From bburke at redhat.com Fri May 1 08:48:19 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 01 May 2015 08:48:19 -0400
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <1970499048.89811.1430443394466.JavaMail.yahoo@mail.yahoo.com>
References: <5542BA2B.2010608@redhat.com> <1970499048.89811.1430443394466.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55437613.3030501@redhat.com>

You can map the SAML/OIDC assertion/token that is sent to your
applications however you want.

On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
> Bill - That would be an issue for us as we cannot manipulate the values
> (especially username) sent by an external IDP which is the authoritative
> source of user information. We will have to figure out another way,
> perhaps an internal KC user attribute that can be made unique to
> prevent name clashes.
>
> Thanks,
> Raghu
> ------------------------------------------------------------------------
> *From:* Bill Burke
> *To:* Henk Laracker ; "keycloak-user at lists.jboss.org"
> *Sent:* Thursday, April 30, 2015 7:26 PM
> *Subject:* Re: [keycloak-user] IDP SAMLV2.0 with Salesforce
>
> Right now, the username is prefixed with the broker name. This is to
> avoid name clashes if you are brokering multiple IDPs (i.e. multiple
> social providers).
>
> On 4/30/2015 2:51 PM, Henk Laracker wrote:
> > Hi Bill,
> >
> > Thank you, this worked out! A user is created with my name
> > saml.henk.laracker at p***n.nl; do you have any idea why the "saml" prefix
> > is added?
> >
> > Henk
> >
> > On 30/04/15 18:44, "Bill Burke" wrote:
> >
> >> Ok, I was able to get this to work. The problem was I had to set a
> >> "profile" for the connected app on Salesforce. I added a "System
> >> Administrator" profile to the Connected App and it worked.
> >>
> >> I'm not sure how to upload an app certificate yet. Not sure what format
> >> Salesforce is looking for.
> >>
> >> On 4/30/2015 11:39 AM, Bill Burke wrote:
> >>> I set up a Salesforce example and looked at the login response SAML
> >>> document. Looks like no assertion data is being sent back at all by
> >>> Salesforce.
> >>>
> >>> On 4/30/2015 9:43 AM, Bill Burke wrote:
> >>>> I have no idea. Basically this error is stating that the login response
> >>>> SAML document has no assertions within it. If there are no assertions,
> >>>> then there has been no identity data sent.
> >>>>
> >>>> I'm looking now, but can you send me a link on how to set up Salesforce
> >>>> as an IDP? Is one able to set up a free account and such?
> >>>>
> >>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
> >>>>> Hi Bill,
> >>>>>
> >>>>> I don't know why I missed that, thanks! Salesforce now responds with the
> >>>>> correct login page. After logging in to Salesforce, I'm redirected to
> >>>>> keycloak again with an internal error:
> >>>>>
> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:299)
> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:343)
> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:169)
> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:117)
> >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
> >>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
> >>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
> >>>>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
> >>>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
> >>>>>     ... 39 more
> >>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No assertion from response.
> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
> >>>>>     at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
> >>>>>     ... 54 more
> >>>>>
> >>>>> Any idea?
> >>>>>
> >>>>> Henk
> >>>>>
> >>>>> On 30/04/15 14:31, "Bill Burke" wrote:
> >>>>>
> >>>>>> You want to chain keycloak server to Salesforce?
> >>>>>>
> >>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
> >>>>>> Salesforce, you'll see after you create it an Export button. Click
> >>>>>> that. That will create an entity descriptor with all the information
> >>>>>> you need.
> >>>>>>
> >>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I like to use Salesforce as Identity Provider; the metadata
> >>>>>>> provided by Salesforce can be imported.
> >>>>>>> But I need to specify the Service Provider in Salesforce. I have to
> >>>>>>> fill in a couple of fields, but two of them I don't understand (and
> >>>>>>> they are mandatory). Does someone have any clue?
> >>>>>>>
> >>>>>>> 1. entity id, remark of Salesforce: get this value from your
> >>>>>>>    service provider
> >>>>>>> 2. ACS URL, remark of Salesforce: The assertion consumer service. Get
> >>>>>>>    this value from your service provider.
> >>>>>>>
> >>>>>>> I have tried a lot of values but every time I click the SAML button
> >>>>>>> on my app, it redirects to Salesforce but I get a page with the error:
> >>>>>>> Error: Unable to resolve request into a Service Provider
> >>>>>>>
> >>>>>>> Henk
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> keycloak-user mailing list
> >>>>>>> keycloak-user at lists.jboss.org
> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Fri May 1 08:52:02 2015
From: bburke at redhat.com (Bill Burke)
Date: Fri, 01 May 2015 08:52:02 -0400
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <55437613.3030501@redhat.com>
References: <5542BA2B.2010608@redhat.com> <1970499048.89811.1430443394466.JavaMail.yahoo@mail.yahoo.com> <55437613.3030501@redhat.com>
Message-ID: <554376F2.3090805@redhat.com>

I'll add a username mapper.

On 5/1/2015 8:48 AM, Bill Burke wrote:
> You can map the SAML/OIDC assertion/token that is sent to your
> applications however you want.
>
> On 4/30/2015 9:23 PM, Raghu Prabhala wrote:
>> Bill - That would be an issue for us as we cannot manipulate the values
>> (especially username) sent by an external IDP which is the authoritative
>> source of user information. We will have to figure out another way,
>> perhaps an internal KC user attribute that can be made unique to
>> prevent name clashes.
>>
>> Thanks,
>> Raghu
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Henk.Laracker at planonsoftware.com Fri May 1 08:53:06 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Fri, 1 May 2015 14:53:06 +0200
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <5542BA2B.2010608@redhat.com>
References: <55422096.8000500@redhat.com> <5542319E.5090708@redhat.com> <55424CC1.2010405@redhat.com> <55425BD7.9020903@redhat.com> <5542BA2B.2010608@redhat.com>

Hi Bill,

I can understand why the prefix is needed, but is there a possibility to
send the username to the service provider without the prefix? If I
configure Facebook login and SAML login, and I log in with one of the
configured logins with the same email address, it would be nice if this
were one user for the backend. Or is my conclusion wrong? Now they are two
different users.

Another question: does anybody know how to log out from Salesforce and
redirect to your application? I use
https://keycloak-accdev.planoncloud.com/auth/realms/auth/tokens/logout?redirect_uri=https://auth-proddev.planoncloud.com
in my application. In keycloak the Single Logout Service URL is:
https://ciwwa-dev-ed.my.salesforce.com/secur/logout.jsp?retUrl=https://auth-proddev.planoncloud.com
This doesn't work: Salesforce logs out but does not do the redirect. I
would also like to ask if it is possible to take over the logout URL from
my initial redirect. Also, the logout on Salesforce does not have the right
effect: when I go back to my main https://auth-proddev.planoncloud.com I'm
still logged in.

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,

Henk Laracker

On 01/05/15 01:26, "Bill Burke" wrote:

>Right now, the username is prefixed with the broker name. This is to
>avoid name clashes if you are brokering multiple IDPs (i.e. multiple
>social providers).
From stian at redhat.com Mon May 4 01:09:07 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 4 May 2015 01:09:07 -0400 (EDT)
Subject: [keycloak-user] OAuth
Message-ID: <793422084.11876330.1430716147097.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Fadi Abdin"
> To: "keycloak-user"
> Sent: Thursday, April 30, 2015 6:48:47 PM
> Subject: [keycloak-user] OAuth
>
> I just created a simple javascript app to test my oauth keycloak connections
> and implemented the calls to do the basic things (except revoke the token).
>
> My code is on github https://github.com/fadiabdeen/keycloak-oauth
>
> I was able to get an authorization code,
> get a token,
> refresh the token,
> get the user information through validate,
> logout (which only clears the session).
>
> I can't figure out how to revoke my access_token. If anybody can help with
> this then it's great.

Not sure what you mean about revoking the access token. Can you elaborate?

>
> Thanks

From mposolda at redhat.com Mon May 4 03:03:20 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 04 May 2015 09:03:20 +0200
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <55424CC1.2010405@redhat.com>
References: <55422096.8000500@redhat.com> <5542319E.5090708@redhat.com> <55424CC1.2010405@redhat.com>
Message-ID: <554719B8.8010305@redhat.com>

As far as I remember, it could be the certificate in CRT format exported
from the keystore file via "keytool -export". At least that's what worked
for me a couple of years back when I did the integration of Salesforce
with Picketlink:
https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP

Marek

On 30.4.2015 17:39, Bill Burke wrote:
> I set up a Salesforce example and looked at the login response SAML
> document. Looks like no assertion data is being sent back at all by
> Salesforce.
ACS URL, remark of slaesforce : The assertion consumer service. Get >>>>> this value from your service provider. >>>>> >>>>> I have tried a lot of values but every-time I click the saml button on >>>>> my app, it redirects to salesforce but I get a page with the error : >>>>> Error: Unable to resolve request into a Service Provider >>>>> >>>>> Henk >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user From jayblanc at gmail.com Mon May 4 03:33:05 2015 From: jayblanc at gmail.com (=?UTF-8?B?SsOpcsO0bWUgQmxhbmNoYXJk?=) Date: Mon, 04 May 2015 07:33:05 +0000 Subject: [keycloak-user] How touser Servlet OAuth Client In-Reply-To: <55391F0E.7010600@redhat.com> References: <55367704.7020302@redhat.com> <55391AF8.7060704@redhat.com> <55391F0E.7010600@redhat.com> Message-ID: Hi, Marek, the tips of building a simple redirect servlet protected by a user role constraint and let the other servlets unconstrained is working like a charm. This simple servlet act as a redirect point to ensure keycloak adapter handling of authentication without writing new code. A perfect solution in fact. Thank you very much for your support, best regards, J?r?me. Le jeu. 23 avr. 2015 ? 18:34, Bill Burke a ?crit : > Please read this: > > > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/ch08.html#jboss-adapter > > add a @SecurityDomain("keycloak") to your EJB and it will pick up the > Keylcoak context. > > On 4/23/2015 12:16 PM, Marek Posolda wrote: > > You're not wrong. With ServletOAuthClient you have control when you > > redirect user to the KC login screen. 
> > But you're completely independent
> > on Wildfly container security layers, hence no propagation to EJB layer.
> >
> > If ServletOAuthClient is good for you, depends on the usecase you want
> > to achieve. Maybe it is better for you to add some security-constraints
> > URL to your web.xml (for example "/my-protected-url") and you will
> > redirect your application to /my-protected-url (with
> > httpResponse.sendRedirect) whenever you want your application to be
> > logged with keycloak. Then once KC authentication is finished and your
> > application will visit "/my-protected-url" as authenticated user, you
> > will redirect back to the original URL before authentication.
> >
> > Not sure if EJB propagation will happen once you're authenticated, but
> > visit unprotected URL though... But at least you can give it a shot.
> >
> > Marek
> >
> > On 23.4.2015 15:35, Jérôme Blanchard wrote:
> >> Hi,
> >> I wonder whether the Servlet OAuth Client won't propagate authentication
> >> to the WildFly EJB layer... Am I wrong?
> >> Jérôme.
> >>
> >> On Tue, 21 Apr 2015 at 18:13, Marek Posolda wrote:
> >>
> >> You can take a look at our examples for how to use
> >> ServletOAuthClient. Hopefully it could help with your usecase:
> >> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party
> >> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/third-party-cdi
> >>
> >> Marek
> >>
> >>
> >> On 21.4.2015 12:14, Jérôme Blanchard wrote:
> >>> Hi all,
> >>>
> >>> I'm trying to protect a servlet application which can be accessed
> >>> either as anonymous user and as authenticated user. Some
> >>> resources are protected and my application takes in charge the
> >>> access control (not role based) so I can't use the war protection
> >>> using role user constraint.
> >>> In this case I've removed the role constraint in the web.xml and
> >>> the keycloak wildfly (undertow) adapter lets me access the
> >>> application as an unauthenticated user (anonymous) which is perfect.
> >>> What I want to handle on some AccessDeniedException is to
> >>> redirect the user to the authentication server manually. In this
> >>> case, the user authenticates and comes back to the protected URL but is
> >>> no more anonymous but an authenticated user.
> >>> Is there a way to handle this redirection to the authentication
> >>> server manually (I don't know where to store the state variable
> >>> allowing the keycloak wildfly adapter to handle properly the auth
> >>> redirect that includes the code).
> >>>
> >>> Best regards, Jérôme.
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150504/12ca30d4/attachment.html

From fadiabdeen at gmail.com Mon May 4 07:30:42 2015
From: fadiabdeen at gmail.com (Fadi Abdin)
Date: Mon, 4 May 2015 07:30:42 -0400
Subject: [keycloak-user] OAuth
In-Reply-To: <793422084.11876330.1430716147097.JavaMail.zimbra@redhat.com>
References: <793422084.11876330.1430716147097.JavaMail.zimbra@redhat.com>
Message-ID:

I basically want to force expire a token, or invalidate a token.
https://tools.ietf.org/html/rfc7009

On Mon, May 4, 2015 at 1:09 AM, Stian Thorgersen wrote:

>
>
> ----- Original Message -----
> > From: "Fadi Abdin"
> > To: "keycloak-user"
> > Sent: Thursday, April 30, 2015 6:48:47 PM
> > Subject: [keycloak-user] OAuth
> >
> > I just created a simple javascript app to test my oauth keycloak connections
> > and implemented the calls to do the basic things ( except revoke the token) .
> >
> > My code is on github https://github.com/fadiabdeen/keycloak-oauth
> >
> > I was able to get an authorization code.
> > get a token
> > refresh the token
> > get the user information through validate
> > logout ( which only clears the session
> >
> > I can't figure out how to revoke my access_token .. if anybody can help with
> > this then it's great.
>
> Not sure what you mean about revoking the access token. Can you elaborate?
>
> >
> > Thanks
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150504/b915600d/attachment.html

From bburke at redhat.com Mon May 4 07:59:04 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 04 May 2015 07:59:04 -0400
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <554719B8.8010305@redhat.com>
References: <55422096.8000500@redhat.com> <5542319E.5090708@redhat.com> <55424CC1.2010405@redhat.com> <554719B8.8010305@redhat.com>
Message-ID: <55475F08.4050808@redhat.com>

Hey, do you know if Salesforce as an SP works if the IDP is localhost? Or did you have to test that outside a firewall?

On 5/4/2015 3:03 AM, Marek Posolda wrote:
> As far as I remember, it could be the certificate in CRT format exported
> from keystore file via "keytool -export". At least that's what worked
> for me a couple of years back when I did the integration of Salesforce with
> Picketlink:
> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP
>
>
> Marek
>
> On 30.4.2015 17:39, Bill Burke wrote:
>> I set up a salesforce example and looked at the login response SAML
>> document. Looks like no assertion data is being sent back at all by
>> salesforce.
>>
>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>> I have no idea. Basically this error is stating that the login response
>>> saml document has no assertions within it. If there are no assertions,
>>> then there has been no identity data sent.
>>>
>>> I'm looking now, but can you send me a link on how to set up Salesforce
>>> as an IDP? Is one able to set up a free account and such?
>>>
>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>> Hi Bill,
>>>>
>>>> I don't know why I missed that, thanks! Salesforce responds now with
>>>> the
>>>> correct login page. After logging in in Salesforce, I'm redirected to
>>>> keycloak again with an internal error:
>>>>
>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException:
>>>> Could not
>>>> process response from SAML identity provider.
>>>> java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>> ... 39 more
>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No
>>>> assertion from response.
>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>>>> ... 54 more
>>>>
>>>> Any idea?
>>>>
>>>> Henk
>>>>
>>>>
>>>> On 30/04/15 14:31, "Bill Burke" wrote:
>>>>
>>>>> You want to chain keycloak server to Salesforce?
>>>>>
>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>>> Salesforce, you'll see after you create it, an Export button. Click
>>>>> that. That will create an entity descriptor with all the information
>>>>> you need.
>>>>>
>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I like to use Salesforce as Identity Provider, the metadata
>>>>>> provided by
>>>>>> salesforce can be imported.
>>>>>> But I need to specify the Service Provider in salesforce, I have
>>>>>> to fill
>>>>>> in a couple of fields, but two of them I don't understand (and are
>>>>>> mandatory). Does someone have any clue
>>>>>>
>>>>>> 1. entity id , remark of salesforce : get this value from your
>>>>>> serviceprovider
>>>>>> 2. ACS URL, remark of salesforce : The assertion consumer
>>>>>> service. Get
>>>>>> this value from your service provider.
>>>>>>
>>>>>> I have tried a lot of values but every time I click the saml
>>>>>> button on
>>>>>> my app, it redirects to salesforce but I get a page with the error :
>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>>
>>>>>> Henk
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Mon May 4 08:36:31 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 04 May 2015 14:36:31 +0200
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <55475F08.4050808@redhat.com>
References: <55422096.8000500@redhat.com> <5542319E.5090708@redhat.com> <55424CC1.2010405@redhat.com> <554719B8.8010305@redhat.com> <55475F08.4050808@redhat.com>
Message-ID: <554767CF.1090009@redhat.com>

Yeah, that worked for me. Localhost is also used in the example instructions https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP . AFAIR Salesforce interacts with the IDP just through browser redirects, not backchannel requests. So localhost is not a problem.

Marek

On 4.5.2015 13:59, Bill Burke wrote:
> Hey, do you know if Salesforce as an SP works if the IDP is localhost?
> Or did you have to test that outside a firewall?
>
> On 5/4/2015 3:03 AM, Marek Posolda wrote:
>> As far as I remember, it could be the certificate in CRT format exported
>> from keystore file via "keytool -export". At least that's what worked
>> for me a couple of years back when I did the integration of Salesforce with
>> Picketlink:
>> https://docs.jboss.org/author/display/PLINK/Picketlink+as+IDP,+Salesforce+as+SP
>>
>>
>>
>> Marek
>>
>> On 30.4.2015 17:39, Bill Burke wrote:
>>> I set up a salesforce example and looked at the login response SAML
>>> document. Looks like no assertion data is being sent back at all by
>>> salesforce.
>>>
>>> On 4/30/2015 9:43 AM, Bill Burke wrote:
>>>> I have no idea. Basically this error is stating that the login
>>>> response
>>>> saml document has no assertions within it. If there are no
>>>> assertions,
>>>> then there has been no identity data sent.
>>>>
>>>> I'm looking now, but can you send me a link on how to set up
>>>> Salesforce
>>>> as an IDP? Is one able to set up a free account and such?
>>>>
>>>> On 4/30/2015 9:25 AM, Henk Laracker wrote:
>>>>> Hi Bill,
>>>>>
>>>>> I don't know why I missed that, thanks! Salesforce responds now with
>>>>> the
>>>>> correct login page. After logging in in Salesforce, I'm redirected to
>>>>> keycloak again with an internal error:
>>>>>
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException:
>>>>> Could not
>>>>> process response from SAML identity provider.
>>>>> java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
>>>>> ... 39 more
>>>>> Caused by: org.keycloak.broker.provider.IdentityBrokerException: No
>>>>> assertion from response.
>>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.getAssertion(SAMLEndpoint.java:309)
>>>>> at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:264)
>>>>> ... 54 more
>>>>>
>>>>> Any idea?
>>>>>
>>>>> Henk
>>>>>
>>>>>
>>>>> On 30/04/15 14:31, "Bill Burke" wrote:
>>>>>
>>>>>> You want to chain keycloak server to Salesforce?
>>>>>>
>>>>>> If you create a SAMLv2 IdentityProvider in keycloak that points to
>>>>>> Salesforce, you'll see after you create it, an Export button. Click
>>>>>> that. That will create an entity descriptor with all the
>>>>>> information
>>>>>> you need.
>>>>>>
>>>>>> On 4/30/2015 2:45 AM, Henk Laracker wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I like to use Salesforce as Identity Provider, the metadata
>>>>>>> provided by
>>>>>>> salesforce can be imported.
>>>>>>> But I need to specify the Service Provider in salesforce, I have
>>>>>>> to fill
>>>>>>> in a couple of fields, but two of them I don't understand (and are
>>>>>>> mandatory). Does someone have any clue
>>>>>>>
>>>>>>> 1. entity id , remark of salesforce : get this value from your
>>>>>>> serviceprovider
>>>>>>> 2. ACS URL, remark of salesforce : The assertion consumer
>>>>>>> service. Get
>>>>>>> this value from your service provider.
>>>>>>>
>>>>>>> I have tried a lot of values but every time I click the saml
>>>>>>> button on
>>>>>>> my app, it redirects to salesforce but I get a page with the
>>>>>>> error :
>>>>>>> Error: Unable to resolve request into a Service Provider
>>>>>>>
>>>>>>> Henk
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From peterson.dean at gmail.com Mon May 4 08:52:06 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Mon, 4 May 2015 07:52:06 -0500
Subject: [keycloak-user] Disable SSL with keycloak-server.json
Message-ID:

I am trying to deploy Keycloak with Docker on a headless Red Hat Enterprise Linux on Amazon's EC2. There is no way to sign in on the local host. I saw a brief mention of allowing an entry in the keycloak-server.json file to disable ssl but it does not appear that was ever implemented. Is there a way to disable ssl without first needing to sign in to the master realm as administrator?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150504/65ceba9e/attachment.html

From kalinga at leapset.com Tue May 5 03:09:43 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Tue, 5 May 2015 12:39:43 +0530 (IST)
Subject: [keycloak-user] Clarification on Remember Me Functionality
In-Reply-To: <1092658797.9307847.1430307821196.JavaMail.zimbra@redhat.com>
References: <1077151537.15651304.1428645933306.JavaMail.zimbra@redhat.com> <1163846703.15736138.1428654722223.JavaMail.zimbra@redhat.com> <1430293670.756224901@apps.rackspace.com> <812709433.9010092.1430295196992.JavaMail.zimbra@redhat.com> <1430299060.339127383@apps.rackspace.com> <1092658797.9307847.1430307821196.JavaMail.zimbra@redhat.com>
Message-ID: <1430809783.22429404@apps.rackspace.com>

https://issues.jboss.org/browse/KEYCLOAK-1267 is created to track this.

Kalinga

-----Original Message-----
From: "Stian Thorgersen"
Sent: Wednesday, April 29, 2015 5:13pm
To: "Kalinga Dissanayake"
Cc: "Lohitha Chiranjeewa" , keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Clarification on Remember Me Functionality

Oki, that makes sense - it's not possible atm, but if you create a jira we'll add it when we can

----- Original Message -----
> From: "Kalinga Dissanayake"
> To: "Stian Thorgersen"
> Cc: "Lohitha Chiranjeewa" , keycloak-user at lists.jboss.org
> Sent: Wednesday, 29 April, 2015 11:17:40 AM
> Subject: Re: [keycloak-user] Clarification on Remember Me Functionality
>
>
> Sorry for the confusion.
> Let me rephrase, please correct me if I am wrong.
>
> This is my requirement
> If a user logs in via keycloak without ticking "remember me", I need the
> session on keycloak to time out after 20 minutes (in case it's idle).
> If a user logs in via keycloak ticking "remember me", I need the user to be
> "remembered" on keycloak for 12 weeks irrespective of whether the user
> continues to interact with keycloak or not. Something like facebook.
>
> Just saw this thread as well
> http://ux.stackexchange.com/questions/62857/which-remember-me-option-is-the-best/62862#62862
>
> Hope my requirement is clear.
>
> Kalinga
>
>
> -----Original Message-----
> From: "Stian Thorgersen"
> Sent: Wednesday, April 29, 2015 1:43pm
> To: "Kalinga Dissanayake"
> Cc: "Lohitha Chiranjeewa" , keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Clarification on Remember Me Functionality
>
>
>
> I'm confused, what do you actually think the session timeout does? Exactly why
> do you think that remember-me/session should be valid after the session has
> timed out?
>
> ----- Original Message -----
> > From: "Kalinga Dissanayake"
> > To: "Stian Thorgersen"
> > Cc: "Lohitha Chiranjeewa" , keycloak-user at lists.jboss.org
> > Sent: Wednesday, 29 April, 2015 9:47:50 AM
> > Subject: Re: [keycloak-user] Clarification on Remember Me Functionality
> >
> >
> > Stian,
> >
> > I am having this issue on remember me functionality
> > Can you help me get it sorted?
> >
> > I need keycloak to remember me for 2 weeks but I need the session idle
> > timeout to be only 20 minutes.
> > I tried setting SSO Session Max Lifespan to 14 days and setting SSO Session
> > Idle Timeout to 20 minutes.
> > But the keycloak remember me token expires after 20 minutes! I need the
> > remember me token to be valid for 14 days and session idle timeout to be valid for
> > 20 minutes. :) How can I get this sorted? Setting both parameters to 14 days
> > does not work for me :) Any other way forward?
> >
> > Kalinga
> >
> > -----Original Message-----
> > From: "Stian Thorgersen"
> > Sent: Friday, April 10, 2015 2:02pm
> > To: "Lohitha Chiranjeewa"
> > Cc: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Clarification on Remember Me Functionality
> >
> >
> >
> > This is expected behaviour
> >
> > ----- Original Message -----
> > > From: "Lohitha Chiranjeewa"
> > > To: "Stian Thorgersen" , keycloak-user at lists.jboss.org
> > > Sent: Friday, 10 April, 2015 8:57:19 AM
> > > Subject: Re: [keycloak-user] Clarification on Remember Me Functionality
> > >
> > > Thanks for the suggestion. I will have to adjust both timeouts according
> > > to
> > > my needs.
> > >
> > > So is this the expected behavior of Keycloak or is there room for an
> > > improvement? In my view, Remember Me functionality should work
> > > independent
> > > of SSO Session Idle Timeout.
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150505/dc56af46/attachment.html

From stian at redhat.com Tue May 5 06:21:20 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 5 May 2015 06:21:20 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.2.0.CR1 Released
Message-ID: <1424346669.12975071.1430821280430.JavaMail.zimbra@redhat.com>

See http://blog.keycloak.org/2015/05/keycloak-120cr1-released.html for details

From ivan at akvo.org Tue May 5 09:19:48 2015
From: ivan at akvo.org (Iván Perdomo)
Date: Tue, 05 May 2015 15:19:48 +0200
Subject: [keycloak-user] OIDC - ID Token's nonce validation
Message-ID: <5548C374.5040601@akvo.org>

Hi,

It seems that if a client sends the optional `nonce` parameter as part of the authentication request, the server should return it as `nonce` claim part of the ID Token

> The value is passed through unmodified from the Authentication
> Request to the ID Token. If present in the ID Token, Clients MUST
> verify that the nonce Claim Value is equal to the value of the nonce
> parameter sent in the Authentication Request. If present in the
> Authentication Request, Authorization Servers MUST include a nonce
> Claim in the ID Token with the Claim Value being the nonce value sent
> in the Authentication Request. Authorization Servers SHOULD perform
> no other processing on nonce values used. The nonce value is a case
> sensitive string.

http://openid.net/specs/openid-connect-core-1_0.html#IDToken

As of Keycloak 1.2.0.Beta1 if a client sends a `nonce`, the ID Token doesn't include the `nonce` claim.

Should I log this as a defect? Or is it something already solved in 1.2.0RC1?

Thanks,

--
Iván
From delkant at gmail.com Tue May 5 09:25:06 2015
From: delkant at gmail.com (Rodrigo Del Canto)
Date: Tue, 5 May 2015 09:25:06 -0400
Subject: [keycloak-user] Cordova on IOS error
Message-ID:

Hello guys,

I work a lot with cordova and Wildfly, usually I do my implementations of the authentication using JAAS and ajax, sending an auth token in the http request. I really love Keycloak's goals and how fast the project is growing, I would love to integrate it into my projects.

The problem I have now is I have tried the cordova example that comes with keycloak's examples, it works fine on Android, but I couldn't make it work on iOS, it's like the "new Keycloak()" instance cannot be initialized. I don't know if I'm doing something wrong but this looks so simple, I added the inappbrowser plugin on android and it just worked there but I didn't have the same luck on iOS.

Has anyone tested it on iOS? Is there any extra step I have to do in order to make it work?

My environment:
- Wildfly 8.2
- Keycloak 1.2.0.Beta1
- Cordova 4.1.2

Thanks,
Rodrigo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150505/06285861/attachment.html

From ivan at akvo.org Tue May 5 10:12:30 2015
From: ivan at akvo.org (Iván Perdomo)
Date: Tue, 05 May 2015 16:12:30 +0200
Subject: [keycloak-user] OIDC - ID Token's nonce validation
In-Reply-To: <5548C374.5040601@akvo.org>
References: <5548C374.5040601@akvo.org>
Message-ID: <5548CFCE.1070302@akvo.org>

Hi again,

On 05/05/2015 03:19 PM, Iván Perdomo wrote:
> If present in the ID Token, Clients MUST
>> verify that the nonce Claim Value is equal to the value of the nonce
>> parameter sent in the Authentication Request.

More info is also described in the ID Token validation section

> If a nonce value was sent in the Authentication Request, a nonce
> Claim MUST be present and its value checked to verify that it is the
> same value as the one that was sent in the Authentication Request.
> The Client SHOULD check the nonce value for replay attacks. The
> precise method for detecting replay attacks is Client specific.

http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

As I understand it, if a `nonce` parameter is present in the authentication request, we should simply return it as "claim" in the ID Token.

I'm browsing the source code and I see that the IDToken [1] class is prepared with the `nonce` property. But I'm kind of lost on where the authentication request gets parsed. I would like to contribute this change, any guide where to look?

[1] https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/org/keycloak/representations/IDToken.java#L40-L41

Cheers,

--
Iván

From kalinga at leapset.com Tue May 5 10:38:04 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Tue, 5 May 2015 20:08:04 +0530 (IST)
Subject: [keycloak-user] User attributes in ID Token using protocol mappers
Message-ID: <1430836684.06481955@apps.rackspace.com>

Is it possible to return a user attribute in the ID token using protocol mappers?

I have a user that has a custom attribute called "accountId" and a value is assigned to it. I checked in the USER_ATTRIBUTE table (mysql) and the values are properly assigned.

I created a protocol mapper.
In that I set the protocol type as "User Attribute" and entered the key "accountId" as both the User Attribute and Token Claim Name and switched on both "Add to ID Token" and "Add to Access Token". I simply cant get this accountID attribute value returned in the ID Token nor Access Token. Basically I need to return the user attributes in the ID Token / Access Token. Is it possible? Regards, Kalinga -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150505/2397c2df/attachment.html From mposolda at redhat.com Tue May 5 11:12:42 2015 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 May 2015 17:12:42 +0200 Subject: [keycloak-user] User attributes in ID Token using protocol mappers In-Reply-To: <1430836684.06481955@apps.rackspace.com> References: <1430836684.06481955@apps.rackspace.com> Message-ID: <5548DDEA.1010103@redhat.com> Hi, I've just tried that with latest 1.2.0.CR1 release and it works as expected. Could you also try it with latest version? Which adapter are you using? In JS application, you should be able to retrieve token directly from "tokenParsed" or "idTokenParsed". From servlet application, you need to call something like: accessToken.getOtherClaims().get("accountId"); Also doublecheck the case-sensitivity for both database and name of attribute in protocol mapper ( "accountId" vs. "accountID" ). Last tip: if you added the attribute directly to database, you may need to restart keycloak server. It's because user might be already cached by Keycloak and hence you won't see the attribute from DB until you restart Keycloak server. It's because cache is not cleared if you edit database directly. Marek On 5.5.2015 16:38, Kalinga Dissanayake wrote: > > Is it possible to return a user attribute in the ID token using > protocol mappers? > > I have a user that has a custom attribute called "accountId" and a > value is assigned to it. 
I checked in the USER_ATTRIBUTE table (mysql) > and the values are properly assigned. > > I created a protocol mapper. In that I set the protocol type as "User > Attribute" and entered the key "accountId" as both the User Attribute > and Token Claim Name and switched on both "Add to ID Token" and "Add > to Access Token". > > I simply cant get this accountID attribute value returned in the ID > Token nor Access Token. > > Basically I need to return the user attributes in the ID Token / > Access Token. Is it possible? > > Regards*,* > > Kalinga > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150505/1c36307a/attachment.html From bburke at redhat.com Tue May 5 11:15:31 2015 From: bburke at redhat.com (Bill Burke) Date: Tue, 05 May 2015 11:15:31 -0400 Subject: [keycloak-user] User attributes in ID Token using protocol mappers In-Reply-To: <1430836684.06481955@apps.rackspace.com> References: <1430836684.06481955@apps.rackspace.com> Message-ID: <5548DE93.8060508@redhat.com> There is a UserProperty mapper and a UserAttribute mapper. Use the "UserAttribute" mapper. Maybe that's it? UserProperty is looks for get methods on UserModel. Meh, this as probably a bad idea. Should probably have just combined them. On 5/5/2015 10:38 AM, Kalinga Dissanayake wrote: > Is it possible to return a user attribute in the ID token using protocol > mappers? > > I have a user that has a custom attribute called "accountId" and a value > is assigned to it. I checked in the USER_ATTRIBUTE table (mysql) and the > values are properly assigned. > > I created a protocol mapper. 
> In that I set the protocol type as "User Attribute" and entered the key "accountId" as both the User Attribute and Token Claim Name and switched on both "Add to ID Token" and "Add to Access Token".
>
> I simply can't get this accountID attribute value returned in the ID Token nor Access Token.
>
> Basically I need to return the user attributes in the ID Token / Access Token. Is it possible?
>
> Regards,
>
> Kalinga

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From mposolda at redhat.com Tue May 5 11:18:02 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 05 May 2015 17:18:02 +0200
Subject: [keycloak-user] OIDC - ID Token's nonce validation
In-Reply-To: <5548CFCE.1070302@akvo.org>
References: <5548C374.5040601@akvo.org> <5548CFCE.1070302@akvo.org>
Message-ID: <5548DF2A.5020707@redhat.com>

We don't have support for it at this moment. Could you please create a JIRA for it?

Thanks,
Marek

On 5.5.2015 16:12, Iván Perdomo wrote:
> Hi again,
>
> On 05/05/2015 03:19 PM, Iván Perdomo wrote:
>> If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request.
>
> More info is also described in the ID Token validation section:
>
>> If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
> http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
>
> As I understand it, if a `nonce` parameter is present in the authentication request, we should simply return it as a "claim" in the ID Token.
>
> I'm browsing the source code and I see that the IDToken [1] class is prepared with the `nonce` property. But I'm kind of lost on where the authentication request gets parsed. I would like to contribute this change, any guide where to look?
>
> [1] https://github.com/keycloak/keycloak/blob/1.2.0.CR1/core/src/main/java/org/keycloak/representations/IDToken.java#L40-L41
>
> Cheers,

From mposolda at redhat.com Tue May 5 11:21:41 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 05 May 2015 17:21:41 +0200
Subject: [keycloak-user] User attributes in ID Token using protocol mappers
In-Reply-To: <5548DE93.8060508@redhat.com>
References: <1430836684.06481955@apps.rackspace.com> <5548DE93.8060508@redhat.com>
Message-ID: <5548E005.30800@redhat.com>

+1 for combining them. Or maybe UserPropertyMapper could display a combobox with the available properties from UserModel? Those could be retrieved by reflection.

Marek

On 5.5.2015 17:15, Bill Burke wrote:
> There is a UserProperty mapper and a UserAttribute mapper. Use the "UserAttribute" mapper. Maybe that's it? UserProperty looks for get methods on UserModel. Meh, this was probably a bad idea. Should probably have just combined them.
>
> On 5/5/2015 10:38 AM, Kalinga Dissanayake wrote:
>> Is it possible to return a user attribute in the ID token using protocol mappers?
>>
>> I have a user that has a custom attribute called "accountId" and a value is assigned to it. I checked in the USER_ATTRIBUTE table (mysql) and the values are properly assigned.
>>
>> I created a protocol mapper. In that I set the protocol type as "User Attribute" and entered the key "accountId" as both the User Attribute and Token Claim Name and switched on both "Add to ID Token" and "Add to Access Token".
>>
>> I simply can't get this accountID attribute value returned in the ID Token nor Access Token.
>>
>> Basically I need to return the user attributes in the ID Token / Access Token. Is it possible?
>>
>> Regards,
>>
>> Kalinga

From eugene.chow.ct at gmail.com Tue May 5 11:30:17 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Tue, 05 May 2015 23:30:17 +0800
Subject: [keycloak-user] Batch import of accounts into Keycloak
Message-ID: <5548E209.2070807@gmail.com>

Hi,

First of all, a big thank you to the developers for an SSO that's simple to use and a beautiful interface to boot.

I'm running Keycloak for an app in development. For UAT purposes, I need to batch import accounts from a CSV file via the command-line. I'm looking for the REST API to login as admin, get a token, create a new account, update the new account's password, and then log out. I haven't found any documentation on this.

If the REST API is not equipped for this purpose, what would be the correct method to bulk import users?

Thanks!
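Two of the threads above are about what a client does with the ID Token once it arrives: reading a custom claim that a "User Attribute" protocol mapper has added (Kalinga's "accountId", which the servlet adapter exposes through getOtherClaims()), and the nonce rules Iván quotes from the OpenID Connect core spec (the claim must equal the nonce sent in the Authentication Request, and the client should detect replay). The following Python is an added example written for this archive; it is not code from Keycloak, from any adapter, or from anyone on the list. The names (validate_id_token, NonceStore, make_unsigned_token, ISSUER) are mine, the token it checks is constructed with alg=none so the file runs offline, and it assumes the JWS signature has already been verified against the realm key, which a real client must do before trusting any claim.

```python
import base64
import json
import time

# Claims the OpenID Connect core spec defines for the ID Token. Everything else is
# an "other" claim, which is where an attribute added by a protocol mapper lands.
STANDARD_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "acr",
                   "amr", "azp", "at_hash", "session_state"}


class TokenValidationError(Exception):
    pass


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_payload(token):
    """Return the payload of a compact JWS (header.payload.signature) as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


class NonceStore:
    """Nonces this client generated for outstanding Authentication Requests.
    A nonce is consumed on first use, so a second ID Token carrying it is rejected."""

    def __init__(self):
        self._pending = set()

    def issue(self, nonce):
        self._pending.add(nonce)

    def consume(self, nonce):
        if nonce in self._pending:
            self._pending.discard(nonce)
            return True
        return False


def validate_id_token(token, *, issuer, client_id, expected_nonce, nonce_store, now=None):
    """Apply the ID Token validation rules quoted in the thread and return the claims.
    The result holds the standard claims plus "other_claims" (the analogue of
    getOtherClaims() in the servlet adapter), which is where "accountId" ends up.
    Assumes the JWS signature was already verified (not done here)."""
    now = time.time() if now is None else now
    claims = decode_payload(token)
    if claims.get("iss") != issuer:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise TokenValidationError("token expired")
    if expected_nonce is not None:
        # We sent a nonce, so the claim MUST be present and MUST equal what we sent ...
        if claims.get("nonce") != expected_nonce:
            raise TokenValidationError("nonce claim missing or different from the request")
        # ... and it must not have been presented before (the replay check the spec
        # leaves client-specific; here a one-shot store).
        if not nonce_store.consume(expected_nonce):
            raise TokenValidationError("nonce replayed or never issued by this client")
    result = {k: v for k, v in claims.items() if k in STANDARD_CLAIMS}
    result["other_claims"] = {k: v for k, v in claims.items() if k not in STANDARD_CLAIMS}
    return result


def make_unsigned_token(claims):
    """CONSTRUCTED demo token: alg=none, empty signature. Never accept one of these
    from a real IdP; it exists only so this file runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url_encode(json.dumps(claims).encode()) + "."


ISSUER = "http://localhost:8080/auth/realms/demo"   # constructed realm URL


def demo():
    """Happy path, then a replay of the same token, then a token with another nonce."""
    store = NonceStore()
    store.issue("n-7f3a")
    good = make_unsigned_token({"iss": ISSUER, "aud": "myapp", "sub": "u-1",
                                "exp": 2_000_000_000, "nonce": "n-7f3a",
                                "accountId": "ACC-42"})   # claim added by the mapper
    kw = dict(issuer=ISSUER, client_id="myapp", expected_nonce="n-7f3a",
              nonce_store=store, now=1_700_000_000)
    account_id = validate_id_token(good, **kw)["other_claims"]["accountId"]
    bad = make_unsigned_token({"iss": ISSUER, "aud": "myapp", "sub": "u-1",
                               "exp": 2_000_000_000, "nonce": "n-other"})
    outcomes = []
    for tok in (good, bad):
        try:
            validate_id_token(tok, **kw)
            outcomes.append("accepted")
        except TokenValidationError:
            outcomes.append("rejected")
    return account_id, outcomes
```

demo() returns ("ACC-42", ["rejected", "rejected"]): the first presentation yields the mapper's claim, the second presentation of the same token fails because its nonce was already consumed, and the token whose nonce does not match the request fails outright. The case-sensitivity point Marek makes applies here too: the lookup is on the exact key "accountId", so a mapper configured with "accountID" would put the value under a different key in other_claims.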
From ivan at akvo.org Tue May 5 11:50:53 2015
From: ivan at akvo.org (Iván Perdomo)
Date: Tue, 05 May 2015 17:50:53 +0200
Subject: [keycloak-user] OIDC - ID Token's nonce validation
In-Reply-To: <5548DF2A.5020707@redhat.com>
References: <5548C374.5040601@akvo.org> <5548CFCE.1070302@akvo.org> <5548DF2A.5020707@redhat.com>
Message-ID: <5548E6DD.4060105@akvo.org>

Hi,

On 05/05/2015 05:18 PM, Marek Posolda wrote:
> We don't have support for it at this moment. Could you please create a JIRA for it?

Issue logged: https://issues.jboss.org/browse/KEYCLOAK-1272

Cheers,
-- 
Iván

From b.hansmann at alphaapps.de Tue May 5 13:15:18 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Tue, 05 May 2015 19:15:18 +0200
Subject: [keycloak-user] Deployment of 1.2.0.CR1
Message-ID: <1430846118.5642.23.camel@alphaapps.de>

Thanks for the release. I have questions regarding the new overlay distribution:

1. The Wildfly adapter seems to be integrated in the overlay distribution, so no adapter installation is needed in this situation. Is this correct?

2. Section 3.1.2 (Install on existing WildFly 8.2.0.Final) of the documentation refers to the keycloak standalone server/appliance distribution. Is this intended?

3. I merged the keycloak specific configuration from standalone-keycloak.xml into the standalone.xml of my existing wildfly installation. Am I supposed to deploy the keycloak-server-1.2.0.CR1.war manually as in previous versions? Section 3.4. (Installing Keycloak Server as Root Context) states that main-auth-server is the name of the Keycloak server as defined in the Keycloak subsystem.
Can I use this name to deploy it without providing the full path even when not using it as the default-web-module?

4. Will there be maven artifacts for this release soon?

Best Regards
Benjamin

From thiago.addevico at gmail.com Tue May 5 14:11:06 2015
From: thiago.addevico at gmail.com (Thiago Presa)
Date: Tue, 5 May 2015 15:11:06 -0300
Subject: [keycloak-user] Application Management
In-Reply-To: <142236929.14040814.1428466536253.JavaMail.zimbra@redhat.com>
References: <596874598.6524658.1427432321791.JavaMail.zimbra@redhat.com> <1915332308.6796315.1427464264502.JavaMail.zimbra@redhat.com> <657783737.13228908.1428388705228.JavaMail.zimbra@redhat.com> <142236929.14040814.1428466536253.JavaMail.zimbra@redhat.com>
Message-ID:

Sorry for the delay, I removed it.

On Wed, Apr 8, 2015 at 1:15 AM, Stian Thorgersen wrote:
> Keycloak doesn't add any roles to applications, as we don't want to make special/reserved roles on those and leave it up to users to decide what roles they want. So that would have to be removed.
>
> ----- Original Message -----
> > From: "Thiago Presa"
> > To: "Stian Thorgersen"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 7 April, 2015 3:24:59 PM
> > Subject: Re: [keycloak-user] Application Management
> >
> > To make sure that the user has all roles of a given application. If someone creates another role after granting app-admin, it is automatically inserted into the app-admin composite role and therefore granted.
> >
> > On Tue, Apr 7, 2015 at 3:38 AM, Stian Thorgersen wrote:
> > > What's the purpose of app-admin?
> > >
> > > ----- Original Message -----
> > > > From: "Thiago Presa"
> > > > To: "Stian Thorgersen"
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Wednesday, 1 April, 2015 7:33:26 PM
> > > > Subject: Re: [keycloak-user] Application Management
> > > >
> > > > Speaking with my colleagues, I believe it won't cause troubles for us.
> > > > We had to give view-applications: the admin console wouldn't work properly, but this is also OK according to our requirements.
> > > >
> > > > Would you mind giving us some feedback on [1]? We wrote this to experiment a bit with the proposal, but I'm not familiar with keycloak's source or practices. What should I do to help get this merged?
> > > >
> > > > [1] https://github.com/keycloak/keycloak/compare/master...tpresa:master
> > > >
> > > > On Fri, Mar 27, 2015 at 10:51 AM, Stian Thorgersen wrote:
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Thiago Presa"
> > > > > > To: "Stian Thorgersen"
> > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > Sent: Friday, 27 March, 2015 2:01:56 PM
> > > > > > Subject: Re: [keycloak-user] Application Management
> > > > > >
> > > > > > Ah, yes, I didn't understand your proposal properly. Wouldn't giving manage-users to app-admins cause trouble, since app-admins could create and modify user accounts?
> > > > >
> > > > > Whether or not it's causing trouble depends on your requirements, but yes, they could create and modify user accounts, but not grant more privileges.
> > > > >
> > > > > If you need to go beyond this, one alternative is to wrap the admin endpoints in your own application. We've just got so much on our plate at the moment that we can't provide this level of control on permissions.
> > > > >
> > > > > > On Fri, Mar 27, 2015 at 1:58 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > >
> > > > > > > Well, yes.. I told you it was a bit rubbish and would need some re-design to implement more fine grained permissions. Doing that is a relatively big task and is not a high priority for us ATM.
> > > > > > >
> > > > > > > I'm a bit confused by this email as I proposed a simple solution that would resolve your requirements. If an admin can only grant permissions that admin has access to, all you have to do is to create an admin that can only access roles for certain applications and your problem should be solved. That's a simple solution that we can add soon.
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Thiago Presa"
> > > > > > > > To: "Stian Thorgersen"
> > > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > > Sent: Thursday, 26 March, 2015 8:10:07 PM
> > > > > > > > Subject: Re: [keycloak-user] Application Management
> > > > > > > >
> > > > > > > > So I've spent the last couple of days playing with the source. :-)
> > > > > > > >
> > > > > > > > The current authorization mechanism is based on Realm/RealmApp, i.e. whenever an API resource is called, check if the User has the required Right (manage, any, view) in the resource's Realm/RealmApp.
> > > > > > > >
> > > > > > > > Consider, for example, the URI /admin/realms/{realm}/applications-by-id/{app-name}/roles/{role-name}. What I was trying to do is to create a permission for {app-name} so that this API call wouldn't require any Realm/RealmApp right.
> > > > > > > >
> > > > > > > > The problem I see is that this API call triggers many methods (i.e.
> > > > > > > > AdminRoot#getRealmsAdmin, RealmsAdminResource#getRealmAdmin, RealmAdminResource#getApplicationsById, and so on...), and at those methods there is not enough information to figure out whether this is:
> > > > > > > >
> > > > > > > > 1- An app-specific call and thus should be authorized even without realm authorization, or;
> > > > > > > > 2- Not an app-specific call and thus should be properly authorized by Realm/RealmApp.
> > > > > > > >
> > > > > > > > Even in the case of (1), the information on which app I should check for authorization is not available.
> > > > > > > >
> > > > > > > > So it seems to me that this resource-loading mechanism presupposes an authorization mechanism that checks only against the realm for permission, and changing this seems daunting to me.
> > > > > > > >
> > > > > > > > Do you guys have any idea on a more local change I could make to achieve the intended behavior?
> > > > > > > >
> > > > > > > > On Tue, Mar 24, 2015 at 2:33 PM, Thiago Presa <thiago.addevico at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > OK, agreed. We thought this out of consistency, but if that's not a good design we surely can consider a better one.
> > > > > > > > >
> > > > > > > > > On Tue, Mar 24, 2015 at 9:44 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > > > > > > > >
> > > > > > > > >> ----- Original Message -----
> > > > > > > > >> > From: "Thiago Presa"
> > > > > > > > >> > To: stian at redhat.com
> > > > > > > > >> > Cc: keycloak-user at lists.jboss.org
> > > > > > > > >> > Sent: Tuesday, 24 March, 2015 1:41:16 PM
> > > > > > > > >> > Subject: Re: [keycloak-user] Application Management
> > > > > > > > >> >
> > > > > > > > >> > Hi there,
> > > > > > > > >> >
> > > > > > > > >> > I'm Alex's coworker and I'll be working on this too.
> > > > > > > > >> >
> > > > > > > > >> > We were just discussing your idea, and it seems to fit our requirements.
> > > > > > > > >> >
> > > > > > > > >> > As far as we have seen, keycloak already has a realm-admin concept. Whenever a realm "R" is created, it creates a R-realm application with a bunch of default roles (manage-users, manage-roles, etc.) into the realm master.
> > > > > > > > >> >
> > > > > > > > >> > We are currently thinking if we could mimic this structure for applications. What do you think?
> > > > > > > > >>
> > > > > > > > >> It's already messy with the way I modelled it and adding the same for applications would be even worse. I don't see why that's needed though if we'd add what I proposed.
> > > > > > > > >>
> > > > > > > > >> > > I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> > > > > > > > >> > >
> > > > > > > > >> > > Basically:
> > > > > > > > >> > > * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> > > > > > > > >> > > * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> > > > > > > > >> > > * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
> > > > > > > > >> > >
> > > > > > > > >> > > This is something we should add in either case (to prevent users granting themselves more access). Would it solve your problems?

From mposolda at redhat.com Tue May 5 14:37:44 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 05 May 2015 20:37:44 +0200
Subject: [keycloak-user] Batch import of accounts into Keycloak
In-Reply-To: <5548E209.2070807@gmail.com>
References: <5548E209.2070807@gmail.com>
Message-ID: <55490DF8.7050801@redhat.com>

Hi,

we have some admin REST API documented and the operations you mentioned should be available there:
http://docs.jboss.org/keycloak/docs/1.2.0.CR1/rest-api/overview-index.html

Maybe the easiest solution for you would be to use our admin-client, which allows you to easily invoke REST endpoints as Java methods and handles obtaining the accessToken for admin authentication too.
If your command-line has Java available, you can just run a simple Java program, which will use admin-client to invoke REST endpoints. The example for admin client is here:
https://github.com/keycloak/keycloak/tree/master/examples/admin-client

Marek

On 5.5.2015 17:30, Eugene Chow wrote:
> Hi,
>
> First of all, a big thank you to the developers for an SSO that's simple to use and a beautiful interface to boot.
>
> I'm running Keycloak for an app in development. For UAT purposes, I need to batch import accounts from a CSV file via the command-line. I'm looking for the REST API to login as admin, get a token, create a new account, update the new account's password, and then log out. I haven't found any documentation on this.
>
> If the REST API is not equipped for this purpose, what would be the correct method to bulk import users?
>
> Thanks!

From ssilvert at redhat.com Tue May 5 18:37:30 2015
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 05 May 2015 18:37:30 -0400
Subject: [keycloak-user] Deployment of 1.2.0.CR1
In-Reply-To: <1430846118.5642.23.camel@alphaapps.de>
References: <1430846118.5642.23.camel@alphaapps.de>
Message-ID: <5549462A.7040502@redhat.com>

On 5/5/2015 1:15 PM, Benjamin Hansmann [alphaApps] wrote:
> 3. I merged the keycloak specific configuration from standalone-keycloak.xml into the standalone.xml of my existing wildfly installation. Am I supposed to deploy the keycloak-server-1.2.0.CR1.war manually as in previous versions? Section 3.4. (Installing Keycloak Server as Root Context) states that main-auth-server is the name of the Keycloak server as defined in the Keycloak subsystem. Can I use this name to deploy it without providing the full path even when not using it as the default-web-module?
The name "main-auth-server" is just a name that is used in the keycloak subsystem by default. When you deploy the server manually as a war you can actually pick any name you want (assuming you deploy with the CLI or web console). If you want the keycloak server to use the root context, follow the same procedure as in the documentation. The value of default-web-module will be whatever deployment name you used. If you deployed by dropping the WAR into the /deployments directory then the deployment name will just be the name of the war file.

>
> Best Regards
> Benjamin

From kalinga at leapset.com Tue May 5 19:49:02 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Wed, 6 May 2015 05:19:02 +0530 (IST)
Subject: [keycloak-user] User attributes in ID Token using protocol mappers
In-Reply-To: <5548E005.30800@redhat.com>
References: <1430836684.06481955@apps.rackspace.com> <5548DE93.8060508@redhat.com> <5548E005.30800@redhat.com>
Message-ID: <1430869742.28338026@apps.rackspace.com>

I am using the 1.2.0 Beta version of keycloak. Hmm... Let me try again and see how it goes.

Regards,
Kalinga

-----Original Message-----
From: "Marek Posolda"
Sent: Tuesday, May 5, 2015 8:51pm
To: "Bill Burke", keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] User attributes in ID Token using protocol mappers

+1 for combining them. Or maybe UserPropertyMapper could display a combobox with the available properties from UserModel? Those could be retrieved by reflection.

Marek

On 5.5.2015 17:15, Bill Burke wrote:
> There is a UserProperty mapper and a UserAttribute mapper. Use the "UserAttribute" mapper. Maybe that's it? UserProperty looks for get methods on UserModel. Meh, this was probably a bad idea. Should probably have just combined them.
>
> On 5/5/2015 10:38 AM, Kalinga Dissanayake wrote:
>> Is it possible to return a user attribute in the ID token using protocol mappers?
>>
>> I have a user that has a custom attribute called "accountId" and a value is assigned to it. I checked in the USER_ATTRIBUTE table (mysql) and the values are properly assigned.
>>
>> I created a protocol mapper. In that I set the protocol type as "User Attribute" and entered the key "accountId" as both the User Attribute and Token Claim Name and switched on both "Add to ID Token" and "Add to Access Token".
>>
>> I simply can't get this accountID attribute value returned in the ID Token nor Access Token.
>>
>> Basically I need to return the user attributes in the ID Token / Access Token. Is it possible?
>>
>> Regards,
>>
>> Kalinga
From lkrzyzan at redhat.com Wed May 6 03:11:58 2015
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Wed, 6 May 2015 09:11:58 +0200
Subject: [keycloak-user] Missing artifact in maven central - org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1
Message-ID: <0B8657D9-29B0-4C2B-9166-5A35F8969B97@redhat.com>

Hi there,

my project depends on keycloak-server-overlay:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-server-overlay</artifactId>
        <version>1.2.0.CR1</version>
        <type>zip</type>
    </dependency>

See http://central.maven.org/maven2/org/keycloak/keycloak-server-overlay/1.2.0.CR1/keycloak-server-overlay-1.2.0.CR1.pom

I'm not able to build it because this transitive dependency is missing in the repo: org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1

The workaround is to build it locally from the KC sources. Can you upload it to the maven central repo please?

Thanks,

Libor Krzyžanek
jboss.org Development Team

From bbazian at mbopartners.com Wed May 6 06:05:17 2015
From: bbazian at mbopartners.com (Ben Bazian)
Date: Wed, 6 May 2015 10:05:17 +0000
Subject: [keycloak-user] Salesforce connection
Message-ID: <860E8DAFFC76794694CFF405F8A1E71F0218AF55@416429-EXCH1.mbopartners.com>

We are doing a proof of concept to use Keycloak for our SSO environment. As a test case I would like to connect our Salesforce sandbox with Keycloak. Has anyone successfully made this connection? Is there any documentation available?

Thanks

-Ben
From bburke at redhat.com Wed May 6 06:57:27 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 06 May 2015 06:57:27 -0400
Subject: [keycloak-user] Salesforce connection
In-Reply-To: <860E8DAFFC76794694CFF405F8A1E71F0218AF55@416429-EXCH1.mbopartners.com>
References: <860E8DAFFC76794694CFF405F8A1E71F0218AF55@416429-EXCH1.mbopartners.com>
Message-ID: <5549F397.6030801@redhat.com>

I have successfully set up Salesforce as an IDP, but not Salesforce as an SP. No docs. I'd like to do a screencast for it or something... Do you know if, using Salesforce as an SP, it is possible for the IDP to run on localhost?

On 5/6/2015 6:05 AM, Ben Bazian wrote:
> We are doing a proof of concept to use Keycloak for our SSO environment. As a test case I would like to connect our Salesforce sandbox with Keycloak. Has anyone successfully made this connection? Is there any documentation available?
>
> Thanks
>
> -Ben

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From peterson.dean at gmail.com Wed May 6 10:32:56 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Wed, 6 May 2015 09:32:56 -0500
Subject: [keycloak-user] Keycloak still creates long ugly urls
Message-ID:

I recently upgraded to the latest beta version of Keycloak expecting my long ugly url problem to go away:

http://trade.abecorn.com/?redirect_fragment=%2F&code=ukqPsGX7F3ViiYdYgVjsDGE1v-4TGTqE-We0ksk1nzY.d2386c15-b402-4411-a94a-a175f0fc1334&state=2b84dfb8-0f10-4c15-9737-feb409d7bfb7#/

Am I doing something wrong?
From eugene.chow.ct at gmail.com Wed May 6 11:26:22 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Wed, 06 May 2015 23:26:22 +0800
Subject: [keycloak-user] Batch import of accounts into Keycloak
In-Reply-To:
References:
Message-ID: <554A329E.5020607@gmail.com>

Hi Marek,

Thanks for the link. Looks like it came up shortly before I posted.

I would like to first try the REST API as I can quickly whip up a BASH script to perform the batch import. In 1.2.0.CR1's REST API documentation, there doesn't seem to be an option to login as admin and get the token.

Could you point out which URL I should call to login via curl on the CLI?

Thanks!

On 6/5/2015 10:33 PM, Marek Posolda wrote:
> Hi,
>
> we have some admin REST API documented and the operations you mentioned should be available there:
> http://docs.jboss.org/keycloak/docs/1.2.0.CR1/rest-api/overview-index.html
>
> Maybe the easiest solution for you would be to use our admin-client, which allows you to easily invoke REST endpoints as Java methods and handles obtaining the accessToken for admin authentication too. If your command-line has Java available, you can just run a simple Java program, which will use admin-client to invoke REST endpoints. The example for admin client is here:
> https://github.com/keycloak/keycloak/tree/master/examples/admin-client
>
> Marek
>
> On 5.5.2015 17:30, Eugene Chow wrote:
>> Hi,
>>
>> First of all, a big thank you to the developers for an SSO that's simple to use and a beautiful interface to boot.
>>
>> I'm running Keycloak for an app in development. For UAT purposes, I need to batch import accounts from a CSV file via the command-line. I'm looking for the REST API to login as admin, get a token, create a new account, update the new account's password, and then log out. I haven't found any documentation on this.
>>
>> If the REST API is not equipped for this purpose, what would be the correct method to bulk import users?
>>
>> Thanks!

From b.hansmann at alphaapps.de Wed May 6 13:09:50 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Wed, 06 May 2015 19:09:50 +0200
Subject: [keycloak-user] Get message for ModelException in admin-client
Message-ID: <1430932190.4814.7.camel@alphaapps.de>

Is one able to get an error message from the resetPassword method of admin-client if it somehow failed to reset the password, like when the password is too short or does not comply with the password policy?

It throws an InternalServerErrorException in that case. On the server side there seems to be a ModelException: invalidPasswordMinLengthMessage. That information is lost...

From leonardo.zanivan at gmail.com Wed May 6 13:31:41 2015
From: leonardo.zanivan at gmail.com (Leonardo Loch Zanivan)
Date: Wed, 06 May 2015 17:31:41 +0000
Subject: [keycloak-user] Get message for ModelException in admin-client
In-Reply-To: <1430932190.4814.7.camel@alphaapps.de>
References: <1430932190.4814.7.camel@alphaapps.de>
Message-ID:

Unfortunately I think it's not possible right now.

Admin client uses the Admin REST API, which isn't handling errors correctly.

If you try to reset a password using the Admin interface you will get a generic error 500 saying "Failed to reset user password".

In the server the stacktrace shows:
Caused by: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: invalidPasswordMinLengthMessage

We could file a JIRA to handle ModelException using JAX-RS exception handlers, so the response will have the correct error and we could show a better error message.
On Wed, May 6, 2015 at 2:10 PM Benjamin Hansmann [alphaApps] <b.hansmann at alphaapps.de> wrote:
> Is one able to get an error message from the resetPassword method of admin-client if it somehow failed to reset the password, like when the password is too short or does not comply with the password policy?
>
> It throws an InternalServerErrorException in that case. On the server side there seems to be a ModelException: invalidPasswordMinLengthMessage. That information is lost...

From b.hansmann at alphaapps.de Wed May 6 13:40:08 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Wed, 06 May 2015 19:40:08 +0200
Subject: [keycloak-user] Get message for ModelException in admin-client
In-Reply-To:
References: <1430932190.4814.7.camel@alphaapps.de>
Message-ID: <1430934008.4814.9.camel@alphaapps.de>

On Wed, 2015-05-06 at 17:31 +0000, Leonardo Loch Zanivan wrote:
> Unfortunately I think it's not possible right now.
>
> Admin client uses the Admin REST API, which isn't handling errors correctly.
>
> If you try to reset a password using the Admin interface you will get a generic error 500 saying "Failed to reset user password".
>
> In the server the stacktrace shows:
> Caused by: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelException: invalidPasswordMinLengthMessage
>
> We could file a JIRA to handle ModelException using JAX-RS exception handlers, so the response will have the correct error and we could show a better error message.

That would be nice.
> > On Wed, May 6, 2015 at 2:10 PM Benjamin Hansmann [alphaApps] > wrote: > Is one able to get an error message from the resetPassword > method of > admin-client if it somehow failed to reset the password, like > when the > password is too short or does not comply with the password > policy? > > It throws an InternalServerErrorException in that case. On the > server > side there seems to be a ModelException: > invalidPasswordMinLengthMessage. That information is lost... > > >

-- [alphaApps] mobile development Benjamin Hansmann Nosthoffenstraße 46 D-40589 Düsseldorf Germany Mobile: +49 (0) 177 249 47 47 Email: b.hansmann at alphaapps.de

From mposolda at redhat.com Wed May 6 14:21:37 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 06 May 2015 20:21:37 +0200 Subject: [keycloak-user] Batch import of accounts into Keycloak In-Reply-To: <554A329E.5020607@gmail.com> References: <554A329E.5020607@gmail.com> Message-ID: <554A5BB1.4060604@redhat.com>

Hi, you first need to enable "Direct access grant" for the master realm. Then retrieve the token via a direct access grant request for the master realm, for example with the "security-admin-console" application. You can see some example in the docs on how to do it: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/direct-access-grants.html . Use username/password of admin user in the endpoint (admin/admin by default). Note that we have some more examples showing direct access grant (as pointed on that page in the docs) and especially that admin-client handles this for you, which is one of its big advantages. Then the REST endpoint for adding a user is here: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/rest-api/admin/realms/%7Brealm%7D/users/index.html#POST .
For changing the password, you need to use the endpoint for "reset-password" and then use another endpoint for removing the required action from the user (as resetting the password will add this required action automatically). For more inspiration, you can also use the keycloak admin console and use some tool (for example Firebug in FF) to see which REST endpoints the admin console itself is using. Note that the admin console is an angular application, which invokes all these admin REST endpoints under the hood. Marek

On 6.5.2015 17:26, Eugene Chow wrote: > Hi Marek, > > Thanks for the link. Looks like it came up shortly before I posted. > > I would like to first try the REST API as I can quickly whip up a BASH > script to perform the batch import. In 1.2.0.CR1's REST API > documentation, there doesn't seem to be an option to login as admin and > get the token. > > Could you point out which URL I should call to login via curl on the CLI? > > Thanks! > > On 6/5/2015 10:33 PM, Marek Posolda wrote: >> Hi, >> >> we have some admin REST API documented and the operations you mentioned >> should be available there: >> http://docs.jboss.org/keycloak/docs/1.2.0.CR1/rest-api/overview-index.html >> >> Maybe the easiest solution for you would be to use our admin-client, which >> allows you to easily invoke REST endpoints as java methods and handles >> obtaining the accessToken for admin authentication too. If your >> command-line has Java available, you can just run a simple Java program, >> which will use admin-client to invoke REST endpoints. The example for >> admin client is here: >> https://github.com/keycloak/keycloak/tree/master/examples/admin-client >> >> Marek >> >> >> On 5.5.2015 17:30, Eugene Chow wrote: >>> Hi, >>> >>> First of all, a big thank you to the developers for an SSO that's simple >>> to use and a beautiful interface to boot. >>> >>> I'm running Keycloak for an app in development. For UAT purposes, I need >>> to batch import accounts from a CSV file via the command-line.
I'm >>> looking for the REST API to login as admin, get token, create new >>> account, update new acct's password, and then logout. I haven't found >>> any documentation on this. >>> >>> If the REST API is not equipped for this purpose, what would be the >>> correct method to bulk import users? >>> >>> Thanks! >

From mposolda at redhat.com Wed May 6 14:37:42 2015 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 06 May 2015 20:37:42 +0200 Subject: [keycloak-user] Get message for ModelException in admin-client In-Reply-To: References: <1430932190.4814.7.camel@alphaapps.de> Message-ID: <554A5F76.30805@redhat.com>

+1 for JIRA. Also feel free to send a PR as you have already nailed it down and you have already sent some PRs :-) By the way, thanks for them. It seems that generally we should improve on handling errors from admin REST endpoints. Ideally you can handle the error response similarly to how it's done here: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L771 . Then on the admin-client side, you can catch ClientErrorException and see the error message, for example like done here: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L49 Thanks, Marek

On 6.5.2015 19:31, Leonardo Loch Zanivan wrote: > Unfortunately I think it's not possible right now. > > Admin client uses Admin REST API, which isn't handling errors correctly. > > If you try to reset a password using Admin interface you will get a > generic error 500 saying "Failed to reset user password".
> > In the server the stacktrace shows: > Caused by: org.jboss.resteasy.spi.UnhandledException: > org.keycloak.models.ModelException: invalidPasswordMinLengthMessage > > We could file a JIRA to handle ModelException using JAX-RS exception > handlers, so the response will have the correct error and we could > show a better error message. > > On Wed, May 6, 2015 at 2:10 PM Benjamin Hansmann [alphaApps] > > wrote: > > Is one able to get an error message from the resetPassword method of > admin-client if it somehow failed to reset the password, like when the > password is too short or does not comply with the password policy? > > It throws an InternalServerErrorException in that case. On the server > side there seems to be a ModelException: > invalidPasswordMinLengthMessage. That information is lost... > > >

From bburke at redhat.com Wed May 6 20:37:44 2015 From: bburke at redhat.com (Bill Burke) Date: Wed, 06 May 2015 20:37:44 -0400 Subject: [keycloak-user] Keycloak still creates long ugly urls In-Reply-To: References: Message-ID: <554AB3D8.5020100@redhat.com>

Err...Too bad! :) This is the openid protocol/oauth protocol. The code and state query params have to be unique and relatively unguessable. Our adapters are supposed to strip out these oauth parameters and redirect to the original URL. Are you not seeing that?
On 5/6/2015 10:32 AM, Dean Peterson wrote: > I recently upgraded to the latest beta version of Keycloak expecting my > long ugly url problem to go away: > > http://trade.abecorn.com/?redirect_fragment=%2F&code=ukqPsGX7F3ViiYdYgVjsDGE1v-4TGTqE-We0ksk1nzY.d2386c15-b402-4411-a94a-a175f0fc1334&state=2b84dfb8-0f10-4c15-9737-feb409d7bfb7#/ > > Am I doing something wrong? > > > > >

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From stian at redhat.com Thu May 7 00:35:40 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 7 May 2015 00:35:40 -0400 (EDT) Subject: [keycloak-user] Cordova on IOS error In-Reply-To: References: Message-ID: <1684900889.14314001.1430973340317.JavaMail.zimbra@redhat.com>

Afraid it's only been tested on Android as I don't have any Apple devices available. I can see if we can get someone to try it out. Can you create a JIRA, and add some more details please? Also, if you figure out what the problem is feel free to send a PR.

----- Original Message ----- > From: "Rodrigo Del Canto" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, May 5, 2015 3:25:06 PM > Subject: [keycloak-user] Cordova on IOS error > > Hello guys, > > I work a lot with cordova and Wildfly, usually I do my implementations of the > authentication using JAAS and ajax, sending an auth token in the http > request. > > I really love Keycloak's goals and how fast the project is growing, I would > love to integrate it to my projects. > > The problem I have now is I have tried the cordova example that comes with > keycloak's examples, it works fine on Android, but I couldn't make it work > on iOS, it's like the "new Keycloak()" instance cannot be initialized.
> > I don't know if I'm doing something wrong but this looks so simple, I added > the inappbrowser plugin on android and it just worked there but I didn't > have the same luck on IOS. > > Has anyone tested it on iOS? Is there any extra step I have to do in order > to make it work? > > My environment: > - Wildfly 8.2 > - Keycloak 1.2.0.Beta1 > - Cordova 4.1.2 > > > Thanks, > > Rodrigo > >

From stian at redhat.com Thu May 7 00:41:55 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 7 May 2015 00:41:55 -0400 (EDT) Subject: [keycloak-user] Deployment of 1.2.0.CR1 In-Reply-To: <1430846118.5642.23.camel@alphaapps.de> References: <1430846118.5642.23.camel@alphaapps.de> Message-ID: <549432504.14314842.1430973715600.JavaMail.zimbra@redhat.com>

----- Original Message ----- > From: "Benjamin Hansmann [alphaApps]" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, May 5, 2015 7:15:18 PM > Subject: [keycloak-user] Deployment of 1.2.0.CR1 > > Thanks for the release. I have questions regarding the new overlay > distribution: > > 1 Wildfly adapter seems to be integrated in the overlay distribution, so > no adapter installation is needed in this situation. Is this correct? Not in 1.2.0.Beta1, but we'll probably change this in the future so the overlay only contains server bits. > > 2 Section 3.1.2 (Install on existing WildFly 8.2.0.Final) of the > documentation refers to the keycloak standalone server/appliance > distribution. Is this intended? I can't see any reference to keycloak standalone server/appliance in section 3.1.2. Can you copy/paste the relevant section? > > 3 I merged the keycloak specific configuration from > standalone-keycloak.xml into the standalone.xml of my existing wildfly > installation.
Am I supposed to deploy the keycloak-server-1.2.0.CR1.war > manually as in previous versions? Section 3.4. (Installing Keycloak > Server as Root Context) states that main-auth-server is the name of the > Keycloak server as defined in the Keycloak subsystem. Can I use this > name to deploy it without providing the full path even when not using it > as the default-web-module? There is no WAR any more. Keycloak is deployed as a sub-system. > > 4 Will there be maven artifacts for this release soon? Syncing to Maven central can take up to 24h after the release. It sucks, but nothing we can do about it :/ > > Best Regards > Benjamin > > >

From stian at redhat.com Thu May 7 00:47:19 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 7 May 2015 00:47:19 -0400 (EDT) Subject: [keycloak-user] Missing artifact in maven central - org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1 In-Reply-To: <0B8657D9-29B0-4C2B-9166-5A35F8969B97@redhat.com> References: <0B8657D9-29B0-4C2B-9166-5A35F8969B97@redhat.com> Message-ID: <643205323.14315616.1430974039317.JavaMail.zimbra@redhat.com>

Fixed and will be included in 1.2.0.Final release (https://issues.jboss.org/browse/KEYCLOAK-1279)

----- Original Message ----- > From: "Libor Krzyžanek" > To: "keycloak-user" > Sent: Wednesday, May 6, 2015 9:11:58 AM > Subject: [keycloak-user] Missing artifact in maven central - org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1 > > Hi there, > my project depends on keycloak-server-overlay > > <dependency> > <groupId>org.keycloak</groupId> > <artifactId>keycloak-server-overlay</artifactId> > <version>1.2.0.CR1</version> > <type>zip</type> > </dependency> > > See > http://central.maven.org/maven2/org/keycloak/keycloak-server-overlay/1.2.0.CR1/keycloak-server-overlay-1.2.0.CR1.pom > > I'm not able to build it because this transitive dependency is missing in > repo: org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1 > > Workaround is to
build it locally from KC sources. > > Can you upload it to maven central repo please? > > Thanks, > > Libor Krzyžanek > jboss.org Development Team > > >

From stian at redhat.com Thu May 7 01:39:38 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 7 May 2015 01:39:38 -0400 (EDT) Subject: [keycloak-user] OAuth In-Reply-To: References: <793422084.11876330.1430716147097.JavaMail.zimbra@redhat.com> Message-ID: <1554037269.14368813.1430977178199.JavaMail.zimbra@redhat.com>

We don't currently have support for that RFC. However, we have other mechanisms to expire tokens. All tokens are linked to a user session; once the session is logged out all associated tokens are invalid as well. You can also push a not-before for a realm or a specific client to invalidate all tokens prior to a given date.

----- Original Message ----- > From: "Fadi Abdin" > To: "Stian Thorgersen" > Cc: "keycloak-user" > Sent: Monday, May 4, 2015 1:30:42 PM > Subject: Re: [keycloak-user] OAuth > > I basically want to force expire a token, or invalidate a token. > https://tools.ietf.org/html/rfc7009 > > > > On Mon, May 4, 2015 at 1:09 AM, Stian Thorgersen wrote: > > > > > > > ----- Original Message ----- > > > From: "Fadi Abdin" > > > To: "keycloak-user" > > > Sent: Thursday, April 30, 2015 6:48:47 PM > > > Subject: [keycloak-user] OAuth > > > > > > I just created a simple javascript app to test my oauth keycloak > > connections > > > and implemented the calls to do the basic things (except revoke the > > token). > > > > > > My code is on github https://github.com/fadiabdeen/keycloak-oauth > > > > > > I was able to get an authorization code.
> > > get a token > refresh the token > get the user information through validate > logout (which only clears the session) > > > > I can't figure out how to revoke my access_token .. if anybody can help > > with > > > this then it's great. > > > > Not sure what you mean about revoking the access token. Can you elaborate? > > > > > > > > Thanks > > >

From stian at redhat.com Thu May 7 01:42:18 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 7 May 2015 01:42:18 -0400 (EDT) Subject: [keycloak-user] Disable SSL with keycloak-server.json In-Reply-To: References: Message-ID: <194798762.14369367.1430977338962.JavaMail.zimbra@redhat.com>

Disabling SSL on non-internal IP addresses is a terrible idea. If you really want to you can use SSH to open a tunnel to the instance so you can disable it through the admin console.

----- Original Message ----- > From: "Dean Peterson" > To: keycloak-user at lists.jboss.org > Sent: Monday, May 4, 2015 2:52:06 PM > Subject: [keycloak-user] Disable SSL with keycloak-server.json > > I am trying to deploy Keycloak with Docker on a headless Redhat Enterprise > Linux on Amazon's EC2. There is no way to sign in on the local host. I saw a > brief mention of allowing an entry in the keycloak-server.json file to > disable ssl but it does not appear that was ever implemented. Is there a way > to disable ssl without first needing to sign in to the master realm as > administrator?
From stian at redhat.com Thu May 7 06:27:43 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 7 May 2015 06:27:43 -0400 (EDT) Subject: [keycloak-user] Keycloak 1.2.0.CR1 Docker image Message-ID: <1511910813.14749155.1430994463892.JavaMail.zimbra@redhat.com>

Keycloak 1.2.0.CR1 Docker image is available on Docker Hub (https://registry.hub.docker.com/u/jboss/keycloak/)

From b.hansmann at alphaapps.de Thu May 7 07:32:14 2015 From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps]) Date: Thu, 07 May 2015 13:32:14 +0200 Subject: [keycloak-user] Deployment of 1.2.0.CR1 In-Reply-To: <549432504.14314842.1430973715600.JavaMail.zimbra@redhat.com> References: <1430846118.5642.23.camel@alphaapps.de> <549432504.14314842.1430973715600.JavaMail.zimbra@redhat.com> Message-ID: <1430998334.2388.10.camel@alphaapps.de>

On Thu, 2015-05-07 at 00:41 -0400, Stian Thorgersen wrote: > > ----- Original Message ----- > > From: "Benjamin Hansmann [alphaApps]" > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, May 5, 2015 7:15:18 PM > > Subject: [keycloak-user] Deployment of 1.2.0.CR1 > > > > Thanks for the release. I have questions regarding the new overlay > > distribution: > > > > 1 Wildfly adapter seems to be integrated in the overlay distribution, so > > no adapter installation is needed in this situation. Is this correct? > > Not in 1.2.0.Beta1, but we'll probably change this in the future so the overlay only contains server bits. In 1.2.0.CR1 I didn't need to install the adapter to make everything work. > > > > > 2 Section 3.1.2 (Install on existing WildFly 8.2.0.Final) of the > > documentation refers to the keycloak standalone server/appliance > > distribution. Is this intended? > > I can't see any reference to keycloak standalone server/appliance in section 3.1.2.
Can you copy/paste the relevant section? > Ok. The commands to start the server contain the path and configuration specific to the standalone distribution which implies that you are not using the overlay (if I didn't get it wrong): "To start Wildfly with Keycloak run: keycloak-1.2.0.CR1/bin/standalone.sh --server-config=standalone-keycloak.xml" > > > > 3 I merged the keycloak specific configuration from > > standalone-keycloak.xml into the standalone.xml of my existing wildfly > > installation. Am I supposed to deploy the keycloak-server-1.2.0.CR1.war > > manually as in previous versions? Section 3.4. (Installing Keycloak > > Server as Root Context) states that main-auth-server is the name of the > > Keycloak server as defined in the Keycloak subsystem. Can I use this > > name to deploy it without providing the full path even when not using it > > as the default-web-module? > > There is no WAR any more. Keycloak is deployed as a sub-system. > I had to add true auth to my keycloak subsystem section in standalone.xml to deploy the war which I think is this modules/system/layers/base/org/keycloak/keycloak-subsystem/main/auth-server/keycloak-server-1.2.0.CR1.war. Maybe I have a misunderstanding here. > > > > 4 Will there be maven artifacts for this release soon? > > Syncing to Maven central can take up to 24h after the release. It sucks, but nothing we can do about it :/ Thanks. It is available now.
> > > > > Best Regards > > Benjamin > > > > > > > >

-- [alphaApps] mobile development Benjamin Hansmann Nosthoffenstraße 46 D-40589 Düsseldorf Germany Mobile: +49 (0) 177 249 47 47 Email: b.hansmann at alphaapps.de

From stian at redhat.com Thu May 7 07:40:45 2015 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 7 May 2015 07:40:45 -0400 (EDT) Subject: [keycloak-user] Deployment of 1.2.0.CR1 In-Reply-To: <1430998334.2388.10.camel@alphaapps.de> References: <1430846118.5642.23.camel@alphaapps.de> <549432504.14314842.1430973715600.JavaMail.zimbra@redhat.com> <1430998334.2388.10.camel@alphaapps.de> Message-ID: <1372628300.14867110.1430998845545.JavaMail.zimbra@redhat.com>

----- Original Message ----- > From: "Benjamin Hansmann [alphaApps]" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, May 7, 2015 1:32:14 PM > Subject: Re: [keycloak-user] Deployment of 1.2.0.CR1 > > On Thu, 2015-05-07 at 00:41 -0400, Stian Thorgersen wrote: > > > > ----- Original Message ----- > > > From: "Benjamin Hansmann [alphaApps]" > > > To: keycloak-user at lists.jboss.org > > > Sent: Tuesday, May 5, 2015 7:15:18 PM > > > Subject: [keycloak-user] Deployment of 1.2.0.CR1 > > > > > > Thanks for the release. I have questions regarding the new overlay > > > distribution: > > > > > > 1 Wildfly adapter seems to be integrated in the overlay distribution, so > > > no adapter installation is needed in this situation. Is this correct? > > > > Not in 1.2.0.Beta1, but we'll probably change this in the future so the > > overlay only contains server bits. > In 1.2.0.CR1 I didn't need to install the adapter to make everything > work.
I meant in 1.2.0.Beta1 you don't need to install the adapter ;) > > > > > > > > > 2 Section 3.1.2 (Install on existing WildFly 8.2.0.Final) of the > > > documentation refers to the keycloak standalone server/appliance > > > distribution. Is this intended? > > > > I can't see any reference to keycloak standalone server/appliance in > > section 3.1.2. Can you copy/paste the relevant section? > > > Ok. The commands to start the server contain the path and configuration > specific to the standalone distribution which implies that you are not > using the overlay (if I didn't get it wrong): > > "To start Wildfly with Keycloak run: > keycloak-1.2.0.CR1/bin/standalone.sh > --server-config=standalone-keycloak.xml" I don't get what the problem is? 3.1.2 doesn't refer to server/appliance at all, and it states to start it using --server-config=standalone-keycloak.xml. > > > > > > > 3 I merged the keycloak specific configuration from > > > standalone-keycloak.xml into the standalone.xml of my existing wildfly > > > installation. Am I supposed to deploy the keycloak-server-1.2.0.CR1.war > > > manually as in previous versions? Section 3.4. (Installing Keycloak > > > Server as Root Context) states that main-auth-server is the name of the > > > Keycloak server as defined in the Keycloak subsystem. Can I use this > > > name to deploy it without providing the full path even when not using it > > > as the default-web-module? > > > > There's is no WAR any more. Keycloak is deployed as a sub-system. > > > I had to add > > true > auth > > to my keycloak subsystem section in standalone.xml to deploy the war > which I think is this > modules/system/layers/base/org/keycloak/keycloak-subsystem/main/auth-server/keycloak-server-1.2.0.CR1.war. > > Maybe I have a misunderstanding here. There's a problem in the docs which is fixed in master now. The elements you should copy from standalone-keycloak.xml to standalone.xml should include not (). 
BTW if you haven't done any changes to standalone.xml yourself, you can just copy standalone-keycloak.xml to standalone.xml. > > > > > > > 4 Will there be maven artifacts for this release soon? > > > > Syncing to Maven central can take up to 24h after the release. It sucks, > > but nothing we can do about it :/ > Thanks. It is available now. > > > > > > > > > Best Regards > > > Benjamin > > > > > > > > > > > > > > -- > > [alphaApps] mobile development > > Benjamin Hansmann > > Nosthoffenstraße 46 > D-40589 Düsseldorf > Germany > > Mobile: +49 (0) 177 249 47 47 > Email: b.hansmann at alphaapps.de > >

From b.hansmann at alphaapps.de Thu May 7 08:54:29 2015 From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps]) Date: Thu, 07 May 2015 14:54:29 +0200 Subject: [keycloak-user] Deployment of 1.2.0.CR1 In-Reply-To: <1372628300.14867110.1430998845545.JavaMail.zimbra@redhat.com> References: <1430846118.5642.23.camel@alphaapps.de> <549432504.14314842.1430973715600.JavaMail.zimbra@redhat.com> <1430998334.2388.10.camel@alphaapps.de> <1372628300.14867110.1430998845545.JavaMail.zimbra@redhat.com> Message-ID: <1431003269.2388.26.camel@alphaapps.de>

On Thu, 2015-05-07 at 07:40 -0400, Stian Thorgersen wrote: > > ----- Original Message ----- > > From: "Benjamin Hansmann [alphaApps]" > > To: "Stian Thorgersen" > > Cc: keycloak-user at lists.jboss.org > > Sent: Thursday, May 7, 2015 1:32:14 PM > > Subject: Re: [keycloak-user] Deployment of 1.2.0.CR1 > > > > On Thu, 2015-05-07 at 00:41 -0400, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > > > > From: "Benjamin Hansmann [alphaApps]" > > > > To: keycloak-user at lists.jboss.org > > > > Sent: Tuesday, May 5, 2015 7:15:18 PM > > > > Subject: [keycloak-user] Deployment of 1.2.0.CR1 > > > > > > > > Thanks for the release.
I have questions regarding the new overlay > > > > distribution: > > > > > > > > 1 Wildfly adapter seems to be integrated in the overlay distribution, so > > > > no adapter installation is needed in this situation. Is this correct? > > > > > > Not in 1.2.0.Beta1, but we'll probably change this in the future so the > > > overlay only contains server bits. > > In 1.2.0.CR1 I didn't need to install the adapter to make everything > > work. > > I meant in 1.2.0.Beta1 you don't need to install the adapter ;) > > > > > > > > > > > > > > 2 Section 3.1.2 (Install on existing WildFly 8.2.0.Final) of the > > > > documentation refers to the keycloak standalone server/appliance > > > > distribution. Is this intended? > > > > > > I can't see any reference to keycloak standalone server/appliance in > > > section 3.1.2. Can you copy/paste the relevant section? > > > > > Ok. The commands to start the server contain the path and configuration > > specific to the standalone distribution which implies that you are not > > using the overlay (if I didn't get it wrong): > > > > "To start Wildfly with Keycloak run: > > keycloak-1.2.0.CR1/bin/standalone.sh > > --server-config=standalone-keycloak.xml" > > I don't get what the problem is? 3.1.2 doesn't refer to server/appliance at all, and it states to start it using --server-config=standalone-keycloak.xml. 
To be specific, I mean the file /1.2.0/docbook/reference/en/en-US/modules/server-installation.xml should contain $WILDFLY_HOME instead of keycloak-&project.version;: 52c52 < keycloak-&project.version;/bin/standalone.sh --server-config=standalone-keycloak.xml --- > $WILDFLY_HOME/bin/standalone.sh --server-config=standalone-keycloak.xml 54c54 < keycloak-&project.version;/bin/standalone.bat --server-config=standalone-keycloak.xml --- > $WILDFLY_HOME/bin/standalone.bat --server-config=standalone-keycloak.xml > > > > > > > > > > 3 I merged the keycloak specific configuration from > > > > standalone-keycloak.xml into the standalone.xml of my existing wildfly > > > > installation. Am I supposed to deploy the keycloak-server-1.2.0.CR1.war > > > > manually as in previous versions? Section 3.4. (Installing Keycloak > > > > Server as Root Context) states that main-auth-server is the name of the > > > > Keycloak server as defined in the Keycloak subsystem. Can I use this > > > > name to deploy it without providing the full path even when not using it > > > > as the default-web-module? > > > > > > There's is no WAR any more. Keycloak is deployed as a sub-system. > > > > > I had to add > > > > true > > auth > > > > to my keycloak subsystem section in standalone.xml to deploy the war > > which I think is this > > modules/system/layers/base/org/keycloak/keycloak-subsystem/main/auth-server/keycloak-server-1.2.0.CR1.war. > > > > Maybe I have a misunderstanding here. > > There's a problem in the docs which is fixed in master now. The elements you should copy from standalone-keycloak.xml to standalone.xml should include not (). > > BTW if you haven't done any changes to standalone.xml yourself, you can just copy standalone-keycloak.xml to standalone.xml. > > > > > > > > > > > 4 Will there be maven artifacts for this release soon? > > > > > > Syncing to Maven central can take up to 24h after the release. It sucks, > > > but nothing we can do about it :/ > > Thanks. 
It is available now. > > > > > > > > > > > > > Best Regards > > > > Benjamin > > > >

From kalc04 at gmail.com Thu May 7 09:39:47 2015 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Thu, 7 May 2015 19:09:47 +0530 Subject: [keycloak-user] Infinispan Clustering Issue with TCP JGroups Stack Message-ID:

Hi, We're trying to have a clustered environment with two servers, and need Infinispan caches to work perfectly. We're using AWS servers for all our requirements, and they don't support multicasting. Hence the UDP option is out for us. So, as per the JIRA ticket KEYCLOAK-979, we have tried to continue with TCP instead. However we've had no success. Changes don't get synced between the servers. To configure TCPPING, we've referred both KEYCLOAK-979 ticket contents and http://middlewaremagic.com/jboss/?p=2015. We have enabled TCP communication in our VPC and have all the necessary ports open in our servers. We've followed the step given at http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering.html to setup Infinispan and related configs. What could we be doing wrong here? Any configuration we're missing? Thanks, Lohitha.
From peterson.dean at gmail.com Thu May 7 09:57:39 2015 From: peterson.dean at gmail.com (Dean Peterson) Date: Thu, 7 May 2015 08:57:39 -0500 Subject: [keycloak-user] Disable SSL with keycloak-server.json In-Reply-To: <194798762.14369367.1430977338962.JavaMail.zimbra@redhat.com> References: <194798762.14369367.1430977338962.JavaMail.zimbra@redhat.com> Message-ID:

I have an nginx load balancer that automatically gets configured sitting in front of everything but I wasn't able to configure SSL correctly for that. Instead, I enabled SSL on the Wildfly instance running in a container and just used the ip address and dynamic port of that container to log in. I am past the problem. Thanks!

On Thu, May 7, 2015 at 12:42 AM, Stian Thorgersen wrote: > Disabling SSL on non-internal IP addresses is a terrible idea. > > If you really want to you can use SSH to open a tunnel to the instance so > you can disable it through the admin console. > > ----- Original Message ----- > > From: "Dean Peterson" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, May 4, 2015 2:52:06 PM > > Subject: [keycloak-user] Disable SSL with keycloak-server.json > > > > I am trying to deploy Keycloak with Docker on a headless Redhat > Enterprise > > Linux on Amazon's EC2. There is no way to sign in on the local host. I > saw a > > brief mention of allowing an entry in the keycloak-server.json file to > > disable ssl but it does not appear that was ever implemented. Is there a > way > > to disable ssl without first needing to sign in to the master realm as > > administrator? > >
From mposolda at redhat.com Thu May 7 10:28:44 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 07 May 2015 16:28:44 +0200
Subject: [keycloak-user] Infinispan Clustering Issue with TCP JGroups Stack
In-Reply-To:
References:
Message-ID: <554B769C.1010807@redhat.com>

Hi,

once you start both nodes, do you have the message in the server.log as mentioned in the troubleshooting section: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/clustering.html#d4e2750 ?

Also I recall that for TCPPING you need to manually mention all the cluster nodes in the JGroups configuration of the TCPPING protocol. This needs to be done on both nodes AFAIR. Do you have it configured?

Marek

On 7.5.2015 15:39, Lohitha Chiranjeewa wrote:
> Hi,
>
> We're trying to have a clustered environment with two servers, and need Infinispan caches to work perfectly.
>
> We're using AWS servers for all our requirements, and they don't support multicasting. Hence the UDP option is out for us. So, as per the JIRA ticket KEYCLOAK-979, we have tried to continue with TCP instead. However we've had no success. Changes don't get synced between the servers.
>
> To configure TCPPING, we've referred both KEYCLOAK-979 ticket contents and http://middlewaremagic.com/jboss/?p=2015. We have enabled TCP communication in our VPC and have all the necessary ports open in our servers.
>
> We've followed the steps given at http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering.html to set up Infinispan and related configs.
>
> What could we be doing wrong here? Any configuration we're missing?
>
> Thanks,
> Lohitha.
From peterson.dean at gmail.com Thu May 7 10:37:17 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 7 May 2015 09:37:17 -0500
Subject: [keycloak-user] Keycloak still creates long ugly urls
In-Reply-To:
References:
Message-ID:

My clients are separate angularjs applications that use keycloak.js to communicate with Keycloak. The long urls are always present: when I redirect back to the main route after login and on every subsequent route change. I use the keycloak.js that automatically resides on the running Keycloak server rather than the downloadable version.

On Wed, May 6, 2015 at 9:32 AM, Dean Peterson wrote:

> I recently upgraded to the latest beta version of Keycloak expecting my long ugly url problem to go away:
>
> http://trade.abecorn.com/?redirect_fragment=%2F&code=ukqPsGX7F3ViiYdYgVjsDGE1v-4TGTqE-We0ksk1nzY.d2386c15-b402-4411-a94a-a175f0fc1334&state=2b84dfb8-0f10-4c15-9737-feb409d7bfb7#/
>
> Am I doing something wrong?

From stian at redhat.com Thu May 7 14:05:25 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 7 May 2015 14:05:25 -0400 (EDT)
Subject: [keycloak-user] Keycloak still creates long ugly urls
In-Reply-To:
References:
Message-ID: <2103851341.15175553.1431021925959.JavaMail.zimbra@redhat.com>

In that case you've got a problem. Keycloak.js strips off the code and redirect_fragment query params.

For AngularJS you need to let Keycloak.js do its thing before AngularJS bootstraps. This can be improved with a keycloak-angular module, but we haven't had time to do that. Otherwise Angular reverts the url after keycloak.js has stripped those off.
Have a look at https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js#L14 that's how we do it in the admin console.

----- Original Message -----
> From: "Dean Peterson"
> To: keycloak-user at lists.jboss.org, bburke at redhat.com
> Sent: Thursday, 7 May, 2015 4:37:17 PM
> Subject: Re: [keycloak-user] Keycloak still creates long ugly urls
>
> My clients are separate angularjs applications that use keycloak.js to communicate with Keycloak. The long urls are always present: when I redirect back to the main route after login and on every subsequent route change. I use the keycloak.js that automatically resides on the running Keycloak server rather than the downloadable version.
>
> On Wed, May 6, 2015 at 9:32 AM, Dean Peterson <peterson.dean at gmail.com> wrote:
>
> I recently upgraded to the latest beta version of Keycloak expecting my long ugly url problem to go away:
>
> http://trade.abecorn.com/?redirect_fragment=%2F&code=ukqPsGX7F3ViiYdYgVjsDGE1v-4TGTqE-We0ksk1nzY.d2386c15-b402-4411-a94a-a175f0fc1334&state=2b84dfb8-0f10-4c15-9737-feb409d7bfb7#/
>
> Am I doing something wrong?

From peterson.dean at gmail.com Thu May 7 14:12:26 2015
From: peterson.dean at gmail.com (Dean Peterson)
Date: Thu, 7 May 2015 13:12:26 -0500
Subject: [keycloak-user] Keycloak still creates long ugly urls
In-Reply-To: <2103851341.15175553.1431021925959.JavaMail.zimbra@redhat.com>
References: <2103851341.15175553.1431021925959.JavaMail.zimbra@redhat.com>
Message-ID:

That will work. Thanks!

On Thu, May 7, 2015 at 1:05 PM, Stian Thorgersen wrote:

> In that case you've got a problem. Keycloak.js strips off the code and redirect_fragment query params.
> For AngularJS you need to let Keycloak.js do its thing before AngularJS bootstraps. This can be improved with a keycloak-angular module, but we haven't had time to do that. Otherwise Angular reverts the url after keycloak.js has stripped those off.
>
> Have a look at https://github.com/keycloak/keycloak/blob/master/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js#L14 that's how we do it in the admin console.
>
> ----- Original Message -----
> > From: "Dean Peterson"
> > To: keycloak-user at lists.jboss.org, bburke at redhat.com
> > Sent: Thursday, 7 May, 2015 4:37:17 PM
> > Subject: Re: [keycloak-user] Keycloak still creates long ugly urls
> >
> > My clients are separate angularjs applications that use keycloak.js to communicate with Keycloak. The long urls are always present: when I redirect back to the main route after login and on every subsequent route change. I use the keycloak.js that automatically resides on the running Keycloak server rather than the downloadable version.
> >
> > On Wed, May 6, 2015 at 9:32 AM, Dean Peterson <peterson.dean at gmail.com> wrote:
> >
> > I recently upgraded to the latest beta version of Keycloak expecting my long ugly url problem to go away:
> >
> > http://trade.abecorn.com/?redirect_fragment=%2F&code=ukqPsGX7F3ViiYdYgVjsDGE1v-4TGTqE-We0ksk1nzY.d2386c15-b402-4411-a94a-a175f0fc1334&state=2b84dfb8-0f10-4c15-9737-feb409d7bfb7#/
> >
> > Am I doing something wrong?
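The behaviour Stian describes in the thread above, as an added example that is not part of the thread and is not code from keycloak.js or the admin console's app.js: the callback params (`code`, `state`, `redirect_fragment`) are consumed and the URL rebuilt, with the `state` check that must pass before the code is used, and the AngularJS app is started only from keycloak.js's success callback so the router never re-applies the dirty URL. The host `app.example.test`, the code and state values, and the name `redirect_fragment` (taken from the URL quoted in the thread) are constructed for the example; `keycloak.init()` returning an object with `.success()`/`.error()` is assumed to be the keycloak.js API of the time.

```javascript
'use strict';
// Added example: not keycloak.js and not the admin console's app.js. It models
// the two halves of the fix discussed in the thread in plain Node-runnable code:
//   1. consuming the authorization-code callback and rebuilding a clean URL;
//   2. starting the AngularJS app only after that has happened, so the router
//      never sees, and never re-applies, the dirty URL.

// Parameters the callback carries. `code`, `state`, `error` and
// `error_description` come from the OAuth 2.0 authorization response;
// `redirect_fragment` is the parameter keycloak.js uses to carry the app's own
// hash across the redirect (assumption: name taken from the URL quoted above).
const CALLBACK_PARAMS = ['code', 'state', 'error', 'error_description', 'redirect_fragment'];

// Parse a callback URL. Returns null if the URL is not a callback at all
// (neither `code` nor `error` present); otherwise the callback data plus the
// URL the address bar should be left with once the callback is consumed.
function parseCallback(href) {
  const url = new URL(href);
  const params = url.searchParams;
  if (!params.has('code') && !params.has('error')) return null;

  const cb = {
    code: params.get('code'),
    state: params.get('state'),
    error: params.get('error'),
    errorDescription: params.get('error_description'),
    redirectFragment: params.get('redirect_fragment'),
    cleanUrl: null,
  };
  for (const name of CALLBACK_PARAMS) params.delete(name);
  // Put the application's original route back ("#/" for the root route).
  if (cb.redirectFragment !== null) url.hash = cb.redirectFragment;
  cb.cleanUrl = url.href;
  return cb;
}

// Consume the callback the way a client library must: `state` has to equal the
// value generated before the redirect (the CSRF check of the authorization-code
// flow) before `code` is exchanged. The caller then replaces window.location
// with `cleanUrl` (history.replaceState) so the one-time code does not linger
// in browser history, bookmarks or Referer headers.
function consumeCallback(href, expectedState) {
  const cb = parseCallback(href);
  if (cb === null) return { status: 'not-a-callback', cleanUrl: href };
  if (cb.state === null || cb.state !== expectedState) {
    return { status: 'state-mismatch', cleanUrl: cb.cleanUrl };
  }
  if (cb.error !== null) return { status: 'error', error: cb.error, cleanUrl: cb.cleanUrl };
  return { status: 'ok', code: cb.code, cleanUrl: cb.cleanUrl };
}

// The ordering fix: initialise keycloak.js first and call angular.bootstrap
// from its success callback instead of letting Angular auto-bootstrap at page
// load. `keycloak.init()` returning an object with .success()/.error() is the
// keycloak.js API of the time (assumption); `startApp` is where
// angular.bootstrap(document, [...]) goes.
function bootstrapAfterAuth(keycloak, initOptions, startApp, onFailure) {
  return keycloak.init(initOptions)
    .success(function () { startApp(keycloak); })
    .error(onFailure);
}
```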
From b.hansmann at alphaapps.de Thu May 7 14:51:15 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Thu, 07 May 2015 20:51:15 +0200
Subject: [keycloak-user] Check to see if user exists with Admin REST API
Message-ID: <1431024675.13950.19.camel@alphaapps.de>

I hope this is my last question to this list :-)

I want to check if a user exists with a given username or email address from within an Android App while the user is typing.

Hence I want to provide a REST endpoint to let the app check. I am using the Admin REST API for backchannel requests to keycloak from within my servlet.

/admin/realms/{my-realm}/users/{username} (or the get(username) equivalent of admin-client) does not work for checking if the email address is already in use.

/admin/realms/{my-realm}/users?search={username} works for email, but it's greedy. I think "%" is added at the beginning and end of the query parameters before the database request, so that search hits are quasi guaranteed. E.g. if someone has a registered email address of john.smith at example.com and someone tries to register with smith at example.com or smith at example.com.br it is shown as already in use.

Any ideas? How is this solved in the web frontend? Maybe the Admin REST API endpoint should support username and email as path params when those two can be used to login?
Best Regards
Benjamin

From ah at magick.nu Thu May 7 15:58:14 2015
From: ah at magick.nu (Anton Hughes)
Date: Thu, 7 May 2015 21:58:14 +0200
Subject: [keycloak-user] Migrating custom user database to Keycloak
In-Reply-To: <550BD322.9030209@redhat.com>
References: <550B1D9A.6010901@redhat.com> <550BD322.9030209@redhat.com>
Message-ID:

On Fri, Mar 20, 2015 at 8:58 AM, Marek Posolda wrote:

> Yes, Keycloak also verifies during each authentication (or interaction with the UserModel) if the user still exists in your backend, and it's removed from the Keycloak DB if not.
>
> Normally a user is synced to the Keycloak DB after successful login (your step 4), but you can also sync all your users from your storage at once or set up periodic sync.

Hi Marek

Thanks for your help with this.
Ideally, what we would like is to have keycloak do all user-management - that is, migrate all users out of our custom application and store them in Keycloak.
This would slim down our application, and avoid having to write a custom provider.

Is this possible?

Thanks

--
Anton Hughes
Co-founder
ah at magick.nu
www.magick.nu

From eugene.chow.ct at gmail.com Thu May 7 23:29:39 2015
From: eugene.chow.ct at gmail.com (Eugene Chow)
Date: Fri, 8 May 2015 11:29:39 +0800
Subject: [keycloak-user] Batch import of accounts into Keycloak
In-Reply-To:
References:
Message-ID: <51C8A1F5-57FC-45CB-82DC-590BCC0C1E71@gmail.com>

Thanks Marek for the detailed explanation! I'll give it a shot.

> Hi,
>
> you first need to enable "Direct access grant" for the master realm. Then retrieve the token via a direct access grant request for the master realm, for example with the "security-admin-console" application. You can see some examples in the docs on how to do it: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/direct-access-grants.html .
> Use username/password of the admin user in the endpoint (admin/admin by default).
>
> Note that we have some more examples showing direct access grant (as pointed on that page in the docs) and especially that admin-client handles this for you, which is one of its big advantages.
>
> Then the REST endpoint for adding a user is here: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/rest-api/admin/realms/%7Brealm%7D/users/index.html#POST . For changing the password, you need to use the endpoint for "reset-password" and then use another endpoint for removing the required action from the user (as resetting the password will add this required action automatically).
>
> For more inspiration, you can also use the keycloak admin console and use some tool (for example Firebug in FF) to see which REST endpoints the admin console itself is using. Note that the admin console is an angular application, which invokes all these admin REST endpoints under the hood.
>
> Marek
>
> On 6.5.2015 17:26, Eugene Chow wrote:
>> Hi Marek,
>>
>> Thanks for the link. Looks like it came up shortly before I posted.
>>
>> I would like to first try the REST API as I can quickly whip up a BASH script to perform the batch import. In 1.2.0.CR1's REST API documentation, there doesn't seem to be an option to login as admin and get the token.
>>
>> Could you point out which URL I should call to login via curl on the CLI?
>>
>> Thanks!
>>
>> On 6/5/2015 10:33 PM, Marek Posolda wrote:
>>> Hi,
>>>
>>> we have some admin REST API documented and the operations you mentioned should be available there: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/rest-api/overview-index.html
>>>
>>> Maybe the easiest solution for you would be to use our admin-client, which allows you to easily invoke REST endpoints as java methods and handles obtaining the accessToken for admin authentication too. If your command-line has Java available, you can just run a simple Java program, which will use admin-client to invoke REST endpoints.
>>> The example for admin client is here: https://github.com/keycloak/keycloak/tree/master/examples/admin-client
>>>
>>> Marek
>>>
>>> On 5.5.2015 17:30, Eugene Chow wrote:
>>>> Hi,
>>>>
>>>> First of all, a big thank you to the developers for an SSO that's simple to use and a beautiful interface to boot.
>>>>
>>>> I'm running Keycloak for an app in development. For UAT purposes, I need to batch import accounts from a CSV file via the command-line. I'm looking for the REST API to login as admin, get token, create new account, update new acct's password, and then logout. I haven't found any documentation on this.
>>>>
>>>> If the REST API is not equipped for this purpose, what would be the correct method to bulk import users?
>>>>
>>>> Thanks!

From stian at redhat.com Fri May 8 01:17:08 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 8 May 2015 01:17:08 -0400 (EDT)
Subject: [keycloak-user] Migrating custom user database to Keycloak
In-Reply-To:
References: <550B1D9A.6010901@redhat.com> <550BD322.9030209@redhat.com>
Message-ID: <712785002.15439362.1431062228299.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Anton Hughes"
> To: "Marek Posolda"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, 7 May, 2015 9:58:14 PM
> Subject: Re: [keycloak-user] Migrating custom user database to Keycloak
>
> On Fri, Mar 20, 2015 at 8:58 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
> > Yes, Keycloak also verifies during each authentication (or interaction with the UserModel) if the user still exists in your backend, and it's removed from the Keycloak DB if not.
> >
> > Normally a user is synced to the Keycloak DB after successful login (your step 4), but you can also sync all your users from your storage at once or set up periodic sync.
> Hi Marek
>
> Thanks for your help with this.
> Ideally, what we would like is to have keycloak do all user-management - that is, migrate all users out of our custom application and store them in Keycloak.
> This would slim down our application, and avoid having to write a custom provider.
>
> Is this possible?

Yes, you've got two options atm:

* Export your users to a json file and import into Keycloak - in the future we want to be able to import users into an existing realm, but currently you have to create a new realm
* Use the admin rest api (or java admin client) to import users

> Thanks
>
> --
> Anton Hughes
> Co-founder
> ah at magick.nu
> www.magick.nu

From stian at redhat.com Fri May 8 01:21:56 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 8 May 2015 01:21:56 -0400 (EDT)
Subject: [keycloak-user] Check to see if user exists with Admin REST API
In-Reply-To: <1431024675.13950.19.camel@alphaapps.de>
References: <1431024675.13950.19.camel@alphaapps.de>
Message-ID: <1920246751.15439790.1431062516101.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Benjamin Hansmann [alphaApps]"
> To: "keycloak-user"
> Sent: Thursday, 7 May, 2015 8:51:15 PM
> Subject: [keycloak-user] Check to see if user exists with Admin REST API
>
> I hope this is my last question to this list :-)

That sounds very sinister, please don't go ;)

> I want to check if a user exists with a given username or email address from within an Android App while the user is typing.
>
> Hence I want to provide a REST endpoint to let the app check. I am using the Admin REST API for backchannel requests to keycloak from within my servlet.
> /admin/realms/{my-realm}/users/{username} (or the get(username) equivalent of admin-client) does not work for checking if the email address is already in use.
>
> /admin/realms/{my-realm}/users?search={username} works for email, but it's greedy. I think "%" is added at the beginning and end of the query parameters before the database request, so that search hits are quasi guaranteed. E.g. if someone has a registered email address of john.smith at example.com and someone tries to register with smith at example.com or smith at example.com.br it is shown as already in use.
>
> Any ideas? How is this solved in the web frontend? Maybe the Admin REST API endpoint should support username and email as path params when those two can be used to login?

I wouldn't hit Keycloak with these queries, especially not if you're expecting your app to have many users. I'd write an event listener provider and use that to write usernames and emails that are in use to your application database and query that instead.

> Best Regards
> Benjamin

From kalc04 at gmail.com Fri May 8 01:22:23 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Fri, 8 May 2015 10:52:23 +0530
Subject: [keycloak-user] Infinispan Clustering Issue with TCP JGroups Stack
In-Reply-To: <554B769C.1010807@redhat.com>
References: <554B769C.1010807@redhat.com>
Message-ID:

Hi Marek,

Yes we have both nodes mentioned in the TCPPING configuration, in both servers.
It looks like this (x.x.x.x and y.y.y.y being server public IPs):

x.x.x.x[7600],y.y.y.y[7600] 2 0 2000

We give node names when starting the servers by passing the following params:

./standalone.sh -c standalone-ha.xml -b x.x.x.x -Djboss.node.name=node1
./standalone.sh -c standalone-ha.xml -b y.y.y.y -Djboss.node.name=node2

However, once we start the servers, the two servers seem to detect only themselves and start working independently. In node1 it logs:

...
05:09:44,643 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups Channel
05:09:44,696 INFO [stdout] (MSC service thread 1-1)
05:09:44,697 INFO [stdout] (MSC service thread 1-1) -------------------------------------------------------------------
05:09:44,697 INFO [stdout] (MSC service thread 1-1) GMS: address=node1/keycloak, cluster=keycloak, physical address=0.0.0.0:7600
05:09:44,697 INFO [stdout] (MSC service thread 1-1) -------------------------------------------------------------------
05:09:46,779 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view: [node1/keycloak|0] (1) [node1/keycloak]
05:09:46,781 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Cache local address is node1/keycloak, physical addresses are [0.0.0.0:7600]
...

In node2 it's the same case with node1 replaced by node2 in the log.

Also, if we're doing an activity in node1, something similar to the following gets logged in that server, without any mention of node2 (and vice versa if the activity was done in node2):

...
05:09:57,280 DEBUG [org.infinispan.interceptors.InvalidationInterceptor] (MSC service thread 1-1) Cache [node1/keycloak] replicating InvalidateCommand{keys=[e2734aa6-e770-407a-b00a-1915105ea586]}
05:09:57,281 DEBUG [org.infinispan.interceptors.InvalidationInterceptor] (MSC service thread 1-1) Cache [node1/keycloak] replicating InvalidateCommand{keys=[ebb4d88a-a364-4ec1-bd7c-48572ac762af]}
05:09:57,283 DEBUG [org.infinispan.interceptors.InvalidationInterceptor] (MSC service thread 1-1) Cache [node1/keycloak] replicating InvalidateCommand{keys=[9658becc-34e4-4fd1-817c-46b3b9ad4c7f]}
...

Could you determine if we're doing something wrong here?

Thanks,
Lohitha.

On Thu, May 7, 2015 at 7:58 PM, Marek Posolda wrote:

> Hi,
>
> once you start both nodes, do you have the message in the server.log as mentioned in the troubleshooting section: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/clustering.html#d4e2750 ?
>
> Also I recall that for TCPPING you need to manually mention all the cluster nodes in the JGroups configuration of the TCPPING protocol. This needs to be done on both nodes AFAIR. Do you have it configured?
>
> Marek
>
> On 7.5.2015 15:39, Lohitha Chiranjeewa wrote:
> > Hi,
> >
> > We're trying to have a clustered environment with two servers, and need Infinispan caches to work perfectly.
> >
> > We're using AWS servers for all our requirements, and they don't support multicasting. Hence the UDP option is out for us. So, as per the JIRA ticket KEYCLOAK-979, we have tried to continue with TCP instead. However we've had no success. Changes don't get synced between the servers.
> >
> > To configure TCPPING, we've referred both KEYCLOAK-979 ticket contents and http://middlewaremagic.com/jboss/?p=2015. We have enabled TCP communication in our VPC and have all the necessary ports open in our servers.
> > We've followed the steps given at http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering.html to set up Infinispan and related configs.
> >
> > What could we be doing wrong here? Any configuration we're missing?
> >
> > Thanks,
> > Lohitha.

From stian at redhat.com Fri May 8 01:25:41 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 8 May 2015 01:25:41 -0400 (EDT)
Subject: [keycloak-user] Infinispan Clustering Issue with TCP JGroups Stack
In-Reply-To: <554B769C.1010807@redhat.com>
References: <554B769C.1010807@redhat.com>
Message-ID: <664869249.15440059.1431062741125.JavaMail.zimbra@redhat.com>

Try Googling for "Infinispan AWS", or the Infinispan user forum http://infinispan.org/community/. I would expect you need to do configuration specific to AWS to get it to work there.

----- Original Message -----
> From: "Marek Posolda"
> To: "Lohitha Chiranjeewa", keycloak-user at lists.jboss.org
> Sent: Thursday, 7 May, 2015 4:28:44 PM
> Subject: Re: [keycloak-user] Infinispan Clustering Issue with TCP JGroups Stack
>
> Hi,
>
> once you start both nodes, do you have the message in the server.log as mentioned in the troubleshooting section: http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/clustering.html#d4e2750 ?
>
> Also I recall that for TCPPING you need to manually mention all the cluster nodes in the JGroups configuration of the TCPPING protocol. This needs to be done on both nodes AFAIR. Do you have it configured?
>
> Marek
>
> On 7.5.2015 15:39, Lohitha Chiranjeewa wrote:
> > Hi,
> >
> > We're trying to have a clustered environment with two servers, and need Infinispan caches to work perfectly.
> >
> > We're using AWS servers for all our requirements, and they don't support multicasting. Hence the UDP option is out for us. So, as per the JIRA ticket KEYCLOAK-979, we have tried to continue with TCP instead. However we've had no success. Changes don't get synced between the servers.
> >
> > To configure TCPPING, we've referred both KEYCLOAK-979 ticket contents and http://middlewaremagic.com/jboss/?p=2015 . We have enabled TCP communication in our VPC and have all the necessary ports open in our servers.
> >
> > We've followed the steps given at http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering.html to set up Infinispan and related configs.
> >
> > What could we be doing wrong here? Any configuration we're missing?
> >
> > Thanks,
> > Lohitha.

From stian at redhat.com Fri May 8 01:58:18 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 8 May 2015 01:58:18 -0400 (EDT)
Subject: [keycloak-user] Keycloak 1.2.0.CR1 OpenShift Cartridge released
Message-ID: <54921065.15445315.1431064698977.JavaMail.zimbra@redhat.com>

OpenShift Cartridge has been updated to 1.2.0.CR1

From b.hansmann at alphaapps.de Fri May 8 05:44:29 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Fri, 08 May 2015 11:44:29 +0200
Subject: [keycloak-user] Check to see if user exists with Admin REST API
In-Reply-To: <1920246751.15439790.1431062516101.JavaMail.zimbra@redhat.com>
References:
<1431024675.13950.19.camel@alphaapps.de> <1920246751.15439790.1431062516101.JavaMail.zimbra@redhat.com>
Message-ID: <1431078269.2196.4.camel@alphaapps.de>

On Fri, 2015-05-08 at 01:21 -0400, Stian Thorgersen wrote:
>
> ----- Original Message -----
> > From: "Benjamin Hansmann [alphaApps]"
> > To: "keycloak-user"
> > Sent: Thursday, 7 May, 2015 8:51:15 PM
> > Subject: [keycloak-user] Check to see if user exists with Admin REST API
> >
> > I hope this is my last question to this list :-)
>
> That sounds very sinister, please don't go ;)
>
> > I want to check if a user exists with a given username or email address from within an Android App while the user is typing.
> >
> > Hence I want to provide a REST endpoint to let the app check. I am using the Admin REST API for backchannel requests to keycloak from within my servlet.
> >
> > /admin/realms/{my-realm}/users/{username} (or the get(username) equivalent of admin-client) does not work for checking if the email address is already in use.
> >
> > /admin/realms/{my-realm}/users?search={username} works for email, but it's greedy. I think "%" is added at the beginning and end of the query parameters before the database request, so that search hits are quasi guaranteed. E.g. if someone has a registered email address of john.smith at example.com and someone tries to register with smith at example.com or smith at example.com.br it is shown as already in use.
> >
> > Any ideas? How is this solved in the web frontend? Maybe the Admin REST API endpoint should support username and email as path params when those two can be used to login?
>
> I wouldn't hit Keycloak with these queries, especially not if you're expecting your app to have many users. I'd write an event listener provider and use that to write usernames and emails that are in use to your application database and query that instead.
>

Thanks Stian.
If I do that, maybe I should write a User Federation Provider upfront and store the users in my db. Do you think this is a better option than creating users via the admin rest API?

I still wouldn't have a feature to trigger verification emails, right? I am doing it with a dirty workaround to login the user with apache httpclient once to trigger it now.

> > Best Regards
> > Benjamin

From stian at redhat.com Fri May 8 07:20:39 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 8 May 2015 07:20:39 -0400 (EDT)
Subject: [keycloak-user] Check to see if user exists with Admin REST API
In-Reply-To: <1431078269.2196.4.camel@alphaapps.de>
References: <1431024675.13950.19.camel@alphaapps.de> <1920246751.15439790.1431062516101.JavaMail.zimbra@redhat.com> <1431078269.2196.4.camel@alphaapps.de>
Message-ID: <1704082891.15547076.1431084039992.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Benjamin Hansmann [alphaApps]"
> To: "Stian Thorgersen"
> Cc: "keycloak-user"
> Sent: Friday, 8 May, 2015 11:44:29 AM
> Subject: Re: [keycloak-user] Check to see if user exists with Admin REST API
>
> On Fri, 2015-05-08 at 01:21 -0400, Stian Thorgersen wrote:
> >
> > ----- Original Message -----
> > > From: "Benjamin Hansmann [alphaApps]"
> > > To: "keycloak-user"
> > > Sent: Thursday, 7 May, 2015 8:51:15 PM
> > > Subject: [keycloak-user] Check to see if user exists with Admin REST API
> > >
> > > I hope this is my last question to this list :-)
> >
> > That sounds very sinister, please don't go ;)
> >
> > > I want to check if a user exists with a given username or email address from within an Android App while the user is typing.
> > >
> > > Hence I want to provide a REST endpoint to let the app check.
> > > I am using the Admin REST API for backchannel requests to keycloak from within my servlet.
> > >
> > > /admin/realms/{my-realm}/users/{username} (or the get(username) equivalent of admin-client) does not work for checking if the email address is already in use.
> > >
> > > /admin/realms/{my-realm}/users?search={username} works for email, but it's greedy. I think "%" is added at the beginning and end of the query parameters before the database request, so that search hits are quasi guaranteed. E.g. if someone has a registered email address of john.smith at example.com and someone tries to register with smith at example.com or smith at example.com.br it is shown as already in use.
> > >
> > > Any ideas? How is this solved in the web frontend? Maybe the Admin REST API endpoint should support username and email as path params when those two can be used to login?
> >
> > I wouldn't hit Keycloak with these queries, especially not if you're expecting your app to have many users. I'd write an event listener provider and use that to write usernames and emails that are in use to your application database and query that instead.
> >
>
> Thanks Stian. If I do that, maybe I should write a User Federation Provider upfront and store the users in my db. Do you think this is a better option than creating users via the admin rest API?

I'd go for the event listener approach personally as it's much simpler if all you want is a list of usernames and emails, but you can also do the same through the user federation spi.

> I still wouldn't have a feature to trigger verification emails, right? I am doing it with a dirty workaround to login the user with apache httpclient once to trigger it now.

Dunno what you mean about verification emails, those are sent when the user first logs in if the realm requires it.
> > > Best Regards
> > > Benjamin

From ah at magick.nu Fri May 8 11:16:59 2015
From: ah at magick.nu (Anton Hughes)
Date: Fri, 8 May 2015 17:16:59 +0200
Subject: [keycloak-user] Migrating custom user database to Keycloak
In-Reply-To: <712785002.15439362.1431062228299.JavaMail.zimbra@redhat.com>
References: <550B1D9A.6010901@redhat.com> <550BD322.9030209@redhat.com> <712785002.15439362.1431062228299.JavaMail.zimbra@redhat.com>
Message-ID:

Thanks Stian

On Fri, May 8, 2015 at 7:17 AM, Stian Thorgersen wrote:

> Yes, you've got two options atm:
>
> * Export your users to a json file and import into Keycloak - in the future we want to be able to import users into an existing realm, but currently you have to create a new realm

It's no problem creating a realm. Is there an example of importing users from a json file? Or can you point me to documentation for this?

> * Use the admin rest api (or java admin client) to import users

Thanks again

--

From Thomas.LaPorte at dreamworks.com Fri May 8 13:41:47 2015
From: Thomas.LaPorte at dreamworks.com (Thomas LaPorte)
Date: Fri, 8 May 2015 10:41:47 -0700
Subject: [keycloak-user] Keycloak as OpenID Connect Identity Provider?
Message-ID:

Can Keycloak act as an OpenID Connect Identity Provider?

I'm only just getting an understanding of some of the various protocols and standards in this world, but I'm working from a set of developers' specs for a software project and one thing that they list is to use OpenID Connect. I can see from Chapter 9 of the Documentation how to configure the Identity Broker for various types of Identity Providers.
But I can't find anything that suggests that Keycloak can act as the Identity Provider for OpenID Connect. I fear I might be missing something obvious.

The information on the OpenID.net site ( http://openid.net/developers/libraries/ ) lists Keycloak, but it does not have details on whether it can only act as a Relying Party, or if it can also act as an Identity Provider.

Any thoughts or pointers to something I'm missing in the docs would be appreciated.

Thanks.

-- Tom

From leonardo.zanivan at gmail.com Sat May 9 16:40:51 2015
From: leonardo.zanivan at gmail.com (Leonardo Loch Zanivan)
Date: Sat, 09 May 2015 20:40:51 +0000
Subject: [keycloak-user] Get message for ModelException in admin-client
In-Reply-To: <554A5F76.30805@redhat.com>
References: <1430932190.4814.7.camel@alphaapps.de> <554A5F76.30805@redhat.com>
Message-ID:

I'll work on that next week..

Thanks!

On Wed, May 6, 2015 at 3:37 PM Marek Posolda wrote:

> +1 for JIRA. Also feel free to send PR as you already nailed it down and
> you already sent some PRs :-)
>
> By the way, thanks for them.
>
> It seems that generally we should improve on handling errors from admin
> REST endpoints. Ideally you can handle the error response similarly like
> it's done here:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L771
> . Then on admin-client side, you can catch ClientErrorException and see the
> error message for example like done here:
> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L49
>
> Thanks,
> Marek
>
>
> On 6.5.2015 19:31, Leonardo Loch Zanivan wrote:
>
> Unfortunately I think it's not possible right now.
>
> Admin client uses Admin REST API, which isn't handling errors correctly.
>
> If you try to reset a password using Admin interface you will get a
> generic error 500 saying "Failed to reset user password".
>
> In the server the stacktrace shows:
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> org.keycloak.models.ModelException: invalidPasswordMinLengthMessage
>
> We could file a JIRA to handle ModelException using JAX-RS exception
> handlers, so the response will have the correct error and we could show a
> better error message.
>
> On Wed, May 6, 2015 at 2:10 PM Benjamin Hansmann [alphaApps] <
> b.hansmann at alphaapps.de> wrote:
>
>> Is one able to get an error message from the resetPassword method of
>> admin-client if it somehow failed to reset the password, like when the
>> password is too short or does not comply with the password policy?
>>
>> It throws an InternalServerErrorException in that case. On the server
>> side there seems to be a ModelException:
>> invalidPasswordMinLengthMessage. That information is lost...
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From stian at redhat.com Mon May 11 01:45:54 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Mon, 11 May 2015 01:45:54 -0400 (EDT)
Subject: [keycloak-user] Keycloak as OpenID Connect Identity Provider?
In-Reply-To:
References:
Message-ID: <1870240756.16424097.1431323154071.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Thomas LaPorte"
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 8 May, 2015 7:41:47 PM
> Subject: [keycloak-user] Keycloak as OpenID Connect Identity Provider?
>
> Can Keycloak act as an OpenID Connect Identity Provider?

Yes

>
> I'm only just getting an understanding of some of the various protocols and
> standards in this world, but I'm working from a set of developers' specs for
> a software project and one thing that they list is to use OpenID Connect.
>
> I can see from Chapter 9 of the Documentation how to configure the Identity
> Broker for various types of Identity Providers. But I can't find anything
> that suggests that Keycloak can act as the Identity Provider for OpenID
> Connect. I fear I might be missing something obvious.
>
> The information on the OpenID.net site (
> http://openid.net/developers/libraries/ ) lists Keycloak, but it does not
> have details on whether it can only act as a Relying Party, or if it can
> also act as an Identity Provider.
>
> Any thoughts or pointers to something I'm missing in the docs would be
> appreciated.
>
> Thanks.
>
> -- Tom
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon May 11 05:26:07 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 11 May 2015 11:26:07 +0200
Subject: [keycloak-user] Migrating custom user database to Keycloak
In-Reply-To:
References: <550B1D9A.6010901@redhat.com> <550BD322.9030209@redhat.com> <712785002.15439362.1431062228299.JavaMail.zimbra@redhat.com>
Message-ID: <555075AF.4090705@redhat.com>

On 8.5.2015 17:16, Anton Hughes wrote:
> Thanks Stian
>
> On Fri, May 8, 2015 at 7:17 AM, Stian Thorgersen wrote:
>
>
>     Yes, you've got two options atm:
>
>     * Export your users to a json file and import into Keycloak - in
>     the future we want to be able to import users into existing realm,
>     but currently you have to create a new realm
>
>
> It's no problem creating a realm. Is there an example of importing
> users from a json file? Or can you point me to documentation for this?

You can see some documentation for export/import here http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/export-import.html . You can first try to create some example realm with few users, then export it and then re-import it to see how it works and what the format of the file is.

However the tricky part for migrating users from external system to Keycloak DB is user passwords. You will be able to import user passwords to Keycloak DB just if you know them in plain-text or if you use PBKDF2 to store them in your current DB like we are using in Keycloak. In this case you will need to add hash + salt + number of iterations (you will need to know these from your DB) for each user password similarly like you can see in the file previously exported from Keycloak DB. That's why using federation and implementing your FederationProvider might be a better approach.
Marek

>
>     * Use the admin rest api (or java admin client) to import users
>
>
> Thanks again
>
>
>
> --
>

From kalc04 at gmail.com Mon May 11 08:48:14 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 11 May 2015 18:18:14 +0530
Subject: [keycloak-user] Infinispan Clustering Issue with TCP JGroups Stack
In-Reply-To: <664869249.15440059.1431062741125.JavaMail.zimbra@redhat.com>
References: <554B769C.1010807@redhat.com> <664869249.15440059.1431062741125.JavaMail.zimbra@redhat.com>
Message-ID:

Hi,

We found out the cause for the problem, it was a configuration that clashed with the Infinispan configs. Basically we had set the 'management' and 'public' interfaces to 'any-address' for our convenience earlier, and it had made the Wildfly server ignore the bind address we were providing. Instead it was taking 0.0.0.0 as the bind address every time, making Infinispan unable to identify its peers.

Now it's sorted. Thanks for the support.

Regards,
Lohitha

On Fri, May 8, 2015 at 10:55 AM, Stian Thorgersen wrote:

> Try Googling for "Infinispan AWS", or Infinispan user forum
> http://infinispan.org/community/.
>
> I would expect you need to do configuration specific to AWS to get it to
> work there.
>
> ----- Original Message -----
> > From: "Marek Posolda"
> > To: "Lohitha Chiranjeewa" , keycloak-user at lists.jboss.org
> > Sent: Thursday, 7 May, 2015 4:28:44 PM
> > Subject: Re: [keycloak-user] Infinispan Clustering Issue with TCP JGroups Stack
> >
> > Hi,
> >
> > once you start both nodes, do you have the message in the server.log as
> > mentioned in the troubleshooting section:
> > http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/clustering.html#d4e2750
> > ?
> >
> > Also I recall that for TCPPING you need to manually mention all the cluster
> > nodes in the JGroups configuration of TCPPING protocol. This needs to be
> > done on both nodes AFAIR. Do you have it configured?
> >
> > Marek
> >
> > On 7.5.2015 15:39, Lohitha Chiranjeewa wrote:
> >
> >
> > Hi,
> >
> > We're trying to have a clustered environment with two servers, and need
> > Infinispan caches to work perfectly.
> >
> > We're using AWS servers for all our requirements, and they don't support
> > multicasting. Hence the UDP option is out for us. So, as per the JIRA ticket
> > KEYCLOAK-979, we have tried to continue with TCP instead. However we've had
> > no success. Changes don't get synced between the servers.
> >
> > To configure TCPPING, we've referred both KEYCLOAK-979 ticket contents and
> > http://middlewaremagic.com/jboss/?p=2015 . We have enabled TCP communication
> > in our VPC and have all the necessary ports open in our servers.
> >
> > We've followed the step given at
> > http://docs.jboss.org/keycloak/docs/1.2.0.Beta1/userguide/html/clustering.html
> > to setup Infinispan and related configs.
> >
> > What could we be doing wrong here? Any configuration we're missing?
> >
> >
> > Thanks,
> > Lohitha.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
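Lohitha's diagnosis above, written out as configuration: the 'any-address' interface binding that made every node bind 0.0.0.0, beside the corrected per-node binding, plus a TCP stack with every cluster member listed in TCPPING as Marek recommends. This is an added example, not configuration from the thread or from the Keycloak project; it assumes the WildFly 8.x schema versions, and the addresses and ports are constructed placeholders.

```xml
<!-- Added example: standalone-ha.xml fragments, not taken from the thread.
     Schema versions assume WildFly 8.x; addresses and ports are placeholders. -->

<!-- BEFORE (the clash Lohitha describes): any-address on management and
     public makes the server ignore the bind address you pass in and bind
     0.0.0.0, so each JGroups member advertises an address its peers cannot
     reach. It also exposes the management interface on every NIC. -->
<interfaces>
    <interface name="management">
        <any-address/>
    </interface>
    <interface name="public">
        <any-address/>
    </interface>
</interfaces>

<!-- AFTER: one explicit address per node, overridable from the command line.
     Management stays on loopback (or an admin-only network); cluster traffic
     gets its own "private" interface so it never shares the public one. -->
<interfaces>
    <interface name="management">
        <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
    </interface>
    <interface name="public">
        <inet-address value="${jboss.bind.address:10.0.1.11}"/>
    </interface>
    <interface name="private">
        <inet-address value="${jboss.bind.address.private:10.0.1.11}"/>
    </interface>
</interfaces>

<socket-binding-group name="standard-sockets" default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    <!-- JGroups sockets bind the private interface, not the public one -->
    <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
    <socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/>
</socket-binding-group>

<!-- TCP stack for a network without multicast (AWS): TCPPING needs every
     member listed in initial_hosts, and the same list on every node.
     10.0.1.11 and 10.0.1.12 are the two constructed node addresses. -->
<subsystem xmlns="urn:jboss:domain:jgroups:2.0" default-stack="tcp">
    <stack name="tcp">
        <transport type="TCP" socket-binding="jgroups-tcp"/>
        <protocol type="TCPPING">
            <property name="initial_hosts">10.0.1.11[7600],10.0.1.12[7600]</property>
            <property name="port_range">0</property>
            <property name="num_initial_members">2</property>
            <property name="timeout">3000</property>
        </protocol>
        <protocol type="MERGE2"/>
        <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
        <protocol type="FD"/>
        <protocol type="VERIFY_SUSPECT"/>
        <protocol type="pbcast.NAKACK2"/>
        <protocol type="UNICAST3"/>
        <protocol type="pbcast.STABLE"/>
        <protocol type="pbcast.GMS"/>
        <protocol type="MFC"/>
        <protocol type="FRAG2"/>
        <protocol type="RSVP"/>
    </stack>
</subsystem>
```

After both nodes start, the cluster-view message that the troubleshooting section Marek links to describes should list both members in server.log; if it lists only one, check the bound address before anything else.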
From lkrzyzan at redhat.com Mon May 11 14:27:01 2015
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Mon, 11 May 2015 20:27:01 +0200
Subject: [keycloak-user] Missing artifact in maven central - org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1
In-Reply-To: <643205323.14315616.1430974039317.JavaMail.zimbra@redhat.com>
References: <0B8657D9-29B0-4C2B-9166-5A35F8969B97@redhat.com> <643205323.14315616.1430974039317.JavaMail.zimbra@redhat.com>
Message-ID:

Cool. Thanks.

Libor Krzyžanek
jboss.org Development Team

> On 07 May 2015, at 06:47, Stian Thorgersen wrote:
>
> Fixed and will be included in 1.2.0.Final release (https://issues.jboss.org/browse/KEYCLOAK-1279)
>
> ----- Original Message -----
>> From: "Libor Krzyžanek"
>> To: "keycloak-user"
>> Sent: Wednesday, May 6, 2015 9:11:58 AM
>> Subject: [keycloak-user] Missing artifact in maven central - org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1
>>
>> Hi there,
>> my project depends on keycloak-server-overlay
>>
>> <dependency>
>>     <groupId>org.keycloak</groupId>
>>     <artifactId>keycloak-server-overlay</artifactId>
>>     <version>1.2.0.CR1</version>
>>     <type>zip</type>
>> </dependency>
>>
>> See
>> http://central.maven.org/maven2/org/keycloak/keycloak-server-overlay/1.2.0.CR1/keycloak-server-overlay-1.2.0.CR1.pom
>>
>> I'm not able to build it because this transitive dependency is missing in
>> repo: org.keycloak:keycloak-jboss-modules:zip:1.2.0.CR1
>>
>> Workaround is to build it locally from KC sources.
>>
>> Can you upload it to maven central repo please?
>>
>> Thanks,
>>
>> Libor Krzyžanek
>> jboss.org Development Team
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
From niko at n-k.de Tue May 12 04:24:22 2015
From: niko at n-k.de (Niko Köbler)
Date: Tue, 12 May 2015 10:24:22 +0200
Subject: [keycloak-user] Change username?
Message-ID: <53458C9B-1469-47FC-A81A-570AB6C67099@n-k.de>

Hi,

is there any possibility to change the user's username?

The UI doesn't provide a possibility (field is readonly) and via REST-Admin-API a changed username is ignored when updating the user.
I understand that this is not easy to handle and maybe the username is a primary/unique key in the datastore.

(But) we have the requirement that it must be possible to change the user's username.
So, is there any possibility/workaround for this?

Regards,
- Niko

From stian at redhat.com Tue May 12 04:36:50 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 12 May 2015 04:36:50 -0400 (EDT)
Subject: [keycloak-user] Change username?
In-Reply-To: <53458C9B-1469-47FC-A81A-570AB6C67099@n-k.de>
References: <53458C9B-1469-47FC-A81A-570AB6C67099@n-k.de>
Message-ID: <1205055747.17489238.1431419810138.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Niko Köbler"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, 12 May, 2015 10:24:22 AM
> Subject: [keycloak-user] Change username?
>
> Hi,
>
> is there any possibility to change the user's username?
>
> The UI doesn't provide a possibility (field is readonly) and via
> REST-Admin-API a changed username is ignored when updating the user.
> I understand that this is not easy to handle and maybe the username is a
> primary/unique key in the datastore.
>
> (But) we have the requirement that it must be possible to change the user's
> username.
> So, is there any possibility/workaround for this?

Username isn't a primary key and it's been designed to handle this, but we haven't implemented it yet so neither admin console nor account management provides this option currently.
Please create a jira feature request and we can see when we get time to implement it.

>
> Regards,
> - Niko
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kalinga at leapset.com Tue May 12 04:43:27 2015
From: kalinga at leapset.com (Kalinga Dissanayake)
Date: Tue, 12 May 2015 14:13:27 +0530 (IST)
Subject: [keycloak-user] User attributes in ID Token using protocol mappers
In-Reply-To: <1430869742.28338026@apps.rackspace.com>
References: <1430836684.06481955@apps.rackspace.com> <5548DE93.8060508@redhat.com> <5548E005.30800@redhat.com> <1430869742.28338026@apps.rackspace.com>
Message-ID: <1431420207.09322262@apps.rackspace.com>

Sorted! Thanks.

Upgraded all the related components to 1.2.0. Played around with the configurations on the protocol mappings and it worked fine.

Regards,
Kalinga

-----Original Message-----
From: "Kalinga Dissanayake"
Sent: Wednesday, May 6, 2015 5:19am
To: "Marek Posolda"
Cc: "Bill Burke" , keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] User attributes in ID Token using protocol mappers

I am using 1.2.0 Beta version of keycloak. Hmm...Let me try again and see how it goes.

Regards,
Kalinga

-----Original Message-----
From: "Marek Posolda"
Sent: Tuesday, May 5, 2015 8:51pm
To: "Bill Burke" , keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] User attributes in ID Token using protocol mappers

+1 for combining them. Or maybe UserPropertyMapper could display the combobox with the available properties from UserModel? As those could be retrieved by reflection.

Marek

On 5.5.2015 17:15, Bill Burke wrote:
> There is a UserProperty mapper and a UserAttribute mapper. Use the
> "UserAttribute" mapper. Maybe that's it? UserProperty looks for get
> methods on UserModel. Meh, this was probably a bad idea. Should
> probably have just combined them.
>
> On 5/5/2015 10:38 AM, Kalinga Dissanayake wrote:
>> Is it possible to return a user attribute in the ID token using protocol
>> mappers?
>>
>> I have a user that has a custom attribute called "accountId" and a value
>> is assigned to it. I checked in the USER_ATTRIBUTE table (mysql) and the
>> values are properly assigned.
>>
>> I created a protocol mapper. In that I set the protocol type as "User
>> Attribute" and entered the key "accountId" as both the User Attribute
>> and Token Claim Name and switched on both "Add to ID Token" and "Add to
>> Access Token".
>>
>> I simply can't get this accountID attribute value returned in the ID
>> Token nor Access Token.
>>
>> Basically I need to return the user attributes in the ID Token / Access
>> Token. Is it possible?
>>
>> Regards,
>>
>> Kalinga
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From niko at n-k.de Tue May 12 05:22:35 2015
From: niko at n-k.de (Niko Köbler)
Date: Tue, 12 May 2015 11:22:35 +0200
Subject: [keycloak-user] Change username?
In-Reply-To: <1205055747.17489238.1431419810138.JavaMail.zimbra@redhat.com>
References: <53458C9B-1469-47FC-A81A-570AB6C67099@n-k.de> <1205055747.17489238.1431419810138.JavaMail.zimbra@redhat.com>
Message-ID: <2564A537-CEC0-42A9-9DE4-CFB96D668D92@n-k.de>

Done: https://issues.jboss.org/browse/KEYCLOAK-1305

Thanks.
> On 12.05.2015 at 10:36, Stian Thorgersen wrote:
>
>
>
> ----- Original Message -----
>> From: "Niko Köbler"
>> To: keycloak-user at lists.jboss.org
>> Sent: Tuesday, 12 May, 2015 10:24:22 AM
>> Subject: [keycloak-user] Change username?
>>
>> Hi,
>>
>> is there any possibility to change the user's username?
>>
>> The UI doesn't provide a possibility (field is readonly) and via
>> REST-Admin-API a changed username is ignored when updating the user.
>> I understand that this is not easy to handle and maybe the username is a
>> primary/unique key in the datastore.
>>
>> (But) we have the requirement that it must be possible to change the user's
>> username.
>> So, is there any possibility/workaround for this?
>
> Username isn't a primary key and it's been designed to handle this, but we haven't implemented it yet so neither admin console nor account management provides this option currently.
>
> Please create a jira feature request and we can see when we get time to implement it.
>
>>
>> Regards,
>> - Niko
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thorsten315 at gmx.de Tue May 12 17:37:47 2015
From: thorsten315 at gmx.de (Thorsten)
Date: Tue, 12 May 2015 23:37:47 +0200
Subject: [keycloak-user] Import IDP config from URL not working?
Message-ID:

I tried to import the basic IDP config for a custom "OpenID Connect v1.0" provider from the published Google autoconf URL:
https://accounts.google.com/.well-known/openid-configuration

The URLs are picked up fine but there seem to be two issues:

1.) the "Issuer" is imported as "https://accounts.google.com" when it should be "accounts.google.com"
2.) the public validation keys are not imported correctly.
They always produce

12:09:40,416 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-17) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: token signature validation failed
	at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:286)

when authentication is being performed.

Are these bugs or is the published discovery document from Google not standard compliant?

Thanks

From leonardo.zanivan at gmail.com Tue May 12 17:54:31 2015
From: leonardo.zanivan at gmail.com (Leonardo Loch Zanivan)
Date: Tue, 12 May 2015 21:54:31 +0000
Subject: [keycloak-user] Get message for ModelException in admin-client
In-Reply-To:
References: <1430932190.4814.7.camel@alphaapps.de> <554A5F76.30805@redhat.com>
Message-ID:

I've created a generic exception mapper for REST API but also specialized for ModelException to return correct internationalized message.

JIRA: https://issues.jboss.org/browse/KEYCLOAK-1306
PR: https://github.com/keycloak/keycloak/pull/1251

I'll also need i18n in the admin console, +1 JIRA ( https://issues.jboss.org/browse/KEYCLOAK-1308 ).

On Sat, May 9, 2015 at 5:40 PM Leonardo Loch Zanivan <
leonardo.zanivan at gmail.com> wrote:

> I'll work on that next week..
>
> Thanks!
>
> On Wed, May 6, 2015 at 3:37 PM Marek Posolda wrote:
>
>> +1 for JIRA. Also feel free to send PR as you already nailed it down and
>> you already sent some PRs :-)
>>
>> By the way, thanks for them.
>>
>> It seems that generally we should improve on handling errors from admin
>> REST endpoints. Ideally you can handle the error response similarly like
>> it's done here:
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L771
>> .
>> Then on admin-client side, you can catch ClientErrorException and see the
>> error message for example like done here:
>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L49
>>
>> Thanks,
>> Marek
>>
>>
>> On 6.5.2015 19:31, Leonardo Loch Zanivan wrote:
>>
>> Unfortunately I think it's not possible right now.
>>
>> Admin client uses Admin REST API, which isn't handling errors correctly.
>>
>> If you try to reset a password using Admin interface you will get a
>> generic error 500 saying "Failed to reset user password".
>>
>> In the server the stacktrace shows:
>> Caused by: org.jboss.resteasy.spi.UnhandledException:
>> org.keycloak.models.ModelException: invalidPasswordMinLengthMessage
>>
>> We could file a JIRA to handle ModelException using JAX-RS exception
>> handlers, so the response will have the correct error and we could show a
>> better error message.
>>
>> On Wed, May 6, 2015 at 2:10 PM Benjamin Hansmann [alphaApps] <
>> b.hansmann at alphaapps.de> wrote:
>>
>>> Is one able to get an error message from the resetPassword method of
>>> admin-client if it somehow failed to reset the password, like when the
>>> password is too short or does not comply with the password policy?
>>>
>>> It throws an InternalServerErrorException in that case. On the server
>>> side there seems to be a ModelException:
>>> invalidPasswordMinLengthMessage. That information is lost...
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
From b.hansmann at alphaapps.de Tue May 12 20:01:43 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Wed, 13 May 2015 02:01:43 +0200
Subject: [keycloak-user] Get message for ModelException in admin-client
In-Reply-To:
References: <1430932190.4814.7.camel@alphaapps.de> <554A5F76.30805@redhat.com>
Message-ID: <1431475303.4407.3.camel@alphaapps.de>

On Tue, 2015-05-12 at 21:54 +0000, Leonardo Loch Zanivan wrote:
> I've created a generic exception mapper for REST API but also
> specialized for ModelException to return correct internationalized
> message.
>

Thanks for implementing this, Leonardo.

> JIRA: https://issues.jboss.org/browse/KEYCLOAK-1306
> PR: https://github.com/keycloak/keycloak/pull/1251
>
> I'll also need i18n in the admin console, +1 JIRA
> (https://issues.jboss.org/browse/KEYCLOAK-1308).
>
>
> On Sat, May 9, 2015 at 5:40 PM Leonardo Loch Zanivan
> wrote:
>         I'll work on that next week..
>
>         Thanks!
>
>
>         On Wed, May 6, 2015 at 3:37 PM Marek Posolda
>         wrote:
>                 +1 for JIRA. Also feel free to send PR as you already
>                 nailed it down and you already sent some PRs :-)
>
>                 By the way, thanks for them.
>
>                 It seems that generally we should improve on handling
>                 errors from admin REST endpoints. Ideally you can
>                 handle the error response similarly like it's done
>                 here:
>                 https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L771 . Then on admin-client side, you can catch ClientErrorException and see the error message for example like done here: https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/admin/UserTest.java#L49
>
>                 Thanks,
>                 Marek
>
>
>                 On 6.5.2015 19:31, Leonardo Loch Zanivan wrote:
>
> > Unfortunately I think it's not possible right now.
> >
> > Admin client uses Admin REST API, which isn't
> > handling errors correctly.
> >
> > If you try to reset a password using Admin interface
> > you will get a generic error 500 saying "Failed to
> > reset user password".
> >
> > In the server the stacktrace shows:
> > Caused by:
> > org.jboss.resteasy.spi.UnhandledException:
> > org.keycloak.models.ModelException:
> > invalidPasswordMinLengthMessage
> >
> > We could file a JIRA to handle ModelException using
> > JAX-RS exception handlers, so the response will have
> > the correct error and we could show a better error
> > message.
> >
> > On Wed, May 6, 2015 at 2:10 PM Benjamin Hansmann
> > [alphaApps] wrote:
> >         Is one able to get an error message from the
> >         resetPassword method of
> >         admin-client if it somehow failed to reset
> >         the password, like when the
> >         password is too short or does not comply
> >         with the password policy?
> >
> >         It throws an InternalServerErrorException in
> >         that case. On the server
> >         side there seems to be a ModelException:
> >         invalidPasswordMinLengthMessage. That
> >         information is lost...
> >
> >
> >         _______________________________________________
> >         keycloak-user mailing list
> >         keycloak-user at lists.jboss.org
> >         https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
[alphaApps] mobile development

Benjamin Hansmann
Nosthoffenstraße 46
D-40589 Düsseldorf
Germany

Mobile: +49 (0) 177 249 47 47
Email: b.hansmann at alphaapps.de

From b.hansmann at alphaapps.de Tue May 12 20:24:47 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Wed, 13 May 2015 02:24:47 +0200
Subject: [keycloak-user] Trigger verification emails
Message-ID: <1431476687.4407.22.camel@alphaapps.de>

For me there is generally only one feature missing now:

When using the admin rest api exclusively I would need a way to trigger verification emails. Either as per Jira KEYCLOAK-944 or through Admin-Rest API. Is this planned to be implemented in the near future?

If it shouldn't require diving deep into keycloak internals I would be willing to contribute an admin rest api endpoint to trigger these. Any hints where to start looking in the code on github regarding verification emails and admin rest api?

Two other remarks:

- If Jira KEYCLOAK-943 (account service rest api) should be implemented one day, a nice to have would be to also provide a registration endpoint.

- When creating an EventListener it does not get notified when creating a user through Admin Console or Admin REST API, only self-registration triggers onEvent().
Best Regards
Benjamin

From b.hansmann at alphaapps.de Wed May 13 00:26:05 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Wed, 13 May 2015 06:26:05 +0200
Subject: [keycloak-user] SecurityContext in ContainerRequestFilter
Message-ID: <1431491165.11809.9.camel@alphaapps.de>

When using JAX-RS EJBs one supplies the @SecurityDomain annotation and is able to inject a SecurityContext.

But I am now trying to get hold of a SecurityContext in a ContainerRequestFilter from the filter's ContainerRequestContext. The UserPrincipal seems to be null.

How could one get a UserPrincipal from within a ContainerRequestFilter? I need it for some sort of revocation policy.

From bburke at redhat.com Wed May 13 11:25:40 2015
From: bburke at redhat.com (Bill Burke)
Date: Wed, 13 May 2015 11:25:40 -0400
Subject: [keycloak-user] Import IDP config from URL not working?
In-Reply-To:
References:
Message-ID: <55536CF4.8050509@redhat.com>

Why do you think the issuer should be changed to accounts.google.com?

I'm not sure about the keys as our code eats the error. How can I reproduce this? Meaning how can I set up my google account and such? Same as regular social provider stuff?

On 5/12/2015 5:37 PM, Thorsten wrote:
> I tried to import the basic IDP config for a custom "OpenID Connect
> v1.0" provider from the published Google autoconf URL:
> https://accounts.google.com/.well-known/openid-configuration
>
> The URLs are picked up fine but there seem to be two issues:
>
> 1.) the "Issuer" is imported as "https://accounts.google.com" when it
> should be "accounts.google.com"
> 2.) the public validation keys are not imported correctly.
> They always
> produce
>
> 12:09:40,416 ERROR
> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default
> task-17) Failed to make identity provider oauth callback:
> org.keycloak.broker.provider.IdentityBrokerException: token signature
> validation failed
> at
> org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:286)
>
> when authentication is being performed.
>
> Are these bugs or is the published discovery document from Google not
> standard compliant?
>
> Thanks
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thorsten315 at gmx.de Wed May 13 13:01:16 2015
From: thorsten315 at gmx.de (Thorsten)
Date: Wed, 13 May 2015 19:01:16 +0200
Subject: [keycloak-user] Import IDP config from URL not working?
In-Reply-To: <55536CF4.8050509@redhat.com>
References: <55536CF4.8050509@redhat.com>
Message-ID:

Well, when I put "https://accounts.google.com" into the "Issuer" field I get the following exception:

16:53:37,502 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-37) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Wrong issuer from token. Got: accounts.google.com expected: https://accounts.google.com
	at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:312)

The autoconfig stuff for the sign key issue is easy to reproduce:

- create realm
- add "OpenID Connect v1.0" provider
- on the bottom populate the "Import From Url" with "https://accounts.google.com/.well-known/openid-configuration" and click "Import"
- add your "Client ID" and "Client secret" as provided in your Google Developer Console
- add scopes "openid profile email"
- click "Save" (due to the aforementioned "Issuer" issue you may need to change "https://accounts.google.com" to "accounts.google.com" as well)

Try to login with your google account into the realm and it should give you the sig validation failure I posted.

2015-05-13 17:25 GMT+02:00 Bill Burke :

> Why do you think the issuer should be changed to accounts.google.com?
>
> I'm not sure about the keys as our code eats the error. How can I
> reproduce this? Meaning how can I set up my google account and such?
> Same as regular social provider stuff?
>
>
>
> On 5/12/2015 5:37 PM, Thorsten wrote:
> > I tried to import the basic IDP config for a custom "OpenID Connect
> > v1.0" provider from the published Google autoconf URL:
> > https://accounts.google.com/.well-known/openid-configuration
> >
> > The URLs are picked up fine but there seem to be two issues:
> >
> > 1.) the "Issuer" is imported as "https://accounts.google.com" when it
> > should be "accounts.google.com"
> > 2.) the public validation keys are not imported correctly.
The always > > produce > > > > 12:09:40,416 ERROR > > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default > > task-17) Failed to make identity provider oauth callback: > > org.keycloak.broker.provider.IdentityBrokerException: token signature > > validation failed > > at > > > org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:286) > > > > when authentication is being performed. > > > > Are these bugs or is the published discovery document from Google not > > standard compliant? > > > > Thanks > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150513/12c1e865/attachment.html From iqbaltalaat at gmail.com Thu May 14 10:02:17 2015 From: iqbaltalaat at gmail.com (I-T) Date: Thu, 14 May 2015 19:02:17 +0500 Subject: [keycloak-user] Keycloak Admin REST API Message-ID: Hello, I see that the Keycloak Admin REST API[ http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html] is what keycloak itself is using whenever you need to add a new app via Chrome inspector. There is an 'Authorization: Bearer KEY' header in every request that the Admin UI app makes to Keycloak Server. I'm unsure where I can get the key from in a Script that I can use for Server to Server communications. I want my existing app to migrate to Keycloak and I want to be able to create new users on signup as well without having them to redirect to the keycloak service. 
Any help in this regard will be most appreciated. These are my notes for logging in and validating the users through various microservices: https://www.evernote.com/l/ALEH0fpLM1JLKYaFnbMQxQxLURc5cduo-oc I want to be able to build something similar for Admin functionalities. Any library / scripts that I write while accomplishing this task will be open sourced. Best Regards, Iqbal Talaat Bhatti "If we did all the things we are capable of doing, we would literally astound ourselves." - Thomas Edison -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150514/e9068d75/attachment.html From adisari06 at yahoo.com Thu May 14 10:58:36 2015 From: adisari06 at yahoo.com (Adil Arif) Date: Thu, 14 May 2015 14:58:36 +0000 (UTC) Subject: [keycloak-user] Keycloak 1.2.0 Final release date Message-ID: <253600403.357443.1431615516375.JavaMail.yahoo@mail.yahoo.com> Is there an estimated date when 1.2.0 final will be released? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150514/2eaf731c/attachment-0001.html From carlosthe19916 at gmail.com Fri May 15 00:41:55 2015 From: carlosthe19916 at gmail.com (Carlos Feria) Date: Thu, 14 May 2015 23:41:55 -0500 Subject: [keycloak-user] Keycloak documentation In-Reply-To: References: Message-ID: Hello. I'm using keycloak in my projects, it is a great solution. I would like to find some documentation of the structure or architecture of keycloak, something like UML diagrams or any documentation for developers, not only for users... I'm trying to review the code to learn how keycloak works internally. Please, could anybody tell me if anything like that exists? -------------- next part -------------- An HTML attachment was scrubbed...
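For the Google discovery-import thread above (Thorsten's report and Bill Burke's question), an added example that is not Keycloak's code: the two checks behind the errors quoted there, "Wrong issuer from token" and "token signature validation failed", as an OpenID Connect relying party has to implement them. OIDC Core section 3.1.3.7 requires the `iss` claim to match the `issuer` of the discovery document exactly, so a token carrying the bare host `accounts.google.com` is rightly rejected against a configured `https://accounts.google.com`; the practical fix is to configure the Issuer exactly as the discovery document publishes it, and if a provider is known to emit a second spelling, to allow that second string explicitly rather than to compare with the scheme stripped. The signing key is selected from the JWKS by `kid`, and no matching key must fail closed, which is what an import that dropped the keys looks like from the outside. Everything below is constructed: the discovery document, the JWKS and the tokens are built in-process, and the RSA key is generated at run time (512-bit for demo speed only; the RS256 primitive is written out with the standard library so the block needs no third-party package).

```python
# Added example (not Keycloak's code): the checks behind the two failures quoted in the
# thread, written against OIDC Core 3.1.3.7 with only the standard library. Discovery
# document, JWKS and tokens are constructed; the RSA key is generated at run time
# (512-bit for speed in a demo only, never for real use).
import base64, hashlib, json, random

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# -- minimal RS256 (RSASSA-PKCS1-v1_5 + SHA-256), enough to sign and verify here --
def _probable_prime(n: int, rounds: int = 24) -> bool:   # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits: int = 512):
    """Return (n, e, d) for a fresh key."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:          # DigestInfo prefix for SHA-256
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, k)

# -- the broker side: what the OIDC identity provider must check on an ID token --
def validate_id_token(token: str, discovery: dict, jwks: dict, client_id: str, now: int) -> dict:
    h_b64, p_b64, s_b64 = token.split(".")
    header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    if header.get("alg") != "RS256":                       # the token never picks the algorithm
        raise ValueError("unsupported alg %r" % header.get("alg"))
    # 1. Key from jwks_uri, chosen by kid; no match or bad signature -> fail closed.
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None or not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64),
                                        int.from_bytes(b64url_decode(key["n"]), "big"),
                                        int.from_bytes(b64url_decode(key["e"]), "big")):
        raise ValueError("token signature validation failed")
    # 2. iss must equal the discovery issuer byte for byte (OIDC Core 3.1.3.7).
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("Wrong issuer from token. Got: %s expected: %s" % (claims.get("iss"), discovery["issuer"]))
    # 3. aud must name this client and exp must still lie in the future.
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

# -- constructed provider: discovery + JWKS shaped like a real OP's, signing in-process --
def make_provider(issuer: str = "https://accounts.google.com"):
    n, e, d = generate_rsa()
    jwk = {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "key-2015-05",
           "n": b64url(n.to_bytes((n.bit_length() + 7) // 8, "big")), "e": b64url(e.to_bytes(3, "big"))}
    discovery = {"issuer": issuer, "jwks_uri": issuer + "/jwks"}    # constructed, not fetched
    def issue(claims: dict, kid: str = "key-2015-05") -> str:
        signing_input = b64url(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64url(json.dumps(claims).encode())
        return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))
    return discovery, {"keys": [jwk]}, issue

def outcomes() -> dict:
    """Run the validator over the cases from the thread; returns {case: sub or error text}."""
    discovery, jwks, issue = make_provider()
    base = {"sub": "user-123", "aud": "my-client", "exp": 2_000_000_000}
    cases = {"valid": issue({**base, "iss": "https://accounts.google.com"}),
             "iss_without_scheme": issue({**base, "iss": "accounts.google.com"}),
             "kid_not_in_jwks": issue({**base, "iss": "https://accounts.google.com"}, kid="unknown")}
    h, _, s = cases["valid"].split(".")                     # good signature over edited claims
    cases["tampered_payload"] = h + "." + b64url(json.dumps({**base, "iss": "https://accounts.google.com", "sub": "admin"}).encode()) + "." + s
    result = {}
    for name, tok in cases.items():
        try:
            result[name] = validate_id_token(tok, discovery, jwks, "my-client", now=1_500_000_000)["sub"]
        except ValueError as err:
            result[name] = str(err)
    return result
```

Running `outcomes()` gives the subject for the valid token and the two error texts from the thread for the other three cases. Note the order of the checks: the signature is verified before any claim is read for a decision, and the header's `alg` is pinned rather than trusted, so neither a forged `kid` nor an `alg` downgrade can steer the verifier.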
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150514/7cbb1438/attachment.html From mposolda at redhat.com Fri May 15 01:35:44 2015 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 15 May 2015 07:35:44 +0200 Subject: [keycloak-user] Keycloak documentation In-Reply-To: References: Message-ID: <555585B0.9040701@redhat.com> Hi, Keycloak implements OpenID Connect and SAML specifications from both client and server perspective. You can find some diagrams related to those specs on the web. Client (adapters) code is inside the "integration" module and its submodules. Then in the "core" module is some shared code for both adapters and server. The rest of the code is mainly server parts. For the server, you can start to look at the KeycloakApplication class, which is the entry point where REST resources are registered, and KeycloakSessionFactory, which registers SPIs. That's for the start. For the rest, I would suggest digging into the code, debugging and seeing how it works :-) ah, and some startup docs for developers are also in readme files under the "misc" directory (you can take a look at least at HackingOnKeycloak.md and Testsuite.md ). Good luck:-) Marek On 15.5.2015 06:41, Carlos Feria wrote: > > Hello. I'm using keycloak in my projects, it is a great solution. > > I'd would like to find some documentation of the structure or > architecture of keycloak, something like uml diagrams or any > documentation for developers not only for users... > > i'm trying to review the code for learn how keycloak works internally. > Please, anybody could tell me if exists anything like. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150515/93e5310a/attachment.html From stian at redhat.com Fri May 15 03:07:30 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 15 May 2015 03:07:30 -0400 (EDT) Subject: [keycloak-user] Keycloak 1.2.0 Final release date In-Reply-To: <253600403.357443.1431615516375.JavaMail.yahoo@mail.yahoo.com> References: <253600403.357443.1431615516375.JavaMail.yahoo@mail.yahoo.com> Message-ID: <143166844.20012654.1431673650700.JavaMail.zimbra@redhat.com> Next week most likely ----- Original Message ----- > From: "Adil Arif" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 14 May, 2015 4:58:36 PM > Subject: [keycloak-user] Keycloak 1.2.0 Final release date > > Is there an estimated date when 1.2.0 final will be released? > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From stian at redhat.com Fri May 15 03:08:56 2015 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 15 May 2015 03:08:56 -0400 (EDT) Subject: [keycloak-user] Keycloak Admin REST API In-Reply-To: References: Message-ID: <2014330930.20012825.1431673736545.JavaMail.zimbra@redhat.com> Look at the examples - you can either use the rest api directly (https://github.com/keycloak/keycloak/tree/master/examples/demo-template/admin-access-app) or use the java library (https://github.com/keycloak/keycloak/tree/master/examples/admin-client). ----- Original Message ----- > From: "I-T" > To: keycloak-user at lists.jboss.org > Sent: Thursday, 14 May, 2015 4:02:17 PM > Subject: [keycloak-user] Keycloak Admin REST API > > Hello, > > I see that the Keycloak Admin REST API[ > http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html > ] is what keycloak itself is using whenever you need to add a new app via > Chrome inspector. 
> > There is an 'Authorization: Bearer KEY' header in every request that the > Admin UI app makes to Keycloak Server. > > I'm unsure where I can get the key from in a Script that I can use for Server > to Server communications. I want my existing app to migrate to Keycloak and > I want to be able to create new users on signup as well without having them > to redirect to the keycloak service. Any help in this regard will be most > appreciated. > > These are my notes for logging in and validating the users through various > microservices: > https://www.evernote.com/l/ALEH0fpLM1JLKYaFnbMQxQxLURc5cduo-oc > > I want to be able to build something similar for Admin functionalities. Any > library / scripts that I write while accomplishing this talk will be open > sourced. > > Best Regards, > > Iqbal Talaat Bhatti > > "If we did all the things we are capable of doing, we would literally astound > ourselves." - Thomas Edison > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From iqbaltalaat at gmail.com Fri May 15 03:25:36 2015 From: iqbaltalaat at gmail.com (I-T) Date: Fri, 15 May 2015 12:25:36 +0500 Subject: [keycloak-user] Keycloak Admin REST API In-Reply-To: <2014330930.20012825.1431673736545.JavaMail.zimbra@redhat.com> References: <2014330930.20012825.1431673736545.JavaMail.zimbra@redhat.com> Message-ID: Thanks for the response Stain. I can get the admin to login to the master realm. When I use that token with the admin API for my own apps realm, it does not work. Is it supposed to work or am I doing something wrong in theory. Best Regards, On 15 May 2015 at 12:08, Stian Thorgersen wrote: > Look at the examples - you can either use the rest api directly ( > https://github.com/keycloak/keycloak/tree/master/examples/demo-template/admin-access-app) > or use the java library ( > https://github.com/keycloak/keycloak/tree/master/examples/admin-client). 
> > ----- Original Message ----- > > From: "I-T" > > To: keycloak-user at lists.jboss.org > > Sent: Thursday, 14 May, 2015 4:02:17 PM > > Subject: [keycloak-user] Keycloak Admin REST API > > > > Hello, > > > > I see that the Keycloak Admin REST API[ > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html > > ] is what keycloak itself is using whenever you need to add a new app via > > Chrome inspector. > > > > There is an 'Authorization: Bearer KEY' header in every request that the > > Admin UI app makes to Keycloak Server. > > > > I'm unsure where I can get the key from in a Script that I can use for > Server > > to Server communications. I want my existing app to migrate to Keycloak > and > > I want to be able to create new users on signup as well without having > them > > to redirect to the keycloak service. Any help in this regard will be most > > appreciated. > > > > These are my notes for logging in and validating the users through > various > > microservices: > > https://www.evernote.com/l/ALEH0fpLM1JLKYaFnbMQxQxLURc5cduo-oc > > > > I want to be able to build something similar for Admin functionalities. > Any > > library / scripts that I write while accomplishing this talk will be open > > sourced. > > > > Best Regards, > > > > Iqbal Talaat Bhatti > > > > "If we did all the things we are capable of doing, we would literally > astound > > ourselves." - Thomas Edison > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Iqbal Talaat Bhatti "If we did all the things we are capable of doing, we would literally astound ourselves." - Thomas Edison -------------- next part -------------- An HTML attachment was scrubbed... 
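For the Admin REST API thread above (Iqbal's server-to-server question and his follow-up about a master-realm token not working on his own realm), an added example that is not the Keycloak examples Stian links and not Keycloak's code: a standard-library client that obtains a token from the master realm and creates a user through the admin API, plus the role check that explains the follow-up. Assumptions, labelled as such: the token endpoint is `/realms/{realm}/protocol/openid-connect/token` (the OpenID Connect endpoint layout of Keycloak 1.2); `client_id` names a client in the master realm that allows the resource-owner password grant, as the linked admin-access-app example sets one up; and the role model is the one I know from Keycloak's master realm, where a client named `<realm>-realm` carries the management roles (`manage-users`, `view-users`, ...) for each other realm and the master realm role `admin` is a composite of all of them, while a token issued by the realm itself carries those roles under its `realm-management` client. Verify both in the master realm's Clients list; the final authorization decision is always Keycloak's, the check here only says up front why a 403 is coming.

```python
# Added example, not Keycloak's code nor the project's examples: a server-to-server
# Admin REST client with the standard library only. Assumed: the 1.2 endpoint layout,
# a master-realm client that allows the password grant, and the master-realm role model
# described in the lead-in (verify against your own master realm's Clients list).
import base64, json
from urllib.request import Request, urlopen
from urllib.parse import urlencode

def _call(req: Request, opener=urlopen) -> dict:
    with opener(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}     # 201 Created on user creation has no body

def get_admin_token(base_url, username, password, client_id, client_secret=None, opener=urlopen) -> str:
    """Resource-owner password grant against the master realm; returns the access token."""
    form = {"grant_type": "password", "username": username, "password": password, "client_id": client_id}
    if client_secret:
        form["client_secret"] = client_secret
    req = Request(f"{base_url}/realms/master/protocol/openid-connect/token",
                  data=urlencode(form).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    return _call(req, opener)["access_token"]

def decode_claims(token: str) -> dict:
    """Payload of a JWT *without* signature verification: fine for inspecting the token we
    just received over TLS from the server, never for trusting one somebody else presents."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def can_manage_users(claims: dict, realm: str, token_realm: str = "master") -> bool:
    """Pre-flight for the follow-up question: a master token works on another realm only
    with the master 'admin' realm role or 'manage-users' of the '<realm>-realm' client;
    a token from the realm itself needs 'manage-users' of its 'realm-management' client."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = claims.get("resource_access", {})
    if token_realm == "master":
        return "admin" in realm_roles or \
               "manage-users" in client_roles.get(f"{realm}-realm", {}).get("roles", [])
    return token_realm == realm and \
           "manage-users" in client_roles.get("realm-management", {}).get("roles", [])

def create_user(base_url, realm, token, user: dict, token_realm="master", opener=urlopen) -> dict:
    """POST /admin/realms/{realm}/users with the bearer token; refuses early if the token
    visibly lacks the role, so a 403 does not get blamed on the request body."""
    if not can_manage_users(decode_claims(token), realm, token_realm):
        raise PermissionError(f"token carries no manage-users role for realm {realm!r}")
    req = Request(f"{base_url}/admin/realms/{realm}/users", data=json.dumps(user).encode(),
                  headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    return _call(req, opener)

if __name__ == "__main__":
    BASE = "https://sso.example.com/auth"                   # assumed deployment URL
    tok = get_admin_token(BASE, "admin", "admin-password", client_id="admin-access-app")
    print(create_user(BASE, "demo", tok, {"username": "alice", "email": "alice@example.com", "enabled": True}))
```

The `opener` parameter exists so the request construction can be exercised without a server; in production it stays `urlopen` over HTTPS, and the admin credentials belong to a dedicated service account that holds only the `<realm>-realm` roles the script needs, not the master `admin` role.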
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150515/3f2a467d/attachment.html From stan.ieugen at gmail.com Fri May 15 04:38:21 2015 From: stan.ieugen at gmail.com (Ioan Eugen Stan) Date: Fri, 15 May 2015 11:38:21 +0300 Subject: [keycloak-user] get twitter token Message-ID: Hello, I'm working on a node app that uses Twitter social login. The twitter app that asks for login is able to send direct messages to the followers. How can I get the twitter tokens from keycloak in order to send direct messages to followers or read twitter data? I'm using connect-keycloak p.s. I've sent a pull request to fix connect-keycloak module to work behind a proxy. https://github.com/keycloak/keycloak-nodejs/pull/5 Thanks, -- Ioan Eugen Stan 0720 898 747 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150515/f08d1ace/attachment.html From eugene.chow.ct at gmail.com Fri May 15 11:50:37 2015 From: eugene.chow.ct at gmail.com (Eugene Chow) Date: Fri, 15 May 2015 23:50:37 +0800 Subject: [keycloak-user] Keycloak Admin REST API (I-T) Message-ID: <555615CD.3090005@gmail.com> Hi Iqbal, I wrote a BASH script to perform admin tasks using the REST API - https://github.com/eugene-chow/keycloak-tools. Hope it helps! > Hello, > > I see that the Keycloak Admin REST API[ > http://docs.jboss.org/keycloak/docs/1.1.0.Final/rest-api/overview-index.html] > is what keycloak itself is using whenever you need to add a new app via > Chrome inspector. > > There is an 'Authorization: Bearer KEY' header in every request that the > Admin UI app makes to Keycloak Server. > > I'm unsure where I can get the key from in a Script that I can use for > Server to Server communications. I want my existing app to migrate to > Keycloak and I want to be able to create new users on signup as well > without having them to redirect to the keycloak service. Any help in this > regard will be most appreciated. 
> > These are my notes for logging in and validating the users through various > microservices: > https://www.evernote.com/l/ALEH0fpLM1JLKYaFnbMQxQxLURc5cduo-oc > > I want to be able to build something similar for Admin functionalities. Any > library / scripts that I write while accomplishing this talk will be open > sourced. > > Best Regards, > > Iqbal Talaat Bhatti > > "If we did all the things we are capable of doing, we would literally > astound ourselves." - Thomas Edison From kalc04 at gmail.com Mon May 18 06:20:43 2015 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Mon, 18 May 2015 15:50:43 +0530 Subject: [keycloak-user] Issues with Social Provider Logins Message-ID: Hi, I have experienced a couple of issues when testing with Social Provider logins: 1. It seems that a successful Twitter login doesn't return the user email - hence it cannot be bound to other social accounts created with the same email. I haven't seen any editable consent params on Twitter developer site as well. So this means consistency with other social providers is not maintained. Is there a way out of this? 2. When the 'Cancel' button is pressed on the LinkedIn login page, it redirects to a Keycloak error page which says "Unexpected error when authenticating with identity provider". Ideally this should return the user to the Keycloak login page w/o showing an error. Seems like a bug. Thanks, Lohitha. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150518/17329df6/attachment.html From stian at redhat.com Mon May 18 08:17:33 2015 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 18 May 2015 08:17:33 -0400 (EDT) Subject: [keycloak-user] Issues with Social Provider Logins In-Reply-To: References: Message-ID: <443132693.711753.1431951453415.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Lohitha Chiranjeewa" > To: keycloak-user at lists.jboss.org > Sent: Monday, 18 May, 2015 12:20:43 PM > Subject: [keycloak-user] Issues with Social Provider Logins > > Hi, > > I have experienced a couple of issues when testing with Social Provider > logins: > > 1. It seems that a successful Twitter login doesn't return the user email - > hence it cannot be bound to other social accounts created with the same > email. I haven't seen any editable consent params on Twitter developer site > as well. So this means consistency with other social providers is not > maintained. Is there a way out of this? At least a while ago when we implemented this there was no way to retrieve email from Twitter. If you find out it's possible now, let us know. > > 2. When the 'Cancel' button is pressed on the LinkedIn login page, it > redirects to a Keycloak error page which says "Unexpected error when > authenticating with identity provider". Ideally this should return the user > to the Keycloak login page w/o showing an error. Seems like a bug. That's a bug, so please jira > > > Thanks, > Lohitha. 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From kalc04 at gmail.com Mon May 18 08:54:29 2015 From: kalc04 at gmail.com (Lohitha Chiranjeewa) Date: Mon, 18 May 2015 18:24:29 +0530 Subject: [keycloak-user] Issues with Social Provider Logins In-Reply-To: <443132693.711753.1431951453415.JavaMail.zimbra@redhat.com> References: <443132693.711753.1431951453415.JavaMail.zimbra@redhat.com> Message-ID: Hi, Following ticket was created for the LinkedIn issue: https://issues.jboss.org/browse/KEYCLOAK-1321 Regards, Lohitha. On Mon, May 18, 2015 at 5:47 PM, Stian Thorgersen wrote: > > > ----- Original Message ----- > > From: "Lohitha Chiranjeewa" > > To: keycloak-user at lists.jboss.org > > Sent: Monday, 18 May, 2015 12:20:43 PM > > Subject: [keycloak-user] Issues with Social Provider Logins > > > > Hi, > > > > I have experienced a couple of issues when testing with Social Provider > > logins: > > > > 1. It seems that a successful Twitter login doesn't return the user > email - > > hence it cannot be bound to other social accounts created with the same > > email. I haven't seen any editable consent params on Twitter developer > site > > as well. So this means consistency with other social providers is not > > maintained. Is there a way out of this? > > At least a while ago when we implemented this there was no way to retrieve > email from Twitter. If you find out it's possible now, let us know. > > > > > 2. When the 'Cancel' button is pressed on the LinkedIn login page, it > > redirects to a Keycloak error page which says "Unexpected error when > > authenticating with identity provider". Ideally this should return the > user > > to the Keycloak login page w/o showing an error. Seems like a bug. > > That's a bug, so please jira > > > > > > > Thanks, > > Lohitha. 
> > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150518/2324ba61/attachment.html From stian at redhat.com Tue May 19 02:44:40 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 19 May 2015 02:44:40 -0400 (EDT) Subject: [keycloak-user] Trigger verification emails In-Reply-To: <1431476687.4407.22.camel@alphaapps.de> References: <1431476687.4407.22.camel@alphaapps.de> Message-ID: <897204751.1391536.1432017880064.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Benjamin Hansmann [alphaApps]" > To: "keycloak-user" > Sent: Wednesday, 13 May, 2015 2:24:47 AM > Subject: [keycloak-user] Trigger verification emails > > For me there is generally only one feature missing now: When using the > admin rest api exclusively I would need a way to trigger verification > emails. Either as per Jira KEYCLOAK-944 or through Admin-Rest API. Is > this planned to be implemented in the near future? If it shouldn't > require to dive deep into keycloak internals I would be willing to > contribute an admin rest api endpoint to trigger these. Any hints where > to start looking in the code on github regarding verification emails and > admin rest api? This is not on our road-map so you'd have to implement it. It should be relatively easy though as we already have support for sending reset password email, so should be quite trivial to adapt that code to send a verify email email instead. > > Two other remarks: > > - If Jira KEYCLOAK-943 (account service rest api) should be implemented > one day, a nice to have would be to also provide an registration > endpoint. 
KEYCLOAK-943 isn't on our immediate road-map, but this is another low hanging fruit that should be easy to implement, so if you want to do it that'd be great. There's already some support here, but it's limited to retrieving the user profile. This may change a bit in the near future as we're adding auth/required-actions spi that allows custom authentication flows. Custom registration is something we've considered, but not planned to add yet. A simple rest endpoint could be the way to do it. > - When creating an EventListener it does not get notified when creating > a user through Admin Console or Admin REST API, only self-registration > triggers onEvent(). We're adding admin events soon > > Best Regards > Benjamin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Tue May 19 08:02:20 2015 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 19 May 2015 08:02:20 -0400 (EDT) Subject: [keycloak-user] Keycloak 1.2.0.Final released In-Reply-To: <835789693.1573810.1432036881644.JavaMail.zimbra@redhat.com> Message-ID: <815638486.1574215.1432036940104.JavaMail.zimbra@redhat.com> No major changes since 1.2.0.CR1 only some minor bug fixes. For full details see https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12313920&version=12327255 and to download go to https://sourceforge.net/projects/keycloak/files/1.2.0.Final/. From didier.romelot at renault.com Tue May 19 11:16:49 2015 From: didier.romelot at renault.com (ROMELOT Didier) Date: Tue, 19 May 2015 17:16:49 +0200 Subject: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ? 
Message-ID: <2C7C8999FAA4E64EA65847796254796420FCDEBD38@MBX022.renault.mail.noxiane.net> Hi, we try to implement the following use case using keycloak identity brokering functionality :
- User request a resource to Service Provider, then select a remote IDP (SAML IDP in our case based on PicketLink...) and authenticates on this remote IDP
- Keycloak computes local Authentication / Identity Federation based on Authentication Response from remote IDP
- During local authentication, Keycloak maps roles contained in the Authentication response from remote IDP to roles defined in keycloak.
Does Keycloak support such scenario through mappers ? regards -- Disclaimer ------------------------------------ Ce message ainsi que les eventuelles pieces jointes constituent une correspondance privee et confidentielle a l'attention exclusive du destinataire designe ci-dessus. Si vous n'etes pas le destinataire du present message ou une personne susceptible de pouvoir le lui delivrer, il vous est signifie que toute divulgation, distribution ou copie de cette transmission est strictement interdite. Si vous avez recu ce message par erreur, nous vous remercions d'en informer l'expediteur par telephone ou de lui retourner le present message, puis d'effacer immediatement ce message de votre systeme. *** This e-mail and any attachments is a confidential correspondence intended only for use of the individual or entity named above. If you are not the intended recipient or the agent responsible for delivering the message to the intended recipient, you are hereby notified that any disclosure, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender by phone or by replying this message, and then delete this message from your system. -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150519/a2b424b4/attachment.html From stian at redhat.com Wed May 20 00:45:08 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 20 May 2015 00:45:08 -0400 (EDT) Subject: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ? In-Reply-To: <2C7C8999FAA4E64EA65847796254796420FCDEBD38@MBX022.renault.mail.noxiane.net> References: <2C7C8999FAA4E64EA65847796254796420FCDEBD38@MBX022.renault.mail.noxiane.net> Message-ID: <1341246141.2081096.1432097108432.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "ROMELOT Didier" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 19 May, 2015 5:16:49 PM > Subject: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ? > > > > Hi, we try to implement the following use case using keycloak identity > brokering functionnality : > > > > - User request a resource to Service Provider, then select a remote IDP (SAML > IDP in our case based on PicketLink?) and authenticates on this remote IDP > > - Keycloak computes local Authentication / Identity Federation based on > Authentication Response from remote IDP > > - During local authentication, Keycloak maps roles contained in the > Authentication response from remote IDP to roles defined in keycloak. > > > > Does Keycloak support such scenario through mappers ? Yes > > > > regards > > > -- Disclaimer ------------------------------------ > Ce message ainsi que les eventuelles pieces jointes constituent une > correspondance privee et confidentielle a l'attention exclusive du > destinataire designe ci-dessus. Si vous n'etes pas le destinataire du > present message ou une personne susceptible de pouvoir le lui delivrer, il > vous est signifie que toute divulgation, distribution ou copie de cette > transmission est strictement interdite. 
Si vous avez recu ce message par > erreur, nous vous remercions d'en informer l'expediteur par telephone ou de > lui retourner le present message, puis d'effacer immediatement ce message de > votre systeme. > > *** This e-mail and any attachments is a confidential correspondence intended > only for use of the individual or entity named above. If you are not the > intended recipient or the agent responsible for delivering the message to > the intended recipient, you are hereby notified that any disclosure, > distribution or copying of this communication is strictly prohibited. If you > have received this communication in error, please notify the sender by phone > or by replying this message, and then delete this message from your system. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From didier.romelot at renault.com Wed May 20 02:13:39 2015 From: didier.romelot at renault.com (ROMELOT Didier) Date: Wed, 20 May 2015 08:13:39 +0200 Subject: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ? In-Reply-To: <1341246141.2081096.1432097108432.JavaMail.zimbra@redhat.com> References: <2C7C8999FAA4E64EA65847796254796420FCDEBD38@MBX022.renault.mail.noxiane.net> <1341246141.2081096.1432097108432.JavaMail.zimbra@redhat.com> Message-ID: <2C7C8999FAA4E64EA65847796254796420FCE6666F@MBX022.renault.mail.noxiane.net> Thanks for the answers; is there any documentation or sample that shows how to implement that ? regards -----Original Message----- From: Stian Thorgersen [mailto:stian at redhat.com] Sent: Wednesday, 20 May 2015 06:45 To: ROMELOT Didier Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ?
----- Original Message ----- > From: "ROMELOT Didier" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, 19 May, 2015 5:16:49 PM > Subject: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ? > > > > Hi, we try to implement the following use case using keycloak identity > brokering functionality : > > > > - User request a resource to Service Provider, then select a remote > IDP (SAML IDP in our case based on PicketLink...) and authenticates on > this remote IDP > > - Keycloak computes local Authentication / Identity Federation based > on Authentication Response from remote IDP > > - During local authentication, Keycloak maps roles contained in the > Authentication response from remote IDP to roles defined in keycloak. > > > > Does Keycloak support such scenario through mappers ? Yes > > > > regards > > > -- Disclaimer ------------------------------------ > Ce message ainsi que les eventuelles pieces jointes constituent une > correspondance privee et confidentielle a l'attention exclusive du > destinataire designe ci-dessus. Si vous n'etes pas le destinataire du > present message ou une personne susceptible de pouvoir le lui > delivrer, il vous est signifie que toute divulgation, distribution ou > copie de cette transmission est strictement interdite. Si vous avez > recu ce message par erreur, nous vous remercions d'en informer > l'expediteur par telephone ou de lui retourner le present message, > puis d'effacer immediatement ce message de votre systeme. > > *** This e-mail and any attachments is a confidential correspondence > intended only for use of the individual or entity named above. If you > are not the intended recipient or the agent responsible for delivering > the message to the intended recipient, you are hereby notified that > any disclosure, distribution or copying of this communication is > strictly prohibited.
If you have received this communication in error, > please notify the sender by phone or by replying this message, and then delete this message from your system. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Disclaimer ------------------------------------ Ce message ainsi que les eventuelles pieces jointes constituent une correspondance privee et confidentielle a l'attention exclusive du destinataire designe ci-dessus. Si vous n'etes pas le destinataire du present message ou une personne susceptible de pouvoir le lui delivrer, il vous est signifie que toute divulgation, distribution ou copie de cette transmission est strictement interdite. Si vous avez recu ce message par erreur, nous vous remercions d'en informer l'expediteur par telephone ou de lui retourner le present message, puis d'effacer immediatement ce message de votre systeme. *** This e-mail and any attachments is a confidential correspondence intended only for use of the individual or entity named above. If you are not the intended recipient or the agent responsible for delivering the message to the intended recipient, you are hereby notified that any disclosure, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender by phone or by replying this message, and then delete this message from your system. From stian at redhat.com Wed May 20 02:24:07 2015 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 20 May 2015 02:24:07 -0400 (EDT) Subject: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ? 
In-Reply-To: <2C7C8999FAA4E64EA65847796254796420FCE6666F@MBX022.renault.mail.noxiane.net> References: <2C7C8999FAA4E64EA65847796254796420FCDEBD38@MBX022.renault.mail.noxiane.net> <1341246141.2081096.1432097108432.JavaMail.zimbra@redhat.com> <2C7C8999FAA4E64EA65847796254796420FCE6666F@MBX022.renault.mail.noxiane.net> Message-ID: <1110543395.2096953.1432103047234.JavaMail.zimbra@redhat.com> Not much docs, see http://keycloak.github.io/docs/userguide/html/identity-broker.html#d4e1908 It's all configurable through the admin console and should hopefully be self explanatory. ----- Original Message ----- > From: "ROMELOT Didier" > To: "Stian Thorgersen" > Cc: keycloak-user at lists.jboss.org > Sent: Wednesday, 20 May, 2015 8:13:39 AM > Subject: RE: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering > ? > > Thanks for the answers; is there any documentation or sample that shows how to > implement that ? > > regards > > > -----Original Message----- > From: Stian Thorgersen [mailto:stian at redhat.com] > Sent: Wednesday, 20 May 2015 06:45 > To: ROMELOT Didier > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] mapping roles received from remote IDP token to > keycloak roles during Identity brokering ? > > > > ----- Original Message ----- > > From: "ROMELOT Didier" > > To: keycloak-user at lists.jboss.org > > Sent: Tuesday, 19 May, 2015 5:16:49 PM > > Subject: [keycloak-user] mapping roles received from remote IDP token to > > keycloak roles during Identity brokering ? > > > > > > > > Hi, we try to implement the following use case using keycloak identity > > brokering functionality : > > > > > > > > - User request a resource to Service Provider, then select a remote > > IDP (SAML IDP in our case based on PicketLink...)
> > and authenticates on this remote IDP
> >
> > - Keycloak computes local Authentication / Identity Federation based on the Authentication Response from the remote IDP
> >
> > - During local authentication, Keycloak maps roles contained in the Authentication Response from the remote IDP to roles defined in Keycloak.
> >
> > Does Keycloak support such a scenario through mappers?
>
> Yes
>
> > regards
From ha.hamed at gmail.com Wed May 20 04:17:57 2015
From: ha.hamed at gmail.com (ha.hamed at gmail.com)
Date: Wed, 20 May 2015 16:17:57 +0800
Subject: [keycloak-user] HTML resources over SSL (v1.2.0.CR1)

Hi,

I'm using the docker image jboss/keycloak:1.2.0.CR1 with Nginx as a reverse proxy. With version 1.1.0.Final everything is fine, but with version 1.2.0.CR1 I cannot open the admin console page, because the page is over HTTPS but the resources inside (JS+CSS) are still over HTTP and the browser cannot load them!

Any solution!?
Regards,
Hamed

From thorsten315 at gmx.de Wed May 20 05:28:22 2015
From: thorsten315 at gmx.de (Thorsten)
Date: Wed, 20 May 2015 11:28:22 +0200
Subject: [keycloak-user] HTML resources over SSL (v1.2.0.CR1)

Hey Hamed,

when you use an SSL reverse proxy you'll have to make some modifications to the WildFly running Keycloak in order to get it to work. I had the same issue with HAProxy acting as SSL proxy. Have a look at section 3.2.6.2 of the manual: http://keycloak.github.io/docs/userguide/html/server-installation.html#d4e356

It outlines the config changes required. Once done, the resources should also be delivered via SSL. At least this worked for me.

Cheers,
Thorsten
From sebastian.olscher at traveltainment.de Wed May 20 09:57:17 2015
From: sebastian.olscher at traveltainment.de (Sebastian Olscher)
Date: Wed, 20 May 2015 13:57:17 +0000
Subject: [keycloak-user] Keyloak - Securing SOAP/HTTP Web Service
Message-ID: <5C3DDBFAC4DBF04084678703EC0AC294250BFB89@EX-TT-AC-02.traveltainment.int>

Hi,

is there any possibility to use Keycloak for the standard OAuth 2 workflow "Obtaining a Token in an Autonomous Client (Username and Password Flow)" described here (https://s3.amazonaws.com/dfc-wiki/en/images/7/76/OAuthAutonomousClientFlow.png)?

[OAuthAutonomousClientFlow.png]

The general goal is to realize an automated process for machine-to-machine authentication, e.g. a Java client to a SOAP web service deployed on WildFly and secured by Keycloak, without any redirect to a browser page. The video tutorials on the Keycloak homepage only show browser login authentication.

What's the best example to get an idea of how this can be configured within Keycloak-1.2.0-Final?

Thanks for your advice,
Sebastian
From maciej.szewczykowski at pjmedia.co.uk Wed May 20 10:04:13 2015
From: maciej.szewczykowski at pjmedia.co.uk (Maciej Szewczykowski)
Date: Wed, 20 May 2015 14:04:13 +0000
Subject: [keycloak-user] Retrieving list of application roles for a given realm role

Hi,

I'm working on a simple security service for an enterprise application, and one of the requirements is to be able to determine the list of application roles (composites, if I get the vocabulary right) for each user that has successfully signed in. User credentials are naturally acquired from the session token.

According to the REST API docs, you can acquire the list of application roles for a given realm role with the following request:

/admin/realms/{realm}/roles/{realm_role}/composites

It turns out, however, that in order to be successfully executed this request requires the user to have the "manage-realm" effective role assigned. This will naturally be the case only for admin users.

So I'd much appreciate it if you could tell me whether there is a way (using the REST API or User/RoleRepresentation objects) to get the list of application roles for a given realm role without the need of having the "manage-realm" role assigned.

Thank you in advance for your help.

Best Regards,
Maciej Szewczykowski
Java Developer
From didier.romelot at renault.com Wed May 20 10:24:03 2015
From: didier.romelot at renault.com (ROMELOT Didier)
Date: Wed, 20 May 2015 16:24:03 +0200
Subject: [keycloak-user] mapping roles received from remote IDP token to keycloak roles during Identity brokering ?
In-Reply-To: <1110543395.2096953.1432103047234.JavaMail.zimbra@redhat.com>
References: <2C7C8999FAA4E64EA65847796254796420FCDEBD38@MBX022.renault.mail.noxiane.net> <1341246141.2081096.1432097108432.JavaMail.zimbra@redhat.com> <2C7C8999FAA4E64EA65847796254796420FCE6666F@MBX022.renault.mail.noxiane.net> <1110543395.2096953.1432103047234.JavaMail.zimbra@redhat.com>
Message-ID: <2C7C8999FAA4E64EA65847796254796420FCE66935@MBX022.renault.mail.noxiane.net>

I tried a configuration with the saml sales-post sample application configured with a role list mapper on Keycloak, and a SAML identity provider configured on the Keycloak realm.
The SAML response that is sent back to the SP after authentication is the same in both cases:

- when authenticating directly on Keycloak
- when authenticating on the SAML identity provider

In other words, the role list that is sent back by the SAML identity provider is replaced by a new one provided by Keycloak. What's wrong?
From John.Schneider at carrier.utc.com Wed May 20 14:16:38 2015
From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC)
Date: Wed, 20 May 2015 18:16:38 +0000
Subject: [keycloak-user] Error upgrading MS SQL database from 1.1 Final to 1.2 Final

Hi all,

I was excited to find out 1.2 was released and tried to upgrade my sandbox environment from 1.1 today. I already had 1.1 deployed as a Wildfly module, and extracted the 1.2 overlay edition along with the 1.2 Wildfly adapter.

The database update was chugging along fine for a bit, but did hit an error. It seems to be an SQL dialect problem. Because of company policies, I'm forced to use MS SQL, and am using the JDBC 41 driver deployed as a Wildfly module. I've attached the relevant log output, starting from the beginning of the database update. I did take a DB backup before starting, so I can restore and replicate the update process from the beginning again.

Could you please take a look and let me know what I can do?

Thanks,
John
Attachment log.txt: http://lists.jboss.org/pipermail/keycloak-user/attachments/20150520/92ae32a2/attachment-0001.txt

From ayrton at ubuntu.com Wed May 20 15:39:27 2015
From: ayrton at ubuntu.com (Ayrton Araújo)
Date: Wed, 20 May 2015 15:39:27 -0400
Subject: [keycloak-user] LDAP configuration

I'm trying to add a new user federation provider to integrate Keycloak with an LDAP server.

The parameters:
Console display name -> Active Directory
Priority -> 0
Edit Mode -> READ_ONLY
Sync Registrations -> OFF
Vendor -> Active Directory
Username LDAP attribute -> sAMAccountName
User Object Classes -> person, organizationPerson, user
Connection URL -> ldap://dom.example.com:389
Base DN -> DC=dom,DC=example,DC=com
User DN Suffix -> CN=Users
Bind DN -> CN=Keycloak.LDAP;CN=Users;DC=dom,DC=example,DC=com
Bind Credential -> ********
Connection pooling -> ON
Pagination -> ON
Enable Account After Password Update -> OFF
Batch Size -> 100
Periodic Full Sync -> OFF
Periodic changed users sync -> ON
Changed users sync period -> 86400

I tried changing User DN Suffix to only Users, but it does not work. The log always says:

LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR)

And it says this when it tries to parse the User DN Suffix. Is there something wrong with my conf?

--
Ayrton Araújo
http://ayr-ton.net/
From srossillo at smartling.com Wed May 20 19:06:35 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 20 May 2015 19:06:35 -0400
Subject: [keycloak-user] Admin Client Create User

Hi,

We're using the admin client to create users in 1.2.0.Final. The call works, but the credentials are missing.

    // password credential attached to the UserRepresentation sent with the create call
    List<CredentialRepresentation> credentialsList = new ArrayList<>();
    CredentialRepresentation credentials = new CredentialRepresentation();
    credentials.setType(CredentialRepresentation.PASSWORD);
    credentials.setValue(appUser.getPassword());
    credentialsList.add(credentials);
    user.setCredentials(credentialsList);

I see the credentials getting passed on the create user HTTP POST, but the CREDENTIALS table doesn't contain an entry for the user.

Any suggestions?
Best,
Scott

From mposolda at redhat.com Thu May 21 02:15:18 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 21 May 2015 08:15:18 +0200
Subject: [keycloak-user] LDAP configuration
Message-ID: <555D77F6.6050905@redhat.com>

On 20.5.2015 22:00, Ayrton Araújo wrote:
> Base DN -> DC=dom,DC=example,DC=com
> User DN Suffix -> CN=Users
>
> I tried changing User DN Suffix to only Users, but it does not work. The log always says:
> LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR)
> And it says this when it tries to parse the User DN Suffix.

Currently "User DN Suffix" is supposed to contain the whole DN. So in your case it should probably be something like:

CN=Users,DC=dom,DC=example,DC=com

I agree that the name of the parameter "User DN Suffix" is misleading. It will be improved in the next version (1.3.0.Beta1), and it will also be possible to configure more User DNs to search for users.

Marek
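Marek's point, that the field must hold the complete DN, can be checked mechanically before the provider is saved. The following is an added example (not Keycloak's own code) that uses the JDK's javax.naming.ldap.LdapName to parse the Base DN and User DN Suffix from the post above, verify that the suffix is a full DN below the Base DN, complete it when only the relative part (CN=Users) was entered, and reject a DN rooted in a different domain; the class and method names are assumptions.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Checks the "User DN Suffix" value of a Keycloak LDAP federation provider (added example). */
public final class UserDnSuffixCheck {

    /** Parses a DN, rejecting anything that is not valid RFC 2253 syntax. */
    static LdapName parse(String fieldName, String value) {
        try {
            return new LdapName(value);
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException(fieldName + " is not a valid DN: " + value, e);
        }
    }

    /** True if the name's root RDN is a domain component (DC=...). */
    static boolean hasDomainRoot(LdapName name) {
        return name.size() > 0 && name.getRdn(0).getType().equalsIgnoreCase("DC");
    }

    /**
     * Returns the complete DN that Keycloak expects in "User DN Suffix":
     * a value already below the Base DN is returned unchanged, a relative value
     * such as "CN=Users" is completed with the Base DN, and a DN rooted in another
     * domain is rejected because no search below the Base DN could ever reach it.
     */
    static String fullUserDn(String baseDn, String userDnSuffix) {
        LdapName base = parse("Base DN", baseDn);
        LdapName user = parse("User DN Suffix", userDnSuffix);

        // LdapName stores RDNs right-to-left: index 0 is the root ("DC=com"),
        // so startsWith() tests whether `user` lies below `base`.
        if (user.startsWith(base)) {
            return user.toString();
        }
        if (hasDomainRoot(user)) {
            throw new IllegalArgumentException(
                    "User DN Suffix " + userDnSuffix + " is not below Base DN " + baseDn);
        }
        // Relative value: append its RDNs to a copy of the Base DN (addAll adds at the leaf end).
        LdapName full = new LdapName(base.getRdns());
        try {
            full.addAll(user);
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException(
                    "cannot combine " + userDnSuffix + " with " + baseDn, e);
        }
        return full.toString();
    }

    public static void main(String[] args) {
        // Values taken from the post above.
        String baseDn = "DC=dom,DC=example,DC=com";

        // The relative value that produced the DIR_ERROR, completed with the Base DN.
        System.out.println(fullUserDn(baseDn, "CN=Users"));

        // The form Marek recommends is already complete and passes through unchanged.
        System.out.println(fullUserDn(baseDn, "CN=Users,DC=dom,DC=example,DC=com"));

        // Constructed case: a full DN in a different domain is rejected.
        try {
            fullUserDn(baseDn, "CN=Users,DC=other,DC=com");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```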
From mposolda at redhat.com Thu May 21 02:23:14 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 21 May 2015 08:23:14 +0200
Subject: [keycloak-user] Error upgrading MS SQL database from 1.1 Final to 1.2 Final
Message-ID: <555D79D2.6020209@redhat.com>

Hi,

This looks like a bug. It seems that MS SQL Server doesn't know what 'true' is, so the SQL statement used here https://github.com/keycloak/keycloak/blob/master/connections/jpa-liquibase/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/JpaUpdate1_2_0_CR1.java#L20 is failing :-(

Could you create a JIRA for it please? Btw. which version of MS SQL Server are you using?

Thanks,
Marek
From mposolda at redhat.com Thu May 21 02:27:52 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 21 May 2015 08:27:52 +0200
Subject: [keycloak-user] Admin Client Create User
Message-ID: <555D7AE8.4000002@redhat.com>

Hi,

Once you create a user through the admin endpoint, you will need to call another REST endpoint to update his password. It should be this endpoint: http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/reset-password/index.html

Marek

From mposolda at redhat.com Thu May 21 02:39:50 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 21 May 2015 08:39:50 +0200
Subject: [keycloak-user] Retrieving list of application roles for a given realm role
Message-ID: <555D7DB6.7090403@redhat.com>

It seems that you can instead use this endpoint for role-by-id: http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/roles-by-id/%7Brole-id%7D/composites/index.html . This one should require just "view-realm" permissions.
Marek
From stian at redhat.com Thu May 21 03:01:09 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 21 May 2015 03:01:09 -0400 (EDT)
Subject: [keycloak-user] Keyloak - Securing SOAP/HTTP Web Service
In-Reply-To: <5C3DDBFAC4DBF04084678703EC0AC294250BFB89@EX-TT-AC-02.traveltainment.int>
References: <5C3DDBFAC4DBF04084678703EC0AC294250BFB89@EX-TT-AC-02.traveltainment.int>
Message-ID: <243939145.2970636.1432191669163.JavaMail.zimbra@redhat.com>

http://keycloak.github.io/docs/userguide/html/direct-access-grants.html
> In the video tutorials on the Keycloak homepage only browser login authentications are shown.
>
> What's the best example to get an idea of how this can be configured within Keycloak-1.2.0-Final?
>
> Thanks for your advice,
>
> Sebastian

From pubudupg at gmail.com Thu May 21 08:11:26 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Thu, 21 May 2015 17:41:26 +0530
Subject: [keycloak-user] Can Keycloak be used to secure PHP applications?

Hi All,

In the Adapters section of the documentation (http://keycloak.github.io/docs/userguide/html/ch08.html#installed-applications) it says "This section defines which application types are supported and how to configure and install them" and lists some servers.

I thought that since Keycloak supports SAML, I could use a SAML client library and secure any application. Is my assumption wrong?

--
Thanks,
Pubudu

From felipe.braun at intelbras.com.br Thu May 21 08:15:37 2015
From: felipe.braun at intelbras.com.br (Felipe Braun Azambuja)
Date: Thu, 21 May 2015 09:15:37 -0300
Subject: [keycloak-user] Can Keycloak be used to secure PHP applications?
Message-ID: <555DCC69.9020303@intelbras.com.br>

Definitely not. We're using samlclient to secure our apps. I've tested first with WordPress and a SAML plugin. Worked perfectly!

On 21/05/2015 09:11, pubudu gunawardena wrote:
> Hi All,
>
> In the Adapters section of the documentation (http://keycloak.github.io/docs/userguide/html/ch08.html#installed-applications) it says "This section defines which application types are supported and how to configure and install them" and lists some servers.
>
> I thought that since Keycloak supports SAML, I could use a SAML client library and secure any application. Is my assumption wrong?
>

--
Felipe Braun Azambuja
DBA
Information and Communication Technology
(48) 3281 9577
felipe.braun at intelbras.com.br

The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.

From pubudupg at gmail.com Thu May 21 08:35:00 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Thu, 21 May 2015 18:05:00 +0530
Subject: [keycloak-user] Can Keycloak be used to secure PHP applications?
In-Reply-To: <555DCC69.9020303@intelbras.com.br>
References: <555DCC69.9020303@intelbras.com.br>

Thank you Felipe for your reply. Maybe the documentation should be changed so that no one else will come to a similar conclusion as me.

On Thu, May 21, 2015 at 5:45 PM, Felipe Braun Azambuja wrote:
> Definitely not. We're using samlclient to secure our apps. I've tested first with WordPress and a SAML plugin. Worked perfectly!
>
> On 21/05/2015 09:11, pubudu gunawardena wrote:
>> Hi All,
>>
>> In the Adapters section of the documentation (http://keycloak.github.io/docs/userguide/html/ch08.html#installed-applications) it says "This section defines which application types are supported and how to configure and install them" and lists some servers.
>>
>> I thought that since Keycloak supports SAML, I could use a SAML client library and secure any application. Is my assumption wrong?
>
> --
> Felipe Braun Azambuja
> DBA
> Information and Communication Technology
> (48) 3281 9577
> felipe.braun at intelbras.com.br
--
Thanks,
Pubudu

From srossillo at smartling.com Thu May 21 09:17:03 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 21 May 2015 09:17:03 -0400
Subject: [keycloak-user] Admin Client Create User
In-Reply-To: <555D7AE8.4000002@redhat.com>
References: <555D7AE8.4000002@redhat.com>

Thanks, the admin client in 1.2.0.Final doesn't have a way to make that call. I can do it manually, but is there a way to make the password permanent, not temporary? This is for account migration purposes.

On Thursday, May 21, 2015, Marek Posolda wrote:
> Hi,
>
> Once you create a user through the admin endpoint, you will need to call another REST endpoint to update his password. It should be this endpoint:
> http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/reset-password/index.html
>
> Marek
>
> On 21.5.2015 01:06, Scott Rossillo wrote:
>> Hi,
>>
>> We're using the admin client to create users in 1.2.0.Final. The call works, but the credentials are missing.
>>
>> List<CredentialRepresentation> credentialsList = new ArrayList<>();
>> CredentialRepresentation credentials = new CredentialRepresentation();
>>
>> credentials.setType(CredentialRepresentation.PASSWORD);
>> credentials.setValue(appUser.getPassword());
>>
>> credentialsList.add(credentials);
>> user.setCredentials(createCredentials(source));
>>
>> I see the credentials getting passed on the create user HTTP POST, but the CREDENTIALS table doesn't contain an entry for the user.
>>
>> Any suggestions?
>>
>> Best,
>> Scott
From mposolda at redhat.com Thu May 21 10:51:55 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 21 May 2015 16:51:55 +0200
Subject: [keycloak-user] Admin Client Create User
References: <555D7AE8.4000002@redhat.com>
Message-ID: <555DF10B.8060707@redhat.com>

Hmm... Isn't this method on UserResource useful for this:
https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserResource.java#L46 ?

For a permanent password, I think you can just set the flag "setTemporary(false)" on CredentialRepresentation.

Marek

On 21.5.2015 15:17, Scott Rossillo wrote:
> Thanks, the admin client in 1.2.0.Final doesn't have a way to make that call. I can do it manually, but is there a way to make the password permanent, not temporary? This is for account migration purposes.
>
> On Thursday, May 21, 2015, Marek Posolda wrote:
>> Hi,
>>
>> Once you create a user through the admin endpoint, you will need to call another REST endpoint to update his password. It should be this endpoint:
>> http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/reset-password/index.html
>>
>> Marek
>>
>> On 21.5.2015 01:06, Scott Rossillo wrote:
>>> Hi,
>>>
>>> We're using the admin client to create users in 1.2.0.Final. The call works, but the credentials are missing.
>>>
>>> List<CredentialRepresentation> credentialsList = new ArrayList<>();
>>> CredentialRepresentation credentials = new CredentialRepresentation();
>>>
>>> credentials.setType(CredentialRepresentation.PASSWORD);
>>> credentials.setValue(appUser.getPassword());
>>>
>>> credentialsList.add(credentials);
>>> user.setCredentials(createCredentials(source));
>>>
>>> I see the credentials getting passed on the create user HTTP POST, but the CREDENTIALS table doesn't contain an entry for the user.
>>>
>>> Any suggestions?
>>>
>>> Best,
>>> Scott

From srossillo at smartling.com Thu May 21 10:53:50 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 21 May 2015 10:53:50 -0400
Subject: [keycloak-user] Admin Client Create User
In-Reply-To: <555DF10B.8060707@redhat.com>
References: <555D7AE8.4000002@redhat.com> <555DF10B.8060707@redhat.com>

Hmm, maybe I missed something last night. I was reading the admin JavaDoc and it showed a different method. I'll let you know later. Thanks!

On Thursday, May 21, 2015, Marek Posolda wrote:
> Hmm... Isn't this method on UserResource useful for this:
> https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserResource.java#L46 ?
>
> For a permanent password, I think you can just set the flag "setTemporary(false)" on CredentialRepresentation.
>
> Marek
>
> On 21.5.2015 15:17, Scott Rossillo wrote:
>> Thanks, the admin client in 1.2.0.Final doesn't have a way to make that call. I can do it manually, but is there a way to make the password permanent, not temporary? This is for account migration purposes.
>>
>> On Thursday, May 21, 2015, Marek Posolda wrote:
>>> Hi,
>>>
>>> Once you create a user through the admin endpoint, you will need to call another REST endpoint to update his password. It should be this endpoint:
>>> http://keycloak.github.io/docs/rest-api/admin/realms/%7Brealm%7D/users/%7Busername%7D/reset-password/index.html
>>>
>>> Marek
>>>
>>> On 21.5.2015 01:06, Scott Rossillo wrote:
>>>> Hi,
>>>>
>>>> We're using the admin client to create users in 1.2.0.Final. The call works, but the credentials are missing.
>>>>
>>>> List<CredentialRepresentation> credentialsList = new ArrayList<>();
>>>> CredentialRepresentation credentials = new CredentialRepresentation();
>>>>
>>>> credentials.setType(CredentialRepresentation.PASSWORD);
>>>> credentials.setValue(appUser.getPassword());
>>>>
>>>> credentialsList.add(credentials);
>>>> user.setCredentials(createCredentials(source));
>>>>
>>>> I see the credentials getting passed on the create user HTTP POST, but the CREDENTIALS table doesn't contain an entry for the user.
>>>>
>>>> Any suggestions?
>>>>
>>>> Best,
>>>> Scott

From carlosthe19916 at gmail.com Thu May 21 11:30:47 2015
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Thu, 21 May 2015 10:30:47 -0500
Subject: [keycloak-user] Securing one .war with two .json

Good morning. How can I configure one .war with two .json?

I have two realms, which access the same .war (RESTful bearer-only), but my problem is that a .war can have just one realm dependency.

I see that keycloak has an application with the name realm-management, and this application is registered in more than one realm, but all realms can access realm-management without problems.

How can I do the same with my .war, like realm-management?

I need to register my .war in two realms. Please help me.

--
Carlos E. Feria Vila
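One bearer-only .war serving two realms is exactly the case the adapter's KeycloakConfigResolver hook covers: instead of one fixed keycloak.json, the adapter asks a resolver which deployment applies to each request. Below is an added Java example of such a resolver (written for this page, not the project's own multi-tenant example code); it assumes the 1.2-era adapter package names, that the .war ships one `/{realm}-keycloak.json` per realm on its classpath, and that the realm is the first segment of the request path (`/tenant1/api/...`).

```java
import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Assumption: 1.2-era adapter packages. Later releases moved HttpFacade to
// org.keycloak.adapters.spi.HttpFacade; the resolver contract is unchanged.
import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

/**
 * Selects the keycloak.json for a request from its first path segment, so one
 * bearer-only .war can be registered in several realms. Added example; the
 * realm name is taken from the route, never from the (not yet verified) token,
 * so a realm-A token presented on a realm-B path is checked against realm B's
 * key and rejected.
 */
public class PathBasedKeycloakConfigResolver implements KeycloakConfigResolver {

    // The segment is client-controlled: restrict it before it is used to build
    // a classpath resource name.
    private static final Pattern REALM_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = realmFromPath(request.getRelativePath());
        if (realm == null) {
            // Failing here makes the adapter reject the request instead of
            // silently falling back to some default realm.
            throw new IllegalStateException("no realm in request path");
        }
        KeycloakDeployment deployment = cache.get(realm);
        if (deployment == null) {
            InputStream config = getClass().getResourceAsStream("/" + realm + "-keycloak.json");
            if (config == null) {
                throw new IllegalStateException("unknown realm: " + realm);
            }
            deployment = KeycloakDeploymentBuilder.build(config);
            cache.put(realm, deployment);
        }
        return deployment;
    }

    /** "/tenant1/api/orders" -> "tenant1"; null when missing or not a valid realm name. */
    static String realmFromPath(String relativePath) {
        if (relativePath == null) {
            return null;
        }
        String path = relativePath.startsWith("/") ? relativePath.substring(1) : relativePath;
        int slash = path.indexOf('/');
        String segment = slash < 0 ? path : path.substring(0, slash);
        return REALM_NAME.matcher(segment).matches() ? segment : null;
    }
}
```

The adapter is pointed at the resolver with a web.xml context-param named keycloak.config.resolver whose value is the fully qualified class name, in place of the usual keycloak.json. Each per-realm file carries that realm's public key and realm name, which is what ties a bearer token to the route it may be used on.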
From leonardo.zanivan at gmail.com Thu May 21 11:39:12 2015
From: leonardo.zanivan at gmail.com (Leonardo Loch Zanivan)
Date: Thu, 21 May 2015 15:39:12 +0000
Subject: [keycloak-user] Securing one .war with two .json

Look at the multi-tenant example: https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant

On Thu, May 21, 2015 at 12:31 PM Carlos Feria wrote:
> Good morning. How can I configure one .war with two .json?
>
> I have two realms, which access the same .war (RESTful bearer-only), but my problem is that a .war can have just one realm dependency.
>
> I see that keycloak has an application with the name realm-management, and this application is registered in more than one realm, but all realms can access realm-management without problems.
>
> How can I do the same with my .war, like realm-management?
>
> I need to register my .war in two realms. Please help me.
>
> --
> Carlos E. Feria Vila

From John.Schneider at carrier.utc.com Thu May 21 13:32:51 2015
From: John.Schneider at carrier.utc.com (Schneider, John DODGE CONSULTING SERVICES, LLC)
Date: Thu, 21 May 2015 17:32:51 +0000
Subject: [keycloak-user] [External] Re: Error upgrading MS SQL database from 1.1 Final to 1.2 Final
In-Reply-To: <555D79D2.6020209@redhat.com>
References: <555D79D2.6020209@redhat.com>

Thanks Marek.

I created KEYCLOAK-1336.
I'm using the free SQL Server Express 2008 R2 in my sandbox, but the same issue should exist in any MS SQL Server version, as it handles Booleans differently than most other RDBMSs.

John

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday, May 21, 2015 2:23 AM
To: Schneider, John DODGE CONSULTING SERVICES, LLC; keycloak-user at lists.jboss.org
Subject: [External] Re: [keycloak-user] Error upgrading MS SQL database from 1.1 Final to 1.2 Final

Hi,

This looks like a bug; it seems that MS SQL Server doesn't know what 'true' is, so the SQL statement used here
https://github.com/keycloak/keycloak/blob/master/connections/jpa-liquibase/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/JpaUpdate1_2_0_CR1.java#L20
is failing :-(

Could you create a JIRA for it please? Btw, which version of MS SQL Server are you using?

Thanks,
Marek

On 20.5.2015 20:16, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:

Hi all,

I was excited to find out 1.2 was released and tried to upgrade my sandbox environment from 1.1 today. I already had 1.1 deployed as a Wildfly module, and extracted the 1.2 overlay edition along with the 1.2 Wildfly adapter.

The database update was chugging along fine for a bit, but did hit an error. It seems to be an SQL dialect problem. Because of company policies, I'm forced to use MS SQL, and am using the JDBC 41 driver deployed as a Wildfly module. I've attached the relevant log output, starting from the beginning of the database update. I did take a DB backup before starting, so I can restore and replicate the update process from the beginning again.

Could you please take a look and let me know what I can do?

Thanks,
John
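The failure Marek points at is a hard-coded 'true' in a Liquibase custom change, which SQL Server (BIT column, no boolean literal) cannot parse. As an added Java example, not the Keycloak fix for KEYCLOAK-1336, here is a CustomSqlChange that asks Liquibase's own type mapping for the dialect's spelling of the literal ("TRUE" on PostgreSQL and H2, "1" on SQL Server and MySQL). It assumes Liquibase 3.x APIs; the table and column names are placeholders.

```java
import liquibase.change.custom.CustomSqlChange;
import liquibase.database.Database;
import liquibase.datatype.DataTypeFactory;
import liquibase.datatype.LiquibaseDataType;
import liquibase.exception.CustomChangeException;
import liquibase.exception.SetupException;
import liquibase.exception.ValidationErrors;
import liquibase.resource.ResourceAccessor;
import liquibase.statement.SqlStatement;
import liquibase.statement.core.RawSqlStatement;

/**
 * Sets a boolean column without hard-coding the literal. Added example (not
 * Keycloak's JpaUpdate1_2_0_CR1); EXAMPLE_TABLE / EXAMPLE_FLAG are placeholders.
 */
public class PortableBooleanUpdate implements CustomSqlChange {

    static final String TABLE = "EXAMPLE_TABLE";   // placeholder
    static final String COLUMN = "EXAMPLE_FLAG";   // placeholder

    @Override
    public SqlStatement[] generateStatements(Database database) throws CustomChangeException {
        // Identifier quoting also comes from the Database object, so the same
        // change runs unmodified on every dialect Liquibase knows.
        String table = database.escapeTableName(null, null, TABLE);
        String column = database.escapeColumnName(null, null, TABLE, COLUMN);
        String sql = "UPDATE " + table
                + " SET " + column + " = " + booleanLiteral(true, database)
                + " WHERE " + column + " IS NULL";
        return new SqlStatement[] { new RawSqlStatement(sql) };
    }

    /** Dialect-specific spelling of a boolean value, e.g. "TRUE" or "1". */
    static String booleanLiteral(boolean value, Database database) {
        LiquibaseDataType bool = DataTypeFactory.getInstance().fromDescription("boolean", database);
        return bool.objectToSql(value, database);
    }

    @Override
    public String getConfirmationMessage() {
        return TABLE + "." + COLUMN + " backfilled with true";
    }

    @Override
    public void setUp() throws SetupException {
        // nothing to prepare
    }

    @Override
    public void setFileOpener(ResourceAccessor resourceAccessor) {
        // no external files needed
    }

    @Override
    public ValidationErrors validate(Database database) {
        return new ValidationErrors();
    }
}
```

Running the changelog against an H2 sandbox is not enough to catch this class of bug; the upgrade path should be exercised against every supported RDBMS, since the same change set renders differently on each.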
From leonardo.zanivan at gmail.com Thu May 21 13:38:35 2015
From: leonardo.zanivan at gmail.com (Leonardo Loch Zanivan)
Date: Thu, 21 May 2015 17:38:35 +0000
Subject: [keycloak-user] [External] Re: Error upgrading MS SQL database from 1.1 Final to 1.2 Final
References: <555D79D2.6020209@redhat.com>

Actually only a few RDBMS implement the Boolean data type, since it isn't ANSI SQL.

On Thu, May 21, 2015 at 2:33 PM Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
> Thanks Marek.
>
> I created KEYCLOAK-1336. I'm using the free SQL Server Express 2008 R2 in my sandbox, but the same issue should exist in any MS SQL Server version, as it handles Booleans differently than most other RDBMSs.
>
> John
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday, May 21, 2015 2:23 AM
> To: Schneider, John DODGE CONSULTING SERVICES, LLC; keycloak-user at lists.jboss.org
> Subject: [External] Re: [keycloak-user] Error upgrading MS SQL database from 1.1 Final to 1.2 Final
>
> Hi,
>
> This looks like a bug; it seems that MS SQL Server doesn't know what 'true' is, so the SQL statement used here
> https://github.com/keycloak/keycloak/blob/master/connections/jpa-liquibase/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/JpaUpdate1_2_0_CR1.java#L20
> is failing :-(
>
> Could you create a JIRA for it please? Btw, which version of MS SQL Server are you using?
>
> Thanks,
> Marek
>
> On 20.5.2015 20:16, Schneider, John DODGE CONSULTING SERVICES, LLC wrote:
>
> Hi all,
>
> I was excited to find out 1.2 was released and tried to upgrade my sandbox environment from 1.1 today. I already had 1.1 deployed as a Wildfly module, and extracted the 1.2 overlay edition along with the 1.2 Wildfly adapter.
>
> The database update was chugging along fine for a bit, but did hit an error.
> It seems to be an SQL dialect problem. Because of company policies, I'm forced to use MS SQL, and am using the JDBC 41 driver deployed as a Wildfly module. I've attached the relevant log output, starting from the beginning of the database update. I did take a DB backup before starting, so I can restore and replicate the update process from the beginning again.
>
> Could you please take a look and let me know what I can do?
>
> Thanks,
> John

From b.hansmann at alphaapps.de Thu May 21 19:40:22 2015
From: b.hansmann at alphaapps.de (Benjamin Hansmann [alphaApps])
Date: Fri, 22 May 2015 01:40:22 +0200
Subject: [keycloak-user] Trigger verification emails
In-Reply-To: <897204751.1391536.1432017880064.JavaMail.zimbra@redhat.com>
References: <1431476687.4407.22.camel@alphaapps.de> <897204751.1391536.1432017880064.JavaMail.zimbra@redhat.com>
Message-ID: <1432251441.18154.8.camel@alphaapps.de>

On Tue, 2015-05-19 at 02:44 -0400, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Benjamin Hansmann [alphaApps]"
>> To: "keycloak-user"
>> Sent: Wednesday, 13 May, 2015 2:24:47 AM
>> Subject: [keycloak-user] Trigger verification emails
>>
>> For me there is generally only one feature missing now: when using the admin REST API exclusively I would need a way to trigger verification emails, either as per Jira KEYCLOAK-944 or through the Admin REST API. Is this planned to be implemented in the near future?
>> If it shouldn't require diving deep into keycloak internals, I would be willing to contribute an admin REST API endpoint to trigger these. Any hints where to start looking in the code on github regarding verification emails and the admin REST API?
>
> This is not on our road-map, so you'd have to implement it. It should be relatively easy though, as we already have support for sending the reset password email, so it should be quite trivial to adapt that code to send a verify-email email instead.
>

Thanks Stian. You're right, it was quite easy to duplicate the resetPasswordEmail method and adapt the code to send a verification email. It was also trivial to add a corresponding method to the admin-client. This adds some duplicated boiler-plate code to the services UsersResource class. Should I do a PR anyway, or should that be refactored?

>>
>> Two other remarks:
>>
>> - If Jira KEYCLOAK-943 (account service REST API) should be implemented one day, a nice to have would be to also provide a registration endpoint.
>
> KEYCLOAK-943 isn't on our immediate road-map, but this is another low hanging fruit that should be easy to implement, so if you want to do it that'd be great. There's already some support here, but it's limited to retrieving the user profile. This may change a bit in the near future as we're adding an auth/required-actions SPI that allows custom authentication flows.
>
> Custom registration is something we've considered, but not planned to add yet. A simple REST endpoint could be the way to do it.
>
>> - When creating an EventListener it does not get notified when creating a user through the Admin Console or Admin REST API; only self-registration triggers onEvent().
>
> We're adding admin events soon
>
>>
>> Best Regards
>> Benjamin

From kalc04 at gmail.com Mon May 25 04:22:03 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 25 May 2015 13:52:03 +0530
Subject: [keycloak-user] Sending Emails with HTML Templates

Hi,

The default email FTLs are in plain text. I have tried to enhance them by adding HTML styling. However, when I do that the email bodies don't get styled accordingly. Instead the exact HTML code gets returned in the email body.

I have verified that my email server supports HTML styling (through external email requests). So what could be the issue here?

Thanks,
Lohitha.

From ivan at akvo.org Mon May 25 04:57:06 2015
From: ivan at akvo.org (Iván Perdomo)
Date: Mon, 25 May 2015 10:57:06 +0200
Subject: [keycloak-user] Sending Emails with HTML Templates
Message-ID: <5562E3E2.9060505@akvo.org>

Hi,

On 05/25/2015 10:22 AM, Lohitha Chiranjeewa wrote:
> Hi,
>
> The default email FTLs are in plain text. I have tried to enhance them by adding HTML styling. However, when I do that the email bodies don't get styled accordingly. Instead the exact HTML code gets returned in the email body.
>
> I have verified that my email server supports HTML styling (through external email requests). So what could be the issue here?

My guess is the email is using `plain/text` as the default content type for the email.
You need to set it up to "text/html; charset=utf-8"

See:

* https://github.com/keycloak/keycloak/blob/1.2.0.Final/forms/email-freemarker/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailProvider.java#L142
* http://stackoverflow.com/a/5068907

> Thanks,
> Lohitha.

--
Iván

From kalc04 at gmail.com Mon May 25 05:27:39 2015
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 25 May 2015 14:57:39 +0530
Subject: [keycloak-user] Sending Emails with HTML Templates
In-Reply-To: <5562E3E2.9060505@akvo.org>
References: <5562E3E2.9060505@akvo.org>

Thanks for the reply Iván.

When I track the SMTP request sent by Keycloak (through tcpdump), I can see the following parameters:

From: admin at xxxxx.com
To: user at xxxxx.com
Message-ID: <16547339.4.1432541195530.JavaMail.xxxx at xxxx>
Subject: Reset password
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

The issue here is, since the email process is handled by Keycloak, the client (me) has no control over it. It seems either Keycloak explicitly sets the content-type to text/plain, or it gets added as a default value. Either way, I haven't seen any place where I can configure the content-type through the Keycloak Admin Console or anywhere else. Is there such a configurable entry somewhere? Or can I get this done through some other measure?

Regards,
Lohitha.
On Mon, May 25, 2015 at 2:27 PM, Iván Perdomo wrote:
> Hi,
>
> On 05/25/2015 10:22 AM, Lohitha Chiranjeewa wrote:
>> Hi,
>>
>> The default email FTLs are in plain text. I have tried to enhance them by adding HTML styling. However, when I do that the email bodies don't get styled accordingly. Instead the exact HTML code gets returned in the email body.
>>
>> I have verified that my email server supports HTML styling (through external email requests). So what could be the issue here?
>
> My guess is the email is using `plain/text` as the default content type for the email. You need to set it up to "text/html; charset=utf-8"
>
> See:
>
> * https://github.com/keycloak/keycloak/blob/1.2.0.Final/forms/email-freemarker/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailProvider.java#L142
> * http://stackoverflow.com/a/5068907
>
>> Thanks,
>> Lohitha.
>
> --
> Iván

From pubudupg at gmail.com Mon May 25 05:32:30 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Mon, 25 May 2015 15:02:30 +0530
Subject: [keycloak-user] Use Existing Database without Importing Users

Hi All,

I am trying to use Keycloak to implement SSO for two websites, one WordPress and another custom implemented. I want to make Keycloak use the existing database but would prefer not to import the data into Keycloak, which would make another copy of the data. Is something like this possible with keycloak?
--
Thanks,
Pubudu

From mposolda at redhat.com Mon May 25 10:08:02 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 25 May 2015 16:08:02 +0200
Subject: [keycloak-user] Use Existing Database without Importing Users
Message-ID: <55632CC2.1040700@redhat.com>

It depends what exactly you need.

1) There is the User Federation SPI, which allows you to pull data about users from your own database and partially import it to Keycloak. See the docs: http://keycloak.github.io/docs/userguide/html/user_federation.html . This SPI allows you to specify which data will be pulled from your DB to the Keycloak DB, so your store doesn't need to support storing all Keycloak user metadata.

2) UserProvider SPI - in this case you will need to implement the whole model by yourself. Note that your store will need to support all Keycloak metadata (for example data about users' required actions etc).

For most deployments (1) is the better and much easier choice.

Marek

On 25.5.2015 11:32, pubudu gunawardena wrote:
> Hi All,
>
> I am trying to use Keycloak to implement SSO for two websites, one WordPress and another custom implemented. I want to make Keycloak use the existing database but would prefer not to import the data into Keycloak, which would make another copy of the data. Is something like this possible with keycloak?

From cf at utc.fr Mon May 25 14:05:50 2015
From: cf at utc.fr (Christophe Fillot)
Date: Mon, 25 May 2015 20:05:50 +0200
Subject: [keycloak-user] Web authentication using CAS server
Message-ID: <5563647E.4060400@utc.fr>

Hello all,

We currently have a Jasig CAS server (3.5.x) for Web SSO, with LDAP as the authentication backend. I would like to use Keycloak for some new applications, but without users having to log in twice.
Is it possible to delegate the authentication in Keycloak to the CAS server? Has someone managed to integrate Keycloak with an existing CAS setup?
Another option would be to have Keycloak implement the CAS 2.0 protocol; maybe this is something planned?

Thanks,

Christophe

From bburke at redhat.com Mon May 25 14:17:58 2015
From: bburke at redhat.com (Bill Burke)
Date: Mon, 25 May 2015 14:17:58 -0400
Subject: [keycloak-user] Web authentication using CAS server
In-Reply-To: <5563647E.4060400@utc.fr>
References: <5563647E.4060400@utc.fr>
Message-ID: <55636756.30702@redhat.com>

Keycloak can delegate to SAML, OpenID Connect, and most social providers. If CAS can support SAML or OpenID Connect clients, Keycloak can delegate to it.

On 5/25/2015 2:05 PM, Christophe Fillot wrote:
> Hello all,
>
> We currently have a Jasig CAS server (3.5.x) for Web SSO, with LDAP as the authentication backend. I would like to use Keycloak for some new applications, but without users having to log in twice.
> Is it possible to delegate the authentication in Keycloak to the CAS server? Has someone managed to integrate Keycloak with an existing CAS setup?
>
> Another option would be to have Keycloak implement the CAS 2.0 protocol; maybe this is something planned?
>
> Thanks,
>
> Christophe

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From carlosthe19916 at gmail.com Mon May 25 17:42:33 2015
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Mon, 25 May 2015 16:42:33 -0500
Subject: [keycloak-user] Keycloak-1.2.0.Final /$keycloak_home/standalone/deployments folder

Hello, I'm using keycloak-1.2.0.Final and I can't see the /$keycloak_home/standalone/deployments folder, so I can't deploy the other .war files of my projects... which is the folder where I can put my .war deployments?

--
Carlos E. Feria Vila
From pubudupg at gmail.com Mon May 25 20:14:02 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Tue, 26 May 2015 05:44:02 +0530
Subject: [keycloak-user] Use Existing Database without Importing Users
In-Reply-To: <55632CC2.1040700@redhat.com>
References: <55632CC2.1040700@redhat.com>

Thanks for the answer Marek. I actually did look into the user federation example that comes with keycloak. In the settings for that, there are buttons/settings to fully import users or to import differences periodically, which would bring the data to keycloak. The thing is that there is already a database of users for the custom website, and WordPress will also create its own users on login. With keycloak there will be a third database of users, which I feel will lead to difficulties in maintaining. That is the reason why I wanted to look for a solution that would not import the data to keycloak, but authenticate against my user database directly.

On Mon, May 25, 2015 at 7:38 PM, Marek Posolda wrote:
> It depends what exactly you need.
> 1) There is the User Federation SPI, which allows you to pull data about users from your own database and partially import it to Keycloak. See the docs: http://keycloak.github.io/docs/userguide/html/user_federation.html . This SPI allows you to specify which data will be pulled from your DB to the Keycloak DB, so your store doesn't need to support storing all Keycloak user metadata.
>
> 2) UserProvider SPI - in this case you will need to implement the whole model by yourself. Note that your store will need to support all Keycloak metadata (for example data about users' required actions etc).
>
> For most deployments (1) is the better and much easier choice.
>
> Marek
>
> On 25.5.2015 11:32, pubudu gunawardena wrote:
>> Hi All,
>>
>> I am trying to use Keycloak to implement SSO for two websites, one WordPress and another custom implemented.
>> I want to make Keycloak use
>> the existing database but would prefer to not import the data to
>> Keycloak, which would make another copy of the data. Is something like
>> this possible with keycloak?
>
>

--
Thanks,
Pubudu

From mposolda at redhat.com Tue May 26 02:47:27 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 May 2015 08:47:27 +0200
Subject: [keycloak-user] Use Existing Database without Importing Users
In-Reply-To:
References: <55632CC2.1040700@redhat.com>
Message-ID: <556416FF.5010902@redhat.com>

You're free to use the option (2) if you want but that would be really much harder to implement and your DB will need to store all the metadata about users which keycloak needs (For example required actions, persistent grants, role mappings etc). See the interface of UserModel here:
https://github.com/keycloak/keycloak/blob/master/model/api/src/main/java/org/keycloak/models/UserModel.java

With federation, you can choose what would be stored in Keycloak DB and what in your user DB. So for example user passwords and basic attributes (firstName, lastName, email, ...) will be still just in your DB and other required metadata by Keycloak (for example required actions) in the keycloak DB.

Marek

On 26.5.2015 02:14, pubudu gunawardena wrote:
> Thanks for the answer Marek. I actually did look into the user
> federation example that comes with keycloak. In the settings for that,
> there are buttons/settings to fully import users or to import
> differences periodically which would bring the data to keycloak. The
> thing is that there is already a database for users for the custom
> website and Wordpress will also create its own users on login. With
> keycloak there will be a third database of users which I feel will
> lead to difficulties in maintaining. That is the reason why I wanted
> to look for a solution that would not import the data to keycloak, but
> authenticate against my user database directly.
>
> On Mon, May 25, 2015 at 7:38 PM, Marek Posolda wrote:
>> It depends what exactly you need.
>> 1) There is User Federation SPI, which allows to pull data about users from
>> your own database and partially import it to Keycloak. See docs
>> http://keycloak.github.io/docs/userguide/html/user_federation.html . This
>> SPI allows you to specify which data will be pulled from your DB to Keycloak
>> DB, so your store doesn't need to support storing all Keycloak user metadata
>>
>> 2) UserProvider SPI - in this case you will need to implement whole model by
>> yourself. Note that your store will need to support all Keycloak metadata
>> (For example data about user's required actions etc).
>>
>> For most deployments (1) is better and much easier choice.
>>
>> Marek
>>
>>
>> On 25.5.2015 11:32, pubudu gunawardena wrote:
>>> Hi All,
>>>
>>> I am trying to use Keycloak to implement SSO for two websites, one
>>> Wordpress and another custom implemented. I want to make Keycloak use
>>> the existing database but would prefer to not import the data to
>>> Keycloak, which would make another copy of the data. Is something like
>>> this possible with keycloak?
>>
>
>

From stian at redhat.com Tue May 26 03:19:20 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 26 May 2015 03:19:20 -0400 (EDT)
Subject: [keycloak-user] Sending Emails with HTML Templates
In-Reply-To:
References: <5562E3E2.9060505@akvo.org>
Message-ID: <1194008912.5368627.1432624760235.JavaMail.zimbra@redhat.com>

We plan to add support for multi-part emails (https://issues.jboss.org/browse/KEYCLOAK-681)

----- Original Message -----
> From: "Lohitha Chiranjeewa"
> To: "Iván Perdomo"
> Cc: keycloak-user at lists.jboss.org
> Sent: Monday, 25 May, 2015 11:27:39 AM
> Subject: Re: [keycloak-user] Sending Emails with HTML Templates
>
> Thanks for the reply Iván.
>
> When I track the SMTP request sent by Keycloak (through tcpdump), I can see
> the following parameters:
>
> From: admin at xxxxx.com
> To: user at xxxxx.com
> Message-ID: <16547339.4.1432541195530.JavaMail.xxxx at xxxx>
> Subject: Reset password
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> The issue here is, since the email process is handled by Keycloak, the client
> (me) has no control over it. It seems either Keycloak explicitly sets the
> content-type to be text/plain, or it gets added as a default value. Either
> way, I haven't seen any place where I can configure the content-type through
> Keycloak Admin Console or any other place. Is there such a configurable
> entry somewhere? Or can I get this done through some other measure?
>
>
> Regards,
> Lohitha.
>
> On Mon, May 25, 2015 at 2:27 PM, Iván Perdomo < ivan at akvo.org > wrote:
>
>
> Hi,
>
>
>
> On 05/25/2015 10:22 AM, Lohitha Chiranjeewa wrote:
> > Hi,
> >
> > The default email FTLs are in plain text. I have tried to enhance them
> > by adding HTML styling. However, when I do that the email bodies don't
> > get styled accordingly. Instead the exact HTML code gets returned in the
> > email body.
> >
> > I have verified that my email server supports HTML styling (through
> > external email requests). So what could be the issue here?
>
> My guess the email is using `plain/text` as default content type for the
> email. You need to set it up to "text/html; charset=utf-8"
>
> See:
>
> *
> https://github.com/keycloak/keycloak/blob/1.2.0.Final/forms/email-freemarker/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailProvider.java#L142
> * http://stackoverflow.com/a/5068907
> >
> >
> > Thanks,
> > Lohitha.
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Iván
>

From stian at redhat.com Tue May 26 03:20:37 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Tue, 26 May 2015 03:20:37 -0400 (EDT)
Subject: [keycloak-user] Keycloak-1.2.0.Final /$keycloak_home/standalone/deployments folder
In-Reply-To:
References:
Message-ID: <1750170089.5370017.1432624837771.JavaMail.zimbra@redhat.com>

http://keycloak.github.io/docs/userguide/html/Migration_from_older_versions.html#d4e3120
http://blog.keycloak.org/2015/05/distribution-changes.html

----- Original Message -----
> From: "Carlos Feria"
> To: keycloak-user at lists.jboss.org, keycloak-dev at lists.jboss.org
> Sent: Monday, 25 May, 2015 11:42:33 PM
> Subject: [keycloak-user] Keycloak-1.2.0.Final /$keycloak_home/standalone/deployments folder
>
> Hello, I'm using keycloak-1.2.0.Final and I can't see the
> /$keycloak_home/standalone/deployments folder, so I can't deploy other .war
> of my projects... which is the folder where I can put my .war deployments?
>
> --
> Carlos E.
> Feria Vila
>

From pubudupg at gmail.com Tue May 26 05:02:18 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Tue, 26 May 2015 14:32:18 +0530
Subject: [keycloak-user] Use Existing Database without Importing Users
In-Reply-To: <556416FF.5010902@redhat.com>
References: <55632CC2.1040700@redhat.com> <556416FF.5010902@redhat.com>
Message-ID:

I looked at the example provider code again at
https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/BasePropertiesFederationProvider.java.
Seems like only the username is registered on the keycloak db when importing data

session.userStorage().addUser(realm, username)

Does this mean that the authentication will always happen against my database? If that is the case, then I think I can use federation. But in the user interface there is functionality to change password for the user as well. Is that functionality not used in federation?

On Tue, May 26, 2015 at 12:17 PM, Marek Posolda wrote:
> You're free to use the option (2) if you want but that would be really much
> harder to implement and your DB will need to store all the metadata about
> users which keycloak needs (For example required actions, persistent grants,
> role mappings etc). See the interface of UserModel here:
> https://github.com/keycloak/keycloak/blob/master/model/api/src/main/java/org/keycloak/models/UserModel.java
>
> With federation, you can choose what would be stored in Keycloak DB and what
> in your user DB. So for example user passwords and basic attributes
> (firstName, lastName, email, ...) will be still just in your DB and other
> required metadata by Keycloak (for example required actions) in the keycloak
> DB.
>
> Marek
>
>
> On 26.5.2015 02:14, pubudu gunawardena wrote:
>>
>> Thanks for the answer Marek. I actually did look into the user
>> federation example that comes with keycloak. In the settings for that,
>> there are buttons/settings to fully import users or to import
>> differences periodically which would bring the data to keycloak. The
>> thing is that there is already a database for users for the custom
>> website and Wordpress will also create its own users on login. With
>> keycloak there will be a third database of users which I feel will
>> lead to difficulties in maintaining. That is the reason why I wanted
>> to look for a solution that would not import the data to keycloak, but
>> authenticate against my user database directly.
>>
>> On Mon, May 25, 2015 at 7:38 PM, Marek Posolda
>> wrote:
>>>
>>> It depends what exactly you need.
>>> 1) There is User Federation SPI, which allows to pull data about users
>>> from
>>> your own database and partially import it to Keycloak. See docs
>>> http://keycloak.github.io/docs/userguide/html/user_federation.html . This
>>> SPI allows you to specify which data will be pulled from your DB to
>>> Keycloak
>>> DB, so your store doesn't need to support storing all Keycloak user
>>> metadata
>>>
>>> 2) UserProvider SPI - in this case you will need to implement whole model
>>> by
>>> yourself. Note that your store will need to support all Keycloak metadata
>>> (For example data about user's required actions etc).
>>>
>>> For most deployments (1) is better and much easier choice.
>>>
>>> Marek
>>>
>>>
>>> On 25.5.2015 11:32, pubudu gunawardena wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I am trying to use Keycloak to implement SSO for two websites, one
>>>> Wordpress and another custom implemented. I want to make Keycloak use
>>>> the existing database but would prefer to not import the data to
>>>> Keycloak, which would make another copy of the data. Is something like
>>>> this possible with keycloak?
>>>
>>>
>>
>>
>

--
Thanks,
Pubudu

From mposolda at redhat.com Tue May 26 13:15:14 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 26 May 2015 19:15:14 +0200
Subject: [keycloak-user] Use Existing Database without Importing Users
In-Reply-To:
References: <55632CC2.1040700@redhat.com> <556416FF.5010902@redhat.com>
Message-ID: <5564AA22.8090908@redhat.com>

On 26.5.2015 11:02, pubudu gunawardena wrote:
> I looked at the example provider code again at
> https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/BasePropertiesFederationProvider.java.
> Seems like only the username is registered on the keycloak db when
> importing data
>
> session.userStorage().addUser(realm, username)

You can import even more data to Keycloak if you want and if your store supports it. For example if you call:

UserModel myNewUser = session.userStorage().addUser(realm, username);
myNewUser.setFirstName(firstNameFromYourDB);

The example just stores username/password pairs in the property file and hence supports just storing and importing those.

>
> Does this mean that the authentication will always happen against my
> database? If that is the case, then I think I can use federation.

Yes, you can do it like this if you want. Just note that implementation of your UserFederationProvider will need to implement method "getSupportedCredentialTypes(UserModel user)" and return PASSWORD credential, so Keycloak knows that password should be validated against your DB and not against Keycloak DB. Then in method "validCredentials" you need to validate the password against your DB however you need.

> But in the user interface there is functionality to change password
> for the user as well. Is that functionality not used in federation?

It is used. FederationProvider has method "proxy".
This allows you to return UserModelDelegate implementation, which will override method "updateCredential" and update the password in your DB. Pretty much like example is doing.

Marek

>
>
>
> On Tue, May 26, 2015 at 12:17 PM, Marek Posolda wrote:
>> You're free to use the option (2) if you want but that would be really much
>> harder to implement and your DB will need to store all the metadata about
>> users which keycloak needs (For example required actions, persistent grants,
>> role mappings etc). See the interface of UserModel here:
>> https://github.com/keycloak/keycloak/blob/master/model/api/src/main/java/org/keycloak/models/UserModel.java
>>
>> With federation, you can choose what would be stored in Keycloak DB and what
>> in your user DB. So for example user passwords and basic attributes
>> (firstName, lastName, email, ...) will be still just in your DB and other
>> required metadata by Keycloak (for example required actions) in the keycloak
>> DB.
>>
>> Marek
>>
>>
>> On 26.5.2015 02:14, pubudu gunawardena wrote:
>>> Thanks for the answer Marek. I actually did look into the user
>>> federation example that comes with keycloak. In the settings for that,
>>> there are buttons/settings to fully import users or to import
>>> differences periodically which would bring the data to keycloak. The
>>> thing is that there is already a database for users for the custom
>>> website and Wordpress will also create its own users on login. With
>>> keycloak there will be a third database of users which I feel will
>>> lead to difficulties in maintaining. That is the reason why I wanted
>>> to look for a solution that would not import the data to keycloak, but
>>> authenticate against my user database directly.
>>>
>>> On Mon, May 25, 2015 at 7:38 PM, Marek Posolda
>>> wrote:
>>>> It depends what exactly you need.
>>>> 1) There is User Federation SPI, which allows to pull data about users
>>>> from
>>>> your own database and partially import it to Keycloak.
>>>> See docs
>>>> http://keycloak.github.io/docs/userguide/html/user_federation.html . This
>>>> SPI allows you to specify which data will be pulled from your DB to
>>>> Keycloak
>>>> DB, so your store doesn't need to support storing all Keycloak user
>>>> metadata
>>>>
>>>> 2) UserProvider SPI - in this case you will need to implement whole model
>>>> by
>>>> yourself. Note that your store will need to support all Keycloak metadata
>>>> (For example data about user's required actions etc).
>>>>
>>>> For most deployments (1) is better and much easier choice.
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 25.5.2015 11:32, pubudu gunawardena wrote:
>>>>> Hi All,
>>>>>
>>>>> I am trying to use Keycloak to implement SSO for two websites, one
>>>>> Wordpress and another custom implemented. I want to make Keycloak use
>>>>> the existing database but would prefer to not import the data to
>>>>> Keycloak, which would make another copy of the data. Is something like
>>>>> this possible with keycloak?
>>>>
>>>
>
>

From pubudupg at gmail.com Wed May 27 02:51:29 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Wed, 27 May 2015 12:21:29 +0530
Subject: [keycloak-user] Using JSON Web Token Debugger with Keycloak generated tokens
Message-ID:

Hi All,

I am trying to consume the Direct Access Grant API using a PHP client. I tried to inspect the tokens using the tool at http://jwt.io/, but the tool always says "Invalid Signature". What I would like to know is does Keycloak use a different algorithm to sign the response? Otherwise why does the on-line tool complain that the signature is invalid?

Following is a sample response I got from Keycloak.
{"access_token":"eyJhbGciOiJSUzI1NiJ9.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.a5MRV5lfzjDd0VftEigxr-VXJ7vxohUZj5bpMDvZ7opHaM-FccNVtIUrNDgW2rXCZJAI1B0tUAlJlngrIFghJxoQANnpCJxzqjlkbV-gh1j7CaQSWX0-KA9OZPSvhyhRhs4MzsCxirBwEhmWcyuaDECp0UjfEP22LhnXf3mSpmMJ7HfyikClcWfW_ykEb7fwOnFe5jk9thSqaQKWroFksBWT0_fAZuGdkfyG6rBCFHRCnQm31vn6I5SwZOpAx1YatAbK85Sc3tAcitpFnd8twFr0aC95Fbcghb_TbrivJrL0J5qN77f-9DQKJ_fy1FHljTxYwfbIyx1HQwvyq1HOFQ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0NjJmYzNmNS1kMjRkLTQ1MTItOWY3My00NzllZGQ4NTBhNzAiLCJleHAiOjE0MzI3MTA3NjYsIm5iZiI6MCwiaWF0IjoxNDMyNzA4OTY2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvcXYyIiwic3ViIjoiNTI2MTBlMjUtZDA4Zi00NzJhLWFlNWQtYzk4YTZlNjJiOGQzIiwidHlwIjoiUkVGUkVTSCIsImF6cCI6InF2Mi1yZXN0Iiwic2Vzc2lvbl9zdGF0ZSI6IjIzNDVmZjQyLWVhNDUtNGE2MS1hYjFiLTI1ZDFjZWNmZjcyMiIsImNsaWVudF9zZXNzaW9uIjoiZjFjNTUzNmYtZjBmZS00NTA3LWJmNDItZTQzNTQwNWE0YjJiIiwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsidmlldy1wcm9maWxlIiwibWFuYWdlLWFjY291bnQiXX19fQ.X_aBtZzKHPCsRqo9ShOxtsQgTZOYaVNEZDmfvfWSxCafE6kpC5yIcz9xFW2CfYo2ttm5i3GMb-aho-nyU3IEmhZkZ-DjHjxCLHO_Vlt5MBKtVF9L7-v5qWRP4va5rLUa8O1JshjRP1yW1r7SvLafqE8jLYvn3vknPhYp1ts3EhcmckIHiXS5dW_tO4XxBx7tE0kSWlUoCe_10IqqW6uRKXFuwfRWLd2KDUIIth4g2YoUrwFyQBxt2qcdjm4MQPVF0-JpNxWZN3VwbOcpKLG0gSsGppvmhuJI0eRujJzbAlxL3fY9682UZLE9JTzzX4gRTaxL5VZGau6Q0iIfzh_U1A","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.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.C5REGCEQyaWmkhbc0DrWW74m0bbeM2cKWcKJvlkvz17VZPh9sZ1eaiXdRD9pGZ1iACGPLpoCYrMkcrF5FbIX7ng7NggVbf2VEdNCeDUgZ8oDRSJlKyqeGdYWnKsi6dpwrmcPZW9BffWcqkzJv1BUbSII2tejjnB4BWz7bCvesF3ge_KKwkfy-COk8RGx_G4oxp21Ik1pQbVoiqifRQALuK252NKuuV-sXI4dd4ltj0TOca9DKNHlHMyCoRVwDVRsqMMWGfWXpqwacEh35wp8r3VDgQ00vcOnEfiraadwoPYnIsjPK5ZnfSFZlBxyDTNP76tXX1Jd5AHMUPyvOC1YhA","not-before-policy":0,"session-state":"2345ff42-ea45-4a61-ab1b-25d1cecff722"} -- Thanks, Pubudu From stian at redhat.com Wed May 27 03:42:24 2015 From: 
stian at redhat.com (Stian Thorgersen)
Date: Wed, 27 May 2015 03:42:24 -0400 (EDT)
Subject: [keycloak-user] Using JSON Web Token Debugger with Keycloak generated tokens
In-Reply-To:
References:
Message-ID: <787243961.6285230.1432712544541.JavaMail.zimbra@redhat.com>

Works fine here. Keycloak uses RS256.

To get jwt.io to work you need to copy/paste the realm public key. Go to Keycloak admin console and select the realm. Click on Settings -> Keys. Copy the value of "Public Key".

Next open http://jwt.io/. Select RS256. In the text-area that starts with "RSASHA256" (bottom/right textarea) delete everything between "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" and paste the public key from the Keycloak admin console. Make sure you keep those lines, otherwise it won't work.

Once you've done this generate an access_token and paste it into the "ENCODED" textarea.

----- Original Message -----
> From: "pubudu gunawardena"
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 27 May, 2015 8:51:29 AM
> Subject: [keycloak-user] Using JSON Web Token Debugger with Keycloak generated tokens
>
> Hi All,
>
> I am trying to consume the Direct Access Grant API using a PHP client.
> I tried to inspect the tokens using the tool at http://jwt.io/, but
> the tool always says "Invalid Signature". What I would like to know is
> does Keycloak use a different algorithm to sign the response?
> Otherwise why does the on-line tool complain that the signature is
> invalid?
>
> Following is a sample response I got from Keycloak.
> > {"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI5Y2Y5YzUwYy1hNGFmLTRmMWQtOWE1NC0wZTEzYjYzYTVjOTAiLCJleHAiOjE0MzI3MDkyNjYsIm5iZiI6MCwiaWF0IjoxNDMyNzA4OTY2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvcXYyIiwiYXVkIjoicXYyLXJlc3QiLCJzdWIiOiI1MjYxMGUyNS1kMDhmLTQ3MmEtYWU1ZC1jOThhNmU2MmI4ZDMiLCJhenAiOiJxdjItcmVzdCIsInNlc3Npb25fc3RhdGUiOiIyMzQ1ZmY0Mi1lYTQ1LTRhNjEtYWIxYi0yNWQxY2VjZmY3MjIiLCJjbGllbnRfc2Vzc2lvbiI6ImYxYzU1MzZmLWYwZmUtNDUwNy1iZjQyLWU0MzU0MDVhNGIyYiIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbInZpZXctcHJvZmlsZSIsIm1hbmFnZS1hY2NvdW50Il19fSwiZW1haWwiOiJwdWJ1ZHVAc29tZXdoZXJlLmNvbSIsIm5hbWUiOiJQdWJ1ZHUgR3VuYXdhcmRlbmEiLCJmYW1pbHlfbmFtZSI6Ikd1bmF3YXJkZW5hIiwicHJlZmVycmVkX3VzZXJuYW1lIjoicHVidWR1IiwiZ2l2ZW5fbmFtZSI6IlB1YnVkdSJ9.a5MRV5lfzjDd0VftEigxr-VXJ7vxohUZj5bpMDvZ7opHaM-FccNVtIUrNDgW2rXCZJAI1B0tUAlJlngrIFghJxoQANnpCJxzqjlkbV-gh1j7CaQSWX0-KA9OZPSvhyhRhs4MzsCxirBwEhmWcyuaDECp0UjfEP22LhnXf3mSpmMJ7HfyikClcWfW_ykEb7fwOnFe5jk9thSqaQ! > KWroFksBWT0_fAZuGdkfyG6rBCFHRCnQm31vn6I5SwZOpAx1YatAbK85Sc3tAcitpFnd8twFr0aC95Fbcghb_TbrivJrL0J5qN77f-9DQKJ_fy1FHljTxYwfbIyx1HQwvyq1HOFQ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.X_aBtZzKHPCsRqo9ShOxtsQgTZOYaVNEZDmfvfWSxCafE6kpC5yIcz9xFW2CfYo2ttm5i3GMb-aho-nyU3IEmhZkZ-DjHjxCLHO_Vlt5MBKtVF9L7-v5qWRP4va5rLUa8O1JshjRP1yW1r7SvLafqE8jLYvn3vknPhYp1ts3EhcmckIHiXS5dW_tO4XxBx7tE0kSWlUoCe_10IqqW6uRKXFuwfRWLd2KDUIIth4g2YoUrw! > FyQBxt2qcdjm4MQPVF0-JpNxWZN3VwbOcpKLG0gSsGppvmhuJI0eRujJzbAlxL! 
> 3fY9682U > ZLE9JTzzX4gRTaxL5VZGau6Q0iIfzh_U1A","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.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.C5REGCEQyaWmkhbc0DrWW74m0bbeM2cKWcKJvlkvz17VZPh9sZ1eaiXdRD9pGZ1iACGPLpoCYrMkcrF5FbIX7ng7NggVbf2VEdNCeDUgZ8oDRSJlKyqeGdYWnKsi6dpwrmcPZW9BffWcqkzJv1BUbSII2tejjnB4BWz7bCvesF3ge_KKwkfy-COk8RGx_G4oxp21Ik1pQbVoiqifRQALuK252NKuuV-sXI4dd4ltj0TOca9DKNHlHMyCoRVwDVRsqMMWGfWXpqwacEh35wp8r3VDgQ00vcOnEfiraadwoPYnIsjPK5ZnfSFZlBxyDTNP76tXX1Jd5AHMUPyvOC1YhA","not-befor! > e-policy":0,"session-state":"2345ff42-ea45-4a61-ab1b-25d1cecff722"} > > -- > Thanks, > Pubudu > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From pubudupg at gmail.com Wed May 27 03:53:45 2015 From: pubudupg at gmail.com (pubudu gunawardena) Date: Wed, 27 May 2015 13:23:45 +0530 Subject: [keycloak-user] Using JSON Web Token Debugger with Keycloak generated tokens In-Reply-To: <787243961.6285230.1432712544541.JavaMail.zimbra@redhat.com> References: <787243961.6285230.1432712544541.JavaMail.zimbra@redhat.com> Message-ID: Thanks Stian. Worked after following the steps. On Wed, May 27, 2015 at 1:12 PM, Stian Thorgersen wrote: > Works fine here. Keycloak uses RS256. > > To get jwt.io to work you need to copy/paste the realm public key. Go to Keycloak admin console and select the realm. Click on Settings -> Keys. Copy the value of "Public Key". > > Next open http://jwt.io/. Select RS256. In the text-area that starts with "RSASHA256" (bottom/right textarea) delete everything between "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" and paste the public key from the Keycloak admin console. Make sure you keep those lines, otherwise it won't work. > > Once you've done this generate an access_token and paste it into the "ENCODED" textarea. 
> > ----- Original Message ----- >> From: "pubudu gunawardena" >> To: keycloak-user at lists.jboss.org >> Sent: Wednesday, 27 May, 2015 8:51:29 AM >> Subject: [keycloak-user] Using JSON Web Token Debugger with Keycloak generated tokens >> >> Hi All, >> >> I am trying to consume the Direct Access Grant API using a PHP client. >> I tried to inspect the tokens using the tool at http://jwt.io/, but >> the tool always says "Invalid Signature". What I would like to know is >> does Keycloak use a different algorithm to sign the response? >> Otherwise why does the on-line tool complain that the signature is >> invalid? >> >> Following is a sample response I got from Keycloak. >> >> {"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI5Y2Y5YzUwYy1hNGFmLTRmMWQtOWE1NC0wZTEzYjYzYTVjOTAiLCJleHAiOjE0MzI3MDkyNjYsIm5iZiI6MCwiaWF0IjoxNDMyNzA4OTY2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvcXYyIiwiYXVkIjoicXYyLXJlc3QiLCJzdWIiOiI1MjYxMGUyNS1kMDhmLTQ3MmEtYWU1ZC1jOThhNmU2MmI4ZDMiLCJhenAiOiJxdjItcmVzdCIsInNlc3Npb25fc3RhdGUiOiIyMzQ1ZmY0Mi1lYTQ1LTRhNjEtYWIxYi0yNWQxY2VjZmY3MjIiLCJjbGllbnRfc2Vzc2lvbiI6ImYxYzU1MzZmLWYwZmUtNDUwNy1iZjQyLWU0MzU0MDVhNGIyYiIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbInZpZXctcHJvZmlsZSIsIm1hbmFnZS1hY2NvdW50Il19fSwiZW1haWwiOiJwdWJ1ZHVAc29tZXdoZXJlLmNvbSIsIm5hbWUiOiJQdWJ1ZHUgR3VuYXdhcmRlbmEiLCJmYW1pbHlfbmFtZSI6Ikd1bmF3YXJkZW5hIiwicHJlZmVycmVkX3VzZXJuYW1lIjoicHVidWR1IiwiZ2l2ZW5fbmFtZSI6IlB1YnVkdSJ9.a5MRV5lfzjDd0VftEigxr-VXJ7vxohUZj5bpMDvZ7opHaM-FccNVtIUrNDgW2rXCZJAI1B0tUAlJlngrIFghJxoQANnpCJxzqjlkbV-gh1j7CaQSWX0-KA9OZPSvhyhRhs4MzsCxirBwEhmWcyuaDECp0UjfEP22LhnXf3mSpmMJ7HfyikClcWfW_ykEb7fwOnFe5jk9thSqaQ! 
>> KWroFksBWT0_fAZuGdkfyG6rBCFHRCnQm31vn6I5SwZOpAx1YatAbK85Sc3tAcitpFnd8twFr0aC95Fbcghb_TbrivJrL0J5qN77f-9DQKJ_fy1FHljTxYwfbIyx1HQwvyq1HOFQ","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.X_aBtZzKHPCsRqo9ShOxtsQgTZOYaVNEZDmfvfWSxCafE6kpC5yIcz9xFW2CfYo2ttm5i3GMb-aho-nyU3IEmhZkZ-DjHjxCLHO_Vlt5MBKtVF9L7-v5qWRP4va5rLUa8O1JshjRP1yW1r7SvLafqE8jLYvn3vknPhYp1ts3EhcmckIHiXS5dW_tO4XxBx7tE0kSWlUoCe_10IqqW6uRKXFuwfRWLd2KDUIIth4g2YoUrw! >> FyQBxt2qcdjm4MQPVF0-JpNxWZN3VwbOcpKLG0gSsGppvmhuJI0eRujJzbAlxL! >> 3fY9682U >> ZLE9JTzzX4gRTaxL5VZGau6Q0iIfzh_U1A","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.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.C5REGCEQyaWmkhbc0DrWW74m0bbeM2cKWcKJvlkvz17VZPh9sZ1eaiXdRD9pGZ1iACGPLpoCYrMkcrF5FbIX7ng7NggVbf2VEdNCeDUgZ8oDRSJlKyqeGdYWnKsi6dpwrmcPZW9BffWcqkzJv1BUbSII2tejjnB4BWz7bCvesF3ge_KKwkfy-COk8RGx_G4oxp21Ik1pQbVoiqifRQALuK252NKuuV-sXI4dd4ltj0TOca9DKNHlHMyCoRVwDVRsqMMWGfWXpqwacEh35wp8r3VDgQ00vcOnEfiraadwoPYnIsjPK5ZnfSFZlBxyDTNP76tXX1Jd5AHMUPyvOC1YhA","not-befor! >> e-policy":0,"session-state":"2345ff42-ea45-4a61-ab1b-25d1cecff722"} >> >> -- >> Thanks, >> Pubudu >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> -- Thanks, Pubudu From krenfro at real-comp.com Wed May 27 10:31:20 2015 From: krenfro at real-comp.com (Kyle Renfro) Date: Wed, 27 May 2015 09:31:20 -0500 Subject: [keycloak-user] SQL exception on password recovery Message-ID: Keycloak 1.2.0-Final I am evaluating Keycloak, and so far I am very impressed. I have made good progress implementing a custom federation provider. I have full and periodic syncing implemented and all is working except password recovery using an e-mail address. Password recovery with a username works. I'm not sure if my custom provider is getting in the way. >From the logs: ... 
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Duplicate entry '1' for key 'PRIMARY'

Here is the record from the keycloak SQL database I am attempting pw recovery on:

*mysql> select * from USER_ENTITY where id = 1;*
+----+--------------------------+--------------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+
| ID | EMAIL                    | EMAIL_CONSTRAINT         | EMAIL_VERIFIED | ENABLED | FEDERATION_LINK                      | FIRST_NAME | LAST_NAME   | REALM_ID                             | TOTP | USERNAME |
+----+--------------------------+--------------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+
| 1  | krenfro at real-comp.com | krenfro at real-comp.com |                |         | 7675cab9-ad38-420c-aa1f-df7a869c50bb | NULL       | Kyle Renfro | 893a55ff-7aac-448f-b7b6-704a26997dfe |      | krenfro  |
+----+--------------------------+--------------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+
1 row in set, 1 warning (0.00 sec)

There is a SQL warning, not sure if it is related:

*mysql> show warnings;*
+---------+------+--------------------------------------------------------------------------+
| Level   | Code | Message                                                                  |
+---------+------+--------------------------------------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: '7cd31fee-2398-46cc-92d9-58eae6b32fb2' |
+---------+------+--------------------------------------------------------------------------+
1 row in set (0.00 sec)

If deleting the db and starting from scratch is recommended, that is fine.

Thanks in advance!

Kyle

*Here is full stack trace and keycloak logs:*

09:14:13,886 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-109) SQL Error: 1062, SQLState: 23000
09:14:13,887 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-109) Duplicate entry '1' for key 'PRIMARY'
09:14:13,887 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-109) HHH000010: On release of batch it still contained JDBC statements
09:14:13,888 ERROR [io.undertow.request] (default task-109) UT005023: Exception handling request to /auth/realms/test/login-actions/password-reset: java.lang.RuntimeException: request path: /auth/realms/test/login-actions/password-reset
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_80]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_80]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80]
Caused by: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
    ...
28 more Caused by: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40) [keycloak-connections-jpa-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34) [keycloak-connections-jpa-1.2.0.Final.jar:1.2.0.Final] at com.sun.proxy.$Proxy52.flush(Unknown Source) at org.keycloak.models.jpa.JpaUserProvider.addUser(JpaUserProvider.java:57) [keycloak-model-jpa-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.models.cache.DefaultCacheUserProvider.addUser(DefaultCacheUserProvider.java:254) [keycloak-invalidation-cache-model-1.2.0.Final.jar:1.2.0.Final] at com.realcomp.keycloak.UserServiceFederationProvider.importUser(UserServiceFederationProvider.java:249) at com.realcomp.keycloak.UserServiceFederationProvider.getUserByUsername(UserServiceFederationProvider.java:276) at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:155) [keycloak-model-api-1.2.0.Final.jar:1.2.0.Final] at org.keycloak.services.resources.LoginActionsService.sendPasswordReset(LoginActionsService.java:908) [keycloak-services-1.2.0.Final.jar:1.2.0.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_80] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_80] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_80] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_80] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:] at 
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:] ... 39 more Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1683) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1338) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_80] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_80] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_80] at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_80] at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32) [keycloak-connections-jpa-1.2.0.Final.jar:1.2.0.Final] ... 
56 more Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:72) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:49) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:211) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:62) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3124) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3581) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:104) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:349) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:350) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:56) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at 
org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1222) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1335) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final] ... 61 more Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Duplicate entry '1' for key 'PRIMARY' at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_80] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_80] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_80] at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_80] at com.mysql.jdbc.Util.handleNewInstance(Util.java:411) at com.mysql.jdbc.Util.getInstance(Util.java:386) at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1039) at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3609) at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3541) at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2002) at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2163) at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2624) at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2127) at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2427) at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2345) at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2330) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:493) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:208) [hibernate-core-4.3.7.Final.jar:4.3.7.Final] ... 71 more -------------- next part -------------- An HTML attachment was scrubbed... 
From krenfro at real-comp.com Wed May 27 17:08:04 2015
From: krenfro at real-comp.com (Kyle Renfro)
Date: Wed, 27 May 2015 16:08:04 -0500
Subject: [keycloak-user] SQL exception on password recovery
In-Reply-To:
References:
Message-ID:

I've deleted the db and started over. In my custom federation provider, I changed the method I was using to add the user to the keycloak database from:

    UserModel addUser(RealmModel realm, String id, String username, boolean addDefaultRoles);

to:

    UserModel addUser(RealmModel realm, String username);

Reference: https://github.com/keycloak/keycloak/blob/1a433093339e40ec0272c827f8d4327fa7dbcae2/model/api/src/main/java/org/keycloak/models/UserProvider.java

This didn't make a significant difference, but the error message is a bit different:

15:43:53,989 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-96) SQL Error: 1062, SQLState: 23000
15:43:53,989 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-96) Duplicate entry '872ff877-eea2-4d37-942e-e066690b136b-krenfro' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'
...

The UK_RU8TT6T700S9V50BU18WS5HA6 key is only defined in the USER_ENTITY table.

mysql> show indexes from USER_ENTITY;
+-------------+------------+------------------------------+--------------+------------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| Table       | Non_unique | Key_name                     | Seq_in_index | Column_name      | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment | Index_comment |
+-------------+------------+------------------------------+--------------+------------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| USER_ENTITY |          0 | PRIMARY                      |            1 | ID               | A         |         885 |     NULL | NULL   |      | BTREE      |         |               |
| USER_ENTITY |          0 | UK_DYKN684SL8UP1CRFEI6ECKHD7 |            1 | REALM_ID         | A         |        NULL |     NULL | NULL   | YES  | BTREE      |         |               |
| USER_ENTITY |          0 | UK_DYKN684SL8UP1CRFEI6ECKHD7 |            2 | EMAIL_CONSTRAINT | A         |        NULL |     NULL | NULL   | YES  | BTREE      |         |               |
| USER_ENTITY |          0 | UK_RU8TT6T700S9V50BU18WS5HA6 |            1 | REALM_ID         | A         |        NULL |     NULL | NULL   | YES  | BTREE      |         |               |
| USER_ENTITY |          0 | UK_RU8TT6T700S9V50BU18WS5HA6 |            2 | USERNAME         | A         |        NULL |     NULL | NULL   | YES  | BTREE      |         |               |
+-------------+------------+------------------------------+--------------+------------------+-----------+-------------+----------+--------+------+------------+---------+---------------+

The 872ff877-eea2-4d37-942e-e066690b136b is the realm_id in the 'krenfro' record.

thanks,
Kyle

On Wed, May 27, 2015 at 9:31 AM, Kyle Renfro wrote:
> Keycloak 1.2.0-Final
>
> I am evaluating Keycloak, and so far I am very impressed. I have made
> good progress implementing a custom federation provider. I have full and
> periodic syncing implemented and all is working except password recovery
> using an e-mail address. Password recovery with a username works. I'm not
> sure if my custom provider is getting in the way.
>
> From the logs:
> ...
> Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Duplicate entry '1' for key 'PRIMARY'
>
> Here is the record from the keycloak SQL database I am attempting pw
> recovery on:
>
> *mysql> select * from USER_ENTITY where id = 1;*
> +----+-------------------------+-------------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+
> | ID | EMAIL                   | EMAIL_CONSTRAINT        | EMAIL_VERIFIED | ENABLED | FEDERATION_LINK                      | FIRST_NAME | LAST_NAME   | REALM_ID                             | TOTP | USERNAME |
> +----+-------------------------+-------------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+
> |  1 | krenfro at real-comp.com | krenfro at real-comp.com |                |         | 7675cab9-ad38-420c-aa1f-df7a869c50bb | NULL       | Kyle Renfro | 893a55ff-7aac-448f-b7b6-704a26997dfe |      | krenfro  |
> +----+-------------------------+-------------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+
> 1 row in set, 1 warning (0.00 sec)
>
> There is a SQL warning, not sure if it is related:
> *mysql> show warnings;*
> +---------+------+--------------------------------------------------------------------------+
> | Level   | Code | Message                                                                  |
> +---------+------+--------------------------------------------------------------------------+
> | Warning | 1292 | Truncated incorrect DOUBLE value: '7cd31fee-2398-46cc-92d9-58eae6b32fb2' |
> +---------+------+--------------------------------------------------------------------------+
> 1 row in set (0.00 sec)
>
> If deleting the db and starting from scratch is recommended, that is fine.
>
> Thanks in advance!
> Kyle
>
> *Here is full stack trace and keycloak logs:*
> ...
From mposolda at redhat.com Thu May 28 01:46:10 2015
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 28 May 2015 07:46:10 +0200
Subject: [keycloak-user] SQL exception on password recovery
In-Reply-To:
References:
Message-ID: <5566ABA2.8010805@redhat.com>

It seems that you're trying to add a user which already exists in the DB. Can it be the case?

If you want to update a user which already exists, you can instead use something like:

    UserModel user = session.userStorage().getUserByUsername("krenfro", realm);
    user.setFirstName("anything");
    ...

Marek

On 27.5.2015 23:08, Kyle Renfro wrote:
> I've deleted the db and started over. In my custom federation
> provider, I changed the method I was using to add the user to the
> keycloak database from:
> UserModel addUser(RealmModel realm, String id, String username,
> boolean addDefaultRoles);
> to:
> UserModel addUser(RealmModel realm, String username);
>
> Reference:
> https://github.com/keycloak/keycloak/blob/1a433093339e40ec0272c827f8d4327fa7dbcae2/model/api/src/main/java/org/keycloak/models/UserProvider.java
>
> This didn't make a significant difference, but the error message is a
> bit different:
> 15:43:53,989 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
> (default task-96) SQL Error: 1062, SQLState: 23000
> 15:43:53,989 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper]
> (default task-96) Duplicate entry
> '872ff877-eea2-4d37-942e-e066690b136b-krenfro' for key
> 'UK_RU8TT6T700S9V50BU18WS5HA6'
> ...
>
> The UK_RU8TT6T700S9V50BU18WS5HA6 key is only defined in the
> USER_ENTITY table.
> > mysql> show indexes from USER_ENTITY; > +-------------+------------+------------------------------+--------------+------------------+-----------+-------------+----------+--------+------+------------+---------+---------------+ > | Table | Non_unique | Key_name | Seq_in_index | Column_name > | Collation | Cardinality | Sub_part | Packed | Null | Index_type > | Comment | Index_comment | > +-------------+------------+------------------------------+--------------+------------------+-----------+-------------+----------+--------+------+------------+---------+---------------+ > | USER_ENTITY | 0 | PRIMARY | 1 | ID > | A | 885 | NULL | NULL | | BTREE | > | | > | USER_ENTITY | 0 | UK_DYKN684SL8UP1CRFEI6ECKHD7 | > 1 | REALM_ID | A | NULL | NULL | NULL | > YES | BTREE | | | > | USER_ENTITY | 0 | UK_DYKN684SL8UP1CRFEI6ECKHD7 | > 2 | EMAIL_CONSTRAINT | A | NULL | NULL | NULL | > YES | BTREE | | | > | USER_ENTITY | 0 | UK_RU8TT6T700S9V50BU18WS5HA6 | > 1 | REALM_ID | A | NULL | NULL | NULL | > YES | BTREE | | | > | USER_ENTITY | 0 | UK_RU8TT6T700S9V50BU18WS5HA6 | > 2 | USERNAME | A | NULL | NULL | NULL | > YES | BTREE | | | > +-------------+------------+------------------------------+--------------+------------------+-----------+-------------+----------+--------+------+------------+---------+---------------+ > > The 872ff877-eea2-4d37-942e-e066690b136b is the realm_id in the > 'krenfro' record. > > thanks, > Kyle > > On Wed, May 27, 2015 at 9:31 AM, Kyle Renfro > wrote: > > Keycloak 1.2.0-Final > > I am evaluating Keycloak, and so far I am very impressed. I have > made good progress implementing a custom federation provider. I > have full and periodic syncing implemented and all is working > except password recovery using an e-mail address. Password > recovery with a username works. I'm not sure if my custom > provider is getting in the way. > > From the logs: > ... 
> Caused by: > com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: > Duplicate entry '1' for key 'PRIMARY' > > Here is the the record from the keycloak SQL database I am > attempting pw recovery on: > > *mysql> select * from USER_ENTITY where id = 1;* > +----+-----------------------+-----------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+ > | ID | EMAIL | EMAIL_CONSTRAINT | > EMAIL_VERIFIED | ENABLED | FEDERATION_LINK | FIRST_NAME | > LAST_NAME | REALM_ID | TOTP | USERNAME | > +----+-----------------------+-----------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+ > | 1 | krenfro at real-comp.com | > krenfro at real-comp.com | > | | 7675cab9-ad38-420c-aa1f-df7a869c50bb | NULL | Kyle > Renfro | 893a55ff-7aac-448f-b7b6-704a26997dfe | | krenfro | > +----+-----------------------+-----------------------+----------------+---------+--------------------------------------+------------+-------------+--------------------------------------+------+----------+ > 1 row in set, 1 warning (0.00 sec) > > > There is a SQL warning, not sure if it is related: > *mysql> show warnings;* > +---------+------+--------------------------------------------------------------------------+ > | Level | Code | Message | > +---------+------+--------------------------------------------------------------------------+ > | Warning | 1292 | Truncated incorrect DOUBLE value: > '7cd31fee-2398-46cc-92d9-58eae6b32fb2' | > +---------+------+--------------------------------------------------------------------------+ > 1 row in set (0.00 sec) > > > If deleting the db and starting from scratch is recommended, that > is fine. > > Thanks in advance! 
> > Kyle
> >
> > Here is full stack trace and keycloak logs:
> > 09:14:13,886 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-109) SQL Error: 1062, SQLState: 23000
> > 09:14:13,887 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-109) Duplicate entry '1' for key 'PRIMARY'
> > 09:14:13,887 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-109) HHH000010: On release of batch it still contained JDBC statements
> > 09:14:13,888 ERROR [io.undertow.request] (default task-109) UT005023: Exception handling request to /auth/realms/test/login-actions/password-reset: java.lang.RuntimeException: request path: /auth/realms/test/login-actions/password-reset
> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) [undertow-core-1.1.0.Final.jar:1.1.0.Final]
> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_80]
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_80]
> > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80]
> > Caused by: org.jboss.resteasy.spi.UnhandledException: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
> > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
> > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
> > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> > ... 28 more
> > Caused by: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
> > at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40) [keycloak-connections-jpa-1.2.0.Final.jar:1.2.0.Final]
> > at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34) [keycloak-connections-jpa-1.2.0.Final.jar:1.2.0.Final]
> > at com.sun.proxy.$Proxy52.flush(Unknown Source)
> > at org.keycloak.models.jpa.JpaUserProvider.addUser(JpaUserProvider.java:57) [keycloak-model-jpa-1.2.0.Final.jar:1.2.0.Final]
> > at org.keycloak.models.cache.DefaultCacheUserProvider.addUser(DefaultCacheUserProvider.java:254) [keycloak-invalidation-cache-model-1.2.0.Final.jar:1.2.0.Final]
> > at com.realcomp.keycloak.UserServiceFederationProvider.importUser(UserServiceFederationProvider.java:249)
> > at com.realcomp.keycloak.UserServiceFederationProvider.getUserByUsername(UserServiceFederationProvider.java:276)
> > at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:155) [keycloak-model-api-1.2.0.Final.jar:1.2.0.Final]
> > at org.keycloak.services.resources.LoginActionsService.sendPasswordReset(LoginActionsService.java:908) [keycloak-services-1.2.0.Final.jar:1.2.0.Final]
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_80]
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_80]
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_80]
> > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_80]
> > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.10.Final.jar:]
> > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.10.Final.jar:]
> > ... 39 more
> > Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
> > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1683) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1338) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final]
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_80]
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_80]
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_80]
> > at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_80]
> > at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32) [keycloak-connections-jpa-1.2.0.Final.jar:1.2.0.Final]
> > ... 56 more
> > Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement
> > at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:72) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:49) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:126) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:112) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:211) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:62) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3124) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3581) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:104) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:349) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:350) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:56) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1222) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1335) [hibernate-entitymanager-4.3.7.Final.jar:4.3.7.Final]
> > ... 61 more
> > Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Duplicate entry '1' for key 'PRIMARY'
> > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.7.0_80]
> > at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) [rt.jar:1.7.0_80]
> > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.7.0_80]
> > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) [rt.jar:1.7.0_80]
> > at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
> > at com.mysql.jdbc.Util.getInstance(Util.java:386)
> > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1039)
> > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3609)
> > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3541)
> > at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2002)
> > at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2163)
> > at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2624)
> > at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2127)
> > at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2427)
> > at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2345)
> > at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2330)
> > at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:493)
> > at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:208) [hibernate-core-4.3.7.Final.jar:4.3.7.Final]
> > ... 71 more
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Henk.Laracker at planonsoftware.com Thu May 28 06:01:47 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Thu, 28 May 2015 12:01:47 +0200
Subject: [keycloak-user] Cors not working Final 1.2
Message-ID:

Hi,

Cors headers missing during login procedure of keycloak

===============================
Step 1 - Prepare keycloak realm:
===============================

Create a simple keycloak realm for testing.

===============================
Step 2 - Create a user
===============================

Add a user and a client to the realm. The client should be configured as follows:

Client Protocol: openid-connect
Access Type: public

Valid redirect URIs: http://localhost/* http://localhost
Web origins: http://localhost/* http://localhost

===============================
Step 3 - Create test application on tomcat
===============================

On a given tomcat server (I'm using localhost for this example) add 2 web applications:
app1 with a simple index.html
cors with a simple test.txt with the content "Some data"

The following URLs are now available:
http://localhost/app1/index.html
http://localhost/cors/test.txt

In http://localhost/app1/index.html create javascript which loads data from http://localhost/cors/test.txt

If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed.

===============================
Step 4 - Adding keycloak to the applications
===============================

Add keycloak configuration on "app1".

Add keycloak configuration on "cors". Additionally, add
"enable-cors": "true"
to the json file.
===============================
Step 5 - Log in to app1
===============================

If you log in to app1 in a new browser, the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using chrome):

XMLHttpRequest cannot load http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?re?lient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

If it loaded the data, make sure that you're logged out, or try it in private browsing mode.

===============================
Expected result
===============================

We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications.

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,

Henk Laracker

From petr.b.titov at gmail.com Thu May 28 06:15:57 2015
From: petr.b.titov at gmail.com (Petr Titov)
Date: Thu, 28 May 2015 13:15:57 +0300
Subject: [keycloak-user] Keycloak & Wordpress
Message-ID:

Hi,

I'm trying to integrate Keycloak 1.2.0-Final with Wordpress using the SAML 2.0 Single Sign-On plugin (https://wordpress.org/plugins/saml-20-single-sign-on/). After setting up both applications I get the Keycloak login page without any inputs, just the background and the text LOG IN TO MIG. The redirect url from Wordpress to Keycloak is http://localhost:8080/auth/realms/mig/protocol/saml?SAMLRequest=

There are no errors in the log. What does that mean?

--
Petr Titov
From stian at redhat.com Thu May 28 06:22:50 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 28 May 2015 06:22:50 -0400 (EDT)
Subject: [keycloak-user] Cors not working Final 1.2
In-Reply-To:
References:
Message-ID: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Henk Laracker"
> To: keycloak-user at lists.jboss.org
> Cc: "Mark Bertels"
> Sent: Thursday, 28 May, 2015 12:01:47 PM
> Subject: [keycloak-user] Cors not working Final 1.2
>
> Hi,
>
> Cors headers missing during login procedure of keycloak
>
> ===============================
> Step 1 - Prepare keycloak realm:
> ===============================
>
> Create a simple keycloak realm for testing.
>
> ===============================
> Step 2 - Create a user
> ===============================
>
> Add a user and a client to the realm. The client should be configured as follows:
>
> Client Protocol: openid-connect
> Access Type: public
>
> Valid redirect URIs: http://localhost/* http://localhost
> Web origins: http://localhost/* http://localhost
>
> ===============================
> Step 3 - Create test application on tomcat
> ===============================
>
> On a given tomcat server (I'm using localhost for this example) add 2 web applications:
> app1 with a simple index.html
> cors with a simple test.txt with the content "Some data"
>
> The following URLs are now available:
> http://localhost/app1/index.html
> http://localhost/cors/test.txt
>
> In http://localhost/app1/index.html create javascript which loads data from http://localhost/cors/test.txt
>
> If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed.
>
> ===============================
> Step 4 - Adding keycloak to the applications
> ===============================
>
> Add keycloak configuration on "app1".
>
> Add keycloak configuration on "cors". Additionally, add
> "enable-cors": "true"
> to the json file.
>
> ===============================
> Step 5 - Log in to app1
> ===============================
>
> If you log in to app1 in a new browser, the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using chrome):
>
> XMLHttpRequest cannot load http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?re?lient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

This request to "/protocol/openid-connect/auth" makes no sense to me. How are you invoking this? Can you include the source for index.html?

> If it loaded the data, make sure that you're logged out, or try it in private browsing mode.
>
> ===============================
> Expected result
> ===============================
>
> We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications.
>
> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
>
> Henk Laracker

From pubudupg at gmail.com Thu May 28 07:30:59 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Thu, 28 May 2015 17:00:59 +0530
Subject: [keycloak-user] Some Help to Write a Federation Provider
Message-ID:

Hi All,

I am writing a federation provider which performs authentication against an RDBMS. I am using keycloak 1.2.0.Final. I have looked at the sample properties provider and would like to know a few things.

In UserFederationProviderFactory

1. UserFederationProviderFactory#create returns null in the example. Do we not need to implement that?

2. When is the UserFederationProviderFactory#close method called? Is it when the server is shut down?

3. When is the init method called? Is it called once per object instance?

4. Is it only one instance of a given type UserFederationProviderFactory that is created for the system?

UserFederationProvider

5. The javadoc for UserFederationProvider#getUserByUsername says "Required to import into local storage any user found." Does it mean that I have to call keyCloakSession.userStorage().addUser(realm, userName)? Do I have to do that even if the user has already been imported into the system previously? Do I have to synchronize the user data in that method?

6. Same as question 5 for methods getUserByEmail and searchByAttributes.

7. When should I return false from method "isValid"? What does returning false from that method prevent? Is it importing / preventing the user from logging in / not showing the user in the user list?

8. In validCredentials(RealmModel realm, UserCredentialModel credential) the javadoc says "Validate credentials of unknown user." When should I implement that method? How can an unknown user be validated?

9. When is the UserFederationProvider#close method called?

Any help is highly appreciated. If possible please mention how those questions will relate to an RDBMS backed provider implementation.
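Marek's point earlier in the archive (calling addUser() for a username Keycloak already holds trips the (REALM_ID, USERNAME) unique key UK_RU8TT6T700S9V50BU18WS5HA6) and Pubudu's questions 5 and 6 (whether getUserByUsername()/getUserByEmail() must import a user that was imported before) come down to the same requirement: the import has to be idempotent. The following is an added example, not code from this thread or from the Keycloak project, of a base class for an RDBMS-backed provider that meets it. It assumes the Keycloak 1.2.0.Final model API named in the thread (KeycloakSession.userStorage(), UserProvider.getUserByUsername(username, realm), UserProvider.addUser(realm, username)) plus UserProvider.getUserByEmail(email, realm) and UserModel.getFederationLink()/setFederationLink(), which are assumed; the package, the class names and the ExternalUser type are hypothetical.

```java
// Added example, not code from this thread or from the Keycloak project.
// Assumes the Keycloak 1.2.0.Final model API referenced in the thread:
//   KeycloakSession.userStorage(), UserProvider.getUserByUsername(username, realm),
//   UserProvider.addUser(realm, username); getUserByEmail(email, realm) and
//   UserModel.getFederationLink()/setFederationLink() are assumed as well.
// The package, class names and the ExternalUser type are hypothetical.
package com.example.keycloak.federation;

import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

/**
 * Base class for an RDBMS-backed federation provider whose imports are idempotent:
 * getUserByUsername()/getUserByEmail() call addUser() only when Keycloak holds no
 * local copy yet. A repeated lookup (the password-reset path in the thread calls
 * getUserByUsername() for a user that was imported earlier) therefore never inserts
 * a second USER_ENTITY row for the same (REALM_ID, USERNAME).
 */
public abstract class IdempotentImportProvider implements UserFederationProvider {

    /** Minimal view of one row of the external user table (hypothetical type). */
    public static final class ExternalUser {
        public final String username, email, firstName, lastName;

        public ExternalUser(String username, String email, String firstName, String lastName) {
            this.username = username;
            this.email = email;
            this.firstName = firstName;
            this.lastName = lastName;
        }
    }

    protected final KeycloakSession session;
    protected final UserFederationProviderModel model;

    protected IdempotentImportProvider(KeycloakSession session, UserFederationProviderModel model) {
        this.session = session;
        this.model = model;
    }

    /** Query the RDBMS by username (bound parameter, never string concatenation); null when no row exists. */
    protected abstract ExternalUser lookupByUsername(String username);

    /** Query the RDBMS by e-mail (bound parameter); null when no row exists. */
    protected abstract ExternalUser lookupByEmail(String email);

    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        ExternalUser ext = lookupByUsername(username);
        return ext == null ? null : importOrReuse(realm, ext);
    }

    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        ExternalUser ext = lookupByEmail(email);
        return ext == null ? null : importOrReuse(realm, ext);
    }

    /**
     * Return the local copy of an external user, creating it only on first sight.
     * The existence check goes to Keycloak's own storage (session.userStorage()),
     * not through the federation manager, which would call back into this provider.
     */
    protected UserModel importOrReuse(RealmModel realm, ExternalUser ext) {
        UserModel local = session.userStorage().getUserByUsername(ext.username, realm);
        if (local == null) {
            local = session.userStorage().addUser(realm, ext.username);
            local.setEnabled(true);
            local.setFederationLink(model.getId()); // record which provider owns this copy
        } else if (!model.getId().equals(local.getFederationLink())) {
            // Same username, but created locally or owned by another provider: leave it
            // alone rather than overwriting its attributes with external data.
            return null;
        }

        // The second unique key in the thread, UK_DYKN684SL8UP1CRFEI6ECKHD7 on
        // (REALM_ID, EMAIL_CONSTRAINT), is hit when two rows share an e-mail address.
        // Skip the e-mail update in that case instead of failing the whole lookup.
        UserModel byEmail = ext.email == null ? null
                : session.userStorage().getUserByEmail(ext.email, realm);
        if (byEmail == null || byEmail.getId().equals(local.getId())) {
            local.setEmail(ext.email);
        }
        // Refresh the remaining attributes from the authoritative row on every lookup.
        local.setFirstName(ext.firstName);
        local.setLastName(ext.lastName);
        return proxy(local);
    }

    /** A local copy stays valid as long as its row still exists in the RDBMS. */
    @Override
    public boolean isValid(RealmModel realm, UserModel local) {
        return lookupByUsername(local.getUsername()) != null;
    }
}
```

A concrete provider extends this class, implements the two lookup methods with JDBC PreparedStatement queries, and implements the remaining UserFederationProvider methods (proxy(), credential validation, searchByAttributes(), close() and so on). Because both branches of importOrReuse() end by returning proxy(local), the caller gets the same kind of object whether the user was just imported or already present, which is what the thread's password-reset call through UserFederationManager.getUserByUsername() needs.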
--
Thanks,
Pubudu

From Henk.Laracker at planonsoftware.com Thu May 28 07:38:12 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Thu, 28 May 2015 13:38:12 +0200
Subject: [keycloak-user] Cors not working Final 1.2
In-Reply-To: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com>
References: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com>
Message-ID:

As requested:

cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us

index.html - http://pastebin.com/raw.php?i=SndsyL8F
test.txt - http://pastebin.com/raw.php?i=BeaRUCHE

Thanks for looking in.

On 28/05/15 12:22, "Stian Thorgersen" wrote:

>----- Original Message -----
>> From: "Henk Laracker"
>> To: keycloak-user at lists.jboss.org
>> Cc: "Mark Bertels"
>> Sent: Thursday, 28 May, 2015 12:01:47 PM
>> Subject: [keycloak-user] Cors not working Final 1.2
>>
>> Hi,
>>
>> Cors headers missing during login procedure of keycloak
>>
>> ===============================
>> Step 1 - Prepare keycloak realm:
>> ===============================
>>
>> Create a simple keycloak realm for testing.
>>
>> ===============================
>> Step 2 - Create a user
>> ===============================
>>
>> Add a user and a client to the realm. The client should be configured as follows:
>>
>> Client Protocol: openid-connect
>> Access Type: public
>>
>> Valid redirect URIs: http://localhost/* http://localhost
>> Web origins: http://localhost/* http://localhost
>>
>> ===============================
>> Step 3 - Create test application on tomcat
>> ===============================
>>
>> On a given tomcat server (I'm using localhost for this example) add 2 web applications:
>> app1 with a simple index.html
>> cors with a simple test.txt with the content "Some data"
>>
>> The following URLs are now available:
>> http://localhost/app1/index.html
>> http://localhost/cors/test.txt
>>
>> In http://localhost/app1/index.html create javascript which loads data from http://localhost/cors/test.txt
>>
>> If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed.
>>
>> ===============================
>> Step 4 - Adding keycloak to the applications
>> ===============================
>>
>> Add keycloak configuration on "app1".
>>
>> Add keycloak configuration on "cors". Additionally, add
>> "enable-cors": "true"
>> to the json file.
>>
>> ===============================
>> Step 5 - Log in to app1
>> ===============================
>>
>> If you log in to app1 in a new browser, the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using chrome):
>>
>> XMLHttpRequest cannot load http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?re?lient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
>
>This request to "/protocol/openid-connect/auth" makes no sense to me. How are you invoking this? Can you include the source for index.html?
>
>> If it loaded the data, make sure that you're logged out, or try it in private browsing mode.
>>
>> ===============================
>> Expected result
>> ===============================
>>
>> We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications.
>>
>> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
>>
>> Henk Laracker

From stian at redhat.com Thu May 28 08:01:48 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Thu, 28 May 2015 08:01:48 -0400 (EDT)
Subject: [keycloak-user] Cors not working Final 1.2
In-Reply-To:
References: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com>
Message-ID: <1140173976.7604565.1432814508221.JavaMail.zimbra@redhat.com>

Looks like what's happening is that you're doing an XMLHttpRequest to a resource that requires authentication. In this case the adapter returns a 302 and it'll be redirected to the login screen on the Keycloak server. The login screen is not expected to be invoked with XMLHttpRequest/CORS, so it shouldn't have CORS headers.

Further, the Keycloak adapter only adds CORS headers when a bearer token is present (Authorization: Bearer ...). If you want CORS headers for non-protected endpoints you'll have to add those yourself, as Keycloak pulls the permitted origins from the bearer token.

Just make sure you invoke your secured endpoints with a valid bearer token and it should work fine.

With regards to it returning a 302 for an XMLHttpRequest, that's an improvement we can do in the adapters, to only do that if the Accept header contains text/html.
----- Original Message -----
> From: "Henk Laracker"
> To: "Stian Thorgersen"
> Cc: "Mark Bertels", keycloak-user at lists.jboss.org
> Sent: Thursday, 28 May, 2015 1:38:12 PM
> Subject: Re: [keycloak-user] Cors not working Final 1.2
>
> As requested:
>
> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
>
> index.html - http://pastebin.com/raw.php?i=SndsyL8F
> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
>
> Thanks for looking in.
From bburke at redhat.com Thu May 28 08:51:41 2015
From: bburke at redhat.com (Bill Burke)
Date: Thu, 28 May 2015 08:51:41 -0400
Subject: [keycloak-user] Some Help to Write a Federation Provider
Message-ID: <55670F5D.4010103@redhat.com>

On 5/28/2015 7:30 AM, pubudu gunawardena wrote:
> Hi All,
>
> I am writing a federation provider which performs authentication
> against an RDBMS.
> I am using keycloak 1.2.0.Final. I have looked at the sample
> properties provider and would like to know a few things.
>
> In UserFederationProviderFactory
> 1. UserFederationProviderFactory#create returns null in the example.
> Do we not need to implement that?

No. This method is not called.

> 2. When is the UserFederationProviderFactory#close method called? Is
> it when the server is shut down?

Yes.

> 3. When is the init method called? Is it called once per object instance?

Factory.init() is only called once when the server boots. The config
is pulled in from keycloak_server.json

> 4. Is it only one instance of a given type
> UserFederationProviderFactory that is created for the system?

Only one Factory instance is created for the server.

> UserFederationProvider
> 5. The javadoc for UserFederationProvider#getUserByUsername says
> "Required to import into local storage any user found." does it mean
> that I have to call keyCloakSession.userStorage().addUser(realm,
> userName)? Do I have to do that even if the user has been already
> previously imported into the system? Do I have to synchronize the user
> data in that method?

You do not have to test to see if the username exists in local storage.
Keycloak will do that before calling this method.

> 6. Same as question 5 for methods getUserByEmail and searchByAttributes.

getUserEmail does not require that you check to see if the user exists
in local storage. searchByAttribute, unfortunately, does. The way you
should implement it is:

1. do your query
2. Loop on results
3. if result is not in local storage, import to local storage
4. add result to returned List

> 7. When should I return false from method "isValid". What does
> returning false from that method prevent? Is it importing/prevent user
> from logging in/not show user in user list?

Keycloak may call this method to determine if a user still exists or
is still enabled in federated storage.

> 8. In validCredentials(RealmModel realm, UserCredentialModel
> credential) the javadoc says "Validate credentials of unknown user.".
> When should I implement that method? How can an unknown user be
> validated?

This method is really only used for kerberos authentication against an
LDAP database.

> 9. When is the UserFederationProvider# close method called?

UserFederationProviders are created and closed once per request.

> Any help is highly appreciated. If possible please mention how those
> questions will relate to an RDBMS backed provider implementation.

Thanks, I'll add all this to the javadoc.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Henk.Laracker at planonsoftware.com Thu May 28 15:18:31 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Thu, 28 May 2015 21:18:31 +0200
Subject: [keycloak-user] Cors not working Final 1.2
In-Reply-To: <1140173976.7604565.1432814508221.JavaMail.zimbra@redhat.com>
References: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com> <1140173976.7604565.1432814508221.JavaMail.zimbra@redhat.com>

I understand, but we have some weird behaviour once we've logged in to http://localhost/app1/index.html.
If you first log in on http://localhost/app1/index.html, then go directly to http://localhost/cors/test.txt, we are able to see the txt file without logging in. When we go back to http://localhost/app1/index.html it's working as intended, and we get no keycloak redirect.
From Henk.Laracker at planonsoftware.com Thu May 28 17:23:00 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Thu, 28 May 2015 23:23:00 +0200
Subject: [keycloak-user] IDP SAMLV2.0 with Salesforce
In-Reply-To: <55437613.3030501@redhat.com>
References: <5542BA2B.2010608@redhat.com> <1970499048.89811.1430443394466.JavaMail.yahoo@mail.yahoo.com> <55437613.3030501@redhat.com>

Hi Bill,

Can you explain to me how I configure this? I have Facebook as my IdP. I would like to use my email address and not Facebook:email at test.nl

Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,

Henk Laracker

On 01/05/15 14:48, "Bill Burke" wrote:

> You can map the SAML/OIDC assertion/token that is sent to your
> applications however you want.
From pubudupg at gmail.com Fri May 29 00:41:13 2015
From: pubudupg at gmail.com (pubudu gunawardena)
Date: Fri, 29 May 2015 10:11:13 +0530
Subject: [keycloak-user] Some Help to Write a Federation Provider

Thanks Bill for your help.

> Date: Thu, 28 May 2015 08:51:41 -0400
> From: Bill Burke
> Subject: Re: [keycloak-user] Some Help to Write a Federation Provider
> To: keycloak-user at lists.jboss.org
> Message-ID: <55670F5D.4010103 at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
-- 
Thanks,
Pubudu

From lkrzyzan at redhat.com Fri May 29 02:57:47 2015
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Fri, 29 May 2015 08:57:47 +0200
Subject: [keycloak-user] Sharing FTLs between login and account themes

Hi,
is it possible to have some "common" FTL that could be imported in login FTLs and account FTLs?

Use case is having a list of countries defined in one FTL and sharing it in login and account themes.

Thanks,

Libor Krzyžanek
jboss.org Development Team

From stian at redhat.com Fri May 29 03:19:13 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 29 May 2015 03:19:13 -0400 (EDT)
Subject: [keycloak-user] Cors not working Final 1.2
References: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com> <1140173976.7604565.1432814508221.JavaMail.zimbra@redhat.com>
Message-ID: <1207147001.8381183.1432883953737.JavaMail.zimbra@redhat.com>

I assume you've secured http://localhost/app1 and http://localhost/cors with the Keycloak Tomcat adapter?

For the cors app you should select bearer-only as the client type; that'll prevent the redirect with XMLHttpRequest. Bearer-only applications are "services" that only verify tokens sent in the request, but don't allow users to login directly.

You also need to make sure that http://localhost/cors/test.txt is secured properly, in web.xml if that's how you secure it. Once deployed check that you can visit http://localhost/cors/test.txt in the browser.

Next step would be to make sure http://localhost/app1 sends the bearer token in the authorization header when invoking cors/test.txt

----- Original Message -----
> From: "Henk Laracker"
> To: "Stian Thorgersen"
> Cc: "Mark Bertels", keycloak-user at lists.jboss.org
> Sent: Thursday, May 28, 2015 8:18:31 PM
> Subject: Re: [keycloak-user] Cors not working Final 1.2
>
> I understand, but we have some weird behaviour once we've logged in into
> http://localhost/app1/index.html .
>
> If you first login on http://localhost/app1/index.html , then go directly
> to http://localhost/cors/test.txt we are able to see the txt file without
> logging in.
> When we go back to http://localhost/app1/index.html it's working as
> intended, and we get no keycloak redirect.
> >> >>
> >> >>
> >> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
> >> >> cordialement,
> >> >>
> >> >> Henk Laracker
> >> >>
> >> >> _______________________________________________
> >> >> keycloak-user mailing list
> >> >> keycloak-user at lists.jboss.org
> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
>

From ivan at akvo.org Fri May 29 04:46:55 2015
From: ivan at akvo.org (Iván Perdomo)
Date: Fri, 29 May 2015 10:46:55 +0200
Subject: [keycloak-user] Keycloak 1.2.0.Final released
In-Reply-To: <815638486.1574215.1432036940104.JavaMail.zimbra@redhat.com>
References: <815638486.1574215.1432036940104.JavaMail.zimbra@redhat.com>
Message-ID: <5568277F.7080907@akvo.org>

Hi,

On 05/19/2015 02:02 PM, Stian Thorgersen wrote:
> to download go to https://sourceforge.net/projects/keycloak/files/1.2.0.Final/.

Given the latest news on SF.net [1] I would suggest you publish the files checksum, and/or perhaps sign the files [2] ?

[1] https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/
[2] https://www.gnupg.org/gph/en/manual/x135.html

Cheers,
-- 
Iván

From lkrzyzan at redhat.com Fri May 29 05:01:06 2015
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Fri, 29 May 2015 11:01:06 +0200
Subject: [keycloak-user] Sharing FTLs between login and account themes
In-Reply-To:
References:
Message-ID:

I figured this out.

The shared FTL needs to be stored let say within "login" theme.

Then in account theme put into theme.properties
import=login/

and then you shared FTL in e.g. account.ftl
<#include ?"
/>

Libor Krzyžanek
jboss.org Development Team

> On 29 May 2015, at 08:57, Libor Krzyžanek wrote:
>
> Hi,
> is it possible to have some "common" FTL that could be imported in login FTLs and account FTLs?
>
> Use case is having list of countries defined in one FTL and share it in login and account themes.
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team

From stian at redhat.com Fri May 29 05:32:50 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 29 May 2015 05:32:50 -0400 (EDT)
Subject: [keycloak-user] Sharing FTLs between login and account themes
In-Reply-To:
References:
Message-ID: <620076847.8441564.1432891970035.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Libor Krzyžanek"
> To: "keycloak-user"
> Sent: Friday, 29 May, 2015 10:01:06 AM
> Subject: Re: [keycloak-user] Sharing FTLs between login and account themes
>
> I figured this out.
>
> The shared FTL needs to be stored let say within "login" theme.
>
> Then in account theme put into theme.properties
> import=login/
>
> and then you shared FTL in e.g. account.ftl
> <#include ?" />

Exactly - I'd recommend you put the shared bits into a common theme so you limit what's "shared"

> Libor Krzyžanek
> jboss.org Development Team
>
> On 29 May 2015, at 08:57, Libor Krzyžanek < lkrzyzan at redhat.com > wrote:
>
> Hi,
> is it possible to have some "common" FTL that could be imported in login FTLs
> and account FTLs?
>
> Use case is having list of countries defined in one FTL and share it in login
> and account themes.
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team

From Henk.Laracker at planonsoftware.com Fri May 29 10:27:21 2015
From: Henk.Laracker at planonsoftware.com (Henk Laracker)
Date: Fri, 29 May 2015 16:27:21 +0200
Subject: [keycloak-user] Cors not working Final 1.2
In-Reply-To: <1207147001.8381183.1432883953737.JavaMail.zimbra@redhat.com>
References: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com>
 <1140173976.7604565.1432814508221.JavaMail.zimbra@redhat.com>
 <1207147001.8381183.1432883953737.JavaMail.zimbra@redhat.com>
Message-ID:

On 29/05/15 09:19, "Stian Thorgersen" wrote:

>I assume you've secured http://localhost/app1 and http://localhost/cors
>with the Keycloak Tomcat adapter?

Yes

>
>For cors app you should select bearer-only as the client type, that'll
>prevent the redirect with XMLHttpRequest. Bearer only applications are
>"services" that only verify tokens sent in request, but doesn't allow
>users to login directly. You also need to make sure that
>http://localhost/cors/test.txt is secured properly, in web.xml if that's
>how you secure it. Once deployed check that you can visit
>http://localhost/cors/test.txt in the browser.
>
>Next step would be to make sure http://localhost/app1 sends the bearer
>token in the authorization header when invoking cors/test.txt

This means that I have to change my application and send the token. In the
example I can, but in real life I can to change the application. Is there
not other way?
>
>----- Original Message -----
>> From: "Henk Laracker"
>> To: "Stian Thorgersen"
>> Cc: "Mark Bertels" , keycloak-user at lists.jboss.org
>> Sent: Thursday, May 28, 2015 8:18:31 PM
>> Subject: Re: [keycloak-user] Cors not working Final 1.2
>>
>> I understand, but we have some weird behaviour once we've logged in into
>> http://localhost/app1/index.html .
>>
>> If you first login on http://localhost/app1/index.html , then go directly
>> to http://localhost/cors/test.txt we are able to see the txt file without
>> logging in.
>> When we go back to http://localhost/app1/index.html it's working as
>> intended, and we get no keycloak redirect.
>>
>> On 28/05/15 14:01, "Stian Thorgersen" wrote:
>>
>> >Looks like what's happening is that you're doing a XMLHttpRequest to a
>> >resource that requires authentication. In this case the adapter returns a
>> >302 and it'll redirected to the login screen on the Keycloak server.
>> >
>> >The login screen is not expected to be invoked with XMLHttpRequest/CORS
>> >so it shouldn't have CORS headers.
>> >
>> >Further the Keycloak adapter only adds CORS headers when a bearer token
>> >is present (Authorization: Bearer ...). If you want CORS headers for
>> >non-protected endpoints you'll have to add those yourself as Keycloak
>> >pulls the permitted origins from the bearer token.
>> >
>> >Just make sure you invoke your secured endpoints with a valid bearer
>> >token and it should work fine. With regards to it returning a 302 for a
>> >XMLHttpRequest that's an improvement we can do in the adapters to only do
>> >that if Accept header contains text/html.
>> >
>> >----- Original Message -----
>> >> From: "Henk Laracker"
>> >> To: "Stian Thorgersen"
>> >> Cc: "Mark Bertels" , keycloak-user at lists.jboss.org
>> >> Sent: Thursday, 28 May, 2015 1:38:12 PM
>> >> Subject: Re: [keycloak-user] Cors not working Final 1.2
>> >>
>> >> As requested:
>> >>
>> >> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
>> >> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
>> >>
>> >> index.html - http://pastebin.com/raw.php?i=SndsyL8F
>> >> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
>> >>
>> >> Thanks for looking in.

From stian at redhat.com Fri May 29 10:31:05 2015
From: stian at redhat.com (Stian Thorgersen)
Date: Fri, 29 May 2015 10:31:05 -0400 (EDT)
Subject: [keycloak-user] Cors not working Final 1.2
In-Reply-To:
References: <515231757.7522528.1432808570232.JavaMail.zimbra@redhat.com>
 <1140173976.7604565.1432814508221.JavaMail.zimbra@redhat.com>
 <1207147001.8381183.1432883953737.JavaMail.zimbra@redhat.com>
Message-ID: <1497289530.8679473.1432909865533.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Henk Laracker"
> To: "Stian Thorgersen"
> Cc: "Mark Bertels" , keycloak-user at lists.jboss.org
> Sent: Friday, 29 May, 2015 3:27:21 PM
> Subject: Re: [keycloak-user] Cors not working Final 1.2
>
> On 29/05/15 09:19, "Stian Thorgersen" wrote:
>
> >I assume you've secured http://localhost/app1 and http://localhost/cors
> >with the Keycloak Tomcat adapter?
>
> Yes
>
> >
> >For cors app you should select bearer-only as the client type, that'll
> >prevent the redirect with XMLHttpRequest. Bearer only applications are
> >"services" that only verify tokens sent in request, but doesn't allow
> >users to login directly.
> >You also need to make sure that
> >http://localhost/cors/test.txt is secured properly, in web.xml if that's
> >how you secure it. Once deployed check that you can visit
> >http://localhost/cors/test.txt in the browser.
> >
> >Next step would be to make sure http://localhost/app1 sends the bearer
> >token in the authorization header when invoking cors/test.txt
>
> This means that I have to change my application and send the token. In the
> example I can, but in real life I can to change the application. Is there
> not other way?

If you want to do a XMLHttpRequest to a secured endpoint you obviously need to include authentication details. Some JS frameworks will let you do that with interceptors without having to change your app.

From srossillo at smartling.com Fri May 29 16:53:56 2015
From: srossillo at smartling.com (Scott Rossillo)
Date: Fri, 29 May 2015 16:53:56 -0400
Subject: [keycloak-user] Update user when "Email as username" enabled
Message-ID: <926AA9D1-A94B-48D1-8B20-FF9681CB6325@smartling.com>

If I'm using email as username, I can update the email address on a user via the admin API, but the username doesn't update even when explicitly setting a new username. This is true in the KC admin console as well.

How do I update the username to match the new email address?

Thanks,
Scott

From roman.usatenko at gmail.com Fri May 29 19:39:33 2015
From: roman.usatenko at gmail.com (Roman Usatenko)
Date: Fri, 29 May 2015 16:39:33 -0700
Subject: [keycloak-user] Cancel button handling on keycloak login page
Message-ID:

Hello,

I am trying to implement POC with keycloak as auth* server. Here is my set up / use case:

- Tomcat server with keycloak adapter
- Web app with a URL *http://x.y/app/secure * protected by a security constraint.
- An unauthenticated user goes to the URL and gets redirected by the adapter to the keycloak login page.
- The user clicks Cancel button and gets redirected back to the URL with parameters ?error=access_denied&state=1%2Fxxxx
- This redirect is intercepted by the adapter and user's browser gets 400 error from the adapter. My application never receives the request.

So my questions are:
1. Is this correct description of what's going on or am I missing something?
2.
If this is the behavior by design wouldn't it be better instead of the 400 error to redirect user to some themed page on the keycloak server with a nice explanation, like "We're sorry, but you cannot access this resource without authentication, blablabla "

Thank you,
Roman Usatenko.

From prabhalar at yahoo.com Fri May 29 22:19:47 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Sat, 30 May 2015 02:19:47 +0000 (UTC)
Subject: [keycloak-user] keycloak Identity broker for Custom Authentication
Message-ID: <1327865093.1508982.1432952387617.JavaMail.yahoo@mail.yahoo.com>

Hi,

I am wondering if anyone implemented an Identity Broker for custom authentication? If so, would appreciate some input on how to achieve that?

I tried implementing one using the existing OIDC broker as the starting point but the option to select this custom broker doesn't appear in the GUI. So my question is, what changes must be made in the GUI to make the custom broker visible? Appreciate any pointers

Thanks,
Raghu

From bburke at redhat.com Sat May 30 00:20:27 2015
From: bburke at redhat.com (Bill Burke)
Date: Sat, 30 May 2015 00:20:27 -0400
Subject: [keycloak-user] keycloak Identity broker for Custom Authentication
In-Reply-To: <1327865093.1508982.1432952387617.JavaMail.yahoo@mail.yahoo.com>
References: <1327865093.1508982.1432952387617.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <55693A8B.4060207@redhat.com>

We haven't really made this SPI public, but you must specify a META-INF/services/org...IdentityProviderFactory file within the jar of your broker. You'll see an example file in the oidc module.
On 5/29/2015 10:19 PM, Raghu Prabhala wrote:
> Hi,
>
> I am wondering if anyone implemented an Identity Broker for custom
> authentication? If so, would appreciate some input on how to achieve that?
>
> I tried implementing one using the existing OIDC broker as the starting
> point but the option to select this custom broker doesn't appear in the
> GUI. So my question is, what changes must be made in the GUI to make the
> custom broker visible? Appreciate any pointers
>
> Thanks,
> Raghu

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From prabhalar at yahoo.com Sat May 30 07:55:11 2015
From: prabhalar at yahoo.com (Raghu Prabhala)
Date: Sat, 30 May 2015 11:55:11 +0000 (UTC)
Subject: [keycloak-user] keycloak Identity broker for Custom Authentication
In-Reply-To: <55693A8B.4060207@redhat.com>
References: <55693A8B.4060207@redhat.com>
Message-ID: <1335464390.1624624.1432986911233.JavaMail.yahoo@mail.yahoo.com>

Thanks Bill. That helps. Now I am able to see the custom identity broker in the combobox. But when I choose it, I get a "page not found". It appears that I have to create a couple of html pages under the themes to display the content and perhaps modify some .js to show that page (looking at other identity providers to understand what needs to be done). Is there any documentation that outlines what we need to do?