8.0_45]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess
>>>>>o
>>>>>    >>>>> rImp
>>>>>    >>>>> l.java:43) [rt.jar:1.8.0_45]
>>>>>    >>>>>     at java.lang.reflect.Method.invoke(Method.java:497)
>>>>> [rt.jar:1.8.0_45]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.j
>>>>>a
>>>>>    >>>>> va:1
>>>>>    >>>>> 37) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceM
>>>>>e
>>>>>    >>>>> thod
>>>>>    >>>>> Invoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInv
>>>>>o
>>>>>    >>>>> ker.
>>>>>    >>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Re
>>>>>s
>>>>>    >>>>> ourc
>>>>>    >>>>> eLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorI
>>>>>n
>>>>>    >>>>> voke
>>>>>    >>>>> r.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Re
>>>>>s
>>>>>    >>>>> ourc
>>>>>    >>>>> eLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorI
>>>>>n
>>>>>    >>>>> voke
>>>>>    >>>>> r.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispat
>>>>>c
>>>>>    >>>>> her.
>>>>>    >>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>>    >>>>>     ... 39 more
>>>>>    >>>>> Caused by:
>>>>> org.keycloak.broker.provider.IdentityBrokerException: No
>>>>>    >>>>> assertion from response.
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoin
>>>>>t
>>>>>    >>>>> .jav
>>>>>    >>>>> a:309)
>>>>>    >>>>>     at
>>>>>    >>>>>
>>>>>    >>>>>
>>>>> 
>>>>>org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAML
>>>>>E
>>>>>    >>>>> ndpo
>>>>>    >>>>> int.java:264)
>>>>>    >>>>>     ... 54 more
>>>>>    >>>>>
>>>>>    >>>>> Any idea?
>>>>>    >>>>>
>>>>>    >>>>> Henk
>>>>>    >>>>>
>>>>>    >>>>>
>>>>>    >>>>>
>>>>>    >>>>>
>>>>>    >>>>> On 30/04/15 14:31, "Bill Burke" <bburke at redhat.com
>>>>> <mailto:bburke at redhat.com>> wrote:
>>>>>    >>>>>
>>>>>    >>>>>> You want to chain keycloak server to Salesforce?
>>>>>    >>>>>>
>>>>>    >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that
>>>>> points to
>>>>>    >>>>>> Salesforce, you;ll see after you create it, an Export
>>>>>button.
>>>>> Click
>>>>>    >>>>>> that.  That will create an entity descriptor with all the
>>>>> information
>>>>>    >>>>>> you need.
>>>>>    >>>>>>
>>>>>    >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>    >>>>>>> Hi,
>>>>>    >>>>>>>
>>>>>    >>>>>>> I like to use Salesforce as Identity Provider, the
>>>>>metadata
>>>>>    >>>>>>> provided by
>>>>>    >>>>>>> salesforce can be imported.
>>>>>    >>>>>>> But I need to specify the Service Provider in salesforce,
>>>>>I
>>>>> have to
>>>>>    >>>>>>> fill
>>>>>    >>>>>>> in a couple of fields, but two of them I don?t understand
>>>>> (and are
>>>>>    >>>>>>> mandatory). Does someone have any clue
>>>>>    >>>>>>>
>>>>>    >>>>>>>      1. entity id , remark of salesforce : get this value
>>>> >from your
>>>>>    >>>>>>>        serviceprovider
>>>>>    >>>>>>>      2. ACS URL, remark of slaesforce : The assertion
>>>>> consumer
>>>>>    >>>>>>> service. Get
>>>>>    >>>>>>>        this value from your service provider.
>>>>>    >>>>>>>
>>>>>    >>>>>>> I have tried a lot of values but every-time I click the
>>>>>saml
>>>>> button
>>>>>    >>>>>>> on
>>>>>    >>>>>>> my app, it redirects to salesforce but I get a page with
>>>>>the
>>>>> error :
>>>>>    >>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>    >>>>>>>
>>>>>    >>>>>>> Henk
>>>>>    >>>>>>>
>>>>>    >>>>>>>
>>>>>    >>>>>>> _______________________________________________
>>>>>    >>>>>>> keycloak-user mailing list
>>>>>    >>>>>>> keycloak-user at lists.jboss.org
>>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>>    >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>    >>>>>>>
>>>>>    >>>>>>
>>>>>    >>>>>> --
>>>>>    >>>>>> Bill Burke
>>>>>    >>>>>> JBoss, a division of Red Hat
>>>>>    >>>>>> http://bill.burkecentral.com
>>>>><http://bill.burkecentral.com/>
>>>>>
>>>>>
>>>>>
>>>>>    >>>>>> _______________________________________________
>>>>>    >>>>>> keycloak-user mailing list
>>>>>    >>>>>> keycloak-user at lists.jboss.org
>>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>>    >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>    >>>>>
>>>>>    >>>>
>>>>>    >>>
>>>>>    >>
>>>>>    >> --
>>>>>    >> Bill Burke
>>>>>    >> JBoss, a division of Red Hat
>>>>>    >> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>>>    >> _______________________________________________
>>>>>    >> keycloak-user mailing list
>>>>>    >> keycloak-user at lists.jboss.org
>>>>> <mailto:keycloak-user at lists.jboss.org>
>>>>>    >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>    >
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com <http://bill.burkecentral.com/>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>-- 
>Bill Burke
>JBoss, a division of Red Hat
>http://bill.burkecentral.com



From juandiego83 at gmail.com  Mon Jun  1 19:56:10 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Mon, 1 Jun 2015 18:56:10 -0500
Subject: [keycloak-user] keycloak with angular/restfull
Message-ID: <CAJGEj6dOmcc9A4P08sRBm6R78gC4FR8=3VBkhZ+HV00=nStrnQ@mail.gmail.com>

Hi

I am doing an app with angularjs with keycloak.  There a few things that I
dont know how to do it, I have being seing the videos and reading
documentation so I have 2 questions.


Regarding the model of the database, how am I supposed to link Users to
Tables.   How do you recommend to work on the model, I am kind of cluless
there.
For example before I had a table User and a Table Pictures. Now my users
are in the KeyCloak database, how are you supposed to handle tables that
would have been linked to a user.
My second question is about my front and backend.  I am just allowing my
users to upload pictures it is a small app.  I am doing the front end with
AngularJS so it is basically html+javascript, and the backend handles the
services.  Should I create a client in my KeyCloak for the frontend and
another for the backend. It seems to my that I should create a  client only
for the backend , and the front end needs to validate against that.

Thanks

Juan Diego Calle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150601/9a701ca5/attachment.html 

From stian at redhat.com  Tue Jun  2 02:59:30 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 2 Jun 2015 02:59:30 -0400 (EDT)
Subject: [keycloak-user] keycloak with angular/restfull
In-Reply-To: <CAJGEj6dOmcc9A4P08sRBm6R78gC4FR8=3VBkhZ+HV00=nStrnQ@mail.gmail.com>
References: <CAJGEj6dOmcc9A4P08sRBm6R78gC4FR8=3VBkhZ+HV00=nStrnQ@mail.gmail.com>
Message-ID: <1471386871.10276203.1433228370629.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Juan Diego" <juandiego83 at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 2 June, 2015 1:56:10 AM
> Subject: [keycloak-user] keycloak with angular/restfull
> 
> Hi
> 
> I am doing an app with angularjs with keycloak. There a few things that I
> dont know how to do it, I have being seing the videos and reading
> documentation so I have 2 questions.
> 
> 
> Regarding the model of the database, how am I supposed to link Users to
> Tables. How do you recommend to work on the model, I am kind of cluless
> there.
> For example before I had a table User and a Table Pictures. Now my users are
> in the KeyCloak database, how are you supposed to handle tables that would
> have been linked to a user.

Depending on your use-case I'd recommend storing the details you need about users in your apps database as well. You can do this when the user logs in and sync the profile from the token into your users table and link it with the user id. 

> My second question is about my front and backend. I am just allowing my users
> to upload pictures it is a small app. I am doing the front end with
> AngularJS so it is basically html+javascript, and the backend handles the
> services. Should I create a client in my KeyCloak for the frontend and
> another for the backend. It seems to my that I should create a client only
> for the backend , and the front end needs to validate against that.

Both - angularjs app needs a public client and is the one that drives the login (by using keycloak.js). The backend should be a bearer-only client and only verifies the tokens.

> 
> Thanks
> 
> Juan Diego Calle
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com  Tue Jun  2 04:17:08 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 02 Jun 2015 10:17:08 +0200
Subject: [keycloak-user] Not able to forward to error page.
In-Reply-To: <CAKfisZf96KtLVoKwvL7=PkK5gxmfjrc6Xdssm3YcaJ8X2JGTMg@mail.gmail.com>
References: <CAKfisZf96KtLVoKwvL7=PkK5gxmfjrc6Xdssm3YcaJ8X2JGTMg@mail.gmail.com>
Message-ID: <556D6684.6050900@redhat.com>

On 1.6.2015 14:44, John wrote:
> I am trying to integarte keycloak authentication for securing my application.
> My server and client has different error status code mapping.
>
> In case of accessToken expires keycloak sends 401 directly to client
> where I have mapped token expiration to status code 5401.
>
> I do not wish to change this mapping as code is already in production phase.
>
> I found very helpful way to handle this situaltion by providing
> error-page in my server web.xml as
>
> <login-config>
> <auth-method>KEYCLOAK</auth-method>
> <realm-name>winterfell</realm-name>
> <form-login-config>
> <form-error-page>/error</form-error-page>
> </form-login-config>
> </login-config>
>
> But somehow I am not able to get this error page.
>
> Can someone please suggest correct way of doing this.
>
> Note : Following way didn't worked for me
> <error-page>
> <error-code>404</error-code>
> <location>/error</location>
> </error-page>
Will it work if you use status 401 instead of 404?

Marek
>
>
>
> -TR
> John
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From niko at n-k.de  Tue Jun  2 04:18:44 2015
From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=)
Date: Tue, 2 Jun 2015 10:18:44 +0200
Subject: [keycloak-user] Update user when "Email as username" enabled
In-Reply-To: <6B6C8DB3-5643-402F-AB14-2DAFED93B056@smartling.com>
References: <926AA9D1-A94B-48D1-8B20-FF9681CB6325@smartling.com>
	<6B6C8DB3-5643-402F-AB14-2DAFED93B056@smartling.com>
Message-ID: <E9B06CD1-760A-4FAE-9EFB-FF5916FE1281@n-k.de>

Hi Scott,

fyi:
I?m currently working on https://issues.jboss.org/browse/KEYCLOAK-1305 <https://issues.jboss.org/browse/KEYCLOAK-1305>

- Niko



> Am 01.06.2015 um 15:44 schrieb Scott Rossillo <srossillo at smartling.com>:
> 
> Any advice here? Do I have to delete and re-create the user? I?d really rather not do that. Seems there should be a way to update the username.
> 
> Thanks in advance,
> Scott
> 
> 
>> On May 29, 2015, at 4:53 PM, Scott Rossillo <srossillo at smartling.com> wrote:
>> 
>> If I?m using email as username, I can update the email address on a user via the admin API, but the username doesn?t update even when explicitly setting a new username. This is true in the KC admin console as well.
>> 
>> How do I update the username to match the new email address?
>> 
>> Thanks,
>> Scott
>> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/b712dc12/attachment.html 

From Nishi.Kant at csr.com  Tue Jun  2 04:36:00 2015
From: Nishi.Kant at csr.com (Nishi Kant)
Date: Tue, 2 Jun 2015 08:36:00 +0000
Subject: [keycloak-user] Single app, multiple realm
Message-ID: <59A15DB8B7B84F47BF5678A6F4AB0BB5AEEB9850@banasiexm01.ASIA.ROOT.PRI>

Hi,

I'm new to keycloak, have tried few samples only.

I have a requirement where, a single application/client is used with  multiple realm. Users belonging to different organization (realm) uses same app to login, realm information is passed in URL. I want keycloak to authenticate the users against the specified realm.  Samples I have seen, takes the realm information from keycloak.json file, here I have requirement for dynamically provided the realm information and redirecting to keycloak server for authentication.

Any pointer will be really useful.

Thanks,
Nishi


Member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom
More information can be found at www.csr.com. Keep up to date with CSR on our technical blog, www.csr.com/blog, CSR people blog, www.csr.com/people, YouTube, www.youtube.com/user/CSRplc, Facebook, www.facebook.com/pages/CSR/191038434253534, or follow us on Twitter at www.twitter.com/CSR_plc.
You can now access the wide range of products powered by aptX at www.aptx.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/33a445a5/attachment.html 

From stian at redhat.com  Tue Jun  2 04:47:58 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 2 Jun 2015 04:47:58 -0400 (EDT)
Subject: [keycloak-user] Single app, multiple realm
In-Reply-To: <59A15DB8B7B84F47BF5678A6F4AB0BB5AEEB9850@banasiexm01.ASIA.ROOT.PRI>
References: <59A15DB8B7B84F47BF5678A6F4AB0BB5AEEB9850@banasiexm01.ASIA.ROOT.PRI>
Message-ID: <847297706.10320698.1433234878785.JavaMail.zimbra@redhat.com>

Check out the multi-tenancy example

----- Original Message -----
> From: "Nishi Kant" <Nishi.Kant at csr.com>
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 2 June, 2015 10:36:00 AM
> Subject: [keycloak-user] Single app, multiple realm
> 
> 
> 
> Hi,
> 
> 
> 
> I?m new to keycloak, have tried few samples only.
> 
> 
> 
> I have a requirement where, a single application/client is used with multiple
> realm. Users belonging to different organization (realm) uses same app to
> login, realm information is passed in URL. I want keycloak to authenticate
> the users against the specified realm. Samples I have seen, takes the realm
> information from keycloak.json file, here I have requirement for dynamically
> provided the realm information and redirecting to keycloak server for
> authentication.
> 
> 
> 
> Any pointer will be really useful.
> 
> 
> 
> Thanks,
> 
> Nishi
> 
> 
> Member of the CSR plc group of companies. CSR plc registered in England and
> Wales, registered number 4187346, registered office Churchill House,
> Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom
> More information can be found at www.csr.com . Keep up to date with CSR on
> our technical blog or CSR people blog , YouTube , Facebook or follow us on
> Twitter at twitter.com/CSR_plc .
> You can now access the wide range of products powered by aptX .
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From fadiabdeen at gmail.com  Tue Jun  2 07:06:22 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Tue, 2 Jun 2015 07:06:22 -0400
Subject: [keycloak-user] iss
Message-ID: <CABXXV0SYCUp=ZLRWpBPtp91dtO2hsJTG-E+-7z1B_Omfpnat9g@mail.gmail.com>

Does anyone know how to control the "iss":  value in the token ?

Seems there is a problem , in the last version it was the realm name i.e
"test" .. but now the full uri http:://server.8080/auth/realms/test and
this is causing a problem for me
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/ac495cc9/attachment-0001.html 

From stian at redhat.com  Tue Jun  2 07:39:46 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 2 Jun 2015 07:39:46 -0400 (EDT)
Subject: [keycloak-user] iss
In-Reply-To: <CABXXV0SYCUp=ZLRWpBPtp91dtO2hsJTG-E+-7z1B_Omfpnat9g@mail.gmail.com>
References: <CABXXV0SYCUp=ZLRWpBPtp91dtO2hsJTG-E+-7z1B_Omfpnat9g@mail.gmail.com>
Message-ID: <1378184402.10384925.1433245186502.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Fadi Abdin" <fadiabdeen at gmail.com>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Tuesday, 2 June, 2015 1:06:22 PM
> Subject: [keycloak-user] iss
> 
> Does anyone know how to control the "iss": value in the token ?
> 
> Seems there is a problem , in the last version it was the realm name i.e
> "test" .. but now the full uri http:://server.8080/auth/realms/test and this
> is causing a problem for me

It should be full uri according to openid connect spec

> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Henk.Laracker at planonsoftware.com  Tue Jun  2 07:40:58 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Tue, 2 Jun 2015 13:40:58 +0200
Subject: [keycloak-user] SAML2  Identity provider Mappers
Message-ID: <D19362EA.1D8EB%henk.laracker@planonsoftware.com>

Hi,

We have created a salesforce SAML2 identity provider, a part of the response xml from salesforce is added below.
Next to this we configured a tomcat with a json file with argument : "principal-attribute": ?preferred_username?

When we do nothing more we get the NameID with the prefix in Tomcat as the logged in user.
We like to map the SAML Attribute Name=?email? to the ?preferred_username?

How do we do this?

<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">henk.laracker at p*n.nl</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="ID_e44eedb6-2f93-4c7e-aecd-90f355e3cbc3"
                                              NotOnOrAfter="2015-06-02T08:12:07.080Z"
                                              Recipient="https://fr-authtest.planoncloud.com/auth/realms/ciwwa-test/broker/salesforce/endpoint"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2015-06-02T08:06:37.080Z"
                         NotOnOrAfter="2015-06-02T08:12:07.080Z"
                         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://fr-authtest.planoncloud.com/auth/realms/ciwwa-test</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2015-06-02T08:07:07.080Z"
                             xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:Attribute Name="userId"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >005b0000000jBgI</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="username"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >henk.laracker at p*n.nl</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >henk.laracker at c*e.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="is_portal_user"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:anyType"
                                     >false</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s cordialement,
Henk Laracker

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/cff73ffd/attachment.html 

From giriraj.sharma27 at gmail.com  Tue Jun  2 07:46:35 2015
From: giriraj.sharma27 at gmail.com (Giriraj Sharma)
Date: Tue, 2 Jun 2015 17:16:35 +0530
Subject: [keycloak-user] iss
In-Reply-To: <1378184402.10384925.1433245186502.JavaMail.zimbra@redhat.com>
References: <CABXXV0SYCUp=ZLRWpBPtp91dtO2hsJTG-E+-7z1B_Omfpnat9g@mail.gmail.com>
	<1378184402.10384925.1433245186502.JavaMail.zimbra@redhat.com>
Message-ID: <CAB5vuUx8737gyWnQpEP4Px=56C2AnykQ4_zvonKv-XD+3aiRsQ@mail.gmail.com>

The "iss" field is one of the Claim used within the ID Token for all OAuth
2.0 flows used by OpenID Connect:

iss : REQUIRED. Issuer Identifier for the Issuer of the response. The iss value
is a case sensitive URL using the https scheme that contains scheme, host,
and optionally, port number and path components and no query or fragment
components.

http://openid.net/specs/openid-connect-core-1_0.html#IDToken


On Tue, Jun 2, 2015 at 5:09 PM, Stian Thorgersen <stian at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Fadi Abdin" <fadiabdeen at gmail.com>
> > To: "keycloak-user" <keycloak-user at lists.jboss.org>
> > Sent: Tuesday, 2 June, 2015 1:06:22 PM
> > Subject: [keycloak-user] iss
> >
> > Does anyone know how to control the "iss": value in the token ?
> >
> > Seems there is a problem , in the last version it was the realm name i.e
> > "test" .. but now the full uri http:://server.8080/auth/realms/test and
> this
> > is causing a problem for me
>
> It should be full uri according to openid connect spec
>
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 

Giriraj Sharma
about.me/girirajsharma
<http://about.me/girirajsharma?promo=email_sig>
 Giriraj Sharma,
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India 177005
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/34cd1d1a/attachment-0001.html 

From chenkeong.yap at izeno.com  Tue Jun  2 09:42:32 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 2 Jun 2015 21:42:32 +0800
Subject: [keycloak-user] Keycloak integration for php app
Message-ID: <CAC2UnuVoAoG3DEkfkOzF=UDb+divAxh+Y7bVeGFMc5pSEDkHSw@mail.gmail.com>

Hi,

Pease share how php app can be secured using keycloak saml protocol?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/555b3802/attachment.html 

From chenkeong.yap at izeno.com  Tue Jun  2 10:07:31 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Tue, 2 Jun 2015 22:07:31 +0800
Subject: [keycloak-user] Keycloak
Message-ID: <CAC2UnuV_p2CpdSjHPJYD2E-vBc01J8Xgn+K6JON9uCBJki9G5Q@mail.gmail.com>

Hi,

please share your ideas.

1) i have 1 app is secured using PL SP Filter. Once login successful, there
is a session created in keycloak idp and we called it as sp session and app
http session is created too. Is the app http session is stored in keycloak
db?

2) when global logout is performed, it will call admin url for all the apps
to do application logout. So the question is we need the app http session.
Is it stored in memory or keycloak db?

3) we have requirement to hard kill the sp session and the app http session
if is active for more than 24 hours. Do you think is better to implement in
keycloak idp as servlet or from PL SP filter?

4) we need to implement session fixation. Which means 1 client ip is
binding to 1 jsessionid and the other client ip cannot make http request
using this jsessionid
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/6360f3fb/attachment.html 

From orestis.tsakiridis at telestax.com  Tue Jun  2 13:53:02 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 2 Jun 2015 20:53:02 +0300
Subject: [keycloak-user] Client's REST api returns blank after switching
	keycloak to HTTPS
Message-ID: <CABjN76902fKhDuwdd+Y6ezwfeUReLoKHOwVTYkNB0fjwX=MbcA@mail.gmail.com>

Hello,

I had a working setup of a Java web application running on machine A
secured by keycloak  on machine B (login.restcomm.com).  The application
running on A provides a REST api is used from the UI. The application also
contains a UI (angular) that accesses the REST api. login.restcomm.com is
the keycloak running on docker and resolves to 172.17.42.1 (overriden in
/etc/hosts). I'm using keycloak 1.2.0.Final. Both the UI and the REST api
have been secured and the application worked fine with "ssl-required" ->
"external".

I switched keycloak configuration to HTTPS (using "all") and i'm experience
the following:

Login seems to work fine. When trying to access the UI i'm redirected to
https://login.restcomm.com, i login and back to the UI. BUT, the request to
A's services though succesfull (200 OK) return blank content. As if the
adapter get in the way and overrides the response. I'm also getting the
following message in A's log:

12:21:55,083 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(http-/192.168.1.39:8080-4) adminRequest
http://192.168.1.39:8080/restcomm-rvd/api/projects
12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator]
(http-/192.168.1.39:8080-4) SSL is required to authenticate

http://192.168.1.39:8080/restcomm-rvd/api/projects is the endpoint that is
supposed to return a block of JSON.

The same happens when trying to access the endpoint directly using an
independent REST client. I get back a 200 OK and the same message appears
in the log but there is no content in the response.

Keep in mind that HTTPS is only enabled for accessing keycloak. The web
application still runs on HTTP. Is this supported?

I have also made various experiments in keycloak.json (for the REST api)
starting from this:

{
  "realm": "restcomm",
  "realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "bearer-only": true,
  "auth-server-url": "https://login.restcomm.com/auth",
  "ssl-required": "all",
  "disable-trust-manager": true,
  "resource": "restcomm-rvd",
  "enable-cors": true
}

down to this:

{
  "realm": "restcomm",
  "realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "bearer-only": true,
  "auth-server-url": "https://login.restcomm.com/auth",
  "ssl-required": "all",
  "allow-any-hostname":true,
  "disable-trust-manager": false,
  "truststore": "/tmp/trusted_keycloak.jks",
  "truststore-password" : "password",
  "resource": "restcomm-rvd"
}


Any pointers will be great help.

Thanks in advance

Orestis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150602/4dfc1c02/attachment.html 

From stian at redhat.com  Wed Jun  3 02:38:27 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 3 Jun 2015 02:38:27 -0400 (EDT)
Subject: [keycloak-user] Keycloak integration for php app
In-Reply-To: <CAC2UnuVoAoG3DEkfkOzF=UDb+divAxh+Y7bVeGFMc5pSEDkHSw@mail.gmail.com>
References: <CAC2UnuVoAoG3DEkfkOzF=UDb+divAxh+Y7bVeGFMc5pSEDkHSw@mail.gmail.com>
Message-ID: <589833457.10908050.1433313507084.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Chen Keong Yap" <chenkeong.yap at izeno.com>
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 2 June, 2015 3:42:32 PM
> Subject: [keycloak-user] Keycloak integration for php app
> 
> 
> 
> Hi,
> 
> Pease share how php app can be secured using keycloak saml protocol?

Our priority is first OpenID Connect, and we still don't have that for PHP.

I'd recommend looking for a generic SAML SP library for PHP. With Keycloak you can also combine the protocols and have some apps use SAML and others OpenID Connect. So if you can't find one for SAML there are ones for OpenID Connect

> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pubudupg at gmail.com  Wed Jun  3 06:02:00 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Wed, 3 Jun 2015 15:32:00 +0530
Subject: [keycloak-user] Keycloak integration for php app
In-Reply-To: <CAC2UnuVoAoG3DEkfkOzF=UDb+divAxh+Y7bVeGFMc5pSEDkHSw@mail.gmail.com>
References: <CAC2UnuVoAoG3DEkfkOzF=UDb+divAxh+Y7bVeGFMc5pSEDkHSw@mail.gmail.com>
Message-ID: <CAFqgz0hkdJNeZVsQC1yWmMg41T-QwFw8yogU6bZRmz1MRMe=Hg@mail.gmail.com>

I have successfully used keycloak with simplesamlphp[1]. At [2] you
can see how to configure a service provider using simplesamlphp. At
[3] you can find the configuration that you have to do form keycloak.


[1]https://simplesamlphp.org/
[2]https://simplesamlphp.org/docs/stable/simplesamlphp-sp
[3]http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1760

On Tue, Jun 2, 2015 at 7:12 PM, Chen Keong Yap <chenkeong.yap at izeno.com> wrote:
> Hi,
>
> Pease share how php app can be secured using keycloak saml protocol?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Thanks,
Pubudu

From fadiabdeen at gmail.com  Wed Jun  3 09:37:55 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Wed, 3 Jun 2015 09:37:55 -0400
Subject: [keycloak-user] Deprecated APIs
Message-ID: <CABXXV0QuJ2uVNFGVg91Dk4-QwNRnMesry4kmNKXbK-_2LnA2EQ@mail.gmail.com>

Hello,

I have been using below APIs and when i looked at the logs it says
" Invoking deprecated endpoint .."

/auth/realms/test/tokens/login
/auth/realms/test/tokens/access/codes


What are the new APIs ? is there documentation ?

Thanks,
Fadi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150603/3fbcf752/attachment.html 

From stian at redhat.com  Wed Jun  3 09:44:31 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 3 Jun 2015 09:44:31 -0400 (EDT)
Subject: [keycloak-user] Deprecated APIs
In-Reply-To: <CABXXV0QuJ2uVNFGVg91Dk4-QwNRnMesry4kmNKXbK-_2LnA2EQ@mail.gmail.com>
References: <CABXXV0QuJ2uVNFGVg91Dk4-QwNRnMesry4kmNKXbK-_2LnA2EQ@mail.gmail.com>
Message-ID: <772688121.11305720.1433339071613.JavaMail.zimbra@redhat.com>

http://keycloak.github.io/docs/userguide/html/Migration_from_older_versions.html#d4e3147

----- Original Message -----
> From: "Fadi Abdin" <fadiabdeen at gmail.com>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Wednesday, 3 June, 2015 3:37:55 PM
> Subject: [keycloak-user] Deprecated APIs
> 
> Hello,
> 
> I have been using below APIs and when i looked at the logs it says " Invoking
> deprecated endpoint .."
> 
> /auth/realms/test/tokens/login
> /auth/realms/test/tokens/access/codes
> 
> 
> What are the new APIs ? is there documentation ?
> 
> Thanks,
> Fadi
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From juandiego83 at gmail.com  Wed Jun  3 13:40:48 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Wed, 3 Jun 2015 12:40:48 -0500
Subject: [keycloak-user] Calling a method after log
Message-ID: <CAJGEj6cZYHHQFK3JBvSyF7SO3uA1fhn7wz8_t0jfxKLHjk+ujQ@mail.gmail.com>

Hi
I am doing a portal with angularJS and the backend with java, and it seems
to be working with the basics.
I am having trouble figuring out a way to do the following:
I have a table user with info like username, email and userid, avatar, etc,
and I want to update that table with the user info if it is the first time
they log in.

The only way I can think to do this is to create a controller and set it on
all my pages so it looks if the user is already in the database, but it
seems like it will try to do that all the time, which doesnt seems
practical.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150603/874bd2cc/attachment-0001.html 

From mposolda at redhat.com  Wed Jun  3 17:14:31 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 03 Jun 2015 23:14:31 +0200
Subject: [keycloak-user] Calling a method after log
In-Reply-To: <CAJGEj6cZYHHQFK3JBvSyF7SO3uA1fhn7wz8_t0jfxKLHjk+ujQ@mail.gmail.com>
References: <CAJGEj6cZYHHQFK3JBvSyF7SO3uA1fhn7wz8_t0jfxKLHjk+ujQ@mail.gmail.com>
Message-ID: <556F6E37.9060909@redhat.com>

I think there are more ways to do something like this. One way can be 
doing Angular HTTP interceptor at your application side. Another 
possibility can be handle this on Keycloak side and create Event 
listener, which will listen for LOGIN event and then check your DB (See 
our provider's example and especially 
examples/providers/event-listener-sysout for the inspiration).

Not sure which possibility is better for you, I am not sure I correctly 
understand your use-case well.

Marek

On 3.6.2015 19:40, Juan Diego wrote:
> Hi
> I am doing a portal with angularJS and the backend with java, and it 
> seems to be working with the basics.
> I am having trouble figuring out a way to do the following:
> I have a table user with info like username, email and userid, avatar, 
> etc, and I want to update that table with the user info if it is the 
> first time they log in.
>
> The only way I can think to do this is to create a controller and set 
> it on all my pages so it looks if the user is already in the database, 
> but it seems like it will try to do that all the time, which doesnt 
> seems practical.
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150603/3aa545dd/attachment.html 

From carlosthe19916 at gmail.com  Wed Jun  3 17:28:58 2015
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Wed, 3 Jun 2015 16:28:58 -0500
Subject: [keycloak-user] Keycloak SecurityDomain is removed?
Message-ID: <CAAdSQ6gerXan-F79SWnfqStUS9sUxuQ4Q18JnB1x2mxUnmdNFg@mail.gmail.com>

Hello, i have a applicationn on *keycloak-1.1.0.Final*. The keycloak had

<security-domain name="keycloak">
                    <authentication>
                        <login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
                    </authentication>
</security-domain>

and i my classes was anotation as:

*@Stateless*
*@SecurityDomain("keycloak")*

When i migrate to *keycloak-1.2.0.Final* i have an exception on deploy, and
i can't see the *security domain keycloak* on standalone.xml

the annotation @SecurityDomain("keycloak") is no more need on
keycloak-1.2.0.Final?

-- 
Carlos E. Feria Vila
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150603/0d1b9abf/attachment.html 

From arjit.agrawal.07 at gmail.com  Wed Jun  3 23:49:08 2015
From: arjit.agrawal.07 at gmail.com (Arjit Agrawal)
Date: Thu, 4 Jun 2015 09:19:08 +0530
Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer only
	application
Message-ID: <CAKxi64V+XRdmw3PDTQ4dY4xGDZcM1WV6dH0ikUx4w-=_C7=LPw@mail.gmail.com>

Hi,

I have a new application - 'testapi' under a new realm - 'testrealm'. This
application is to be used as  an API. Its an *bearer only application*.

I have also made an *OAuth Client* to access this service.

I am using *iOS AeroGear* plugin in my project to connect to API service
with all the required creditionals like clientId, roles etc.

Version of Keycloak - *1.0-beta3*.
Version of Jboss - *JBoss AS 7.1.1*

Its hosted on *Amazon AWS*. (I tried the same in my local environment it
was working but when i have done the same on Amazon server, i am getting
this issue.)


Thanks for any help on this one.

Regards,
Arjit Agrawal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/d8760524/attachment.html 

From kalinga at leapset.com  Wed Jun  3 23:55:26 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Thu, 4 Jun 2015 09:25:26 +0530 (IST)
Subject: [keycloak-user] Distinguish between Existing user login and new
	registration
Message-ID: <1433390126.77812807@apps.rackspace.com>


 
Hi guys,
 
Is there an easy to way to distinguish between  a JWT token received after a brand new user registration or an existing user login?
Basically in my use case the client will be given the responsibility to update roles if its a brand new user registration or deny access if its an existing user. Is there an easy way to distinguish between the two.
 
Thanks.
 
Kalinga
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/f91e5cd0/attachment.html 

From pubudupg at gmail.com  Thu Jun  4 07:44:38 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Thu, 4 Jun 2015 17:14:38 +0530
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
Message-ID: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>

Hi All,

I am trying to use the OneLogin php-saml library[1] as a service
provider that uses keycloak as a SAML identity provider. The
"RelayState" parameter is sent properly form the SP to the IDP but in
the response, the forward slashes are missing from the RelayState.
For example in the post parameters of the authentication request, the
RelayState shows "http://phpsaml/demo1/" but in the response from
keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
library to throw exceptions. I'm using keycloak 1.2.0.Final.

How can I overcome this problem?


[1]https://github.com/onelogin/php-saml

-- 
Thanks,
Pubudu

From pubudupg at gmail.com  Thu Jun  4 08:13:53 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Thu, 4 Jun 2015 17:43:53 +0530
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
Message-ID: <CAFqgz0gKuvJws+VuDsR-AX4qcWx3d3p-wjRmqoiXzRVJui9s3Q@mail.gmail.com>

After debugging found a possible cause for this. In line 305 of
SAML2BindingBuilder2 there is code as following

escapeAttribute(relayState)

which removes the forward slashes from the url. So I guess this is a bug?

On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
> Hi All,
>
> I am trying to use the OneLogin php-saml library[1] as a service
> provider that uses keycloak as a SAML identity provider. The
> "RelayState" parameter is sent properly form the SP to the IDP but in
> the response, the forward slashes are missing from the RelayState.
> For example in the post parameters of the authentication request, the
> RelayState shows "http://phpsaml/demo1/" but in the response from
> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>
> How can I overcome this problem?
>
>
> [1]https://github.com/onelogin/php-saml
>
> --
> Thanks,
> Pubudu



-- 
Thanks,
Pubudu

From chenkeong.yap at izeno.com  Thu Jun  4 08:29:15 2015
From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com)
Date: Thu, 4 Jun 2015 20:29:15 +0800
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <CAFqgz0gKuvJws+VuDsR-AX4qcWx3d3p-wjRmqoiXzRVJui9s3Q@mail.gmail.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
	<CAFqgz0gKuvJws+VuDsR-AX4qcWx3d3p-wjRmqoiXzRVJui9s3Q@mail.gmail.com>
Message-ID: <8067D077-7764-421F-B032-57E2539F3E44@izeno.com>

hi,

can i know what is the error you received from keycloak? is it invalid requester?

Regards,
CK Yap

> On 4 Jun 2015, at 8:13 pm, pubudu gunawardena <pubudupg at gmail.com> wrote:
> 
> After debugging found a possible cause for this. In line 305 of
> SAML2BindingBuilder2 there is code as following
> 
> escapeAttribute(relayState)
> 
> which removes the forward slashes from the url. So I guess this is a bug?
> 
>> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>> Hi All,
>> 
>> I am trying to use the OneLogin php-saml library[1] as a service
>> provider that uses keycloak as a SAML identity provider. The
>> "RelayState" parameter is sent properly form the SP to the IDP but in
>> the response, the forward slashes are missing from the RelayState.
>> For example in the post parameters of the authentication request, the
>> RelayState shows "http://phpsaml/demo1/" but in the response from
>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>> 
>> How can I overcome this problem?
>> 
>> 
>> [1]https://github.com/onelogin/php-saml
>> 
>> --
>> Thanks,
>> Pubudu
> 
> 
> 
> -- 
> Thanks,
> Pubudu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From stian at redhat.com  Thu Jun  4 08:32:14 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 4 Jun 2015 08:32:14 -0400 (EDT)
Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer
 only	application
In-Reply-To: <CAKxi64V+XRdmw3PDTQ4dY4xGDZcM1WV6dH0ikUx4w-=_C7=LPw@mail.gmail.com>
References: <CAKxi64V+XRdmw3PDTQ4dY4xGDZcM1WV6dH0ikUx4w-=_C7=LPw@mail.gmail.com>
Message-ID: <1736491496.12047414.1433421134929.JavaMail.zimbra@redhat.com>

We'll need much more info here. How have you secured the app? Is it a WAR? Do you require any roles for the resource you're invoking? Are you sending a bearer token with the request? How do you get the request? Does the user have the required roles? Does the client have the required scope?

----- Original Message -----
> From: "Arjit Agrawal" <arjit.agrawal.07 at gmail.com>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, 4 June, 2015 5:49:08 AM
> Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer only	application
> 
> Hi,
> 
> I have a new application - 'testapi' under a new realm - 'testrealm'. This
> application is to be used as an API. Its an bearer only application .
> 
> I have also made an OAuth Client to access this service.
> 
> I am using iOS AeroGear plugin in my project to connect to API service with
> all the required creditionals like clientId, roles etc.
> 
> Version of Keycloak - 1.0-beta3 .
> Version of Jboss - JBoss AS 7.1.1
> 
> Its hosted on Amazon AWS . (I tried the same in my local environment it was
> working but when i have done the same on Amazon server, i am getting this
> issue.)
> 
> 
> Thanks for any help on this one.
> 
> Regards,
> Arjit Agrawal
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Thu Jun  4 08:33:55 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 4 Jun 2015 08:33:55 -0400 (EDT)
Subject: [keycloak-user] Distinguish between Existing user login and
	new	registration
In-Reply-To: <1433390126.77812807@apps.rackspace.com>
References: <1433390126.77812807@apps.rackspace.com>
Message-ID: <814583695.12047974.1433421235334.JavaMail.zimbra@redhat.com>

No we don't have that atm. Not sure it makes sense doing it that way either.

You could do an event listener that listens for registrations instead?

----- Original Message -----
> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 4 June, 2015 5:55:26 AM
> Subject: [keycloak-user] Distinguish between Existing user login and new	registration
> 
> 
> 
> 
> 
> Hi guys,
> 
> 
> 
> Is there an easy to way to distinguish between a JWT token received after a
> brand new user registration or an existing user login?
> 
> Basically in my use case the client will be given the responsibility to
> update roles if its a brand new user registration or deny access if its an
> existing user. Is there an easy way to distinguish between the two.
> 
> 
> 
> Thanks.
> 
> 
> 
> Kalinga
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From arjit.agrawal.07 at gmail.com  Thu Jun  4 10:17:09 2015
From: arjit.agrawal.07 at gmail.com (Arjit Agrawal)
Date: Thu, 4 Jun 2015 19:47:09 +0530
Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer
 only application
In-Reply-To: <1736491496.12047414.1433421134929.JavaMail.zimbra@redhat.com>
References: <CAKxi64V+XRdmw3PDTQ4dY4xGDZcM1WV6dH0ikUx4w-=_C7=LPw@mail.gmail.com>
	<1736491496.12047414.1433421134929.JavaMail.zimbra@redhat.com>
Message-ID: <CAKxi64VcyOxyO9iSgJBRpSve5+PE_tf40r=zN31fbGhpgRySYA@mail.gmail.com>

Hi,

I have the war file of service bearer only application in *jboss
deployments folder, *the auth-server.war for keycloak is also at the same
location.

Roles configured:-
[image: Inline image 1]

Here' my web.xml for service bearer only application:-

[image: Inline image 2]

Here's the setting for the bearer only application in keycloak

[image: Inline image 3]

User Role Mappings

[image: Inline image 1]

I am using REST services to fulfill the request. Here's a snippet of code:-

*KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
httpRequest*
* .getAttribute(KeycloakSecurityContext.class.getName());*
*AccessToken accessToken = securityContext.getToken();*


OAuth Client Scope Mappings:-

[image: Inline image 2]


Please let me know, if any more information is required.


Regards,
Arjit Agrawal


On Thu, Jun 4, 2015 at 6:02 PM, Stian Thorgersen <stian at redhat.com> wrote:

> We'll need much more info here. How have you secured the app? Is it a WAR?
> Do you require any roles for the resource you're invoking? Are you sending
> a bearer token with the request? How do you get the request? Does the user
> have the required roles? Does the client have the required scope?
>
> ----- Original Message -----
> > From: "Arjit Agrawal" <arjit.agrawal.07 at gmail.com>
> > To: "keycloak-user" <keycloak-user at lists.jboss.org>
> > Sent: Thursday, 4 June, 2015 5:49:08 AM
> > Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer
> only   application
> >
> > Hi,
> >
> > I have a new application - 'testapi' under a new realm - 'testrealm'.
> This
> > application is to be used as an API. Its an bearer only application .
> >
> > I have also made an OAuth Client to access this service.
> >
> > I am using iOS AeroGear plugin in my project to connect to API service
> with
> > all the required creditionals like clientId, roles etc.
> >
> > Version of Keycloak - 1.0-beta3 .
> > Version of Jboss - JBoss AS 7.1.1
> >
> > Its hosted on Amazon AWS . (I tried the same in my local environment it
> was
> > working but when i have done the same on Amazon server, i am getting this
> > issue.)
> >
> >
> > Thanks for any help on this one.
> >
> > Regards,
> > Arjit Agrawal
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 
Arjit Agrawal
AKGEC, Ghaziabad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/80cd45c4/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 29442 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/80cd45c4/attachment-0005.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 25982 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/80cd45c4/attachment-0006.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 17372 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/80cd45c4/attachment-0007.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 22110 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/80cd45c4/attachment-0008.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 34590 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/80cd45c4/attachment-0009.png 

From bburke at redhat.com  Thu Jun  4 10:29:31 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 04 Jun 2015 10:29:31 -0400
Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer
 only application
In-Reply-To: <CAKxi64VcyOxyO9iSgJBRpSve5+PE_tf40r=zN31fbGhpgRySYA@mail.gmail.com>
References: <CAKxi64V+XRdmw3PDTQ4dY4xGDZcM1WV6dH0ikUx4w-=_C7=LPw@mail.gmail.com>	<1736491496.12047414.1433421134929.JavaMail.zimbra@redhat.com>
	<CAKxi64VcyOxyO9iSgJBRpSve5+PE_tf40r=zN31fbGhpgRySYA@mail.gmail.com>
Message-ID: <557060CB.9060707@redhat.com>



On 6/4/2015 10:17 AM, Arjit Agrawal wrote:
>     > Version of Keycloak - 1.0-beta3 .
>     > Version of Jboss - JBoss AS 7.1.1
>     >

I'm sorry.  Too much has changed since Keycloak 1.0-beta3.  You need to 
upgrade.  We also do not support running on JBoss AS 7.1.1 anymore. 
Upgrade to JBoss EAP 6.x or Wildfly 8+


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From arjit.agrawal.07 at gmail.com  Thu Jun  4 10:33:30 2015
From: arjit.agrawal.07 at gmail.com (Arjit Agrawal)
Date: Thu, 4 Jun 2015 20:03:30 +0530
Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer
 only application
In-Reply-To: <557060CB.9060707@redhat.com>
References: <CAKxi64V+XRdmw3PDTQ4dY4xGDZcM1WV6dH0ikUx4w-=_C7=LPw@mail.gmail.com>
	<1736491496.12047414.1433421134929.JavaMail.zimbra@redhat.com>
	<CAKxi64VcyOxyO9iSgJBRpSve5+PE_tf40r=zN31fbGhpgRySYA@mail.gmail.com>
	<557060CB.9060707@redhat.com>
Message-ID: <CAKxi64UzVeU2HDkSKQ3GS89JSxmDUANDBpCQ3f_X57KmG4c4Ag@mail.gmail.com>

I will update the version but please let me know, how to resolve this
first. I need to make it running.

On Thu, Jun 4, 2015 at 7:59 PM, Bill Burke <bburke at redhat.com> wrote:

>
>
> On 6/4/2015 10:17 AM, Arjit Agrawal wrote:
> >     > Version of Keycloak - 1.0-beta3 .
> >     > Version of Jboss - JBoss AS 7.1.1
> >     >
>
> I'm sorry.  Too much has changed since Keycloak 1.0-beta3.  You need to
> upgrade.  We also do not support running on JBoss AS 7.1.1 anymore.
> Upgrade to JBoss EAP 6.x or Wildfly 8+
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>



-- 
Arjit Agrawal
AKGEC, Ghaziabad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/af420ed9/attachment.html 

From juandiego83 at gmail.com  Thu Jun  4 14:04:19 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 4 Jun 2015 13:04:19 -0500
Subject: [keycloak-user] keycloak.js with a different domain (cross domain
	problems)
Message-ID: <CAJGEj6cnvSVfdXTq8GWM6FjvK6Jzf1L_7TfxjFKn08z0AMUK3g@mail.gmail.com>

Hi,

I am getting this error when I try to run this from my apache server
instead from my app with jboss,

XMLHttpRequest cannot load
http://unika.localdomain:8080/auth/realms/unika/tokens/access/codes. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://unika.localdomain' is therefore not allowed access

unica.localdomain is set on my /etc/hosts

Do I have to run my web app on the same server to avoid this?

GET http://localhost:8080/unika/test/undefined/realms/undefined/account 401
(Unauthorized)


Also when I try to run it from as part of my war file on my server
12:48:27,159 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-122) No state cookie
12:48:56,153 WARN
[org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default
task-127) Invoking deprecated endpoint
http://localhost:8080/auth/realms/unika/tokens/login?client_id=unika-angular&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Funika%2Ftest%2Fcustomers%2Fview.html&state=48084ae8-d454-4e7e-8c42-01c51ec09a3c&response_type=code
12:48:58,570 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-1) No state cookie

And I get a "bad request" on my browser.

My test app is basically the customer-portal-js example with a different
keycloak.json file


I also set in web.xml to secure some folders, and it works fine.  So
basically when I log on to those folders and go back to my web-app it shows
the correct info.

thanks,

Juan Diego
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/9155a963/attachment.html 

From juandiego83 at gmail.com  Thu Jun  4 14:43:20 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 4 Jun 2015 13:43:20 -0500
Subject: [keycloak-user] HTTP 403 Forbidden while connecting to bearer
 only application
In-Reply-To: <CAKxi64UzVeU2HDkSKQ3GS89JSxmDUANDBpCQ3f_X57KmG4c4Ag@mail.gmail.com>
References: <CAKxi64V+XRdmw3PDTQ4dY4xGDZcM1WV6dH0ikUx4w-=_C7=LPw@mail.gmail.com>
	<1736491496.12047414.1433421134929.JavaMail.zimbra@redhat.com>
	<CAKxi64VcyOxyO9iSgJBRpSve5+PE_tf40r=zN31fbGhpgRySYA@mail.gmail.com>
	<557060CB.9060707@redhat.com>
	<CAKxi64UzVeU2HDkSKQ3GS89JSxmDUANDBpCQ3f_X57KmG4c4Ag@mail.gmail.com>
Message-ID: <CAJGEj6f=q0pWBqmfyMWnkefY4gLK1vQk739xfbEyqgFvA4EWfQ@mail.gmail.com>

Hi,

I dont know it is realted but 403 errors can be related to cross domain
problems, does you keycloak.json is set to  "auth-server-url": "
http://localhost:8080/auth" maybe try an external url or something like
that.



On Thu, Jun 4, 2015 at 9:33 AM, Arjit Agrawal <arjit.agrawal.07 at gmail.com>
wrote:

> I will update the version but please let me know, how to resolve this
> first. I need to make it running.
>
> On Thu, Jun 4, 2015 at 7:59 PM, Bill Burke <bburke at redhat.com> wrote:
>
>>
>>
>> On 6/4/2015 10:17 AM, Arjit Agrawal wrote:
>> >     > Version of Keycloak - 1.0-beta3 .
>> >     > Version of Jboss - JBoss AS 7.1.1
>> >     >
>>
>> I'm sorry.  Too much has changed since Keycloak 1.0-beta3.  You need to
>> upgrade.  We also do not support running on JBoss AS 7.1.1 anymore.
>> Upgrade to JBoss EAP 6.x or Wildfly 8+
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> --
> Arjit Agrawal
> AKGEC, Ghaziabad
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/aace3db3/attachment.html 

From juandiego83 at gmail.com  Thu Jun  4 17:46:58 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 4 Jun 2015 16:46:58 -0500
Subject: [keycloak-user] Multilingual support
Message-ID: <CAJGEj6dOPee5m+46p2sViSowkfoeJ_BuYWV=KnNGi98inrLaWg@mail.gmail.com>

Is it possible to set the login and register form different languages?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/4e9b153b/attachment.html 

From shivasaxena999 at gmail.com  Thu Jun  4 18:05:19 2015
From: shivasaxena999 at gmail.com (Shiva Saxena)
Date: Fri, 5 Jun 2015 03:35:19 +0530
Subject: [keycloak-user] Multilingual support
In-Reply-To: <CAJGEj6dOPee5m+46p2sViSowkfoeJ_BuYWV=KnNGi98inrLaWg@mail.gmail.com>
References: <CAJGEj6dOPee5m+46p2sViSowkfoeJ_BuYWV=KnNGi98inrLaWg@mail.gmail.com>
Message-ID: <CADjggumkB9S4_yfKt7o-y7-7zvmXsb6ZjyUYTDQLHPCbeKfObw@mail.gmail.com>

Yes, its possible,please refer to this feature request
https://issues.jboss.org/browse/KEYCLOAK-301

On Fri, Jun 5, 2015 at 3:16 AM, Juan Diego <juandiego83 at gmail.com> wrote:

> Is it possible to set the login and register form different languages?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150605/c3345edd/attachment.html 

From juandiego83 at gmail.com  Thu Jun  4 21:21:00 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 4 Jun 2015 20:21:00 -0500
Subject: [keycloak-user] Multilingual support
In-Reply-To: <CADjggumkB9S4_yfKt7o-y7-7zvmXsb6ZjyUYTDQLHPCbeKfObw@mail.gmail.com>
References: <CAJGEj6dOPee5m+46p2sViSowkfoeJ_BuYWV=KnNGi98inrLaWg@mail.gmail.com>
	<CADjggumkB9S4_yfKt7o-y7-7zvmXsb6ZjyUYTDQLHPCbeKfObw@mail.gmail.com>
Message-ID: <CAJGEj6e5vdsVUtpgPhu2LsDhMC6gHcwexjkxsQ9Ac4-o+OQDhw@mail.gmail.com>

Thanks

On Thu, Jun 4, 2015 at 5:05 PM, Shiva Saxena <shivasaxena999 at gmail.com>
wrote:

> Yes, its possible,please refer to this feature request
> https://issues.jboss.org/browse/KEYCLOAK-301
>
> On Fri, Jun 5, 2015 at 3:16 AM, Juan Diego <juandiego83 at gmail.com> wrote:
>
>> Is it possible to set the login and register form different languages?
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/02e7fe40/attachment-0001.html 

From juandiego83 at gmail.com  Thu Jun  4 21:24:36 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 4 Jun 2015 20:24:36 -0500
Subject: [keycloak-user] Multilingual support
In-Reply-To: <CAJGEj6e5vdsVUtpgPhu2LsDhMC6gHcwexjkxsQ9Ac4-o+OQDhw@mail.gmail.com>
References: <CAJGEj6dOPee5m+46p2sViSowkfoeJ_BuYWV=KnNGi98inrLaWg@mail.gmail.com>
	<CADjggumkB9S4_yfKt7o-y7-7zvmXsb6ZjyUYTDQLHPCbeKfObw@mail.gmail.com>
	<CAJGEj6e5vdsVUtpgPhu2LsDhMC6gHcwexjkxsQ9Ac4-o+OQDhw@mail.gmail.com>
Message-ID: <CAJGEj6fdtcviQ5ebP=YmsvSX=e6PXzNw43oV5tHdQK4dotpkJQ@mail.gmail.com>

Is it possible to add your custom Locales

On Thu, Jun 4, 2015 at 8:21 PM, Juan Diego <juandiego83 at gmail.com> wrote:

> Thanks
>
> On Thu, Jun 4, 2015 at 5:05 PM, Shiva Saxena <shivasaxena999 at gmail.com>
> wrote:
>
>> Yes, its possible,please refer to this feature request
>> https://issues.jboss.org/browse/KEYCLOAK-301
>>
>> On Fri, Jun 5, 2015 at 3:16 AM, Juan Diego <juandiego83 at gmail.com> wrote:
>>
>>> Is it possible to set the login and register form different languages?
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150604/1e08c890/attachment.html 

From stian at redhat.com  Fri Jun  5 00:47:22 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 5 Jun 2015 00:47:22 -0400 (EDT)
Subject: [keycloak-user] keycloak.js with a different domain (cross
 domain	problems)
In-Reply-To: <CAJGEj6cnvSVfdXTq8GWM6FjvK6Jzf1L_7TfxjFKn08z0AMUK3g@mail.gmail.com>
References: <CAJGEj6cnvSVfdXTq8GWM6FjvK6Jzf1L_7TfxjFKn08z0AMUK3g@mail.gmail.com>
Message-ID: <2132888715.12465779.1433479642703.JavaMail.zimbra@redhat.com>

You need to add web origins to your client to allow CORS requests to Keycloak.

Open the  admin console, find your client, in web origins add 'http://unika.localdomain'.

----- Original Message -----
> From: "Juan Diego" <juandiego83 at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 4 June, 2015 8:04:19 PM
> Subject: [keycloak-user] keycloak.js with a different domain (cross domain	problems)
> 
> Hi,
> 
> I am getting this error when I try to run this from my apache server instead
> from my app with jboss,
> 
> XMLHttpRequest cannot load
> http://unika.localdomain:8080/auth/realms/unika/tokens/access/codes . No
> 'Access-Control-Allow-Origin' header is present on the requested resource.
> Origin ' http://unika.localdomain ' is therefore not allowed access
> 
> unica.localdomain is set on my /etc/hosts
> 
> Do I have to run my web app on the same server to avoid this?
> 
> GET http://localhost:8080/unika/test/undefined/realms/undefined/account 401
> (Unauthorized)
> 
> 
> Also when I try to run it from as part of my war file on my server
> 12:48:27,159 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
> task-122) No state cookie
> 12:48:56,153 WARN
> [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default
> task-127) Invoking deprecated endpoint
> http://localhost:8080/auth/realms/unika/tokens/login?client_id=unika-angular&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Funika%2Ftest%2Fcustomers%2Fview.html&state=48084ae8-d454-4e7e-8c42-01c51ec09a3c&response_type=code
> 12:48:58,570 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default
> task-1) No state cookie
> 
> And I get a "bad request" on my browser.
> 
> My test app is basically the customer-portal-js example with a different
> keycloak.json file
> 
> 
> I also set in web.xml to secure some folders, and it works fine. So basically
> when I log on to those folders and go back to my web-app it shows the
> correct info.
> 
> thanks,
> 
> Juan Diego
> 
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pubudupg at gmail.com  Fri Jun  5 02:43:44 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Fri, 5 Jun 2015 12:13:44 +0530
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <CAFqgz0gKuvJws+VuDsR-AX4qcWx3d3p-wjRmqoiXzRVJui9s3Q@mail.gmail.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
	<CAFqgz0gKuvJws+VuDsR-AX4qcWx3d3p-wjRmqoiXzRVJui9s3Q@mail.gmail.com>
Message-ID: <CAFqgz0iviAq65WDt_pcMF7rTyXK68NpydtVyFAweVYhc0UtCxA@mail.gmail.com>

Quoting from section "3.1.1 Use of RelayState" in the spec
(https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf),

"Namely, if a SAML request message is accompanied by RelayState data,
then the SAML responder MUST return its SAML protocol response using a
binding that also supports a RelayState mechanism, and it MUST place
the exact RelayState data it received with the request into the
corresponding RelayState parameter in the response."

which is not the case if keycloak is removing the forward slashes from
the RelayState. So I think there should be a mechanism to escape the
RelayState data and yet return the data to the Service Provider
unmodified.

On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
> After debugging found a possible cause for this. In line 305 of
> SAML2BindingBuilder2 there is code as following
>
> escapeAttribute(relayState)
>
> which removes the forward slashes from the url. So I guess this is a bug?
>
> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>> Hi All,
>>
>> I am trying to use the OneLogin php-saml library[1] as a service
>> provider that uses keycloak as a SAML identity provider. The
>> "RelayState" parameter is sent properly form the SP to the IDP but in
>> the response, the forward slashes are missing from the RelayState.
>> For example in the post parameters of the authentication request, the
>> RelayState shows "http://phpsaml/demo1/" but in the response from
>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>>
>> How can I overcome this problem?
>>
>>
>> [1]https://github.com/onelogin/php-saml
>>
>> --
>> Thanks,
>> Pubudu
>
>
>
> --
> Thanks,
> Pubudu



-- 
Thanks,
Pubudu

From bburke at redhat.com  Fri Jun  5 02:51:03 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 05 Jun 2015 02:51:03 -0400
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <CAFqgz0iviAq65WDt_pcMF7rTyXK68NpydtVyFAweVYhc0UtCxA@mail.gmail.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>	<CAFqgz0gKuvJws+VuDsR-AX4qcWx3d3p-wjRmqoiXzRVJui9s3Q@mail.gmail.com>
	<CAFqgz0iviAq65WDt_pcMF7rTyXK68NpydtVyFAweVYhc0UtCxA@mail.gmail.com>
Message-ID: <557146D7.5010500@redhat.com>

How is the relay state transfered?  POST or Redirect GET?  How is it 
encoded?

On 6/5/2015 2:43 AM, pubudu gunawardena wrote:
> Quoting from section "3.1.1 Use of RelayState" in the spec
> (https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf),
>
> "Namely, if a SAML request message is accompanied by RelayState data,
> then the SAML responder MUST return its SAML protocol response using a
> binding that also supports a RelayState mechanism, and it MUST place
> the exact RelayState data it received with the request into the
> corresponding RelayState parameter in the response."
>
> which is not the case if keycloak is removing the forward slashes from
> the RelayState. So I think there should be a mechanism to escape the
> RelayState data and yet return the data to the Service Provider
> unmodified.
>
> On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>> After debugging found a possible cause for this. In line 305 of
>> SAML2BindingBuilder2 there is code as following
>>
>> escapeAttribute(relayState)
>>
>> which removes the forward slashes from the url. So I guess this is a bug?
>>
>> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>> Hi All,
>>>
>>> I am trying to use the OneLogin php-saml library[1] as a service
>>> provider that uses keycloak as a SAML identity provider. The
>>> "RelayState" parameter is sent properly form the SP to the IDP but in
>>> the response, the forward slashes are missing from the RelayState.
>>> For example in the post parameters of the authentication request, the
>>> RelayState shows "http://phpsaml/demo1/" but in the response from
>>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>>>
>>> How can I overcome this problem?
>>>
>>>
>>> [1]https://github.com/onelogin/php-saml
>>>
>>> --
>>> Thanks,
>>> Pubudu
>>
>>
>>
>> --
>> Thanks,
>> Pubudu
>
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From pubudupg at gmail.com  Fri Jun  5 02:51:19 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Fri, 5 Jun 2015 12:21:19 +0530
Subject: [keycloak-user] Problem with SAML SLO with Redirect Binding
Message-ID: <CAFqgz0gNqs19H8GfiqLdM8MA1h35A4uq=r_Y8KBBOmc=QYocOQ@mail.gmail.com>

Hi All,

When trying out SAML SLO with keycloak using Redirect Binding, noticed
that the "SigAlg" GET parameter of the logout response was set to
something like "SHA256withRSA". Quoting from section "3.4.4.1 DEFLATE
Encoding" of the spec,

"The signature algorithm identifier MUST be included as an additional
query string parameter,named SigAlg. The value of this parameter MUST
be a URI that identifies the algorithm used to sign the URL-encoded
SAML protocol message, specified according to [XMLSig] or whatever
specification governs the algorithm"

and libraries such as simplesamlphp and php-saml expect it to be a uri
in the form of "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
The mismatch causes those libraries to give errors when used with
keycloak idp.

-- 
Thanks,
Pubudu

From pubudupg at gmail.com  Fri Jun  5 02:55:52 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Fri, 5 Jun 2015 12:25:52 +0530
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <557146D7.5010500@redhat.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
	<CAFqgz0gKuvJws+VuDsR-AX4qcWx3d3p-wjRmqoiXzRVJui9s3Q@mail.gmail.com>
	<CAFqgz0iviAq65WDt_pcMF7rTyXK68NpydtVyFAweVYhc0UtCxA@mail.gmail.com>
	<557146D7.5010500@redhat.com>
Message-ID: <CAFqgz0jyHxbAf8ErfpzfRL4jvtBJW=RJHVWz8XMFpTUBbV2ZKg@mail.gmail.com>

The relay state is transferred to keycloak in an HTTP GET. It seems to
be urlencoded by the library that I'm using. The parameter looks like
"RelayState=http%3A%2F%2Fportal-simulator%2Fprotected.php".


On Fri, Jun 5, 2015 at 12:21 PM, Bill Burke <bburke at redhat.com> wrote:
> How is the relay state transfered?  POST or Redirect GET?  How is it
> encoded?
>
> On 6/5/2015 2:43 AM, pubudu gunawardena wrote:
>> Quoting from section "3.1.1 Use of RelayState" in the spec
>> (https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf),
>>
>> "Namely, if a SAML request message is accompanied by RelayState data,
>> then the SAML responder MUST return its SAML protocol response using a
>> binding that also supports a RelayState mechanism, and it MUST place
>> the exact RelayState data it received with the request into the
>> corresponding RelayState parameter in the response."
>>
>> which is not the case if keycloak is removing the forward slashes from
>> the RelayState. So I think there should be a mechanism to escape the
>> RelayState data and yet return the data to the Service Provider
>> unmodified.
>>
>> On Thu, Jun 4, 2015 at 5:43 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>> After debugging found a possible cause for this. In line 305 of
>>> SAML2BindingBuilder2 there is code as following
>>>
>>> escapeAttribute(relayState)
>>>
>>> which removes the forward slashes from the url. So I guess this is a bug?
>>>
>>> On Thu, Jun 4, 2015 at 5:14 PM, pubudu gunawardena <pubudupg at gmail.com> wrote:
>>>> Hi All,
>>>>
>>>> I am trying to use the OneLogin php-saml library[1] as a service
>>>> provider that uses keycloak as a SAML identity provider. The
>>>> "RelayState" parameter is sent properly form the SP to the IDP but in
>>>> the response, the forward slashes are missing from the RelayState.
>>>> For example in the post parameters of the authentication request, the
>>>> RelayState shows "http://phpsaml/demo1/" but in the response from
>>>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>>>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>>>>
>>>> How can I overcome this problem?
>>>>
>>>>
>>>> [1]https://github.com/onelogin/php-saml
>>>>
>>>> --
>>>> Thanks,
>>>> Pubudu
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Pubudu
>>
>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Thanks,
Pubudu

From bburke at redhat.com  Fri Jun  5 08:50:55 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 05 Jun 2015 08:50:55 -0400
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
Message-ID: <55719B2F.2020009@redhat.com>

https://issues.jboss.org/browse/KEYCLOAK-1408

Its in my queue now.

On 6/4/2015 7:44 AM, pubudu gunawardena wrote:
> Hi All,
>
> I am trying to use the OneLogin php-saml library[1] as a service
> provider that uses keycloak as a SAML identity provider. The
> "RelayState" parameter is sent properly form the SP to the IDP but in
> the response, the forward slashes are missing from the RelayState.
> For example in the post parameters of the authentication request, the
> RelayState shows "http://phpsaml/demo1/" but in the response from
> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>
> How can I overcome this problem?
>
>
> [1]https://github.com/onelogin/php-saml
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From akurdyukov at gmail.com  Fri Jun  5 09:35:13 2015
From: akurdyukov at gmail.com (Alik Kurdyukov)
Date: Fri, 5 Jun 2015 16:35:13 +0300
Subject: [keycloak-user] Keycloak and desktop
Message-ID: <etPan.5571a591.2ae8944a.1168e@AlikMacBookPro.local>

Hello,

I have a little question on integrating desktop application with Keycloak. I have
1. Desktop application that is a client to (1) a non-web server application and (2) a web server application
2. Non-web server application
3. Web application that is a Keycloak client
4. Keycloak server

I want to ask user to auth once with Keycloak (using native WPF window) and use token of some kind for both servers.

The questions are
1. What API should desktop application use to auth user with Keycloak? (maybe, I need to read keycloak.js code?)
2. What API should non-web server use to verify token?
3. Can I use bearer token with keycloak client that has access type ?confidential', not ?bearer only??

Thank you for your work :)

--?
Best regards,
Alik Kurdyukov
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150605/b03df148/attachment-0001.html 

From juandiego83 at gmail.com  Fri Jun  5 11:18:41 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 5 Jun 2015 10:18:41 -0500
Subject: [keycloak-user] keycloak.js with a different domain (cross
	domain problems)
In-Reply-To: <2132888715.12465779.1433479642703.JavaMail.zimbra@redhat.com>
References: <CAJGEj6cnvSVfdXTq8GWM6FjvK6Jzf1L_7TfxjFKn08z0AMUK3g@mail.gmail.com>
	<2132888715.12465779.1433479642703.JavaMail.zimbra@redhat.com>
Message-ID: <CAJGEj6enZ-h1Cb1GbpJ+4Nr_uFyiJ96FuAxXjNTsS-CvhkncUQ@mail.gmail.com>

Thanks, yes the problem was that I added http://unika.localdomain/ with a
slash at the end, it took me a while to realize the problem

On Thu, Jun 4, 2015 at 11:47 PM, Stian Thorgersen <stian at redhat.com> wrote:

> You need to add web origins to your client to allow CORS requests to
> Keycloak.
>
> Open the  admin console, find your client, in web origins add '
> http://unika.localdomain'.
>
> ----- Original Message -----
> > From: "Juan Diego" <juandiego83 at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 4 June, 2015 8:04:19 PM
> > Subject: [keycloak-user] keycloak.js with a different domain (cross
> domain    problems)
> >
> > Hi,
> >
> > I am getting this error when I try to run this from my apache server
> instead
> > from my app with jboss,
> >
> > XMLHttpRequest cannot load
> > http://unika.localdomain:8080/auth/realms/unika/tokens/access/codes . No
> > 'Access-Control-Allow-Origin' header is present on the requested
> resource.
> > Origin ' http://unika.localdomain ' is therefore not allowed access
> >
> > unica.localdomain is set on my /etc/hosts
> >
> > Do I have to run my web app on the same server to avoid this?
> >
> > GET http://localhost:8080/unika/test/undefined/realms/undefined/account
> 401
> > (Unauthorized)
> >
> >
> > Also when I try to run it from as part of my war file on my server
> > 12:48:27,159 WARN [org.keycloak.adapters.OAuthRequestAuthenticator]
> (default
> > task-122) No state cookie
> > 12:48:56,153 WARN
> > [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default
> > task-127) Invoking deprecated endpoint
> >
> http://localhost:8080/auth/realms/unika/tokens/login?client_id=unika-angular&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Funika%2Ftest%2Fcustomers%2Fview.html&state=48084ae8-d454-4e7e-8c42-01c51ec09a3c&response_type=code
> > 12:48:58,570 WARN [org.keycloak.adapters.OAuthRequestAuthenticator]
> (default
> > task-1) No state cookie
> >
> > And I get a "bad request" on my browser.
> >
> > My test app is basically the customer-portal-js example with a different
> > keycloak.json file
> >
> >
> > I also set in web.xml to secure some folders, and it works fine. So
> basically
> > when I log on to those folders and go back to my web-app it shows the
> > correct info.
> >
> > thanks,
> >
> > Juan Diego
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150605/9833c548/attachment.html 

From shivasaxena999 at gmail.com  Fri Jun  5 18:06:30 2015
From: shivasaxena999 at gmail.com (Shiva Saxena)
Date: Sat, 6 Jun 2015 03:36:30 +0530
Subject: [keycloak-user] Multilingual support
In-Reply-To: <CAJGEj6fdtcviQ5ebP=YmsvSX=e6PXzNw43oV5tHdQK4dotpkJQ@mail.gmail.com>
References: <CAJGEj6dOPee5m+46p2sViSowkfoeJ_BuYWV=KnNGi98inrLaWg@mail.gmail.com>
	<CADjggumkB9S4_yfKt7o-y7-7zvmXsb6ZjyUYTDQLHPCbeKfObw@mail.gmail.com>
	<CAJGEj6e5vdsVUtpgPhu2LsDhMC6gHcwexjkxsQ9Ac4-o+OQDhw@mail.gmail.com>
	<CAJGEj6fdtcviQ5ebP=YmsvSX=e6PXzNw43oV5tHdQK4dotpkJQ@mail.gmail.com>
Message-ID: <CADjggumBo95=uiBrb2GcqqxEwUu0UxbDP+qfvSuo0z+3Km8q3Q@mail.gmail.com>

Hi Juan,

Its possible to create new Locales just go to the web keycloak admin
console >select your realm>settings>Themes tab

Here you can enable internationalization and type a Locale(if already not
present in dropdown) and hit enter.

Then you will have to create a property file for the messages(that will
contain the text in the new language).I am giving an example for login page
but you can use the same every where.


   1. open folder
   "KEYCLOAK_HOME/standalone/configuration/themes/base/login/messages"
   2. create a file  *messages_NEWLOCALE.properties* and enter the messages
   in the translated language.

You can use the existing properties files as reference.
Here KEYCLOAK_HOME is the location where keycloak is located and NEWLOCALE
should be the name of the local you have created.

--
Best Regards
*Shiva Saxena*
*Blog <http://metalop.com/> | Linkedin
<http://in.linkedin.com/in/shivasaxena/> | StackOverflow
<http://stackoverflow.com/users/2490343/shiva>*

On Fri, Jun 5, 2015 at 6:54 AM, Juan Diego <juandiego83 at gmail.com> wrote:

> Is it possible to add your custom Locales
>
> On Thu, Jun 4, 2015 at 8:21 PM, Juan Diego <juandiego83 at gmail.com> wrote:
>
>> Thanks
>>
>> On Thu, Jun 4, 2015 at 5:05 PM, Shiva Saxena <shivasaxena999 at gmail.com>
>> wrote:
>>
>>> Yes, its possible,please refer to this feature request
>>> https://issues.jboss.org/browse/KEYCLOAK-301
>>>
>>> On Fri, Jun 5, 2015 at 3:16 AM, Juan Diego <juandiego83 at gmail.com>
>>> wrote:
>>>
>>>> Is it possible to set the login and register form different languages?
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150606/071240de/attachment.html 

From juandiego83 at gmail.com  Fri Jun  5 21:07:02 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 5 Jun 2015 20:07:02 -0500
Subject: [keycloak-user] After reloading web page I loose the token.
Message-ID: <CAJGEj6eeE_eY1a9GYVDXfdqQz863Qiwb+=zFpRv=NEzWfGhnnw@mail.gmail.com>

I am trying to understando how to use keycloak.js in a web app with
angular, I created a button that calls keycloak.login(); and it seems to
work I am prompted with keycloaks login form, and it seems to work, I am
able to retrieve my username and display it on my page.  But when I refresh
my page, it seems to loses the token.  The idtoken is null or not defined.
Here it is an example of my code, http://pastebin.com/W0ZHbtUW,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150605/34a7d8fd/attachment.html 

From stan.ieugen at gmail.com  Sat Jun  6 04:38:43 2015
From: stan.ieugen at gmail.com (Ioan Eugen Stan)
Date: Sat, 06 Jun 2015 08:38:43 +0000
Subject: [keycloak-user] After reloading web page I loose the token.
In-Reply-To: <CAJGEj6eeE_eY1a9GYVDXfdqQz863Qiwb+=zFpRv=NEzWfGhnnw@mail.gmail.com>
References: <CAJGEj6eeE_eY1a9GYVDXfdqQz863Qiwb+=zFpRv=NEzWfGhnnw@mail.gmail.com>
Message-ID: <EB92358A-1AF9-469B-A37B-453AFFE4ED69@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Juan,

It is expected. You are reloading your app. Try persisting the token in local storage.

Regards,

On 6 iunie 2015 04:07:02 EEST, Juan Diego <juandiego83 at gmail.com> wrote:
>I am trying to understando how to use keycloak.js in a web app with
>angular, I created a button that calls keycloak.login(); and it seems
>to
>work I am prompted with keycloaks login form, and it seems to work, I
>am
>able to retrieve my username and display it on my page.  But when I
>refresh
>my page, it seems to loses the token.  The idtoken is null or not
>defined.
>Here it is an example of my code, http://pastebin.com/W0ZHbtUW,
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user

- --
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-----BEGIN PGP SIGNATURE-----

iQFOBAEBCAA4MRxJb2FuIEV1Z2VuIFN0YW4gKGlldWdlbikgPHN0YW4uaWV1Z2Vu
QGdtYWlsLmNvbT4FAlVysZIACgkQ7Qltk+7tR9qaLAf/ds46CpbiCVcmFdYwD6WI
mOi/hse+BegoweWrUa7aeKP9mH8sy6cRvPQ4aWYl6qOojmWwNPKE/modSx1B8qA0
+lCII0BmVsCJyhJXD88aY1bEITLYX/G768qhA/kZmWa9tyLCYgLq52q/maZa3OlH
0ZF/iZPrf1ASvnWZkriI9ZjBSMhA+RDYWdbvC0pwwiM2cOPhIlBipWdiiiuPJCtJ
bqAfKPtcn0G0F8P8ykQK1fk5rrjkfbK/shZ3R4bGU6/Q5Sj5a8s9E9Nw7Y9S/7ux
1HUsYXgl32+XE3oc2A0Ec4/McOJ5TNW9LGUc+ByJLL3QRcUO4VzKFxN0OeH+iVl/
Vg==
=WPo4
-----END PGP SIGNATURE-----


From chrisflatley at gmx.net  Mon Jun  8 07:16:50 2015
From: chrisflatley at gmx.net (Chris Flatley)
Date: Mon, 8 Jun 2015 12:16:50 +0100
Subject: [keycloak-user] Get user by id
Message-ID: <CAHnzGWXP-=4X6UiE6N4NNxRxWC0jM2B7=8ETmYyrf5QZJNsd8w@mail.gmail.com>

This is probably really obvious, but I can't find it.

I'm currently using the Admin REST API to find users by search.

I see that the Admin REST API has get user representation by username, but
I want to also find user info (UserRepresentation) given the id.

If this possible through REST?

(Use case being it makes more sense to me to store the user id in my
database as a reference back to keycloak rather than the username or
replicate any of the user info which keycloak has stored).

Many thanks (great product!)

C
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/e4d92c3c/attachment.html 

From stian at redhat.com  Mon Jun  8 07:21:25 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 8 Jun 2015 07:21:25 -0400 (EDT)
Subject: [keycloak-user] Get user by id
In-Reply-To: <CAHnzGWXP-=4X6UiE6N4NNxRxWC0jM2B7=8ETmYyrf5QZJNsd8w@mail.gmail.com>
References: <CAHnzGWXP-=4X6UiE6N4NNxRxWC0jM2B7=8ETmYyrf5QZJNsd8w@mail.gmail.com>
Message-ID: <1848033160.13483940.1433762485643.JavaMail.zimbra@redhat.com>

In the past we had a mix of lookup by username/name and id. To make it more consistent in 1.3 we're changing this to only allow lookup by id. 1.3 should be out next week.

----- Original Message -----
> From: "Chris Flatley" <chrisflatley at gmx.net>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 8 June, 2015 1:16:50 PM
> Subject: [keycloak-user] Get user by id
> 
> This is probably really obvious, but I can't find it.
> 
> I'm currently using the Admin REST API to find users by search.
> 
> I see that the Admin REST API has get user representation by username, but I
> want to also find user info (UserRepresentation) given the id.
> 
> If this possible through REST?
> 
> (Use case being it makes more sense to me to store the user id in my database
> as a reference back to keycloak rather than the username or replicate any of
> the user info which keycloak has stored).
> 
> Many thanks (great product!)
> 
> C
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chrisflatley at gmx.net  Mon Jun  8 08:52:12 2015
From: chrisflatley at gmx.net (Chris Flatley)
Date: Mon, 8 Jun 2015 13:52:12 +0100
Subject: [keycloak-user] Get user by id
In-Reply-To: <CAHnzGWUf9bhsbBqRbzZY368j_-QFUF3N5oVOusU=RRL5hrohHg@mail.gmail.com>
References: <CAHnzGWXP-=4X6UiE6N4NNxRxWC0jM2B7=8ETmYyrf5QZJNsd8w@mail.gmail.com>
	<1848033160.13483940.1433762485643.JavaMail.zimbra@redhat.com>
	<CAHnzGWUf9bhsbBqRbzZY368j_-QFUF3N5oVOusU=RRL5hrohHg@mail.gmail.com>
Message-ID: <CAHnzGWVDX80Z3f=bY5M6yZhZjkxGQGf1iadv-XV7LAsyLHY+_g@mail.gmail.com>

Thanks. I noticed some comments on that, changing usernames, etc in the dev
mailing list. I couldn't quite see what the end results was (between the
mailing list, jira, etc).

Is the preferredUsername going to change too?

Just wondered since I can register google.username at domain.com (as my
username on keycloak's user inbuilt db). That overlaps with
username at domain.com for a google provided account. Then the
username at domain.com can't do social login through google.

It would be nice if all brokers (including the internal one prefixed an
brokerid to avoid this),

C


> C
>
> On Mon, Jun 8, 2015 at 12:21 PM, Stian Thorgersen <stian at redhat.com>
> wrote:
>
>> In the past we had a mix of lookup by username/name and id. To make it
>> more consistent in 1.3 we're changing this to only allow lookup by id. 1.3
>> should be out next week.
>>
>> ----- Original Message -----
>> > From: "Chris Flatley" <chrisflatley at gmx.net>
>> > To: keycloak-user at lists.jboss.org
>> > Sent: Monday, 8 June, 2015 1:16:50 PM
>> > Subject: [keycloak-user] Get user by id
>> >
>> > This is probably really obvious, but I can't find it.
>> >
>> > I'm currently using the Admin REST API to find users by search.
>> >
>> > I see that the Admin REST API has get user representation by username,
>> but I
>> > want to also find user info (UserRepresentation) given the id.
>> >
>> > If this possible through REST?
>> >
>> > (Use case being it makes more sense to me to store the user id in my
>> database
>> > as a reference back to keycloak rather than the username or replicate
>> any of
>> > the user info which keycloak has stored).
>> >
>> > Many thanks (great product!)
>> >
>> > C
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/c4a264cb/attachment.html 

From Henk.Laracker at planonsoftware.com  Mon Jun  8 09:51:47 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Mon, 8 Jun 2015 15:51:47 +0200
Subject: [keycloak-user] Import External IDP Config
Message-ID: <D19B6A93.1DC77%henk.laracker@planonsoftware.com>

Hi,

>From two different customers I received a idp config xml file. Both files I can import without a error, but nothing is filled in the fields. From security reasons I can not send the files. What is input you need to solve this problem? Is it possible to change the log level of the keycloak server. We are running it on openshift (private)

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s cordialement,

Henk Laracker

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/93561932/attachment.html 

From carlosthe19916 at gmail.com  Mon Jun  8 11:56:54 2015
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Mon, 8 Jun 2015 10:56:54 -0500
Subject: [keycloak-user] org.keycloak.VerificationException: Token is not
	active
Message-ID: <CAAdSQ6h0vgS48Uwi1Q-QnBoqsbiSa2q3B0-qbbBPjyvqXZDqvg@mail.gmail.com>

Hi all.

I'm migrating my app to *keycloak-1.2.0.Final*. In this escenario i *have
two servers*, one for *keycloak* and other *wildfly+keycloak-adapter* for
myApp.war, both servers are in diferent hosts.

I'm using javascript adapter for my app and a wildfly-adapter for my
restApi.war.

Javascript adapter send a requests as:
*Bearer eyJhb..............b-ckM2WKRPgopaeQ3I3ZXQwOyYWFGEd5OIHqA*

my problem is that when i send a request to restApi.war i have an exception
as:

ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default
task-14) Failed to verify token: *org.keycloak.VerificationException: Token
is not active.*

this tell me that my token is not active....i can't find where is the
problem. In keycloak-1.1.Final this configuration was good. Please help me.


-- 
Carlos E. Feria Vila
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/33315b17/attachment.html 

From bburke at redhat.com  Mon Jun  8 12:47:28 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 08 Jun 2015 12:47:28 -0400
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
Message-ID: <5575C720.3020905@redhat.com>

Should be fixed in master and will be in 1.3 release.

On 6/4/2015 7:44 AM, pubudu gunawardena wrote:
> Hi All,
>
> I am trying to use the OneLogin php-saml library[1] as a service
> provider that uses keycloak as a SAML identity provider. The
> "RelayState" parameter is sent properly form the SP to the IDP but in
> the response, the forward slashes are missing from the RelayState.
> For example in the post parameters of the authentication request, the
> RelayState shows "http://phpsaml/demo1/" but in the response from
> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>
> How can I overcome this problem?
>
>
> [1]https://github.com/onelogin/php-saml
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From peterson.dean at gmail.com  Mon Jun  8 14:46:52 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 8 Jun 2015 13:46:52 -0500
Subject: [keycloak-user] When will Keycloak be a supported service?
Message-ID: <CAFGzvP=ZFCqPgdDgvUYOcVGw4C4bbbyBJ50G3GfQ9AWd1f8chA@mail.gmail.com>

I have been using Keycloak for some time now.  I love it.  I am doing a
proof of concept for work.  Unfortunately I am one of two architects.  For
reasons I won't go into, the other architect keeps changing his
requirements.  The new requirement is that security be a supported and
externally hosted service.  Do you have a time frame when Keycloak will be
something we can just pay support for and have it hosted externally?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/32959824/attachment.html 

From bburke at redhat.com  Mon Jun  8 14:59:45 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 08 Jun 2015 14:59:45 -0400
Subject: [keycloak-user] When will Keycloak be a supported service?
In-Reply-To: <CAFGzvP=ZFCqPgdDgvUYOcVGw4C4bbbyBJ50G3GfQ9AWd1f8chA@mail.gmail.com>
References: <CAFGzvP=ZFCqPgdDgvUYOcVGw4C4bbbyBJ50G3GfQ9AWd1f8chA@mail.gmail.com>
Message-ID: <5575E621.6010008@redhat.com>

I'm not supposed to talk about productization timelines, but Keycloak is 
in the pipeline to be a supported product at Red Hat.  So, its not an 
if, but a when...  That's all I can say, sorry.

On 6/8/2015 2:46 PM, Dean Peterson wrote:
> I have been using Keycloak for some time now.  I love it.  I am doing a
> proof of concept for work.  Unfortunately I am one of two architects.
> For reasons I won't go into, the other architect keeps changing his
> requirements.  The new requirement is that security be a supported and
> externally hosted service.  Do you have a time frame when Keycloak will
> be something we can just pay support for and have it hosted externally?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From ayrton at ubuntu.com  Mon Jun  8 15:58:19 2015
From: ayrton at ubuntu.com (=?UTF-8?Q?Ayrton_Ara=C3=BAjo?=)
Date: Mon, 8 Jun 2015 15:58:19 -0400
Subject: [keycloak-user] LDAP configuration
In-Reply-To: <555D77F6.6050905@redhat.com>
References: <CALqxV3d19wZU-UcOrGdjj+6JGc4aiG4HfVhzKn6sdMUzQwTB-A@mail.gmail.com>
	<555D77F6.6050905@redhat.com>
Message-ID: <CALqxV3ceU712Nrghw=Pr+4c57X=WSvug1rNHGDHoBZxmwC-=Vw@mail.gmail.com>

Okay,

as your suggestion I changed to the complete DN, but now I get this:

Caused by: org.picketlink.idm.IdentityManagementException: PLIDM000501:
Could not query IdentityType using query
[org.picketlink.idm.query.internal.D
efaultIdentityQuery at 69d4fcb8].
at
org.picketlink.idm.ldap.internal.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:236)
at
org.picketlink.idm.query.internal.DefaultIdentityQuery.getResultList(DefaultIdentityQuery.java:190)
... 57 more
Caused by: org.picketlink.idm.IdentityManagementException: Could not
populate attribute type org.picketlink.idm.model.basic.User at 8665a20.
at
org.picketlink.idm.ldap.internal.LDAPIdentityStore.populateAttributedType(LDAPIdentityStore.java:815)
at
org.picketlink.idm.ldap.internal.LDAPIdentityStore.populateAttributedType(LDAPIdentityStore.java:682)
at
org.picketlink.idm.ldap.internal.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:231)
... 58 more
Caused by: java.lang.NullPointerException


Em quinta-feira, 21 de maio de 2015, Marek Posolda <mposolda at redhat.com>
escreveu:

>  On 20.5.2015 22:00, Ayrton Ara?jo wrote:
>
>  I'm trying do add a new user federation provider for integrate keycloak
> with a ldap server.
>
>  The parameters:
> Console display name -> Active Directory
> Priority -> 0
> Edit Mode -> READ_ONLY
> Sync Registrations -> OFF
> Vendor -> Active Directory
> Username LDAP attribute -> sAMAccountName
> User Object Classes -> person, organizationPerson, user
> Connection URL -> ldap://dom.example.com:389
> Base DN -> DC=dom,DC=example,DC=com
> User DN Suffix -> CN=Users
> Bind DN -> CN=Keycloak.LDAP;CN=Users;DC=dom,DC=example,DC=com
> Bind Credential -> ********
> Connection pooling -> ON
> Pagination -> ON
> Enable Account After Password Update -> OFF
> Batch Size -> 100
> Periodic Full Sync -> OFF
> Periodic changed users sync -> ON
> Changed users sync period -> 86400
>
>  I tried change User DN Suffix to only Users, but it not works. The log
> always saying:
> LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012
> (DIR_ERROR)
> And it says this when it tries to parse the User DN Suffix.
>
> Currently "User DN Suffix" is supposed to contain whole DN. So in your
> case it should be probably something like: CN=Users,DC=dom,DC=example,DC=com
>
> I agree that name of the parameter "User DN Suffix" is misleading. It will
> be improved in next version ( 1.3.0.Beta1 ) and also it will be possible to
> configure more User DNs to search for users.
>
> Marek
>
>
>  Theres something wrong with my conf?
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.org <javascript:_e(%7B%7D,'cvml','keycloak-user at lists.jboss.org');>https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

-- 
Ayrton Ara?jo
"If you can tell the false from the true you are already a scientist."

--
http://ayr-ton.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/8286b9b5/attachment-0001.html 

From John.Schneider at carrier.utc.com  Mon Jun  8 16:45:19 2015
From: John.Schneider at carrier.utc.com (Schneider, John           DODGE CONSULTING SERVICES, LLC)
Date: Mon, 8 Jun 2015 20:45:19 +0000
Subject: [keycloak-user] When will Keycloak be a supported
Message-ID: <D5998B55A61D334EA803FEB70395CFD70B186C5A@UUSNWE3K.na.utcmail.com>

+1 for paid Keycloak support services from JBoss.  If you could advocate for this by 2016, it'd be much appreciated.  My client is evaluating other products mainly because of the FUD of free products and lack of commercial support.  Some people in big companies think a product is better just because they have to pay for support.

In the meantime, keep up the great work on development and don't take this as a message that you're not already doing a fantastic job supporting Keycloak.  You are!

Thanks,
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/9670bdef/attachment.html 

From prabhalar at yahoo.com  Mon Jun  8 17:31:36 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Mon, 8 Jun 2015 21:31:36 +0000 (UTC)
Subject: [keycloak-user] Import External IDP Config
In-Reply-To: <D19B6A93.1DC77%henk.laracker@planonsoftware.com>
References: <D19B6A93.1DC77%henk.laracker@planonsoftware.com>
Message-ID: <1563197306.7542120.1433799096176.JavaMail.yahoo@mail.yahoo.com>

Even I had similar issue earlier. Cleaning the browser cache and?importing the config files?addressed it?You can give it a try.
?   

   From: Henk Laracker <Henk.Laracker at planonsoftware.com>
 To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org> 
 Sent: Monday, June 8, 2015 9:51 AM
 Subject: [keycloak-user] Import External IDP Config
   
Hi,
>From two different customers I received a idp config xml file. Both files I can import without a error, but nothing is filled in the fields. From security reasons I can not send the files. What is input you need to solve this problem? Is it possible to change the log level of the keycloak server. We are running it on openshift (private)?
Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s cordialement,
Henk Laracker

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150608/fcdbd46d/attachment.html 

From pubudupg at gmail.com  Mon Jun  8 20:43:44 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Tue, 9 Jun 2015 06:13:44 +0530
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <5575C720.3020905@redhat.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
	<5575C720.3020905@redhat.com>
Message-ID: <CAFqgz0i__LUX=69sUxqcePVYP=5T9JpFjYKcZYb2y3OiM8CQbQ@mail.gmail.com>

That's great. And thanks for the great product.

On Mon, Jun 8, 2015 at 10:17 PM, Bill Burke <bburke at redhat.com> wrote:
> Should be fixed in master and will be in 1.3 release.
>
> On 6/4/2015 7:44 AM, pubudu gunawardena wrote:
>> Hi All,
>>
>> I am trying to use the OneLogin php-saml library[1] as a service
>> provider that uses keycloak as a SAML identity provider. The
>> "RelayState" parameter is sent properly form the SP to the IDP but in
>> the response, the forward slashes are missing from the RelayState.
>> For example in the post parameters of the authentication request, the
>> RelayState shows "http://phpsaml/demo1/" but in the response from
>> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
>> library to throw exceptions. I'm using keycloak 1.2.0.Final.
>>
>> How can I overcome this problem?
>>
>>
>> [1]https://github.com/onelogin/php-saml
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Thanks,
Pubudu

From Henk.Laracker at planonsoftware.com  Tue Jun  9 05:14:11 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Tue, 9 Jun 2015 11:14:11 +0200
Subject: [keycloak-user] Import External IDP Config
In-Reply-To: <1563197306.7542120.1433799096176.JavaMail.yahoo@mail.yahoo.com>
References: <D19B6A93.1DC77%henk.laracker@planonsoftware.com>
	<1563197306.7542120.1433799096176.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <D19C7A8D.1DCD8%henk.laracker@planonsoftware.com>

Hi,

It is not related to the cache, I tired it in different browser and cleaning the cache.

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s cordialement,

Henk Laracker

From: Raghu Prabhala <prabhalar at yahoo.com<mailto:prabhalar at yahoo.com>>
Reply-To: Raghu Prabhala <prabhalar at yahoo.com<mailto:prabhalar at yahoo.com>>
Date: Monday 8 June 2015 23:31
To: Henk Laracker <henk.laracker at planonsoftware.com<mailto:henk.laracker at planonsoftware.com>>, "keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>" <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
Subject: Re: [keycloak-user] Import External IDP Config

Even I had similar issue earlier. Cleaning the browser cache and importing the config files addressed it You can give it a try.



________________________________
From: Henk Laracker <Henk.Laracker at planonsoftware.com<mailto:Henk.Laracker at planonsoftware.com>>
To: "keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>" <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
Sent: Monday, June 8, 2015 9:51 AM
Subject: [keycloak-user] Import External IDP Config

Hi,

>From two different customers I received a idp config xml file. Both files I can import without a error, but nothing is filled in the fields. From security reasons I can not send the files. What is input you need to solve this problem? Is it possible to change the log level of the keycloak server. We are running it on openshift (private)

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s cordialement,

Henk Laracker


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150609/3809539c/attachment.html 

From mposolda at redhat.com  Tue Jun  9 10:07:12 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 09 Jun 2015 16:07:12 +0200
Subject: [keycloak-user] LDAP configuration
In-Reply-To: <CALqxV3ceU712Nrghw=Pr+4c57X=WSvug1rNHGDHoBZxmwC-=Vw@mail.gmail.com>
References: <CALqxV3d19wZU-UcOrGdjj+6JGc4aiG4HfVhzKn6sdMUzQwTB-A@mail.gmail.com>	<555D77F6.6050905@redhat.com>
	<CALqxV3ceU712Nrghw=Pr+4c57X=WSvug1rNHGDHoBZxmwC-=Vw@mail.gmail.com>
Message-ID: <5576F310.8090502@redhat.com>

You did not include whole exception though. Especially you omit on which 
line NullPointerException is thrown, which is most important here. Could 
you also please enable TRACE logging for 
org.picketlink.idm.ldap.internal.LDAPIdentityStore and send some log 
snippet with few lines before this exception is thrown?

Thanks,
Marek

On 8.6.2015 21:58, Ayrton Ara?jo wrote:
> Okay,
>
> as your suggestion I changed to the complete DN, but now I get this:
>
> Caused by: org.picketlink.idm.IdentityManagementException: 
> PLIDM000501: Could not query IdentityType using query 
> [org.picketlink.idm.query.internal.D
> efaultIdentityQuery at 69d4fcb8].
> at 
> org.picketlink.idm.ldap.internal.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:236)
> at 
> org.picketlink.idm.query.internal.DefaultIdentityQuery.getResultList(DefaultIdentityQuery.java:190)
> ... 57 more
> Caused by: org.picketlink.idm.IdentityManagementException: Could not 
> populate attribute type org.picketlink.idm.model.basic.User at 8665a20.
> at 
> org.picketlink.idm.ldap.internal.LDAPIdentityStore.populateAttributedType(LDAPIdentityStore.java:815)
> at 
> org.picketlink.idm.ldap.internal.LDAPIdentityStore.populateAttributedType(LDAPIdentityStore.java:682)
> at 
> org.picketlink.idm.ldap.internal.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:231)
> ... 58 more
> Caused by: java.lang.NullPointerException
>
>
> Em quinta-feira, 21 de maio de 2015, Marek Posolda 
> <mposolda at redhat.com <mailto:mposolda at redhat.com>> escreveu:
>
>     On 20.5.2015 22:00, Ayrton Ara?jo wrote:
>>     I'm trying do add a new user federation provider for integrate
>>     keycloak with a ldap server.
>>
>>     The parameters:
>>     Console display name -> Active Directory
>>     Priority -> 0
>>     Edit Mode -> READ_ONLY
>>     Sync Registrations -> OFF
>>     Vendor -> Active Directory
>>     Username LDAP attribute -> sAMAccountName
>>     User Object Classes -> person, organizationPerson, user
>>     Connection URL -> ldap://dom.example.com:389
>>     <http://dom.example.com:389/>
>>     Base DN -> DC=dom,DC=example,DC=com
>>     User DN Suffix -> CN=Users
>>     Bind DN -> CN=Keycloak.LDAP;CN=Users;DC=dom,DC=example,DC=com
>>     Bind Credential -> ********
>>     Connection pooling -> ON
>>     Pagination -> ON
>>     Enable Account After Password Update -> OFF
>>     Batch Size -> 100
>>     Periodic Full Sync -> OFF
>>     Periodic changed users sync -> ON
>>     Changed users sync period -> 86400
>>
>>     I tried change User DN Suffix to only Users, but it not works.
>>     The log always saying:
>>     LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem
>>     5012 (DIR_ERROR)
>>     And it says this when it tries to parse the User DN Suffix.
>     Currently "User DN Suffix" is supposed to contain whole DN. So in
>     your case it should be probably something like:
>     CN=Users,DC=dom,DC=example,DC=com
>
>     I agree that name of the parameter "User DN Suffix" is misleading.
>     It will be improved in next version ( 1.3.0.Beta1 ) and also it
>     will be possible to configure more User DNs to search for users.
>
>     Marek
>>
>>     Theres something wrong with my conf?
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org  <javascript:_e(%7B%7D,'cvml','keycloak-user at lists.jboss.org');>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> -- 
> Ayrton Ara?jo
> "If you can tell the false from the true you are already a scientist."
>
> --
> http://ayr-ton.net/
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150609/8cb9bc12/attachment-0001.html 

From emorny at gmail.com  Tue Jun  9 11:42:17 2015
From: emorny at gmail.com (Edem Morny)
Date: Tue, 09 Jun 2015 15:42:17 +0000
Subject: [keycloak-user] Unable to Import Realm Json file in 1.2.0-RC1
Message-ID: <1433864537.6083.5.camel@localhost.localdomain>

Hi,

I created a realm in keycloak 1.2.0-RC1, exported it with the following
command

standalone.sh -Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=carewexmh-realm.json

Unfortunately my colleagues are unable to import the exported realm
file, and when I intentionally delete the realm and try to import it
myself, I get the same exception as they do. Any idea what's wrong?

Find the stacktrace below. If I need to include the jon file, do let me
know and i'll include it.



15:25:35,904 ERROR [io.undertow.request] (default task-30) UT005023: Exception handling request to /auth/admin/realms: java.lang.RuntimeException: request path: /auth/admin/realms
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Caused by: org.jboss.resteasy.spi.UnhandledException: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.RealmRepresentation out of START_ARRAY token
 at [Source: java.io.StringReader at 3119350b; line: 1, column: 1]
	at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
	... 28 more
Caused by: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.RealmRepresentation out of START_ARRAY token
 at [Source: java.io.StringReader at 3119350b; line: 1, column: 1]
	at org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163) [jackson-mapper-asl-1.9.13.jar:1.9.13]
	at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219) [jackson-mapper-asl-1.9.13.jar:1.9.13]
	at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:212) [jackson-mapper-asl-1.9.13.jar:1.9.13]
	at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromArray(BeanDeserializer.java:875) [jackson-mapper-asl-1.9.13.jar:1.9.13]
	at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:597) [jackson-mapper-asl-1.9.13.jar:1.9.13]
	at org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2732) [jackson-mapper-asl-1.9.13.jar:1.9.13]
	at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1863) [jackson-mapper-asl-1.9.13.jar:1.9.13]
	at org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:50) [keycloak-core-1.2.0.CR1.jar:1.2.0.CR1]
	at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:164) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_25]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_25]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_25]
	at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_25]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
	... 39 more

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150609/09ff180e/attachment.html 

From mposolda at redhat.com  Tue Jun  9 11:57:28 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 09 Jun 2015 17:57:28 +0200
Subject: [keycloak-user] Unable to Import Realm Json file in 1.2.0-RC1
In-Reply-To: <1433864537.6083.5.camel@localhost.localdomain>
References: <1433864537.6083.5.camel@localhost.localdomain>
Message-ID: <55770CE8.3090603@redhat.com>

Your colleagues are importing the realm file through admin console, 
right? That won't work because you did full export (you exported all the 
realms to the file) and hence the file contains the array of realms, not 
single realm, which admin console expects.

To fix it, you can either:
1) Export just the single realm instead of all realms. You can do it by 
adding the additional property -Dkeycloak.migration.realmName (See docs 
for details). In this case file will contain just one realm and your 
colleagues can import it via admin console

2) Your colleagues will import file with all realms at startup with the 
system properties:
/*standalone.sh -Dkeycloak.migration.action=import 
-Dkeycloak.migration.provider=singleFile 
-Dkeycloak.migration.file=carewexmh-realm.json*/
but not through admin console.

Case (1) is when you want to export and import just one realm. Case (2) 
when you want to export and import all realms including master realm.

Marek

On 9.6.2015 17:42, Edem Morny wrote:
> Hi,
>
> I created a realm in keycloak 1.2.0-RC1, exported it with the 
> following command
>
> /*standalone.sh -Dkeycloak.migration.action=export 
> -Dkeycloak.migration.provider=singleFile 
> -Dkeycloak.migration.file=carewexmh-realm.json*/
>
> Unfortunately my colleagues are unable to import the exported realm 
> file, and when I intentionally delete the realm and try to import it 
> myself, I get the same exception as they do. Any idea what's wrong?
>
> Find the stacktrace below. If I need to include the jon file, do let 
> https://github.com/aerogear/aerogear-unifiedpush-server-integration-tests/blob/rewrite/tools/test-extension/server/src/main/java/org/jboss/aerogear/unifiedpush/test/KeycloakConfigurator.java#L96-L121me 
> know and i'll include it.
>
>
> 15:25:35,904 ERROR [io.undertow.request] (default task-30) UT005023: Exception handling request to /auth/admin/realms: java.lang.RuntimeException: request path: /auth/admin/realms
> 	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
> 	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
> Caused by: org.jboss.resteasy.spi.UnhandledException: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.RealmRepresentation out of START_ARRAY token
>   at [Source:java.io.StringReader at 3119350b  <mailto:java.io.StringReader at 3119350b>; line: 1, column: 1]
> 	at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
> 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> 	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
> 	... 28 more
> Caused by: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.RealmRepresentation out of START_ARRAY token
>   at [Source:java.io.StringReader at 3119350b  <mailto:java.io.StringReader at 3119350b>; line: 1, column: 1]
> 	at org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163) [jackson-mapper-asl-1.9.13.jar:1.9.13]
> 	at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219) [jackson-mapper-asl-1.9.13.jar:1.9.13]
> 	at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:212) [jackson-mapper-asl-1.9.13.jar:1.9.13]
> 	at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromArray(BeanDeserializer.java:875) [jackson-mapper-asl-1.9.13.jar:1.9.13]
> 	at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize(BeanDeserializer.java:597) [jackson-mapper-asl-1.9.13.jar:1.9.13]
> 	at org.codehaus.jackson.map.ObjectMapper._readMapAndClose(ObjectMapper.java:2732) [jackson-mapper-asl-1.9.13.jar:1.9.13]
> 	at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1863) [jackson-mapper-asl-1.9.13.jar:1.9.13]
> 	at org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:50) [keycloak-core-1.2.0.CR1.jar:1.2.0.CR1]
> 	at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:164) [keycloak-services-1.2.0.CR1.jar:1.2.0.CR1]
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_25]
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_25]
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_25]
> 	at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_25]
> 	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
> 	... 39 more
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150609/9c383a72/attachment-0001.html 

From orestis.tsakiridis at telestax.com  Wed Jun 10 02:57:01 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 10 Jun 2015 09:57:01 +0300
Subject: [keycloak-user] Mixing https/http schemes with sslRequired == all
Message-ID: <CABjN768dFrvR=M2Ok5Nbo2qfm98O=EGyFLv-hTmPJPNRVxMBXw@mail.gmail.com>

Hello,

Can keycloak operate on HTTPS while the REST application it protects runs
on HTTP?

I've also set "Require SSL" to "all requests"


Regards

Orestis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150610/7db1fb4d/attachment.html 

From stian at redhat.com  Wed Jun 10 03:14:06 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 10 Jun 2015 03:14:06 -0400 (EDT)
Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==
 all
In-Reply-To: <CABjN768dFrvR=M2Ok5Nbo2qfm98O=EGyFLv-hTmPJPNRVxMBXw@mail.gmail.com>
References: <CABjN768dFrvR=M2Ok5Nbo2qfm98O=EGyFLv-hTmPJPNRVxMBXw@mail.gmail.com>
Message-ID: <1651616328.14982265.1433920446105.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 10 June, 2015 8:57:01 AM
> Subject: [keycloak-user] Mixing https/http schemes with sslRequired == all
> 
> Hello,
> 
> Can keycloak operate on HTTPS while the REST application it protects runs on
> HTTP?
> 
> I've also set "Require SSL" to "all requests"

Keycloak only deals with request made to the Keycloak Server and doesn't put any restriction on the request to your rest endpoints. However, as you are passing the token in requests to your rest endpoints it wouldn't be the best idea to not use ssl. Although the risk can be mitigated slightly by having short lifespan on access tokens.

> 
> 
> Regards
> 
> Orestis
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Wed Jun 10 03:28:06 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 10 Jun 2015 03:28:06 -0400 (EDT)
Subject: [keycloak-user] Keycloak and desktop
In-Reply-To: <etPan.5571a591.2ae8944a.1168e@AlikMacBookPro.local>
References: <etPan.5571a591.2ae8944a.1168e@AlikMacBookPro.local>
Message-ID: <2049049799.14988770.1433921286761.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Alik Kurdyukov" <akurdyukov at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 5 June, 2015 3:35:13 PM
> Subject: [keycloak-user] Keycloak and desktop
> 
> Hello,
> 
> I have a little question on integrating desktop application with Keycloak. I
> have
> 1. Desktop application that is a client to (1) a non-web server application
> and (2) a web server application
> 2. Non-web server application
> 3. Web application that is a Keycloak client
> 4. Keycloak server
> 
> I want to ask user to auth once with Keycloak (using native WPF window) and
> use token of some kind for both servers.
> 
> The questions are
> 1. What API should desktop application use to auth user with Keycloak?
> (maybe, I need to read keycloak.js code?)

Look at the customer-app-cli and https://github.com/keycloak/keycloak/blob/master/integration/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java

KeycloakInstalled uses the desktop browser, but you should be able to easily modify it to use a native WPF window.

> 2. What API should non-web server use to verify token?

You can use org.keycloak.RSATokenVerifier from keycloak-core. 

> 3. Can I use bearer token with keycloak client that has access type
> ?confidential', not ?bearer only??

Not sure what you mean about this question, but the intention is that a 'confidential' client is an app that initiates a login, while the 'bearer only' is a service that verifies the token. In your case the desktop app would be a confidential client (or a public if the app is publicly available as you can't keep the client secret private in that case) and the non-web server aka services would be a 'bearer only'.

> 
> Thank you for your work :)
> 
> --
> Best regards,
> Alik Kurdyukov
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From stian at redhat.com  Wed Jun 10 03:35:50 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 10 Jun 2015 03:35:50 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.2.0.Final released
In-Reply-To: <5568277F.7080907@akvo.org>
References: <815638486.1574215.1432036940104.JavaMail.zimbra@redhat.com>
	<5568277F.7080907@akvo.org>
Message-ID: <1130181371.14991592.1433921750557.JavaMail.zimbra@redhat.com>

We'll consider something (https://issues.jboss.org/browse/KEYCLOAK-1437)

The files are also posted to JBoss Nexus [1] as well as Maven Central [2] so if you're concerned you can get them from one of these locations instead.

[1] https://repository.jboss.org/nexus/#nexus-search;quick~keycloak-server-dist
[2] http://search.maven.org/#artifactdetails%7Corg.keycloak%7Ckeycloak-server-dist%7C1.2.0.Final%7Cpom

----- Original Message -----
> From: "Iv?n Perdomo" <ivan at akvo.org>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 29 May, 2015 10:46:55 AM
> Subject: Re: [keycloak-user] Keycloak 1.2.0.Final released
> 
> Hi,
> 
> On 05/19/2015 02:02 PM, Stian Thorgersen wrote:
> > to download go to
> > https://sourceforge.net/projects/keycloak/files/1.2.0.Final/.
> 
> Given the latest news on SF.net [1] I would suggest you publish the
> files checksum, and/or perhaps sign the files [2] ?
> 
> [1]
> https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/
> [2] https://www.gnupg.org/gph/en/manual/x135.html
> 
> Cheers,
> 
> --
> Iv?n
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From orestis.tsakiridis at telestax.com  Wed Jun 10 06:57:28 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 10 Jun 2015 13:57:28 +0300
Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==
	all
Message-ID: <CABjN76-6P6RO0hhcepXfvBJnZKO2i=ZUUOsgQ3JWAoJ-BbkccQ@mail.gmail.com>

Indeed. I've already switched my application to https.

The reason i'm asking this is because before switching i got blank (no
content) responses from the application's endpoints. HTTP status code was
200 but there was no content returned. At the same time the following
warning appeared in the logs.

12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator]
(http-/192.168.1.39:8080-4) SSL is required to authenticate


On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <stian at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 10 June, 2015 8:57:01 AM
> > Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==
> all
> >
> > Hello,
> >
> > Can keycloak operate on HTTPS while the REST application it protects
> runs on
> > HTTP?
> >
> > I've also set "Require SSL" to "all requests"
>
> Keycloak only deals with request made to the Keycloak Server and doesn't
> put any restriction on the request to your rest endpoints. However, as you
> are passing the token in requests to your rest endpoints it wouldn't be the
> best idea to not use ssl. Although the risk can be mitigated slightly by
> having short lifespan on access tokens.
>
> >
> >
> > Regards
> >
> > Orestis
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150610/48e9d981/attachment.html 

From stian at redhat.com  Wed Jun 10 07:13:50 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 10 Jun 2015 07:13:50 -0400 (EDT)
Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==
 all
In-Reply-To: <CABjN76-6P6RO0hhcepXfvBJnZKO2i=ZUUOsgQ3JWAoJ-BbkccQ@mail.gmail.com>
References: <CABjN76-6P6RO0hhcepXfvBJnZKO2i=ZUUOsgQ3JWAoJ-BbkccQ@mail.gmail.com>
Message-ID: <1724436949.15170259.1433934830369.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 10 June, 2015 12:57:28 PM
> Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired == all
> 
> Indeed. I've already switched my application to https.
> 
> The reason i'm asking this is because before switching i got blank (no
> content) responses from the application's endpoints. HTTP status code was
> 200 but there was no content returned. At the same time the following
> warning appeared in the logs.
> 
> 12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator]
> (http-/192.168.1.39:8080-4) SSL is required to authenticate

In that case I'm probably mistaken and the Keycloak adapter actually checks that the request uses SSL when there's a token in it. That would make sense to me that it does, but I wasn't aware that it did ;)

> 
> 
> On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> >
> >
> > ----- Original Message -----
> > > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 10 June, 2015 8:57:01 AM
> > > Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==
> > all
> > >
> > > Hello,
> > >
> > > Can keycloak operate on HTTPS while the REST application it protects
> > runs on
> > > HTTP?
> > >
> > > I've also set "Require SSL" to "all requests"
> >
> > Keycloak only deals with request made to the Keycloak Server and doesn't
> > put any restriction on the request to your rest endpoints. However, as you
> > are passing the token in requests to your rest endpoints it wouldn't be the
> > best idea to not use ssl. Although the risk can be mitigated slightly by
> > having short lifespan on access tokens.
> >
> > >
> > >
> > > Regards
> > >
> > > Orestis
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 

From orestis.tsakiridis at telestax.com  Wed Jun 10 11:09:31 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Wed, 10 Jun 2015 18:09:31 +0300
Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==
	all
In-Reply-To: <1724436949.15170259.1433934830369.JavaMail.zimbra@redhat.com>
References: <CABjN76-6P6RO0hhcepXfvBJnZKO2i=ZUUOsgQ3JWAoJ-BbkccQ@mail.gmail.com>
	<1724436949.15170259.1433934830369.JavaMail.zimbra@redhat.com>
Message-ID: <CABjN76_ARAcPAqiGM9SaAWjmxNaD0A_J=mugmiu1isZSO-GhZA@mail.gmail.com>

Yep, it appears so.

So, we're either talking about a feature, or some sort behaviour that is
desired. Right?


Anyway, thanks for clarifying this.

On Wed, Jun 10, 2015 at 2:13 PM, Stian Thorgersen <stian at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 10 June, 2015 12:57:28 PM
> > Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired
> == all
> >
> > Indeed. I've already switched my application to https.
> >
> > The reason i'm asking this is because before switching i got blank (no
> > content) responses from the application's endpoints. HTTP status code was
> > 200 but there was no content returned. At the same time the following
> > warning appeared in the logs.
> >
> > 12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator]
> > (http-/192.168.1.39:8080-4) SSL is required to authenticate
>
> In that case I'm probably mistaken and the Keycloak adapter actually
> checks that the request uses SSL when there's a token in it. That would
> make sense to me that it does, but I wasn't aware that it did ;)
>
> >
> >
> > On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <stian at redhat.com>
> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Wednesday, 10 June, 2015 8:57:01 AM
> > > > Subject: [keycloak-user] Mixing https/http schemes with sslRequired
> ==
> > > all
> > > >
> > > > Hello,
> > > >
> > > > Can keycloak operate on HTTPS while the REST application it protects
> > > runs on
> > > > HTTP?
> > > >
> > > > I've also set "Require SSL" to "all requests"
> > >
> > > Keycloak only deals with request made to the Keycloak Server and
> doesn't
> > > put any restriction on the request to your rest endpoints. However, as
> you
> > > are passing the token in requests to your rest endpoints it wouldn't
> be the
> > > best idea to not use ssl. Although the risk can be mitigated slightly
> by
> > > having short lifespan on access tokens.
> > >
> > > >
> > > >
> > > > Regards
> > > >
> > > > Orestis
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150610/cec0203a/attachment-0001.html 

From fadiabdeen at gmail.com  Wed Jun 10 12:04:58 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Wed, 10 Jun 2015 12:04:58 -0400
Subject: [keycloak-user] Token is not active
Message-ID: <CABXXV0RiqJ9EPwN789bXxkx_KyrhOfFHOZgkzmR8juAKWXjNVw@mail.gmail.com>

When my keycloak server run for few days, it start acting weird and start
returning "Token is not active" when i just issued the token.

My server is synced with a time server so the system date should be always
valid.

The solution is to restart keycloak.

Have anyone faced this issue before ?? this issue is driving me crazy and i
cant figure it out, i  appreciate some help . .

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150610/c723b8f3/attachment.html 

From stian at redhat.com  Wed Jun 10 13:16:08 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 10 Jun 2015 13:16:08 -0400 (EDT)
Subject: [keycloak-user] Mixing https/http schemes with sslRequired ==
 all
In-Reply-To: <CABjN76_ARAcPAqiGM9SaAWjmxNaD0A_J=mugmiu1isZSO-GhZA@mail.gmail.com>
References: <CABjN76-6P6RO0hhcepXfvBJnZKO2i=ZUUOsgQ3JWAoJ-BbkccQ@mail.gmail.com>
	<1724436949.15170259.1433934830369.JavaMail.zimbra@redhat.com>
	<CABjN76_ARAcPAqiGM9SaAWjmxNaD0A_J=mugmiu1isZSO-GhZA@mail.gmail.com>
Message-ID: <839205973.15528041.1433956568553.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 10 June, 2015 5:09:31 PM
> Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired == all
> 
> Yep, it appears so.
> 
> So, we're either talking about a feature, or some sort behaviour that is
> desired. Right?

Yes, it is indeed the desired behavior.

> 
> 
> Anyway, thanks for clarifying this.
> 
> On Wed, Jun 10, 2015 at 2:13 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> >
> >
> > ----- Original Message -----
> > > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Wednesday, 10 June, 2015 12:57:28 PM
> > > Subject: Re: [keycloak-user] Mixing https/http schemes with sslRequired
> > == all
> > >
> > > Indeed. I've already switched my application to https.
> > >
> > > The reason i'm asking this is because before switching i got blank (no
> > > content) responses from the application's endpoints. HTTP status code was
> > > 200 but there was no content returned. At the same time the following
> > > warning appeared in the logs.
> > >
> > > 12:21:55,085 WARN  [org.keycloak.adapters.RequestAuthenticator]
> > > (http-/192.168.1.39:8080-4) SSL is required to authenticate
> >
> > In that case I'm probably mistaken and the Keycloak adapter actually
> > checks that the request uses SSL when there's a token in it. That would
> > make sense to me that it does, but I wasn't aware that it did ;)
> >
> > >
> > >
> > > On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <stian at redhat.com>
> > wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Orestis Tsakiridis" <orestis.tsakiridis at telestax.com>
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Wednesday, 10 June, 2015 8:57:01 AM
> > > > > Subject: [keycloak-user] Mixing https/http schemes with sslRequired
> > ==
> > > > all
> > > > >
> > > > > Hello,
> > > > >
> > > > > Can keycloak operate on HTTPS while the REST application it protects
> > > > runs on
> > > > > HTTP?
> > > > >
> > > > > I've also set "Require SSL" to "all requests"
> > > >
> > > > Keycloak only deals with request made to the Keycloak Server and
> > doesn't
> > > > put any restriction on the request to your rest endpoints. However, as
> > you
> > > > are passing the token in requests to your rest endpoints it wouldn't
> > be the
> > > > best idea to not use ssl. Although the risk can be mitigated slightly
> > by
> > > > having short lifespan on access tokens.
> > > >
> > > > >
> > > > >
> > > > > Regards
> > > > >
> > > > > Orestis
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > >
> >
> 

From pubudupg at gmail.com  Thu Jun 11 02:10:04 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Thu, 11 Jun 2015 11:40:04 +0530
Subject: [keycloak-user] Client Configuration - SAML Direct Grants
Message-ID: <CAFqgz0i64UOqRukoK=Mm5yEDGD8k9zZ2uMOVnF8Fa_d0ZEgSGQ@mail.gmail.com>

Hi All,

In the client configuration, there is a toggle option "Direct Grants
Only". From the documentation at
http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/direct-access-grants.html,
it seemed to me that direct grants are only applicable to openid
connect clients. But after turning that option on, I can still select
SAML under "Client Protocol". Is it possible to get direct grants
using SAML client protocol? Or have I misunderstood the settings in
some way?

-- 
Thanks,
Pubudu

From mposolda at redhat.com  Thu Jun 11 04:47:57 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 11 Jun 2015 10:47:57 +0200
Subject: [keycloak-user] Keycloak Oracle WebLogic Adapter
In-Reply-To: <5579477A.20809@redhat.com>
References: <5579477A.20809@redhat.com>
Message-ID: <55794B3D.5070807@redhat.com>

CCing keycloak-user mailing list (Please write rather to this ML instead 
of personally).

We don't have Oracle WebLogic adapter and I am not sure if there is plan 
to have one. Maybe it's possible to use jaspic ( 
https://jaspic-spec.java.net/ ) and write some generic jaspic adapter, 
which can be reused for more servers (Weblogic, Websphere, Glassfish, 
...), but I am not sure. If you want to investigate and contribute the 
adapter, it will be great. I would suggest to look at source code of 
existing adapters as you're already doing and inspire here.

Cheers,
Marek

On 11.6.2015 00:30, Monis Khan wrote:
>
> Good afternoon Bill and Marek,
>
> Recently we (Quintiles) have been evaluating Keycloak as a SSO 
> solution for various web apps. Keycloak?s large feature set is 
> impressive and meets our requirements.
>
> However, our apps are deployed on Oracle WebLogic servers, and thus we 
> require an adapter to interface with Keycloak.  Are there any current 
> or future plans to write such an adapter?  If there are not any plans 
> to develop such an adapter, could you point me to some documentation 
> or source code that would help me write one myself?  I have begun to 
> review Keycloak?s Tomcat and Jetty adapter source code to get an idea 
> of what is required.
>
> Any help that you can provide is greatly appreciated.
>
> Kind regards,
>
> Monis Khan
>
> ********************** IMPORTANT--PLEASE READ ************************ 
> This electronic message, including its attachments, is COMPANY 
> CONFIDENTIAL and may contain PROPRIETARY or LEGALLY PRIVILEGED 
> information. If you are not the intended recipient, you are hereby 
> notified that any use, disclosure, copying, or distribution of this 
> message or any of the information included in it is unauthorized and 
> strictly prohibited. If you have received this message in error, 
> please immediately notify the sender by reply e-mail and permanently 
> delete this message and its attachments, along with any copies 
> thereof. Thank you. 
> ************************************************************************ 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150611/56ab8975/attachment.html 

From tair.sabirgaliev at bee.kz  Thu Jun 11 10:41:23 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Thu, 11 Jun 2015 20:41:23 +0600
Subject: [keycloak-user] Load bearer-only app resource to iframe
Message-ID: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>

Hi!

I have a REST resource /rest/some/pdf in bearer-only application. The client app uses angular, I have setup it according to keycloak demos.
On my angular page i have an <iframe src=?/rest/some/pdf??.>. I can?t pass auth headers to iframe url. What is the right thing to do here?

Thank you!


--?
Tair Sabirgaliev
Bee Software, LLP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150611/a7951193/attachment.html 

From kevin.thorpe at p-i.net  Thu Jun 11 13:13:53 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Thu, 11 Jun 2015 18:13:53 +0100
Subject: [keycloak-user] Broken after changing theme - how to reset theme
	without UI?
Message-ID: <CAFMa6BayAGNhYV2XyVSE10k6MSexPN-ZA7SSB1WxPMEY18s8Mw@mail.gmail.com>

Hi,
   we had an install of Keycloak 1.2.0-beta (Ithink) and I changed the
admin theme to 'base'. After that the admin console
doesn't work. All I get is
 *{{notification.header}}* {{notification.message}}
Loading...
because there are loads of 404 requests for javascript components eg:
http://ld5-keycloak.p-i.net:8080/auth/resources/1.2.0.final/admin/base/lib/jquery/jquery-1.10.2.js
Failed to load resource: the server responded with a status of 404 (Not
Found)
We upgraded to 1.2.0-final but that didn't help

How do I manually reset the theme to keycloak to get over this? The
documentation only covers using the admin console to do
that and I've lost that.


*Kevin Thorpe*
CTO
www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150611/d974e1bc/attachment-0001.html 

From srossillo at smartling.com  Thu Jun 11 13:39:54 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 11 Jun 2015 13:39:54 -0400
Subject: [keycloak-user] Broken after changing theme - how to reset
	theme without UI?
In-Reply-To: <CAFMa6BayAGNhYV2XyVSE10k6MSexPN-ZA7SSB1WxPMEY18s8Mw@mail.gmail.com>
References: <CAFMa6BayAGNhYV2XyVSE10k6MSexPN-ZA7SSB1WxPMEY18s8Mw@mail.gmail.com>
Message-ID: <38B74C5F-FEE8-4811-BE9B-F916FF1F810D@smartling.com>


Shut down the Keycloak server a login to the database and run:

update REALM set ACCOUNT_THEME = null, ADMIN_THEME = null, LOGIN_THEME = null

It will use the theme specified in keycloak-server.json then, which by default is keycloak.

~ Scott

> On Jun 11, 2015, at 1:13 PM, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:
> 
> Hi, 
>    we had an install of Keycloak 1.2.0-beta (Ithink) and I changed the admin theme to 'base'. After that the admin console
> doesn't work. All I get is 
>  {{notification.header}} {{notification.message}}
> Loading...
> because there are loads of 404 requests for javascript components eg:
> http://ld5-keycloak.p-i.net:8080/auth/resources/1.2.0.final/admin/base/lib/jquery/jquery-1.10.2.js <http://ld5-keycloak.p-i.net:8080/auth/resources/1.2.0.final/admin/base/lib/jquery/jquery-1.10.2.js> Failed to load resource: the server responded with a status of 404 (Not Found)
> We upgraded to 1.2.0-final but that didn't help
> 
> How do I manually reset the theme to keycloak to get over this? The documentation only covers using the admin console to do 
> that and I've lost that.
> 
> Kevin Thorpe
> CTO
> www.p-i.net <http://www.p-i.net/> | @PI_150 <https://twitter.com/@PI_150>
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150611/a3039caa/attachment.html 

From juandiego83 at gmail.com  Thu Jun 11 16:51:10 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 11 Jun 2015 15:51:10 -0500
Subject: [keycloak-user] keycloak and angular
Message-ID: <CAJGEj6cazV2NB9AEgdO32zH9BFO2ST_9=Z3tdzQR_W-LWUkztQ@mail.gmail.com>

Hi,

I was looking at the angular product app in the demos.  And I am trying
having some issues, if you use it with angular 1.3 it says that
responseInterceptors  are deprecated, but I got around that.

I am not using

angular.element(document).ready() and
keycloakAuth.init({ onLoad: 'login-required' })

like in the example because I want my users to click on a login
button.  So I have a function like this

var login = function () {
    keycloakAuth.login();
}

I also have a init() function that is like this:
var init = function(){
    auth.loggedIn = false;

    keycloakAuth.init().success(function(authenticated) {
        if(authenticated ){
            auth.loggedIn = true;
            //auth.authz = keycloakAuth;
        }else{
            auth.loggedIn = false;
        }
        console.log('Init Autenticado ' +auth.loggedIn );
    }).error(function() {
        console.log('failed to initialize');
        auth.loggedIn = false;
    });

}

And I call it on my script at the end.

And it seems to work.  But I am trying to do 2 things, save the token
and use angular.  I know javascript but I am just starting with
angular.

So here I have some questions.

In the angular example is the 'authInterceptor' supposed to replace
onAuthSuccess callback.  Or am I wrong.
Using angular how should I talk the callback listeners

Second part, is that in the "authInterceptor" I am getting
Auth.authz.token as undefined, but in my console.log I can see it.

So apparently console.log gets executed after a while, so that is why
i can see the token on console.log, but authz.token is undefined
aparently.

Maybe I am wrong with my logic, so here is what I think are the basic
parts of using keycloak.js.
Should I use document ready and remove ng-app on my page for keycloak to work

thanks,

Juan Diego
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150611/cce36447/attachment.html 

From kalc04 at gmail.com  Fri Jun 12 01:33:42 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 12 Jun 2015 11:03:42 +0530
Subject: [keycloak-user] Exception thrown when deleting user through API
 (when Keycloak servers are highly available)
Message-ID: <CAPj1eSyxkGxnmhSQJ_Pif34qvWcrj1VhCmd4KahDR=ciUC1F1A@mail.gmail.com>

Hi,

We're running into a bit of a problem when trying to delete users through
the API. The error returned is of HTML format with 500 error code:
<html><head><title>Error</title></head><body>Internal Server
Error</body></html>

Please note:
- We're using Infinispan for userSessions, realmCache and userCache. Rest
of the data is in MySQL.
- Issue only occurs when Keycloak servers are highly available (2 servers
in our case). Works fine when only one server is up.

Logs reveal that this is possibly a serialization issue related to
Infinispan:

[2015-06-12 04:56:54.0303], ERROR,
org.infinispan.interceptors.InvocationContextInterceptor default task-11 -
ISPN000136: Execution error: org.infinispan.commons.CacheException:
java.lang.RuntimeException: Failure to marshal argument(s)
    at
org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
    at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:176)
    at
org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:521)
    at
org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
    at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
    at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processSingleCall(CommandAwareRpcDispatcher.java:352)
    at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:167)
    ... 94 more
Caused by: org.infinispan.commons.marshall.NotSerializableException:
org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
Caused by: an exception which occurred:
    in object
org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
        -> toString =
org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
    in object org.infinispan.commands.write.RemoveCommand at 914fd0ce
        -> toString =
RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72,
value=null, flags=null, valueMatcher=MATCH_ALWAYS}
    in object org.infinispan.commands.remote.SingleRpcCommand at bfee4c5c
        -> toString = SingleRpcCommand{cacheName='loginFailures',
command=RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72,
value=null, flags=null, valueMatcher=MATCH_ALWAYS}}


Also there's a DEBUG log as follows:

[2015-06-12 04:56:54.0301], DEBUG,
org.infinispan.marshall.core.VersionAwareMarshaller default task-11 -
Object is not serializable: java.io.NotSerializableException:
org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
    at
org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:860)
    at
org.jboss.marshalling.AbstractObjectOutput.writeObject(AbstractObjectOutput.java:58)
    at
org.jboss.marshalling.AbstractMarshaller.writeObject(AbstractMarshaller.java:111)
    at
org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeCommandParameters(ReplicableCommandExternalizer.java:57)
    at
org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:42)
    at
org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:30)
    at
org.infinispan.marshall.core.ExternalizerTable$ExternalizerAdapter.writeObject(ExternalizerTable.java:395)
    at
org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:138)


Our Keycloak HA system works fine except for this issue. Please advise on
how tackle this.


Regards,
Lohitha.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150612/70b2b0ea/attachment.html 

From Henk.Laracker at planonsoftware.com  Fri Jun 12 02:37:55 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Fri, 12 Jun 2015 08:37:55 +0200
Subject: [keycloak-user] Import External IDP Config
In-Reply-To: <1563197306.7542120.1433799096176.JavaMail.yahoo@mail.yahoo.com>
References: <D19B6A93.1DC77%henk.laracker@planonsoftware.com>
	<1563197306.7542120.1433799096176.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <D1A04A9D.1DF2A%henk.laracker@planonsoftware.com>

Hi,

This is the metadata file which give a feedback that everything is ok, but nothing is read:

<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_17f4835f-df3b-41eb-bf98-4321cdab2bf6" entityID="http://bla.com/trust">
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
         <ds:Reference URI="#_17f4835f-df3b-41eb-bf98-4321cdab2bf6">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>mErB5PiBx2+KMZYu8prJSZxSy6o4FeJc/OZUuckhie0=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>iUfHqj48oYZA+sy+mogIJG3ooSl4l/XBE1NCnnSYzqxHgftNXqLBMcgldnIIiDwwGXyKAHN5d7aFk3FbURwQ1/1V4LlaUrh8Ppm82/DXTJDLrLyyj1zk/5FBsSRW8gW3roB0+LCAE+xzr4qKWiCtVroIPwTP1wyGwdpfiF+RUd9EnRdPmRDb3hYV3/77tXBfsbDv0bz5EPzbAmsXaufndjpnuDluz5kddJyjdjX/77MCpTdBR2oLWx6/lxH2ZGEJf/MtyMB58TnmPLFQ5sHW9S2KkO3ODGbpy1+rw5/sYe5TFYYWGhIu7+uHGuhl94k4x/i1N1ch9Zs02Ou1V6CmOg==</ds:SignatureValue>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
            <X509Certificate>MIIC5jCCAc6gAwIBAgIQXn1r5kqQao9JlOksbxZDXjANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wHhcNMTUwMTIzMjIwNDM0WhcNMTYwMTIzMjIwNDM0WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wggEiLA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDilI+XZfNZ/b2pQWeqDLVyXEIn+6BL3KcAv/R0tRtC2mlnQFpf3uHxF8sd3kdHcexB/ugihNvVdZJExlnkKCoL8kvNFGeDc0T9vOItd2A/Hm1WCRtqc+cZ/z9uPwqZxnRTjEfCn+X/mbCrG4VQbeMsGy/UKib5WUUuXpnjOaaZmfIoTMeJ0vMj9GBZUGBJu56bbiWOK/mYsXy8Xb2uNf7uXvFmWcAIriZMhHgML6KhDHeqhu3QAwrXEbp4co5+FSNaaelUHhrDxz/0yc9Lxmuf+OnKJu/CYcdAQPzaFvn33ceJE/yJDe2lYFocSx0930lM5Q/SWMMGT+OvQZVsDaLTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKe6zgWy6jIOFCCyTtA/9NFaJP54GnSOhRpbApK+PvPDUBjRUj5hpWMKg9O964HofAorO5KZOsiPMfKI5dAfLzAgts0n0ji41UMGbnpTKJ3N9pWTsTG1s+sTOA63mmIRms+So/y/JsA3YWa+Apx9EvB/GkOrT9vRIbCz31bMAY9ohwMyhfYv7i5qLjWYnbF19ioLHvO527nfr8XcsSNYJLkHt3VMWX2Q1OfjgWN/XFkBY/Moj0J/PUkXDii928RAfylLD3JZdeuhw5kQBOvWFh8BiVQpvaETZcGeUzit6O1072kDfq+UGOMSUB9DOQde2/4nExr6Qr6XW9vp3JetmPU=</X509Certificate>
         </X509Data>
      </KeyInfo>
   </ds:Signature>
   <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="bla.com">
      <KeyDescriptor use="encryption">
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
               <X509Certificate>MIIC7DCCAdSgAwIBAgIQdtaCBGq5JZlHSOqPMWkKjjANBgkqhkiG9w0BAQsFADAyMTAwLgYDVQQDEydBREZTIEVuY3J5cHRpb24gLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wHhcNMTUwMTIzMjIwNDI2WhcNMTYwMTIzMjIwNDI2WjAyMTAwLgYDVQQDEydBREZTIEVuY3J5cHRpb24gLSBhZGZzLmSpcmVjdGVuZXJneS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKq1rfU0BsBW8cEPxpla6sWZhEA7AvTPFiNUJ8B1Ih3O01A6dq7mGycTHdxG+m3ZIUcCmihExjxrGRT4pd9f78uJCCHxm+gBfq8gHgA2gml/jtxeRRc4h8cl3qgBdTdpyEN6dFLbGYRgNo1JIDSJzSrNbmNggoKpzuWLMBjJ2AHfnG6hAzJWtvM2phf88WbWoxYAQmm1Fq3Usy6WgYFg+Iz1Z4XEgAB35bG4nmqROU4U3djmR4DxZup4zbKi422t32tFy8MU/VEshiREKB22BcxNHTXi1YHXNtCQixMcOvK21w/Ha1o8AypZ9yBBj3cfwTJ9NLO4Xf9+Mf9FeA6BgZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJHmw9MjdjXYf9q4Szo76xDfZC1jV+MXPizPEKzujjF5V90u6WWWbmR4ye9zT6nuMfFP7fNbm46A9yhuUiqeXpLQP80rC7d5XJeEhIhogLRH6xJXKOF5XVbN0RGi7ARTHsEzjyuZWs2N2ibPU55gLTlGTr/aW7jbs5UWEXG2ymM4SmiAUQbG8bRXNI6bQYe7Db2XEZ4H2D8TUMcHn0LtTF+dhpQTOep9Yf8/6Qdci/6FptSfi4nNPPKzvGfBu9uVaeCl/aGI3LA8QYIPbdIfUoJge5ym04j9sUVW7fkyWY8WkmQPZHntjeTYkBH4nLUH/OkLCa1KC6a3K67cp3j6AE=</X509Certificate>
            </X509Data>
         </KeyInfo>
      </KeyDescriptor>
      <fed:ClaimTypesRequested>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">
            <auth:DisplayName>E-Mail Address</auth:DisplayName>
            <auth:Description>The e-mail address of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">
            <auth:DisplayName>Given Name</auth:DisplayName>
            <auth:Description>The given name of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">
            <auth:DisplayName>Name</auth:DisplayName>
            <auth:Description>The unique name of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">
            <auth:DisplayName>UPN</auth:DisplayName>
            <auth:Description>The user principal name (UPN) of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">
            <auth:DisplayName>Common Name</auth:DisplayName>
            <auth:Description>The common name of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">
            <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>
            <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">
            <auth:DisplayName>Group</auth:DisplayName>
            <auth:Description>A group that the user is a member of</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">
            <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>
            <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">
            <auth:DisplayName>Role</auth:DisplayName>
            <auth:Description>A role that the user has</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">
            <auth:DisplayName>Surname</auth:DisplayName>
            <auth:Description>The surname of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">
            <auth:DisplayName>PPID</auth:DisplayName>
            <auth:Description>The private identifier of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">
            <auth:DisplayName>Name ID</auth:DisplayName>
            <auth:Description>The SAML name identifier of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">
            <auth:DisplayName>Authentication time stamp</auth:DisplayName>
            <auth:Description>Used to display the time and date that the user was authenticated</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">
            <auth:DisplayName>Authentication method</auth:DisplayName>
            <auth:Description>The method used to authenticate the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">
            <auth:DisplayName>Deny only group SID</auth:DisplayName>
            <auth:Description>The deny-only group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">
            <auth:DisplayName>Deny only primary SID</auth:DisplayName>
            <auth:Description>The deny-only primary SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">
            <auth:DisplayName>Deny only primary group SID</auth:DisplayName>
            <auth:Description>The deny-only primary group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">
            <auth:DisplayName>Group SID</auth:DisplayName>
            <auth:Description>The group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">
            <auth:DisplayName>Primary group SID</auth:DisplayName>
            <auth:Description>The primary group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">
            <auth:DisplayName>Primary SID</auth:DisplayName>
            <auth:Description>The primary SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">
            <auth:DisplayName>Windows account name</auth:DisplayName>
            <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description>
         </auth:ClaimType>
      </fed:ClaimTypesRequested>
      <fed:TargetScopes>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
         </EndpointReference>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address>
         </EndpointReference>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address>
         </EndpointReference>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address>
         </EndpointReference>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/ls/</Address>
         </EndpointReference>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://bla.com/adfs/services/trust</Address>
         </EndpointReference>
      </fed:TargetScopes>
      <fed:ApplicationServiceEndpoint>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
         </EndpointReference>
      </fed:ApplicationServiceEndpoint>
      <fed:PassiveRequestorEndpoint>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/ls/</Address>
         </EndpointReference>
      </fed:PassiveRequestorEndpoint>
   </RoleDescriptor>
   <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="bla.com">
      <KeyDescriptor use="signing">
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
               <X509Certificate>MIIC5jCCAc6gAwIBAgIQXn1r5kqQao9JlOksbxZDXjANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wHhcNMTUwMTIzMjIwNDM0WhcNMTYwMTIzMjIwNDM0WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDilI+XZfNZ/b2pQWeqDLVyXEIn+6BL3KcAv/R0tRtC2mlnQFpf3uHxF8sd3kdHcexB/ugihNvVdZJExlnkKCoL8kvNFGeDc0T9vOItd2A/Hm1WCRtqc+cZ/z9uPwqZxnRTjEfCn+X/mbCrG4VQbeMsGy/UKib5WUUuXpnjOaaZmfIoTMeJ0vLj9GBZUGBJu56bbiWOK/mYsXy8Xb2uNf7uXvFmWcAIriZMhHgML6KhDHeqhu3QAwrXEbp4co5+FSNaaelUHhrDxz/0yc9Lxmuf+OnKJu/CYcdAQPzaFvn33ceJE/yJDe2lYFocSx0930lM5Q/SWMMGT+OvQZVsDaLTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKe6zgWy6jIOFCCyTtA/9NFaJP54GnSOhRpbApK+PvPDUBjRUj5hpWMKg9O964HofAorO5VZOsiPMfKI5dAfLzAgts0n0ji41UMGbnpTKJ3N9pWTsTG1s+sTOA63mmIRms+So/y/JsA3YWa+Apx9EvB/GkOrT9vRIbCz31bMAY6ohwMyhfYv7i5qLjWYnbF19ioLHvO527nfr8XcsSNYJLkHt3VMWX2Q1OfjgWN/XFkBY/Moj0J/PUkXDii928RAfylLD3JZdeuhw5kQBOvWFh8BiVQpvaETZcGeUzit6O1072kDfq+UGOMSUB9DOQde2/4nExr6Qr6XW9vp3JetmPU=</X509Certificate>
            </X509Data>
         </KeyInfo>
      </KeyDescriptor>
      <fed:TokenTypesOffered>
         <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion" />
         <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion" />
      </fed:TokenTypesOffered>
      <fed:ClaimTypesOffered>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">
            <auth:DisplayName>E-Mail Address</auth:DisplayName>
            <auth:Description>The e-mail address of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true">
            <auth:DisplayName>Given Name</auth:DisplayName>
            <auth:Description>The given name of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true">
            <auth:DisplayName>Name</auth:DisplayName>
            <auth:Description>The unique name of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">
            <auth:DisplayName>UPN</auth:DisplayName>
            <auth:Description>The user principal name (UPN) of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/CommonName" Optional="true">
            <auth:DisplayName>Common Name</auth:DisplayName>
            <auth:Description>The common name of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/EmailAddress" Optional="true">
            <auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName>
            <auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/Group" Optional="true">
            <auth:DisplayName>Group</auth:DisplayName>
            <auth:Description>A group that the user is a member of</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/claims/UPN" Optional="true">
            <auth:DisplayName>AD FS 1.x UPN</auth:DisplayName>
            <auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">
            <auth:DisplayName>Role</auth:DisplayName>
            <auth:Description>A role that the user has</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true">
            <auth:DisplayName>Surname</auth:DisplayName>
            <auth:Description>The surname of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" Optional="true">
            <auth:DisplayName>PPID</auth:DisplayName>
            <auth:Description>The private identifier of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" Optional="true">
            <auth:DisplayName>Name ID</auth:DisplayName>
            <auth:Description>The SAML name identifier of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" Optional="true">
            <auth:DisplayName>Authentication time stamp</auth:DisplayName>
            <auth:Description>Used to display the time and date that the user was authenticated</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" Optional="true">
            <auth:DisplayName>Authentication method</auth:DisplayName>
            <auth:Description>The method used to authenticate the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" Optional="true">
            <auth:DisplayName>Deny only group SID</auth:DisplayName>
            <auth:Description>The deny-only group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" Optional="true">
            <auth:DisplayName>Deny only primary SID</auth:DisplayName>
            <auth:Description>The deny-only primary SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" Optional="true">
            <auth:DisplayName>Deny only primary group SID</auth:DisplayName>
            <auth:Description>The deny-only primary group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" Optional="true">
            <auth:DisplayName>Group SID</auth:DisplayName>
            <auth:Description>The group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" Optional="true">
            <auth:DisplayName>Primary group SID</auth:DisplayName>
            <auth:Description>The primary group SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" Optional="true">
            <auth:DisplayName>Primary SID</auth:DisplayName>
            <auth:Description>The primary SID of the user</auth:Description>
         </auth:ClaimType>
         <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" Optional="true">
            <auth:DisplayName>Windows account name</auth:DisplayName>
            <auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description>
         </auth:ClaimType>
      </fed:ClaimTypesOffered>
      <fed:SecurityTokenServiceEndpoint>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/services/trust/2005/certificatemixed</Address>
            <Metadata>
               <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
                  <wsx:MetadataSection xmlns="" Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">
                     <wsx:MetadataReference>
                        <Address xmlns="http://www.w3.org/2005/08/addressing">https://bla.com/adfs/services/trust/mex</Address>
                     </wsx:MetadataReference>
                  </wsx:MetadataSection>
               </Metadata>
            </Metadata>
         </EndpointReference>
      </fed:SecurityTokenServiceEndpoint>
      <fed:PassiveRequestorEndpoint>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://bla.com/adfs/ls/</Address>
         </EndpointReference>
      </fed:PassiveRequestorEndpoint>
   </RoleDescriptor>
   <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="encryption">
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
               <X509Certificate>MIIC7DCCAdSgAwIBAgIQdtaCBGq5JZlHSOqPMWkKjjANBgkqhkiG9w0BAQsFADAyMTAwLgYDVQQDEydBREZTIEVuY3J5cHRpb24gLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wHhcNMTUwMTIzMjIwNDI2WhcNMTYwMTIzMjIwNDI2WjAyMTAwLgYDVQQDEydBREZTIEVuY3J5cHRpb24gLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKq1rfU0BsBW8cEPxpla6sWZhEA7AvTPFiNUJ8B1Ii3O01A6dq7mGycTHdxG+m3ZIUcCmihExjxrGRT4pd9f78uJCCHxm+gBfq8gHgA2gml/jtxeRRc4h8cl3qgBdTdpyEN6dFLbGYRgNo1JIDSJzSrNbmNggoKpzuWLMBjJ2AHfnG6hAzJWtvM2phf88WbWoxYAQmm1Fq3Usy6WgYFg+Iz1Z4XEgAB35bG4nmqROU4U3djmR4DxZup4zbKi422t32tFy8MU/VEshiREKB22BcxNHTXi1YHXNtCQixMcOvK21w/Ha1o8AypZ8yBBj3cfwTJ9NLO4Xf9+Mf9FeA6BgZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJHmw9MjdjXYf9q4Szo76xDfZC1jV+MXPizPEKzujjF5V90u6WWWbmR4ye9zT6nuMfFP7fNbm46A9yhuUiqeXpLQP80rC7d5XJeEhIhogLRH6xJXKOF5XVbN0RGi7ARTHsFzjyuZWs2N2ibPU55gLTlGTr/aW7jbs5UWEXG2ymM4SmiAUQbG8bRXNI6bQYe7Db2XEZ4H2D8TUMcHn0LtTF+dhpQTOep9Yf8/6Qdci/6FptSfi4nNPPKzvGfBu9uVaeCl/aGI3LA8QYIPbdIfUoJge5ym04j9sUVW7fkyWY8WkmQPZHntjeTYkBH4nLUH/OkLCa1KC6a3K67cp3j6AE=</X509Certificate>
            </X509Data>
         </KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="signing">
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
               <X509Certificate>MIIC5jCCAc6gAwIBAgIQXn1r5kqQao9JlOksbxZDXjANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wHhcNMTUwMTIzMjIwNDM0WhcNMTYwMTIzMjIwNDM0WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuYXJneS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDilI+XZfNZ/b2pQWeqDLVyXEIn+6BL3KcAv/R0tRtC2mlnQFpf3uHxF8sd3kdHcexB/ugihNvVdZJExlnkKCoL8kvNFGeDc0T9vOItd2A/Hm1WCRtqc+cZ/z9uPwqZxnRTjEfCn+X/mbCrG4VQbeMsGy/UKib5WUUuXpnjOaaZmfIoTMeJ0vMj9GBZUGBJu56bbiWOK/mYsXy8Xb2uNf7uXvFmWcAIriZMhHgML6KhDHeqhu3QAwrXEbp4co5+FSNaaelUHhrDxz/0yc9Lxmuf+OnKJu/CYcdAQPzaFvn33ceJE/yJDe2lYFocSx0930lM5Q/SWMMGT+OvQZVsDaLTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKe6zgWy6jIOFCCyTtA/9NFaJP54GnSOhRpbApK+PvPDUBjRUj5hpVMKg9O964HofAorO5VZOsiPMfKI5dAfLzAgts0n0ji41UMGbnpTKJ3N9pWTsTG1s+sTOA63mmIRms+So/y/JsA3YWa+Apx9EvB/GkOrT9vRIbCz31bMAY9ohwMyhfYv7i5qLjWYnbF19ioLHvO527nfr8XcsSNYJLkHt3VMWX2Q1OfjgWN/XFkBY/Moj0J/PUkXDii928RAfylLD3JZdeuhw5kQBOvWFh8BiVQpvaETZcGeUzit6O1072kDfq+UGOMSUB9DOQde2/4nExr6Qr6XW9vp3JetmPU=</X509Certificate>
            </X509Data>
         </KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://bla.com/adfs/ls/" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://bla.com/adfs/ls/" />
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://bla.com/adfs/ls/" index="0" isDefault="true" />
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://bla.com/adfs/ls/" index="1" />
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://bla.com/adfs/ls/" index="2" />
   </SPSSODescriptor>
   <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="encryption">
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
               <X509Certificate>MIIC7DCCAdSgAwIBAgIQdtaCBGq5JZlHSOqPMWkKjjANBgkqhkiG9w0BAQsFADAyMTAwLgYDVQQDEydBREZTIEVuY3J5cHRpb24gLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wHhcNMTUwMTIzMjIwNDI2WhcNMTYwMTIzMjIwNDI2WjAyMTAwLgYDVQQDEydBREZTIEVuY3J5cHRpb24gLSBhZGZzLlRpcmVjdGVuZXJneS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKq1rfU0BsBW8cEPxpla6sWZhEA7AvTPFiNUJ8B1Ih3O01A6dq7mGycTHdxG+m3ZIUcCmihExjxrGRT4pd9f78uJCCHxm+gBfq8gHgA2gml/jtxeRRc4h8cl3qgBdTdpyEN6dFLbGYRgNo1JIDSJzSrNbmNggoKpzuWLMBjJ2AHfnG6hAzJWtvM2phf88WbWoxYAQmm1Fq3Usy6WgYFg+Iz1Z4XEgAB35bG4nmqROU4U3djmR4DxZup4zbKi422t32tFy8MU/VEshiREKB22BcxNHTXi1YHXNtCQixMcOvK21w/Ha1o8AypZ8yBBj3cfwTJ9NLO4Xf9+Mf9FeA6BgZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJHmw9MjdjXYf9q4Szo76xDfZC1jV+MXPizPEKzujjF5V90u6WWWbmR4ye9zT6nuMfFP7fNbm46A9yhuUiqeXpLQP80rC7d5XJeEhIhogLRH6xJXKOF5XVbN0RGi7ARTHsEzjyuZWs2N2ibPU55gLTlGTr/aW7jbs5UWEXG2ymM4SmiAUQbG8bRXNI6bQYe7Db2XEZ4H2D8TUMcHn0LtTF+dhpQTOep9Yf8/6Qdci/6FptSfi4nNPPKzvGfBu9uVaeCl/aGI3LA8QYIPbdIfUoJge5ym04j9sUVW7fkyWY8WkmQPZHntjeTYkBH4nLUH/OkLCa1KC6a3K67cp3j6AE=</X509Certificate>
            </X509Data>
         </KeyInfo>
      </KeyDescriptor>
      <KeyDescriptor use="signing">
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
               <X509Certificate>MIIC5jCCAc6gAwIBAgIQXn1r5kqQao9JlOksbxZDXjANBgkqhkiG9w0BAQsFADAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wHhcNMTUwMTIzMjIwNDM0WhcNMTYwMTIzMjIwNDM0WjAvMS0wKwYDVQQDEyRBREZTIFNpZ25pbmcgLSBhZGZzLmRpcmVjdGVuZXJneS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDilI+XZfNZ/b2pQWeqDLVyXEIn+6BL3KcAv/R0tRtC2mlnQFpf3uHxF8sd3kdHcexB/ugihNvVeZJExlnkKCoL8kvNFGeDc0T9vOItd2A/Hm1WCRtqc+cZ/z9uPwqZxnRTjEfCn+X/mbCrG4VQbeMsGy/UKib5WUUuXpnjOaaZmfIoTMeJ0vMj9GBZUGBJu56bbiWOK/mYsXy8Xb2uNf7uXvFmWcAIriZMhHgML6KhDHeqhu3QAwrXEbp4co5+FSNaaelUHhrDxz/0yc9Lxmuf+OnKJu/CYcdAQPzaFvn33ceJE/yJDe2lYFocSx0930lM5Q/SWMMGT+OvQZVsDaLTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKe6zgWy6jIOFCCyTtA/9NFaJP54GnSOhRpbApK+PvPDUBjRUj5hpWMKg9O964HofAorO5VZOsiPMfKI5dAfLzAgts0n0ji41UMGbnpTKJ3N9pWTsTG1s+sTOA63mmIRms+So/y/JsA3YWa+Apx9EvB/GkOrT9vRIbCz31bMAY9ohwMyhfYv7i5qLjWYnbF19ioLHvO527nfr8XcsSNYJLkHt3VMWX2Q1OfjgWN/XFkBY/Moj0J/PUkXDii928RAfylLD3JZdeuhw5kQBOvWFh8BiVQpvaETZcGeUzit6O1072kDfq+UGOMSUB9DOQde2/4nExr6Qr6XW9vp3JetmPU=</X509Certificate>
            </X509Data>
         </KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://bla.com/adfs/ls/" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://bla.com/adfs/ls/" />
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://bla.com/adfs/ls/" />
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://bla.com/adfs/ls/" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="UPN" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/CommonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Common Name" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x E-Mail Address" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD FS 1.x UPN" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Role" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Surname" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="PPID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication time stamp" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Authentication method" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only group SID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary SID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Deny only primary group SID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Group SID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary group SID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Primary SID" />
      <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name" />
   </IDPSSODescriptor>
</EntityDescriptor>

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s cordialement,

Henk Laracker

From: Raghu Prabhala <prabhalar at yahoo.com<mailto:prabhalar at yahoo.com>>
Reply-To: Raghu Prabhala <prabhalar at yahoo.com<mailto:prabhalar at yahoo.com>>
Date: Monday 8 June 2015 23:31
To: Henk Laracker <henk.laracker at planonsoftware.com<mailto:henk.laracker at planonsoftware.com>>, "keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>" <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
Subject: Re: [keycloak-user] Import External IDP Config

Even I had similar issue earlier. Cleaning the browser cache and importing the config files addressed it You can give it a try.



________________________________
From: Henk Laracker <Henk.Laracker at planonsoftware.com<mailto:Henk.Laracker at planonsoftware.com>>
To: "keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>" <keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
Sent: Monday, June 8, 2015 9:51 AM
Subject: [keycloak-user] Import External IDP Config

Hi,

>From two different customers I received a idp config xml file. Both files I can import without a error, but nothing is filled in the fields. From security reasons I can not send the files. What is input you need to solve this problem? Is it possible to change the log level of the keycloak server. We are running it on openshift (private)

Met vriendelijke groet / Yours sincerely / Mit freundlichen Gr??en / Tr?s cordialement,

Henk Laracker


_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150612/635553d4/attachment-0001.html 

From stian at redhat.com  Fri Jun 12 02:39:20 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 12 Jun 2015 02:39:20 -0400 (EDT)
Subject: [keycloak-user] Exception thrown when deleting user through API
 (when Keycloak servers are highly available)
In-Reply-To: <CAPj1eSyxkGxnmhSQJ_Pif34qvWcrj1VhCmd4KahDR=ciUC1F1A@mail.gmail.com>
References: <CAPj1eSyxkGxnmhSQJ_Pif34qvWcrj1VhCmd4KahDR=ciUC1F1A@mail.gmail.com>
Message-ID: <719385361.16360079.1434091160950.JavaMail.zimbra@redhat.com>

Please upgrade to latest release - this issue should already be fixed

----- Original Message -----
> From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 12 June, 2015 7:33:42 AM
> Subject: [keycloak-user] Exception thrown when deleting user through API (when Keycloak servers are highly available)
> 
> Hi,
> 
> We're running into a bit of a problem when trying to delete users through the
> API. The error returned is of HTML format with 500 error code:
> <html><head><title>Error</title></head><body>Internal Server
> Error</body></html>
> 
> Please note:
> - We're using Infinispan for userSessions, realmCache and userCache. Rest of
> the data is in MySQL.
> - Issue only occurs when Keycloak servers are highly available (2 servers in
> our case). Works fine when only one server is up.
> 
> Logs reveal that this is possibly a serialization issue related to
> Infinispan:
> 
> [2015-06-12 04:56:54.0303], ERROR,
> org.infinispan.interceptors.InvocationContextInterceptor default task-11 -
> ISPN000136: Execution error: org.infinispan.commons.CacheException:
> java.lang.RuntimeException: Failure to marshal argument(s)
> at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:176)
> at
> org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:521)
> at
> org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
> Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processSingleCall(CommandAwareRpcDispatcher.java:352)
> at
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:167)
> ... 94 more
> Caused by: org.infinispan.commons.marshall.NotSerializableException:
> org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> Caused by: an exception which occurred:
> in object
> org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> -> toString =
> org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> in object org.infinispan.commands.write.RemoveCommand at 914fd0ce
> -> toString =
> RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72,
> value=null, flags=null, valueMatcher=MATCH_ALWAYS}
> in object org.infinispan.commands.remote.SingleRpcCommand at bfee4c5c
> -> toString = SingleRpcCommand{cacheName='loginFailures',
> command=RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72,
> value=null, flags=null, valueMatcher=MATCH_ALWAYS}}
> 
> 
> Also there's a DEBUG log as follows:
> 
> [2015-06-12 04:56:54.0301], DEBUG,
> org.infinispan.marshall.core.VersionAwareMarshaller default task-11 - Object
> is not serializable: java.io.NotSerializableException:
> org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> at
> org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:860)
> at
> org.jboss.marshalling.AbstractObjectOutput.writeObject(AbstractObjectOutput.java:58)
> at
> org.jboss.marshalling.AbstractMarshaller.writeObject(AbstractMarshaller.java:111)
> at
> org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeCommandParameters(ReplicableCommandExternalizer.java:57)
> at
> org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:42)
> at
> org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:30)
> at
> org.infinispan.marshall.core.ExternalizerTable$ExternalizerAdapter.writeObject(ExternalizerTable.java:395)
> at
> org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:138)
> 
> 
> Our Keycloak HA system works fine except for this issue. Please advise on how
> tackle this.
> 
> 
> Regards,
> Lohitha.
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From g.leon at betiator.com  Fri Jun 12 03:13:42 2015
From: g.leon at betiator.com (George Leon)
Date: Fri, 12 Jun 2015 10:13:42 +0300
Subject: [keycloak-user] Help us understand integration options that would
 allow us easy future upgrades
Message-ID: <557A86A6.3030707@betiator.com>

Good Morning everybody,


We need to send / propagate in real time   some  user  data ( user_name 
and email for example  )   when a new user registers via Keycloak 
registration form
to our operations database that is in Couchbase .  I like to explore 
what would be the best solution as to allow us easy future upgrades.

Our scenario is to use JBoss Keycloak  with Mysql DB  and have our 
application   frontend    a Javascript client  that hits the Restful API 
backend on Wildfly  that talks to Couchbase database. Our Frontend app 
will use the JBoss Keycloak  login / registration to allow users to get 
token and then use the restful API that is based on RestEasy and is 
under Keycloak security.   Now as Couchbase is high performance    we 
need to minimize the mysql exposure .


Totally exteranlly to JBoss Keycloak
1) one way  I see this is if we can do at the Database layer  with a 
table trigger on the user table to run a external java program .
2) with a process running and checking and syncing the data
     ,but they do not seem natural and as programmers we might do better.


With minimal intervention in front end
3) Overriding some code in the JBoss Keycloak front-end registration 
page   (  can't seen to find it however is it a JSP?  where might i find 
it ? )

With intervention in JBoss Keycloak if it is supported some how
4)  Hook in to  JBoss Keyclock some where  to run our custom java code 
when user registration happens ?

5) Also I see that the admin API   has create, update delete user 
endpoints but we would really like to use JBoss Keycloak
   for login and registration etc to get the added features  you provide.

6) Does Keycloak  have a work flow engine  for user registration that we 
could add pragmatically   a custom java action to it  ?

Basically we need help on understanding  integration options   that 
would allow us easy future upgrades.


Thanks in advanced
George Leon





From stian at redhat.com  Fri Jun 12 03:40:37 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 12 Jun 2015 03:40:37 -0400 (EDT)
Subject: [keycloak-user] Help us understand integration options that
 would allow us easy future upgrades
In-Reply-To: <557A86A6.3030707@betiator.com>
References: <557A86A6.3030707@betiator.com>
Message-ID: <410449677.16385722.1434094837712.JavaMail.zimbra@redhat.com>

http://keycloak.github.io/docs/userguide/html/events.html


----- Original Message -----
> From: "George Leon" <g.leon at betiator.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 12 June, 2015 9:13:42 AM
> Subject: [keycloak-user] Help us understand integration options that would allow us easy future upgrades
> 
> Good Morning everybody,
> 
> 
> We need to send / propagate in real time   some  user  data ( user_name
> and email for example  )   when a new user registers via Keycloak
> registration form
> to our operations database that is in Couchbase .  I like to explore
> what would be the best solution as to allow us easy future upgrades.
> 
> Our scenario is to use JBoss Keycloak  with Mysql DB  and have our
> application   frontend    a Javascript client  that hits the Restful API
> backend on Wildfly  that talks to Couchbase database. Our Frontend app
> will use the JBoss Keycloak  login / registration to allow users to get
> token and then use the restful API that is based on RestEasy and is
> under Keycloak security.   Now as Couchbase is high performance    we
> need to minimize the mysql exposure .
> 
> 
> Totally exteranlly to JBoss Keycloak
> 1) one way  I see this is if we can do at the Database layer  with a
> table trigger on the user table to run a external java program .
> 2) with a process running and checking and syncing the data
>      ,but they do not seem natural and as programmers we might do better.
> 
> 
> With minimal intervention in front end
> 3) Overriding some code in the JBoss Keycloak front-end registration
> page   (  can't seen to find it however is it a JSP?  where might i find
> it ? )
> 
> With intervention in JBoss Keycloak if it is supported some how
> 4)  Hook in to  JBoss Keyclock some where  to run our custom java code
> when user registration happens ?
> 
> 5) Also I see that the admin API   has create, update delete user
> endpoints but we would really like to use JBoss Keycloak
>    for login and registration etc to get the added features  you provide.
> 
> 6) Does Keycloak  have a work flow engine  for user registration that we
> could add pragmatically   a custom java action to it  ?
> 
> Basically we need help on understanding  integration options   that
> would allow us easy future upgrades.
> 
> 
> Thanks in advanced
> George Leon
> 
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 

From g.leon at betiator.com  Fri Jun 12 06:07:27 2015
From: g.leon at betiator.com (George Leon)
Date: Fri, 12 Jun 2015 13:07:27 +0300
Subject: [keycloak-user] How to add Unique constraint to say username and
 email in Keycloak ?
Message-ID: <557AAF5F.8050506@betiator.com>



Hi Keycloak Team ,



Best way to add Unique constraint  to username and email in Keycloak ?


Best Regards
George Leon







From g.leon at betiator.com  Fri Jun 12 06:23:27 2015
From: g.leon at betiator.com (George Leon)
Date: Fri, 12 Jun 2015 13:23:27 +0300
Subject: [keycloak-user] How to add Unique constraint to say username
 and email in Keycloak ?
In-Reply-To: <557AAF5F.8050506@betiator.com>
References: <557AAF5F.8050506@betiator.com>
Message-ID: <557AB31F.2070100@betiator.com>


I will answer my own question
It is supported out of the box   in

org.keycloak.models.jpa.entitiesUserEntity

@Table(name="USER_ENTITY", uniqueConstraints = {
         @UniqueConstraint(columnNames = {"REALM_ID","USERNAME"}),
         @UniqueConstraint(columnNames = {"REALM_ID","EMAIL_CONSTRAINT"})

Cool stuff,
George







On 06/12/2015 01:07 PM, George Leon wrote:
>
>
> Hi Keycloak Team ,
>
>
>
> Best way to add Unique constraint  to username and email in Keycloak ?
>
>
> Best Regards
> George Leon
>
>
>
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150612/b7a2ade0/attachment.html 

From kalc04 at gmail.com  Fri Jun 12 09:22:06 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 12 Jun 2015 18:52:06 +0530
Subject: [keycloak-user] Exception thrown when deleting user through API
 (when Keycloak servers are highly available)
In-Reply-To: <719385361.16360079.1434091160950.JavaMail.zimbra@redhat.com>
References: <CAPj1eSyxkGxnmhSQJ_Pif34qvWcrj1VhCmd4KahDR=ciUC1F1A@mail.gmail.com>
	<719385361.16360079.1434091160950.JavaMail.zimbra@redhat.com>
Message-ID: <CAPj1eSy9=dzoARkFkgNnDXo8070Qy1MpCQbCW8FzwVLK+u2+zA@mail.gmail.com>

We're using 1.2.0 Final as of now. Is there a newer version?


Regards,
Lohitha

On Fri, Jun 12, 2015 at 12:09 PM, Stian Thorgersen <stian at redhat.com> wrote:

> Please upgrade to latest release - this issue should already be fixed
>
> ----- Original Message -----
> > From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Friday, 12 June, 2015 7:33:42 AM
> > Subject: [keycloak-user] Exception thrown when deleting user through API
> (when Keycloak servers are highly available)
> >
> > Hi,
> >
> > We're running into a bit of a problem when trying to delete users
> through the
> > API. The error returned is of HTML format with 500 error code:
> > <html><head><title>Error</title></head><body>Internal Server
> > Error</body></html>
> >
> > Please note:
> > - We're using Infinispan for userSessions, realmCache and userCache.
> Rest of
> > the data is in MySQL.
> > - Issue only occurs when Keycloak servers are highly available (2
> servers in
> > our case). Works fine when only one server is up.
> >
> > Logs reveal that this is possibly a serialization issue related to
> > Infinispan:
> >
> > [2015-06-12 04:56:54.0303], ERROR,
> > org.infinispan.interceptors.InvocationContextInterceptor default task-11
> -
> > ISPN000136: Execution error: org.infinispan.commons.CacheException:
> > java.lang.RuntimeException: Failure to marshal argument(s)
> > at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
> > at
> >
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:176)
> > at
> >
> org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:521)
> > at
> >
> org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
> > Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
> > at
> >
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
> > at
> >
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processSingleCall(CommandAwareRpcDispatcher.java:352)
> > at
> >
> org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:167)
> > ... 94 more
> > Caused by: org.infinispan.commons.marshall.NotSerializableException:
> > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> > Caused by: an exception which occurred:
> > in object
> > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> > -> toString =
> > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> > in object org.infinispan.commands.write.RemoveCommand at 914fd0ce
> > -> toString =
> >
> RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> ,
> > value=null, flags=null, valueMatcher=MATCH_ALWAYS}
> > in object org.infinispan.commands.remote.SingleRpcCommand at bfee4c5c
> > -> toString = SingleRpcCommand{cacheName='loginFailures',
> >
> command=RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> ,
> > value=null, flags=null, valueMatcher=MATCH_ALWAYS}}
> >
> >
> > Also there's a DEBUG log as follows:
> >
> > [2015-06-12 04:56:54.0301], DEBUG,
> > org.infinispan.marshall.core.VersionAwareMarshaller default task-11 -
> Object
> > is not serializable: java.io.NotSerializableException:
> > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> > at
> >
> org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:860)
> > at
> >
> org.jboss.marshalling.AbstractObjectOutput.writeObject(AbstractObjectOutput.java:58)
> > at
> >
> org.jboss.marshalling.AbstractMarshaller.writeObject(AbstractMarshaller.java:111)
> > at
> >
> org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeCommandParameters(ReplicableCommandExternalizer.java:57)
> > at
> >
> org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:42)
> > at
> >
> org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:30)
> > at
> >
> org.infinispan.marshall.core.ExternalizerTable$ExternalizerAdapter.writeObject(ExternalizerTable.java:395)
> > at
> >
> org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:138)
> >
> >
> > Our Keycloak HA system works fine except for this issue. Please advise
> on how
> > tackle this.
> >
> >
> > Regards,
> > Lohitha.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150612/845e7fab/attachment-0001.html 

From stian at redhat.com  Fri Jun 12 09:32:48 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 12 Jun 2015 09:32:48 -0400 (EDT)
Subject: [keycloak-user] Exception thrown when deleting user through API
 (when Keycloak servers are highly available)
In-Reply-To: <CAPj1eSy9=dzoARkFkgNnDXo8070Qy1MpCQbCW8FzwVLK+u2+zA@mail.gmail.com>
References: <CAPj1eSyxkGxnmhSQJ_Pif34qvWcrj1VhCmd4KahDR=ciUC1F1A@mail.gmail.com>
	<719385361.16360079.1434091160950.JavaMail.zimbra@redhat.com>
	<CAPj1eSy9=dzoARkFkgNnDXo8070Qy1MpCQbCW8FzwVLK+u2+zA@mail.gmail.com>
Message-ID: <1162164607.16559798.1434115968985.JavaMail.zimbra@redhat.com>

Sorry, memory lapse. I thought it was fixed in 1.2.0.Final. It'll be fixed in 1.3 which is due early next week (https://issues.jboss.org/browse/KEYCLOAK-1333).

----- Original Message -----
> From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 12 June, 2015 3:22:06 PM
> Subject: Re: [keycloak-user] Exception thrown when deleting user through API (when Keycloak servers are highly
> available)
> 
> We're using 1.2.0 Final as of now. Is there a newer version?
> 
> 
> Regards,
> Lohitha
> 
> On Fri, Jun 12, 2015 at 12:09 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > Please upgrade to latest release - this issue should already be fixed
> >
> > ----- Original Message -----
> > > From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Friday, 12 June, 2015 7:33:42 AM
> > > Subject: [keycloak-user] Exception thrown when deleting user through API
> > (when Keycloak servers are highly available)
> > >
> > > Hi,
> > >
> > > We're running into a bit of a problem when trying to delete users
> > through the
> > > API. The error returned is of HTML format with 500 error code:
> > > <html><head><title>Error</title></head><body>Internal Server
> > > Error</body></html>
> > >
> > > Please note:
> > > - We're using Infinispan for userSessions, realmCache and userCache.
> > Rest of
> > > the data is in MySQL.
> > > - Issue only occurs when Keycloak servers are highly available (2
> > servers in
> > > our case). Works fine when only one server is up.
> > >
> > > Logs reveal that this is possibly a serialization issue related to
> > > Infinispan:
> > >
> > > [2015-06-12 04:56:54.0303], ERROR,
> > > org.infinispan.interceptors.InvocationContextInterceptor default task-11
> > -
> > > ISPN000136: Execution error: org.infinispan.commons.CacheException:
> > > java.lang.RuntimeException: Failure to marshal argument(s)
> > > at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
> > > at
> > >
> > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:176)
> > > at
> > >
> > org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:521)
> > > at
> > >
> > org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
> > > Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
> > > at
> > >
> > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
> > > at
> > >
> > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processSingleCall(CommandAwareRpcDispatcher.java:352)
> > > at
> > >
> > org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:167)
> > > ... 94 more
> > > Caused by: org.infinispan.commons.marshall.NotSerializableException:
> > > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> > > Caused by: an exception which occurred:
> > > in object
> > > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> > > -> toString =
> > > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> > > in object org.infinispan.commands.write.RemoveCommand at 914fd0ce
> > > -> toString =
> > >
> > RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> > ,
> > > value=null, flags=null, valueMatcher=MATCH_ALWAYS}
> > > in object org.infinispan.commands.remote.SingleRpcCommand at bfee4c5c
> > > -> toString = SingleRpcCommand{cacheName='loginFailures',
> > >
> > command=RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey at f42bdd72
> > ,
> > > value=null, flags=null, valueMatcher=MATCH_ALWAYS}}
> > >
> > >
> > > Also there's a DEBUG log as follows:
> > >
> > > [2015-06-12 04:56:54.0301], DEBUG,
> > > org.infinispan.marshall.core.VersionAwareMarshaller default task-11 -
> > Object
> > > is not serializable: java.io.NotSerializableException:
> > > org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
> > > at
> > >
> > org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:860)
> > > at
> > >
> > org.jboss.marshalling.AbstractObjectOutput.writeObject(AbstractObjectOutput.java:58)
> > > at
> > >
> > org.jboss.marshalling.AbstractMarshaller.writeObject(AbstractMarshaller.java:111)
> > > at
> > >
> > org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeCommandParameters(ReplicableCommandExternalizer.java:57)
> > > at
> > >
> > org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:42)
> > > at
> > >
> > org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:30)
> > > at
> > >
> > org.infinispan.marshall.core.ExternalizerTable$ExternalizerAdapter.writeObject(ExternalizerTable.java:395)
> > > at
> > >
> > org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:138)
> > >
> > >
> > > Our Keycloak HA system works fine except for this issue. Please advise
> > on how
> > > tackle this.
> > >
> > >
> > > Regards,
> > > Lohitha.
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 

From John.Schneider at carrier.utc.com  Fri Jun 12 09:41:18 2015
From: John.Schneider at carrier.utc.com (Schneider, John           DODGE CONSULTING SERVICES, LLC)
Date: Fri, 12 Jun 2015 13:41:18 +0000
Subject: [keycloak-user] Exception thrown when deleting user through API
 (when Keycloak servers are highly available)
Message-ID: <D5998B55A61D334EA803FEB70395CFD70B195D06@UUSNWE3K.na.utcmail.com>

We've experienced the same problems, but figured it was a problem with our server config so did not submit a Keycloak bug report yet.  Unfortunately have not found any workaround yet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150612/e1f4186e/attachment.html 

From fadiabdeen at gmail.com  Fri Jun 12 14:11:57 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Fri, 12 Jun 2015 14:11:57 -0400
Subject: [keycloak-user] Backup
Message-ID: <CABXXV0SNZK3rVrpJ8_Wyktx89i4r9=jdbxmNKw+fUfhwbvGx5Q@mail.gmail.com>

Is there a way to export realm data and load them back in another server ?

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150612/cc5fbba3/attachment.html 

From kalc04 at gmail.com  Fri Jun 12 15:59:52 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Sat, 13 Jun 2015 01:29:52 +0530
Subject: [keycloak-user] Exception thrown when deleting user through API
 (when Keycloak servers are highly available)
In-Reply-To: <D5998B55A61D334EA803FEB70395CFD70B195D06@UUSNWE3K.na.utcmail.com>
References: <D5998B55A61D334EA803FEB70395CFD70B195D06@UUSNWE3K.na.utcmail.com>
Message-ID: <CAPj1eSwXDEwoDMSaGvLMFfJ46Y1u-KtHn6YpZFw-2NKzdkqCXg@mail.gmail.com>

Thanks Stian, we'll keep an eye on the release date.


Regards,
Lohitha.

On Fri, Jun 12, 2015 at 7:11 PM, Schneider, John DODGE CONSULTING SERVICES,
LLC <John.Schneider at carrier.utc.com> wrote:

>  We?ve experienced the same problems, but figured it was a problem with
> our server config so did not submit a Keycloak bug report yet.
> Unfortunately have not found any workaround yet.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150613/74d4197c/attachment.html 

From ssilvert at redhat.com  Fri Jun 12 20:18:58 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 12 Jun 2015 20:18:58 -0400
Subject: [keycloak-user] Backup
In-Reply-To: <CABXXV0SNZK3rVrpJ8_Wyktx89i4r9=jdbxmNKw+fUfhwbvGx5Q@mail.gmail.com>
References: <CABXXV0SNZK3rVrpJ8_Wyktx89i4r9=jdbxmNKw+fUfhwbvGx5Q@mail.gmail.com>
Message-ID: <557B76F2.1030803@redhat.com>

Read the fine manual.
http://keycloak.github.io/docs/userguide/html_single/index.html#export-import

On 6/12/2015 2:11 PM, Fadi Abdin wrote:
> Is there a way to export realm data and load them back in another 
> server ?
>
> Thanks,
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150612/aedc472c/attachment.html 

From peterson.dean at gmail.com  Sun Jun 14 23:43:52 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sun, 14 Jun 2015 22:43:52 -0500
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
	1.2.0.Final
Message-ID: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>

I receive this error:

Caused by: java.lang.RuntimeException: Failed to update database
at
org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
at
org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
... 35 more
Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
172.17.5.191:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index
not found with name [realmId_1_name_1]"}
at com.mongodb.CommandResult.getException(CommandResult.java:71)
at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150614/8cd89bdc/attachment.html 

From peterson.dean at gmail.com  Sun Jun 14 23:50:12 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sun, 14 Jun 2015 22:50:12 -0500
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
	1.2.0.Final
In-Reply-To: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
Message-ID: <CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>

The end of the error message is strange since I am trying to update to
1.2.0.Final.  It refers to a candidate release:

Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
172.17.5.191:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index
not found with name [realmId_1_name_1]"}
at com.mongodb.CommandResult.getException(CommandResult.java:71)
at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
at
org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
at
org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
at
org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)


On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <peterson.dean at gmail.com>
wrote:

> I receive this error:
>
> Caused by: java.lang.RuntimeException: Failed to update database
> at
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
> at
> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
> ... 35 more
> Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> 172.17.5.191:27017" , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index
> not found with name [realmId_1_name_1]"}
> at com.mongodb.CommandResult.getException(CommandResult.java:71)
> at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150614/8e1f8e5d/attachment-0001.html 

From stian at redhat.com  Mon Jun 15 01:28:51 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 15 Jun 2015 01:28:51 -0400 (EDT)
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1
	to	1.2.0.Final
In-Reply-To: <CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>
Message-ID: <170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>

What version are you upgrading from?

----- Original Message -----
> From: "Dean Peterson" <peterson.dean at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 15 June, 2015 5:50:12 AM
> Subject: Re: [keycloak-user] Tried to update database from 1.2.0.Beta1 to	1.2.0.Final
> 
> The end of the error message is strange since I am trying to update to
> 1.2.0.Final. It refers to a candidate release:

When updating the db it goes through a list of updates, so if you haven't upgraded to 1.2.0.cr1 in the past that update is on the list as well.

> 
> Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index
> not found with name [realmId_1_name_1]"}
> at com.mongodb.CommandResult.getException(CommandResult.java:71)
> at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
> at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
> at
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
> at
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
> at
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
> 
> 
> On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson < peterson.dean at gmail.com >
> wrote:
> 
> 
> 
> I receive this error:
> 
> Caused by: java.lang.RuntimeException: Failed to update database
> at
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
> at
> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
> ... 35 more
> Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" : "index
> not found with name [realmId_1_name_1]"}
> at com.mongodb.CommandResult.getException(CommandResult.java:71)
> at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From peterson.dean at gmail.com  Mon Jun 15 07:54:13 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 15 Jun 2015 06:54:13 -0500
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
	1.2.0.Final
In-Reply-To: <170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>
	<170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>
Message-ID: <CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>

I put the version in the subject: 1.2.0.Beta1
On Jun 15, 2015 12:28 AM, "Stian Thorgersen" <stian at redhat.com> wrote:

> What version are you upgrading from?
>
> ----- Original Message -----
> > From: "Dean Peterson" <peterson.dean at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 15 June, 2015 5:50:12 AM
> > Subject: Re: [keycloak-user] Tried to update database from 1.2.0.Beta1
> to     1.2.0.Final
> >
> > The end of the error message is strange since I am trying to update to
> > 1.2.0.Final. It refers to a candidate release:
>
> When updating the db it goes through a list of updates, so if you haven't
> upgraded to 1.2.0.cr1 in the past that update is on the list as well.
>
> >
> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
> "index
> > not found with name [realmId_1_name_1]"}
> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
> > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
> > at
> >
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
> > at
> >
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
> > at
> >
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
> >
> >
> > On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <
> peterson.dean at gmail.com >
> > wrote:
> >
> >
> >
> > I receive this error:
> >
> > Caused by: java.lang.RuntimeException: Failed to update database
> > at
> >
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
> > at
> >
> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
> > ... 35 more
> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
> "index
> > not found with name [realmId_1_name_1]"}
> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150615/07a61deb/attachment.html 

From sanjibbag at gmail.com  Mon Jun 15 09:11:30 2015
From: sanjibbag at gmail.com (Sanjib Bag)
Date: Mon, 15 Jun 2015 09:11:30 -0400
Subject: [keycloak-user] Kecloak support of .p12 or .pfx files
Message-ID: <CAB67wHdeJ1S_3j+HY5SODgyB3Qy2O03-iGQUZhLWHoaAW-WOGg@mail.gmail.com>

Hi,

Does Keycloack support integration using .p12 or .pfx files to do
authentication? If yes, is there an example which can be refereed.

Thanks
Sanjib
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150615/5c50d7b4/attachment.html 

From bburke at redhat.com  Mon Jun 15 09:24:11 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 15 Jun 2015 09:24:11 -0400
Subject: [keycloak-user] Kecloak support of .p12 or .pfx files
In-Reply-To: <CAB67wHdeJ1S_3j+HY5SODgyB3Qy2O03-iGQUZhLWHoaAW-WOGg@mail.gmail.com>
References: <CAB67wHdeJ1S_3j+HY5SODgyB3Qy2O03-iGQUZhLWHoaAW-WOGg@mail.gmail.com>
Message-ID: <557ED1FB.9040903@redhat.com>

What do you even mean by that?  .p12 files are just a format for storing 
keys/certs.

On 6/15/2015 9:11 AM, Sanjib Bag wrote:
> Hi,
>
> Does Keycloack support integration using .p12 or .pfx files to do
> authentication? If yes, is there an example which can be refereed.
>
> Thanks
> Sanjib
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sanjibbag at gmail.com  Mon Jun 15 09:59:40 2015
From: sanjibbag at gmail.com (Sanjib Bag)
Date: Mon, 15 Jun 2015 09:59:40 -0400
Subject: [keycloak-user] Kecloak support of .p12 or .pfx files
In-Reply-To: <CAB67wHdeJ1S_3j+HY5SODgyB3Qy2O03-iGQUZhLWHoaAW-WOGg@mail.gmail.com>
References: <CAB67wHdeJ1S_3j+HY5SODgyB3Qy2O03-iGQUZhLWHoaAW-WOGg@mail.gmail.com>
Message-ID: <CAB67wHdRLK1m180pbw8CzzCzLv=y6N05dTLOmB4iSKqpzt=39g@mail.gmail.com>

I meant to say that how can I use keys/certs and user information stored in
.p12 file to authenticate against Keycloak? How this can be achieved? Is
there a example available in keycloak project?

On Mon, Jun 15, 2015 at 9:11 AM, Sanjib Bag <sanjibbag at gmail.com> wrote:

> Hi,
>
> Does Keycloack support integration using .p12 or .pfx files to do
> authentication? If yes, is there an example which can be refereed.
>
> Thanks
> Sanjib
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150615/b26b80ae/attachment.html 

From bburke at redhat.com  Mon Jun 15 10:05:06 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 15 Jun 2015 10:05:06 -0400
Subject: [keycloak-user] Kecloak support of .p12 or .pfx files
In-Reply-To: <CAB67wHdRLK1m180pbw8CzzCzLv=y6N05dTLOmB4iSKqpzt=39g@mail.gmail.com>
References: <CAB67wHdeJ1S_3j+HY5SODgyB3Qy2O03-iGQUZhLWHoaAW-WOGg@mail.gmail.com>
	<CAB67wHdRLK1m180pbw8CzzCzLv=y6N05dTLOmB4iSKqpzt=39g@mail.gmail.com>
Message-ID: <557EDB92.5010601@redhat.com>

You mean 2-factor SSL authentication, aka CLIENT_CERT auth?

On 6/15/2015 9:59 AM, Sanjib Bag wrote:
> I meant to say that how can I use keys/certs and user information stored
> in .p12 file to authenticate against Keycloak? How this can be achieved?
> Is there a example available in keycloak project?
>
> On Mon, Jun 15, 2015 at 9:11 AM, Sanjib Bag <sanjibbag at gmail.com
> <mailto:sanjibbag at gmail.com>> wrote:
>
>     Hi,
>
>     Does Keycloack support integration using .p12 or .pfx files to do
>     authentication? If yes, is there an example which can be refereed.
>
>     Thanks
>     Sanjib
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sanjibbag at gmail.com  Mon Jun 15 10:27:49 2015
From: sanjibbag at gmail.com (Sanjib Bag)
Date: Mon, 15 Jun 2015 10:27:49 -0400
Subject: [keycloak-user] Kecloak support of .p12 or .pfx files
In-Reply-To: <557EDB92.5010601@redhat.com>
References: <CAB67wHdeJ1S_3j+HY5SODgyB3Qy2O03-iGQUZhLWHoaAW-WOGg@mail.gmail.com>
	<CAB67wHdRLK1m180pbw8CzzCzLv=y6N05dTLOmB4iSKqpzt=39g@mail.gmail.com>
	<557EDB92.5010601@redhat.com>
Message-ID: <CAB67wHfy6kQk-ob+VXSz=7qWivGJR3XewKaGDPO_gE2h9CyjzQ@mail.gmail.com>

Yes.

On Mon, Jun 15, 2015 at 10:05 AM, Bill Burke <bburke at redhat.com> wrote:

> You mean 2-factor SSL authentication, aka CLIENT_CERT auth?
>
> On 6/15/2015 9:59 AM, Sanjib Bag wrote:
> > I meant to say that how can I use keys/certs and user information stored
> > in .p12 file to authenticate against Keycloak? How this can be achieved?
> > Is there a example available in keycloak project?
> >
> > On Mon, Jun 15, 2015 at 9:11 AM, Sanjib Bag <sanjibbag at gmail.com
> > <mailto:sanjibbag at gmail.com>> wrote:
> >
> >     Hi,
> >
> >     Does Keycloack support integration using .p12 or .pfx files to do
> >     authentication? If yes, is there an example which can be refereed.
> >
> >     Thanks
> >     Sanjib
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150615/be3378fb/attachment-0001.html 

From Carsten.Saathoff at kisters.de  Mon Jun 15 11:23:31 2015
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Mon, 15 Jun 2015 17:23:31 +0200
Subject: [keycloak-user] Authorizing Backend Services
Message-ID: <OFE330DF0D.58F61E28-ONC1257E65.005248AB-C1257E65.00548D3B@kisters.de>

Hi,

we are currently struggling to find an elegant solution for the following 
problem. We have a system consisting of a bunch of microservices. The UI 
interacts with the system using an API Gateway. Authenticating the user is 
done via OAuth using the password grant and probably using the implicit 
grant in the future. While we initially planned to store user roles in 
each microservice, we changed that approach to go for the token based 
approach used by keycloak, i.e., we use the roles present in the access 
token to determine the role of the user for a request. So far so good, 
authentication works like a breeze and keycloak is also easy to use and 
looks great.

However, besides the user facing processes (i.e. the user actually 
interacting with the system via the UI), we also have offline processes. 
E.g., a reporting service that needs to access data in other services in 
order to generate a report once a day or a week. In these offline 
service-to-service requests, we want to be able to enforce the same set of 
access rules as for normal requests directly triggered by the user. In 
other words, the reporting service would need an access token for the user 
that contains the roles of the user. In order to obtain that access token, 
however, either the user would need to be involved or we would need a 
refresh token. Involving the user in a process that takes place in the 
middle of the night is obviously not a viable solution, so I think we need 
to authorize the user once somehow. But we are actually not sure how to 
best do this. In an enterprise application it would be a bit uncommon to 
pop up a "Please authorize Service X to access Service Y" window, when the 
user doesn't really care about what services are involved. Furthermore, 
it's also not absolutely clear how to best integrate this into a UI 
anyway. So we are actually wondering, if this is right path anyway. How 
are such cases are usually handled using keycloak? Is there a pattern or 
any best practice? Am I completely on the wrong road and need to do 
something completely different?

Are there any plans to extend keycloak with functionality that would ease 
such scenarios? One idea we had was to allow for direct token generation 
of backend services via some API and the means to configure what tokens 
and roles are allowed by a service. In our problem above, I could imagine 
that in keycloak there would be the possibility to allow the report 
service to generate tokens with the GUEST role for all users for the data 
service. Independently of the real role of the user, a token generated by 
that means would only allow access with GUEST rights. Furthermore, the 
report service would not be able to generate tokens for any other services 
on its own. That would obviously be outside of OAuth and probably it 
should be required to enable this feature explicitly, but I would greatly 
ease such scenarios. Specifically, it would help in setting up a system 
such that is secure without requiring the user to perform explicit grants 
for services he shouldn't even know about.

Thanks and best regards

Carsten

--------------------------------------------------------------------------------------------------------------------------------------------
 Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
Handelsregister Aachen, HRB-Nr. 7838 | Vorstand: Klaus Kisters, Hanns Kisters | Aufsichtsratsvorsitzender: Dr. Thomas Klevers
Phone: +49 441 93602 -257 | Fax: +49 441 93602 -222 | E-Mail: Carsten.Saathoff at kisters.de | WWW: http://www.kisters.de
--------------------------------------------------------------------------------------------------------------------------------------------
Diese E-Mail enth?lt vertrauliche und/oder rechtlich gesch?tzte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. 
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150615/99fdb591/attachment.html 

From fadiabdeen at gmail.com  Mon Jun 15 14:15:59 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Mon, 15 Jun 2015 14:15:59 -0400
Subject: [keycloak-user] Backup
In-Reply-To: <557B76F2.1030803@redhat.com>
References: <CABXXV0SNZK3rVrpJ8_Wyktx89i4r9=jdbxmNKw+fUfhwbvGx5Q@mail.gmail.com>
	<557B76F2.1030803@redhat.com>
Message-ID: <CABXXV0SqMsJ98bdQUuw9ikSBNs44y1LPwG0vA3NbvByYBSJgLQ@mail.gmail.com>

Thank you Stan

On Fri, Jun 12, 2015 at 8:18 PM, Stan Silvert <ssilvert at redhat.com> wrote:

>  Read the fine manual.
>
> http://keycloak.github.io/docs/userguide/html_single/index.html#export-import
>
> On 6/12/2015 2:11 PM, Fadi Abdin wrote:
>
> Is there a way to export realm data and load them back in another server ?
>
>  Thanks,
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150615/9d2c132c/attachment.html 

From emorny at gmail.com  Tue Jun 16 09:58:14 2015
From: emorny at gmail.com (Edem Morny)
Date: Tue, 16 Jun 2015 13:58:14 +0000
Subject: [keycloak-user] Application and Realm Roles
Message-ID: <1434463094.4281.7.camel@localhost.localdomain>

Hi,

I've created a realm, and a default role in that realm called "user". I
then created a client and added an application role to the client. I've
set "use-resource-role-mappings" to true in the keycloak.json file
inside my war file.

I attempt to access a path that is protected by the role "user", and log
in with an account that has both the realm role "user" and the
application role "mdc-staff", and I'm redirected to my 403 page, meaning
the "user" role didn't seem to be available to the user. When I attempt
to access a path protected by the "mdc-staff" role, i don't get a 403,
meaning that the application specific role is available.

Is there something I need to do to enable both realm and application
level roles available to the user when I login? This is very key for us
to implementing SSO for different client secured by the same realm. I
thought "Full Scopes Allowed" was not enabled, but it was and still
things don't work as expected.

Cheers.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150616/015466d9/attachment.html 

From juandiego83 at gmail.com  Tue Jun 16 19:52:08 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Tue, 16 Jun 2015 18:52:08 -0500
Subject: [keycloak-user] 405 method not allowed
Message-ID: <CAJGEj6fK9nxXh9OdPuORs6gRk0sfEtGL72yaTz7T20-FLwFfZw@mail.gmail.com>

Hi

I get the following error
POST http://localhost:8080/unika/usuarios/login 405 (Method Not Allowed)

I think I did this right, after tinkering with my config for a while I
added  unika.localdomain as a web origin. (unika.localdomain is set on my
/etc/hosts)
I also added to both keycloak.json files, backend and front end.

"enable-cors" : true,

I dont know if this is neccesary-

If I disable the security in my web.xml of the backend I can access
POST  http://localhost:8080/unika/usuarios/login with no problems.

So I know it has something to do with keycloak.  Is there anything
else I have to do allow CORS.

Before enabling keycloak, i added corsfilter to my resteasy app in the
backend, so it was working.  Is this redundant? Does this causes
problems?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150616/eac5fa68/attachment.html 

From chenkeong.yap at izeno.com  Tue Jun 16 22:09:36 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Wed, 17 Jun 2015 10:09:36 +0800
Subject: [keycloak-user] Using OneLogin php-saml library with keycloak
In-Reply-To: <CAFqgz0i__LUX=69sUxqcePVYP=5T9JpFjYKcZYb2y3OiM8CQbQ@mail.gmail.com>
References: <CAFqgz0hMfU495kWPJgPTiLCHRkbf6bNF3rWQpMcXA4X8NZxGSw@mail.gmail.com>
	<5575C720.3020905@redhat.com>
	<CAFqgz0i__LUX=69sUxqcePVYP=5T9JpFjYKcZYb2y3OiM8CQbQ@mail.gmail.com>
Message-ID: <CAC2UnuUq3d5XQMZnzLh-Vu=5Q-1URWXKL5=KueeOcv2M6cNNxg@mail.gmail.com>

Hi bill,

can i know when is the release date for keycloak 1.3?

On Tue, Jun 9, 2015 at 8:43 AM, pubudu gunawardena <pubudupg at gmail.com>
wrote:

> That's great. And thanks for the great product.
>
> On Mon, Jun 8, 2015 at 10:17 PM, Bill Burke <bburke at redhat.com> wrote:
> > Should be fixed in master and will be in 1.3 release.
> >
> > On 6/4/2015 7:44 AM, pubudu gunawardena wrote:
> >> Hi All,
> >>
> >> I am trying to use the OneLogin php-saml library[1] as a service
> >> provider that uses keycloak as a SAML identity provider. The
> >> "RelayState" parameter is sent properly form the SP to the IDP but in
> >> the response, the forward slashes are missing from the RelayState.
> >> For example in the post parameters of the authentication request, the
> >> RelayState shows "http://phpsaml/demo1/" but in the response from
> >> keycloak, it shows "http:phpsamldemo1". This is causing the php-saml
> >> library to throw exceptions. I'm using keycloak 1.2.0.Final.
> >>
> >> How can I overcome this problem?
> >>
> >>
> >> [1]https://github.com/onelogin/php-saml
> >>
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
> Thanks,
> Pubudu
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150617/9a795131/attachment-0001.html 

From peterson.dean at gmail.com  Wed Jun 17 01:32:24 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Wed, 17 Jun 2015 00:32:24 -0500
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
	1.2.0.Final
In-Reply-To: <CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>
	<170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>
	<CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>
Message-ID: <CAFGzvPmkz7-k-+oZ+nxjb0XqSKi0shvN4FuTCw8fN13n4bZG_A@mail.gmail.com>

Any suggestions?

On Mon, Jun 15, 2015 at 6:54 AM, Dean Peterson <peterson.dean at gmail.com>
wrote:

> I put the version in the subject: 1.2.0.Beta1
> On Jun 15, 2015 12:28 AM, "Stian Thorgersen" <stian at redhat.com> wrote:
>
>> What version are you upgrading from?
>>
>> ----- Original Message -----
>> > From: "Dean Peterson" <peterson.dean at gmail.com>
>> > To: keycloak-user at lists.jboss.org
>> > Sent: Monday, 15 June, 2015 5:50:12 AM
>> > Subject: Re: [keycloak-user] Tried to update database from 1.2.0.Beta1
>> to     1.2.0.Final
>> >
>> > The end of the error message is strange since I am trying to update to
>> > 1.2.0.Final. It refers to a candidate release:
>>
>> When updating the db it goes through a list of updates, so if you haven't
>> upgraded to 1.2.0.cr1 in the past that update is on the list as well.
>>
>> >
>> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
>> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>> "index
>> > not found with name [realmId_1_name_1]"}
>> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
>> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>> > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>> > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>> > at
>> >
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>> > at
>> >
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>> > at
>> >
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
>> >
>> >
>> > On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <
>> peterson.dean at gmail.com >
>> > wrote:
>> >
>> >
>> >
>> > I receive this error:
>> >
>> > Caused by: java.lang.RuntimeException: Failed to update database
>> > at
>> >
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
>> > at
>> >
>> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
>> > ... 35 more
>> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
>> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>> "index
>> > not found with name [realmId_1_name_1]"}
>> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
>> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150617/926f595a/attachment.html 

From stian at redhat.com  Wed Jun 17 02:06:42 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 17 Jun 2015 02:06:42 -0400 (EDT)
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
 1.2.0.Final
In-Reply-To: <CAFGzvPmkz7-k-+oZ+nxjb0XqSKi0shvN4FuTCw8fN13n4bZG_A@mail.gmail.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>
	<170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>
	<CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>
	<CAFGzvPmkz7-k-+oZ+nxjb0XqSKi0shvN4FuTCw8fN13n4bZG_A@mail.gmail.com>
Message-ID: <230363077.19971361.1434521202436.JavaMail.zimbra@redhat.com>

Could you run listIndexes[1] on the applications and clients collections?

[1] http://docs.mongodb.org/manual/tutorial/list-indexes/#list-all-indexes-on-a-collection

----- Original Message -----
> From: "Dean Peterson" <peterson.dean at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 17 June, 2015 7:32:24 AM
> Subject: Re: [keycloak-user] Tried to update database from 1.2.0.Beta1 to 1.2.0.Final
> 
> Any suggestions?
> 
> On Mon, Jun 15, 2015 at 6:54 AM, Dean Peterson <peterson.dean at gmail.com>
> wrote:
> 
> > I put the version in the subject: 1.2.0.Beta1
> > On Jun 15, 2015 12:28 AM, "Stian Thorgersen" <stian at redhat.com> wrote:
> >
> >> What version are you upgrading from?
> >>
> >> ----- Original Message -----
> >> > From: "Dean Peterson" <peterson.dean at gmail.com>
> >> > To: keycloak-user at lists.jboss.org
> >> > Sent: Monday, 15 June, 2015 5:50:12 AM
> >> > Subject: Re: [keycloak-user] Tried to update database from 1.2.0.Beta1
> >> to     1.2.0.Final
> >> >
> >> > The end of the error message is strange since I am trying to update to
> >> > 1.2.0.Final. It refers to a candidate release:
> >>
> >> When updating the db it goes through a list of updates, so if you haven't
> >> upgraded to 1.2.0.cr1 in the past that update is on the list as well.
> >>
> >> >
> >> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> >> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
> >> "index
> >> > not found with name [realmId_1_name_1]"}
> >> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
> >> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> >> > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
> >> > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
> >> > at
> >> >
> >> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
> >> > at
> >> >
> >> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
> >> > at
> >> >
> >> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
> >> >
> >> >
> >> > On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <
> >> peterson.dean at gmail.com >
> >> > wrote:
> >> >
> >> >
> >> >
> >> > I receive this error:
> >> >
> >> > Caused by: java.lang.RuntimeException: Failed to update database
> >> > at
> >> >
> >> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
> >> > at
> >> >
> >> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
> >> > ... 35 more
> >> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "kcdb/
> >> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
> >> "index
> >> > not found with name [realmId_1_name_1]"}
> >> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
> >> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > keycloak-user mailing list
> >> > keycloak-user at lists.jboss.org
> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> 

From subhrajyotim at gmail.com  Wed Jun 17 03:03:31 2015
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Wed, 17 Jun 2015 12:33:31 +0530
Subject: [keycloak-user] Using Keycloak to build organization SSO server.
Message-ID: <CAB6P+-Fgf70Kuoq8KSvEeokM+6rx9jC68OaXebMyh08jfFc0LA@mail.gmail.com>

Hello,
My organization, is trying to implement a SSO service internally, so that
various business applications can authenticate against it. We also want
this SSO service to manage roles, groups,permissions, role-group
memberships etc.

Currently this authentication is happening using DB tables and Active
Directory server.
We want to hook up these with the keycloak server.

Can this be done using Keycloak? how does keycloak compare to shibboleth?
Will using picketlink in client applications help in anyway to speed up
development.


Thanks for your patience,
Subhro.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150617/f04f650a/attachment.html 

From mposolda at redhat.com  Wed Jun 17 06:43:09 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 17 Jun 2015 12:43:09 +0200
Subject: [keycloak-user] Application and Realm Roles
In-Reply-To: <1434463094.4281.7.camel@localhost.localdomain>
References: <1434463094.4281.7.camel@localhost.localdomain>
Message-ID: <55814F3D.8030607@redhat.com>

Currently if you use "use-resource-role-mappings" to true, the JEE roles 
(those used for protection in security-constraints in web.xml) are used 
from Application roles, otherwise from Realm roles. Currently we don't 
have possibility to use both realm and application roles for that.

However the alternative is, that you can retrieve the keycloak 
accessToken in your application (See our examples on how to do that) and 
this accessToken will contain all the realm and application roles of the 
user. This allows you to do some more role based filtering 
programmatically in your application.

Marek

On 16.6.2015 15:58, Edem Morny wrote:
> Hi,
>
> I've created a realm, and a default role in that realm called "user". 
> I then created a client and added an application role to the client. 
> I've set "use-resource-role-mappings" to true in the keycloak.json 
> file inside my war file.
>
> I attempt to access a path that is protected by the role "user", and 
> log in with an account that has both the realm role "user" and the 
> application role "mdc-staff", and I'm redirected to my 403 page, 
> meaning the "user" role didn't seem to be available to the user. When 
> I attempt to access a path protected by the "mdc-staff" role, i don't 
> get a 403, meaning that the application specific role is available.
>
> Is there something I need to do to enable both realm and application 
> level roles available to the user when I login? This is very key for 
> us to implementing SSO for different client secured by the same realm. 
> I thought "Full Scopes Allowed" was not enabled, but it was and still 
> things don't work as expected.
>
> Cheers.
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150617/5c9eb5d3/attachment.html 

From emorny at gmail.com  Wed Jun 17 08:13:01 2015
From: emorny at gmail.com (Edem Morny)
Date: Wed, 17 Jun 2015 12:13:01 +0000
Subject: [keycloak-user] [Fwd: Re:  Application and Realm Roles]
Message-ID: <1434543181.3440.11.camel@localhost.localdomain>

Sorry. Forwarding my response to the mailing list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150617/2ec698fc/attachment-0001.html 
-------------- next part --------------
An embedded message was scrubbed...
From: Edem Morny <emorny at gmail.com>
Subject: Re: [keycloak-user] Application and Realm Roles
Date: Wed, 17 Jun 2015 12:02:46 +0000
Size: 7419
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150617/2ec698fc/attachment-0001.mht 

From bburke at redhat.com  Wed Jun 17 08:41:25 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 17 Jun 2015 08:41:25 -0400
Subject: [keycloak-user] Using Keycloak to build organization SSO server.
In-Reply-To: <CAB6P+-Fgf70Kuoq8KSvEeokM+6rx9jC68OaXebMyh08jfFc0LA@mail.gmail.com>
References: <CAB6P+-Fgf70Kuoq8KSvEeokM+6rx9jC68OaXebMyh08jfFc0LA@mail.gmail.com>
Message-ID: <55816AF5.5010701@redhat.com>

Keycloak can manage SSO and roles.  We don't have the concept of groups 
or permissions.  Role groups are something we call a "composite role". 
The way roles work is that you can have realm-level roles, or roles that 
are associated with an application/client.   You can federate user 
storage in AD and DBs together.  ADs should probably work out of the box 
with some configuration.  DBs would take custom coding to work with your 
schema, but was have an SPI for it.

I don't know how Shibboleth compares to Keycloak.  We're moving fast 
though.  We currently rely on Picketlink for our SAML client adapter. 
That's it though.  In the near future we will be porting the PL SAML 
client adapter to Keycloak.

On 6/17/2015 3:03 AM, Subhrajyoti Moitra wrote:
> Hello,
> My organization, is trying to implement a SSO service internally, so
> that various business applications can authenticate against it. We also
> want this SSO service to manage roles, groups,permissions, role-group
> memberships etc.
> Currently this authentication is happening using DB tables and Active
> Directory server.
> We want to hook up these with the keycloak server.
>
> Can this be done using Keycloak? how does keycloak compare to shibboleth?
> Will using picketlink in client applications help in anyway to speed up
> development.
>
>
> Thanks for your patience,
> Subhro.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com  Wed Jun 17 08:49:00 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 17 Jun 2015 08:49:00 -0400
Subject: [keycloak-user] Application and Realm Roles
In-Reply-To: <55814F3D.8030607@redhat.com>
References: <1434463094.4281.7.camel@localhost.localdomain>
	<55814F3D.8030607@redhat.com>
Message-ID: <55816CBC.6010104@redhat.com>

If you are using 1.2 then you can map role mappings to the token however 
you want.   Go to the client in admin console, click on mappers, click 
create, select Role Name Mapper.  Hover over the '?' to get a 
description of the fields.


On 6/17/2015 6:43 AM, Marek Posolda wrote:
> Currently if you use "use-resource-role-mappings" to true, the JEE roles
> (those used for protection in security-constraints in web.xml) are used
> from Application roles, otherwise from Realm roles. Currently we don't
> have possibility to use both realm and application roles for that.
>
> However the alternative is, that you can retrieve the keycloak
> accessToken in your application (See our examples on how to do that) and
> this accessToken will contain all the realm and application roles of the
> user. This allows you to do some more role based filtering
> programmatically in your application.
>
> Marek
>
> On 16.6.2015 15:58, Edem Morny wrote:
>> Hi,
>>
>> I've created a realm, and a default role in that realm called "user".
>> I then created a client and added an application role to the client.
>> I've set "use-resource-role-mappings" to true in the keycloak.json
>> file inside my war file.
>>
>> I attempt to access a path that is protected by the role "user", and
>> log in with an account that has both the realm role "user" and the
>> application role "mdc-staff", and I'm redirected to my 403 page,
>> meaning the "user" role didn't seem to be available to the user. When
>> I attempt to access a path protected by the "mdc-staff" role, i don't
>> get a 403, meaning that the application specific role is available.
>>
>> Is there something I need to do to enable both realm and application
>> level roles available to the user when I login? This is very key for
>> us to implementing SSO for different client secured by the same realm.
>> I thought "Full Scopes Allowed" was not enabled, but it was and still
>> things don't work as expected.
>>
>> Cheers.
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com  Thu Jun 18 02:16:23 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Jun 2015 02:16:23 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.3.0.Final released
Message-ID: <1722981063.20879613.1434608183300.JavaMail.zimbra@redhat.com>

http://blog.keycloak.org/2015/06/keycloak-130final-released.html

From chenkeong.yap at izeno.com  Thu Jun 18 02:47:58 2015
From: chenkeong.yap at izeno.com (Chen Keong Yap)
Date: Thu, 18 Jun 2015 14:47:58 +0800
Subject: [keycloak-user] Keycloak 1.3.0.Final released
In-Reply-To: <1722981063.20879613.1434608183300.JavaMail.zimbra@redhat.com>
References: <1722981063.20879613.1434608183300.JavaMail.zimbra@redhat.com>
Message-ID: <CAC2UnuVkozsf7sDpiZJ3SmnNzmy29Z8OM-761LCFTHT5rkbSKw@mail.gmail.com>

Hi,

Getting some issues when starting keycloak V1.3 server ....


erver.war")
4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
service
hread 1-7) WFLYJCA0001: Bound data source
[java:jboss/datasources/KeycloakDS]
4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
service
hread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
4:46:07,837 INFO  [org.jboss.ws.common.management] (MSC service thread 1-5)
JBW
022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
4:46:08,941 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
-- 62
 MSC000001: Failed to start service
jboss.undertow.deployment.default-server.de
ault-host./auth: org.jboss.msc.service.StartException in service
jboss.undertow
deployment.default-server.default-host./auth:
java.lang.IllegalStateException:
T010050: Filter Keycloak Client Connection Filter used in filter mapping
URL -
* not found
       at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
run(UndertowDeploymentService.java:85)
       at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:47
)
       at java.util.concurrent.FutureTask.run(FutureTask.java:262)
       at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
ava:1145)
       at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
java:615)
       at java.lang.Thread.run(Thread.java:745)
       at org.jboss.threads.JBossThread.run(JBossThread.java:320)
aused by: java.lang.IllegalStateException: UT010050: Filter Keycloak Client
Con
ection Filter used in filter mapping URL - /* not found
       at
io.undertow.servlet.api.DeploymentInfo.validate(DeploymentInfo.java:1
4)
       at
io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManag
rImpl.java:144)
       at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.s
artContext(UndertowDeploymentService.java:100)
       at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
run(UndertowDeploymentService.java:82)
       ... 6 more

4:46:09,082 ERROR [org.jboss.as.controller.management-operation]
(Controller Bo
t Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment"
=> "
eycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed
services" =
 {"jboss.undertow.deployment.default-server.default-host./auth" =>
"org.jboss.m
c.service.StartException in service
jboss.undertow.deployment.default-server.de
ault-host./auth: java.lang.IllegalStateException: UT010050: Filter Keycloak
Cli
nt Connection Filter used in filter mapping URL - /* not found
   Caused by: java.lang.IllegalStateException: UT010050: Filter Keycloak
Client
Connection Filter used in filter mapping URL - /* not found"}}
4:46:09,160 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 57)
WFLYS
V0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
4:46:09,163 INFO  [org.jboss.as.controller] (Controller Boot Thread)
WFLYCTL018
: Service status report
FLYCTL0186:   Services which failed to start:      service
jboss.undertow.deplo
ment.default-server.default-host./auth:
org.jboss.msc.service.StartException in
service jboss.undertow.deployment.default-server.default-host./auth:
java.lang.

On Thu, Jun 18, 2015 at 2:16 PM, Stian Thorgersen <stian at redhat.com> wrote:

> http://blog.keycloak.org/2015/06/keycloak-130final-released.html
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150618/a3949833/attachment.html 

From stian at redhat.com  Thu Jun 18 03:05:16 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Jun 2015 03:05:16 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.3.0.Final released
In-Reply-To: <CAC2UnuVkozsf7sDpiZJ3SmnNzmy29Z8OM-761LCFTHT5rkbSKw@mail.gmail.com>
References: <1722981063.20879613.1434608183300.JavaMail.zimbra@redhat.com>
	<CAC2UnuVkozsf7sDpiZJ3SmnNzmy29Z8OM-761LCFTHT5rkbSKw@mail.gmail.com>
Message-ID: <954148452.20938844.1434611116750.JavaMail.zimbra@redhat.com>

More info please!

----- Original Message -----
> From: "Chen Keong Yap" <chenkeong.yap at izeno.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, 18 June, 2015 8:47:58 AM
> Subject: Re: [keycloak-user] Keycloak 1.3.0.Final released
> 
> Hi,
> 
> Getting some issues when starting keycloak V1.3 server ....
> 
> 
> erver.war")
> 4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
> service
> hread 1-7) WFLYJCA0001: Bound data source
> [java:jboss/datasources/KeycloakDS]
> 4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
> service
> hread 1-4) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
> 4:46:07,837 INFO  [org.jboss.ws.common.management] (MSC service thread 1-5)
> JBW
> 022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> 4:46:08,941 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
> -- 62
>  MSC000001: Failed to start service
> jboss.undertow.deployment.default-server.de
> ault-host./auth: org.jboss.msc.service.StartException in service
> jboss.undertow
> deployment.default-server.default-host./auth:
> java.lang.IllegalStateException:
> T010050: Filter Keycloak Client Connection Filter used in filter mapping
> URL -
> * not found
>        at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
> run(UndertowDeploymentService.java:85)
>        at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:47
> )
>        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>        at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> ava:1145)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
> java:615)
>        at java.lang.Thread.run(Thread.java:745)
>        at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> aused by: java.lang.IllegalStateException: UT010050: Filter Keycloak Client
> Con
> ection Filter used in filter mapping URL - /* not found
>        at
> io.undertow.servlet.api.DeploymentInfo.validate(DeploymentInfo.java:1
> 4)
>        at
> io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManag
> rImpl.java:144)
>        at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.s
> artContext(UndertowDeploymentService.java:100)
>        at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
> run(UndertowDeploymentService.java:82)
>        ... 6 more
> 
> 4:46:09,082 ERROR [org.jboss.as.controller.management-operation]
> (Controller Bo
> t Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment"
> => "
> eycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed
> services" =
>  {"jboss.undertow.deployment.default-server.default-host./auth" =>
> "org.jboss.m
> c.service.StartException in service
> jboss.undertow.deployment.default-server.de
> ault-host./auth: java.lang.IllegalStateException: UT010050: Filter Keycloak
> Cli
> nt Connection Filter used in filter mapping URL - /* not found
>    Caused by: java.lang.IllegalStateException: UT010050: Filter Keycloak
> Client
> Connection Filter used in filter mapping URL - /* not found"}}
> 4:46:09,160 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 57)
> WFLYS
> V0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
> 4:46:09,163 INFO  [org.jboss.as.controller] (Controller Boot Thread)
> WFLYCTL018
> : Service status report
> FLYCTL0186:   Services which failed to start:      service
> jboss.undertow.deplo
> ment.default-server.default-host./auth:
> org.jboss.msc.service.StartException in
> service jboss.undertow.deployment.default-server.default-host./auth:
> java.lang.
> 
> On Thu, Jun 18, 2015 at 2:16 PM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > http://blog.keycloak.org/2015/06/keycloak-130final-released.html
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 

From kalc04 at gmail.com  Thu Jun 18 03:05:44 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Thu, 18 Jun 2015 12:35:44 +0530
Subject: [keycloak-user] Keycloak 1.3.0.Final released
In-Reply-To: <CAC2UnuVkozsf7sDpiZJ3SmnNzmy29Z8OM-761LCFTHT5rkbSKw@mail.gmail.com>
References: <1722981063.20879613.1434608183300.JavaMail.zimbra@redhat.com>
	<CAC2UnuVkozsf7sDpiZJ3SmnNzmy29Z8OM-761LCFTHT5rkbSKw@mail.gmail.com>
Message-ID: <CAPj1eSz9wZ7Rcm__AfKOCD2CFGoOvOKjF51O7AWiNi9s=ESjWw@mail.gmail.com>

Stian,

Links for the change log and migration guide aren't working at
http://blog.keycloak.org/2015/06/keycloak-130final-released.html.


Regards,
Lohitha.

On Thu, Jun 18, 2015 at 12:17 PM, Chen Keong Yap <chenkeong.yap at izeno.com>
wrote:

> Hi,
>
> Getting some issues when starting keycloak V1.3 server ....
>
>
> erver.war")
> 4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
> service
> hread 1-7) WFLYJCA0001: Bound data source
> [java:jboss/datasources/KeycloakDS]
> 4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
> service
> hread 1-4) WFLYJCA0001: Bound data source
> [java:jboss/datasources/ExampleDS]
> 4:46:07,837 INFO  [org.jboss.ws.common.management] (MSC service thread
> 1-5) JBW
> 022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> 4:46:08,941 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
> -- 62
>  MSC000001: Failed to start service
> jboss.undertow.deployment.default-server.de
> ault-host./auth: org.jboss.msc.service.StartException in service
> jboss.undertow
> deployment.default-server.default-host./auth:
> java.lang.IllegalStateException:
> T010050: Filter Keycloak Client Connection Filter used in filter mapping
> URL -
> * not found
>        at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
> run(UndertowDeploymentService.java:85)
>        at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:47
> )
>        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>        at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> ava:1145)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
> java:615)
>        at java.lang.Thread.run(Thread.java:745)
>        at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> aused by: java.lang.IllegalStateException: UT010050: Filter Keycloak
> Client Con
> ection Filter used in filter mapping URL - /* not found
>        at
> io.undertow.servlet.api.DeploymentInfo.validate(DeploymentInfo.java:1
> 4)
>        at
> io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManag
> rImpl.java:144)
>        at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.s
> artContext(UndertowDeploymentService.java:100)
>        at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
> run(UndertowDeploymentService.java:82)
>        ... 6 more
>
> 4:46:09,082 ERROR [org.jboss.as.controller.management-operation]
> (Controller Bo
> t Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment"
> => "
> eycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed
> services" =
>  {"jboss.undertow.deployment.default-server.default-host./auth" =>
> "org.jboss.m
> c.service.StartException in service
> jboss.undertow.deployment.default-server.de
> ault-host./auth: java.lang.IllegalStateException: UT010050: Filter
> Keycloak Cli
> nt Connection Filter used in filter mapping URL - /* not found
>    Caused by: java.lang.IllegalStateException: UT010050: Filter Keycloak
> Client
> Connection Filter used in filter mapping URL - /* not found"}}
> 4:46:09,160 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 57)
> WFLYS
> V0010: Deployed "keycloak-server.war" (runtime-name :
> "keycloak-server.war")
> 4:46:09,163 INFO  [org.jboss.as.controller] (Controller Boot Thread)
> WFLYCTL018
> : Service status report
> FLYCTL0186:   Services which failed to start:      service
> jboss.undertow.deplo
> ment.default-server.default-host./auth:
> org.jboss.msc.service.StartException in
> service jboss.undertow.deployment.default-server.default-host./auth:
> java.lang.
>
> On Thu, Jun 18, 2015 at 2:16 PM, Stian Thorgersen <stian at redhat.com>
> wrote:
>
>> http://blog.keycloak.org/2015/06/keycloak-130final-released.html
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150618/7f8840d3/attachment-0001.html 

From stian at redhat.com  Thu Jun 18 03:12:10 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Jun 2015 03:12:10 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.3.0.Final released
In-Reply-To: <954148452.20938844.1434611116750.JavaMail.zimbra@redhat.com>
References: <1722981063.20879613.1434608183300.JavaMail.zimbra@redhat.com>
	<CAC2UnuVkozsf7sDpiZJ3SmnNzmy29Z8OM-761LCFTHT5rkbSKw@mail.gmail.com>
	<954148452.20938844.1434611116750.JavaMail.zimbra@redhat.com>
Message-ID: <962092498.20941634.1434611530639.JavaMail.zimbra@redhat.com>

It's completely broken! Wait to download while I'm fixing this.

Sorry everyone, looks like I pushed it out a bit quick this time

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Chen Keong Yap" <chenkeong.yap at izeno.com>
> Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, 18 June, 2015 9:05:16 AM
> Subject: Re: [keycloak-user] Keycloak 1.3.0.Final released
> 
> More info please!
> 
> ----- Original Message -----
> > From: "Chen Keong Yap" <chenkeong.yap at izeno.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: "keycloak-user" <keycloak-user at lists.jboss.org>
> > Sent: Thursday, 18 June, 2015 8:47:58 AM
> > Subject: Re: [keycloak-user] Keycloak 1.3.0.Final released
> > 
> > Hi,
> > 
> > Getting some issues when starting keycloak V1.3 server ....
> > 
> > 
> > erver.war")
> > 4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
> > service
> > hread 1-7) WFLYJCA0001: Bound data source
> > [java:jboss/datasources/KeycloakDS]
> > 4:46:07,560 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC
> > service
> > hread 1-4) WFLYJCA0001: Bound data source
> > [java:jboss/datasources/ExampleDS]
> > 4:46:07,837 INFO  [org.jboss.ws.common.management] (MSC service thread 1-5)
> > JBW
> > 022052: Starting JBoss Web Services - Stack CXF Server 5.0.0.Final
> > 4:46:08,941 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
> > -- 62
> >  MSC000001: Failed to start service
> > jboss.undertow.deployment.default-server.de
> > ault-host./auth: org.jboss.msc.service.StartException in service
> > jboss.undertow
> > deployment.default-server.default-host./auth:
> > java.lang.IllegalStateException:
> > T010050: Filter Keycloak Client Connection Filter used in filter mapping
> > URL -
> > * not found
> >        at
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
> > run(UndertowDeploymentService.java:85)
> >        at
> > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:47
> > )
> >        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> >        at
> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> > ava:1145)
> >        at
> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
> > java:615)
> >        at java.lang.Thread.run(Thread.java:745)
> >        at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > aused by: java.lang.IllegalStateException: UT010050: Filter Keycloak Client
> > Con
> > ection Filter used in filter mapping URL - /* not found
> >        at
> > io.undertow.servlet.api.DeploymentInfo.validate(DeploymentInfo.java:1
> > 4)
> >        at
> > io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManag
> > rImpl.java:144)
> >        at
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.s
> > artContext(UndertowDeploymentService.java:100)
> >        at
> > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1
> > run(UndertowDeploymentService.java:82)
> >        ... 6 more
> > 
> > 4:46:09,082 ERROR [org.jboss.as.controller.management-operation]
> > (Controller Bo
> > t Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment"
> > => "
> > eycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed
> > services" =
> >  {"jboss.undertow.deployment.default-server.default-host./auth" =>
> > "org.jboss.m
> > c.service.StartException in service
> > jboss.undertow.deployment.default-server.de
> > ault-host./auth: java.lang.IllegalStateException: UT010050: Filter Keycloak
> > Cli
> > nt Connection Filter used in filter mapping URL - /* not found
> >    Caused by: java.lang.IllegalStateException: UT010050: Filter Keycloak
> > Client
> > Connection Filter used in filter mapping URL - /* not found"}}
> > 4:46:09,160 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 57)
> > WFLYS
> > V0010: Deployed "keycloak-server.war" (runtime-name :
> > "keycloak-server.war")
> > 4:46:09,163 INFO  [org.jboss.as.controller] (Controller Boot Thread)
> > WFLYCTL018
> > : Service status report
> > FLYCTL0186:   Services which failed to start:      service
> > jboss.undertow.deplo
> > ment.default-server.default-host./auth:
> > org.jboss.msc.service.StartException in
> > service jboss.undertow.deployment.default-server.default-host./auth:
> > java.lang.
> > 
> > On Thu, Jun 18, 2015 at 2:16 PM, Stian Thorgersen <stian at redhat.com> wrote:
> > 
> > > http://blog.keycloak.org/2015/06/keycloak-130final-released.html
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 

From stian at redhat.com  Thu Jun 18 03:21:47 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Jun 2015 03:21:47 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.3.0 release broken
In-Reply-To: <1573846276.20943235.1434612067204.JavaMail.zimbra@redhat.com>
Message-ID: <381788803.20943439.1434612107672.JavaMail.zimbra@redhat.com>

Sorry everyone,

Looks like I've pushed the button a bit to quick this time. The Keycloak 1.3.0 release is completely broken.

Fix coming and 1.3.1 will be released soon.

Cheers,
Stian

From stian at redhat.com  Thu Jun 18 05:42:43 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Jun 2015 05:42:43 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.3.1.Final released
Message-ID: <1860218755.20989775.1434620563319.JavaMail.zimbra@redhat.com>

http://blog.keycloak.org/2015/06/keycloak-131final-released.html

From kevin.thorpe at p-i.net  Thu Jun 18 11:50:32 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Thu, 18 Jun 2015 16:50:32 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in 1.3.1
Message-ID: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>

Thanks to the team for 1.3.1. We were eagerly waiting for that to add LDAP
attribute mappings which I see has now been done. Unfortunately I can't
seem to get it to work.

I have added a user attribute mapper to my ldap federation. This maps the
LDAP atribute 'applications' which exists on my LDAP user record to
'applications' in Keycloak.

I have also added a user attribute token mapper to my Keycloak client
definition to map user attribute 'applications' to token claim
'applications'. I've also asked to add to both id and access token.

However this attribute is not present in either the ID or access token when
testing. Is there something I've missed?

Something that may be an issue though is that I'm using a home written
openid-connect Lua client based on your javascript one. This uses the
endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the
openid-connect endpoint doesn't support these attributes yet?


*Kevin Thorpe*
CTO, PI ltd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150618/678bbcaa/attachment.html 

From jean.merelis at gmail.com  Thu Jun 18 12:28:58 2015
From: jean.merelis at gmail.com (Jeandeson O. Merelis)
Date: Thu, 18 Jun 2015 13:28:58 -0300
Subject: [keycloak-user] I am getting several 404 in version 1.3.1.Final
Message-ID: <CAAjz7KLWT7bwgc6HodCm4X+skKW62LWZBPuEk0xgeixJG8esSw@mail.gmail.com>

I did a clean install to version 1.3.1.Final and I am getting several 404.

I am  using : Wildfly 9 RC2, keycloak-overlay-1.3.1.Final.tar.gz


For instance:

Menu > Clients
GET https://localhost:8443/auth/admin/realms/myrealm/clients-by-id 404 (Not
Found)

Menu > Roles > Add role
GET https://localhost:8443/auth/admin/realms/myrealm/clients-by-id 404 (Not
Found)

Menu > Sessions
GET
https://localhost:8443/auth/admin/realms/myrealm/client-by-id-session-stats
404 (Not Found)



Att,
Jeandeson O. Merelis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150618/f593cb0f/attachment.html 

From stian at redhat.com  Thu Jun 18 13:48:43 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 18 Jun 2015 13:48:43 -0400 (EDT)
Subject: [keycloak-user] I am getting several 404 in version 1.3.1.Final
In-Reply-To: <CAAjz7KLWT7bwgc6HodCm4X+skKW62LWZBPuEk0xgeixJG8esSw@mail.gmail.com>
References: <CAAjz7KLWT7bwgc6HodCm4X+skKW62LWZBPuEk0xgeixJG8esSw@mail.gmail.com>
Message-ID: <434273695.21737544.1434649723359.JavaMail.zimbra@redhat.com>

Have you tried clearing you're cache? I imagine you're upgrading from an old version, from more recent versions you shouldn't have to clear the cache, but that's the only thing that can explain the issues you're seeing.

----- Original Message -----
> From: "Jeandeson O. Merelis" <jean.merelis at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 18 June, 2015 6:28:58 PM
> Subject: [keycloak-user] I am getting several 404 in version 1.3.1.Final
> 
> I did a clean install to version 1.3.1.Final and I am getting several 404.
> 
> I am using : Wildfly 9 RC2, keycloak-overlay-1.3.1.Final.tar.gz
> 
> 
> For instance:
> 
> Menu > Clients
> GET https://localhost:8443/auth/admin/realms/myrealm/clients-by-id 404 (Not
> Found)
> 
> Menu > Roles > Add role
> GET https://localhost:8443/auth/admin/realms/myrealm/clients-by-id 404 (Not
> Found)
> 
> Menu > Sessions
> GET
> https://localhost:8443/auth/admin/realms/myrealm/client-by-id-session-stats
> 404 (Not Found)
> 
> 
> 
> Att,
> Jeandeson O. Merelis
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From juandiego83 at gmail.com  Thu Jun 18 14:35:08 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 18 Jun 2015 13:35:08 -0500
Subject: [keycloak-user] Securing backend rest methods
Message-ID: <CAJGEj6drnSA--=PD8wo9kD2ifcGuk3VNkyvvKRXidG8TPsvu6Q@mail.gmail.com>

Hi,

I was looking in the examples but I cannot find the right one.  Is there an
example that shows how to secure just a method of a rest for a certain
group, allow all groups to the rest method. Like in picketlinks you could
create your own @Admin @Mygroup annotation and add it to a function.

Thanks,

Juan diego
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150618/f544ec55/attachment.html 

From tair.sabirgaliev at bee.kz  Thu Jun 18 15:44:00 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Fri, 19 Jun 2015 01:44:00 +0600
Subject: [keycloak-user] Load bearer-only app resource to iframe
In-Reply-To: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>
References: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>
Message-ID: <etPan.55831f81.3b30b8c1.4662@MacBook-Pro.local>

Any idea on this?

--?
Tair Sabirgaliev
Bee Software, LLP

On June 11, 2015 at 20:41:25, Tair Sabirgaliev (tair.sabirgaliev at bee.kz) wrote:

Hi!

I have a REST resource /rest/some/pdf in bearer-only application. The client app uses angular, I have setup it according to keycloak demos.
On my angular page i have an <iframe src=?/rest/some/pdf??.>. I can?t pass auth headers to iframe url. What is the right thing to do here?

Thank you!


--?
Tair Sabirgaliev
Bee Software, LLP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/212cc676/attachment-0001.html 

From bburke at redhat.com  Thu Jun 18 16:21:51 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 18 Jun 2015 16:21:51 -0400
Subject: [keycloak-user] Load bearer-only app resource to iframe
In-Reply-To: <etPan.55831f81.3b30b8c1.4662@MacBook-Pro.local>
References: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>
	<etPan.55831f81.3b30b8c1.4662@MacBook-Pro.local>
Message-ID: <5583285F.9080505@redhat.com>

invoke the rest service via XHR , then render the <iframe>?

On 6/18/2015 3:44 PM, Tair Sabirgaliev wrote:
> Any idea on this?
>
> --
> Tair Sabirgaliev
> Bee Software, LLP
>
> On June 11, 2015 at 20:41:25, Tair Sabirgaliev (tair.sabirgaliev at bee.kz
> <mailto:tair.sabirgaliev at bee.kz>) wrote:
>
>> Hi!
>>
>> I have a REST resource /rest/some/pdf in bearer-only application. The
>> client app uses angular, I have setup it according to keycloak demos.
>> On my angular page i have an <iframe src=?/rest/some/pdf??.>. I can?t
>> pass auth headers to iframe url. What is the right thing to do here?
>>
>> Thank you!
>>
>>
>> --
>> Tair Sabirgaliev
>> Bee Software, LLP
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From tair.sabirgaliev at bee.kz  Thu Jun 18 16:45:44 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Fri, 19 Jun 2015 02:45:44 +0600
Subject: [keycloak-user] Load bearer-only app resource to iframe
In-Reply-To: <5583285F.9080505@redhat.com>
References: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>	<etPan.55831f81.3b30b8c1.4662@MacBook-Pro.local>
	<5583285F.9080505@redhat.com>
Message-ID: <55832DF8.1020907@bee.kz>



On 6/19/15 02:21, Bill Burke wrote:
> invoke the rest service via XHR , then render the <iframe>?

The problem is when iframe tries to download its contents, keycloak
adapter doesn't let it through. I assume this is because iframe doesn't
sent Authorization header.

> 
> On 6/18/2015 3:44 PM, Tair Sabirgaliev wrote:
>> Any idea on this?
>>
>> --
>> Tair Sabirgaliev
>> Bee Software, LLP
>>
>> On June 11, 2015 at 20:41:25, Tair Sabirgaliev (tair.sabirgaliev at bee.kz
>> <mailto:tair.sabirgaliev at bee.kz>) wrote:
>>
>>> Hi!
>>>
>>> I have a REST resource /rest/some/pdf in bearer-only application. The
>>> client app uses angular, I have setup it according to keycloak demos.
>>> On my angular page i have an <iframe src=?/rest/some/pdf??.>. I can?t
>>> pass auth headers to iframe url. What is the right thing to do here?
>>>
>>> Thank you!
>>>
>>>
>>> --
>>> Tair Sabirgaliev
>>> Bee Software, LLP
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> 

From bburke at redhat.com  Thu Jun 18 16:52:02 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 18 Jun 2015 16:52:02 -0400
Subject: [keycloak-user] Load bearer-only app resource to iframe
In-Reply-To: <55832DF8.1020907@bee.kz>
References: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>	<etPan.55831f81.3b30b8c1.4662@MacBook-Pro.local>	<5583285F.9080505@redhat.com>
	<55832DF8.1020907@bee.kz>
Message-ID: <55832F72.60908@redhat.com>

Yeah, sorry, that was a stupid response to your question by me...I 
wasn't thinking....

Yeah, you're screwed. :)  There is no way around it. I guess the adapter 
could set a cookie on bearer-only requests like it does for auth-code 
requests and then authenticate via the cookie next time around, but then 
you are vulnerable to CSRF attacks.

On 6/18/2015 4:45 PM, Tair Sabirgaliev wrote:
>
>
> On 6/19/15 02:21, Bill Burke wrote:
>> invoke the rest service via XHR , then render the <iframe>?
>
> The problem is when iframe tries to download its contents, keycloak
> adapter doesn't let it through. I assume this is because iframe doesn't
> sent Authorization header.
>
>>
>> On 6/18/2015 3:44 PM, Tair Sabirgaliev wrote:
>>> Any idea on this?
>>>
>>> --
>>> Tair Sabirgaliev
>>> Bee Software, LLP
>>>
>>> On June 11, 2015 at 20:41:25, Tair Sabirgaliev (tair.sabirgaliev at bee.kz
>>> <mailto:tair.sabirgaliev at bee.kz>) wrote:
>>>
>>>> Hi!
>>>>
>>>> I have a REST resource /rest/some/pdf in bearer-only application. The
>>>> client app uses angular, I have setup it according to keycloak demos.
>>>> On my angular page i have an <iframe src=?/rest/some/pdf??.>. I can?t
>>>> pass auth headers to iframe url. What is the right thing to do here?
>>>>
>>>> Thank you!
>>>>
>>>>
>>>> --
>>>> Tair Sabirgaliev
>>>> Bee Software, LLP
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From tair.sabirgaliev at bee.kz  Thu Jun 18 17:06:35 2015
From: tair.sabirgaliev at bee.kz (Tair Sabirgaliev)
Date: Fri, 19 Jun 2015 03:06:35 +0600
Subject: [keycloak-user] Load bearer-only app resource to iframe
In-Reply-To: <55832F72.60908@redhat.com>
References: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>	<etPan.55831f81.3b30b8c1.4662@MacBook-Pro.local>	<5583285F.9080505@redhat.com>	<55832DF8.1020907@bee.kz>
	<55832F72.60908@redhat.com>
Message-ID: <558332DB.7070008@bee.kz>



On 6/19/15 02:52, Bill Burke wrote:
> Yeah, sorry, that was a stupid response to your question by me...I 
> wasn't thinking....
> 
> Yeah, you're screwed. :)  There is no way around it. I guess the adapter 
> could set a cookie on bearer-only requests like it does for auth-code 
> requests and then authenticate via the cookie next time around, but then 
> you are vulnerable to CSRF attacks.

Got this one:
https://developer.mozilla.org/en-US/docs/Using_files_from_web_applications#Example.3A_Using_object_URLs_to_display_PDF

Didn't try yet, but looks promising.

The idea is to load the resource with XHR and render it in iframe using
Object URLs.

> 
> On 6/18/2015 4:45 PM, Tair Sabirgaliev wrote:
>>
>>
>> On 6/19/15 02:21, Bill Burke wrote:
>>> invoke the rest service via XHR , then render the <iframe>?
>>
>> The problem is when iframe tries to download its contents, keycloak
>> adapter doesn't let it through. I assume this is because iframe doesn't
>> sent Authorization header.
>>
>>>
>>> On 6/18/2015 3:44 PM, Tair Sabirgaliev wrote:
>>>> Any idea on this?
>>>>
>>>> --
>>>> Tair Sabirgaliev
>>>> Bee Software, LLP
>>>>
>>>> On June 11, 2015 at 20:41:25, Tair Sabirgaliev (tair.sabirgaliev at bee.kz
>>>> <mailto:tair.sabirgaliev at bee.kz>) wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> I have a REST resource /rest/some/pdf in bearer-only application. The
>>>>> client app uses angular, I have setup it according to keycloak demos.
>>>>> On my angular page i have an <iframe src=?/rest/some/pdf??.>. I can?t
>>>>> pass auth headers to iframe url. What is the right thing to do here?
>>>>>
>>>>> Thank you!
>>>>>
>>>>>
>>>>> --
>>>>> Tair Sabirgaliev
>>>>> Bee Software, LLP
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> 

From bburke at redhat.com  Thu Jun 18 17:42:19 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 18 Jun 2015 17:42:19 -0400
Subject: [keycloak-user] Load bearer-only app resource to iframe
In-Reply-To: <558332DB.7070008@bee.kz>
References: <etPan.55799e13.2794ba4e.3aa4@MacBook-Pro.local>	<etPan.55831f81.3b30b8c1.4662@MacBook-Pro.local>	<5583285F.9080505@redhat.com>	<55832DF8.1020907@bee.kz>	<55832F72.60908@redhat.com>
	<558332DB.7070008@bee.kz>
Message-ID: <55833B3B.3020101@redhat.com>



On 6/18/2015 5:06 PM, Tair Sabirgaliev wrote:
>
>
> On 6/19/15 02:52, Bill Burke wrote:
>> Yeah, sorry, that was a stupid response to your question by me...I
>> wasn't thinking....
>>
>> Yeah, you're screwed. :)  There is no way around it. I guess the adapter
>> could set a cookie on bearer-only requests like it does for auth-code
>> requests and then authenticate via the cookie next time around, but then
>> you are vulnerable to CSRF attacks.
>
> Got this one:
> https://developer.mozilla.org/en-US/docs/Using_files_from_web_applications#Example.3A_Using_object_URLs_to_display_PDF
>
> Didn't try yet, but looks promising.
>
> The idea is to load the resource with XHR and render it in iframe using
> Object URLs.
>

I guess I wasn't crazy then ;)

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sarbx at hotmail.com  Thu Jun 18 21:14:34 2015
From: sarbx at hotmail.com (Bellan Saravanan)
Date: Thu, 18 Jun 2015 18:14:34 -0700
Subject: [keycloak-user] Multi tenant
Message-ID: <COL126-W31ED312101E4903BA0E4DCB5A40@phx.gbl>

If we are managing users for multiple customers in a single keycloak instance, is it recommended to have users from those tenants in different realms?
The problem I'm having is since we have single application which resolves to different realms based on the user's email address, I have to duplicate the Client/Application configuration under each of the realm. Is there some way to avoid these duplicate Client/Application configurations?
Thanks,
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150618/71740668/attachment.html 

From peterson.dean at gmail.com  Thu Jun 18 21:26:44 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 18 Jun 2015 20:26:44 -0500
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
	1.2.0.Final
In-Reply-To: <230363077.19971361.1434521202436.JavaMail.zimbra@redhat.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>
	<170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>
	<CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>
	<CAFGzvPmkz7-k-+oZ+nxjb0XqSKi0shvN4FuTCw8fN13n4bZG_A@mail.gmail.com>
	<230363077.19971361.1434521202436.JavaMail.zimbra@redhat.com>
Message-ID: <CAFGzvPnAV-WgKy+nf78Cs3XJnfK+1eBD0KLz+DEga-hiTp2iXQ@mail.gmail.com>

Neither returned any indexes

On Wed, Jun 17, 2015 at 1:06 AM, Stian Thorgersen <stian at redhat.com> wrote:

> Could you run listIndexes[1] on the applications and clients collections?
>
> [1]
> http://docs.mongodb.org/manual/tutorial/list-indexes/#list-all-indexes-on-a-collection
>
> ----- Original Message -----
> > From: "Dean Peterson" <peterson.dean at gmail.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 17 June, 2015 7:32:24 AM
> > Subject: Re: [keycloak-user] Tried to update database from 1.2.0.Beta1
> to 1.2.0.Final
> >
> > Any suggestions?
> >
> > On Mon, Jun 15, 2015 at 6:54 AM, Dean Peterson <peterson.dean at gmail.com>
> > wrote:
> >
> > > I put the version in the subject: 1.2.0.Beta1
> > > On Jun 15, 2015 12:28 AM, "Stian Thorgersen" <stian at redhat.com> wrote:
> > >
> > >> What version are you upgrading from?
> > >>
> > >> ----- Original Message -----
> > >> > From: "Dean Peterson" <peterson.dean at gmail.com>
> > >> > To: keycloak-user at lists.jboss.org
> > >> > Sent: Monday, 15 June, 2015 5:50:12 AM
> > >> > Subject: Re: [keycloak-user] Tried to update database from
> 1.2.0.Beta1
> > >> to     1.2.0.Final
> > >> >
> > >> > The end of the error message is strange since I am trying to update
> to
> > >> > 1.2.0.Final. It refers to a candidate release:
> > >>
> > >> When updating the db it goes through a list of updates, so if you
> haven't
> > >> upgraded to 1.2.0.cr1 in the past that update is on the list as well.
> > >>
> > >> >
> > >> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" :
> "kcdb/
> > >> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
> > >> "index
> > >> > not found with name [realmId_1_name_1]"}
> > >> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
> > >> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> > >> > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
> > >> > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
> > >> > at
> > >> >
> > >>
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
> > >> > at
> > >> >
> > >>
> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
> > >> > at
> > >> >
> > >>
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
> > >> >
> > >> >
> > >> > On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <
> > >> peterson.dean at gmail.com >
> > >> > wrote:
> > >> >
> > >> >
> > >> >
> > >> > I receive this error:
> > >> >
> > >> > Caused by: java.lang.RuntimeException: Failed to update database
> > >> > at
> > >> >
> > >>
> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
> > >> > at
> > >> >
> > >>
> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
> > >> > ... 35 more
> > >> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" :
> "kcdb/
> > >> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
> > >> "index
> > >> > not found with name [realmId_1_name_1]"}
> > >> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
> > >> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
> > >> >
> > >> >
> > >> >
> > >> > _______________________________________________
> > >> > keycloak-user mailing list
> > >> > keycloak-user at lists.jboss.org
> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150618/69882ba6/attachment-0001.html 

From bburke at redhat.com  Thu Jun 18 23:45:31 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 18 Jun 2015 23:45:31 -0400
Subject: [keycloak-user] Multi tenant
In-Reply-To: <COL126-W31ED312101E4903BA0E4DCB5A40@phx.gbl>
References: <COL126-W31ED312101E4903BA0E4DCB5A40@phx.gbl>
Message-ID: <5583905B.2060304@redhat.com>

you should keep users in separate realms.  I'm assuming this is a SaaS 
you are building?

No way around this.  Should be easy enough to provision though with a 
REST call to the new realm though.  But I could see it would be hard to 
configure each client.  We're looking to make it easier to configure 
clients as well if you are running on Wildfly/EAP.  But that is awhile away.

On 6/18/2015 9:14 PM, Bellan Saravanan wrote:
> If we are managing users for multiple customers in a single keycloak
> instance, is it recommended to have users from those tenants in
> different realms?
>
> The problem I'm having is since we have single application which
> resolves to different realms based on the user's email address, I have
> to duplicate the Client/Application configuration under each of the
> realm. Is there some way to avoid these duplicate Client/Application
> configurations?
>
> Thanks,
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From stian at redhat.com  Fri Jun 19 03:49:44 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 19 Jun 2015 03:49:44 -0400 (EDT)
Subject: [keycloak-user] Securing backend rest methods
In-Reply-To: <CAJGEj6drnSA--=PD8wo9kD2ifcGuk3VNkyvvKRXidG8TPsvu6Q@mail.gmail.com>
References: <CAJGEj6drnSA--=PD8wo9kD2ifcGuk3VNkyvvKRXidG8TPsvu6Q@mail.gmail.com>
Message-ID: <1657212935.22258867.1434700184588.JavaMail.zimbra@redhat.com>

Keycloak is based on roles and we don't have support for groups. By using composite roles you can model groups as a role though.

----- Original Message -----
> From: "Juan Diego" <juandiego83 at gmail.com>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, 18 June, 2015 8:35:08 PM
> Subject: [keycloak-user] Securing backend rest methods
> 
> Hi,
> 
> I was looking in the examples but I cannot find the right one. Is there an
> example that shows how to secure just a method of a rest for a certain
> group, allow all groups to the rest method. Like in picketlinks you could
> create your own @Admin @Mygroup annotation and add it to a function.
> 
> Thanks,
> 
> Juan diego
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com  Fri Jun 19 05:15:54 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 19 Jun 2015 11:15:54 +0200
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
 1.3.1
In-Reply-To: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
Message-ID: <5583DDCA.10607@redhat.com>

There are few steps here and the result will work only if all steps 
success. So it might help to try which step could be wrong here:

1) You can doublecheck if your user really has 'applications' attribute 
in LDAP

2) If (1) is ok, you can enable TRACE logging for 
"org.keycloak.federation.ldap" category in standalone.xml . With it, you 
should see some trace messages with the names and values of all LDAP 
attributes, which are loaded in user record. You should see the 
'applications' attribute loaded

3) If (2) is ok, you can browse keycloak database and check if attribute 
'applications' is really here. The user attributes are saved in table 
USER_ATTRIBUTES. Currently it's not possible to browse user attributes 
generically in admin console (unless you do custom theme) so browse DB 
seems to be the only possibility.

4) If (3) is ok, the issue is not in LDAP interaction, but in protocol 
mapper configuration. Make sure you use correct protocol mapper (In your 
case it should be "User attributes" mapper, not "User property" mapper). 
Also if your application is Java based, the value of 'applications' 
claim is saved in accessToken in 'otherClaims' map and can be retrieved 
with something like: accessToken.getOtherClaims().get("applications");

Marek


On 18.6.2015 17:50, Kevin Thorpe wrote:
> Thanks to the team for 1.3.1. We were eagerly waiting for that to add 
> LDAP attribute mappings which I see has now been done. Unfortunately I 
> can't seem to get it to work.
>
> I have added a user attribute mapper to my ldap federation. This maps 
> the LDAP atribute 'applications' which exists on my LDAP user record 
> to 'applications' in Keycloak.
>
> I have also added a user attribute token mapper to my Keycloak client 
> definition to map user attribute 'applications' to token claim 
> 'applications'. I've also asked to add to both id and access token.
>
> However this attribute is not present in either the ID or access token 
> when testing. Is there something I've missed?
>
> Something that may be an issue though is that I'm using a home written 
> openid-connect Lua client based on your javascript one. This uses the 
> endpoint /auth/realms/master/protocol/openid-connect/token. Is it that 
> the openid-connect endpoint doesn't support these attributes yet?
>
> *Kevin Thorpe
> *
> CTO, PI ltd
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/19688cf0/attachment.html 

From mposolda at redhat.com  Fri Jun 19 05:19:31 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 19 Jun 2015 11:19:31 +0200
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
 1.2.0.Final
In-Reply-To: <CAFGzvPnAV-WgKy+nf78Cs3XJnfK+1eBD0KLz+DEga-hiTp2iXQ@mail.gmail.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>	<170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>	<CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>	<CAFGzvPmkz7-k-+oZ+nxjb0XqSKi0shvN4FuTCw8fN13n4bZG_A@mail.gmail.com>	<230363077.19971361.1434521202436.JavaMail.zimbra@redhat.com>
	<CAFGzvPnAV-WgKy+nf78Cs3XJnfK+1eBD0KLz+DEga-hiTp2iXQ@mail.gmail.com>
Message-ID: <5583DEA3.5050304@redhat.com>

Which version of MongoDB are you using?

Marek

On 19.6.2015 03:26, Dean Peterson wrote:
> Neither returned any indexes
>
> On Wed, Jun 17, 2015 at 1:06 AM, Stian Thorgersen <stian at redhat.com 
> <mailto:stian at redhat.com>> wrote:
>
>     Could you run listIndexes[1] on the applications and clients
>     collections?
>
>     [1]
>     http://docs.mongodb.org/manual/tutorial/list-indexes/#list-all-indexes-on-a-collection
>
>     ----- Original Message -----
>     > From: "Dean Peterson" <peterson.dean at gmail.com
>     <mailto:peterson.dean at gmail.com>>
>     > To: "Stian Thorgersen" <stian at redhat.com <mailto:stian at redhat.com>>
>     > Cc: keycloak-user at lists.jboss.org
>     <mailto:keycloak-user at lists.jboss.org>
>     > Sent: Wednesday, 17 June, 2015 7:32:24 AM
>     > Subject: Re: [keycloak-user] Tried to update database from
>     1.2.0.Beta1 to 1.2.0.Final
>     >
>     > Any suggestions?
>     >
>     > On Mon, Jun 15, 2015 at 6:54 AM, Dean Peterson
>     <peterson.dean at gmail.com <mailto:peterson.dean at gmail.com>>
>     > wrote:
>     >
>     > > I put the version in the subject: 1.2.0.Beta1
>     > > On Jun 15, 2015 12:28 AM, "Stian Thorgersen" <stian at redhat.com
>     <mailto:stian at redhat.com>> wrote:
>     > >
>     > >> What version are you upgrading from?
>     > >>
>     > >> ----- Original Message -----
>     > >> > From: "Dean Peterson" <peterson.dean at gmail.com
>     <mailto:peterson.dean at gmail.com>>
>     > >> > To: keycloak-user at lists.jboss.org
>     <mailto:keycloak-user at lists.jboss.org>
>     > >> > Sent: Monday, 15 June, 2015 5:50:12 AM
>     > >> > Subject: Re: [keycloak-user] Tried to update database from
>     1.2.0.Beta1
>     > >> to     1.2.0.Final
>     > >> >
>     > >> > The end of the error message is strange since I am trying
>     to update to
>     > >> > 1.2.0.Final. It refers to a candidate release:
>     > >>
>     > >> When updating the db it goes through a list of updates, so if
>     you haven't
>     > >> upgraded to 1.2.0.cr1 in the past that update is on the list
>     as well.
>     > >>
>     > >> >
>     > >> > Caused by: com.mongodb.CommandFailureException: {
>     "serverUsed" : "kcdb/
>     > >> > 172.17.5.191:27017 <http://172.17.5.191:27017> " ,
>     "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>     > >> "index
>     > >> > not found with name [realmId_1_name_1]"}
>     > >> > at
>     com.mongodb.CommandResult.getException(CommandResult.java:71)
>     > >> > at
>     com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>     > >> > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>     > >> > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>     > >> > at
>     > >> >
>     > >>
>     org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>     > >> > at
>     > >> >
>     > >>
>     org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>     > >> > at
>     > >> >
>     > >>
>     org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
>     > >> >
>     > >> >
>     > >> > On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <
>     > >> peterson.dean at gmail.com <mailto:peterson.dean at gmail.com> >
>     > >> > wrote:
>     > >> >
>     > >> >
>     > >> >
>     > >> > I receive this error:
>     > >> >
>     > >> > Caused by: java.lang.RuntimeException: Failed to update
>     database
>     > >> > at
>     > >> >
>     > >>
>     org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
>     > >> > at
>     > >> >
>     > >>
>     org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
>     > >> > ... 35 more
>     > >> > Caused by: com.mongodb.CommandFailureException: {
>     "serverUsed" : "kcdb/
>     > >> > 172.17.5.191:27017 <http://172.17.5.191:27017> " ,
>     "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>     > >> "index
>     > >> > not found with name [realmId_1_name_1]"}
>     > >> > at
>     com.mongodb.CommandResult.getException(CommandResult.java:71)
>     > >> > at
>     com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>     > >> >
>     > >> >
>     > >> >
>     > >> > _______________________________________________
>     > >> > keycloak-user mailing list
>     > >> > keycloak-user at lists.jboss.org
>     <mailto:keycloak-user at lists.jboss.org>
>     > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>     > >>
>     > >
>     >
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/0d0ed379/attachment-0001.html 

From kevin.thorpe at p-i.net  Fri Jun 19 05:42:39 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 19 Jun 2015 10:42:39 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
	1.3.1
In-Reply-To: <5583DDCA.10607@redhat.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
Message-ID: <CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>

Hi Marek, thanks for the quick reply.

1. I am definitely sure that the attributes I need are in the LDAP record.

2. adding trace to federation.ldap shows my mapped attributes being read

3. there is no USER_ATTRIBUTES table I'm assuming you meant USER_ATTRIBUTE
but it doesn't have my attributes.
   it does have a reference to my LDAP_ID so i8t looks like it should be
here

MariaDB [keycloak]> select * from USER_ATTRIBUTE;
+---------+-------------------------------------+--------------------------------------+
| NAME    | VALUE                               | USER_ID
           |
+---------+-------------------------------------+--------------------------------------+
| LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
| LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
+---------+-------------------------------------+--------------------------------------+

thanks for your time on this


*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com> wrote:

>  There are few steps here and the result will work only if all steps
> success. So it might help to try which step could be wrong here:
>
> 1) You can doublecheck if your user really has 'applications' attribute in
> LDAP
>
> 2) If (1) is ok, you can enable TRACE logging for
> "org.keycloak.federation.ldap" category in standalone.xml . With it, you
> should see some trace messages with the names and values of all LDAP
> attributes, which are loaded in user record. You should see the
> 'applications' attribute loaded
>
> 3) If (2) is ok, you can browse keycloak database and check if attribute
> 'applications' is really here. The user attributes are saved in table
> USER_ATTRIBUTES. Currently it's not possible to browse user attributes
> generically in admin console (unless you do custom theme) so browse DB
> seems to be the only possibility.
>
> 4) If (3) is ok, the issue is not in LDAP interaction, but in protocol
> mapper configuration. Make sure you use correct protocol mapper (In your
> case it should be "User attributes" mapper, not "User property" mapper).
> Also if your application is Java based, the value of 'applications' claim
> is saved in accessToken in 'otherClaims' map and can be retrieved with
> something like: accessToken.getOtherClaims().get("applications");
>
> Marek
>
>
>
> On 18.6.2015 17:50, Kevin Thorpe wrote:
>
>  Thanks to the team for 1.3.1. We were eagerly waiting for that to add
> LDAP attribute mappings which I see has now been done. Unfortunately I
> can't seem to get it to work.
>
>  I have added a user attribute mapper to my ldap federation. This maps
> the LDAP atribute 'applications' which exists on my LDAP user record to
> 'applications' in Keycloak.
>
>  I have also added a user attribute token mapper to my Keycloak client
> definition to map user attribute 'applications' to token claim
> 'applications'. I've also asked to add to both id and access token.
>
>  However this attribute is not present in either the ID or access token
> when testing. Is there something I've missed?
>
>  Something that may be an issue though is that I'm using a home written
> openid-connect Lua client based on your javascript one. This uses the
> endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the
> openid-connect endpoint doesn't support these attributes yet?
>
>
> *Kevin Thorpe *
> CTO, PI ltd
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/71c61dba/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/71c61dba/attachment.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/71c61dba/attachment-0001.jpg 

From kevin.thorpe at p-i.net  Fri Jun 19 05:56:50 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 19 Jun 2015 10:56:50 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
	1.3.1
In-Reply-To: <CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
Message-ID: <CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>

I had a hunch so I added a record in USER_ATTRIBUTE for applications and it
is getting passed
in the JWT claims now. That squarely points at the ldap federation part.


*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:

> Hi Marek, thanks for the quick reply.
>
> 1. I am definitely sure that the attributes I need are in the LDAP record.
>
> 2. adding trace to federation.ldap shows my mapped attributes being read
>
> 3. there is no USER_ATTRIBUTES table I'm assuming you meant USER_ATTRIBUTE
> but it doesn't have my attributes.
>    it does have a reference to my LDAP_ID so i8t looks like it should be
> here
>
> MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>
> +---------+-------------------------------------+--------------------------------------+
> | NAME    | VALUE                               | USER_ID
>              |
>
> +---------+-------------------------------------+--------------------------------------+
> | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
> 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
> | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
> 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>
> +---------+-------------------------------------+--------------------------------------+
>
> thanks for your time on this
>
>
> *Kevin Thorpe*
> CTO
>
>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>
>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>
>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
> _____________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. If you are not the intended recipient
> you are notified that disclosing, copying, distributing or taking any
> action in reliance on the contents of this information is strictly
> prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
> On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com> wrote:
>
>>  There are few steps here and the result will work only if all steps
>> success. So it might help to try which step could be wrong here:
>>
>> 1) You can doublecheck if your user really has 'applications' attribute
>> in LDAP
>>
>> 2) If (1) is ok, you can enable TRACE logging for
>> "org.keycloak.federation.ldap" category in standalone.xml . With it, you
>> should see some trace messages with the names and values of all LDAP
>> attributes, which are loaded in user record. You should see the
>> 'applications' attribute loaded
>>
>> 3) If (2) is ok, you can browse keycloak database and check if attribute
>> 'applications' is really here. The user attributes are saved in table
>> USER_ATTRIBUTES. Currently it's not possible to browse user attributes
>> generically in admin console (unless you do custom theme) so browse DB
>> seems to be the only possibility.
>>
>> 4) If (3) is ok, the issue is not in LDAP interaction, but in protocol
>> mapper configuration. Make sure you use correct protocol mapper (In your
>> case it should be "User attributes" mapper, not "User property" mapper).
>> Also if your application is Java based, the value of 'applications' claim
>> is saved in accessToken in 'otherClaims' map and can be retrieved with
>> something like: accessToken.getOtherClaims().get("applications");
>>
>> Marek
>>
>>
>>
>> On 18.6.2015 17:50, Kevin Thorpe wrote:
>>
>>  Thanks to the team for 1.3.1. We were eagerly waiting for that to add
>> LDAP attribute mappings which I see has now been done. Unfortunately I
>> can't seem to get it to work.
>>
>>  I have added a user attribute mapper to my ldap federation. This maps
>> the LDAP atribute 'applications' which exists on my LDAP user record to
>> 'applications' in Keycloak.
>>
>>  I have also added a user attribute token mapper to my Keycloak client
>> definition to map user attribute 'applications' to token claim
>> 'applications'. I've also asked to add to both id and access token.
>>
>>  However this attribute is not present in either the ID or access token
>> when testing. Is there something I've missed?
>>
>>  Something that may be an issue though is that I'm using a home written
>> openid-connect Lua client based on your javascript one. This uses the
>> endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the
>> openid-connect endpoint doesn't support these attributes yet?
>>
>>
>> *Kevin Thorpe *
>> CTO, PI ltd
>>
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/6bdb0a43/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/6bdb0a43/attachment-0002.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/6bdb0a43/attachment-0003.jpg 

From mposolda at redhat.com  Fri Jun 19 08:50:07 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 19 Jun 2015 14:50:07 +0200
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
 1.3.1
In-Reply-To: <CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
	<CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
Message-ID: <55840FFF.7080208@redhat.com>

Thanks for the info. Now I think I know what's going on.

The issue is that currently when we import users from LDAP (federation 
in general), we sync the configured attributes to the Keycloak DB. But 
during searching, we don't sync the attributes from LDAP to Keycloak DB 
anymore. So I guess you did the steps like this:
- You first authenticate as LDAP user "joe" (or search this user from 
admin console), which imported this user into Keycloak DB
- Then you created mapper for the 'applications' attribute. But user 
'joe' was already imported into Keycloak DB from the previous step, right?

I believe that when you import some other user from LDAP, which is not 
yet exist in Keycloak DB, the 'applications' attribute will be there. 
For the existing user, the only possibility right now is to use 
"Synchronize all users" or "Synchronize changed users" on LDAP 
federation screen. This will update existing users into Keycloak DB as 
well, so 'joe' will be updated.

Please let me know if it helps.  Looks that it's something we should 
address better in Keycloak.

Marek

On 19.6.2015 11:56, Kevin Thorpe wrote:
> I had a hunch so I added a record in USER_ATTRIBUTE for applications 
> and it is getting passed
> in the JWT claims now. That squarely points at the ldap federation part.
>
> *Kevin Thorpe
> *
> CTO
>
> <https://www.p-i.net/> <https://twitter.com/@PI_150>
>
> www.p-i.net <http://www.p-i.net/> | @PI_150 <https://twitter.com/@PI_150>
>
> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>
> **
> _____________________________
>
> This email and any files transmitted with it are confidential and 
> intended solely for the use of the individual or entity to whom they 
> are addressed. If you have received this email in error please notify 
> the system manager. This message contains confidential information and 
> is intended only for the individual named. If you are not the named 
> addressee you should not disseminate, distribute or copy this e-mail. 
> Please notify the sender immediately by e-mail if you have received 
> this e-mail by mistake and delete this e-mail from your system. If you 
> are not the intended recipient you are notified that disclosing, 
> copying, distributing or taking any action in reliance on the contents 
> of this information is strictly prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
>
> On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net 
> <mailto:kevin.thorpe at p-i.net>> wrote:
>
>     Hi Marek, thanks for the quick reply.
>
>     1. I am definitely sure that the attributes I need are in the LDAP
>     record.
>
>     2. adding trace to federation.ldap shows my mapped attributes
>     being read
>
>     3. there is no USER_ATTRIBUTES table I'm assuming you meant
>     USER_ATTRIBUTE but it doesn't have my attributes.
>        it does have a reference to my LDAP_ID so i8t looks like it
>     should be here
>
>     MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>     +---------+-------------------------------------+--------------------------------------+
>     | NAME    | VALUE                               | USER_ID        
>              |
>     +---------+-------------------------------------+--------------------------------------+
>     | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
>     471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
>     | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
>     6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>     +---------+-------------------------------------+--------------------------------------+
>
>     thanks for your time on this
>
>     *Kevin Thorpe
>     *
>     CTO
>
>     <https://www.p-i.net/> <https://twitter.com/@PI_150>
>
>     www.p-i.net <http://www.p-i.net/> | @PI_150
>     <https://twitter.com/@PI_150>
>
>     M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730
>     2635
>     150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>     **
>     _____________________________
>
>     This email and any files transmitted with it are confidential and
>     intended solely for the use of the individual or entity to whom
>     they are addressed. If you have received this email in error
>     please notify the system manager. This message contains
>     confidential information and is intended only for the individual
>     named. If you are not the named addressee you should not
>     disseminate, distribute or copy this e-mail. Please notify the
>     sender immediately by e-mail if you have received this e-mail by
>     mistake and delete this e-mail from your system. If you are not
>     the intended recipient you are notified that disclosing, copying,
>     distributing or taking any action in reliance on the contents of
>     this information is strictly prohibited.
>
>     *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
>
>     On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com
>     <mailto:mposolda at redhat.com>> wrote:
>
>         There are few steps here and the result will work only if all
>         steps success. So it might help to try which step could be
>         wrong here:
>
>         1) You can doublecheck if your user really has 'applications'
>         attribute in LDAP
>
>         2) If (1) is ok, you can enable TRACE logging for
>         "org.keycloak.federation.ldap" category in standalone.xml .
>         With it, you should see some trace messages with the names and
>         values of all LDAP attributes, which are loaded in user
>         record. You should see the 'applications' attribute loaded
>
>         3) If (2) is ok, you can browse keycloak database and check if
>         attribute 'applications' is really here. The user attributes
>         are saved in table USER_ATTRIBUTES. Currently it's not
>         possible to browse user attributes generically in admin
>         console (unless you do custom theme) so browse DB seems to be
>         the only possibility.
>
>         4) If (3) is ok, the issue is not in LDAP interaction, but in
>         protocol mapper configuration. Make sure you use correct
>         protocol mapper (In your case it should be "User attributes"
>         mapper, not "User property" mapper). Also if your application
>         is Java based, the value of 'applications' claim is saved in
>         accessToken in 'otherClaims' map and can be retrieved with
>         something like: accessToken.getOtherClaims().get("applications");
>
>         Marek
>
>
>
>         On 18.6.2015 17:50, Kevin Thorpe wrote:
>>         Thanks to the team for 1.3.1. We were eagerly waiting for
>>         that to add LDAP attribute mappings which I see has now been
>>         done. Unfortunately I can't seem to get it to work.
>>
>>         I have added a user attribute mapper to my ldap federation.
>>         This maps the LDAP atribute 'applications' which exists on my
>>         LDAP user record to 'applications' in Keycloak.
>>
>>         I have also added a user attribute token mapper to my
>>         Keycloak client definition to map user attribute
>>         'applications' to token claim 'applications'. I've also asked
>>         to add to both id and access token.
>>
>>         However this attribute is not present in either the ID or
>>         access token when testing. Is there something I've missed?
>>
>>         Something that may be an issue though is that I'm using a
>>         home written openid-connect Lua client based on your
>>         javascript one. This uses the endpoint
>>         /auth/realms/master/protocol/openid-connect/token. Is it that
>>         the openid-connect endpoint doesn't support these attributes yet?
>>
>>         *Kevin Thorpe
>>         *
>>         CTO, PI ltd
>>
>>
>>         _______________________________________________
>>         keycloak-user mailing list
>>         keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/3f4e48bd/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/3f4e48bd/attachment-0002.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/3f4e48bd/attachment-0003.jpe 

From kevin.thorpe at p-i.net  Fri Jun 19 09:22:23 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 19 Jun 2015 14:22:23 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
	1.3.1
In-Reply-To: <55840FFF.7080208@redhat.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
	<CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
	<55840FFF.7080208@redhat.com>
Message-ID: <CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>

Ok, I think I understand. I tried 'sync all users' and got an error. Is
this because applications is a multiple
attribute? Obviously I will probably have access to more than one
application. In the meantime I'll try a brand
new user and see if that works.

Log shows:

2015-06-19 14:19:26,361 INFO
 [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
task-2) Sync all users from LDAP to local store: realm: master, federation
provider: PI  ordinary users
2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2)
UT005023: Exception handling request to
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
java.lang.RuntimeException: request path:
/auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
        at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
        at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
        at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
        at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
        at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
        at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
        at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException:
java.lang.ClassCastException: java.util.TreeSet cannot be cast to
java.lang.String
        at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at
org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
        at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
        ... 29 more
Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be cast
to java.lang.String
        at
org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
        at
org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
        at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
        at
org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
        at
org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
        at
org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
        at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
        at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        ... 40 more



*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 19 June 2015 at 13:50, Marek Posolda <mposolda at redhat.com> wrote:

>  Thanks for the info. Now I think I know what's going on.
>
> The issue is that currently when we import users from LDAP (federation in
> general), we sync the configured attributes to the Keycloak DB. But during
> searching, we don't sync the attributes from LDAP to Keycloak DB anymore.
> So I guess you did the steps like this:
> - You first authenticate as LDAP user "joe" (or search this user from
> admin console), which imported this user into Keycloak DB
> - Then you created mapper for the 'applications' attribute. But user 'joe'
> was already imported into Keycloak DB from the previous step, right?
>
> I believe that when you import some other user from LDAP, which is not yet
> exist in Keycloak DB, the 'applications' attribute will be there. For the
> existing user, the only possibility right now is to use "Synchronize all
> users" or "Synchronize changed users" on LDAP federation screen. This will
> update existing users into Keycloak DB as well, so 'joe' will be updated.
>
> Please let me know if it helps.  Looks that it's something we should
> address better in Keycloak.
>
> Marek
>
>
> On 19.6.2015 11:56, Kevin Thorpe wrote:
>
> I had a hunch so I added a record in USER_ATTRIBUTE for applications and
> it is getting passed
> in the JWT claims now. That squarely points at the ldap federation part.
>
>
> *Kevin Thorpe *
> CTO
>
>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>
>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>
>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
> _____________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. If you are not the intended recipient
> you are notified that disclosing, copying, distributing or taking any
> action in reliance on the contents of this information is strictly
> prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
> On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:
>
>> Hi Marek, thanks for the quick reply.
>>
>>  1. I am definitely sure that the attributes I need are in the LDAP
>> record.
>>
>>  2. adding trace to federation.ldap shows my mapped attributes being read
>>
>>  3. there is no USER_ATTRIBUTES table I'm assuming you meant
>> USER_ATTRIBUTE but it doesn't have my attributes.
>>    it does have a reference to my LDAP_ID so i8t looks like it should be
>> here
>>
>>  MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>>
>> +---------+-------------------------------------+--------------------------------------+
>> | NAME    | VALUE                               | USER_ID
>>              |
>>
>> +---------+-------------------------------------+--------------------------------------+
>> | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
>> 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
>> | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
>> 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>>
>> +---------+-------------------------------------+--------------------------------------+
>>
>>  thanks for your time on this
>>
>>
>> *Kevin Thorpe *
>> CTO
>>
>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>
>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>
>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>
>> _____________________________
>>
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they are
>> addressed. If you have received this email in error please notify the
>> system manager. This message contains confidential information and is
>> intended only for the individual named. If you are not the named addressee
>> you should not disseminate, distribute or copy this e-mail. Please notify
>> the sender immediately by e-mail if you have received this e-mail by
>> mistake and delete this e-mail from your system. If you are not the
>> intended recipient you are notified that disclosing, copying, distributing
>> or taking any action in reliance on the contents of this information is
>> strictly prohibited.
>>
>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>
>> On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>>  There are few steps here and the result will work only if all steps
>>> success. So it might help to try which step could be wrong here:
>>>
>>> 1) You can doublecheck if your user really has 'applications' attribute
>>> in LDAP
>>>
>>> 2) If (1) is ok, you can enable TRACE logging for
>>> "org.keycloak.federation.ldap" category in standalone.xml . With it, you
>>> should see some trace messages with the names and values of all LDAP
>>> attributes, which are loaded in user record. You should see the
>>> 'applications' attribute loaded
>>>
>>> 3) If (2) is ok, you can browse keycloak database and check if attribute
>>> 'applications' is really here. The user attributes are saved in table
>>> USER_ATTRIBUTES. Currently it's not possible to browse user attributes
>>> generically in admin console (unless you do custom theme) so browse DB
>>> seems to be the only possibility.
>>>
>>> 4) If (3) is ok, the issue is not in LDAP interaction, but in protocol
>>> mapper configuration. Make sure you use correct protocol mapper (In your
>>> case it should be "User attributes" mapper, not "User property" mapper).
>>> Also if your application is Java based, the value of 'applications' claim
>>> is saved in accessToken in 'otherClaims' map and can be retrieved with
>>> something like: accessToken.getOtherClaims().get("applications");
>>>
>>> Marek
>>>
>>>
>>>
>>> On 18.6.2015 17:50, Kevin Thorpe wrote:
>>>
>>>   Thanks to the team for 1.3.1. We were eagerly waiting for that to add
>>> LDAP attribute mappings which I see has now been done. Unfortunately I
>>> can't seem to get it to work.
>>>
>>>  I have added a user attribute mapper to my ldap federation. This maps
>>> the LDAP atribute 'applications' which exists on my LDAP user record to
>>> 'applications' in Keycloak.
>>>
>>>  I have also added a user attribute token mapper to my Keycloak client
>>> definition to map user attribute 'applications' to token claim
>>> 'applications'. I've also asked to add to both id and access token.
>>>
>>>  However this attribute is not present in either the ID or access token
>>> when testing. Is there something I've missed?
>>>
>>>  Something that may be an issue though is that I'm using a home written
>>> openid-connect Lua client based on your javascript one. This uses the
>>> endpoint /auth/realms/master/protocol/openid-connect/token. Is it that the
>>> openid-connect endpoint doesn't support these attributes yet?
>>>
>>>
>>> *Kevin Thorpe *
>>> CTO, PI ltd
>>>
>>>
>>>  _______________________________________________
>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/35e77f24/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/35e77f24/attachment-0002.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/35e77f24/attachment-0002.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/35e77f24/attachment-0003.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/35e77f24/attachment-0003.jpg 

From kevin.thorpe at p-i.net  Fri Jun 19 10:17:02 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 19 Jun 2015 15:17:02 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
	1.3.1
In-Reply-To: <CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
	<CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
	<55840FFF.7080208@redhat.com>
	<CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>
Message-ID: <CAFMa6BYJahZKN_yE6yGrsWQ2FOQ1qBf-1-CEb85c86A8xCit_w@mail.gmail.com>

Just to confirm, a new user works ok and correctly imports the custom
mapped attributes.

It doesn't seem to synchronise If I change the attributes though. This is
the same even through
logging back in again. Might be connected to my last message.


*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 19 June 2015 at 14:22, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:

> Ok, I think I understand. I tried 'sync all users' and got an error. Is
> this because applications is a multiple
> attribute? Obviously I will probably have access to more than one
> application. In the meantime I'll try a brand
> new user and see if that works.
>
> Log shows:
>
> 2015-06-19 14:19:26,361 INFO
>  [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
> task-2) Sync all users from LDAP to local store: realm: master, federation
> provider: PI  ordinary users
> 2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2)
> UT005023: Exception handling request to
> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
> java.lang.RuntimeException: request path:
> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
>         at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
>         at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>         at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>         at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>         at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>         at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>         at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>         at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> java.lang.ClassCastException: java.util.TreeSet cannot be cast to
> java.lang.String
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>         at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>         at
> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>         at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>         at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>         ... 29 more
> Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be cast
> to java.lang.String
>         at
> org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
>         at
> org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
>         at
> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
>         at
> org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
>         at
> org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:497)
>         at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>         ... 40 more
>
>
>
> *Kevin Thorpe*
> CTO
>
>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>
>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>
>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
> _____________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. If you are not the intended recipient
> you are notified that disclosing, copying, distributing or taking any
> action in reliance on the contents of this information is strictly
> prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
> On 19 June 2015 at 13:50, Marek Posolda <mposolda at redhat.com> wrote:
>
>>  Thanks for the info. Now I think I know what's going on.
>>
>> The issue is that currently when we import users from LDAP (federation in
>> general), we sync the configured attributes to the Keycloak DB. But during
>> searching, we don't sync the attributes from LDAP to Keycloak DB anymore.
>> So I guess you did the steps like this:
>> - You first authenticate as LDAP user "joe" (or search this user from
>> admin console), which imported this user into Keycloak DB
>> - Then you created mapper for the 'applications' attribute. But user
>> 'joe' was already imported into Keycloak DB from the previous step, right?
>>
>> I believe that when you import some other user from LDAP, which is not
>> yet exist in Keycloak DB, the 'applications' attribute will be there. For
>> the existing user, the only possibility right now is to use "Synchronize
>> all users" or "Synchronize changed users" on LDAP federation screen. This
>> will update existing users into Keycloak DB as well, so 'joe' will be
>> updated.
>>
>> Please let me know if it helps.  Looks that it's something we should
>> address better in Keycloak.
>>
>> Marek
>>
>>
>> On 19.6.2015 11:56, Kevin Thorpe wrote:
>>
>> I had a hunch so I added a record in USER_ATTRIBUTE for applications and
>> it is getting passed
>> in the JWT claims now. That squarely points at the ldap federation part.
>>
>>
>> *Kevin Thorpe *
>> CTO
>>
>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>
>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>
>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>
>> _____________________________
>>
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they are
>> addressed. If you have received this email in error please notify the
>> system manager. This message contains confidential information and is
>> intended only for the individual named. If you are not the named addressee
>> you should not disseminate, distribute or copy this e-mail. Please notify
>> the sender immediately by e-mail if you have received this e-mail by
>> mistake and delete this e-mail from your system. If you are not the
>> intended recipient you are notified that disclosing, copying, distributing
>> or taking any action in reliance on the contents of this information is
>> strictly prohibited.
>>
>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>
>> On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:
>>
>>> Hi Marek, thanks for the quick reply.
>>>
>>>  1. I am definitely sure that the attributes I need are in the LDAP
>>> record.
>>>
>>>  2. adding trace to federation.ldap shows my mapped attributes being
>>> read
>>>
>>>  3. there is no USER_ATTRIBUTES table I'm assuming you meant
>>> USER_ATTRIBUTE but it doesn't have my attributes.
>>>    it does have a reference to my LDAP_ID so i8t looks like it should be
>>> here
>>>
>>>  MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>>>
>>> +---------+-------------------------------------+--------------------------------------+
>>> | NAME    | VALUE                               | USER_ID
>>>                |
>>>
>>> +---------+-------------------------------------+--------------------------------------+
>>> | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
>>> 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
>>> | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
>>> 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>>>
>>> +---------+-------------------------------------+--------------------------------------+
>>>
>>>  thanks for your time on this
>>>
>>>
>>> *Kevin Thorpe *
>>> CTO
>>>
>>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>>
>>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>>
>>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>>
>>>
>>> _____________________________
>>>
>>> This email and any files transmitted with it are confidential and
>>> intended solely for the use of the individual or entity to whom they are
>>> addressed. If you have received this email in error please notify the
>>> system manager. This message contains confidential information and is
>>> intended only for the individual named. If you are not the named addressee
>>> you should not disseminate, distribute or copy this e-mail. Please notify
>>> the sender immediately by e-mail if you have received this e-mail by
>>> mistake and delete this e-mail from your system. If you are not the
>>> intended recipient you are notified that disclosing, copying, distributing
>>> or taking any action in reliance on the contents of this information is
>>> strictly prohibited.
>>>
>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>>
>>> On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>>>  There are few steps here and the result will work only if all steps
>>>> success. So it might help to try which step could be wrong here:
>>>>
>>>> 1) You can doublecheck if your user really has 'applications' attribute
>>>> in LDAP
>>>>
>>>> 2) If (1) is ok, you can enable TRACE logging for
>>>> "org.keycloak.federation.ldap" category in standalone.xml . With it, you
>>>> should see some trace messages with the names and values of all LDAP
>>>> attributes, which are loaded in user record. You should see the
>>>> 'applications' attribute loaded
>>>>
>>>> 3) If (2) is ok, you can browse keycloak database and check if
>>>> attribute 'applications' is really here. The user attributes are saved in
>>>> table USER_ATTRIBUTES. Currently it's not possible to browse user
>>>> attributes generically in admin console (unless you do custom theme) so
>>>> browse DB seems to be the only possibility.
>>>>
>>>> 4) If (3) is ok, the issue is not in LDAP interaction, but in protocol
>>>> mapper configuration. Make sure you use correct protocol mapper (In your
>>>> case it should be "User attributes" mapper, not "User property" mapper).
>>>> Also if your application is Java based, the value of 'applications' claim
>>>> is saved in accessToken in 'otherClaims' map and can be retrieved with
>>>> something like: accessToken.getOtherClaims().get("applications");
>>>>
>>>> Marek
>>>>
>>>>
>>>>
>>>> On 18.6.2015 17:50, Kevin Thorpe wrote:
>>>>
>>>>   Thanks to the team for 1.3.1. We were eagerly waiting for that to
>>>> add LDAP attribute mappings which I see has now been done. Unfortunately I
>>>> can't seem to get it to work.
>>>>
>>>>  I have added a user attribute mapper to my ldap federation. This maps
>>>> the LDAP atribute 'applications' which exists on my LDAP user record to
>>>> 'applications' in Keycloak.
>>>>
>>>>  I have also added a user attribute token mapper to my Keycloak client
>>>> definition to map user attribute 'applications' to token claim
>>>> 'applications'. I've also asked to add to both id and access token.
>>>>
>>>>  However this attribute is not present in either the ID or access
>>>> token when testing. Is there something I've missed?
>>>>
>>>>  Something that may be an issue though is that I'm using a home
>>>> written openid-connect Lua client based on your javascript one. This uses
>>>> the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that
>>>> the openid-connect endpoint doesn't support these attributes yet?
>>>>
>>>>
>>>> *Kevin Thorpe *
>>>> CTO, PI ltd
>>>>
>>>>
>>>>  _______________________________________________
>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/489c7f8e/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/489c7f8e/attachment-0002.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/489c7f8e/attachment-0002.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/489c7f8e/attachment-0003.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/489c7f8e/attachment-0003.jpe 

From mposolda at redhat.com  Fri Jun 19 10:22:17 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 19 Jun 2015 16:22:17 +0200
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
 1.3.1
In-Reply-To: <CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
	<CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
	<55840FFF.7080208@redhat.com>
	<CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>
Message-ID: <55842599.8000301@redhat.com>

Ouch, this is a bug:-(

Feel free to create JIRA.

The UserModel in Keycloak DB has each attribute modelled as one string 
value. But I think I can address it with the usage of some delimiter and 
then for access token has the protocol mapper, which will handle it.

So for example if your LDAP user has 3 values of attribute 
"applications" with values "finance", "sales", "development", the 
attribute on the Keycloak UserModel will have value like 
"finance###sales###development" (The sequence ### will be used as 
delimiter), but for the access token it will be divided again. So in 
your application, you will have possibility to have something like:

Set<String> applications = 
accessToken.getOtherClaims().getAttribute("applications");

which will return set with 3 values "finance", "sales", "development".

Marek

On 19.6.2015 15:22, Kevin Thorpe wrote:
> Ok, I think I understand. I tried 'sync all users' and got an error. 
> Is this because applications is a multiple
> attribute? Obviously I will probably have access to more than one 
> application. In the meantime I'll try a brand
> new user and see if that works.
>
> Log shows:
>
> 2015-06-19 14:19:26,361 INFO 
>  [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default 
> task-2) Sync all users from LDAP to local store: realm: master, 
> federation provider: PI  ordinary users
> 2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2) 
> UT005023: Exception handling request to 
> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync: 
> java.lang.RuntimeException: request path: 
> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
>         at 
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
>         at 
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>         at 
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>         at 
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at 
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at 
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at 
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at 
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at 
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>         at 
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>         at 
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at 
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>         at 
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>         at 
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException: 
> java.lang.ClassCastException: java.util.TreeSet cannot be cast to 
> java.lang.String
>         at 
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>         at 
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>         at 
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at 
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>         at 
> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>         at 
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>         at 
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>         ... 29 more
> Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be 
> cast to java.lang.String
>         at 
> org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
>         at 
> org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
>         at 
> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
>         at 
> org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
>         at 
> org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:497)
>         at 
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>         ... 40 more
>
>
> *Kevin Thorpe
> *
> CTO
>
> <https://www.p-i.net/> <https://twitter.com/@PI_150>
>
> www.p-i.net <http://www.p-i.net/> | @PI_150 <https://twitter.com/@PI_150>
>
> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>
> **
> _____________________________
>
> This email and any files transmitted with it are confidential and 
> intended solely for the use of the individual or entity to whom they 
> are addressed. If you have received this email in error please notify 
> the system manager. This message contains confidential information and 
> is intended only for the individual named. If you are not the named 
> addressee you should not disseminate, distribute or copy this e-mail. 
> Please notify the sender immediately by e-mail if you have received 
> this e-mail by mistake and delete this e-mail from your system. If you 
> are not the intended recipient you are notified that disclosing, 
> copying, distributing or taking any action in reliance on the contents 
> of this information is strictly prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
>
> On 19 June 2015 at 13:50, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     Thanks for the info. Now I think I know what's going on.
>
>     The issue is that currently when we import users from LDAP
>     (federation in general), we sync the configured attributes to the
>     Keycloak DB. But during searching, we don't sync the attributes
>     from LDAP to Keycloak DB anymore. So I guess you did the steps
>     like this:
>     - You first authenticate as LDAP user "joe" (or search this user
>     from admin console), which imported this user into Keycloak DB
>     - Then you created mapper for the 'applications' attribute. But
>     user 'joe' was already imported into Keycloak DB from the previous
>     step, right?
>
>     I believe that when you import some other user from LDAP, which is
>     not yet exist in Keycloak DB, the 'applications' attribute will be
>     there. For the existing user, the only possibility right now is to
>     use "Synchronize all users" or "Synchronize changed users" on LDAP
>     federation screen. This will update existing users into Keycloak
>     DB as well, so 'joe' will be updated.
>
>     Please let me know if it helps.  Looks that it's something we
>     should address better in Keycloak.
>
>     Marek
>
>
>     On 19.6.2015 11:56, Kevin Thorpe wrote:
>>     I had a hunch so I added a record in USER_ATTRIBUTE for
>>     applications and it is getting passed
>>     in the JWT claims now. That squarely points at the ldap
>>     federation part.
>>
>>     *Kevin Thorpe
>>     *
>>     CTO
>>
>>     <https://www.p-i.net/> <https://twitter.com/@PI_150>
>>
>>     www.p-i.net <http://www.p-i.net/> | @PI_150
>>     <https://twitter.com/@PI_150>
>>
>>     M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207
>>     730 2635
>>     150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>     **
>>     _____________________________
>>
>>     This email and any files transmitted with it are confidential and
>>     intended solely for the use of the individual or entity to whom
>>     they are addressed. If you have received this email in error
>>     please notify the system manager. This message contains
>>     confidential information and is intended only for the individual
>>     named. If you are not the named addressee you should not
>>     disseminate, distribute or copy this e-mail. Please notify the
>>     sender immediately by e-mail if you have received this e-mail by
>>     mistake and delete this e-mail from your system. If you are not
>>     the intended recipient you are notified that disclosing, copying,
>>     distributing or taking any action in reliance on the contents of
>>     this information is strictly prohibited.
>>
>>     *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>
>>
>>     On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net
>>     <mailto:kevin.thorpe at p-i.net>> wrote:
>>
>>         Hi Marek, thanks for the quick reply.
>>
>>         1. I am definitely sure that the attributes I need are in the
>>         LDAP record.
>>
>>         2. adding trace to federation.ldap shows my mapped attributes
>>         being read
>>
>>         3. there is no USER_ATTRIBUTES table I'm assuming you meant
>>         USER_ATTRIBUTE but it doesn't have my attributes.
>>            it does have a reference to my LDAP_ID so i8t looks like
>>         it should be here
>>
>>         MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>>         +---------+-------------------------------------+--------------------------------------+
>>         | NAME    | VALUE         | USER_ID          |
>>         +---------+-------------------------------------+--------------------------------------+
>>         | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
>>         471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
>>         | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
>>         6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>>         +---------+-------------------------------------+--------------------------------------+
>>
>>         thanks for your time on this
>>
>>         *Kevin Thorpe
>>         *
>>         CTO
>>
>>         <https://www.p-i.net/> <https://twitter.com/@PI_150>
>>
>>         www.p-i.net <http://www.p-i.net/> | @PI_150
>>         <https://twitter.com/@PI_150>
>>
>>         M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F:
>>         +44(0)207 730 2635
>>         150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>         **
>>         _____________________________
>>
>>         This email and any files transmitted with it are confidential
>>         and intended solely for the use of the individual or entity
>>         to whom they are addressed. If you have received this email
>>         in error please notify the system manager. This message
>>         contains confidential information and is intended only for
>>         the individual named. If you are not the named addressee you
>>         should not disseminate, distribute or copy this e-mail.
>>         Please notify the sender immediately by e-mail if you have
>>         received this e-mail by mistake and delete this e-mail from
>>         your system. If you are not the intended recipient you are
>>         notified that disclosing, copying, distributing or taking any
>>         action in reliance on the contents of this information is
>>         strictly prohibited.
>>
>>         *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>
>>
>>         On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com
>>         <mailto:mposolda at redhat.com>> wrote:
>>
>>             There are few steps here and the result will work only if
>>             all steps success. So it might help to try which step
>>             could be wrong here:
>>
>>             1) You can doublecheck if your user really has
>>             'applications' attribute in LDAP
>>
>>             2) If (1) is ok, you can enable TRACE logging for
>>             "org.keycloak.federation.ldap" category in standalone.xml
>>             . With it, you should see some trace messages with the
>>             names and values of all LDAP attributes, which are loaded
>>             in user record. You should see the 'applications'
>>             attribute loaded
>>
>>             3) If (2) is ok, you can browse keycloak database and
>>             check if attribute 'applications' is really here. The
>>             user attributes are saved in table USER_ATTRIBUTES.
>>             Currently it's not possible to browse user attributes
>>             generically in admin console (unless you do custom theme)
>>             so browse DB seems to be the only possibility.
>>
>>             4) If (3) is ok, the issue is not in LDAP interaction,
>>             but in protocol mapper configuration. Make sure you use
>>             correct protocol mapper (In your case it should be "User
>>             attributes" mapper, not "User property" mapper). Also if
>>             your application is Java based, the value of
>>             'applications' claim is saved in accessToken in
>>             'otherClaims' map and can be retrieved with something
>>             like: accessToken.getOtherClaims().get("applications");
>>
>>             Marek
>>
>>
>>
>>             On 18.6.2015 17:50, Kevin Thorpe wrote:
>>>             Thanks to the team for 1.3.1. We were eagerly waiting
>>>             for that to add LDAP attribute mappings which I see has
>>>             now been done. Unfortunately I can't seem to get it to work.
>>>
>>>             I have added a user attribute mapper to my ldap
>>>             federation. This maps the LDAP atribute 'applications'
>>>             which exists on my LDAP user record to 'applications' in
>>>             Keycloak.
>>>
>>>             I have also added a user attribute token mapper to my
>>>             Keycloak client definition to map user attribute
>>>             'applications' to token claim 'applications'. I've also
>>>             asked to add to both id and access token.
>>>
>>>             However this attribute is not present in either the ID
>>>             or access token when testing. Is there something I've
>>>             missed?
>>>
>>>             Something that may be an issue though is that I'm using
>>>             a home written openid-connect Lua client based on your
>>>             javascript one. This uses the endpoint
>>>             /auth/realms/master/protocol/openid-connect/token. Is it
>>>             that the openid-connect endpoint doesn't support these
>>>             attributes yet?
>>>
>>>             *Kevin Thorpe
>>>             *
>>>             CTO, PI ltd
>>>
>>>
>>>             _______________________________________________
>>>             keycloak-user mailing list
>>>             keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>>             https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/e7061280/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/e7061280/attachment-0004.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/e7061280/attachment-0005.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/e7061280/attachment-0006.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/e7061280/attachment-0007.jpe 

From kevin.thorpe at p-i.net  Fri Jun 19 11:45:08 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Fri, 19 Jun 2015 16:45:08 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
	1.3.1
In-Reply-To: <55842599.8000301@redhat.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
	<CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
	<55840FFF.7080208@redhat.com>
	<CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>
	<55842599.8000301@redhat.com>
Message-ID: <CAFMa6BYF1ZY99_0jedDPK2J=45qioZXERJ918SK1QJc1Ofrvng@mail.gmail.com>

I agree with you on the delimiter option. That wouldn't require any
database changes. For the small
attribute applications I could wrap into a delimited string but we have
some others for fine grained
permissions/roles that can be dozens of already delimited strings. Roles in
particular are:
    application|role|path/that/role/represents
I know it's very common to have multi-attributes in LDAP anyway so this
will affect others.

JIRA: https://issues.jboss.org/browse/KEYCLOAK-1487



*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 19 June 2015 at 15:22, Marek Posolda <mposolda at redhat.com> wrote:

>  Ouch, this is a bug :-(
>
> Feel free to create JIRA.
>
> The UserModel in Keycloak DB has each attribute modelled as one string
> value. But I think I can address it with the usage of some delimiter and
> then for access token has the protocol mapper, which will handle it.
>
> So for example if your LDAP user has 3 values of attribute "applications"
> with values "finance", "sales", "development", the attribute on the
> Keycloak UserModel will have value like "finance###sales###development"
> (The sequence ### will be used as delimiter), but for the access token it
> will be divided again. So in your application, you will have possibility to
> have something like:
>
> Set<String> applications =
> accessToken.getOtherClaims().getAttribute("applications");
>
> which will return set with 3 values "finance", "sales", "development".
>
> Marek
>
>
> On 19.6.2015 15:22, Kevin Thorpe wrote:
>
> Ok, I think I understand. I tried 'sync all users' and got an error. Is
> this because applications is a multiple
> attribute? Obviously I will probably have access to more than one
> application. In the meantime I'll try a brand
> new user and see if that works.
>
>  Log shows:
>
>  2015-06-19 14:19:26,361 INFO
>  [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
> task-2) Sync all users from LDAP to local store: realm: master, federation
> provider: PI  ordinary users
> 2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2)
> UT005023: Exception handling request to
> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
> java.lang.RuntimeException: request path:
> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
>         at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
>         at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>         at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>         at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>         at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>         at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>         at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>         at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>         at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> java.lang.ClassCastException: java.util.TreeSet cannot be cast to
> java.lang.String
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>         at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>         at
> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>         at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>         at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>         ... 29 more
> Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be cast
> to java.lang.String
>         at
> org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
>         at
> org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
>         at
> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
>         at
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
>         at
> org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
>         at
> org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:497)
>         at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>         ... 40 more
>
>
>
> *Kevin Thorpe *
> CTO
>
>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>
>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>
>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
> _____________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. If you are not the intended recipient
> you are notified that disclosing, copying, distributing or taking any
> action in reliance on the contents of this information is strictly
> prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
> On 19 June 2015 at 13:50, Marek Posolda <mposolda at redhat.com> wrote:
>
>>  Thanks for the info. Now I think I know what's going on.
>>
>> The issue is that currently when we import users from LDAP (federation in
>> general), we sync the configured attributes to the Keycloak DB. But during
>> searching, we don't sync the attributes from LDAP to Keycloak DB anymore.
>> So I guess you did the steps like this:
>> - You first authenticate as LDAP user "joe" (or search this user from
>> admin console), which imported this user into Keycloak DB
>> - Then you created mapper for the 'applications' attribute. But user
>> 'joe' was already imported into Keycloak DB from the previous step, right?
>>
>> I believe that when you import some other user from LDAP, which is not
>> yet exist in Keycloak DB, the 'applications' attribute will be there. For
>> the existing user, the only possibility right now is to use "Synchronize
>> all users" or "Synchronize changed users" on LDAP federation screen. This
>> will update existing users into Keycloak DB as well, so 'joe' will be
>> updated.
>>
>> Please let me know if it helps.  Looks that it's something we should
>> address better in Keycloak.
>>
>> Marek
>>
>>
>> On 19.6.2015 11:56, Kevin Thorpe wrote:
>>
>> I had a hunch so I added a record in USER_ATTRIBUTE for applications and
>> it is getting passed
>> in the JWT claims now. That squarely points at the ldap federation part.
>>
>>
>> *Kevin Thorpe *
>> CTO
>>
>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>
>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>
>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>
>> _____________________________
>>
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they are
>> addressed. If you have received this email in error please notify the
>> system manager. This message contains confidential information and is
>> intended only for the individual named. If you are not the named addressee
>> you should not disseminate, distribute or copy this e-mail. Please notify
>> the sender immediately by e-mail if you have received this e-mail by
>> mistake and delete this e-mail from your system. If you are not the
>> intended recipient you are notified that disclosing, copying, distributing
>> or taking any action in reliance on the contents of this information is
>> strictly prohibited.
>>
>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>
>> On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:
>>
>>> Hi Marek, thanks for the quick reply.
>>>
>>>  1. I am definitely sure that the attributes I need are in the LDAP
>>> record.
>>>
>>>  2. adding trace to federation.ldap shows my mapped attributes being
>>> read
>>>
>>>  3. there is no USER_ATTRIBUTES table I'm assuming you meant
>>> USER_ATTRIBUTE but it doesn't have my attributes.
>>>    it does have a reference to my LDAP_ID so i8t looks like it should be
>>> here
>>>
>>>  MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>>>
>>> +---------+-------------------------------------+--------------------------------------+
>>> | NAME    | VALUE                               | USER_ID
>>>                |
>>>
>>> +---------+-------------------------------------+--------------------------------------+
>>> | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
>>> 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
>>> | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
>>> 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>>>
>>> +---------+-------------------------------------+--------------------------------------+
>>>
>>>  thanks for your time on this
>>>
>>>
>>> *Kevin Thorpe *
>>> CTO
>>>
>>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>>
>>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>>
>>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>>
>>>
>>> _____________________________
>>>
>>> This email and any files transmitted with it are confidential and
>>> intended solely for the use of the individual or entity to whom they are
>>> addressed. If you have received this email in error please notify the
>>> system manager. This message contains confidential information and is
>>> intended only for the individual named. If you are not the named addressee
>>> you should not disseminate, distribute or copy this e-mail. Please notify
>>> the sender immediately by e-mail if you have received this e-mail by
>>> mistake and delete this e-mail from your system. If you are not the
>>> intended recipient you are notified that disclosing, copying, distributing
>>> or taking any action in reliance on the contents of this information is
>>> strictly prohibited.
>>>
>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>>
>>> On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>>>  There are few steps here and the result will work only if all steps
>>>> success. So it might help to try which step could be wrong here:
>>>>
>>>> 1) You can doublecheck if your user really has 'applications' attribute
>>>> in LDAP
>>>>
>>>> 2) If (1) is ok, you can enable TRACE logging for
>>>> "org.keycloak.federation.ldap" category in standalone.xml . With it, you
>>>> should see some trace messages with the names and values of all LDAP
>>>> attributes, which are loaded in user record. You should see the
>>>> 'applications' attribute loaded
>>>>
>>>> 3) If (2) is ok, you can browse keycloak database and check if
>>>> attribute 'applications' is really here. The user attributes are saved in
>>>> table USER_ATTRIBUTES. Currently it's not possible to browse user
>>>> attributes generically in admin console (unless you do custom theme) so
>>>> browse DB seems to be the only possibility.
>>>>
>>>> 4) If (3) is ok, the issue is not in LDAP interaction, but in protocol
>>>> mapper configuration. Make sure you use correct protocol mapper (In your
>>>> case it should be "User attributes" mapper, not "User property" mapper).
>>>> Also if your application is Java based, the value of 'applications' claim
>>>> is saved in accessToken in 'otherClaims' map and can be retrieved with
>>>> something like: accessToken.getOtherClaims().get("applications");
>>>>
>>>> Marek
>>>>
>>>>
>>>>
>>>> On 18.6.2015 17:50, Kevin Thorpe wrote:
>>>>
>>>>   Thanks to the team for 1.3.1. We were eagerly waiting for that to
>>>> add LDAP attribute mappings which I see has now been done. Unfortunately I
>>>> can't seem to get it to work.
>>>>
>>>>  I have added a user attribute mapper to my ldap federation. This maps
>>>> the LDAP atribute 'applications' which exists on my LDAP user record to
>>>> 'applications' in Keycloak.
>>>>
>>>>  I have also added a user attribute token mapper to my Keycloak client
>>>> definition to map user attribute 'applications' to token claim
>>>> 'applications'. I've also asked to add to both id and access token.
>>>>
>>>>  However this attribute is not present in either the ID or access
>>>> token when testing. Is there something I've missed?
>>>>
>>>>  Something that may be an issue though is that I'm using a home
>>>> written openid-connect Lua client based on your javascript one. This uses
>>>> the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that
>>>> the openid-connect endpoint doesn't support these attributes yet?
>>>>
>>>>
>>>> *Kevin Thorpe *
>>>> CTO, PI ltd
>>>>
>>>>
>>>>  _______________________________________________
>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/96b40ace/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/96b40ace/attachment-0004.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/96b40ace/attachment-0002.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/96b40ace/attachment-0005.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/96b40ace/attachment-0006.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/96b40ace/attachment-0007.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/96b40ace/attachment-0003.jpg 

From juandiego83 at gmail.com  Fri Jun 19 14:31:58 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 19 Jun 2015 13:31:58 -0500
Subject: [keycloak-user] passing tokens to a servlet with cors
Message-ID: <CAJGEj6c-H-rUg_8YwyUGoxb_-piwcrDhvWA3EjqtVJAuCkmrRg@mail.gmail.com>

Hi

I have an upload servlet https://gist.github.com/jdc18/c6c8689e269e655581cb,
I tested before without keycloak and it worked.  But when I activate
keycloak I get " No 'Access-Control-Allow-Origin' header is present on the
requested resource.", my rest services do work with CORS.  I have my page
with angular and my backend with java.

My backend is similar to the database service example.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/bb7f6323/attachment.html 

From juandiego83 at gmail.com  Fri Jun 19 14:32:20 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 19 Jun 2015 13:32:20 -0500
Subject: [keycloak-user] Securing backend rest methods
In-Reply-To: <1657212935.22258867.1434700184588.JavaMail.zimbra@redhat.com>
References: <CAJGEj6drnSA--=PD8wo9kD2ifcGuk3VNkyvvKRXidG8TPsvu6Q@mail.gmail.com>
	<1657212935.22258867.1434700184588.JavaMail.zimbra@redhat.com>
Message-ID: <CAJGEj6ch6wDz64TnxE1U3CiCDX86k0e5b3=vwG+1cZJqKcz-iw@mail.gmail.com>

How can I secure a method for a role, if a rest service has multiple
methods.

On Fri, Jun 19, 2015 at 2:49 AM, Stian Thorgersen <stian at redhat.com> wrote:

> Keycloak is based on roles and we don't have support for groups. By using
> composite roles you can model groups as a role though.
>
> ----- Original Message -----
> > From: "Juan Diego" <juandiego83 at gmail.com>
> > To: "keycloak-user" <keycloak-user at lists.jboss.org>
> > Sent: Thursday, 18 June, 2015 8:35:08 PM
> > Subject: [keycloak-user] Securing backend rest methods
> >
> > Hi,
> >
> > I was looking in the examples but I cannot find the right one. Is there
> an
> > example that shows how to secure just a method of a rest for a certain
> > group, allow all groups to the rest method. Like in picketlinks you could
> > create your own @Admin @Mygroup annotation and add it to a function.
> >
> > Thanks,
> >
> > Juan diego
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/8f023e68/attachment.html 

From scott at xigole.com  Fri Jun 19 15:19:28 2015
From: scott at xigole.com (Scott Dunbar)
Date: Fri, 19 Jun 2015 13:19:28 -0600
Subject: [keycloak-user] Securing backend rest methods
In-Reply-To: <CAJGEj6ch6wDz64TnxE1U3CiCDX86k0e5b3=vwG+1cZJqKcz-iw@mail.gmail.com>
References: <CAJGEj6drnSA--=PD8wo9kD2ifcGuk3VNkyvvKRXidG8TPsvu6Q@mail.gmail.com>	<1657212935.22258867.1434700184588.JavaMail.zimbra@redhat.com>
	<CAJGEj6ch6wDz64TnxE1U3CiCDX86k0e5b3=vwG+1cZJqKcz-iw@mail.gmail.com>
Message-ID: <55846B40.1090701@xigole.com>

Juan,
I'm not sure that your environment is like mine but I have something like:


@Path("/user")
@Stateless
public class UserService {

...

     @Path("/getUserInformation")
     @Produces({ MediaType.APPLICATION_JSON })
     @GET
     @HttpConstraint(rolesAllowed = {"companyAdmin"})
     public Response getUserInformation(@Context HttpServletRequest 
request) {
     }
}

This means that someone had to have already logged in elsewhere and be 
in the companyAdmin role before they will have the ability to call the 
getUserInformation method.  If they are not logged in or are not in that 
roll they will get a forbidden message.  Any methods that do not have 
the HttpConstraint annotation are not protected.

Is this what you're looking for?




On 06/19/2015 12:32 PM, Juan Diego wrote:
> How can I secure a method for a role, if a rest service has multiple 
> methods.
>
> On Fri, Jun 19, 2015 at 2:49 AM, Stian Thorgersen <stian at redhat.com 
> <mailto:stian at redhat.com>> wrote:
>
>     Keycloak is based on roles and we don't have support for groups.
>     By using composite roles you can model groups as a role though.
>
>     ----- Original Message -----
>     > From: "Juan Diego" <juandiego83 at gmail.com
>     <mailto:juandiego83 at gmail.com>>
>     > To: "keycloak-user" <keycloak-user at lists.jboss.org
>     <mailto:keycloak-user at lists.jboss.org>>
>     > Sent: Thursday, 18 June, 2015 8:35:08 PM
>     > Subject: [keycloak-user] Securing backend rest methods
>     >
>     > Hi,
>     >
>     > I was looking in the examples but I cannot find the right one.
>     Is there an
>     > example that shows how to secure just a method of a rest for a
>     certain
>     > group, allow all groups to the rest method. Like in picketlinks
>     you could
>     > create your own @Admin @Mygroup annotation and add it to a function.
>     >
>     > Thanks,
>     >
>     > Juan diego
>     >
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Scott Dunbar
Xigole Systems, Inc.
Enterprise consulting, development, and hosting
303?667?6343
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/c13e7914/attachment.html 

From juandiego83 at gmail.com  Fri Jun 19 15:35:42 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 19 Jun 2015 14:35:42 -0500
Subject: [keycloak-user] Securing backend rest methods
In-Reply-To: <55846B40.1090701@xigole.com>
References: <CAJGEj6drnSA--=PD8wo9kD2ifcGuk3VNkyvvKRXidG8TPsvu6Q@mail.gmail.com>
	<1657212935.22258867.1434700184588.JavaMail.zimbra@redhat.com>
	<CAJGEj6ch6wDz64TnxE1U3CiCDX86k0e5b3=vwG+1cZJqKcz-iw@mail.gmail.com>
	<55846B40.1090701@xigole.com>
Message-ID: <CAJGEj6cLW594Zy=9Wj=XRrkr7L5QEagjTS_Nico9551-=JBZYw@mail.gmail.com>

Yeah thanks that is exactly what I was looking for.

On Fri, Jun 19, 2015 at 2:19 PM, Scott Dunbar <scott at xigole.com> wrote:

>  Juan,
> I'm not sure that your environment is like mine but I have something like:
>
>
> @Path("/user")
> @Stateless
> public class UserService {
>
> ...
>
>     @Path("/getUserInformation")
>     @Produces({ MediaType.APPLICATION_JSON })
>     @GET
>     @HttpConstraint(rolesAllowed = {"companyAdmin"})
>     public Response getUserInformation(@Context HttpServletRequest
> request) {
>     }
> }
>
> This means that someone had to have already logged in elsewhere and be in
> the companyAdmin role before they will have the ability to call the
> getUserInformation method.  If they are not logged in or are not in that
> roll they will get a forbidden message.  Any methods that do not have the
> HttpConstraint annotation are not protected.
>
> Is this what you're looking for?
>
>
>
>
>
> On 06/19/2015 12:32 PM, Juan Diego wrote:
>
> How can I secure a method for a role, if a rest service has multiple
> methods.
>
> On Fri, Jun 19, 2015 at 2:49 AM, Stian Thorgersen <stian at redhat.com>
> wrote:
>
>> Keycloak is based on roles and we don't have support for groups. By using
>> composite roles you can model groups as a role though.
>>
>> ----- Original Message -----
>> > From: "Juan Diego" <juandiego83 at gmail.com>
>> > To: "keycloak-user" <keycloak-user at lists.jboss.org>
>> > Sent: Thursday, 18 June, 2015 8:35:08 PM
>> > Subject: [keycloak-user] Securing backend rest methods
>> >
>> > Hi,
>> >
>> > I was looking in the examples but I cannot find the right one. Is there
>> an
>> > example that shows how to secure just a method of a rest for a certain
>> > group, allow all groups to the rest method. Like in picketlinks you
>> could
>> > create your own @Admin @Mygroup annotation and add it to a function.
>> >
>> > Thanks,
>> >
>> > Juan diego
>> >
>>  > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
> Scott Dunbar
> Xigole Systems, Inc.
> Enterprise consulting, development, and hosting
> 303?667?6343
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150619/f8e4d15a/attachment.html 

From peterson.dean at gmail.com  Sat Jun 20 22:04:31 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Sat, 20 Jun 2015 21:04:31 -0500
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
	1.2.0.Final
In-Reply-To: <5583DEA3.5050304@redhat.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>
	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>
	<170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>
	<CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>
	<CAFGzvPmkz7-k-+oZ+nxjb0XqSKi0shvN4FuTCw8fN13n4bZG_A@mail.gmail.com>
	<230363077.19971361.1434521202436.JavaMail.zimbra@redhat.com>
	<CAFGzvPnAV-WgKy+nf78Cs3XJnfK+1eBD0KLz+DEga-hiTp2iXQ@mail.gmail.com>
	<5583DEA3.5050304@redhat.com>
Message-ID: <CAFGzvPkJZjqxL2aoGQrbX8wNkRF6GFKoowbSL-fcAfh-kqDp_g@mail.gmail.com>

I am using mongodb version 3.0.2

On Fri, Jun 19, 2015 at 4:19 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  Which version of MongoDB are you using?
>
> Marek
>
>
> On 19.6.2015 03:26, Dean Peterson wrote:
>
> Neither returned any indexes
>
> On Wed, Jun 17, 2015 at 1:06 AM, Stian Thorgersen <stian at redhat.com>
> wrote:
>
>> Could you run listIndexes[1] on the applications and clients collections?
>>
>> [1]
>> http://docs.mongodb.org/manual/tutorial/list-indexes/#list-all-indexes-on-a-collection
>>
>> ----- Original Message -----
>> > From: "Dean Peterson" <peterson.dean at gmail.com>
>>  > To: "Stian Thorgersen" <stian at redhat.com>
>> > Cc: keycloak-user at lists.jboss.org
>> > Sent: Wednesday, 17 June, 2015 7:32:24 AM
>> > Subject: Re: [keycloak-user] Tried to update database from 1.2.0.Beta1
>> to 1.2.0.Final
>> >
>> > Any suggestions?
>> >
>> > On Mon, Jun 15, 2015 at 6:54 AM, Dean Peterson <peterson.dean at gmail.com
>> >
>> > wrote:
>> >
>> > > I put the version in the subject: 1.2.0.Beta1
>> > > On Jun 15, 2015 12:28 AM, "Stian Thorgersen" <stian at redhat.com>
>> wrote:
>> > >
>> > >> What version are you upgrading from?
>> > >>
>> > >> ----- Original Message -----
>> > >> > From: "Dean Peterson" <peterson.dean at gmail.com>
>> > >> > To: keycloak-user at lists.jboss.org
>> > >> > Sent: Monday, 15 June, 2015 5:50:12 AM
>> > >> > Subject: Re: [keycloak-user] Tried to update database from
>> 1.2.0.Beta1
>> > >> to     1.2.0.Final
>> > >> >
>> > >> > The end of the error message is strange since I am trying to
>> update to
>> > >> > 1.2.0.Final. It refers to a candidate release:
>> > >>
>> > >> When updating the db it goes through a list of updates, so if you
>> haven't
>> > >> upgraded to 1.2.0.cr1 in the past that update is on the list as well.
>> > >>
>> > >> >
>> > >> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" :
>> "kcdb/
>> > >> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>> > >> "index
>> > >> > not found with name [realmId_1_name_1]"}
>> > >> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
>> > >> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>> > >> > at com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>> > >> > at com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>> > >> > at
>> > >> >
>> > >>
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>> > >> > at
>> > >> >
>> > >>
>> org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>> > >> > at
>> > >> >
>> > >>
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
>> > >> >
>> > >> >
>> > >> > On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <
>> > >> peterson.dean at gmail.com >
>> > >> > wrote:
>> > >> >
>> > >> >
>> > >> >
>> > >> > I receive this error:
>> > >> >
>> > >> > Caused by: java.lang.RuntimeException: Failed to update database
>> > >> > at
>> > >> >
>> > >>
>> org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
>> > >> > at
>> > >> >
>> > >>
>> org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
>> > >> > ... 35 more
>> > >> > Caused by: com.mongodb.CommandFailureException: { "serverUsed" :
>> "kcdb/
>> > >> > 172.17.5.191:27017 " , "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>> > >> "index
>> > >> > not found with name [realmId_1_name_1]"}
>> > >> > at com.mongodb.CommandResult.getException(CommandResult.java:71)
>> > >> > at com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>> > >> >
>> > >> >
>> > >> >
>> > >> > _______________________________________________
>> > >> > keycloak-user mailing list
>> > >> > keycloak-user at lists.jboss.org
>> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >>
>> > >
>> >
>>
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150620/ace3d907/attachment-0001.html 

From mposolda at redhat.com  Mon Jun 22 09:25:07 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 22 Jun 2015 15:25:07 +0200
Subject: [keycloak-user] Tried to update database from 1.2.0.Beta1 to
 1.2.0.Final
In-Reply-To: <CAFGzvPkJZjqxL2aoGQrbX8wNkRF6GFKoowbSL-fcAfh-kqDp_g@mail.gmail.com>
References: <CAFGzvPmGa5Tp6Nmm-C3_qGJVNfUydBVHC9dgfJcBW_GOM37Vqg@mail.gmail.com>	<CAFGzvPkLpgzTE2V=WfLiNC6FuP1NfPsbjV6o-EqT3Dn5G5dX7w@mail.gmail.com>	<170215390.17456248.1434346131578.JavaMail.zimbra@redhat.com>	<CAFGzvPmf5aK6Jv3B=x8nak+wUKeqtQ6XaCS4UhDqdzOZb3vNXA@mail.gmail.com>	<CAFGzvPmkz7-k-+oZ+nxjb0XqSKi0shvN4FuTCw8fN13n4bZG_A@mail.gmail.com>	<230363077.19971361.1434521202436.JavaMail.zimbra@redhat.com>	<CAFGzvPnAV-WgKy+nf78Cs3XJnfK+1eBD0KLz+DEga-hiTp2iXQ@mail.gmail.com>	<5583DEA3.5050304@redhat.com>
	<CAFGzvPkJZjqxL2aoGQrbX8wNkRF6GFKoowbSL-fcAfh-kqDp_g@mail.gmail.com>
Message-ID: <55880CB3.4000701@redhat.com>

Thanks for the info. I will doublecheck it once I have time. So far, 
I've tested just on Mongo 2.X.

Marek

Dne 21.6.2015 v 04:04 Dean Peterson napsal(a):
> I am using mongodb version 3.0.2
>
> On Fri, Jun 19, 2015 at 4:19 AM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     Which version of MongoDB are you using?
>
>     Marek
>
>
>     On 19.6.2015 03:26, Dean Peterson wrote:
>>     Neither returned any indexes
>>
>>     On Wed, Jun 17, 2015 at 1:06 AM, Stian Thorgersen
>>     <stian at redhat.com <mailto:stian at redhat.com>> wrote:
>>
>>         Could you run listIndexes[1] on the applications and clients
>>         collections?
>>
>>         [1]
>>         http://docs.mongodb.org/manual/tutorial/list-indexes/#list-all-indexes-on-a-collection
>>
>>         ----- Original Message -----
>>         > From: "Dean Peterson" <peterson.dean at gmail.com
>>         <mailto:peterson.dean at gmail.com>>
>>         > To: "Stian Thorgersen" <stian at redhat.com
>>         <mailto:stian at redhat.com>>
>>         > Cc: keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         > Sent: Wednesday, 17 June, 2015 7:32:24 AM
>>         > Subject: Re: [keycloak-user] Tried to update database from
>>         1.2.0.Beta1 to 1.2.0.Final
>>         >
>>         > Any suggestions?
>>         >
>>         > On Mon, Jun 15, 2015 at 6:54 AM, Dean Peterson
>>         <peterson.dean at gmail.com <mailto:peterson.dean at gmail.com>>
>>         > wrote:
>>         >
>>         > > I put the version in the subject: 1.2.0.Beta1
>>         > > On Jun 15, 2015 12:28 AM, "Stian Thorgersen"
>>         <stian at redhat.com <mailto:stian at redhat.com>> wrote:
>>         > >
>>         > >> What version are you upgrading from?
>>         > >>
>>         > >> ----- Original Message -----
>>         > >> > From: "Dean Peterson" <peterson.dean at gmail.com
>>         <mailto:peterson.dean at gmail.com>>
>>         > >> > To: keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         > >> > Sent: Monday, 15 June, 2015 5:50:12 AM
>>         > >> > Subject: Re: [keycloak-user] Tried to update database
>>         from 1.2.0.Beta1
>>         > >> to     1.2.0.Final
>>         > >> >
>>         > >> > The end of the error message is strange since I am
>>         trying to update to
>>         > >> > 1.2.0.Final. It refers to a candidate release:
>>         > >>
>>         > >> When updating the db it goes through a list of updates,
>>         so if you haven't
>>         > >> upgraded to 1.2.0.cr1 in the past that update is on the
>>         list as well.
>>         > >>
>>         > >> >
>>         > >> > Caused by: com.mongodb.CommandFailureException: {
>>         "serverUsed" : "kcdb/
>>         > >> > 172.17.5.191:27017 <http://172.17.5.191:27017> " ,
>>         "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>>         > >> "index
>>         > >> > not found with name [realmId_1_name_1]"}
>>         > >> > at
>>         com.mongodb.CommandResult.getException(CommandResult.java:71)
>>         > >> > at
>>         com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>>         > >> > at
>>         com.mongodb.DBCollection.dropIndexes(DBCollection.java:847)
>>         > >> > at
>>         com.mongodb.DBCollection.dropIndex(DBCollection.java:1349)
>>         > >> > at
>>         > >> >
>>         > >>
>>         org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.convertApplicationsToClients(Update1_2_0_CR1.java:33)
>>         > >> > at
>>         > >> >
>>         > >>
>>         org.keycloak.connections.mongo.updater.impl.updates.Update1_2_0_CR1.update(Update1_2_0_CR1.java:23)
>>         > >> > at
>>         > >> >
>>         > >>
>>         org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:82)
>>         > >> >
>>         > >> >
>>         > >> > On Sun, Jun 14, 2015 at 10:43 PM, Dean Peterson <
>>         > >> peterson.dean at gmail.com <mailto:peterson.dean at gmail.com> >
>>         > >> > wrote:
>>         > >> >
>>         > >> >
>>         > >> >
>>         > >> > I receive this error:
>>         > >> >
>>         > >> > Caused by: java.lang.RuntimeException: Failed to
>>         update database
>>         > >> > at
>>         > >> >
>>         > >>
>>         org.keycloak.connections.mongo.updater.impl.DefaultMongoUpdaterProvider.update(DefaultMongoUpdaterProvider.java:93)
>>         > >> > at
>>         > >> >
>>         > >>
>>         org.keycloak.connections.mongo.DefaultMongoConnectionFactoryProvider.lazyInit(DefaultMongoConnectionFactoryProvider.java:95)
>>         > >> > ... 35 more
>>         > >> > Caused by: com.mongodb.CommandFailureException: {
>>         "serverUsed" : "kcdb/
>>         > >> > 172.17.5.191:27017 <http://172.17.5.191:27017> " ,
>>         "nIndexesWas" : 1 , "ok" : 0.0 , "errmsg" :
>>         > >> "index
>>         > >> > not found with name [realmId_1_name_1]"}
>>         > >> > at
>>         com.mongodb.CommandResult.getException(CommandResult.java:71)
>>         > >> > at
>>         com.mongodb.CommandResult.throwOnError(CommandResult.java:110)
>>         > >> >
>>         > >> >
>>         > >> >
>>         > >> > _______________________________________________
>>         > >> > keycloak-user mailing list
>>         > >> > keycloak-user at lists.jboss.org
>>         <mailto:keycloak-user at lists.jboss.org>
>>         > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>         > >>
>>         > >
>>         >
>>
>>
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/a122787d/attachment.html 

From mposolda at redhat.com  Mon Jun 22 09:45:51 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 22 Jun 2015 15:45:51 +0200
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
 1.3.1
In-Reply-To: <CAFMa6BYF1ZY99_0jedDPK2J=45qioZXERJ918SK1QJc1Ofrvng@mail.gmail.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
	<CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
	<55840FFF.7080208@redhat.com>
	<CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>
	<55842599.8000301@redhat.com>
	<CAFMa6BYF1ZY99_0jedDPK2J=45qioZXERJ918SK1QJc1Ofrvng@mail.gmail.com>
Message-ID: <5588118F.6090307@redhat.com>

Thanks for the info Kevin. I've also created 
https://issues.jboss.org/browse/KEYCLOAK-1490 for the sync issue. Will 
try to address both issues for the next release. Will let you know once 
it's fixed in master if you want to try it before the next release is out.

Marek

Dne 19.6.2015 v 17:45 Kevin Thorpe napsal(a):
> I agree with you on the delimiter option. That wouldn't require any 
> database changes. For the small
> attribute applications I could wrap into a delimited string but we 
> have some others for fine grained
> permissions/roles that can be dozens of already delimited strings. 
> Roles in particular are:
>     application|role|path/that/role/represents
> I know it's very common to have multi-attributes in LDAP anyway so 
> this will affect others.
>
> JIRA: https://issues.jboss.org/browse/KEYCLOAK-1487
>
>
> *Kevin Thorpe
> *
> CTO
>
> <https://www.p-i.net/> <https://twitter.com/@PI_150>
>
> www.p-i.net <http://www.p-i.net/> | @PI_150 <https://twitter.com/@PI_150>
>
> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>
> **
> _____________________________
>
> This email and any files transmitted with it are confidential and 
> intended solely for the use of the individual or entity to whom they 
> are addressed. If you have received this email in error please notify 
> the system manager. This message contains confidential information and 
> is intended only for the individual named. If you are not the named 
> addressee you should not disseminate, distribute or copy this e-mail. 
> Please notify the sender immediately by e-mail if you have received 
> this e-mail by mistake and delete this e-mail from your system. If you 
> are not the intended recipient you are notified that disclosing, 
> copying, distributing or taking any action in reliance on the contents 
> of this information is strictly prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
>
> On 19 June 2015 at 15:22, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     Ouch, this is a bug:-(
>
>     Feel free to create JIRA.
>
>     The UserModel in Keycloak DB has each attribute modelled as one
>     string value. But I think I can address it with the usage of some
>     delimiter and then for access token has the protocol mapper, which
>     will handle it.
>
>     So for example if your LDAP user has 3 values of attribute
>     "applications" with values "finance", "sales", "development", the
>     attribute on the Keycloak UserModel will have value like
>     "finance###sales###development" (The sequence ### will be used as
>     delimiter), but for the access token it will be divided again. So
>     in your application, you will have possibility to have something like:
>
>     Set<String> applications =
>     accessToken.getOtherClaims().getAttribute("applications");
>
>     which will return set with 3 values "finance", "sales", "development".
>
>     Marek
>
>
>     On 19.6.2015 15:22, Kevin Thorpe wrote:
>>     Ok, I think I understand. I tried 'sync all users' and got an
>>     error. Is this because applications is a multiple
>>     attribute? Obviously I will probably have access to more than one
>>     application. In the meantime I'll try a brand
>>     new user and see if that works.
>>
>>     Log shows:
>>
>>     2015-06-19 14:19:26,361 INFO
>>      [org.keycloak.federation.ldap.LDAPFederationProviderFactory]
>>     (default task-2) Sync all users from LDAP to local store: realm:
>>     master, federation provider: PI  ordinary users
>>     2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default
>>     task-2) UT005023: Exception handling request to
>>     /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
>>     java.lang.RuntimeException: request path:
>>     /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
>>             at
>>     org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
>>             at
>>     io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>             at
>>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>             at
>>     io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>>             at
>>     io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>             at
>>     io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>             at
>>     org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>             at
>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>     io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>             at
>>     io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>             at
>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>     io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>             at
>>     io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>             at
>>     io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>>             at
>>     io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>>             at
>>     io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>             at
>>     io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>>             at
>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>     org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>             at
>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>             at
>>     io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
>>             at
>>     io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
>>             at
>>     io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>>             at
>>     io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>>             at
>>     io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>>             at
>>     io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>>             at
>>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>             at
>>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>             at java.lang.Thread.run(Thread.java:745)
>>     Caused by: org.jboss.resteasy.spi.UnhandledException:
>>     java.lang.ClassCastException: java.util.TreeSet cannot be cast to
>>     java.lang.String
>>             at
>>     org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>             at
>>     org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>             at
>>     org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>>             at
>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>>             at
>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>>             at
>>     org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>>             at
>>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>             at
>>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>             at
>>     javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>             at
>>     io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>>             at
>>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>>             at
>>     org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>>             at
>>     io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>             at
>>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>             at
>>     org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>>             ... 29 more
>>     Caused by: java.lang.ClassCastException: java.util.TreeSet cannot
>>     be cast to java.lang.String
>>             at
>>     org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
>>             at
>>     org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
>>             at
>>     org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
>>             at
>>     org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
>>             at
>>     org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
>>             at
>>     org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
>>             at
>>     org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
>>             at
>>     org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
>>             at
>>     org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
>>             at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>>     Method)
>>             at
>>     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>             at
>>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>             at java.lang.reflect.Method.invoke(Method.java:497)
>>             at
>>     org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>>             at
>>     org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>>             at
>>     org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>             at
>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>>             at
>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>>             ... 40 more
>>
>>
>>     *Kevin Thorpe
>>     *
>>     CTO
>>
>>     <https://www.p-i.net/> <https://twitter.com/@PI_150>
>>
>>     www.p-i.net <http://www.p-i.net/> | @PI_150
>>     <https://twitter.com/@PI_150>
>>
>>     M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207
>>     730 2635
>>     150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>     **
>>     _____________________________
>>
>>     This email and any files transmitted with it are confidential and
>>     intended solely for the use of the individual or entity to whom
>>     they are addressed. If you have received this email in error
>>     please notify the system manager. This message contains
>>     confidential information and is intended only for the individual
>>     named. If you are not the named addressee you should not
>>     disseminate, distribute or copy this e-mail. Please notify the
>>     sender immediately by e-mail if you have received this e-mail by
>>     mistake and delete this e-mail from your system. If you are not
>>     the intended recipient you are notified that disclosing, copying,
>>     distributing or taking any action in reliance on the contents of
>>     this information is strictly prohibited.
>>
>>     *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>
>>
>>     On 19 June 2015 at 13:50, Marek Posolda <mposolda at redhat.com
>>     <mailto:mposolda at redhat.com>> wrote:
>>
>>         Thanks for the info. Now I think I know what's going on.
>>
>>         The issue is that currently when we import users from LDAP
>>         (federation in general), we sync the configured attributes to
>>         the Keycloak DB. But during searching, we don't sync the
>>         attributes from LDAP to Keycloak DB anymore. So I guess you
>>         did the steps like this:
>>         - You first authenticate as LDAP user "joe" (or search this
>>         user from admin console), which imported this user into
>>         Keycloak DB
>>         - Then you created mapper for the 'applications' attribute.
>>         But user 'joe' was already imported into Keycloak DB from the
>>         previous step, right?
>>
>>         I believe that when you import some other user from LDAP,
>>         which is not yet exist in Keycloak DB, the 'applications'
>>         attribute will be there. For the existing user, the only
>>         possibility right now is to use "Synchronize all users" or
>>         "Synchronize changed users" on LDAP federation screen. This
>>         will update existing users into Keycloak DB as well, so 'joe'
>>         will be updated.
>>
>>         Please let me know if it helps.  Looks that it's something we
>>         should address better in Keycloak.
>>
>>         Marek
>>
>>
>>         On 19.6.2015 11:56, Kevin Thorpe wrote:
>>>         I had a hunch so I added a record in USER_ATTRIBUTE for
>>>         applications and it is getting passed
>>>         in the JWT claims now. That squarely points at the ldap
>>>         federation part.
>>>
>>>         *Kevin Thorpe
>>>         *
>>>         CTO
>>>
>>>         <https://www.p-i.net/> <https://twitter.com/@PI_150>
>>>
>>>         www.p-i.net <http://www.p-i.net/> | @PI_150
>>>         <https://twitter.com/@PI_150>
>>>
>>>         M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F:
>>>         +44(0)207 730 2635
>>>         150 Buckingham Palace Road, London, SW1W 9TR, UK
>>>
>>>         **
>>>         _____________________________
>>>
>>>         This email and any files transmitted with it are
>>>         confidential and intended solely for the use of the
>>>         individual or entity to whom they are addressed. If you have
>>>         received this email in error please notify the system
>>>         manager. This message contains confidential information and
>>>         is intended only for the individual named. If you are not
>>>         the named addressee you should not disseminate, distribute
>>>         or copy this e-mail. Please notify the sender immediately by
>>>         e-mail if you have received this e-mail by mistake and
>>>         delete this e-mail from your system. If you are not the
>>>         intended recipient you are notified that disclosing,
>>>         copying, distributing or taking any action in reliance on
>>>         the contents of this information is strictly prohibited.
>>>
>>>         *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>>
>>>
>>>         On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net
>>>         <mailto:kevin.thorpe at p-i.net>> wrote:
>>>
>>>             Hi Marek, thanks for the quick reply.
>>>
>>>             1. I am definitely sure that the attributes I need are
>>>             in the LDAP record.
>>>
>>>             2. adding trace to federation.ldap shows my mapped
>>>             attributes being read
>>>
>>>             3. there is no USER_ATTRIBUTES table I'm assuming you
>>>             meant USER_ATTRIBUTE but it doesn't have my attributes.
>>>                it does have a reference to my LDAP_ID so i8t looks
>>>             like it should be here
>>>
>>>             MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>>>             +---------+-------------------------------------+--------------------------------------+
>>>             | NAME    | VALUE             | USER_ID    |
>>>             +---------+-------------------------------------+--------------------------------------+
>>>             | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
>>>             471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
>>>             | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
>>>             6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>>>             +---------+-------------------------------------+--------------------------------------+
>>>
>>>             thanks for your time on this
>>>
>>>             *Kevin Thorpe
>>>             *
>>>             CTO
>>>
>>>             <https://www.p-i.net/> <https://twitter.com/@PI_150>
>>>
>>>             www.p-i.net <http://www.p-i.net/> | @PI_150
>>>             <https://twitter.com/@PI_150>
>>>
>>>             M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F:
>>>             +44(0)207 730 2635
>>>             150 Buckingham Palace Road, London, SW1W 9TR, UK
>>>
>>>             **
>>>             _____________________________
>>>
>>>             This email and any files transmitted with it are
>>>             confidential and intended solely for the use of the
>>>             individual or entity to whom they are addressed. If you
>>>             have received this email in error please notify the
>>>             system manager. This message contains confidential
>>>             information and is intended only for the individual
>>>             named. If you are not the named addressee you should not
>>>             disseminate, distribute or copy this e-mail. Please
>>>             notify the sender immediately by e-mail if you have
>>>             received this e-mail by mistake and delete this e-mail
>>>             from your system. If you are not the intended recipient
>>>             you are notified that disclosing, copying, distributing
>>>             or taking any action in reliance on the contents of this
>>>             information is strictly prohibited.
>>>
>>>             *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>>
>>>
>>>             On 19 June 2015 at 10:15, Marek Posolda
>>>             <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>>
>>>                 There are few steps here and the result will work
>>>                 only if all steps success. So it might help to try
>>>                 which step could be wrong here:
>>>
>>>                 1) You can doublecheck if your user really has
>>>                 'applications' attribute in LDAP
>>>
>>>                 2) If (1) is ok, you can enable TRACE logging for
>>>                 "org.keycloak.federation.ldap" category in
>>>                 standalone.xml . With it, you should see some trace
>>>                 messages with the names and values of all LDAP
>>>                 attributes, which are loaded in user record. You
>>>                 should see the 'applications' attribute loaded
>>>
>>>                 3) If (2) is ok, you can browse keycloak database
>>>                 and check if attribute 'applications' is really
>>>                 here. The user attributes are saved in table
>>>                 USER_ATTRIBUTES. Currently it's not possible to
>>>                 browse user attributes generically in admin console
>>>                 (unless you do custom theme) so browse DB seems to
>>>                 be the only possibility.
>>>
>>>                 4) If (3) is ok, the issue is not in LDAP
>>>                 interaction, but in protocol mapper configuration.
>>>                 Make sure you use correct protocol mapper (In your
>>>                 case it should be "User attributes" mapper, not
>>>                 "User property" mapper). Also if your application is
>>>                 Java based, the value of 'applications' claim is
>>>                 saved in accessToken in 'otherClaims' map and can be
>>>                 retrieved with something like:
>>>                 accessToken.getOtherClaims().get("applications");
>>>
>>>                 Marek
>>>
>>>
>>>
>>>                 On 18.6.2015 17:50, Kevin Thorpe wrote:
>>>>                 Thanks to the team for 1.3.1. We were eagerly
>>>>                 waiting for that to add LDAP attribute mappings
>>>>                 which I see has now been done. Unfortunately I
>>>>                 can't seem to get it to work.
>>>>
>>>>                 I have added a user attribute mapper to my ldap
>>>>                 federation. This maps the LDAP atribute
>>>>                 'applications' which exists on my LDAP user record
>>>>                 to 'applications' in Keycloak.
>>>>
>>>>                 I have also added a user attribute token mapper to
>>>>                 my Keycloak client definition to map user attribute
>>>>                 'applications' to token claim 'applications'. I've
>>>>                 also asked to add to both id and access token.
>>>>
>>>>                 However this attribute is not present in either the
>>>>                 ID or access token when testing. Is there something
>>>>                 I've missed?
>>>>
>>>>                 Something that may be an issue though is that I'm
>>>>                 using a home written openid-connect Lua client
>>>>                 based on your javascript one. This uses the
>>>>                 endpoint
>>>>                 /auth/realms/master/protocol/openid-connect/token.
>>>>                 Is it that the openid-connect endpoint doesn't
>>>>                 support these attributes yet?
>>>>
>>>>                 *Kevin Thorpe
>>>>                 *
>>>>                 CTO, PI ltd
>>>>
>>>>
>>>>                 _______________________________________________
>>>>                 keycloak-user mailing list
>>>>                 keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>>>                 https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/f70840b2/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/f70840b2/attachment-0006.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/f70840b2/attachment-0007.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/f70840b2/attachment-0008.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/f70840b2/attachment-0009.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/f70840b2/attachment-0010.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/f70840b2/attachment-0011.jpe 

From kevin.thorpe at p-i.net  Mon Jun 22 09:49:08 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Mon, 22 Jun 2015 14:49:08 +0100
Subject: [keycloak-user] Having trouble with LDAP attribute mapping in
	1.3.1
In-Reply-To: <5588118F.6090307@redhat.com>
References: <CAFMa6BZSatfB38r892f0JEu9j57Sv09JqgiT=oFyQfpttQNsFA@mail.gmail.com>
	<5583DDCA.10607@redhat.com>
	<CAFMa6BYcd1eqemxZN1VRCSaEezMkikJ76dwDa6ZsF1jKNHj_6w@mail.gmail.com>
	<CAFMa6Bb=P6sM3TBwO6-1w5N=ufzh5Pg7xTF0EDUby=JTHhNf0Q@mail.gmail.com>
	<55840FFF.7080208@redhat.com>
	<CAFMa6BY715FGKQez58_km2jzhKHnuQmNODRwTg=y2bzxR8A_eA@mail.gmail.com>
	<55842599.8000301@redhat.com>
	<CAFMa6BYF1ZY99_0jedDPK2J=45qioZXERJ918SK1QJc1Ofrvng@mail.gmail.com>
	<5588118F.6090307@redhat.com>
Message-ID: <CAFMa6BZrowaOhyNJjPdBVxpMPEctNBH0_-UBd7kzcXcrhCNpWw@mail.gmail.com>

Brilliant, I'm waiting for it so yes I'd like to try as soon as available.



*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 22 June 2015 at 14:45, Marek Posolda <mposolda at redhat.com> wrote:

>  Thanks for the info Kevin. I've also created
> https://issues.jboss.org/browse/KEYCLOAK-1490 for the sync issue. Will
> try to address both issues for the next release. Will let you know once
> it's fixed in master if you want to try it before the next release is out.
>
> Marek
>
> Dne 19.6.2015 v 17:45 Kevin Thorpe napsal(a):
>
> I agree with you on the delimiter option. That wouldn't require any
> database changes. For the small
> attribute applications I could wrap into a delimited string but we have
> some others for fine grained
> permissions/roles that can be dozens of already delimited strings. Roles
> in particular are:
>     application|role|path/that/role/represents
> I know it's very common to have multi-attributes in LDAP anyway so this
> will affect others.
>
>  JIRA: https://issues.jboss.org/browse/KEYCLOAK-1487
>
>
>
> *Kevin Thorpe *
> CTO
>
>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>
>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>
>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
> _____________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. If you are not the intended recipient
> you are notified that disclosing, copying, distributing or taking any
> action in reliance on the contents of this information is strictly
> prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
> On 19 June 2015 at 15:22, Marek Posolda <mposolda at redhat.com> wrote:
>
>>  Ouch, this is a bug :-(
>>
>> Feel free to create JIRA.
>>
>> The UserModel in Keycloak DB has each attribute modelled as one string
>> value. But I think I can address it with the usage of some delimiter and
>> then for access token has the protocol mapper, which will handle it.
>>
>> So for example if your LDAP user has 3 values of attribute "applications"
>> with values "finance", "sales", "development", the attribute on the
>> Keycloak UserModel will have value like "finance###sales###development"
>> (The sequence ### will be used as delimiter), but for the access token it
>> will be divided again. So in your application, you will have possibility to
>> have something like:
>>
>> Set<String> applications =
>> accessToken.getOtherClaims().getAttribute("applications");
>>
>> which will return set with 3 values "finance", "sales", "development".
>>
>> Marek
>>
>>
>> On 19.6.2015 15:22, Kevin Thorpe wrote:
>>
>> Ok, I think I understand. I tried 'sync all users' and got an error. Is
>> this because applications is a multiple
>> attribute? Obviously I will probably have access to more than one
>> application. In the meantime I'll try a brand
>> new user and see if that works.
>>
>>  Log shows:
>>
>>  2015-06-19 14:19:26,361 INFO
>>  [org.keycloak.federation.ldap.LDAPFederationProviderFactory] (default
>> task-2) Sync all users from LDAP to local store: realm: master, federation
>> provider: PI  ordinary users
>> 2015-06-19 14:19:26,611 ERROR [io.undertow.request] (default task-2)
>> UT005023: Exception handling request to
>> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync:
>> java.lang.RuntimeException: request path:
>> /auth/admin/realms/master/user-federation/instances/141db483-1f5c-412f-acbb-0ea642015798/sync
>>         at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
>>         at
>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>         at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>         at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>>         at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>         at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>         at
>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>         at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>         at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>         at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>>         at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>>         at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>         at
>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>>         at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>>         at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>>         at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>>         at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:745)
>> Caused by: org.jboss.resteasy.spi.UnhandledException:
>> java.lang.ClassCastException: java.util.TreeSet cannot be cast to
>> java.lang.String
>>         at
>> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>         at
>> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>>         at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>>         at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>         at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>         at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>>         at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>>         at
>> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>>         at
>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>         at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>         at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>>         ... 29 more
>> Caused by: java.lang.ClassCastException: java.util.TreeSet cannot be cast
>> to java.lang.String
>>         at
>> org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:60)
>>         at
>> org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:404)
>>         at
>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
>>         at
>> org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
>>         at
>> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
>>         at
>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
>>         at
>> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
>>         at
>> org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
>>         at
>> org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:497)
>>         at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>>         at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>>         at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>>         at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>>         at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>>         ... 40 more
>>
>>
>>
>> *Kevin Thorpe *
>> CTO
>>
>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>
>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>
>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>
>>
>> _____________________________
>>
>> This email and any files transmitted with it are confidential and
>> intended solely for the use of the individual or entity to whom they are
>> addressed. If you have received this email in error please notify the
>> system manager. This message contains confidential information and is
>> intended only for the individual named. If you are not the named addressee
>> you should not disseminate, distribute or copy this e-mail. Please notify
>> the sender immediately by e-mail if you have received this e-mail by
>> mistake and delete this e-mail from your system. If you are not the
>> intended recipient you are notified that disclosing, copying, distributing
>> or taking any action in reliance on the contents of this information is
>> strictly prohibited.
>>
>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>
>> On 19 June 2015 at 13:50, Marek Posolda <mposolda at redhat.com> wrote:
>>
>>>  Thanks for the info. Now I think I know what's going on.
>>>
>>> The issue is that currently when we import users from LDAP (federation
>>> in general), we sync the configured attributes to the Keycloak DB. But
>>> during searching, we don't sync the attributes from LDAP to Keycloak DB
>>> anymore. So I guess you did the steps like this:
>>> - You first authenticate as LDAP user "joe" (or search this user from
>>> admin console), which imported this user into Keycloak DB
>>> - Then you created mapper for the 'applications' attribute. But user
>>> 'joe' was already imported into Keycloak DB from the previous step, right?
>>>
>>> I believe that when you import some other user from LDAP, which is not
>>> yet exist in Keycloak DB, the 'applications' attribute will be there. For
>>> the existing user, the only possibility right now is to use "Synchronize
>>> all users" or "Synchronize changed users" on LDAP federation screen. This
>>> will update existing users into Keycloak DB as well, so 'joe' will be
>>> updated.
>>>
>>> Please let me know if it helps.  Looks that it's something we should
>>> address better in Keycloak.
>>>
>>> Marek
>>>
>>>
>>> On 19.6.2015 11:56, Kevin Thorpe wrote:
>>>
>>> I had a hunch so I added a record in USER_ATTRIBUTE for applications and
>>> it is getting passed
>>> in the JWT claims now. That squarely points at the ldap federation part.
>>>
>>>
>>> *Kevin Thorpe *
>>> CTO
>>>
>>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>>
>>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>>
>>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>>
>>>
>>> _____________________________
>>>
>>> This email and any files transmitted with it are confidential and
>>> intended solely for the use of the individual or entity to whom they are
>>> addressed. If you have received this email in error please notify the
>>> system manager. This message contains confidential information and is
>>> intended only for the individual named. If you are not the named addressee
>>> you should not disseminate, distribute or copy this e-mail. Please notify
>>> the sender immediately by e-mail if you have received this e-mail by
>>> mistake and delete this e-mail from your system. If you are not the
>>> intended recipient you are notified that disclosing, copying, distributing
>>> or taking any action in reliance on the contents of this information is
>>> strictly prohibited.
>>>
>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>>
>>> On 19 June 2015 at 10:42, Kevin Thorpe <kevin.thorpe at p-i.net> wrote:
>>>
>>>> Hi Marek, thanks for the quick reply.
>>>>
>>>>  1. I am definitely sure that the attributes I need are in the LDAP
>>>> record.
>>>>
>>>>  2. adding trace to federation.ldap shows my mapped attributes being
>>>> read
>>>>
>>>>  3. there is no USER_ATTRIBUTES table I'm assuming you meant
>>>> USER_ATTRIBUTE but it doesn't have my attributes.
>>>>    it does have a reference to my LDAP_ID so i8t looks like it should
>>>> be here
>>>>
>>>>  MariaDB [keycloak]> select * from USER_ATTRIBUTE;
>>>>
>>>> +---------+-------------------------------------+--------------------------------------+
>>>> | NAME    | VALUE                               | USER_ID
>>>>                |
>>>>
>>>> +---------+-------------------------------------+--------------------------------------+
>>>> | LDAP_ID | 7fc89601-96e711e2-a5a7b2a9-738d4470 |
>>>> 471f0b4f-cb7c-4610-b3d6-ddd3a18e9986 |
>>>> | LDAP_ID | 3245fc81-55c211e2-a5a7b2a9-738d4470 |
>>>> 6d64f5a2-d356-4ab6-9b4d-3f89a3ee38c4 |
>>>>
>>>> +---------+-------------------------------------+--------------------------------------+
>>>>
>>>>  thanks for your time on this
>>>>
>>>>
>>>> *Kevin Thorpe *
>>>> CTO
>>>>
>>>>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>>>>
>>>>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>>>>
>>>>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730
>>>> 2635
>>>>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>>>>
>>>>
>>>> _____________________________
>>>>
>>>> This email and any files transmitted with it are confidential and
>>>> intended solely for the use of the individual or entity to whom they are
>>>> addressed. If you have received this email in error please notify the
>>>> system manager. This message contains confidential information and is
>>>> intended only for the individual named. If you are not the named addressee
>>>> you should not disseminate, distribute or copy this e-mail. Please notify
>>>> the sender immediately by e-mail if you have received this e-mail by
>>>> mistake and delete this e-mail from your system. If you are not the
>>>> intended recipient you are notified that disclosing, copying, distributing
>>>> or taking any action in reliance on the contents of this information is
>>>> strictly prohibited.
>>>>
>>>> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>>>>
>>>> On 19 June 2015 at 10:15, Marek Posolda <mposolda at redhat.com> wrote:
>>>>
>>>>>  There are few steps here and the result will work only if all steps
>>>>> success. So it might help to try which step could be wrong here:
>>>>>
>>>>> 1) You can doublecheck if your user really has 'applications'
>>>>> attribute in LDAP
>>>>>
>>>>> 2) If (1) is ok, you can enable TRACE logging for
>>>>> "org.keycloak.federation.ldap" category in standalone.xml . With it, you
>>>>> should see some trace messages with the names and values of all LDAP
>>>>> attributes, which are loaded in user record. You should see the
>>>>> 'applications' attribute loaded
>>>>>
>>>>> 3) If (2) is ok, you can browse keycloak database and check if
>>>>> attribute 'applications' is really here. The user attributes are saved in
>>>>> table USER_ATTRIBUTES. Currently it's not possible to browse user
>>>>> attributes generically in admin console (unless you do custom theme) so
>>>>> browse DB seems to be the only possibility.
>>>>>
>>>>> 4) If (3) is ok, the issue is not in LDAP interaction, but in protocol
>>>>> mapper configuration. Make sure you use correct protocol mapper (In your
>>>>> case it should be "User attributes" mapper, not "User property" mapper).
>>>>> Also if your application is Java based, the value of 'applications' claim
>>>>> is saved in accessToken in 'otherClaims' map and can be retrieved with
>>>>> something like: accessToken.getOtherClaims().get("applications");
>>>>>
>>>>> Marek
>>>>>
>>>>>
>>>>>
>>>>> On 18.6.2015 17:50, Kevin Thorpe wrote:
>>>>>
>>>>>   Thanks to the team for 1.3.1. We were eagerly waiting for that to
>>>>> add LDAP attribute mappings which I see has now been done. Unfortunately I
>>>>> can't seem to get it to work.
>>>>>
>>>>>  I have added a user attribute mapper to my ldap federation. This
>>>>> maps the LDAP atribute 'applications' which exists on my LDAP user record
>>>>> to 'applications' in Keycloak.
>>>>>
>>>>>  I have also added a user attribute token mapper to my Keycloak
>>>>> client definition to map user attribute 'applications' to token claim
>>>>> 'applications'. I've also asked to add to both id and access token.
>>>>>
>>>>>  However this attribute is not present in either the ID or access
>>>>> token when testing. Is there something I've missed?
>>>>>
>>>>>  Something that may be an issue though is that I'm using a home
>>>>> written openid-connect Lua client based on your javascript one. This uses
>>>>> the endpoint /auth/realms/master/protocol/openid-connect/token. Is it that
>>>>> the openid-connect endpoint doesn't support these attributes yet?
>>>>>
>>>>>
>>>>> *Kevin Thorpe *
>>>>> CTO, PI ltd
>>>>>
>>>>>
>>>>>  _______________________________________________
>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0006.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0002.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0007.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0008.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0003.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0009.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0010.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/779aa895/attachment-0011.jpe 

From giovanni.baruzzi at syntlogo.de  Mon Jun 22 14:20:18 2015
From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi)
Date: Mon, 22 Jun 2015 20:20:18 +0200
Subject: [keycloak-user] Error during "Synchronize all users" from an LDAP
	Server
In-Reply-To: <D1ACCA06.1A5EC%giovanni.baruzzi@syntlogo.de>
References: <D1ACCA06.1A5EC%giovanni.baruzzi@syntlogo.de>
Message-ID: <D1AE1E5F.1A67A%giovanni.baruzzi@syntlogo.de>

Dear Friends,

I got the following exception trying to ?synchronize all users? from a LDAP Server. The dialog user is ?Settings->User Federation->Settings.
Please find the details about the LDAP Server further below after the Java LOG.
Thank for your attention,
Giovanni

=====================
20:23:38,119 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /auth/admin/realms/demo/user-federation/instances/6f4de879-f4b7-4d74-9141-46044c4b9e09/sync: java.lang.RuntimeException: request path: /auth/admin/realms/demo/user-fede                                                      ration/instances/6f4de879-f4b7-4d74-9141-46044c4b9e09/sync
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.                                                      java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java                                                      :131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java                                                      :57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstrai                                                      ntHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.ja                                                      va:72)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalStateException: Expected String but attribute was [adub, sdub]                                                       of type java.util.TreeSet
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
        ... 29 more
Caused by: java.lang.IllegalStateException: Expected String but attribute was [adub, sdub] of type java.util.TreeSet
        at org.keycloak.federation.ldap.idm.model.LDAPObject.getAttributeAsString(LDAPObject.java:79)
        at org.keycloak.federation.ldap.LDAPUtils.getUsername(LDAPUtils.java:76)
        at org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:390)
        at org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
        at org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
        at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
        at org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
        at org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
        at org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        ... 40 more

The LDAP Server is a port389 (nearly identical to RedHat) this is an excerpt of the LDIF of the people container
(all test data, not real people)

dn: ou=People, dc=syntlogo,dc=de
objectClass: top
objectClass: organizationalunit
ou: People

dn: uid=cros, ou=People, dc=syntlogo,dc=de
cn: Carlo Rossi
sn: Rossi
givenName: Carlo
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Milano
uid: cros
mail: carlo.rossi at mycompany.com<mailto:carlo.rossi at mycompany.com>
telephoneNumber: +39-02-2267-4798
facsimileTelephoneNumber: +39-02-2267-9751
roomNumber: 4612
userPassword: {SSHA}dvuiZA9vGMEqopNlIJ2qwxf0igE1fmJVLB8MRw==

dn: uid=gste, ou=People, dc=syntlogo,dc=de
cn: Gudrun Steinle
sn: Steinle
givenName: Gudrun
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Stuttgart
uid: gste
mail: gudrun.steinle at mycompany.com<mailto:gudrun.steinle at mycompany.com>
telephoneNumber: +49-711-2359-9187
facsimileTelephoneNumber: +49-711-2359-8473
roomNumber: 4117
userPassword: {SSHA}wc8v0cdM3GNzzQZ9EkfH5EdUBUMqVtMCDlTXFQ==

dn: uid=abia, ou=People, dc=syntlogo,dc=de
cn: Antonio Bianchi
sn: Bianchi
givenName: Antonio
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Human Resources
ou: People
l: Milano
uid: abia
mail: antonio.bianchi at mycompany.com<mailto:antonio.bianchi at mycompany.com>
telephoneNumber: +39-02-2267- 5625
facsimileTelephoneNumber: +39-02-2267- 3372
roomNumber: 2871
userPassword: {SSHA}+b2IRLQ2tPT5xLSiYAnM4vuUrY7FMac/NwGXFQ==


and in the log of the LDAP server is the following to see:

[18/May/2015:14:32:26 +0200] conn=168 fd=64 slot=64 connection from 10.1.0.90 to 10.1.0.93
[18/May/2015:14:32:26 +0200] conn=169 fd=65 slot=65 connection from 10.1.0.90 to 10.1.0.93
[18/May/2015:14:32:26 +0200] conn=169 op=0 BIND dn="cn=directory manager" method=128 version=3
[18/May/2015:14:32:26 +0200] conn=169 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[18/May/2015:14:32:26 +0200] conn=169 op=1 SRCH base="ou=people,dc=syntlogo,dc=local" scope=1 filter="(&(objectClass=organizationalPerson)(objectClass=inetOrgPerson))" attrs="uid nsUniqueId mail createTimestamp sn cn objectClass modifyTimestamp"
[18/May/2015:14:32:26 +0200] conn=169 op=1 RESULT err=0 tag=101 nentries=19 etime=0 notes=P


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150622/2519014c/attachment-0001.html 

From juraci at kroehling.de  Tue Jun 23 07:50:31 2015
From: juraci at kroehling.de (=?UTF-8?B?SnVyYWNpIFBhaXjDo28gS3LDtmhsaW5n?=)
Date: Tue, 23 Jun 2015 13:50:31 +0200
Subject: [keycloak-user] Refresh token - should it expire?
Message-ID: <55894807.9030507@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

I'm building a secret store application that will sit in front of
Hawkular and will be responsible for replacing API keys into actual
Keycloak authentication data.

Based on the suggestions from Stian, the current code does the following
:

- - User logs in Hawkular via Keycloak
- - Once the user wants to create a new application key/secret, the user
is redirected to /secret-store/tokens/create , which takes the KC
authentication data and stores the refresh_token into the database,
creating a new key/secret
- - User configures an external application (like a monitoring agent in
a server), adding this key/secret to its configuration
- - The agent makes a call to the Hawkular backend, sending this key/secre
t
- - An undertow filter gets this key/secret from the request, fetches
the refresh_token from the database, gets a bearer token from Keycloak
based on this refresh_token and sets it to the request's context (ie:
replacing the Authorization header)
- - Keycloak uses this bearer token to perform what it needs to do
- - Request reaches the Hawkular backend

It all works, but the session from the *user* (second step) eventually
expires, causing the refresh_token to be invalid[1].

So, the question is whether this token is indeed supposed to be
attached to an user session, or if it's a bug. If the behavior I'm
seeing is the correct one, what could be a proper way to store a token
so that it can be replaced at a later time?

1 - http://git.io/vLAtF

Best,
Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJViUgHAAoJEDnJtskdmzLMCIsH/iOeGmCDANgjvliyeKMWcx0/
j0cFdJuENBqzgPRlj0tSSJeFZeNnIs07ARJk2E0Xoq1D2gSq3KAw3hTOq7nPNfOk
SoG5f1dLDkwCB8a+d/IGNfPw6Tmbzn0i2kwRSbhSJdfYCDxg9xiMPnV2MjvunPYa
f6sXHz0yZjwylis3UuBw7WUNr1wAYOpjfmdBmt0B6hEqBXbIZflX2OEhim7dC+PQ
WBx4lobqWWR+pMF12oabngNPLoE1r8SGSJkkiusMZxaTIWOViiHIYkRzVcul32z7
1OI0EOHnnv4YJ1rzc9frAIu7EPZq0i4BM1YT9pRBlNFBWH/ZQawEyCN6KCrNHDI=
=EA+F
-----END PGP SIGNATURE-----

From stian at redhat.com  Tue Jun 23 10:50:57 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 23 Jun 2015 10:50:57 -0400 (EDT)
Subject: [keycloak-user] Refresh token - should it expire?
In-Reply-To: <55894807.9030507@kroehling.de>
References: <55894807.9030507@kroehling.de>
Message-ID: <1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>

Hi,

Refresh tokens should expire, but we will be adding offline tokens at some point which won't expire until revoked by the user or admin.

In the mean time you can set a high level for the sso expiration.

When do you need to have a proper offline token?


----- Original Message -----
> From: "Juraci Paix?o Kr?hling" <juraci at kroehling.de>
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 23 June, 2015 1:50:31 PM
> Subject: [keycloak-user] Refresh token - should it expire?
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Hello,
> 
> I'm building a secret store application that will sit in front of
> Hawkular and will be responsible for replacing API keys into actual
> Keycloak authentication data.
> 
> Based on the suggestions from Stian, the current code does the following
> :
> 
> - - User logs in Hawkular via Keycloak
> - - Once the user wants to create a new application key/secret, the user
> is redirected to /secret-store/tokens/create , which takes the KC
> authentication data and stores the refresh_token into the database,
> creating a new key/secret
> - - User configures an external application (like a monitoring agent in
> a server), adding this key/secret to its configuration
> - - The agent makes a call to the Hawkular backend, sending this key/secre
> t
> - - An undertow filter gets this key/secret from the request, fetches
> the refresh_token from the database, gets a bearer token from Keycloak
> based on this refresh_token and sets it to the request's context (ie:
> replacing the Authorization header)
> - - Keycloak uses this bearer token to perform what it needs to do
> - - Request reaches the Hawkular backend
> 
> It all works, but the session from the *user* (second step) eventually
> expires, causing the refresh_token to be invalid[1].
> 
> So, the question is whether this token is indeed supposed to be
> attached to an user session, or if it's a bug. If the behavior I'm
> seeing is the correct one, what could be a proper way to store a token
> so that it can be replaced at a later time?
> 
> 1 - http://git.io/vLAtF
> 
> Best,
> Juca.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iQEcBAEBCAAGBQJViUgHAAoJEDnJtskdmzLMCIsH/iOeGmCDANgjvliyeKMWcx0/
> j0cFdJuENBqzgPRlj0tSSJeFZeNnIs07ARJk2E0Xoq1D2gSq3KAw3hTOq7nPNfOk
> SoG5f1dLDkwCB8a+d/IGNfPw6Tmbzn0i2kwRSbhSJdfYCDxg9xiMPnV2MjvunPYa
> f6sXHz0yZjwylis3UuBw7WUNr1wAYOpjfmdBmt0B6hEqBXbIZflX2OEhim7dC+PQ
> WBx4lobqWWR+pMF12oabngNPLoE1r8SGSJkkiusMZxaTIWOViiHIYkRzVcul32z7
> 1OI0EOHnnv4YJ1rzc9frAIu7EPZq0i4BM1YT9pRBlNFBWH/ZQawEyCN6KCrNHDI=
> =EA+F
> -----END PGP SIGNATURE-----
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 


From juraci at kroehling.de  Tue Jun 23 11:12:14 2015
From: juraci at kroehling.de (=?UTF-8?B?SnVyYWNpIFBhaXjDo28gS3LDtmhsaW5n?=)
Date: Tue, 23 Jun 2015 17:12:14 +0200
Subject: [keycloak-user] Refresh token - should it expire?
In-Reply-To: <1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>
References: <55894807.9030507@kroehling.de>
	<1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>
Message-ID: <5589774E.9080004@kroehling.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/23/2015 04:50 PM, Stian Thorgersen wrote:
> In the mean time you can set a high level for the sso expiration.

That would work for now, but note that if an user logs out or if the
session expires for some reason, the token is automatically deemed as
expired as well (invalid_grant, actually). So, it's not about the
token expiration itself, but about the session expiration:

http://git.io/vLAtF

> When do you need to have a proper offline token?

Tough question :-) I'd say that we'd absolutely need this by
September/October, but of course, the sooner the better as it touches
an important part of the system.

- - Juca.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJViXdOAAoJEDnJtskdmzLMNgEH/jfdVPJQyljkIbbxUlcxo3H3
9RBqzPtpb8142Ts6eJR1lwPg82KEjtycVjGuwggkJINPolhtgVploZPH9bKe7kiN
7GFAEPhT9FPSKUv09oIR1zz0hl9vu9G/Qv35UmWue1JCzTPtRlUYx9cYBS/Ze4Ps
+Y/tXgVbLwrx/y2xOVpAEH2giPuGP9VYYWNMCF3vnzISnLjhaEwEK91vHrfwWKEY
0+KAq7NDO40049FeFAMwsZ1AzlX+CoK54NdR1q7YQ8kAH88bweA8J/NnM6dySaTN
Omf6EsxJMWLMXA4Yya5r8ls+K0ZeyJrQqEw01qrTtpu8q1wp1rfrIk8zjknNZ1I=
=G+Um
-----END PGP SIGNATURE-----

From stian at redhat.com  Tue Jun 23 11:14:27 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 23 Jun 2015 11:14:27 -0400 (EDT)
Subject: [keycloak-user] Refresh token - should it expire?
In-Reply-To: <5589774E.9080004@kroehling.de>
References: <55894807.9030507@kroehling.de>
	<1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>
	<5589774E.9080004@kroehling.de>
Message-ID: <47189901.24304127.1435072467145.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Juraci Paix?o Kr?hling" <juraci at kroehling.de>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 23 June, 2015 5:12:14 PM
> Subject: Re: [keycloak-user] Refresh token - should it expire?
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 06/23/2015 04:50 PM, Stian Thorgersen wrote:
> > In the mean time you can set a high level for the sso expiration.
> 
> That would work for now, but note that if an user logs out or if the
> session expires for some reason, the token is automatically deemed as
> expired as well (invalid_grant, actually). So, it's not about the
> token expiration itself, but about the session expiration:
> 
> http://git.io/vLAtF

Indeed that's the intent. All non-offline tokens are linked to the current users session.

> 
> > When do you need to have a proper offline token?
> 
> Tough question :-) I'd say that we'd absolutely need this by
> September/October, but of course, the sooner the better as it touches
> an important part of the system.

We'll try to get it in for 1.5 - which should be end of August.

> 
> - - Juca.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iQEcBAEBCAAGBQJViXdOAAoJEDnJtskdmzLMNgEH/jfdVPJQyljkIbbxUlcxo3H3
> 9RBqzPtpb8142Ts6eJR1lwPg82KEjtycVjGuwggkJINPolhtgVploZPH9bKe7kiN
> 7GFAEPhT9FPSKUv09oIR1zz0hl9vu9G/Qv35UmWue1JCzTPtRlUYx9cYBS/Ze4Ps
> +Y/tXgVbLwrx/y2xOVpAEH2giPuGP9VYYWNMCF3vnzISnLjhaEwEK91vHrfwWKEY
> 0+KAq7NDO40049FeFAMwsZ1AzlX+CoK54NdR1q7YQ8kAH88bweA8J/NnM6dySaTN
> Omf6EsxJMWLMXA4Yya5r8ls+K0ZeyJrQqEw01qrTtpu8q1wp1rfrIk8zjknNZ1I=
> =G+Um
> -----END PGP SIGNATURE-----
> 


From ssilvert at redhat.com  Tue Jun 23 13:13:53 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 23 Jun 2015 13:13:53 -0400
Subject: [keycloak-user] Trouble running Fuse demo with 3.1.1.Final
Message-ID: <558993D1.8040305@redhat.com>

I'm trying to run the Fuse demo at 
https://github.com/keycloak/keycloak/tree/master/examples/fuse

I'm using Fuse 6.1.0.redhat-379 and Keycloak 3.1.1.Final. Everything 
goes fine until I try to install keycloak-fuse-example. Then I get:

JBossFuse:karaf at root> features:install keycloak-fuse-example
Error executing command: Can not resolve feature:
Unsatisfied requirement(s):
---------------------------
package:(&(package=org.apache.http.client.entity)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.apache.http.conn.ssl)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.keycloak.representations.idm)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.keycloak.jose.jws)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.keycloak.jose.jws.crypto)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.apache.http.impl.conn)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.apache.http.conn.scheme)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.keycloak.representations.adapters.action)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.apache.http.impl.conn.tsccm)(version>=4.3.6))
       Keycloak Adapter Core
    package:(&(package=org.keycloak)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.apache.http.cookie)(version>=4.3.6))
       Keycloak Adapter Core
    package:(&(package=org.apache.http.conn)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.keycloak.representations)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.keycloak.representations.adapters.config)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.apache.http.params)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.keycloak.util.reflections)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.apache.http.client)(version>=4.3.6))
       Keycloak Adapter Core
    package:(&(package=org.apache.http)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.apache.http.message)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.keycloak.util)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.apache.http.client.methods)(version>=4.3.6))
       Keycloak Adapter Core
package:(&(package=org.keycloak.enums)(version>=1.3.1.Final))
       Keycloak Adapter Core
package:(&(package=org.apache.http.impl.client)(version>=4.3.6))
       Keycloak Adapter Core





From juandiego83 at gmail.com  Tue Jun 23 14:06:12 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Tue, 23 Jun 2015 13:06:12 -0500
Subject: [keycloak-user] what to do after storing the token with javascript
Message-ID: <CAJGEj6dgSsYyarUwgdRfcZ8bRZ7c7-_ZBm7yV-RR4y=mg0LYUw@mail.gmail.com>

Hi,

After my user logs I am saving the token to a localstorage. I am using
angularjs by the way.

So if my user refreshes the page they still have the session.  As far as I
can tell when you refresh the page, most of the info of the object keycloak
is null, except for the realm and all the stuff you  get form
keycloak.json.  Like if you have never logged.

So I stored the token in my localStorage.

I am thinking 3 options basically.

1)
Setting keycloak.token = localStorage.get("token"), and I was trying to
look for a function in that object to retrieve all the other data, but I
couldnt find any on the documentation and looking at my
console.log(keycloak)

2)
Storing the whole object keycloak in localstorage, the problem with this is
that it will only store the properties and obviously not the functions, so
I was thinking that I should manually set all the properties like this

clientId = localStorageService.get('keycloak').clientId;
idToken = localStorageService.get('keycloak').idToken;
idTokenParsed = localStorageService.get('keycloak').idTokenParsed;
realmAccess =  localStorageService.get('keycloak').realmAccess;

3) Just check everything against the localstorage instead.

But I wont be able to use the functions from the object keyclaok, like
updateToken.

I am kind of new to angular, as you can see too.

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150623/337913b7/attachment.html 

From ssilvert at redhat.com  Tue Jun 23 15:47:31 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 23 Jun 2015 15:47:31 -0400
Subject: [keycloak-user] Trouble running Fuse demo with 3.1.1.Final
In-Reply-To: <558993D1.8040305@redhat.com>
References: <558993D1.8040305@redhat.com>
Message-ID: <5589B7D3.3010905@redhat.com>

BTW, I went back and verified that everything works fine with Keycloak 
1.2.0.Beta1.

On 6/23/2015 1:13 PM, Stan Silvert wrote:
> I'm trying to run the Fuse demo at
> https://github.com/keycloak/keycloak/tree/master/examples/fuse
>
> I'm using Fuse 6.1.0.redhat-379 and Keycloak 3.1.1.Final. Everything
> goes fine until I try to install keycloak-fuse-example. Then I get:
>
> JBossFuse:karaf at root> features:install keycloak-fuse-example
> Error executing command: Can not resolve feature:
> Unsatisfied requirement(s):
> ---------------------------
> package:(&(package=org.apache.http.client.entity)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.conn.ssl)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.representations.idm)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.jose.jws)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.jose.jws.crypto)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.impl.conn)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.conn.scheme)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.representations.adapters.action)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.impl.conn.tsccm)(version>=4.3.6))
>         Keycloak Adapter Core
>      package:(&(package=org.keycloak)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.cookie)(version>=4.3.6))
>         Keycloak Adapter Core
>      package:(&(package=org.apache.http.conn)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.representations)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.representations.adapters.config)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.params)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.util.reflections)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.client)(version>=4.3.6))
>         Keycloak Adapter Core
>      package:(&(package=org.apache.http)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.message)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.util)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.client.methods)(version>=4.3.6))
>         Keycloak Adapter Core
> package:(&(package=org.keycloak.enums)(version>=1.3.1.Final))
>         Keycloak Adapter Core
> package:(&(package=org.apache.http.impl.client)(version>=4.3.6))
>         Keycloak Adapter Core
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From mposolda at redhat.com  Tue Jun 23 16:10:42 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 23 Jun 2015 22:10:42 +0200
Subject: [keycloak-user] Trouble running Fuse demo with 3.1.1.Final
In-Reply-To: <5589B7D3.3010905@redhat.com>
References: <558993D1.8040305@redhat.com> <5589B7D3.3010905@redhat.com>
Message-ID: <5589BD42.2040607@redhat.com>

Looks like a bug... Unfortunately I did not test Fuse demo with latest 
1.3.1.Final :-(

I will take a look tomorrow.

Marek

On 23/06/15 21:47, Stan Silvert wrote:
> BTW, I went back and verified that everything works fine with Keycloak 
> 1.2.0.Beta1.
>
> On 6/23/2015 1:13 PM, Stan Silvert wrote:
>> I'm trying to run the Fuse demo at
>> https://github.com/keycloak/keycloak/tree/master/examples/fuse
>>
>> I'm using Fuse 6.1.0.redhat-379 and Keycloak 3.1.1.Final. Everything
>> goes fine until I try to install keycloak-fuse-example. Then I get:
>>
>> JBossFuse:karaf at root> features:install keycloak-fuse-example
>> Error executing command: Can not resolve feature:
>> Unsatisfied requirement(s):
>> ---------------------------
>> package:(&(package=org.apache.http.client.entity)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.conn.ssl)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.representations.idm)(version>=1.3.1.Final)) 
>>
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.jose.jws)(version>=1.3.1.Final))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.jose.jws.crypto)(version>=1.3.1.Final))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.impl.conn)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.conn.scheme)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.representations.adapters.action)(version>=1.3.1.Final)) 
>>
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.impl.conn.tsccm)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak)(version>=1.3.1.Final))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.cookie)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.conn)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.representations)(version>=1.3.1.Final))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.representations.adapters.config)(version>=1.3.1.Final)) 
>>
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.params)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.util.reflections)(version>=1.3.1.Final))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.client)(version>=4.3.6))
>>         Keycloak Adapter Core
>>      package:(&(package=org.apache.http)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.message)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.util)(version>=1.3.1.Final))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.client.methods)(version>=4.3.6))
>>         Keycloak Adapter Core
>> package:(&(package=org.keycloak.enums)(version>=1.3.1.Final))
>>         Keycloak Adapter Core
>> package:(&(package=org.apache.http.impl.client)(version>=4.3.6))
>>         Keycloak Adapter Core
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


From mposolda at redhat.com  Wed Jun 24 03:35:50 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Jun 2015 09:35:50 +0200
Subject: [keycloak-user] what to do after storing the token with
	javascript
In-Reply-To: <CAJGEj6dgSsYyarUwgdRfcZ8bRZ7c7-_ZBm7yV-RR4y=mg0LYUw@mail.gmail.com>
References: <CAJGEj6dgSsYyarUwgdRfcZ8bRZ7c7-_ZBm7yV-RR4y=mg0LYUw@mail.gmail.com>
Message-ID: <558A5DD6.90805@redhat.com>

You have option to pass the tokens from local storage to the 'init' 
method of keycloak object. For example you can use something like:

keycloak.init({
   token: 'yourAccessToken',
   refreshToken: 'yourRefreshToken',
   idToken: 'yourIdToken'
});

Another option is to not store anything in localStorage, but instead 
after refresh the page re-authenticate the user again. User won't need 
to login again and provide username/password, because he should be 
logged automatically due to SSO (unless session is expired). This is 
what our admin console and examples are doing. Feel free to check them, 
especially angular example: 
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app

Marek

On 23.6.2015 20:06, Juan Diego wrote:
> Hi,
>
> After my user logs I am saving the token to a localstorage. I am using 
> angularjs by the way.
>
> So if my user refreshes the page they still have the session.  As far 
> as I can tell when you refresh the page, most of the info of the 
> object keycloak is null, except for the realm and all the stuff you  
> get form keycloak.json.  Like if you have never logged.
>
> So I stored the token in my localStorage.
>
> I am thinking 3 options basically.
>
> 1)
> Setting keycloak.token = localStorage.get("token"), and I was trying 
> to look for a function in that object to retrieve all the other data, 
> but I couldnt find any on the documentation and looking at my 
> console.log(keycloak)
>
> 2)
> Storing the whole object keycloak in localstorage, the problem with 
> this is that it will only store the properties and obviously not the 
> functions, so I was thinking that I should manually set all the 
> properties like this
>
> clientId= localStorageService.get('keycloak').clientId;
> idToken= localStorageService.get('keycloak').idToken;
> idTokenParsed= localStorageService.get('keycloak').idTokenParsed;
> realmAccess=  localStorageService.get('keycloak').realmAccess;
>
> 3) Just check everything against the localstorage instead.
> But I wont be able to use the functions from the object keyclaok, like updateToken.
>
> I am kind of new to angular, as you can see too.
>
> Thanks,
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/592e5949/attachment.html 

From mposolda at redhat.com  Wed Jun 24 03:41:17 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Jun 2015 09:41:17 +0200
Subject: [keycloak-user] passing tokens to a servlet with cors
In-Reply-To: <CAJGEj6c-H-rUg_8YwyUGoxb_-piwcrDhvWA3EjqtVJAuCkmrRg@mail.gmail.com>
References: <CAJGEj6c-H-rUg_8YwyUGoxb_-piwcrDhvWA3EjqtVJAuCkmrRg@mail.gmail.com>
Message-ID: <558A5F1D.9000904@redhat.com>

You may need to configure web origins in the configuration of your 
client in Keycloak admin console. For example if your javascript 
application is running on "http://myserver.org:8080/myapp" you need to 
add origin like "http://myserver.org:8080" . See docs for the details: 
http://keycloak.github.io/docs/userguide/html/cors.html

Marek

On 19.6.2015 20:31, Juan Diego wrote:
> Hi
>
> I have an upload servlet 
> https://gist.github.com/jdc18/c6c8689e269e655581cb, I tested before 
> without keycloak and it worked.  But when I activate keycloak I get " 
> No 'Access-Control-Allow-Origin' header is present on the requested 
> resource.", my rest services do work with CORS.  I have my page with 
> angular and my backend with java.
>
> My backend is similar to the database service example.
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/0d0e3303/attachment.html 

From Carsten.Saathoff at kisters.de  Wed Jun 24 03:43:59 2015
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Wed, 24 Jun 2015 09:43:59 +0200
Subject: [keycloak-user] Refresh token - should it expire?
In-Reply-To: <1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>
References: <55894807.9030507@kroehling.de>
	<1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>
Message-ID: <OF40FCA263.F4DB6613-ONC1257E6E.00275C1F-C1257E6E.002A7A9F@kisters.de>

Hi,

keycloak-user-bounces at lists.jboss.org wrote on 23/06/2015 16:50:57:

> Refresh tokens should expire, but we will be adding offline tokens 
> at some point which won't expire until revoked by the user or admin.

do you have any idea how this feature will look like? I'm asking because I 
will need to cover a use case in the near future, where offline processes 
(e.g. periodic exports) need to access services on behalf of a user. In 
other words, they need to access data with the roles of the user who 
created the process initially, and as the roles are encoded in the token 
they actually need to get hold of an access token for that user. Refresh 
token were our first idea, but our concern was that we needed the user to 
be involved in issuing the refresh token, as the service that executes the 
offline processes is not the service the user authenticates with. We use 
an api-gateway between the backend services and the UI. But we don't want 
to expose such details about the involved microservices to the user. And 
as I learned from this thread, the refresh tokens will also expire, which 
is also not an option for us. Those processes also need to run when the 
user is in vacation for 3 weeks.

I have the feeling that offline tokens would be what we actually need in 
our use case. But I think it would be important for some use cases to 
allow for issuing of those tokens without user intervention. I think of 
having an API that allows a client to request an offline token on behalf 
of a user (e.g. by providing a valid access token). Obviously, clients 
would need to be enabled explicitly for using such API.

I understand that in typical OAuth flows you want the user to be involved 
in such processes, but in an enterprise setting and with a microservices 
architecture I would prefer to not bother the user with having to 
authorize backend services that he shouldn't even know of.

I would really be interested in how other people solve such scenarios (or 
if they do it at all) and what you think of such an API.

Thanks and best regards

Carsten
--------------------------------------------------------------------------------------------------------------------------------------------
 Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
Handelsregister Aachen, HRB-Nr. 7838 | Vorstand: Klaus Kisters, Hanns Kisters | Aufsichtsratsvorsitzender: Dr. Thomas Klevers
Phone: +49 441 93602 -257 | Fax: +49 441 93602 -222 | E-Mail: Carsten.Saathoff at kisters.de | WWW: http://www.kisters.de
--------------------------------------------------------------------------------------------------------------------------------------------
Diese E-Mail enth?lt vertrauliche und/oder rechtlich gesch?tzte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. 
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/a2cd6643/attachment-0001.html 

From mposolda at redhat.com  Wed Jun 24 03:53:26 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Jun 2015 09:53:26 +0200
Subject: [keycloak-user] Error during "Synchronize all users" from an
 LDAP Server
In-Reply-To: <D1AE1E5F.1A67A%giovanni.baruzzi@syntlogo.de>
References: <D1ACCA06.1A5EC%giovanni.baruzzi@syntlogo.de>
	<D1AE1E5F.1A67A%giovanni.baruzzi@syntlogo.de>
Message-ID: <558A61F6.5020806@redhat.com>

Hi Giovanni,

this is bug similar to already reported here 
https://issues.jboss.org/browse/KEYCLOAK-1487, I will need to take a 
look at it.

Marek

On 22.6.2015 20:20, Giovanni Baruzzi wrote:
> Dear Friends,
>
> I got the following exception trying to ?synchronize all users? from a 
> LDAP Server. The dialog user is ?Settings->User Federation->Settings.
>
> Please find the details about the LDAP Server further below after the 
> Java LOG.
>
> Thank for your attention,
>
> Giovanni
>
> =====================
>
> 20:23:38,119 ERROR [io.undertow.request] (default task-9) UT005023: 
> Exception handling request to 
> /auth/admin/realms/demo/user-federation/instances/6f4de879-f4b7-4d74-9141-46044c4b9e09/sync: 
> java.lang.RuntimeException: request path: 
> /auth/admin/realms/demo/user-fede 
> ration/instances/6f4de879-f4b7-4d74-9141-46044c4b9e09/sync
>
>         at 
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
>
>         at 
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>
>         at 
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>
>         at 
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>
>         at 
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>
>         at 
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler. 
> java:78)
>
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>
>         at 
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java 
> :131)
>
>         at 
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java 
> :57)
>
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>
>         at 
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>
>         at 
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstrai 
> ntHandler.java:64)
>
>         at 
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>
>         at 
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.ja 
>                                                      va:72)
>
>         at 
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>
>         at 
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>
>         at 
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>
>         at 
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
>
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
>
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>
>         at 
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>
>         at 
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>
>         at 
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>
>         at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>
>         at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>
>         at java.lang.Thread.run(Thread.java:745)
>
> Caused by: org.jboss.resteasy.spi.UnhandledException: 
> java.lang.IllegalStateException: Expected String but attribute was 
> [adub, sdub] of type java.util.TreeSet
>
>         at 
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>
>         at 
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
>
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
>
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>
>         at 
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>
>         at 
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>
>         at 
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>
>         at 
> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>
>         at 
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>
>         at 
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>
>         at 
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>
>         ... 29 more
>
> Caused by: java.lang.IllegalStateException: Expected String but 
> attribute was [adub, sdub] of type java.util.TreeSet
>
>         at 
> org.keycloak.federation.ldap.idm.model.LDAPObject.getAttributeAsString(LDAPObject.java:79)
>
>         at 
> org.keycloak.federation.ldap.LDAPUtils.getUsername(LDAPUtils.java:76)
>
>         at 
> org.keycloak.federation.ldap.LDAPFederationProvider.importLDAPUsers(LDAPFederationProvider.java:390)
>
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.importLdapUsers(LDAPFederationProviderFactory.java:269)
>
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory$1.run(LDAPFederationProviderFactory.java:223)
>
>         at 
> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:241)
>
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncImpl(LDAPFederationProviderFactory.java:219)
>
>         at 
> org.keycloak.federation.ldap.LDAPFederationProviderFactory.syncAllUsers(LDAPFederationProviderFactory.java:177)
>
>         at 
> org.keycloak.services.managers.UsersSyncManager.syncAllUsers(UsersSyncManager.java:50)
>
>         at 
> org.keycloak.services.resources.admin.UserFederationProviderResource.syncUsers(UserFederationProviderResource.java:144)
>
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
>         at java.lang.reflect.Method.invoke(Method.java:606)
>
>         at 
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>
>         at 
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>
>         at 
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>
>         at 
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>
>         ... 40 more
>
> The LDAP Server is a port389 (nearly identical to RedHat) this is an 
> excerpt of the LDIF of the people container
>
> (all test data, not real people)
>
> dn: ou=People, dc=syntlogo,dc=de
>
> objectClass: top
>
> objectClass: organizationalunit
>
> ou: People
>
> dn: uid=cros, ou=People, dc=syntlogo,dc=de
>
> cn: Carlo Rossi
>
> sn: Rossi
>
> givenName: Carlo
>
> objectClass: top
>
> objectClass: person
>
> objectClass: organizationalPerson
>
> objectClass: inetOrgPerson
>
> ou: Accounting
>
> ou: People
>
> l: Milano
>
> uid: cros
>
> mail:carlo.rossi at mycompany.com <mailto:carlo.rossi at mycompany.com>
>
> telephoneNumber: +39-02-2267-4798
>
> facsimileTelephoneNumber: +39-02-2267-9751
>
> roomNumber: 4612
>
> userPassword: {SSHA}dvuiZA9vGMEqopNlIJ2qwxf0igE1fmJVLB8MRw==
>
> dn: uid=gste, ou=People, dc=syntlogo,dc=de
>
> cn: Gudrun Steinle
>
> sn: Steinle
>
> givenName: Gudrun
>
> objectClass: top
>
> objectClass: person
>
> objectClass: organizationalPerson
>
> objectClass: inetOrgPerson
>
> ou: Accounting
>
> ou: People
>
> l: Stuttgart
>
> uid: gste
>
> mail:gudrun.steinle at mycompany.com <mailto:gudrun.steinle at mycompany.com>
>
> telephoneNumber: +49-711-2359-9187
>
> facsimileTelephoneNumber: +49-711-2359-8473
>
> roomNumber: 4117
>
> userPassword: {SSHA}wc8v0cdM3GNzzQZ9EkfH5EdUBUMqVtMCDlTXFQ==
>
> dn: uid=abia, ou=People, dc=syntlogo,dc=de
>
> cn: Antonio Bianchi
>
> sn: Bianchi
>
> givenName: Antonio
>
> objectClass: top
>
> objectClass: person
>
> objectClass: organizationalPerson
>
> objectClass: inetOrgPerson
>
> ou: Human Resources
>
> ou: People
>
> l: Milano
>
> uid: abia
>
> mail:antonio.bianchi at mycompany.com <mailto:antonio.bianchi at mycompany.com>
>
> telephoneNumber: +39-02-2267- 5625
>
> facsimileTelephoneNumber: +39-02-2267- 3372
>
> roomNumber: 2871
>
> userPassword: {SSHA}+b2IRLQ2tPT5xLSiYAnM4vuUrY7FMac/NwGXFQ==
>
> and in the log of the LDAP server is the following to see:
>
> [18/May/2015:14:32:26 +0200] conn=168 fd=64 slot=64 connection from 
> 10.1.0.90 to 10.1.0.93
>
> [18/May/2015:14:32:26 +0200] conn=169 fd=65 slot=65 connection from 
> 10.1.0.90 to 10.1.0.93
>
> [18/May/2015:14:32:26 +0200] conn=169 op=0 BIND dn="cn=directory 
> manager" method=128 version=3
>
> [18/May/2015:14:32:26 +0200] conn=169 op=0 RESULT err=0 tag=97 
> nentries=0 etime=0 dn="cn=directory manager"
>
> [18/May/2015:14:32:26 +0200] conn=169 op=1 SRCH 
> base="ou=people,dc=syntlogo,dc=local" scope=1 
> filter="(&(objectClass=organizationalPerson)(objectClass=inetOrgPerson))" 
> attrs="uid nsUniqueId mail createTimestamp sn cn objectClass 
> modifyTimestamp"
>
> [18/May/2015:14:32:26 +0200] conn=169 op=1 RESULT err=0 tag=101 
> nentries=19 etime=0 notes=P
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/7c9ffe4e/attachment-0001.html 

From chamantha at outlook.com  Wed Jun 24 06:28:03 2015
From: chamantha at outlook.com (Chamantha De Silva)
Date: Wed, 24 Jun 2015 16:28:03 +0600
Subject: [keycloak-user] Customizing the register user flow
Message-ID: <BAY168-W1211A5871D5298D418CF59AA9AF0@phx.gbl>

Hi Team,
I have requirement to users to go to registration flow directly instead of going through the login page. Currently user does not go directly to the registration page. I checked for possibilities at configuration changes on admin console level but I didn't get any supporting documents. 

Can I get this requirement fulfilled with a minimal effort ? 
Currently started to research on getting the code it needs to along with the register URL  
1. Is this code an authorization code ?
2. If yes there a document providing those information 

Your kind advice is much appreciated.

Best Regards,
Chamantha 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/9a32afa9/attachment.html 

From sadiqkhoja at gmail.com  Wed Jun 24 07:07:37 2015
From: sadiqkhoja at gmail.com (Sadiq Khoja)
Date: Wed, 24 Jun 2015 16:07:37 +0500
Subject: [keycloak-user] Use Keycloak for CAS based application
Message-ID: <CAK2HbcyjUzPOWVb3OknnyWXjunODwYdZrJJtftA11wbjDCdN_Q@mail.gmail.com>

Hi,

I have a third party application which provides CAS based authentication
for SSO. How can I use Keycloak for authentication of users and access to
that application?

?
Regards,
*??Sadiq Khoja*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/aae73481/attachment.html 

From stian at redhat.com  Wed Jun 24 09:00:18 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Wed, 24 Jun 2015 09:00:18 -0400 (EDT)
Subject: [keycloak-user] Refresh token - should it expire?
In-Reply-To: <OF40FCA263.F4DB6613-ONC1257E6E.00275C1F-C1257E6E.002A7A9F@kisters.de>
References: <55894807.9030507@kroehling.de>
	<1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>
	<OF40FCA263.F4DB6613-ONC1257E6E.00275C1F-C1257E6E.002A7A9F@kisters.de>
Message-ID: <930619577.25055033.1435150818052.JavaMail.zimbra@redhat.com>

We'll be adding service accounts in the near future, that'll provide a way for clients to obtain a token on behalf of themselves. There will be a special linked user to the client. Clients can obtain this through the client credential grant (see oauth2 for more details) and use a secret or pub/priv keypair to authenticate.

For a client to get a token on behalf of a user the user will have to either enter username/pass in a cli and you'd use resource owner credential grant (again see oauth2 for more details) or you'd use the normal redirect based flow.

For the above once we add offline tokens this will only be required as an initial setup as the "refresh token" will not expire until the user goes in and revokes access to the appliction. 

----- Original Message -----
> From: "Carsten Saathoff" <Carsten.Saathoff at kisters.de>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Juraci Paix?o Kr?hling" <juraci at kroehling.de>, keycloak-user at lists.jboss.org
> Sent: Wednesday, 24 June, 2015 3:43:59 AM
> Subject: Re: [keycloak-user] Refresh token - should it expire?
> 
> Hi,
> 
> keycloak-user-bounces at lists.jboss.org wrote on 23/06/2015 16:50:57:
> 
> > Refresh tokens should expire, but we will be adding offline tokens
> > at some point which won't expire until revoked by the user or admin.
> 
> do you have any idea how this feature will look like? I'm asking because I
> will need to cover a use case in the near future, where offline processes
> (e.g. periodic exports) need to access services on behalf of a user. In
> other words, they need to access data with the roles of the user who
> created the process initially, and as the roles are encoded in the token
> they actually need to get hold of an access token for that user. Refresh
> token were our first idea, but our concern was that we needed the user to
> be involved in issuing the refresh token, as the service that executes the
> offline processes is not the service the user authenticates with. We use
> an api-gateway between the backend services and the UI. But we don't want
> to expose such details about the involved microservices to the user. And
> as I learned from this thread, the refresh tokens will also expire, which
> is also not an option for us. Those processes also need to run when the
> user is in vacation for 3 weeks.
> 
> I have the feeling that offline tokens would be what we actually need in
> our use case. But I think it would be important for some use cases to
> allow for issuing of those tokens without user intervention. I think of
> having an API that allows a client to request an offline token on behalf
> of a user (e.g. by providing a valid access token). Obviously, clients
> would need to be enabled explicitly for using such API.
> 
> I understand that in typical OAuth flows you want the user to be involved
> in such processes, but in an enterprise setting and with a microservices
> architecture I would prefer to not bother the user with having to
> authorize backend services that he shouldn't even know of.
> 
> I would really be interested in how other people solve such scenarios (or
> if they do it at all) and what you think of such an API.
> 
> Thanks and best regards
> 
> Carsten
> --------------------------------------------------------------------------------------------------------------------------------------------
>  Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
> Handelsregister Aachen, HRB-Nr. 7838 | Vorstand: Klaus Kisters, Hanns Kisters
> | Aufsichtsratsvorsitzender: Dr. Thomas Klevers
> Phone: +49 441 93602 -257 | Fax: +49 441 93602 -222 | E-Mail:
> Carsten.Saathoff at kisters.de | WWW: http://www.kisters.de
> --------------------------------------------------------------------------------------------------------------------------------------------
> Diese E-Mail enth?lt vertrauliche und/oder rechtlich gesch?tzte
> Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail
> irrt?mlich erhalten haben, informieren Sie bitte sofort den Absender und
> vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte
> Weitergabe dieser Mail ist nicht gestattet.
> This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this e-mail in error)
> please notify the sender immediately and destroy this e-mail. Any
> unauthorised copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden.


From paulojeronimo at gmail.com  Wed Jun 24 09:58:32 2015
From: paulojeronimo at gmail.com (=?UTF-8?Q?Paulo_Jer=C3=B4nimo?=)
Date: Wed, 24 Jun 2015 10:58:32 -0300
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
Message-ID: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>

I'm trying to make Keycloak 1.3.1 works on a customer. My objective, is
install it (in a development environment) with JBoss BPM Suite 6.1 (it runs
with JBoss EAP 6.4). So, I will need to access /auth/admin in the same
server with the context /business-central.

The environment is Windows 8 with Cygwin.

I'm finding errors trying to do this installation, even before install BPM
Suite, on a pure JBoss EAP 6.4 installation.

Here is my procedure and the error:

$ rm -rf jboss-eap-6.4
$ shasum jboss-eap-6.4.0.zip
9ac2979fe92040a039a3a3db8b4ce8d166e2c872 *jboss-eap-6.4.0.zip
$ unzip -q jboss-eap-6.4.0.zip
$ unzip -q -d jboss-eap-6.4 keycloak-overlay-eap6-1.3.1.Final.zip
$ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
--server-config standalone-keycloak.xml
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4

  JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java

  JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
-Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
-XX:+PrintGCDetails -XX:+PrintGC
DateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5
-XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m
-XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
 -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
-Djava.awt.headless=true -Djboss.modules.policy-permissions=true

=========================================================================

10:52:42,978 INFO  [org.jboss.modules] (main) JBoss Modules version
1.3.6.Final-redhat-1
10:52:43,125 INFO  [org.jboss.msc] (main) JBoss MSC version
1.1.5.Final-redhat-1
10:52:43,183 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
10:52:43,584 ERROR [org.jboss.as.server] (Controller Boot Thread)
JBAS015956: Caught exception during boot:
org.jboss.as.controller.persistence.ConfigurationPersistenceException: J
BAS014676: Failed to parse configuration
        at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at org.jboss.as.server.ServerService.boot(ServerService.java:330)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to load
module org.keycloak.keycloak-server-subsystem
        at
org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
[staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
        at
org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
[staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
        at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        ... 3 more
Caused by: java.util.concurrent.ExecutionException:
javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
[rt.jar:1.7.0_75]
        at java.util.concurrent.FutureTask.get(FutureTask.java:188)
[rt.jar:1.7.0_75]
        at
org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        ... 9 more
Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to load
module
        at
org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
[rt.jar:1.7.0_75]
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_75]
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_75]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
        at org.jboss.threads.JBossThread.run(JBossThread.java:122)
[jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
Caused by: org.jboss.modules.ModuleNotFoundException:
org.keycloak.keycloak-server-subsystem:main
        at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
[jboss-modules.jar:1.3.6.Final-redhat-1]
        at
org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        ... 8 more

10:52:43,595 FATAL [org.jboss.as.server] (Controller Boot Thread)
JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
previous messages for details.
11:52:43,604 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950:
JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 3ms


I saw the differences between the standard configuration:

$ vim -d
jboss-eap-6.4/standalone/configuration/standalone{.xml,-keycloak.xml}

And I know the module org.keycloak.keycloak-server-subsystem is present:

$ tree
jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
`-- main
    `-- module.xml

1 directory, 1 file

Maybe I'm missing some detail? I appreciate any help.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/78326dc4/attachment-0001.html 

From kalc04 at gmail.com  Wed Jun 24 09:59:08 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Wed, 24 Jun 2015 19:29:08 +0530
Subject: [keycloak-user] Automatic Social Account Linking
Message-ID: <CAPj1eSxu1048_K2SxcfSd4g6mw_HTYXCPm76PhOCH6tuzDzQXQ@mail.gmail.com>

Hi,

As per the current behavior, linking multiple social accounts is a process
done manually. Is there an option where we can enable automatic social
account linking if the email is the same? Or is it something that has to be
implemented separately?


Regards,
Lohitha.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/9605861e/attachment.html 

From vineet.chaudhary at praxify.com  Wed Jun 24 10:19:05 2015
From: vineet.chaudhary at praxify.com (Vineet Chaudhary)
Date: Wed, 24 Jun 2015 19:49:05 +0530
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
Message-ID: <CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>

Hi,

Please edit
../standalone/deployments/auth-server.war/WEB-INF/jboss-deployment-structure.xml

>From <jboss-deployment-structure>

To    <jboss-deployment-structure
xmlns="urn:jboss:deployment-structure:1.2">

Thanks,
VineetC

On Wed, Jun 24, 2015 at 7:28 PM, Paulo Jer?nimo <paulojeronimo at gmail.com>
wrote:

> I'm trying to make Keycloak 1.3.1 works on a customer. My objective, is
> install it (in a development environment) with JBoss BPM Suite 6.1 (it runs
> with JBoss EAP 6.4). So, I will need to access /auth/admin in the same
> server with the context /business-central.
>
> The environment is Windows 8 with Cygwin.
>
> I'm finding errors trying to do this installation, even before install BPM
> Suite, on a pure JBoss EAP 6.4 installation.
>
> Here is my procedure and the error:
>
> $ rm -rf jboss-eap-6.4
> $ shasum jboss-eap-6.4.0.zip
> 9ac2979fe92040a039a3a3db8b4ce8d166e2c872 *jboss-eap-6.4.0.zip
> $ unzip -q jboss-eap-6.4.0.zip
> $ unzip -q -d jboss-eap-6.4 keycloak-overlay-eap6-1.3.1.Final.zip
> $ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
> --server-config standalone-keycloak.xml
> =========================================================================
>
>   JBoss Bootstrap Environment
>
>   JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4
>
>   JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java
>
>   JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
> -Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
> -XX:+PrintGCDetails -XX:+PrintGC
> DateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5
> -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m
> -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
>  -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
> -Djava.awt.headless=true -Djboss.modules.policy-permissions=true
>
> =========================================================================
>
> 10:52:42,978 INFO  [org.jboss.modules] (main) JBoss Modules version
> 1.3.6.Final-redhat-1
> 10:52:43,125 INFO  [org.jboss.msc] (main) JBoss MSC version
> 1.1.5.Final-redhat-1
> 10:52:43,183 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
> 10:52:43,584 ERROR [org.jboss.as.server] (Controller Boot Thread)
> JBAS015956: Caught exception during boot:
> org.jboss.as.controller.persistence.ConfigurationPersistenceException: J
> BAS014676: Failed to parse configuration
>         at
> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at org.jboss.as.server.ServerService.boot(ServerService.java:330)
> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to load
> module org.keycloak.keycloak-server-subsystem
>         at
> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>         at
> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>         at
> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         ... 3 more
> Caused by: java.util.concurrent.ExecutionException:
> javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
> [rt.jar:1.7.0_75]
>         at java.util.concurrent.FutureTask.get(FutureTask.java:188)
> [rt.jar:1.7.0_75]
>         at
> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         ... 9 more
> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to load
> module
>         at
> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at
> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> [rt.jar:1.7.0_75]
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_75]
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_75]
>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>         at org.jboss.threads.JBossThread.run(JBossThread.java:122)
> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
> Caused by: org.jboss.modules.ModuleNotFoundException:
> org.keycloak.keycloak-server-subsystem:main
>         at
> org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
> [jboss-modules.jar:1.3.6.Final-redhat-1]
>         at
> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>         ... 8 more
>
> 10:52:43,595 FATAL [org.jboss.as.server] (Controller Boot Thread)
> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
> previous messages for details.
> 11:52:43,604 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950:
> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 3ms
>
>
> I saw the differences between the standard configuration:
>
> $ vim -d
> jboss-eap-6.4/standalone/configuration/standalone{.xml,-keycloak.xml}
>
> And I know the module org.keycloak.keycloak-server-subsystem is present:
>
> $ tree
> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
>
> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
> `-- main
>     `-- module.xml
>
> 1 directory, 1 file
>
> Maybe I'm missing some detail? I appreciate any help.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/a2702384/attachment.html 

From paulojeronimo at gmail.com  Wed Jun 24 10:27:10 2015
From: paulojeronimo at gmail.com (=?UTF-8?Q?Paulo_Jer=C3=B4nimo?=)
Date: Wed, 24 Jun 2015 11:27:10 -0300
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
	<CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
Message-ID: <CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>

Vineet,

There?s no auth-server.war in jboss-eap-6.4 when I extract
keycloak-eap6-adapter-dist-1.3.1.Final.zip on it.

I also tried to find it on the zip:

$ unzip -t keycloak-eap6-adapter-dist-1.3.1.Final.zip | grep auth
    testing:
modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/   OK
    testing:
modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/
OK
    testing:
modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/module.xml
OK
    testing:
modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/keycloak-servlet-oauth-client-1.3.1.Final.jar
OK

Maybe I'm doing something wrong?


2015-06-24 11:19 GMT-03:00 Vineet Chaudhary <vineet.chaudhary at praxify.com>:

> Hi,
>
> Please edit
>
> ../standalone/deployments/auth-server.war/WEB-INF/jboss-deployment-structure.xml
>
> From <jboss-deployment-structure>
>
> To    <jboss-deployment-structure
> xmlns="urn:jboss:deployment-structure:1.2">
>
> Thanks,
> VineetC
>
> On Wed, Jun 24, 2015 at 7:28 PM, Paulo Jer?nimo <paulojeronimo at gmail.com>
> wrote:
>
>> I'm trying to make Keycloak 1.3.1 works on a customer. My objective, is
>> install it (in a development environment) with JBoss BPM Suite 6.1 (it runs
>> with JBoss EAP 6.4). So, I will need to access /auth/admin in the same
>> server with the context /business-central.
>>
>> The environment is Windows 8 with Cygwin.
>>
>> I'm finding errors trying to do this installation, even before install
>> BPM Suite, on a pure JBoss EAP 6.4 installation.
>>
>> Here is my procedure and the error:
>>
>> $ rm -rf jboss-eap-6.4
>> $ shasum jboss-eap-6.4.0.zip
>> 9ac2979fe92040a039a3a3db8b4ce8d166e2c872 *jboss-eap-6.4.0.zip
>> $ unzip -q jboss-eap-6.4.0.zip
>> $ unzip -q -d jboss-eap-6.4 keycloak-overlay-eap6-1.3.1.Final.zip
>> $ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
>> --server-config standalone-keycloak.xml
>> =========================================================================
>>
>>   JBoss Bootstrap Environment
>>
>>   JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4
>>
>>   JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java
>>
>>   JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
>> -Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
>> -XX:+PrintGCDetails -XX:+PrintGC
>> DateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5
>> -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m
>> -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
>>  -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
>> -Djava.awt.headless=true -Djboss.modules.policy-permissions=true
>>
>> =========================================================================
>>
>> 10:52:42,978 INFO  [org.jboss.modules] (main) JBoss Modules version
>> 1.3.6.Final-redhat-1
>> 10:52:43,125 INFO  [org.jboss.msc] (main) JBoss MSC version
>> 1.1.5.Final-redhat-1
>> 10:52:43,183 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
>> 10:52:43,584 ERROR [org.jboss.as.server] (Controller Boot Thread)
>> JBAS015956: Caught exception during boot:
>> org.jboss.as.controller.persistence.ConfigurationPersistenceException: J
>> BAS014676: Failed to parse configuration
>>         at
>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at org.jboss.as.server.ServerService.boot(ServerService.java:330)
>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>> load module org.keycloak.keycloak-server-subsystem
>>         at
>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>         at
>> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>         at
>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         ... 3 more
>> Caused by: java.util.concurrent.ExecutionException:
>> javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
>>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>> [rt.jar:1.7.0_75]
>>         at java.util.concurrent.FutureTask.get(FutureTask.java:188)
>> [rt.jar:1.7.0_75]
>>         at
>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         ... 9 more
>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>> load module
>>         at
>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at
>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>> [rt.jar:1.7.0_75]
>>         at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> [rt.jar:1.7.0_75]
>>         at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> [rt.jar:1.7.0_75]
>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>         at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
>> Caused by: org.jboss.modules.ModuleNotFoundException:
>> org.keycloak.keycloak-server-subsystem:main
>>         at
>> org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
>> [jboss-modules.jar:1.3.6.Final-redhat-1]
>>         at
>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>         ... 8 more
>>
>> 10:52:43,595 FATAL [org.jboss.as.server] (Controller Boot Thread)
>> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
>> previous messages for details.
>> 11:52:43,604 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950:
>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 3ms
>>
>>
>> I saw the differences between the standard configuration:
>>
>> $ vim -d
>> jboss-eap-6.4/standalone/configuration/standalone{.xml,-keycloak.xml}
>>
>> And I know the module org.keycloak.keycloak-server-subsystem is present:
>>
>> $ tree
>> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
>>
>> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
>> `-- main
>>     `-- module.xml
>>
>> 1 directory, 1 file
>>
>> Maybe I'm missing some detail? I appreciate any help.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


-- 
Att,
Paulo Jer?nimo

Fone: (61) 9504-6178
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/951616e6/attachment-0001.html 

From juandiego83 at gmail.com  Wed Jun 24 10:37:06 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Wed, 24 Jun 2015 09:37:06 -0500
Subject: [keycloak-user] passing tokens to a servlet with cors
In-Reply-To: <558A5F1D.9000904@redhat.com>
References: <CAJGEj6c-H-rUg_8YwyUGoxb_-piwcrDhvWA3EjqtVJAuCkmrRg@mail.gmail.com>
	<558A5F1D.9000904@redhat.com>
Message-ID: <CAJGEj6eQzK=zdh6f0Z7M3Ute1q6MURj6B7gFaS+ifhzUpNr-oA@mail.gmail.com>

Thanks, Marek,  apparently is not something Keycloak related, ng-flow
doesnt use $http to upload the file so I have to add the headers manually
into keycloak.

On Wed, Jun 24, 2015 at 2:41 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  You may need to configure web origins in the configuration of your
> client in Keycloak admin console. For example if your javascript
> application is running on "http://myserver.org:8080/myapp"
> <http://myserver.org:8080/myapp> you need to add origin like
> "http://myserver.org:8080" <http://myserver.org:8080> . See docs for the
> details: http://keycloak.github.io/docs/userguide/html/cors.html
>
> Marek
>
>
> On 19.6.2015 20:31, Juan Diego wrote:
>
>   Hi
>
>  I have an upload servlet
> https://gist.github.com/jdc18/c6c8689e269e655581cb, I tested before
> without keycloak and it worked.  But when I activate keycloak I get " No
> 'Access-Control-Allow-Origin' header is present on the requested
> resource.", my rest services do work with CORS.  I have my page with
> angular and my backend with java.
>
>  My backend is similar to the database service example.
>
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/4c4e3c8d/attachment.html 

From juandiego83 at gmail.com  Wed Jun 24 10:37:26 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Wed, 24 Jun 2015 09:37:26 -0500
Subject: [keycloak-user] passing tokens to a servlet with cors
In-Reply-To: <CAJGEj6eQzK=zdh6f0Z7M3Ute1q6MURj6B7gFaS+ifhzUpNr-oA@mail.gmail.com>
References: <CAJGEj6c-H-rUg_8YwyUGoxb_-piwcrDhvWA3EjqtVJAuCkmrRg@mail.gmail.com>
	<558A5F1D.9000904@redhat.com>
	<CAJGEj6eQzK=zdh6f0Z7M3Ute1q6MURj6B7gFaS+ifhzUpNr-oA@mail.gmail.com>
Message-ID: <CAJGEj6f1kvHvCR6PLCvVDWZEX-1rkhKUfFj1kH87NGBGdUr6Kg@mail.gmail.com>

I mean ng-flow

On Wed, Jun 24, 2015 at 9:37 AM, Juan Diego <juandiego83 at gmail.com> wrote:

> Thanks, Marek,  apparently is not something Keycloak related, ng-flow
> doesnt use $http to upload the file so I have to add the headers manually
> into keycloak.
>
> On Wed, Jun 24, 2015 at 2:41 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>>  You may need to configure web origins in the configuration of your
>> client in Keycloak admin console. For example if your javascript
>> application is running on "http://myserver.org:8080/myapp"
>> <http://myserver.org:8080/myapp> you need to add origin like
>> "http://myserver.org:8080" <http://myserver.org:8080> . See docs for the
>> details: http://keycloak.github.io/docs/userguide/html/cors.html
>>
>> Marek
>>
>>
>> On 19.6.2015 20:31, Juan Diego wrote:
>>
>>   Hi
>>
>>  I have an upload servlet
>> https://gist.github.com/jdc18/c6c8689e269e655581cb, I tested before
>> without keycloak and it worked.  But when I activate keycloak I get " No
>> 'Access-Control-Allow-Origin' header is present on the requested
>> resource.", my rest services do work with CORS.  I have my page with
>> angular and my backend with java.
>>
>>  My backend is similar to the database service example.
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/f4622244/attachment.html 

From mposolda at redhat.com  Wed Jun 24 10:43:35 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Jun 2015 16:43:35 +0200
Subject: [keycloak-user] Trouble running Fuse demo with 3.1.1.Final
In-Reply-To: <5589BD42.2040607@redhat.com>
References: <558993D1.8040305@redhat.com> <5589B7D3.3010905@redhat.com>
	<5589BD42.2040607@redhat.com>
Message-ID: <558AC217.3000806@redhat.com>

Should be fixed now in latest master.

Btv. from yesterday there is JBoss Fuse 6.2 available already for 
download and it should work fine as well.

Marek

On 23.6.2015 22:10, Marek Posolda wrote:
> Looks like a bug... Unfortunately I did not test Fuse demo with latest 
> 1.3.1.Final :-(
>
> I will take a look tomorrow.
>
> Marek
>
> On 23/06/15 21:47, Stan Silvert wrote:
>> BTW, I went back and verified that everything works fine with 
>> Keycloak 1.2.0.Beta1.
>>
>> On 6/23/2015 1:13 PM, Stan Silvert wrote:
>>> I'm trying to run the Fuse demo at
>>> https://github.com/keycloak/keycloak/tree/master/examples/fuse
>>>
>>> I'm using Fuse 6.1.0.redhat-379 and Keycloak 3.1.1.Final. Everything
>>> goes fine until I try to install keycloak-fuse-example. Then I get:
>>>
>>> JBossFuse:karaf at root> features:install keycloak-fuse-example
>>> Error executing command: Can not resolve feature:
>>> Unsatisfied requirement(s):
>>> ---------------------------
>>> package:(&(package=org.apache.http.client.entity)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.conn.ssl)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.representations.idm)(version>=1.3.1.Final)) 
>>>
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.jose.jws)(version>=1.3.1.Final))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.jose.jws.crypto)(version>=1.3.1.Final))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.impl.conn)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.conn.scheme)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.representations.adapters.action)(version>=1.3.1.Final)) 
>>>
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.impl.conn.tsccm)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak)(version>=1.3.1.Final))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.cookie)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.conn)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.representations)(version>=1.3.1.Final))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.representations.adapters.config)(version>=1.3.1.Final)) 
>>>
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.params)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.util.reflections)(version>=1.3.1.Final)) 
>>>
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.client)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.message)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.util)(version>=1.3.1.Final))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.client.methods)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.keycloak.enums)(version>=1.3.1.Final))
>>>         Keycloak Adapter Core
>>> package:(&(package=org.apache.http.impl.client)(version>=4.3.6))
>>>         Keycloak Adapter Core
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>


From vineet.chaudhary at praxify.com  Wed Jun 24 10:44:54 2015
From: vineet.chaudhary at praxify.com (Vineet Chaudhary)
Date: Wed, 24 Jun 2015 20:14:54 +0530
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
	<CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
	<CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>
Message-ID: <CAMwTEoaaRUk9nAbgu43AntUmjDOcFmtjGHa-AOei7Gscowgokg@mail.gmail.com>

Ohh Sorry I missed you are using adapter-dist

Can you find *auth-server.war* in path
modules/system/layers/base/org/keycloak/keycloak-server/main/

If you find it there edit WEB-INF/jboss-deployment-structure.xml from that
war

Hope this helps.


On Wed, Jun 24, 2015 at 7:57 PM, Paulo Jer?nimo <paulojeronimo at gmail.com>
wrote:

> Vineet,
>
> There?s no auth-server.war in jboss-eap-6.4 when I extract
> keycloak-eap6-adapter-dist-1.3.1.Final.zip on it.
>
> I also tried to find it on the zip:
>
> $ unzip -t keycloak-eap6-adapter-dist-1.3.1.Final.zip | grep auth
>     testing:
> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/   OK
>     testing:
> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/
> OK
>     testing:
> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/module.xml
> OK
>     testing:
> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/keycloak-servlet-oauth-client-1.3.1.Final.jar
> OK
>
> Maybe I'm doing something wrong?
>
>
> 2015-06-24 11:19 GMT-03:00 Vineet Chaudhary <vineet.chaudhary at praxify.com>
> :
>
>> Hi,
>>
>> Please edit
>>
>> ../standalone/deployments/auth-server.war/WEB-INF/jboss-deployment-structure.xml
>>
>> From <jboss-deployment-structure>
>>
>> To    <jboss-deployment-structure
>> xmlns="urn:jboss:deployment-structure:1.2">
>>
>> Thanks,
>> VineetC
>>
>> On Wed, Jun 24, 2015 at 7:28 PM, Paulo Jer?nimo <paulojeronimo at gmail.com>
>> wrote:
>>
>>> I'm trying to make Keycloak 1.3.1 works on a customer. My objective, is
>>> install it (in a development environment) with JBoss BPM Suite 6.1 (it runs
>>> with JBoss EAP 6.4). So, I will need to access /auth/admin in the same
>>> server with the context /business-central.
>>>
>>> The environment is Windows 8 with Cygwin.
>>>
>>> I'm finding errors trying to do this installation, even before install
>>> BPM Suite, on a pure JBoss EAP 6.4 installation.
>>>
>>> Here is my procedure and the error:
>>>
>>> $ rm -rf jboss-eap-6.4
>>> $ shasum jboss-eap-6.4.0.zip
>>> 9ac2979fe92040a039a3a3db8b4ce8d166e2c872 *jboss-eap-6.4.0.zip
>>> $ unzip -q jboss-eap-6.4.0.zip
>>> $ unzip -q -d jboss-eap-6.4 keycloak-overlay-eap6-1.3.1.Final.zip
>>> $ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
>>> --server-config standalone-keycloak.xml
>>> =========================================================================
>>>
>>>   JBoss Bootstrap Environment
>>>
>>>   JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4
>>>
>>>   JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java
>>>
>>>   JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
>>> -Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
>>> -XX:+PrintGCDetails -XX:+PrintGC
>>> DateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5
>>> -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m
>>> -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
>>>  -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
>>> -Djava.awt.headless=true -Djboss.modules.policy-permissions=true
>>>
>>> =========================================================================
>>>
>>> 10:52:42,978 INFO  [org.jboss.modules] (main) JBoss Modules version
>>> 1.3.6.Final-redhat-1
>>> 10:52:43,125 INFO  [org.jboss.msc] (main) JBoss MSC version
>>> 1.1.5.Final-redhat-1
>>> 10:52:43,183 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
>>> 10:52:43,584 ERROR [org.jboss.as.server] (Controller Boot Thread)
>>> JBAS015956: Caught exception during boot:
>>> org.jboss.as.controller.persistence.ConfigurationPersistenceException: J
>>> BAS014676: Failed to parse configuration
>>>         at
>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.ServerService.boot(ServerService.java:330)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>> load module org.keycloak.keycloak-server-subsystem
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>         at
>>> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>         at
>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         ... 3 more
>>> Caused by: java.util.concurrent.ExecutionException:
>>> javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
>>>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>>> [rt.jar:1.7.0_75]
>>>         at java.util.concurrent.FutureTask.get(FutureTask.java:188)
>>> [rt.jar:1.7.0_75]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         ... 9 more
>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>> load module
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>> [rt.jar:1.7.0_75]
>>>         at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> [rt.jar:1.7.0_75]
>>>         at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> [rt.jar:1.7.0_75]
>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>         at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>>> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
>>> Caused by: org.jboss.modules.ModuleNotFoundException:
>>> org.keycloak.keycloak-server-subsystem:main
>>>         at
>>> org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
>>> [jboss-modules.jar:1.3.6.Final-redhat-1]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         ... 8 more
>>>
>>> 10:52:43,595 FATAL [org.jboss.as.server] (Controller Boot Thread)
>>> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
>>> previous messages for details.
>>> 11:52:43,604 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950:
>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 3ms
>>>
>>>
>>> I saw the differences between the standard configuration:
>>>
>>> $ vim -d
>>> jboss-eap-6.4/standalone/configuration/standalone{.xml,-keycloak.xml}
>>>
>>> And I know the module org.keycloak.keycloak-server-subsystem is present:
>>>
>>> $ tree
>>> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
>>>
>>> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
>>> `-- main
>>>     `-- module.xml
>>>
>>> 1 directory, 1 file
>>>
>>> Maybe I'm missing some detail? I appreciate any help.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
>
> --
> Att,
> Paulo Jer?nimo
>
> Fone: (61) 9504-6178
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/ef8802d9/attachment-0001.html 

From juandiego83 at gmail.com  Wed Jun 24 10:49:23 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Wed, 24 Jun 2015 09:49:23 -0500
Subject: [keycloak-user] what to do after storing the token with
	javascript
In-Reply-To: <558A5DD6.90805@redhat.com>
References: <CAJGEj6dgSsYyarUwgdRfcZ8bRZ7c7-_ZBm7yV-RR4y=mg0LYUw@mail.gmail.com>
	<558A5DD6.90805@redhat.com>
Message-ID: <CAJGEj6ezRQyj25e55YLo75QR3L_6gq9pqXfXPD0GJk4JxWo6vQ@mail.gmail.com>

I am allowing anonymous users, would the check-sso force my users to log?

On Wed, Jun 24, 2015 at 2:35 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  You have option to pass the tokens from local storage to the 'init'
> method of keycloak object. For example you can use something like:
>
> keycloak.init({
>   token: 'yourAccessToken',
>   refreshToken: 'yourRefreshToken',
>   idToken: 'yourIdToken'
> });
>
> Another option is to not store anything in localStorage, but instead after
> refresh the page re-authenticate the user again. User won't need to login
> again and provide username/password, because he should be logged
> automatically due to SSO (unless session is expired). This is what our
> admin console and examples are doing. Feel free to check them, especially
> angular example:
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app
>
> Marek
>
>
> On 23.6.2015 20:06, Juan Diego wrote:
>
>  Hi,
>
>  After my user logs I am saving the token to a localstorage. I am using
> angularjs by the way.
>
>  So if my user refreshes the page they still have the session.  As far as
> I can tell when you refresh the page, most of the info of the object
> keycloak is null, except for the realm and all the stuff you  get form
> keycloak.json.  Like if you have never logged.
>
>  So I stored the token in my localStorage.
>
>  I am thinking 3 options basically.
>
> 1)
>  Setting keycloak.token = localStorage.get("token"), and I was trying to
> look for a function in that object to retrieve all the other data, but I
> couldnt find any on the documentation and looking at my
> console.log(keycloak)
>
> 2)
>  Storing the whole object keycloak in localstorage, the problem with this
> is that it will only store the properties and obviously not the functions,
> so I was thinking that I should manually set all the properties like this
>
> clientId = localStorageService.get('keycloak').clientId;idToken = localStorageService.get('keycloak').idToken;idTokenParsed = localStorageService.get('keycloak').idTokenParsed;realmAccess =  localStorageService.get('keycloak').realmAccess;
>
>
> 3) Just check everything against the localstorage instead.
>
> But I wont be able to use the functions from the object keyclaok, like updateToken.
>
>
> I am kind of new to angular, as you can see too.
>
>
> Thanks,
>
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/b25d2f1e/attachment.html 

From paulojeronimo at gmail.com  Wed Jun 24 10:56:49 2015
From: paulojeronimo at gmail.com (=?UTF-8?Q?Paulo_Jer=C3=B4nimo?=)
Date: Wed, 24 Jun 2015 11:56:49 -0300
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAMwTEoaaRUk9nAbgu43AntUmjDOcFmtjGHa-AOei7Gscowgokg@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
	<CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
	<CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>
	<CAMwTEoaaRUk9nAbgu43AntUmjDOcFmtjGHa-AOei7Gscowgokg@mail.gmail.com>
Message-ID: <CAG4jLmAk5mBPgc-_yZyGyM1tg47FrzOZD_+hO+TJ=Z+Pu23PmQ@mail.gmail.com>

Sorry, Vineet. My last check was wrong. I would send the output from the
following command to you (because I extracted this zip on jboss-eap-6.4)

$ unzip -t keycloak-overlay-eap6-1.3.1.Final.zip | grep auth

This command does not output anything.

In similar form, there's no auth-server.war when if I extract the file
keycloak-eap6-adapter-dist-1.3.1.Final.zip

The auth-server.war should be in which zip?


2015-06-24 11:44 GMT-03:00 Vineet Chaudhary <vineet.chaudhary at praxify.com>:

> Ohh Sorry I missed you are using adapter-dist
>
> Can you find *auth-server.war* in path
> modules/system/layers/base/org/keycloak/keycloak-server/main/
>
> If you find it there edit WEB-INF/jboss-deployment-structure.xml from
> that war
>
> Hope this helps.
>
>
> On Wed, Jun 24, 2015 at 7:57 PM, Paulo Jer?nimo <paulojeronimo at gmail.com>
> wrote:
>
>> Vineet,
>>
>> There?s no auth-server.war in jboss-eap-6.4 when I extract
>> keycloak-eap6-adapter-dist-1.3.1.Final.zip on it.
>>
>> I also tried to find it on the zip:
>>
>> $ unzip -t keycloak-eap6-adapter-dist-1.3.1.Final.zip | grep auth
>>     testing:
>> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/   OK
>>     testing:
>> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/
>> OK
>>     testing:
>> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/module.xml
>> OK
>>     testing:
>> modules/system/layers/base/org/keycloak/keycloak-servlet-oauth-client/main/keycloak-servlet-oauth-client-1.3.1.Final.jar
>> OK
>>
>> Maybe I'm doing something wrong?
>>
>>
>> 2015-06-24 11:19 GMT-03:00 Vineet Chaudhary <vineet.chaudhary at praxify.com
>> >:
>>
>>> Hi,
>>>
>>> Please edit
>>>
>>> ../standalone/deployments/auth-server.war/WEB-INF/jboss-deployment-structure.xml
>>>
>>> From <jboss-deployment-structure>
>>>
>>> To    <jboss-deployment-structure
>>> xmlns="urn:jboss:deployment-structure:1.2">
>>>
>>> Thanks,
>>> VineetC
>>>
>>> On Wed, Jun 24, 2015 at 7:28 PM, Paulo Jer?nimo <paulojeronimo at gmail.com
>>> > wrote:
>>>
>>>> I'm trying to make Keycloak 1.3.1 works on a customer. My objective, is
>>>> install it (in a development environment) with JBoss BPM Suite 6.1 (it runs
>>>> with JBoss EAP 6.4). So, I will need to access /auth/admin in the same
>>>> server with the context /business-central.
>>>>
>>>> The environment is Windows 8 with Cygwin.
>>>>
>>>> I'm finding errors trying to do this installation, even before install
>>>> BPM Suite, on a pure JBoss EAP 6.4 installation.
>>>>
>>>> Here is my procedure and the error:
>>>>
>>>> $ rm -rf jboss-eap-6.4
>>>> $ shasum jboss-eap-6.4.0.zip
>>>> 9ac2979fe92040a039a3a3db8b4ce8d166e2c872 *jboss-eap-6.4.0.zip
>>>> $ unzip -q jboss-eap-6.4.0.zip
>>>> $ unzip -q -d jboss-eap-6.4 keycloak-overlay-eap6-1.3.1.Final.zip
>>>> $ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
>>>> --server-config standalone-keycloak.xml
>>>>
>>>> =========================================================================
>>>>
>>>>   JBoss Bootstrap Environment
>>>>
>>>>   JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4
>>>>
>>>>   JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java
>>>>
>>>>   JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
>>>> -Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
>>>> -XX:+PrintGCDetails -XX:+PrintGC
>>>> DateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5
>>>> -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m
>>>> -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
>>>>  -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
>>>> -Djava.awt.headless=true -Djboss.modules.policy-permissions=true
>>>>
>>>>
>>>> =========================================================================
>>>>
>>>> 10:52:42,978 INFO  [org.jboss.modules] (main) JBoss Modules version
>>>> 1.3.6.Final-redhat-1
>>>> 10:52:43,125 INFO  [org.jboss.msc] (main) JBoss MSC version
>>>> 1.1.5.Final-redhat-1
>>>> 10:52:43,183 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
>>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
>>>> 10:52:43,584 ERROR [org.jboss.as.server] (Controller Boot Thread)
>>>> JBAS015956: Caught exception during boot:
>>>> org.jboss.as.controller.persistence.ConfigurationPersistenceException: J
>>>> BAS014676: Failed to parse configuration
>>>>         at
>>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.ServerService.boot(ServerService.java:330)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>>> load module org.keycloak.keycloak-server-subsystem
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>>         at
>>>> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>>         at
>>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         ... 3 more
>>>> Caused by: java.util.concurrent.ExecutionException:
>>>> javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
>>>>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>>>> [rt.jar:1.7.0_75]
>>>>         at java.util.concurrent.FutureTask.get(FutureTask.java:188)
>>>> [rt.jar:1.7.0_75]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         ... 9 more
>>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>>> load module
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>>> [rt.jar:1.7.0_75]
>>>>         at
>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>> [rt.jar:1.7.0_75]
>>>>         at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>> [rt.jar:1.7.0_75]
>>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>>         at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>>>> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
>>>> Caused by: org.jboss.modules.ModuleNotFoundException:
>>>> org.keycloak.keycloak-server-subsystem:main
>>>>         at
>>>> org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
>>>> [jboss-modules.jar:1.3.6.Final-redhat-1]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         ... 8 more
>>>>
>>>> 10:52:43,595 FATAL [org.jboss.as.server] (Controller Boot Thread)
>>>> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
>>>> previous messages for details.
>>>> 11:52:43,604 INFO  [org.jboss.as] (MSC service thread 1-7) JBAS015950:
>>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 3ms
>>>>
>>>>
>>>> I saw the differences between the standard configuration:
>>>>
>>>> $ vim -d
>>>> jboss-eap-6.4/standalone/configuration/standalone{.xml,-keycloak.xml}
>>>>
>>>> And I know the module org.keycloak.keycloak-server-subsystem is present:
>>>>
>>>> $ tree
>>>> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
>>>>
>>>> jboss-eap-6.4/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/
>>>> `-- main
>>>>     `-- module.xml
>>>>
>>>> 1 directory, 1 file
>>>>
>>>> Maybe I'm missing some detail? I appreciate any help.
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>>
>> --
>> Att,
>> Paulo Jer?nimo
>>
>> Fone: (61) 9504-6178
>>
>
>


-- 
Att,
Paulo Jer?nimo

Fone: (61) 9504-6178
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/5955a592/attachment-0001.html 

From paulojeronimo at gmail.com  Wed Jun 24 11:49:57 2015
From: paulojeronimo at gmail.com (=?UTF-8?Q?Paulo_Jer=C3=B4nimo?=)
Date: Wed, 24 Jun 2015 12:49:57 -0300
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAG4jLmAk5mBPgc-_yZyGyM1tg47FrzOZD_+hO+TJ=Z+Pu23PmQ@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
	<CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
	<CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>
	<CAMwTEoaaRUk9nAbgu43AntUmjDOcFmtjGHa-AOei7Gscowgokg@mail.gmail.com>
	<CAG4jLmAk5mBPgc-_yZyGyM1tg47FrzOZD_+hO+TJ=Z+Pu23PmQ@mail.gmail.com>
Message-ID: <CAG4jLmBeJzaNkwXaRWFWTSRWcMwdudtOAv-5_RQhrXQp0GVi-g@mail.gmail.com>

Due this error with version 1.3.1, I also tried to use Keycloak version
1.2.0 and put it to work on JBoss EAP 6.4.

But I also did not succeed following this procedure:

$ rm -rf jboss-eap-6.4
$ unzip -q jboss-eap-6.4.0.zip
$ unzip -q -d jboss-eap-6.4 keycloak-overlay-1.2.0.Final.zip
$ cd jboss-eap-6.4/standalone/configuration/
$ cp standalone.xml standalone.xml.original
$ cat << 'EOF' | patch standalone.xml
> --- standalone.xml.original 2015-06-24 09:41:43.018484800 -0300
> +++ standalone.xml  2015-06-24 09:45:49.245308500 -0300
> @@ -24,6 +24,7 @@
>          <extension module="org.jboss.as.web"/>
>          <extension module="org.jboss.as.webservices"/>
>          <extension module="org.jboss.as.weld"/>
> +        <extension module="org.keycloak.keycloak-subsystem"/>
>      </extensions>
>      <management>
>          <security-realms>
> @@ -135,6 +136,14 @@
>                          <password>sa</password>
>                      </security>
>                  </datasource>
> +                <datasource
jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
enabled="true" use-java-context="true">
> +
<connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
> +                    <driver>h2</driver>
> +                    <security>
> +                        <user-name>sa</user-name>
> +                        <password>sa</password>
> +                    </security>
> +                </datasource>
>                  <drivers>
>                      <driver name="h2" module="com.h2database.h2">
>
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
> @@ -276,6 +285,16 @@
>                          <policy-module code="Delegating"
flag="required"/>
>                      </authorization>
>                  </security-domain>
> +                <security-domain name="keycloak">
> +                    <authentication>
> +                        <login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
> +                    </authentication>
> +                </security-domain>
> +                <security-domain name="sp" cache-type="default">
> +                    <authentication>
> +                        <login-module
code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule"
flag="required"/>
> +                    </authentication>
> +                </security-domain>
>              </security-domains>
>          </subsystem>
>          <subsystem xmlns="urn:jboss:domain:threads:1.1"/>
> @@ -307,6 +326,12 @@
>              <client-config name="Standard-Client-Config"/>
>          </subsystem>
>          <subsystem xmlns="urn:jboss:domain:weld:1.0"/>
> +        <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
> +            <auth-server name="main-auth-server">
> +                <enabled>true</enabled>
> +                <web-context>auth</web-context>
> +            </auth-server>
> +        </subsystem>
>      </profile>
>      <interfaces>
>          <interface name="management">
> @@ -338,4 +363,4 @@
>              <remote-destination host="localhost" port="25"/>
>          </outbound-socket-binding>
>      </socket-binding-group>
> -</server>
> \ No newline at end of file
> +</server>
> EOF
patching file standalone.xml
$ cd ../../..

$ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4

  JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java

  JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
-Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
-XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation
-XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading
-Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
-Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
-Djava.awt.headless=true -Djboss.modules.policy-permissions=true

=========================================================================

12:45:03,381 INFO  [org.jboss.modules] (main) JBoss Modules version
1.3.6.Final-redhat-1
12:45:03,527 INFO  [org.jboss.msc] (main) JBoss MSC version
1.1.5.Final-redhat-1
12:45:03,585 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
12:45:03,975 ERROR [org.jboss.as.server] (Controller Boot Thread)
JBAS015956: Caught exception during boot:
org.jboss.as.controller.persistence.ConfigurationPersistenceException:
JBAS014676: Failed to parse configuration
        at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at org.jboss.as.server.ServerService.boot(ServerService.java:330)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to load
module org.keycloak.keycloak-subsystem
        at
org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
[jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
[staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
        at
org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
[staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
        at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        ... 3 more
Caused by: java.util.concurrent.ExecutionException:
javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
[rt.jar:1.7.0_75]
        at java.util.concurrent.FutureTask.get(FutureTask.java:188)
[rt.jar:1.7.0_75]
        at
org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        ... 9 more
Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to load
module
        at
org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at
org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
[rt.jar:1.7.0_75]
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_75]
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_75]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
        at org.jboss.threads.JBossThread.run(JBossThread.java:122)
[jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
Caused by: org.jboss.modules.ModuleNotFoundException:
org.keycloak.keycloak-subsystem:main
        at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
[jboss-modules.jar:1.3.6.Final-redhat-1]
        at
org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
        ... 8 more

12:45:03,983 FATAL [org.jboss.as.server] (Controller Boot Thread)
JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
previous messages for details.
12:45:03,994 INFO  [org.jboss.as] (MSC service thread 1-5) JBAS015950:
JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 2ms



What I'm doing wrong?
I had a good experience using Keycloak with Widlfy but I still can't put it
to work with JBoss EAP 6.4.

Please, help me.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/6a826fd6/attachment.html 

From Tom.Nuernberger at tceq.texas.gov  Wed Jun 24 12:30:21 2015
From: Tom.Nuernberger at tceq.texas.gov (Tom Nuernberger)
Date: Wed, 24 Jun 2015 16:30:21 +0000
Subject: [keycloak-user] KeyCloak and JBoss 6.3.3 / JDK1.8
Message-ID: <BLUPR05MB961D216FA7ABA1E1EDA55B9C3AF0@BLUPR05MB961.namprd05.prod.outlook.com>

Does KeyClock run successfully using:

                JDK1.8
                JBoss 6.3.3

And if so, what version of KeyClock.

Thanks.

Tom W. Nuernberger
Programmer Analyst IV
Texas Commission on Environmental Quality
12100 Park 35 Circle | Bldg. A | Austin, TX 78753
(512) 239-0895
[cid:image001.jpg at 01D0AE71.2640C1E0]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/cfb86eda/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2402 bytes
Desc: image001.jpg
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/cfb86eda/attachment-0001.jpg 

From mposolda at redhat.com  Wed Jun 24 12:31:15 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Jun 2015 18:31:15 +0200
Subject: [keycloak-user] what to do after storing the token with
	javascript
In-Reply-To: <CAJGEj6ezRQyj25e55YLo75QR3L_6gq9pqXfXPD0GJk4JxWo6vQ@mail.gmail.com>
References: <CAJGEj6dgSsYyarUwgdRfcZ8bRZ7c7-_ZBm7yV-RR4y=mg0LYUw@mail.gmail.com>	<558A5DD6.90805@redhat.com>
	<CAJGEj6ezRQyj25e55YLo75QR3L_6gq9pqXfXPD0GJk4JxWo6vQ@mail.gmail.com>
Message-ID: <558ADB53.2020603@redhat.com>

No, check-sso is used to check if user is already logged into Keycloak 
server and in that case, he will be automatically logged into your 
javascript application. In case of anonymous access, user is not forced 
to login.

Marek

On 24.6.2015 16:49, Juan Diego wrote:
> I am allowing anonymous users, would the check-sso force my users to log?
>
> On Wed, Jun 24, 2015 at 2:35 AM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     You have option to pass the tokens from local storage to the
>     'init' method of keycloak object. For example you can use
>     something like:
>
>     keycloak.init({
>       token: 'yourAccessToken',
>       refreshToken: 'yourRefreshToken',
>       idToken: 'yourIdToken'
>     });
>
>     Another option is to not store anything in localStorage, but
>     instead after refresh the page re-authenticate the user again.
>     User won't need to login again and provide username/password,
>     because he should be logged automatically due to SSO (unless
>     session is expired). This is what our admin console and examples
>     are doing. Feel free to check them, especially angular example:
>     https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app
>
>     Marek
>
>
>     On 23.6.2015 20:06, Juan Diego wrote:
>>     Hi,
>>
>>     After my user logs I am saving the token to a localstorage. I am
>>     using angularjs by the way.
>>
>>     So if my user refreshes the page they still have the session.  As
>>     far as I can tell when you refresh the page, most of the info of
>>     the object keycloak is null, except for the realm and all the
>>     stuff you  get form keycloak.json.  Like if you have never logged.
>>
>>     So I stored the token in my localStorage.
>>
>>     I am thinking 3 options basically.
>>
>>     1)
>>     Setting keycloak.token = localStorage.get("token"), and I was
>>     trying to look for a function in that object to retrieve all the
>>     other data, but I couldnt find any on the documentation and
>>     looking at my console.log(keycloak)
>>
>>     2)
>>     Storing the whole object keycloak in localstorage, the problem
>>     with this is that it will only store the properties and obviously
>>     not the functions, so I was thinking that I should manually set
>>     all the properties like this
>>
>>     clientId= localStorageService.get('keycloak').clientId;
>>     idToken= localStorageService.get('keycloak').idToken;
>>     idTokenParsed= localStorageService.get('keycloak').idTokenParsed;
>>     realmAccess=  localStorageService.get('keycloak').realmAccess;
>>
>>     3) Just check everything against the localstorage instead.
>>     But I wont be able to use the functions from the object keyclaok, like updateToken.
>>
>>     I am kind of new to angular, as you can see too.
>>
>>     Thanks,
>>
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/7fc0ea42/attachment.html 

From juandiego83 at gmail.com  Wed Jun 24 14:16:17 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Wed, 24 Jun 2015 13:16:17 -0500
Subject: [keycloak-user] what to do after storing the token with
	javascript
In-Reply-To: <558ADB53.2020603@redhat.com>
References: <CAJGEj6dgSsYyarUwgdRfcZ8bRZ7c7-_ZBm7yV-RR4y=mg0LYUw@mail.gmail.com>
	<558A5DD6.90805@redhat.com>
	<CAJGEj6ezRQyj25e55YLo75QR3L_6gq9pqXfXPD0GJk4JxWo6vQ@mail.gmail.com>
	<558ADB53.2020603@redhat.com>
Message-ID: <CAJGEj6fAAgdu2meTQXkwu8RzcbNMCvs31OuqZbCt0UBRDgYRDA@mail.gmail.com>

Do I need to use it in a angular.element(document).ready like in the
example because I was using ng-app and I will have to restructure
somethings.

On Wed, Jun 24, 2015 at 11:31 AM, Marek Posolda <mposolda at redhat.com> wrote:

>  No, check-sso is used to check if user is already logged into Keycloak
> server and in that case, he will be automatically logged into your
> javascript application. In case of anonymous access, user is not forced to
> login.
>
> Marek
>
>
> On 24.6.2015 16:49, Juan Diego wrote:
>
> I am allowing anonymous users, would the check-sso force my users to log?
>
> On Wed, Jun 24, 2015 at 2:35 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>>  You have option to pass the tokens from local storage to the 'init'
>> method of keycloak object. For example you can use something like:
>>
>> keycloak.init({
>>   token: 'yourAccessToken',
>>   refreshToken: 'yourRefreshToken',
>>   idToken: 'yourIdToken'
>> });
>>
>> Another option is to not store anything in localStorage, but instead
>> after refresh the page re-authenticate the user again. User won't need to
>> login again and provide username/password, because he should be logged
>> automatically due to SSO (unless session is expired). This is what our
>> admin console and examples are doing. Feel free to check them, especially
>> angular example:
>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app
>>
>> Marek
>>
>>
>> On 23.6.2015 20:06, Juan Diego wrote:
>>
>>   Hi,
>>
>>  After my user logs I am saving the token to a localstorage. I am using
>> angularjs by the way.
>>
>>  So if my user refreshes the page they still have the session.  As far
>> as I can tell when you refresh the page, most of the info of the object
>> keycloak is null, except for the realm and all the stuff you  get form
>> keycloak.json.  Like if you have never logged.
>>
>>  So I stored the token in my localStorage.
>>
>>  I am thinking 3 options basically.
>>
>> 1)
>>  Setting keycloak.token = localStorage.get("token"), and I was trying to
>> look for a function in that object to retrieve all the other data, but I
>> couldnt find any on the documentation and looking at my
>> console.log(keycloak)
>>
>> 2)
>>  Storing the whole object keycloak in localstorage, the problem with
>> this is that it will only store the properties and obviously not the
>> functions, so I was thinking that I should manually set all the properties
>> like this
>>
>> clientId = localStorageService.get('keycloak').clientId;idToken = localStorageService.get('keycloak').idToken;idTokenParsed = localStorageService.get('keycloak').idTokenParsed;realmAccess =  localStorageService.get('keycloak').realmAccess;
>>
>>
>> 3) Just check everything against the localstorage instead.
>>
>> But I wont be able to use the functions from the object keyclaok, like updateToken.
>>
>>
>> I am kind of new to angular, as you can see too.
>>
>>
>> Thanks,
>>
>>
>>
>>
>>  _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/bb44df42/attachment.html 

From sarbx at hotmail.com  Wed Jun 24 14:34:34 2015
From: sarbx at hotmail.com (Bellan Saravanan)
Date: Wed, 24 Jun 2015 11:34:34 -0700
Subject: [keycloak-user] Realm resolver
Message-ID: <COL126-W9C80736AEA1195E59D9A3B5AF0@phx.gbl>

We're using KeycloakConfigResolver to resolve the realm based on the request URI. But if we are unable to resolve to a specific realm we want forward the user to a page where she can enter the email address from which we can figure out the user's realm. 
Since KeycloakConfigResolver cannot be used to redirect the request, any suggestions are how to forward to the page to manual resolution? We are using the Keycloak wildfly adapter.
Thanks,
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/9e9783b6/attachment.html 

From paulojeronimo at gmail.com  Wed Jun 24 15:04:54 2015
From: paulojeronimo at gmail.com (=?UTF-8?Q?Paulo_Jer=C3=B4nimo?=)
Date: Wed, 24 Jun 2015 16:04:54 -0300
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAG4jLmAk1D1Lj1T8Yhgz2=vpmGJAZa73DT67hv+JBWwTELkQBQ@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
	<CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
	<CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>
	<CAMwTEoaaRUk9nAbgu43AntUmjDOcFmtjGHa-AOei7Gscowgokg@mail.gmail.com>
	<CAG4jLmAk5mBPgc-_yZyGyM1tg47FrzOZD_+hO+TJ=Z+Pu23PmQ@mail.gmail.com>
	<CAG4jLmBeJzaNkwXaRWFWTSRWcMwdudtOAv-5_RQhrXQp0GVi-g@mail.gmail.com>
	<CAMwTEoacMPbEE9mC+Zphhi75q4PHW0x0k_6g3QF_7b88h=aoKw@mail.gmail.com>
	<CAG4jLmAk1D1Lj1T8Yhgz2=vpmGJAZa73DT67hv+JBWwTELkQBQ@mail.gmail.com>
Message-ID: <CAG4jLmB7drgF-si8KEodPwkRv9t1pLcpTpGUVxV_fAmCFf+eJA@mail.gmail.com>

Now I tried to downgrade to keycloak version 1.1.0.Final, executing the
steps bellow. But, I still can?t start JBoss EAP 6.4 after my steps:

https://gist.github.com/paulojeronimo/3f5746b221a882cf6b24

Any idea about what I?m doing wrong?

I really need integrate Keycloak with JBoss EAP 6.4. This integration
really works? (I?ve been using Keycloak only with Wildfly until now, but,
as its documentation said, it works. How???)


2015-06-24 14:25 GMT-03:00 Paulo Jer?nimo <paulojeronimo at gmail.com>:

> Vineet,
>
> I did what you said (using my last configuration with keycloak 1.2.0):
>
> $ grep 'subsystem.*keycloak'
> jboss-eap-6.4/standalone/configuration/standalone.xml
>         <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>
> The error persists.
>
> Some other idea?
>
> 2015-06-24 13:05 GMT-03:00 Vineet Chaudhary <vineet.chaudhary at praxify.com>
> :
>
>> I might be sound crazy now but for last time can you just change
>> standalone.xml
>>
>> <subsystem xmlns="urn:jboss:domain:keycloak:1.0"> to
>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>
>> On Wed, Jun 24, 2015 at 9:19 PM, Paulo Jer?nimo <paulojeronimo at gmail.com>
>> wrote:
>>
>>> Due this error with version 1.3.1, I also tried to use Keycloak version
>>> 1.2.0 and put it to work on JBoss EAP 6.4.
>>>
>>> But I also did not succeed following this procedure:
>>>
>>> $ rm -rf jboss-eap-6.4
>>> $ unzip -q jboss-eap-6.4.0.zip
>>> $ unzip -q -d jboss-eap-6.4 keycloak-overlay-1.2.0.Final.zip
>>> $ cd jboss-eap-6.4/standalone/configuration/
>>> $ cp standalone.xml standalone.xml.original
>>> $ cat << 'EOF' | patch standalone.xml
>>> > --- standalone.xml.original 2015-06-24 09:41:43.018484800 -0300
>>> > +++ standalone.xml  2015-06-24 09:45:49.245308500 -0300
>>> > @@ -24,6 +24,7 @@
>>> >          <extension module="org.jboss.as.web"/>
>>> >          <extension module="org.jboss.as.webservices"/>
>>> >          <extension module="org.jboss.as.weld"/>
>>> > +        <extension module="org.keycloak.keycloak-subsystem"/>
>>> >      </extensions>
>>> >      <management>
>>> >          <security-realms>
>>> > @@ -135,6 +136,14 @@
>>> >                          <password>sa</password>
>>> >                      </security>
>>> >                  </datasource>
>>> > +                <datasource
>>> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
>>> enabled="true" use-java-context="true">
>>> > +
>>> <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
>>> > +                    <driver>h2</driver>
>>> > +                    <security>
>>> > +                        <user-name>sa</user-name>
>>> > +                        <password>sa</password>
>>> > +                    </security>
>>> > +                </datasource>
>>> >                  <drivers>
>>> >                      <driver name="h2" module="com.h2database.h2">
>>> >
>>> <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
>>> > @@ -276,6 +285,16 @@
>>> >                          <policy-module code="Delegating"
>>> flag="required"/>
>>> >                      </authorization>
>>> >                  </security-domain>
>>> > +                <security-domain name="keycloak">
>>> > +                    <authentication>
>>> > +                        <login-module
>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>> > +                    </authentication>
>>> > +                </security-domain>
>>> > +                <security-domain name="sp" cache-type="default">
>>> > +                    <authentication>
>>> > +                        <login-module
>>> code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule"
>>> flag="required"/>
>>> > +                    </authentication>
>>> > +                </security-domain>
>>> >              </security-domains>
>>> >          </subsystem>
>>> >          <subsystem xmlns="urn:jboss:domain:threads:1.1"/>
>>> > @@ -307,6 +326,12 @@
>>> >              <client-config name="Standard-Client-Config"/>
>>> >          </subsystem>
>>> >          <subsystem xmlns="urn:jboss:domain:weld:1.0"/>
>>> > +        <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
>>> > +            <auth-server name="main-auth-server">
>>> > +                <enabled>true</enabled>
>>> > +                <web-context>auth</web-context>
>>> > +            </auth-server>
>>> > +        </subsystem>
>>> >      </profile>
>>> >      <interfaces>
>>> >          <interface name="management">
>>> > @@ -338,4 +363,4 @@
>>> >              <remote-destination host="localhost" port="25"/>
>>> >          </outbound-socket-binding>
>>> >      </socket-binding-group>
>>> > -</server>
>>> > \ No newline at end of file
>>> > +</server>
>>> > EOF
>>> patching file standalone.xml
>>> $ cd ../../..
>>>
>>> $ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
>>> =========================================================================
>>>
>>>   JBoss Bootstrap Environment
>>>
>>>   JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4
>>>
>>>   JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java
>>>
>>>   JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
>>> -Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
>>> -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation
>>> -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading
>>> -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
>>> -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
>>> -Djava.awt.headless=true -Djboss.modules.policy-permissions=true
>>>
>>> =========================================================================
>>>
>>> 12:45:03,381 INFO  [org.jboss.modules] (main) JBoss Modules version
>>> 1.3.6.Final-redhat-1
>>> 12:45:03,527 INFO  [org.jboss.msc] (main) JBoss MSC version
>>> 1.1.5.Final-redhat-1
>>> 12:45:03,585 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
>>> 12:45:03,975 ERROR [org.jboss.as.server] (Controller Boot Thread)
>>> JBAS015956: Caught exception during boot:
>>> org.jboss.as.controller.persistence.ConfigurationPersistenceException:
>>> JBAS014676: Failed to parse configuration
>>>         at
>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.ServerService.boot(ServerService.java:330)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>> load module org.keycloak.keycloak-subsystem
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>         at
>>> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>         at
>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         ... 3 more
>>> Caused by: java.util.concurrent.ExecutionException:
>>> javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
>>>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>>> [rt.jar:1.7.0_75]
>>>         at java.util.concurrent.FutureTask.get(FutureTask.java:188)
>>> [rt.jar:1.7.0_75]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         ... 9 more
>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>> load module
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>> [rt.jar:1.7.0_75]
>>>         at
>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> [rt.jar:1.7.0_75]
>>>         at
>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> [rt.jar:1.7.0_75]
>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>         at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>>> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
>>> Caused by: org.jboss.modules.ModuleNotFoundException:
>>> org.keycloak.keycloak-subsystem:main
>>>         at
>>> org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
>>> [jboss-modules.jar:1.3.6.Final-redhat-1]
>>>         at
>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>         ... 8 more
>>>
>>> 12:45:03,983 FATAL [org.jboss.as.server] (Controller Boot Thread)
>>> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
>>> previous messages for details.
>>> 12:45:03,994 INFO  [org.jboss.as] (MSC service thread 1-5) JBAS015950:
>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 2ms
>>>
>>>
>>>
>>> What I'm doing wrong?
>>> I had a good experience using Keycloak with Widlfy but I still can't put
>>> it to work with JBoss EAP 6.4.
>>>
>>> Please, help me.
>>>
>>>
>>
>
>
> --
> Att,
> Paulo Jer?nimo
>
> Fone: (61) 9504-6178
>



-- 
Att,
Paulo Jer?nimo

Fone: (61) 9504-6178
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/b403bfa0/attachment-0001.html 

From paulojeronimo at gmail.com  Wed Jun 24 16:23:45 2015
From: paulojeronimo at gmail.com (=?UTF-8?Q?Paulo_Jer=C3=B4nimo?=)
Date: Wed, 24 Jun 2015 17:23:45 -0300
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAG4jLmB7drgF-si8KEodPwkRv9t1pLcpTpGUVxV_fAmCFf+eJA@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
	<CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
	<CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>
	<CAMwTEoaaRUk9nAbgu43AntUmjDOcFmtjGHa-AOei7Gscowgokg@mail.gmail.com>
	<CAG4jLmAk5mBPgc-_yZyGyM1tg47FrzOZD_+hO+TJ=Z+Pu23PmQ@mail.gmail.com>
	<CAG4jLmBeJzaNkwXaRWFWTSRWcMwdudtOAv-5_RQhrXQp0GVi-g@mail.gmail.com>
	<CAMwTEoacMPbEE9mC+Zphhi75q4PHW0x0k_6g3QF_7b88h=aoKw@mail.gmail.com>
	<CAG4jLmAk1D1Lj1T8Yhgz2=vpmGJAZa73DT67hv+JBWwTELkQBQ@mail.gmail.com>
	<CAG4jLmB7drgF-si8KEodPwkRv9t1pLcpTpGUVxV_fAmCFf+eJA@mail.gmail.com>
Message-ID: <CAG4jLmCwrrxtuVQW7x-iz523PetkK+cj66Xs2Q+Re58LZ89W4w@mail.gmail.com>

In my investigation of this problem, I identified that if I run the steps
described to test the Keycloak 1.3.1 + JBoss EAP 6.4 on a Linux environment
with OpenJDK 8 I don't catch problems. So, it seems to be an execution
problem in Windows environment. I will keep doing my research to identify
the cause.

2015-06-24 16:04 GMT-03:00 Paulo Jer?nimo <paulojeronimo at gmail.com>:

> Now I tried to downgrade to keycloak version 1.1.0.Final, executing the
> steps bellow. But, I still can?t start JBoss EAP 6.4 after my steps:
>
> https://gist.github.com/paulojeronimo/3f5746b221a882cf6b24
>
> Any idea about what I?m doing wrong?
>
> I really need integrate Keycloak with JBoss EAP 6.4. This integration
> really works? (I?ve been using Keycloak only with Wildfly until now, but,
> as its documentation said, it works. How???)
>
>
> 2015-06-24 14:25 GMT-03:00 Paulo Jer?nimo <paulojeronimo at gmail.com>:
>
>> Vineet,
>>
>> I did what you said (using my last configuration with keycloak 1.2.0):
>>
>> $ grep 'subsystem.*keycloak'
>> jboss-eap-6.4/standalone/configuration/standalone.xml
>>         <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>
>> The error persists.
>>
>> Some other idea?
>>
>> 2015-06-24 13:05 GMT-03:00 Vineet Chaudhary <vineet.chaudhary at praxify.com
>> >:
>>
>>> I might be sound crazy now but for last time can you just change
>>> standalone.xml
>>>
>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.0"> to
>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>
>>> On Wed, Jun 24, 2015 at 9:19 PM, Paulo Jer?nimo <paulojeronimo at gmail.com
>>> > wrote:
>>>
>>>> Due this error with version 1.3.1, I also tried to use Keycloak version
>>>> 1.2.0 and put it to work on JBoss EAP 6.4.
>>>>
>>>> But I also did not succeed following this procedure:
>>>>
>>>> $ rm -rf jboss-eap-6.4
>>>> $ unzip -q jboss-eap-6.4.0.zip
>>>> $ unzip -q -d jboss-eap-6.4 keycloak-overlay-1.2.0.Final.zip
>>>> $ cd jboss-eap-6.4/standalone/configuration/
>>>> $ cp standalone.xml standalone.xml.original
>>>> $ cat << 'EOF' | patch standalone.xml
>>>> > --- standalone.xml.original 2015-06-24 09:41:43.018484800 -0300
>>>> > +++ standalone.xml  2015-06-24 09:45:49.245308500 -0300
>>>> > @@ -24,6 +24,7 @@
>>>> >          <extension module="org.jboss.as.web"/>
>>>> >          <extension module="org.jboss.as.webservices"/>
>>>> >          <extension module="org.jboss.as.weld"/>
>>>> > +        <extension module="org.keycloak.keycloak-subsystem"/>
>>>> >      </extensions>
>>>> >      <management>
>>>> >          <security-realms>
>>>> > @@ -135,6 +136,14 @@
>>>> >                          <password>sa</password>
>>>> >                      </security>
>>>> >                  </datasource>
>>>> > +                <datasource
>>>> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
>>>> enabled="true" use-java-context="true">
>>>> > +
>>>> <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
>>>> > +                    <driver>h2</driver>
>>>> > +                    <security>
>>>> > +                        <user-name>sa</user-name>
>>>> > +                        <password>sa</password>
>>>> > +                    </security>
>>>> > +                </datasource>
>>>> >                  <drivers>
>>>> >                      <driver name="h2" module="com.h2database.h2">
>>>> >
>>>> <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
>>>> > @@ -276,6 +285,16 @@
>>>> >                          <policy-module code="Delegating"
>>>> flag="required"/>
>>>> >                      </authorization>
>>>> >                  </security-domain>
>>>> > +                <security-domain name="keycloak">
>>>> > +                    <authentication>
>>>> > +                        <login-module
>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>>> > +                    </authentication>
>>>> > +                </security-domain>
>>>> > +                <security-domain name="sp" cache-type="default">
>>>> > +                    <authentication>
>>>> > +                        <login-module
>>>> code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule"
>>>> flag="required"/>
>>>> > +                    </authentication>
>>>> > +                </security-domain>
>>>> >              </security-domains>
>>>> >          </subsystem>
>>>> >          <subsystem xmlns="urn:jboss:domain:threads:1.1"/>
>>>> > @@ -307,6 +326,12 @@
>>>> >              <client-config name="Standard-Client-Config"/>
>>>> >          </subsystem>
>>>> >          <subsystem xmlns="urn:jboss:domain:weld:1.0"/>
>>>> > +        <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
>>>> > +            <auth-server name="main-auth-server">
>>>> > +                <enabled>true</enabled>
>>>> > +                <web-context>auth</web-context>
>>>> > +            </auth-server>
>>>> > +        </subsystem>
>>>> >      </profile>
>>>> >      <interfaces>
>>>> >          <interface name="management">
>>>> > @@ -338,4 +363,4 @@
>>>> >              <remote-destination host="localhost" port="25"/>
>>>> >          </outbound-socket-binding>
>>>> >      </socket-binding-group>
>>>> > -</server>
>>>> > \ No newline at end of file
>>>> > +</server>
>>>> > EOF
>>>> patching file standalone.xml
>>>> $ cd ../../..
>>>>
>>>> $ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
>>>>
>>>> =========================================================================
>>>>
>>>>   JBoss Bootstrap Environment
>>>>
>>>>   JBOSS_HOME: C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4
>>>>
>>>>   JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java
>>>>
>>>>   JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
>>>> -Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
>>>> -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation
>>>> -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading
>>>> -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
>>>> -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
>>>> -Djava.awt.headless=true -Djboss.modules.policy-permissions=true
>>>>
>>>>
>>>> =========================================================================
>>>>
>>>> 12:45:03,381 INFO  [org.jboss.modules] (main) JBoss Modules version
>>>> 1.3.6.Final-redhat-1
>>>> 12:45:03,527 INFO  [org.jboss.msc] (main) JBoss MSC version
>>>> 1.1.5.Final-redhat-1
>>>> 12:45:03,585 INFO  [org.jboss.as] (MSC service thread 1-6) JBAS015899:
>>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
>>>> 12:45:03,975 ERROR [org.jboss.as.server] (Controller Boot Thread)
>>>> JBAS015956: Caught exception during boot:
>>>> org.jboss.as.controller.persistence.ConfigurationPersistenceException:
>>>> JBAS014676: Failed to parse configuration
>>>>         at
>>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.ServerService.boot(ServerService.java:330)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>>> load module org.keycloak.keycloak-subsystem
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>>         at
>>>> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>>         at
>>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         ... 3 more
>>>> Caused by: java.util.concurrent.ExecutionException:
>>>> javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
>>>>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>>>> [rt.jar:1.7.0_75]
>>>>         at java.util.concurrent.FutureTask.get(FutureTask.java:188)
>>>> [rt.jar:1.7.0_75]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         ... 9 more
>>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>>> load module
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>>> [rt.jar:1.7.0_75]
>>>>         at
>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>> [rt.jar:1.7.0_75]
>>>>         at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>> [rt.jar:1.7.0_75]
>>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>>         at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>>>> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
>>>> Caused by: org.jboss.modules.ModuleNotFoundException:
>>>> org.keycloak.keycloak-subsystem:main
>>>>         at
>>>> org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
>>>> [jboss-modules.jar:1.3.6.Final-redhat-1]
>>>>         at
>>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>         ... 8 more
>>>>
>>>> 12:45:03,983 FATAL [org.jboss.as.server] (Controller Boot Thread)
>>>> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
>>>> previous messages for details.
>>>> 12:45:03,994 INFO  [org.jboss.as] (MSC service thread 1-5) JBAS015950:
>>>> JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in 2ms
>>>>
>>>>
>>>>
>>>> What I'm doing wrong?
>>>> I had a good experience using Keycloak with Widlfy but I still can't
>>>> put it to work with JBoss EAP 6.4.
>>>>
>>>> Please, help me.
>>>>
>>>>
>>>
>>
>>
>> --
>> Att,
>> Paulo Jer?nimo
>>
>> Fone: (61) 9504-6178
>>
>
>
>
> --
> Att,
> Paulo Jer?nimo
>
> Fone: (61) 9504-6178
>



-- 
Att,
Paulo Jer?nimo

Fone: (61) 9504-6178
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/dfc186fb/attachment-0001.html 

From paulojeronimo at gmail.com  Wed Jun 24 16:57:33 2015
From: paulojeronimo at gmail.com (=?UTF-8?Q?Paulo_Jer=C3=B4nimo?=)
Date: Wed, 24 Jun 2015 17:57:33 -0300
Subject: [keycloak-user] Keycloak 1.3.1 on JBoss EAP 6.4
In-Reply-To: <CAG4jLmCwrrxtuVQW7x-iz523PetkK+cj66Xs2Q+Re58LZ89W4w@mail.gmail.com>
References: <CAG4jLmD1iAfFF_9FTjh-Af2iO-Az-D7Rvc2BeyfYHqzAm-NHVg@mail.gmail.com>
	<CAMwTEoYqpmEg0vr6xN+unF_K2AjO9-fqDR+dOEbKhWBBcft3kw@mail.gmail.com>
	<CAG4jLmCUCpiNxN45cbcQ09-0Eyg_=BrJTRijEcYrVau+hDyDfg@mail.gmail.com>
	<CAMwTEoaaRUk9nAbgu43AntUmjDOcFmtjGHa-AOei7Gscowgokg@mail.gmail.com>
	<CAG4jLmAk5mBPgc-_yZyGyM1tg47FrzOZD_+hO+TJ=Z+Pu23PmQ@mail.gmail.com>
	<CAG4jLmBeJzaNkwXaRWFWTSRWcMwdudtOAv-5_RQhrXQp0GVi-g@mail.gmail.com>
	<CAMwTEoacMPbEE9mC+Zphhi75q4PHW0x0k_6g3QF_7b88h=aoKw@mail.gmail.com>
	<CAG4jLmAk1D1Lj1T8Yhgz2=vpmGJAZa73DT67hv+JBWwTELkQBQ@mail.gmail.com>
	<CAG4jLmB7drgF-si8KEodPwkRv9t1pLcpTpGUVxV_fAmCFf+eJA@mail.gmail.com>
	<CAG4jLmCwrrxtuVQW7x-iz523PetkK+cj66Xs2Q+Re58LZ89W4w@mail.gmail.com>
Message-ID: <CAG4jLmCxURLD-bMoNKHmAGJxg1RNM8ZErYUNVhu9D2uHuBmGug@mail.gmail.com>

Finally, I found the root cause of my problem! My fault.

Due a little bug when I starts standalone.sh on Cygwin environment for
JBoss EAP 6.4 I set a value $JBOSS_HOME/modules for JBOSS_MODULEPATH
variable. The problem was that when I run the following command:

JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
--server-config standalone-keycloak.xml

I also need change the value for JBOSS_MODULEPATH on this command line

Or alternatively unset JBOSS_MODULEPATH variable and get the previous
little bug:

$ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
--server-config standalone-keycloak.xml
cygpath: can't convert empty path

Thats it! Keycloak 1.3.1 works with JBoss EAP 6.4. No doubt.

2015-06-24 17:23 GMT-03:00 Paulo Jer?nimo <paulojeronimo at gmail.com>:

> In my investigation of this problem, I identified that if I run the steps
> described to test the Keycloak 1.3.1 + JBoss EAP 6.4 on a Linux environment
> with OpenJDK 8 I don't catch problems. So, it seems to be an execution
> problem in Windows environment. I will keep doing my research to identify
> the cause.
>
> 2015-06-24 16:04 GMT-03:00 Paulo Jer?nimo <paulojeronimo at gmail.com>:
>
>> Now I tried to downgrade to keycloak version 1.1.0.Final, executing the
>> steps bellow. But, I still can?t start JBoss EAP 6.4 after my steps:
>>
>> https://gist.github.com/paulojeronimo/3f5746b221a882cf6b24
>>
>> Any idea about what I?m doing wrong?
>>
>> I really need integrate Keycloak with JBoss EAP 6.4. This integration
>> really works? (I?ve been using Keycloak only with Wildfly until now, but,
>> as its documentation said, it works. How???)
>>
>>
>> 2015-06-24 14:25 GMT-03:00 Paulo Jer?nimo <paulojeronimo at gmail.com>:
>>
>>> Vineet,
>>>
>>> I did what you said (using my last configuration with keycloak 1.2.0):
>>>
>>> $ grep 'subsystem.*keycloak'
>>> jboss-eap-6.4/standalone/configuration/standalone.xml
>>>         <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>
>>> The error persists.
>>>
>>> Some other idea?
>>>
>>> 2015-06-24 13:05 GMT-03:00 Vineet Chaudhary <
>>> vineet.chaudhary at praxify.com>:
>>>
>>>> I might be sound crazy now but for last time can you just change
>>>> standalone.xml
>>>>
>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.0"> to
>>>> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>
>>>> On Wed, Jun 24, 2015 at 9:19 PM, Paulo Jer?nimo <
>>>> paulojeronimo at gmail.com> wrote:
>>>>
>>>>> Due this error with version 1.3.1, I also tried to use Keycloak
>>>>> version 1.2.0 and put it to work on JBoss EAP 6.4.
>>>>>
>>>>> But I also did not succeed following this procedure:
>>>>>
>>>>> $ rm -rf jboss-eap-6.4
>>>>> $ unzip -q jboss-eap-6.4.0.zip
>>>>> $ unzip -q -d jboss-eap-6.4 keycloak-overlay-1.2.0.Final.zip
>>>>> $ cd jboss-eap-6.4/standalone/configuration/
>>>>> $ cp standalone.xml standalone.xml.original
>>>>> $ cat << 'EOF' | patch standalone.xml
>>>>> > --- standalone.xml.original 2015-06-24 09:41:43.018484800 -0300
>>>>> > +++ standalone.xml  2015-06-24 09:45:49.245308500 -0300
>>>>> > @@ -24,6 +24,7 @@
>>>>> >          <extension module="org.jboss.as.web"/>
>>>>> >          <extension module="org.jboss.as.webservices"/>
>>>>> >          <extension module="org.jboss.as.weld"/>
>>>>> > +        <extension module="org.keycloak.keycloak-subsystem"/>
>>>>> >      </extensions>
>>>>> >      <management>
>>>>> >          <security-realms>
>>>>> > @@ -135,6 +136,14 @@
>>>>> >                          <password>sa</password>
>>>>> >                      </security>
>>>>> >                  </datasource>
>>>>> > +                <datasource
>>>>> jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS"
>>>>> enabled="true" use-java-context="true">
>>>>> > +
>>>>> <connection-url>jdbc:h2:${jboss.server.data.dir}/keycloak;AUTO_SERVER=TRUE</connection-url>
>>>>> > +                    <driver>h2</driver>
>>>>> > +                    <security>
>>>>> > +                        <user-name>sa</user-name>
>>>>> > +                        <password>sa</password>
>>>>> > +                    </security>
>>>>> > +                </datasource>
>>>>> >                  <drivers>
>>>>> >                      <driver name="h2" module="com.h2database.h2">
>>>>> >
>>>>> <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
>>>>> > @@ -276,6 +285,16 @@
>>>>> >                          <policy-module code="Delegating"
>>>>> flag="required"/>
>>>>> >                      </authorization>
>>>>> >                  </security-domain>
>>>>> > +                <security-domain name="keycloak">
>>>>> > +                    <authentication>
>>>>> > +                        <login-module
>>>>> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>>>> > +                    </authentication>
>>>>> > +                </security-domain>
>>>>> > +                <security-domain name="sp" cache-type="default">
>>>>> > +                    <authentication>
>>>>> > +                        <login-module
>>>>> code="org.picketlink.identity.federation.bindings.wildfly.SAML2LoginModule"
>>>>> flag="required"/>
>>>>> > +                    </authentication>
>>>>> > +                </security-domain>
>>>>> >              </security-domains>
>>>>> >          </subsystem>
>>>>> >          <subsystem xmlns="urn:jboss:domain:threads:1.1"/>
>>>>> > @@ -307,6 +326,12 @@
>>>>> >              <client-config name="Standard-Client-Config"/>
>>>>> >          </subsystem>
>>>>> >          <subsystem xmlns="urn:jboss:domain:weld:1.0"/>
>>>>> > +        <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
>>>>> > +            <auth-server name="main-auth-server">
>>>>> > +                <enabled>true</enabled>
>>>>> > +                <web-context>auth</web-context>
>>>>> > +            </auth-server>
>>>>> > +        </subsystem>
>>>>> >      </profile>
>>>>> >      <interfaces>
>>>>> >          <interface name="management">
>>>>> > @@ -338,4 +363,4 @@
>>>>> >              <remote-destination host="localhost" port="25"/>
>>>>> >          </outbound-socket-binding>
>>>>> >      </socket-binding-group>
>>>>> > -</server>
>>>>> > \ No newline at end of file
>>>>> > +</server>
>>>>> > EOF
>>>>> patching file standalone.xml
>>>>> $ cd ../../..
>>>>>
>>>>> $ JBOSS_HOME=$PWD/jboss-eap-6.4 jboss-eap-6.4/bin/standalone.sh
>>>>>
>>>>> =========================================================================
>>>>>
>>>>>   JBoss Bootstrap Environment
>>>>>
>>>>>   JBOSS_HOME:
>>>>> C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4
>>>>>
>>>>>   JAVA: /cygdrive/c/Program Files/Java/jdk1.7.0_75/bin/java
>>>>>
>>>>>   JAVA_OPTS:  -server -XX:+UseCompressedOops -verbose:gc
>>>>> -Xloggc:"C:\desenv\projetos\stn\sigti\instalador-bpms\jboss-eap-6.4\standalone\log/gc.log"
>>>>> -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation
>>>>> -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading
>>>>> -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true
>>>>> -Duser.language=en -Djboss.modules.system.pkgs=org.jboss.byteman
>>>>> -Djava.awt.headless=true -Djboss.modules.policy-permissions=true
>>>>>
>>>>>
>>>>> =========================================================================
>>>>>
>>>>> 12:45:03,381 INFO  [org.jboss.modules] (main) JBoss Modules version
>>>>> 1.3.6.Final-redhat-1
>>>>> 12:45:03,527 INFO  [org.jboss.msc] (main) JBoss MSC version
>>>>> 1.1.5.Final-redhat-1
>>>>> 12:45:03,585 INFO  [org.jboss.as] (MSC service thread 1-6)
>>>>> JBAS015899: JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) starting
>>>>> 12:45:03,975 ERROR [org.jboss.as.server] (Controller Boot Thread)
>>>>> JBAS015956: Caught exception during boot:
>>>>> org.jboss.as.controller.persistence.ConfigurationPersistenceException:
>>>>> JBAS014676: Failed to parse configuration
>>>>>         at
>>>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:141)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.server.ServerService.boot(ServerService.java:330)
>>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>>>> load module org.keycloak.keycloak-subsystem
>>>>>         at
>>>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:154)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.server.parsing.StandaloneXml.readServerElement_1_4(StandaloneXml.java:435)
>>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:145)
>>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:107)
>>>>> [jboss-as-server-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
>>>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>>>         at
>>>>> org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
>>>>> [staxmapper-1.1.0.Final-redhat-3.jar:1.1.0.Final-redhat-3]
>>>>>         at
>>>>> org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:133)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         ... 3 more
>>>>> Caused by: java.util.concurrent.ExecutionException:
>>>>> javax.xml.stream.XMLStreamException: JBAS014674: Failed to load module
>>>>>         at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>>>>> [rt.jar:1.7.0_75]
>>>>>         at java.util.concurrent.FutureTask.get(FutureTask.java:188)
>>>>> [rt.jar:1.7.0_75]
>>>>>         at
>>>>> org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:146)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         ... 9 more
>>>>> Caused by: javax.xml.stream.XMLStreamException: JBAS014674: Failed to
>>>>> load module
>>>>>         at
>>>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:195)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:68)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:126)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at
>>>>> org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:123)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>>>>> [rt.jar:1.7.0_75]
>>>>>         at
>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>> [rt.jar:1.7.0_75]
>>>>>         at
>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>> [rt.jar:1.7.0_75]
>>>>>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_75]
>>>>>         at org.jboss.threads.JBossThread.run(JBossThread.java:122)
>>>>> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
>>>>> Caused by: org.jboss.modules.ModuleNotFoundException:
>>>>> org.keycloak.keycloak-subsystem:main
>>>>>         at
>>>>> org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:240)
>>>>> [jboss-modules.jar:1.3.6.Final-redhat-1]
>>>>>         at
>>>>> org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:177)
>>>>> [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
>>>>>         ... 8 more
>>>>>
>>>>> 12:45:03,983 FATAL [org.jboss.as.server] (Controller Boot Thread)
>>>>> JBAS015957: Server boot has failed in an unrecoverable manner; exiting. See
>>>>> previous messages for details.
>>>>> 12:45:03,994 INFO  [org.jboss.as] (MSC service thread 1-5)
>>>>> JBAS015950: JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) stopped in
>>>>> 2ms
>>>>>
>>>>>
>>>>>
>>>>> What I'm doing wrong?
>>>>> I had a good experience using Keycloak with Widlfy but I still can't
>>>>> put it to work with JBoss EAP 6.4.
>>>>>
>>>>> Please, help me.
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Att,
>>> Paulo Jer?nimo
>>>
>>> Fone: (61) 9504-6178
>>>
>>
>>
>>
>> --
>> Att,
>> Paulo Jer?nimo
>>
>> Fone: (61) 9504-6178
>>
>
>
>
> --
> Att,
> Paulo Jer?nimo
>
> Fone: (61) 9504-6178
>



-- 
Att,
Paulo Jer?nimo

Fone: (61) 9504-6178
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150624/f2769995/attachment-0001.html 

From chamantha at outlook.com  Thu Jun 25 01:22:31 2015
From: chamantha at outlook.com (Chamantha De Silva)
Date: Thu, 25 Jun 2015 11:22:31 +0600
Subject: [keycloak-user] Update the user only with required fields
Message-ID: <BAY168-W73A6C0C3FCCCA890BB120AA9AE0@phx.gbl>

Hi Team,

There are situations that we use update user rest API, to update just one element of user (eg:  enabled : false etc.)  . 
This requires a pre fetched user object from the GET user call, other wise rest of the user information tend to be truncated after the update call. 

Is there a possibility to update only specific elements of the user instead of sending whole the user object (objective is to avoid the  GET call right before the update call and avoid possible tendency of data truncations )? Your kind reply is highly appreciated.

Best regards,
Chamantha
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/00d46562/attachment.html 

From Carsten.Saathoff at kisters.de  Thu Jun 25 03:14:11 2015
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Thu, 25 Jun 2015 09:14:11 +0200
Subject: [keycloak-user] Refresh token - should it expire?
In-Reply-To: <930619577.25055033.1435150818052.JavaMail.zimbra@redhat.com>
References: <55894807.9030507@kroehling.de>
	<1356259086.24285420.1435071057101.JavaMail.zimbra@redhat.com>
	<OF40FCA263.F4DB6613-ONC1257E6E.00275C1F-C1257E6E.002A7A9F@kisters.de>
	<930619577.25055033.1435150818052.JavaMail.zimbra@redhat.com>
Message-ID: <OF6C02FCEC.BF9618ED-ONC1257E6F.0024CD87-C1257E6F.0027C022@kisters.de>

Hi,

Stian Thorgersen <stian at redhat.com> wrote on 24/06/2015 15:00:18:

> We'll be adding service accounts in the near future, that'll provide
> a way for clients to obtain a token on behalf of themselves. There 
> will be a special linked user to the client. Clients can obtain this
> through the client credential grant (see oauth2 for more details) 
> and use a secret or pub/priv keypair to authenticate.

that sounds great.
 
> For a client to get a token on behalf of a user the user will have 
> to either enter username/pass in a cli and you'd use resource owner 
> credential grant (again see oauth2 for more details) or you'd use 
> the normal redirect based flow.
> 
> For the above once we add offline tokens this will only be required 
> as an initial setup as the "refresh token" will not expire until the
> user goes in and revokes access to the appliction. 

That's actually the initial setup that I would like to avoid. If we talk 
about social websites this flow makes absolute sense, as I as the user 
want to control what data can be accessed by external services. However, 
in an enterprise application the user shouldn't be bothered with single 
microservices IMO. Therefore, when I ask the user to authorise some 
arbitrary backend service to access some data, the user will probably be 
surprised or, even worse, confused.

Currently I only see three possible solutions:
1. Do it as you propose and implement the OAuth flow.
2. Add some additional API and options to allow clients to request access 
tokens on behalf of users (maybe with reduced privileges only).
3. Somehow let the service figure out the access rights of the user, e.g. 
by using the admin API (haven't really checked whether that would work at 
all).

I don't like 3 because a) I don't want to provide admin privileges to my 
services and b) I don't like the fact that authorisation would work 
differently in that case. I definitely prefer 2 over 1, because I think it 
will provide the best user experience. My hope was that there is some 
other option to handle that use case that I wasn't aware of.

As a general question, would such a feature fit into keycloak, or is out 
of consideration because it is not standardized?

best

Carsten
--------------------------------------------------------------------------------------------------------------------------------------------
 Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
Handelsregister Aachen, HRB-Nr. 7838 | Vorstand: Klaus Kisters, Hanns Kisters | Aufsichtsratsvorsitzender: Dr. Thomas Klevers
Phone: +49 441 93602 -257 | Fax: +49 441 93602 -222 | E-Mail: Carsten.Saathoff at kisters.de | WWW: http://www.kisters.de
--------------------------------------------------------------------------------------------------------------------------------------------
Diese E-Mail enth?lt vertrauliche und/oder rechtlich gesch?tzte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrt?mlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. 
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/5dc0fa8d/attachment.html 

From giovanni.baruzzi at syntlogo.de  Thu Jun 25 04:10:12 2015
From: giovanni.baruzzi at syntlogo.de (Giovanni Baruzzi)
Date: Thu, 25 Jun 2015 10:10:12 +0200
Subject: [keycloak-user] Error during "Synchronize all users" from an LDAP
	Server
In-Reply-To: <D1AE1E5F.1A67A%giovanni.baruzzi@syntlogo.de>
References: <D1ACCA06.1A5EC%giovanni.baruzzi@syntlogo.de>
	<D1AE1E5F.1A67A%giovanni.baruzzi@syntlogo.de>
Message-ID: <D1B18368.1A789%giovanni.baruzzi@syntlogo.de>

Marek,

Thank you for your attention.
It is sure in the same area. But as you see I used a very simple LDAP and only the attribute objectClass has multiple values.
Please tell me if you need further information about my setup.

Regards,
Giovanni


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/25a421b6/attachment.html 

From mposolda at redhat.com  Thu Jun 25 08:58:45 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 25 Jun 2015 14:58:45 +0200
Subject: [keycloak-user] Error during "Synchronize all users" from an
 LDAP Server
In-Reply-To: <D1B18368.1A789%giovanni.baruzzi@syntlogo.de>
References: <D1ACCA06.1A5EC%giovanni.baruzzi@syntlogo.de>	<D1AE1E5F.1A67A%giovanni.baruzzi@syntlogo.de>
	<D1B18368.1A789%giovanni.baruzzi@syntlogo.de>
Message-ID: <558BFB05.1030301@redhat.com>

Thanks.

Actually from your log you sent earlier, it seems that in your 
environment there is some LDAP user object with 2 values for "uid" 
attribute (or whatever attribute you have mapped as Username LDAP 
Attribute ). Those values are "adub", "sdub" . Can you please check if 
it's the case or not?

I am looking at it and hope to have fix by the end of this week. Will 
let you know once it's done.

Marek


On 25.6.2015 10:10, Giovanni Baruzzi wrote:
> Marek,
>
> Thank you for your attention.
> It is sure in the same area. But as you see I used a very simple LDAP 
> and only the attribute objectClass has multiple values.
> Please tell me if you need further information about my setup.
>
> Regards,
> Giovanni
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/27a01625/attachment.html 

From mposolda at redhat.com  Thu Jun 25 09:24:17 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 25 Jun 2015 15:24:17 +0200
Subject: [keycloak-user] Realm resolver
In-Reply-To: <COL126-W9C80736AEA1195E59D9A3B5AF0@phx.gbl>
References: <COL126-W9C80736AEA1195E59D9A3B5AF0@phx.gbl>
Message-ID: <558C0101.1010500@redhat.com>

There might be possibility to address this with Servlet filter, which 
will redirect you to the page where you can ask for the email. Only 
thing is, that servlet filters are triggered later than the 
authentication code on adapter side, so the filter itself would likely 
need to be mapped to unsecured URI.

Other possibility is that we will improve the KeycloakConfigResolver, so 
it has access to the response (not just request like it's now) and have 
possibility to redirect response. But in that case, we need to do some 
refactoring on the adapter side, so all the code to resolve 
KeycloakDeployment will need to check if response is redirected and 
finish the request processing in that case. Not sure if it's the way to 
go TBH... But you can create JIRA and we can try to take a look (or you 
can try to propose PR)

Marek


On 24.6.2015 20:34, Bellan Saravanan wrote:
> We're using KeycloakConfigResolver to resolve the realm based on the 
> request URI. But if we are unable to resolve to a specific realm we 
> want forward the user to a page where she can enter the email address 
> from which we can figure out the user's realm.
>
> Since KeycloakConfigResolver cannot be used to redirect the request, 
> any suggestions are how to forward to the page to manual resolution? 
> We are using the Keycloak wildfly adapter.
>
> Thanks,
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/d08bd195/attachment-0001.html 

From mposolda at redhat.com  Thu Jun 25 09:30:24 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 25 Jun 2015 15:30:24 +0200
Subject: [keycloak-user] KeyCloak and JBoss 6.3.3 / JDK1.8
In-Reply-To: <BLUPR05MB961D216FA7ABA1E1EDA55B9C3AF0@BLUPR05MB961.namprd05.prod.outlook.com>
References: <BLUPR05MB961D216FA7ABA1E1EDA55B9C3AF0@BLUPR05MB961.namprd05.prod.outlook.com>
Message-ID: <558C0270.108@redhat.com>

For the keycloak server side, we support latest 1.3.1 version running on 
EAP 6.4 but maybe EAP 6.3.3 works as well (I am assuming by "JBoss 
6.3.3" you meant "JBoss EAP 6.3.3" ). You can try to use overlay with 
6.3.3 and you will see...

For the adapter side, we support running your applications on EAP 6.3.3.

JDK 1.8 should work fine.

Marek

On 24.6.2015 18:30, Tom Nuernberger wrote:
>
> Does KeyClock run successfully using:
>
>                 JDK1.8
>
>                 JBoss 6.3.3
>
> And if so, what version of KeyClock.
>
> Thanks.
>
> /Tom W. Nuernberger/
>
> Programmer Analyst IV
>
> Texas Commission on Environmental Quality
>
> 12100 Park 35 Circle | Bldg. A | Austin, TX 78753
>
> (512) 239-0895
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/190f010d/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 2402 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/190f010d/attachment.jpe 

From stian at redhat.com  Thu Jun 25 10:14:22 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Jun 2015 10:14:22 -0400 (EDT)
Subject: [keycloak-user] Customizing the register user flow
In-Reply-To: <BAY168-W1211A5871D5298D418CF59AA9AF0@phx.gbl>
References: <BAY168-W1211A5871D5298D418CF59AA9AF0@phx.gbl>
Message-ID: <2015279953.26079810.1435241662147.JavaMail.zimbra@redhat.com>

You can link directly to the registration page instead of the login page. For openid connect you just replace '../auth' with '../registrations' to do that.

What adapter are you using?

----- Original Message -----
> From: "Chamantha De Silva" <chamantha at outlook.com>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 24 June, 2015 6:28:03 AM
> Subject: [keycloak-user] Customizing the register user flow
> 
> Hi Team,
> I have requirement to users to go to registration flow directly instead of
> going through the login page. Currently user does not go directly to the
> registration page. I checked for possibilities at configuration changes on
> admin console level but I didn't get any supporting documents.
> 
> Can I get this requirement fulfilled with a minimal effort ?
> Currently started to research on getting the code it needs to along with the
> register URL
> 
> 
> 1. Is this code an authorization code ?
> 2. If yes there a document providing those information
> 
> Your kind advice is much appreciated.
> 
> Best Regards,
> Chamantha
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Thu Jun 25 10:17:42 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Jun 2015 10:17:42 -0400 (EDT)
Subject: [keycloak-user] Use Keycloak for CAS based application
In-Reply-To: <CAK2HbcyjUzPOWVb3OknnyWXjunODwYdZrJJtftA11wbjDCdN_Q@mail.gmail.com>
References: <CAK2HbcyjUzPOWVb3OknnyWXjunODwYdZrJJtftA11wbjDCdN_Q@mail.gmail.com>
Message-ID: <1553541807.26081476.1435241862612.JavaMail.zimbra@redhat.com>

I assume the third party app is a web app that authenticates with a CAS server (not a CAS server that provides CAS auth)?

In either case we don't support CAS and we don't intend to add this. We have a protocol SPI so you could in theory add it yourself, but I'm pretty sure that's not something you're going to want to do.

Does the third party app you have not have support for OpenID Connect or SAML? Does it have pluggable auth mechanims?

----- Original Message -----
> From: "Sadiq Khoja" <sadiqkhoja at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 24 June, 2015 7:07:37 AM
> Subject: [keycloak-user] Use Keycloak for CAS based application
> 
> Hi,
> 
> I have a third party application which provides CAS based authentication for
> SSO. How can I use Keycloak for authentication of users and access to that
> application?
> 
> ?
> Regards,
> ??
> Sadiq Khoja
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From stian at redhat.com  Thu Jun 25 10:19:21 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Jun 2015 10:19:21 -0400 (EDT)
Subject: [keycloak-user] Automatic Social Account Linking
In-Reply-To: <CAPj1eSxu1048_K2SxcfSd4g6mw_HTYXCPm76PhOCH6tuzDzQXQ@mail.gmail.com>
References: <CAPj1eSxu1048_K2SxcfSd4g6mw_HTYXCPm76PhOCH6tuzDzQXQ@mail.gmail.com>
Message-ID: <610441686.26082295.1435241961268.JavaMail.zimbra@redhat.com>

Ideally the flow we wanted is that if someone tries to login with another social network and the email already exists, we'd just ask the user to authenticate as the existing user and the user would be linked.

It's something we've planned for a while, but not had the time to do yet.

----- Original Message -----
> From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Wednesday, 24 June, 2015 9:59:08 AM
> Subject: [keycloak-user] Automatic Social Account Linking
> 
> Hi,
> 
> As per the current behavior, linking multiple social accounts is a process
> done manually. Is there an option where we can enable automatic social
> account linking if the email is the same? Or is it something that has to be
> implemented separately?
> 
> 
> Regards,
> Lohitha.
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Thu Jun 25 10:20:53 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Jun 2015 10:20:53 -0400 (EDT)
Subject: [keycloak-user] Update the user only with required fields
In-Reply-To: <BAY168-W73A6C0C3FCCCA890BB120AA9AE0@phx.gbl>
References: <BAY168-W73A6C0C3FCCCA890BB120AA9AE0@phx.gbl>
Message-ID: <1490204236.26083427.1435242053103.JavaMail.zimbra@redhat.com>

You can just send the user json and only include the attributes you want to change.

----- Original Message -----
> From: "Chamantha De Silva" <chamantha at outlook.com>
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, 25 June, 2015 1:22:31 AM
> Subject: [keycloak-user] Update the user only with required fields
> 
> Hi Team,
> 
> There are situations that we use update user rest API, to update just one
> element of user (eg: enabled : false etc.) .
> This requires a pre fetched user object from the GET user call, other wise
> rest of the user information tend to be truncated after the update call.
> 
> Is there a possibility to update only specific elements of the user instead
> of sending whole the user object (objective is to avoid the GET call right
> before the update call and avoid possible tendency of data truncations )?
> Your kind reply is highly appreciated.
> 
> Best regards,
> Chamantha
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Thu Jun 25 10:22:52 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Jun 2015 10:22:52 -0400 (EDT)
Subject: [keycloak-user] Realm resolver
In-Reply-To: <558C0101.1010500@redhat.com>
References: <COL126-W9C80736AEA1195E59D9A3B5AF0@phx.gbl>
	<558C0101.1010500@redhat.com>
Message-ID: <668070514.26084682.1435242172949.JavaMail.zimbra@redhat.com>

An alternative would be to use identity brokering. You'd have a main realm that had identity brokers for the other realms.

We plan to add an option where the user only has to enter username first. Then you can auto-redirect to a identity broker based on email domain.

----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Bellan Saravanan" <sarbx at hotmail.com>, keycloak-user at lists.jboss.org
> Sent: Thursday, 25 June, 2015 9:24:17 AM
> Subject: Re: [keycloak-user] Realm resolver
> 
> There might be possibility to address this with Servlet filter, which will
> redirect you to the page where you can ask for the email. Only thing is,
> that servlet filters are triggered later than the authentication code on
> adapter side, so the filter itself would likely need to be mapped to
> unsecured URI.
> 
> Other possibility is that we will improve the KeycloakConfigResolver, so it
> has access to the response (not just request like it's now) and have
> possibility to redirect response. But in that case, we need to do some
> refactoring on the adapter side, so all the code to resolve
> KeycloakDeployment will need to check if response is redirected and finish
> the request processing in that case. Not sure if it's the way to go TBH...
> But you can create JIRA and we can try to take a look (or you can try to
> propose PR)
> 
> Marek
> 
> 
> On 24.6.2015 20:34, Bellan Saravanan wrote:
> 
> 
> 
> We're using KeycloakConfigResolver to resolve the realm based on the request
> URI. But if we are unable to resolve to a specific realm we want forward the
> user to a page where she can enter the email address from which we can
> figure out the user's realm.
> 
> Since KeycloakConfigResolver cannot be used to redirect the request, any
> suggestions are how to forward to the page to manual resolution? We are
> using the Keycloak wildfly adapter.
> 
> Thanks,
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stian at redhat.com  Thu Jun 25 10:23:57 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 25 Jun 2015 10:23:57 -0400 (EDT)
Subject: [keycloak-user] KeyCloak and JBoss 6.3.3 / JDK1.8
In-Reply-To: <558C0270.108@redhat.com>
References: <BLUPR05MB961D216FA7ABA1E1EDA55B9C3AF0@BLUPR05MB961.namprd05.prod.outlook.com>
	<558C0270.108@redhat.com>
Message-ID: <566064914.26085257.1435242237988.JavaMail.zimbra@redhat.com>



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Tom Nuernberger" <Tom.Nuernberger at tceq.texas.gov>, keycloak-user at lists.jboss.org
> Sent: Thursday, 25 June, 2015 9:30:24 AM
> Subject: Re: [keycloak-user] KeyCloak and JBoss 6.3.3 / JDK1.8
> 
> For the keycloak server side, we support latest 1.3.1 version running on EAP
> 6.4 but maybe EAP 6.3.3 works as well (I am assuming by "JBoss 6.3.3" you
> meant "JBoss EAP 6.3.3" ). You can try to use overlay with 6.3.3 and you
> will see...

We don't support EAP 6.3.x for server. Server requires 6.4. Once EAP 7.0 is out, the server will require EAP 7.

> 
> For the adapter side, we support running your applications on EAP 6.3.3.
> 
> JDK 1.8 should work fine.
> 
> Marek
> 
> On 24.6.2015 18:30, Tom Nuernberger wrote:
> 
> 
> 
> 
> 
> Does KeyClock run successfully using:
> 
> 
> 
> JDK1.8
> 
> JBoss 6.3.3
> 
> 
> 
> And if so, what version of KeyClock.
> 
> 
> 
> Thanks.
> 
> 
> 
> Tom W. Nuernberger
> 
> Programmer Analyst IV
> 
> Texas Commission on Environmental Quality
> 
> 12100 Park 35 Circle | Bldg. A | Austin, TX 78753
> 
> (512) 239-0895
> 
> 
> 
> 
> 
> 
> _______________________________________________
> keycloak-user mailing list keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From chenkeong.yap at izeno.com  Thu Jun 25 18:11:18 2015
From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com)
Date: Fri, 26 Jun 2015 06:11:18 +0800
Subject: [keycloak-user] invalidate application session using glo
Message-ID: <0EFC1219-D82D-4AF9-B794-D368C47F287C@izeno.com>

Hi,

iam using picketlink sp filter to secure my applications. when performing global logout, sp session is invalidated but individual application session still alive. In order to invalidate application session, i need the jsessionid. so do i need to store the jsessionid and userid mapping in keycloak and how that can be done?

Regards,
CK Yap

From juandiego83 at gmail.com  Thu Jun 25 19:14:49 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 25 Jun 2015 18:14:49 -0500
Subject: [keycloak-user] public rest services
Message-ID: <CAJGEj6fWb9k_5txH8sMYWhRRLn=VTbd-OP=xsXk9_V+XkKi5Xw@mail.gmail.com>

I have some services that should be public, I am allowing anonymous users
in my page.  They should be able to  access some minor features of my site.
Should I create another security-constrain for public users, is there a way
to create a public role and get a token for that.
Or that is more like creating a role for an app, maybe I understood that
part wrong.

Thanks.

Juan Diego
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150625/637d0137/attachment.html 

From chenkeong.yap at izeno.com  Thu Jun 25 20:51:08 2015
From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com)
Date: Fri, 26 Jun 2015 08:51:08 +0800
Subject: [keycloak-user] invalidate application session using glo
In-Reply-To: <0EFC1219-D82D-4AF9-B794-D368C47F287C@izeno.com>
References: <0EFC1219-D82D-4AF9-B794-D368C47F287C@izeno.com>
Message-ID: <8DF1081C-2DEE-447C-9A3D-CD72E48259BF@izeno.com>

hi,

iam just wondering can implement a custom session listener just to invalidate the app session id by username? kindly share your opinions please

Regards,
CK Yap

> On 26 Jun 2015, at 6:11 am, chenkeong.yap at izeno.com wrote:
> 
> Hi,
> 
> iam using picketlink sp filter to secure my applications. when performing global logout, sp session is invalidated but individual application session still alive. In order to invalidate application session, i need the jsessionid. so do i need to store the jsessionid and userid mapping in keycloak and how that can be done?
> 
> Regards,
> CK Yap


From chamantha at outlook.com  Fri Jun 26 01:18:08 2015
From: chamantha at outlook.com (Chamantha De Silva)
Date: Fri, 26 Jun 2015 11:18:08 +0600
Subject: [keycloak-user] Update the user only with required fields
In-Reply-To: <1490204236.26083427.1435242053103.JavaMail.zimbra@redhat.com>
References: <BAY168-W73A6C0C3FCCCA890BB120AA9AE0@phx.gbl>,
	<1490204236.26083427.1435242053103.JavaMail.zimbra@redhat.com>
Message-ID: <BAY168-W85ADBAA90A159FBBEB1612A9AD0@phx.gbl>

Hi Stain,

Thank you for your response, we are using Keycloak 1.2.0 final and in that version we do have that problem. If we update only particular element in user update call it will truncate (turn to default values in some cases eg : boolean).

Best Regards,
Chamantha 

> Date: Thu, 25 Jun 2015 10:20:53 -0400
> From: stian at redhat.com
> To: chamantha at outlook.com
> CC: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Update the user only with required fields
> 
> You can just send the user json and only include the attributes you want to change.
> 
> ----- Original Message -----
> > From: "Chamantha De Silva" <chamantha at outlook.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Thursday, 25 June, 2015 1:22:31 AM
> > Subject: [keycloak-user] Update the user only with required fields
> > 
> > Hi Team,
> > 
> > There are situations that we use update user rest API, to update just one
> > element of user (eg: enabled : false etc.) .
> > This requires a pre fetched user object from the GET user call, other wise
> > rest of the user information tend to be truncated after the update call.
> > 
> > Is there a possibility to update only specific elements of the user instead
> > of sending whole the user object (objective is to avoid the GET call right
> > before the update call and avoid possible tendency of data truncations )?
> > Your kind reply is highly appreciated.
> > 
> > Best regards,
> > Chamantha
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150626/8a3d6ca6/attachment.html 

From chamantha at outlook.com  Fri Jun 26 01:41:33 2015
From: chamantha at outlook.com (Chamantha De Silva)
Date: Fri, 26 Jun 2015 11:41:33 +0600
Subject: [keycloak-user] Customizing the register user flow
In-Reply-To: <2015279953.26079810.1435241662147.JavaMail.zimbra@redhat.com>
References: <BAY168-W1211A5871D5298D418CF59AA9AF0@phx.gbl>,
	<2015279953.26079810.1435241662147.JavaMail.zimbra@redhat.com>
Message-ID: <BAY168-W10832BC7340B2B53CB278B0A9AD0@phx.gbl>

Hi Stain,

Thank you for your response and it works like a charm. 

We are using Tomcat Adapter for our applications.

Best Regards,
Chamantha

> Date: Thu, 25 Jun 2015 10:14:22 -0400
> From: stian at redhat.com
> To: chamantha at outlook.com
> CC: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Customizing the register user flow
> 
> You can link directly to the registration page instead of the login page. For openid connect you just replace '../auth' with '../registrations' to do that.
> 
> What adapter are you using?
> 
> ----- Original Message -----
> > From: "Chamantha De Silva" <chamantha at outlook.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Wednesday, 24 June, 2015 6:28:03 AM
> > Subject: [keycloak-user] Customizing the register user flow
> > 
> > Hi Team,
> > I have requirement to users to go to registration flow directly instead of
> > going through the login page. Currently user does not go directly to the
> > registration page. I checked for possibilities at configuration changes on
> > admin console level but I didn't get any supporting documents.
> > 
> > Can I get this requirement fulfilled with a minimal effort ?
> > Currently started to research on getting the code it needs to along with the
> > register URL
> > 
> > 
> > 1. Is this code an authorization code ?
> > 2. If yes there a document providing those information
> > 
> > Your kind advice is much appreciated.
> > 
> > Best Regards,
> > Chamantha
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150626/fe860d48/attachment.html 

From kalc04 at gmail.com  Fri Jun 26 02:34:46 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 26 Jun 2015 12:04:46 +0530
Subject: [keycloak-user] Automatic Social Account Linking
In-Reply-To: <610441686.26082295.1435241961268.JavaMail.zimbra@redhat.com>
References: <CAPj1eSxu1048_K2SxcfSd4g6mw_HTYXCPm76PhOCH6tuzDzQXQ@mail.gmail.com>
	<610441686.26082295.1435241961268.JavaMail.zimbra@redhat.com>
Message-ID: <CAPj1eSxS7YdUCnfpq6FdpfbBGo6P1p_2MHquE-yvsH_rqyKZiQ@mail.gmail.com>

Thanks Stian.

This could come up as a requirement from our clients, hence the question.
We will go through the Keycloak code and check if this can be easily
implemented.


Regards,
Lohitha.

On Thu, Jun 25, 2015 at 7:49 PM, Stian Thorgersen <stian at redhat.com> wrote:

> Ideally the flow we wanted is that if someone tries to login with another
> social network and the email already exists, we'd just ask the user to
> authenticate as the existing user and the user would be linked.
>
> It's something we've planned for a while, but not had the time to do yet.
>
> ----- Original Message -----
> > From: "Lohitha Chiranjeewa" <kalc04 at gmail.com>
> > To: "keycloak-user" <keycloak-user at lists.jboss.org>
> > Sent: Wednesday, 24 June, 2015 9:59:08 AM
> > Subject: [keycloak-user] Automatic Social Account Linking
> >
> > Hi,
> >
> > As per the current behavior, linking multiple social accounts is a
> process
> > done manually. Is there an option where we can enable automatic social
> > account linking if the email is the same? Or is it something that has to
> be
> > implemented separately?
> >
> >
> > Regards,
> > Lohitha.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150626/5d9d286b/attachment.html 

From mposolda at redhat.com  Fri Jun 26 03:33:49 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 26 Jun 2015 09:33:49 +0200
Subject: [keycloak-user] public rest services
In-Reply-To: <CAJGEj6fWb9k_5txH8sMYWhRRLn=VTbd-OP=xsXk9_V+XkKi5Xw@mail.gmail.com>
References: <CAJGEj6fWb9k_5txH8sMYWhRRLn=VTbd-OP=xsXk9_V+XkKi5Xw@mail.gmail.com>
Message-ID: <558D005D.6020509@redhat.com>

IMO the easiest option is to create security-constraints in web.xml just 
for the REST endpoints, which are supposed to be secured . Then the 
public endpoints, which won't be mapped in web.xml can be accessed by 
anonymous user.

Marek

On 26.6.2015 01:14, Juan Diego wrote:
> I have some services that should be public, I am allowing anonymous 
> users in my page.  They should be able to  access some minor features 
> of my site.
> Should I create another security-constrain for public users, is there 
> a way to create a public role and get a token for that.
> Or that is more like creating a role for an app, maybe I understood 
> that part wrong.
>
> Thanks.
>
> Juan Diego
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150626/1f4fc3e2/attachment-0001.html 

From davidillsley at gmail.com  Fri Jun 26 03:37:44 2015
From: davidillsley at gmail.com (David Illsley)
Date: Fri, 26 Jun 2015 08:37:44 +0100
Subject: [keycloak-user] Running Keycloak as a 12factor app/on a Heroku-like
	PaaS
Message-ID: <CA+E3Fw0hyPY2vZdBXE6gKO27x41ycD5gVY0xWmn3tmDw3sqKDQ@mail.gmail.com>

Hi all,
Does anyone have any experience running Keycloak as a 12-factor app? On a
PaaS like Heroku or Cloud Foundry? And happen to have
scripts/instructions/war stories/a buildpack to share?
Cheers,
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150626/945bf1d3/attachment.html 

From juandiego83 at gmail.com  Fri Jun 26 18:12:43 2015
From: juandiego83 at gmail.com (Juan Diego)
Date: Fri, 26 Jun 2015 17:12:43 -0500
Subject: [keycloak-user] Angular Product app do over
Message-ID: <CAJGEj6fMjDc7t-a37+8oE2gc0BQkCbtj0vufh4rPxsoRKM9KUw@mail.gmail.com>

Hi
I am not much of an angular expert ( i have being working with angular for
a month), but after working with keycloak and angular, I  wanted to give
the angular product app a do over, I dont like that the app depends too
much on angular.element(document).ready,  and that you have javascript
variables outside angular objects.  Also responseInterceptors are completly
deprecated with angular 1.4.  So I tried to update the code to the best of
my limited abilities.
This the app.js
https://gist.github.com/jdc18/7b8ca0c4bf8a4cdbfdbf
This is the index.html,
https://gist.github.com/jdc18/cd8ccd1c430a293c3439

I can clean the code up so it can work like the angular-product-app, but I
tried to make it work with best practices and using providers to set te
configuration.
Also I set it up to use check-sso and added a login button, I think this
example might be more helpfull for mid level users of keycloak, to explain
how to make it work.

I was going to submit this to dev forum but I thought I should ask users to
test it a little bit.

I am open to changes.

Thanks,

Juan Diego
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150626/cac71228/attachment.html 

From shanloid at gmail.com  Mon Jun 29 00:47:29 2015
From: shanloid at gmail.com (Shannon Lloyd)
Date: Mon, 29 Jun 2015 14:47:29 +1000
Subject: [keycloak-user] Keycloak suitability in microservice-based platform
Message-ID: <CAHAPd=CcAp_V0M0G8aG+17nfwp9zzsU9OCcO_Csybxm7RVSCdQ@mail.gmail.com>

Hi,

We are evaluating Keycloak for possible use in a microservices-based SaaS
platform that we are building, and I have a few questions around the
suitability of Keycloak within the architecture that we are planning on
using.

Briefly, we will have a handful of end-user applications with their own UIs
and a large number of backend services with which those UIs will speak.
Some of those services will act as aggregating/gateway services which will
delegate to other services further downstream, so there will be a lot of
service-to-service comms. Our design currently calls for each logical
application (i.e. a UI plus a handful of supporting services) to have its
own set of roles that make sense within the context of that application.
Because many/most roles will only make sense in that one context, it does
not make sense for a user's token to contain all possible roles across the
entire realm (the tokens would be insanely large). We came up with the idea
of having an authentication/identity token (containing no
application-specific roles) to represent the logged in user, and then
passing this token to downstream services which would then (e.g. via a
filter in front of that service) retrieve and cache application-specific
tokens (with roles) from the SSO service for that combination of
authenticated identity and application/client (relying on the fact that the
identity token is valid and not expired as proof of an active session).

Firstly, does this seem like a reasonable approach?

Secondly, how much support is there in Keycloak to support something like
this? We are not using an app server, so it doesn't appear to be a simple
case of leveraging one of the existing adapters. We have a custom
Java(-SE)-based framework (happens to use Undertow for HTTP, but only
undertow-core). What support exists for custom, programmatic authentication
and JWT retrieval outside of the set of adapters provided in the Keycloak
distribution? Are there any examples along these lines? Is it a case of us
needing to trawl through all the REST endpoints exposed via
keycloak-services to figure out what is do-able, or are the non-admin
endpoints documented somewhere in the same way that the admin endpoints
have been documented?

I noticed this on the Keycloak blog about a month ago:

If a service needs to invoke another service it can pass on the token it
received, which will invoke the other service with the users permissions.
Soon we'll add support for services to authenticate directly with Keycloak
to be able to invoke other services with their own permissions, not just on
behalf of users.

Is there any news on these plans? It sounds like the sort of thing that we
would require.

Cheers,
Shannon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150629/34c556ae/attachment.html 

From bburke at redhat.com  Mon Jun 29 07:10:04 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 29 Jun 2015 07:10:04 -0400
Subject: [keycloak-user] Keycloak suitability in microservice-based
	platform
In-Reply-To: <CAHAPd=CcAp_V0M0G8aG+17nfwp9zzsU9OCcO_Csybxm7RVSCdQ@mail.gmail.com>
References: <CAHAPd=CcAp_V0M0G8aG+17nfwp9zzsU9OCcO_Csybxm7RVSCdQ@mail.gmail.com>
Message-ID: <5591278C.4020508@redhat.com>



On 6/29/2015 12:47 AM, Shannon Lloyd wrote:
> Hi,
>
> We are evaluating Keycloak for possible use in a microservices-based
> SaaS platform that we are building, and I have a few questions around
> the suitability of Keycloak within the architecture that we are planning
> on using.
>
> Briefly, we will have a handful of end-user applications with their own
> UIs and a large number of backend services with which those UIs will
> speak. Some of those services will act as aggregating/gateway services
> which will delegate to other services further downstream, so there will
> be a lot of service-to-service comms. Our design currently calls for
> each logical application (i.e. a UI plus a handful of supporting
> services) to have its own set of roles that make sense within the
> context of that application. Because many/most roles will only make
> sense in that one context, it does not make sense for a user's token to
> contain all possible roles across the entire realm (the tokens would be
> insanely large). We came up with the idea of having an
> authentication/identity token (containing no application-specific roles)
> to represent the logged in user, and then passing this token to
> downstream services which would then (e.g. via a filter in front of that
> service) retrieve and cache application-specific tokens (with roles)
> from the SSO service for that combination of authenticated identity and
> application/client (relying on the fact that the identity token is valid
> and not expired as proof of an active session).
>

I don't think you need to do that.  In Keycloak each token is built 
specifically and tailor made for each client and you have complete 
control over what goes into the token via the client's Scope and Mappers.

> Firstly, does this seem like a reasonable approach?
>
> Secondly, how much support is there in Keycloak to support something
> like this? We are not using an app server, so it doesn't appear to be a
> simple case of leveraging one of the existing adapters. We have a custom
> Java(-SE)-based framework (happens to use Undertow for HTTP, but only
> undertow-core). What support exists for custom, programmatic
> authentication and JWT retrieval outside of the set of adapters provided
> in the Keycloak distribution? Are there any examples along these lines?
> Is it a case of us needing to trawl through all the REST endpoints
> exposed via keycloak-services to figure out what is do-able, or are the
> non-admin endpoints documented somewhere in the same way that the admin
> endpoints have been documented?
>

Tokens are just JWTs wrapped in a JWS.  Since you're using Undertow, I 
think it is possible to use our adapter.  I'd have to do some research 
to remember how, but our Security Proxy does something very similar if 
you want to look at that code.  Our Security Proxy is just Undertow set 
up with a handler chain which is what you probably want.


> I noticed this on the Keycloak blog about a month ago:
>
> If a service needs to invoke another service it can pass on the token it
> received, which will invoke the other service with the users
> permissions. Soon we'll add support for services to authenticate
> directly with Keycloak to be able to invoke other services with their
> own permissions, not just on behalf of users.
>

Marek is work on that the next few weeks.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From daduev.ad at gmail.com  Mon Jun 29 08:02:04 2015
From: daduev.ad at gmail.com (Adam Daduev)
Date: Mon, 29 Jun 2015 15:02:04 +0300
Subject: [keycloak-user] How read added mapper attribute from ldap?
Message-ID: <CACKoP8FS=U16N+B6sfCivb4LBS0k8NH4dj29F2i4beQCUzmNTg@mail.gmail.com>

Hi.
I try use new feature of keycloak 1.3.1, i added new attribute, like
department, but i can not get it in my web bean, i try get new attribute
from KeycloakSecurityContext, but con not found.
How can i get my new added atribute?
Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150629/3e2b7072/attachment.html 

From kevin.thorpe at p-i.net  Mon Jun 29 08:22:09 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Mon, 29 Jun 2015 13:22:09 +0100
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To: <CACKoP8FS=U16N+B6sfCivb4LBS0k8NH4dj29F2i4beQCUzmNTg@mail.gmail.com>
References: <CACKoP8FS=U16N+B6sfCivb4LBS0k8NH4dj29F2i4beQCUzmNTg@mail.gmail.com>
Message-ID: <CAFMa6Bb=yn1cmA2zGOUph+S+DhVVBR=S+ymSvP=TdNXZfw1ZEw@mail.gmail.com>

There are two mappings here

Firstly you need an attribute mapper in user federation. This maps an LAP
attribute to a Keycloak one.
I don't think this works on existing users though. Try creating a new LDAP
user and log in as that user to test this.
Check the log. In my case it's at /var/log/wildfly/console.log but might
have been moved there by one of our devs.
Check USER_ATTRIBUTES table in the database. You should have a line for
your new attribute for your new user.
I know this doesn't work for multi-attribute values. eg we have an
'applications' attribute which users will have several entries.

Secondly you need to map the user attribute you created above to the JWT
token
This is under your client application definition.
You need a 'user attribute' not 'property' mapper to map the new keycloak
user attribute to a value in the token(s)
You also need to turn it on for either the id token or access token
depending on where your client expects it.






*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 29 June 2015 at 13:02, Adam Daduev <daduev.ad at gmail.com> wrote:

> Hi.
> I try use new feature of keycloak 1.3.1, i added new attribute, like
> department, but i can not get it in my web bean, i try get new attribute
> from KeycloakSecurityContext, but con not found.
> How can i get my new added atribute?
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150629/9ac7f991/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150629/9ac7f991/attachment-0002.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150629/9ac7f991/attachment-0003.jpg 

From nielsbne at gmail.com  Mon Jun 29 11:30:51 2015
From: nielsbne at gmail.com (Niels Bertram)
Date: Tue, 30 Jun 2015 01:30:51 +1000
Subject: [keycloak-user] keycloak 1.3.1 OpenID Connect token introspection
	url
Message-ID: <CAPLPygn+QS0cM9zyxUGqiyEPn1Z_RB7u=gu61H4pj6h4CM_5ww@mail.gmail.com>

Hi there,

I am trying to configure a server side (RP) client which requires a JWT
introspection URL on the OP. I tried to find such endpoint on the KeyCloak
server without avail neither did I actually find any url of type
"introspect" in the OpenID Connect Specification.

Does anyone know if/how a OAuth2 client can validate a JWT token via a back
channel with the KeyCloak server?

The client I am trying to configure is the MITREid client as per
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config

Looking at the code, the client will issue a post to the introspection
endpoint with some form data:

POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
Host: localhost:8080
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[trunkated but
valid access token]

Any pointers are much appreciated.

Kind Regards,
Niels
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/e47e0aa2/attachment.html 

From gregj at thesoftwarecottage.com.au  Tue Jun 30 02:06:47 2015
From: gregj at thesoftwarecottage.com.au (Greg Jones)
Date: Tue, 30 Jun 2015 16:06:47 +1000
Subject: [keycloak-user] User Registration using UserFederationProvider
Message-ID: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au>

Hi Team,

We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.

The next step was to use the back-end server for user registrations and this is where we are having problems.

We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider?s register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.

For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.

Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:

1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
2. As mentioned, the federation provider?s register method is called before the additional fields are added to the UserModel.
3. There is no way for the federation provider?s register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing ?Internal Server Error?.

I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.

Thanks in advance,
Greg Jones

From kalc04 at gmail.com  Tue Jun 30 02:37:31 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Tue, 30 Jun 2015 12:07:31 +0530
Subject: [keycloak-user] Importing an Application (Client) into an Existing
	Realm
Message-ID: <CAPj1eSy_x71tnhLMuNk9mANKkb-rH=8G19nm7CnBLsbVP+9NZA@mail.gmail.com>

Hi,

We get the need to create applications (clients) from time to time in our
already existing realm. Since these clients have to be created in all the
environments (dev, QA, staging, production) we'd like it to be (partly)
automated rather than creating them through Admin console in each
environment.

We've seen an 'Import Client' option in the Clients section in the Admin
console, but not sure how to create the initial client so that it can be
imported. The only import type is 'SAML 2.0 Entity Descriptor', which we
aren't sure about as well. Can someone point out how we should continue to
build the initial client here?

Also, if there is an option to update the existing realm with the 'Export
Realm' facility, that would do as well. However that's not possible I
suppose?


Regards,
Lohitha.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/02a732f2/attachment.html 

From orestis.tsakiridis at telestax.com  Tue Jun 30 03:50:39 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 30 Jun 2015 10:50:39 +0300
Subject: [keycloak-user] Maximum number of clients (applications) in a realm
Message-ID: <CABjN769poCsF=OE=DstJT0VX=6mF3kytkxS1KPTGEAiD97uf0A@mail.gmail.com>

Hi all,

Is there a limit in the maximum number of clients/applications in single
realm supported by keycloak?

I can see that the keycloak admin UI is not built with a big number in
mind. For instance, when assigning "Client roles" to a realm user there is
a dropdown with all clients/applications in the realm. I guess this
shouldn't grow too big to be usuable.

I'm working on a scenario where i need to implement authorization in a
system where new machines (and their respective keycloak applications) will
be added on the fly. So i'm worying about what will happen if the number
starts to grow.


Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/daf0d846/attachment.html 

From mposolda at redhat.com  Tue Jun 30 07:44:11 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 30 Jun 2015 13:44:11 +0200
Subject: [keycloak-user] Maximum number of clients (applications) in a
 realm
In-Reply-To: <CABjN769poCsF=OE=DstJT0VX=6mF3kytkxS1KPTGEAiD97uf0A@mail.gmail.com>
References: <CABjN769poCsF=OE=DstJT0VX=6mF3kytkxS1KPTGEAiD97uf0A@mail.gmail.com>
Message-ID: <5592810B.2000204@redhat.com>

How much clients you have in mind?

Theoretically there is no any limit. At least at database level. Fact is 
that we didn't try to test admin console UI with very big number of 
clients. Feel free to create JIRA if you're seeing issues.

Another approach is to design your deployment so the number of clients 
is not too big. For example when adding new "machine" you can reuse 
already created clients (not sure if it's the approach which works for 
you, just a possible hint...)

Marek

On 30.6.2015 09:50, Orestis Tsakiridis wrote:
> Hi all,
>
> Is there a limit in the maximum number of clients/applications in 
> single realm supported by keycloak?
>
> I can see that the keycloak admin UI is not built with a big number in 
> mind. For instance, when assigning "Client roles" to a realm user 
> there is a dropdown with all clients/applications in the realm. I 
> guess this shouldn't grow too big to be usuable.
>
> I'm working on a scenario where i need to implement authorization in a 
> system where new machines (and their respective keycloak applications) 
> will be added on the fly. So i'm worying about what will happen if the 
> number starts to grow.
>
>
> Thanks
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/ee4e54b0/attachment.html 

From mposolda at redhat.com  Tue Jun 30 07:51:56 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 30 Jun 2015 13:51:56 +0200
Subject: [keycloak-user] Importing an Application (Client) into an
 Existing Realm
In-Reply-To: <CAPj1eSy_x71tnhLMuNk9mANKkb-rH=8G19nm7CnBLsbVP+9NZA@mail.gmail.com>
References: <CAPj1eSy_x71tnhLMuNk9mANKkb-rH=8G19nm7CnBLsbVP+9NZA@mail.gmail.com>
Message-ID: <559282DC.4010503@redhat.com>

On 30.6.2015 08:37, Lohitha Chiranjeewa wrote:
> Hi,
>
> We get the need to create applications (clients) from time to time in 
> our already existing realm. Since these clients have to be created in 
> all the environments (dev, QA, staging, production) we'd like it to be 
> (partly) automated rather than creating them through Admin console in 
> each environment.
In that case, I would create some admin client utility, which will 
invoke REST endpoints for create new client into each realm 
(environment) you want.
>
> We've seen an 'Import Client' option in the Clients section in the 
> Admin console, but not sure how to create the initial client so that 
> it can be imported. The only import type is 'SAML 2.0 Entity 
> Descriptor', which we aren't sure about as well. Can someone point out 
> how we should continue to build the initial client here?
>
> Also, if there is an option to update the existing realm with the 
> 'Export Realm' facility, that would do as well. However that's not 
> possible I suppose?
not yet, probably it's something which we can improve. Feel free to 
create JIRA.

Marek
>
>
> Regards,
> Lohitha.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/263bd188/attachment-0001.html 

From mposolda at redhat.com  Tue Jun 30 08:17:57 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 30 Jun 2015 14:17:57 +0200
Subject: [keycloak-user] User Registration using UserFederationProvider
In-Reply-To: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au>
References: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au>
Message-ID: <559288F5.7090405@redhat.com>

On 30.6.2015 08:06, Greg Jones wrote:
> Hi Team,
>
> We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.
>
> The next step was to use the back-end server for user registrations and this is where we are having problems.
>
> We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider?s register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.
Yes, the method UserFederationProvider.register() is called with 
UserModel object, which has just username set. I agree that it could be 
possibly more friendly... Could you please create JIRA?

But you should have possibility to address this (even if it's not very 
easy). From the "register" method (and maybe from other methods of your 
provider as well according to your usecase), you are supposed to return 
"proxy" UserModel object wrapping the "local" (Keycloak DB based) 
UserModel object. In that case when some method is invoked on the proxy 
(like setFirstName, setLastName, setAttribute etc) you can update the 
data in your backend as well. See the example 
https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java#L32 


>
> For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.
>
> Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:
>
> 1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
> 2. As mentioned, the federation provider?s register method is called before the additional fields are added to the UserModel.
> 3. There is no way for the federation provider?s register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing ?Internal Server Error?.
If you throw ModelException either from "register" method or from 
"setXXX" method of your proxy UserModel object returned from the 
register method, then the text thrown from the exception is properly 
displayed in admin console UI. At least in latest 1.3.1 it should work 
AFAIK. Can you check this ?

There might be still the issue that "register" method is called with 
UserModel of just username filled, so if some attribute is not valid, 
your DB may already have the "invalid" object created from the register  
method. You can address this by not send your user to your backend when 
"register" method is called, but just return the proxy. Then you will 
update your backend later once all the attributes are valid and properly 
set.

Marek
>
> I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.
>
> Thanks in advance,
> Greg Jones
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From orestis.tsakiridis at telestax.com  Tue Jun 30 08:30:02 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 30 Jun 2015 15:30:02 +0300
Subject: [keycloak-user] Maximum number of clients (applications) in a
	realm
In-Reply-To: <5592810B.2000204@redhat.com>
References: <CABjN769poCsF=OE=DstJT0VX=6mF3kytkxS1KPTGEAiD97uf0A@mail.gmail.com>
	<5592810B.2000204@redhat.com>
Message-ID: <CABjN769e+b1aYHyP-ByNNw66FE26CDR+Bx_N7z2hhaQntamwxg@mail.gmail.com>

Hi Marek,

my comments inline:

On Tue, Jun 30, 2015 at 2:44 PM, Marek Posolda <mposolda at redhat.com> wrote:

>  How much clients you have in mind?
>
>
I guess 100-1000 would be realistic. But more may come later.


> Theoretically there is no any limit. At least at database level. Fact is
> that we didn't try to test admin console UI with very big number of
> clients. Feel free to create JIRA if you're seeing issues.
>
>
Thanks. Before doing this, i just want to be sure that i'm on the right
path and there are no alternatives. For instance, i've also considered
creating a new realm per machine but this won't work either. A user's
identity should be global but also have access to selected machine(s). I
think that concept can work only within a single realm.


> Another approach is to design your deployment so the number of clients is
> not too big. For example when adding new "machine" you can reuse already
> created clients (not sure if it's the approach which works for you, just a
> possible hint...)
>

Unfortunately that won't work either. :-(. We need those clients and their
respective machines to be in place and operational.


> Marek
>
>

Anyway, thanks for the help Marek!


Regards

Orestis




> On 30.6.2015 09:50, Orestis Tsakiridis wrote:
>
>  Hi all,
>
>  Is there a limit in the maximum number of clients/applications in single
> realm supported by keycloak?
>
> I can see that the keycloak admin UI is not built with a big number in
> mind. For instance, when assigning "Client roles" to a realm user there is
> a dropdown with all clients/applications in the realm. I guess this
> shouldn't grow too big to be usuable.
>
>  I'm working on a scenario where i need to implement authorization in a
> system where new machines (and their respective keycloak applications) will
> be added on the fly. So i'm worying about what will happen if the number
> starts to grow.
>
>
>  Thanks
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/f910486d/attachment.html 

From mposolda at redhat.com  Tue Jun 30 08:39:38 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 30 Jun 2015 14:39:38 +0200
Subject: [keycloak-user] Maximum number of clients (applications) in a
 realm
In-Reply-To: <CABjN769e+b1aYHyP-ByNNw66FE26CDR+Bx_N7z2hhaQntamwxg@mail.gmail.com>
References: <CABjN769poCsF=OE=DstJT0VX=6mF3kytkxS1KPTGEAiD97uf0A@mail.gmail.com>	<5592810B.2000204@redhat.com>
	<CABjN769e+b1aYHyP-ByNNw66FE26CDR+Bx_N7z2hhaQntamwxg@mail.gmail.com>
Message-ID: <55928E0A.10106@redhat.com>

Hi Orestis,

the alternative is also to use our admin REST api directly and invoke 
REST endpoints for create/update client directly without using our admin 
console.

Marek

On 30.6.2015 14:30, Orestis Tsakiridis wrote:
> Hi Marek,
>
> my comments inline:
>
> On Tue, Jun 30, 2015 at 2:44 PM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     How much clients you have in mind?
>
>
> I guess 100-1000 would be realistic. But more may come later.
>
>     Theoretically there is no any limit. At least at database level.
>     Fact is that we didn't try to test admin console UI with very big
>     number of clients. Feel free to create JIRA if you're seeing issues.
>
>
> Thanks. Before doing this, i just want to be sure that i'm on the 
> right path and there are no alternatives. For instance, i've also 
> considered creating a new realm per machine but this won't work 
> either. A user's identity should be global but also have access to 
> selected machine(s). I think that concept can work only within a 
> single realm.
>
>     Another approach is to design your deployment so the number of
>     clients is not too big. For example when adding new "machine" you
>     can reuse already created clients (not sure if it's the approach
>     which works for you, just a possible hint...)
>
>
> Unfortunately that won't work either. :-(. We need those clients and 
> their respective machines to be in place and operational.
>
>     Marek
>
>
>
> Anyway, thanks for the help Marek!
>
>
> Regards
>
> Orestis
>
>
>
>
>     On 30.6.2015 09:50, Orestis Tsakiridis wrote:
>>     Hi all,
>>
>>     Is there a limit in the maximum number of clients/applications in
>>     single realm supported by keycloak?
>>
>>     I can see that the keycloak admin UI is not built with a big
>>     number in mind. For instance, when assigning "Client roles" to a
>>     realm user there is a dropdown with all clients/applications in
>>     the realm. I guess this shouldn't grow too big to be usuable.
>>
>>     I'm working on a scenario where i need to implement authorization
>>     in a system where new machines (and their respective keycloak
>>     applications) will be added on the fly. So i'm worying about what
>>     will happen if the number starts to grow.
>>
>>
>>     Thanks
>>
>>
>>
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org  <mailto:keycloak-user at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/cdbb8fc9/attachment.html 

From orestis.tsakiridis at telestax.com  Tue Jun 30 09:24:05 2015
From: orestis.tsakiridis at telestax.com (Orestis Tsakiridis)
Date: Tue, 30 Jun 2015 16:24:05 +0300
Subject: [keycloak-user] Maximum number of clients (applications) in a
	realm
In-Reply-To: <55928E0A.10106@redhat.com>
References: <CABjN769poCsF=OE=DstJT0VX=6mF3kytkxS1KPTGEAiD97uf0A@mail.gmail.com>
	<5592810B.2000204@redhat.com>
	<CABjN769e+b1aYHyP-ByNNw66FE26CDR+Bx_N7z2hhaQntamwxg@mail.gmail.com>
	<55928E0A.10106@redhat.com>
Message-ID: <CABjN76-W=ARvMSpKPhSZUZnw=oxkYP9E7RFDq-3MexwLAkwcvw@mail.gmail.com>

Hi Marek,

Right, that's the plan.


Thanks for your time.

Orestis

On Tue, Jun 30, 2015 at 3:39 PM, Marek Posolda <mposolda at redhat.com> wrote:

>  Hi Orestis,
>
> the alternative is also to use our admin REST api directly and invoke REST
> endpoints for create/update client directly without using our admin console.
>
> Marek
>
>
> On 30.6.2015 14:30, Orestis Tsakiridis wrote:
>
>  Hi Marek,
>
>  my comments inline:
>
> On Tue, Jun 30, 2015 at 2:44 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>>  How much clients you have in mind?
>>
>>
>  I guess 100-1000 would be realistic. But more may come later.
>
>
>>  Theoretically there is no any limit. At least at database level. Fact
>> is that we didn't try to test admin console UI with very big number of
>> clients. Feel free to create JIRA if you're seeing issues.
>>
>>
>  Thanks. Before doing this, i just want to be sure that i'm on the right
> path and there are no alternatives. For instance, i've also considered
> creating a new realm per machine but this won't work either. A user's
> identity should be global but also have access to selected machine(s). I
> think that concept can work only within a single realm.
>
>
>>  Another approach is to design your deployment so the number of clients
>> is not too big. For example when adding new "machine" you can reuse already
>> created clients (not sure if it's the approach which works for you, just a
>> possible hint...)
>>
>
> Unfortunately that won't work either. :-(. We need those clients and their
> respective machines to be in place and operational.
>
>
>>  Marek
>>
>>
>
>  Anyway, thanks for the help Marek!
>
>
>  Regards
>
>  Orestis
>
>
>
>
>> On 30.6.2015 09:50, Orestis Tsakiridis wrote:
>>
>>   Hi all,
>>
>>  Is there a limit in the maximum number of clients/applications in single
>> realm supported by keycloak?
>>
>> I can see that the keycloak admin UI is not built with a big number in
>> mind. For instance, when assigning "Client roles" to a realm user there is
>> a dropdown with all clients/applications in the realm. I guess this
>> shouldn't grow too big to be usuable.
>>
>>  I'm working on a scenario where i need to implement authorization in a
>> system where new machines (and their respective keycloak applications) will
>> be added on the fly. So i'm worying about what will happen if the number
>> starts to grow.
>>
>>
>>  Thanks
>>
>>
>>
>>
>>
>>  _______________________________________________
>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/62c6ed8e/attachment-0001.html 

From mposolda at redhat.com  Tue Jun 30 09:28:13 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 30 Jun 2015 15:28:13 +0200
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To: <CAFMa6Bb=yn1cmA2zGOUph+S+DhVVBR=S+ymSvP=TdNXZfw1ZEw@mail.gmail.com>
References: <CACKoP8FS=U16N+B6sfCivb4LBS0k8NH4dj29F2i4beQCUzmNTg@mail.gmail.com>
	<CAFMa6Bb=yn1cmA2zGOUph+S+DhVVBR=S+ymSvP=TdNXZfw1ZEw@mail.gmail.com>
Message-ID: <5592996D.8000108@redhat.com>

Hi Kevin,

in latest master there is support for multiple values of some user 
attribute mapped from LDAP. There is also new switch "multivalued" in 
admin console for User attribute protocol mapper - when it's on, you 
will see all the values of the attribute in the id token (or access 
token) in your application.

Also there is switch "Always read value from LDAP" on User attribute 
LDAP federation mapper. When it's on, the value of attribute is always 
read from LDAP even for the users, which were already added into 
Keycloak DB before you created the LDAP mapper.

I hope this will address the issues you mentioned below and in the 
previous mails last week.

Please let me know if it works or if there are still some issues you're 
seeing.

Thanks,
Marek

On 29.6.2015 14:22, Kevin Thorpe wrote:
> There are two mappings here
>
> Firstly you need an attribute mapper in user federation. This maps an 
> LAP attribute to a Keycloak one.
> I don't think this works on existing users though. Try creating a new 
> LDAP user and log in as that user to test this.
> Check the log. In my case it's at /var/log/wildfly/console.log but 
> might have been moved there by one of our devs.
> Check USER_ATTRIBUTES table in the database. You should have a line 
> for your new attribute for your new user.
> I know this doesn't work for multi-attribute values. eg we have an 
> 'applications' attribute which users will have several entries.
>
> Secondly you need to map the user attribute you created above to the 
> JWT token
> This is under your client application definition.
> You need a 'user attribute' not 'property' mapper to map the new 
> keycloak user attribute to a value in the token(s)
> You also need to turn it on for either the id token or access token 
> depending on where your client expects it.
>
>
>
>
>
> *Kevin Thorpe
> *
> CTO
>
> <https://www.p-i.net/> <https://twitter.com/@PI_150>
>
> www.p-i.net <http://www.p-i.net/> | @PI_150 <https://twitter.com/@PI_150>
>
> M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
> 150 Buckingham Palace Road, London, SW1W 9TR, UK
>
> **
> _____________________________
>
> This email and any files transmitted with it are confidential and 
> intended solely for the use of the individual or entity to whom they 
> are addressed. If you have received this email in error please notify 
> the system manager. This message contains confidential information and 
> is intended only for the individual named. If you are not the named 
> addressee you should not disseminate, distribute or copy this e-mail. 
> Please notify the sender immediately by e-mail if you have received 
> this e-mail by mistake and delete this e-mail from your system. If you 
> are not the intended recipient you are notified that disclosing, 
> copying, distributing or taking any action in reliance on the contents 
> of this information is strictly prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
>
> On 29 June 2015 at 13:02, Adam Daduev <daduev.ad at gmail.com 
> <mailto:daduev.ad at gmail.com>> wrote:
>
>     Hi.
>     I try use new feature of keycloak 1.3.1, i added new attribute,
>     like department, but i can not get it in my web bean, i try get
>     new attribute from KeycloakSecurityContext, but con not found.
>     How can i get my new added atribute?
>     Thanks!
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/a2025112/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/a2025112/attachment.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/a2025112/attachment-0001.jpe 

From kevin.thorpe at p-i.net  Tue Jun 30 13:23:47 2015
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Tue, 30 Jun 2015 18:23:47 +0100
Subject: [keycloak-user] How read added mapper attribute from ldap?
In-Reply-To: <5592996D.8000108@redhat.com>
References: <CACKoP8FS=U16N+B6sfCivb4LBS0k8NH4dj29F2i4beQCUzmNTg@mail.gmail.com>
	<CAFMa6Bb=yn1cmA2zGOUph+S+DhVVBR=S+ymSvP=TdNXZfw1ZEw@mail.gmail.com>
	<5592996D.8000108@redhat.com>
Message-ID: <CAFMa6Bbu_Gxw+xYhVdkY+cB7QQ=o6UJTweRMUbB70OjDUwKdOA@mail.gmail.com>

Brilliant, thanks Marek. Compiling that at the moment and will properly
test the new functionality in the morning



*Kevin Thorpe*
CTO

 <https://www.p-i.net/>    <https://twitter.com/@PI_150>

 www.p-i.net | @PI_150 <https://twitter.com/@PI_150>

 M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
 150 Buckingham Palace Road, London, SW1W 9TR, UK


_____________________________

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that disclosing, copying, distributing or taking any
action in reliance on the contents of this information is strictly
prohibited.

*"SAVE PAPER - THINK BEFORE YOU PRINT!" *

On 30 June 2015 at 14:28, Marek Posolda <mposolda at redhat.com> wrote:

>  Hi Kevin,
>
> in latest master there is support for multiple values of some user
> attribute mapped from LDAP. There is also new switch "multivalued" in admin
> console for User attribute protocol mapper - when it's on, you will see all
> the values of the attribute in the id token (or access token) in your
> application.
>
> Also there is switch "Always read value from LDAP" on User attribute LDAP
> federation mapper. When it's on, the value of attribute is always read from
> LDAP even for the users, which were already added into Keycloak DB before
> you created the LDAP mapper.
>
> I hope this will address the issues you mentioned below and in the
> previous mails last week.
>
> Please let me know if it works or if there are still some issues you're
> seeing.
>
> Thanks,
> Marek
>
>
> On 29.6.2015 14:22, Kevin Thorpe wrote:
>
> There are two mappings here
>
>  Firstly you need an attribute mapper in user federation. This maps an
> LAP attribute to a Keycloak one.
> I don't think this works on existing users though. Try creating a new LDAP
> user and log in as that user to test this.
> Check the log. In my case it's at /var/log/wildfly/console.log but might
> have been moved there by one of our devs.
> Check USER_ATTRIBUTES table in the database. You should have a line for
> your new attribute for your new user.
> I know this doesn't work for multi-attribute values. eg we have an
> 'applications' attribute which users will have several entries.
>
>  Secondly you need to map the user attribute you created above to the JWT
> token
> This is under your client application definition.
> You need a 'user attribute' not 'property' mapper to map the new keycloak
> user attribute to a value in the token(s)
> You also need to turn it on for either the id token or access token
> depending on where your client expects it.
>
>
>
>
>
>
> *Kevin Thorpe *
> CTO
>
>  <https://www.p-i.net/>    <https://twitter.com/@PI_150>
>
>  www.p-i.net | @PI_150 <https://twitter.com/@PI_150>
>
>  M: +44 (0)7425 160 368 | T: +44 (0)203 005 6750 | F: +44(0)207 730 2635
>  150 Buckingham Palace Road, London, SW1W 9TR, UK
>
>
> _____________________________
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error please notify the system manager.
> This message contains confidential information and is intended only for the
> individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system. If you are not the intended recipient
> you are notified that disclosing, copying, distributing or taking any
> action in reliance on the contents of this information is strictly
> prohibited.
>
> *"SAVE PAPER - THINK BEFORE YOU PRINT!" *
>
> On 29 June 2015 at 13:02, Adam Daduev <daduev.ad at gmail.com> wrote:
>
>>  Hi.
>> I try use new feature of keycloak 1.3.1, i added new attribute, like
>> department, but i can not get it in my web bean, i try get new attribute
>> from KeycloakSecurityContext, but con not found.
>> How can i get my new added atribute?
>> Thanks!
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/8e4d8d7a/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pi_icon.jpg
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/8e4d8d7a/attachment-0002.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/8e4d8d7a/attachment-0002.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3053 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/8e4d8d7a/attachment-0003.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twitter.jpg
Type: image/jpeg
Size: 1204 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20150630/8e4d8d7a/attachment-0003.jpg 

From gregj at thesoftwarecottage.com.au  Tue Jun 30 19:36:03 2015
From: gregj at thesoftwarecottage.com.au (Greg Jones)
Date: Wed, 1 Jul 2015 09:36:03 +1000
Subject: [keycloak-user] User Registration using UserFederationProvider
In-Reply-To: <559288F5.7090405@redhat.com>
References: <05125352-EFEC-45C9-94D5-8B45078E63EC@thesoftwarecottage.com.au>
	<559288F5.7090405@redhat.com>
Message-ID: <6E6B2727-094C-436F-95E7-17D9C868F4C4@thesoftwarecottage.com.au>

Thanks Marek,

I will raise a Jira and provide a description of what I have done to make this more friendly.

Regards,
Greg

> On 30 Jun 2015, at 10:17 pm, Marek Posolda <mposolda at redhat.com> wrote:
> 
> On 30.6.2015 08:06, Greg Jones wrote:
>> Hi Team,
>> 
>> We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.
>> 
>> The next step was to use the back-end server for user registrations and this is where we are having problems.
>> 
>> We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider?s register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.
> Yes, the method UserFederationProvider.register() is called with UserModel object, which has just username set. I agree that it could be possibly more friendly... Could you please create JIRA?
> 
> But you should have possibility to address this (even if it's not very easy). From the "register" method (and maybe from other methods of your provider as well according to your usecase), you are supposed to return "proxy" UserModel object wrapping the "local" (Keycloak DB based) UserModel object. In that case when some method is invoked on the proxy (like setFirstName, setLastName, setAttribute etc) you can update the data in your backend as well. See the example https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java#L32 
> 
>> 
>> For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.
>> 
>> Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:
>> 
>> 1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
>> 2. As mentioned, the federation provider?s register method is called before the additional fields are added to the UserModel.
>> 3. There is no way for the federation provider?s register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing ?Internal Server Error?.
> If you throw ModelException either from "register" method or from "setXXX" method of your proxy UserModel object returned from the register method, then the text thrown from the exception is properly displayed in admin console UI. At least in latest 1.3.1 it should work AFAIK. Can you check this ?
> 
> There might be still the issue that "register" method is called with UserModel of just username filled, so if some attribute is not valid, your DB may already have the "invalid" object created from the register  method. You can address this by not send your user to your backend when "register" method is called, but just return the proxy. Then you will update your backend later once all the attributes are valid and properly set.
> 
> Marek
>> 
>> I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.
>> 
>> Thanks in advance,
>> Greg Jones
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>