[keycloak-user] Limit Google authentication by domain?

Stian Thorgersen stian at redhat.com
Tue Mar 24 13:16:58 EDT 2015


Please jira and I'll look at it tomorrow

----- Original Message -----
> From: "Thorsten" <thorsten315 at gmx.de>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Tuesday, 24 March, 2015 4:02:25 PM
> Subject: Re: [keycloak-user] Limit Google authentication by domain?
> 
> I built master from github and used the appliance distribution with a
> docker image. I can create a new realm and set up a custom OpenID Connect
> provider, but when I go to realm login I run into the following exception:
> 
> 14:51:24,683 ERROR [io.undertow.request] (default task-24) UT005023:
> Exception handling request to
> /auth/realms/test/broker/google_hd_test/login: java.lang.RuntimeException:
> request path: /auth/realms/test/broker/google_hd_test/login
>         at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
> [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
>         at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
> [undertow-core-1.1.0.Final.jar:1.1.0.Final]
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_65]
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_65]
>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
>         at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
> [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
>         at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
>         at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
> [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
>         ... 28 more
> Caused by: java.lang.NoClassDefFoundError: org/jboss/resteasy/logging/Logger
>         at
> org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.<clinit>(AbstractOAuth2IdentityProvider.java:60)
>         at
> org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:44)
>         at
> org.keycloak.broker.oidc.OIDCIdentityProviderFactory.create(OIDCIdentityProviderFactory.java:33)
>         at
> org.keycloak.services.resources.IdentityBrokerService.getIdentityProvider(IdentityBrokerService.java:438)
> [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
>         at
> org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:126)
> [keycloak-services-1.2.0.Beta1-SNAPSHOT.jar:1.2.0.Beta1-SNAPSHOT]
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> [rt.jar:1.7.0_65]
>         at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> [rt.jar:1.7.0_65]
>         at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> [rt.jar:1.7.0_65]
>         at java.lang.reflect.Method.invoke(Method.java:606)
> [rt.jar:1.7.0_65]
>         at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> [resteasy-jaxrs-3.0.10.Final.jar:]
>         ... 39 more
> Caused by: java.lang.ClassNotFoundException:
> org.jboss.resteasy.logging.Logger from [Module
> "org.keycloak.keycloak-broker-oidc:main" from local module loader @5f5cc764
> (finder: local module finder @4426a725 (roots:
> /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/base))]
>         at
> org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213)
> [jboss-modules.jar:1.3.3.Final]
>         at
> org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459)
> [jboss-modules.jar:1.3.3.Final]
>         at
> org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408)
> [jboss-modules.jar:1.3.3.Final]
>         at
> org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389)
> [jboss-modules.jar:1.3.3.Final]
>         at
> org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134)
> [jboss-modules.jar:1.3.3.Final]
>         ... 54 more
> 
> 
> 2015-03-24 7:09 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> 
> > Not sure why it's not working, you can enable debug for
> > org.keycloak.services.DefaultKeycloakSessionFactory and
> > org.keycloak.provider.ProviderManager that may provide some option.
> >
> > Alternatively, if you try with master (build from github) or wait until
> > 1.2.0.Beta1 is released you can configure your own OpenID Connect provider
> > which would let you add the hd param to the authorization url.
> >
> > ----- Original Message -----
> > > From: "Thorsten" <thorsten315 at gmx.de>
> > > To: "Bill Burke" <bburke at redhat.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Monday, 23 March, 2015 5:11:12 PM
> > > Subject: Re: [keycloak-user] Limit Google authentication by domain?
> > >
> > > Ok, I have copied the social Google adapter (all based on the 1.1.0.Final
> > > codebase) and modified a few lines (incl. ID and NAME). I also adjusted
> > the
> > > "services" entry to match the new class name.
> > > Now I used the jboss/keycloak:1.1.0.Final docker image and just added my
> > > adapter jar to the
> > /opt/jboss/keycloak/standalone/configuration/providers/
> > > directory.
> > >
> > > But when I start the docker container and enable Social Login I don't
> > see my
> > > social module name in the "Add provider..." pulldown list.
> > >
> > > Is there anything else I need to do in order to add my social provider to
> > > register?
> > >
> > > Thanks
> > >
> > > 2015-03-23 15:19 GMT+01:00 Bill Burke <bburke at redhat.com>:
> > >
> > >
> > > We don't support this. Our "social" module contains our Google adapter.
> > >
> > > On 3/23/2015 10:14 AM, Thorsten wrote:
> > > > Hi,
> > > >
> > > > is there a way to limit the Google authentication to only work for
> > users
> > > > that have a Google account in a specific Google app domain? Right now
> > it
> > > > seems that anybody with a Google+ account can log in once you enable it.
> > > >
> > > > Is there an out-of-the-box way to get this done through configuration,
> > and
> > > > if not, what would be the simplest way to implement this?
> > > >
> > > > Thanks
> > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> >
> 
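The thread settles on adding the `hd` parameter to the Google authorization URL via a custom OpenID Connect provider. Added example, not code from Keycloak or from anyone in this thread: it shows the two halves a practitioner needs, building the authorization URL with `hd`, and then checking the `hd` claim in the returned ID token, because `hd` on the authorization request only filters Google's account chooser and is not an access control on its own. The client id, redirect URI and the `example.com` domain are placeholders; the token is a constructed, unsigned JWT for the demo, and signature verification is assumed to have been done by the OIDC library before `id_token_claims` is called.

```python
"""Restrict Google sign-in to one hosted (Google Apps) domain.

Added example, not Keycloak code. Assumes the OIDC library has already
verified the ID token signature, issuer, audience and nonce; this module
only adds the hosted-domain check on top of that.
"""
import base64
import json
from urllib.parse import urlencode

# Google's OAuth 2.0 / OpenID Connect authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_authorization_url(client_id, redirect_uri, state, nonce, hosted_domain):
    """Return the authorization URL with the `hd` hint added.

    `hd` makes Google's account chooser show only accounts from that
    domain. It is a usability hint: the token that comes back must still
    be checked server-side (see hosted_domain_allowed).
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "hd": hosted_domain,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Parse the payload segment of a compact JWT. Parses only; it does NOT
    verify the signature, which must already have happened upstream."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def hosted_domain_allowed(claims, allowed_domain):
    """Accept the login only if the ID token carries an `hd` claim that
    exactly equals the allowed domain and the email agrees with it.

    Consumer Gmail accounts carry no `hd` claim at all, so a missing claim
    is a rejection, not a pass. Exact comparison (not suffix matching) is
    deliberate so that look-alike domains are not accepted.
    """
    allowed = allowed_domain.lower()
    hd = claims.get("hd")
    if not isinstance(hd, str) or hd.lower() != allowed:
        return False
    email = claims.get("email", "")
    return isinstance(email, str) and email.lower().endswith("@" + allowed)


def make_demo_token(claims):
    """Constructed, unsigned token (empty signature) for the example only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    url = build_authorization_url(
        "PLACEHOLDER_CLIENT_ID", "https://sso.example.com/auth/realms/test/broker/google/endpoint",
        "opaque-state", "opaque-nonce", "example.com")
    print(url)
    # Constructed sample tokens: one workspace account, one consumer account.
    ok = make_demo_token({"hd": "example.com", "email": "alice@example.com"})
    consumer = make_demo_token({"email": "alice@gmail.com"})
    print(hosted_domain_allowed(id_token_claims(ok), "example.com"))        # True
    print(hosted_domain_allowed(id_token_claims(consumer), "example.com"))  # False
```

In a Keycloak deployment the equivalent of `hosted_domain_allowed` belongs in the identity-provider code path that runs after token validation, so that the check is enforced before a federated user is created or linked, rather than relying on the `hd` query parameter alone.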

