From cedric.falletta at lampiris.be Mon Aug 1 05:16:41 2016
From: cedric.falletta at lampiris.be (Cedric Falletta)
Date: Mon, 1 Aug 2016 09:16:41 +0000
Subject: [keycloak-user] Can't retrieve group roles in access token
Message-ID: <1C804824EDF10B4AA15EC8C813517738015E3D06FE@QUIQUILFUS.lampiris.local>

Hello,

I recently installed Keycloak 2.0.0 and I'm having trouble retrieving the roles of my users in the access token.

I made a simple test in which I created a user "WebUser" and a group "GROUP-Website". I added the role "GROUP-Website" to my "WebUser" and then assigned the role "ROLE-Website" to this group. The user should then inherit this role.

I then configured a client which maps groups and roles to my access tokens. It works well, but I can't find "ROLE-Website". Note that if I add a specific role directly to the user, it will be present in the access token. My problem here is then only related to the roles of my groups not being assigned to the user.

As far as I understood from other issues, these roles should be present in the token. Can you then tell me if I somehow misconfigured the client or the mapper?

Thank you,
Cédric

Lampiris SA/NV
Rue Saint-Laurent, 54. 4000 - Liège. Belgique
From Mohan.Radhakrishnan at cognizant.com Mon Aug 1 05:41:31 2016
From: Mohan.Radhakrishnan at cognizant.com (Mohan.Radhakrishnan at cognizant.com)
Date: Mon, 1 Aug 2016 09:41:31 +0000
Subject: [keycloak-user] Access token or ID token
Message-ID:

Hi,

My ID token flow and OIDC filter are working. But I am still doubtful about my implementation.

When I used another IdP (IdentityServer3) the redirect URL issued from AngularJS gave me the access token with the ID token embedded in it directly. But now I am using this code.

    AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();

The URL is this.

    http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user

And https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html mentions that keycloak.json is required to get the access token in AngularJS.

Am I missing something? Why is there a difference?

Thanks,
Mohan
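The two questions above, which roles the access token actually carries and whether the token in hand is an ID token or an access token, are both settled by reading the claims. The Java helper below is an added example, written for this page and not code from either poster or from Keycloak: it splits the compact JWS, base64url-decodes the JOSE header and the payload with Jackson (which the Keycloak Java adapters already pull in), and reports typ, iss, azp, aud, realm_access.roles, resource_access.<client>.roles and any groups claim. It deliberately does not verify the signature, so it is a debugging aid only; never make an authorization decision on claims read this way, the adapter verifies the token against the realm key before it reaches your code. The token in main is constructed (alg=none, realm Test, client Test, user webuser) to stand in for one copied from the browser or from KeycloakSecurityContext.getTokenString().

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Decodes a Keycloak JWT (access token or ID token) and reports the claims that
 * decide role questions. The signature is NOT checked: this is for looking at what
 * the server put in the token, not for authorizing anything.
 */
public final class TokenClaimsInspector {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    public static final class Summary {
        public final Map<String, String> joseHeader = new TreeMap<>();      // alg, kid, typ of the JOSE header
        public String typ, iss, sub, azp, aud, preferredUsername;           // typ: "Bearer" or "ID" in Keycloak
        public final Set<String> realmRoles = new TreeSet<>();              // realm_access.roles
        public final Map<String, Set<String>> clientRoles = new TreeMap<>();// resource_access.<client>.roles
        public boolean hasGroupsClaim;                                      // only with a group membership mapper
        public final List<String> groups = new ArrayList<>();

        /** True when the role is present at realm level or for any client. */
        public boolean hasRole(String role) {
            if (realmRoles.contains(role)) return true;
            for (Set<String> roles : clientRoles.values()) if (roles.contains(role)) return true;
            return false;
        }
    }

    public static Summary inspect(String compactJws) throws java.io.IOException {
        String[] parts = compactJws.split("\\.", -1);
        if (parts.length < 2 || parts.length > 3) {
            throw new IllegalArgumentException("expected header.payload[.signature]");
        }
        JsonNode header = MAPPER.readTree(decode(parts[0]));
        JsonNode payload = MAPPER.readTree(decode(parts[1]));

        Summary s = new Summary();
        for (Iterator<Map.Entry<String, JsonNode>> it = header.fields(); it.hasNext(); ) {
            Map.Entry<String, JsonNode> e = it.next();
            s.joseHeader.put(e.getKey(), e.getValue().asText());
        }
        s.typ = text(payload, "typ");
        s.iss = text(payload, "iss");
        s.sub = text(payload, "sub");
        s.azp = text(payload, "azp");
        s.preferredUsername = text(payload, "preferred_username");
        JsonNode aud = payload.path("aud");                     // a single string or an array
        s.aud = aud.isArray() ? aud.toString() : text(payload, "aud");

        // Roles inherited through groups or composites appear here like directly assigned ones.
        for (JsonNode r : payload.path("realm_access").path("roles")) s.realmRoles.add(r.asText());
        Iterator<Map.Entry<String, JsonNode>> clients = payload.path("resource_access").fields();
        while (clients.hasNext()) {
            Map.Entry<String, JsonNode> client = clients.next();
            Set<String> roles = new TreeSet<>();
            for (JsonNode r : client.getValue().path("roles")) roles.add(r.asText());
            s.clientRoles.put(client.getKey(), roles);
        }
        // The claim name is whatever the mapper's "Token Claim Name" is; "groups" is the usual choice.
        JsonNode groups = payload.path("groups");
        s.hasGroupsClaim = !groups.isMissingNode();
        for (JsonNode g : groups) s.groups.add(g.asText());
        return s;
    }

    private static String text(JsonNode payload, String claim) {
        JsonNode n = payload.path(claim);
        return n.isTextual() ? n.textValue() : null;
    }

    private static String decode(String base64Url) {
        return new String(Base64.getUrlDecoder().decode(base64Url), StandardCharsets.UTF_8);
    }

    private static String encode(String json) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    /** Constructed, unsigned sample standing in for a real token; replace with the one you are debugging. */
    public static void main(String[] args) throws Exception {
        String header = "{\"alg\":\"none\",\"typ\":\"JWT\"}";
        String payload = "{\"typ\":\"Bearer\",\"iss\":\"http://localhost:8080/auth/realms/Test\","
                + "\"azp\":\"Test\",\"aud\":\"Test\",\"preferred_username\":\"webuser\","
                + "\"realm_access\":{\"roles\":[\"GROUP-Website\"]},"
                + "\"resource_access\":{\"account\":{\"roles\":[\"view-profile\"]}}}";
        Summary s = inspect(encode(header) + "." + encode(payload) + ".");
        System.out.println("typ=" + s.typ + " azp=" + s.azp + " user=" + s.preferredUsername);
        System.out.println("realm roles: " + s.realmRoles + "  client roles: " + s.clientRoles);
        System.out.println("groups claim present: " + s.hasGroupsClaim + " " + s.groups);
        System.out.println("ROLE-Website present: " + s.hasRole("ROLE-Website"));
    }
}
```

Keycloak writes the token kind into typ, Bearer for access tokens and ID for ID tokens, so a typ of ID means a response_type=id_token request returned only an ID token and there is no access token to find; use the authorization code flow (response_type=code) and the token endpoint, which is what the JavaScript adapter does for you, to get both. For the roles question, a realm role inherited through a group shows up in realm_access.roles with no marker of where it came from, and a groups claim is present only when the client has a Group Membership mapper; if neither contains what you expect, the server never put it there and the mapper or the group assignment is the place to look, not the adapter.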
From bvs78 at rediffmail.com Mon Aug 1 07:11:42 2016
From: bvs78 at rediffmail.com (Subrahmanyam BV)
Date: 1 Aug 2016 11:11:42 -0000
Subject: [keycloak-user] Multi tenancy -Groups
Message-ID: <1469789469.S.2661.30850.f4mail-235-117.rediffmail.com.1470049902.6196@webmail.rediffmail.com>

Pls help.

Regards,
Subrahmanyam

Hi,

Here are a few questions regarding Groups and multi-tenancy approaches.

1. Assuming a scenario where one client (application) in Keycloak is to be accessible by a couple of customers (customer 1 and customer 2), what are the possible approaches?
2. Can I have one realm per customer? In this case the client has to be duplicated per realm and the keycloak.json file has to be updated every time a new customer comes in.
3. If we have one realm and a group per customer, then I should be able to restrict the access (user management) per group.

Please suggest on this.

Regards,
Subrahmanyam.

From psilva at redhat.com Mon Aug 1 07:34:41 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 1 Aug 2016 07:34:41 -0400 (EDT)
Subject: [keycloak-user] Unable to understand authorization/get it to work
In-Reply-To: <1469861424224.48370@viteos.com>
References: <1469861424224.48370@viteos.com>
Message-ID: <1911301123.21862561.1470051281165.JavaMail.zimbra@redhat.com>

Hi,

Your understanding is correct. However, that message is not clear enough about what it really represents. There were some improvements to the Evaluation Tool UI, including an option to look at the resulting authorization token. I'm also going to change that message and make it clearer in case you get a DENY or in case the server could not find policies that match the resources/scopes you are evaluating.

Regards.
Pedro Igor

----- Original Message -----
From: "Ushanas Shastri"
To: keycloak-user at lists.jboss.org
Sent: Saturday, July 30, 2016 3:52:01 AM
Subject: [keycloak-user] Unable to understand authorization/get it to work

Hello,

This is my first post on this mailing list, and I've been evaluating Keycloak for a couple of days. I've been unable to get Authorization to work the way I thought it should. Maybe I've not understood it right, and could do with some help. I am using the built-in Evaluation tool to check.

Here's my scenario: I have a web based application, where we have typical CRUD operations being performed. For e.g. the application maintains a list of Sources from which we expect to receive data. Users have the ability to add, edit, view or delete a Source, provided the Sources belong to their Business Unit.

Here's what I did in Keycloak.
- Created Source as a resource, with the 4 actions as scopes (add, edit, view and delete).
- Added a Role based Policy to a role called "ViewOnly".
- The ViewOnly role is mapped to users.
- Created a Scope based permission, where View is the only scope on the resource, attached to the ViewOnly policy.

Now, when I use the evaluation tool for scope "View", I get a permit, which is as expected. I then check the evaluation tool for scope "Delete", and I get a message "Could not obtain any result for the given authorization request. Check if the provided resource(s) or scope(s) are associated with any policy." Is this as expected? Isn't this supposed to return a Deny since the Policy Enforcement Mode on the realm is "Enforcing"? Is this just a UI message, indicating the same as a Deny?

Now, I add Delete as a scope to the same permission, and check on the Delete scope in the evaluation tool, but I continue to get the same message as above. Shouldn't I be receiving a PERMIT now, as the same permission was modified to include the Delete scope?

The summary is that if I have more than one scope added to the permission, the evaluation tool returns this message. If I have only one scope in a policy, it works for me.

What am I missing?

Regards,
Ushanas.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From r.vanloenhout at greenvalley.nl Mon Aug 1 10:09:29 2016
From: r.vanloenhout at greenvalley.nl (Robert van Loenhout)
Date: Mon, 1 Aug 2016 14:09:29 +0000
Subject: [keycloak-user] keycloak and spring security
Message-ID:

I'm trying to create a test application using Spring and Wicket (without Spring Boot). I'm unable to trigger any authentication redirect. I have added a SecurityConfig class as specified by the manual, and it's been picked up by Spring.
For example my configure method is called:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests().anyRequest().authenticated();
    }

However, whatever page I call, it is returned without taking any security into account.

This is my web.xml:

    <servlet>
        <servlet-name>wicket</servlet-name>
        <servlet-class>org.apache.wicket.protocol.http.WicketServlet</servlet-class>
        <init-param>
            <param-name>applicationFactoryClassName</param-name>
            <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
        </init-param>
        <init-param>
            <param-name>applicationBean</param-name>
            <param-value>wicketApplication</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>wicket</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

The applicationContext does a component-scan. Did I miss something that I need to add?

From rsang at carelogistics.com Mon Aug 1 11:12:16 2016
From: rsang at carelogistics.com (Rong Sang (CL-ATL))
Date: Mon, 1 Aug 2016 15:12:16 +0000
Subject: [keycloak-user] How to implement this using Keycloak
In-Reply-To: <1036664292.21314157.1469836242636.JavaMail.zimbra@redhat.com>
References: <887A447F-BE5D-4CB9-9A58-1A4CA630E68C@carelogistics.com> <1036664292.21314157.1469836242636.JavaMail.zimbra@redhat.com>
Message-ID:

Hi Pedro,

Thank you for your quick response! Travis, thank you for chiming in too. I agree your use case is the same as mine.

Let me first answer Pedro's questions, and then I'll explain my use case in detail.

* Are you the service owner?
  Answer: yes, we have full control of the API.
* Is your service using a REST-style? How does the API look?
  Answer: it is a REST-style service.
* Is your service already protected using a bearer token?
  Answer: yes, more details below.
* How are you representing the user's unit? Realm, Group, role or just a user claim/attribute?
  Answer: Group and role, more details below.
* What is behind: "Users should not have the access to patients in a unit that they are not authorized". What does "not authorized" really mean? What kinds of policies do you want to apply?
  I explain this in the following description of my use case.

In my application, I have patients who stay in the hospital for overnight treatments. They stay in various units based on their diagnosis and treatment plans. In each unit, there are nurses, who are the users of my application. To protect patients' privacy, a nurse can only view the information of patients who stay in her unit. If a patient is not in the unit that the nurse works in, the nurse should be denied access to the patient's information.

Nurse information is stored in an LDAP server. I use the Keycloak LDAP module to sync users/groups, and do group-to-role mappings in Keycloak too. Doing so, I will know which nurse works in which units.

I use OAuth tokens for authentication in Keycloak. I use the UMA features for fine-grained authorization.

The patient service in my application returns the patient records. Because the service is a REST service, I use a bearer token to protect it. Because I want the service to "filter" the returned patient records based on the user's units (or roles that represent units), I will need to get the units or roles somehow. I think the roles can be a part of the bearer token passed to the server.

Here is the API for now. The endpoint is "/patients"; the user/roles information is embedded in the bearer token. I think I can extract roles from the token and map the request to an API call getPatients(units). Here the "units" is equivalent to "roles". I think it will be easier if the Keycloak adapter can extract roles and set them in a new request header for me. When the request is mapped to the API call, mapping the roles (filters) is just like mapping a regular request header.

Do you think this is a far-fetched idea? Or do you have better ideas to achieve a similar effect?

Thanks!
Rong

From: Pedro Igor Silva
Date: Friday, July 29, 2016 at 7:50 PM
To: rongsang
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] How to implement this using Keycloak

Hi Rong,

Can you provide more details about your use case? For instance:

* Are you the service owner?
* Is your service using a REST-style? How does the API look?
* Is your service already protected using a bearer token?
* How are you representing the user's unit? Realm, Group, role or just a user claim/attribute?
* What is behind: "Users should not have the access to patients in a unit that they are not authorized". What does "not authorized" really mean? What kinds of policies do you want to apply?

From what you described, it seems that you can achieve what you want with different approaches. It all depends on what you really need and how fine-grained you want to be.

For instance, units can be represented as groups in Keycloak. You can enforce group membership in your application by introspecting the bearer token (issued by a Keycloak server to some client). The same logic applies if you are using roles or attributes to represent units.

In 2.0.0.Final, we have introduced Keycloak Authorization Services. This one is related to externalized and fine-grained authorization, which gives you great flexibility to define, manage, deploy and enforce authorization policies for your application and organization. Indeed, one of the protocols we are supporting (not fully, yet), UMA, is pretty much based on several healthcare use cases. For instance, you can manage the policies that apply to patient records in Keycloak and also let Keycloak enforce these policies on requests sent to your application. In this case, you can define not only a "from unit have access" policy, but also apply even more fine-grained policies to your service using the different policy providers (ABAC and Context-based, RBAC, Time-based, Rules-based, User-based, more to come...) we provide.

We are still missing some very nice parts of UMA though, as currently we are focusing on API security use cases. But I hope to get those missing parts implemented soon.

Regards.
Pedro Igor

----- Original Message -----
From: "Rong Sang (CL-ATL)"
To: keycloak-user at lists.jboss.org
Sent: Friday, July 29, 2016 5:23:20 PM
Subject: [keycloak-user] How to implement this using Keycloak

Hi all,

I'm doing a POC using Keycloak. The normal authentication/authorization features work well, but I have the following requirement that I cannot find a straightforward solution for. I hope some security experts on the mailing list can point me in the right direction.

Here is the requirement. A hospital has multiple units. Users should not have access to patients in a unit that they are not authorized for. I have one service that returns a list of patients across units. What's the best way to set up authorization for this service?

As I said earlier, I cannot find a feature for me to implement this. Any idea is greatly appreciated.

Thanks,
Rong

From aikeaguinea at xsmail.com Mon Aug 1 11:17:35 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Mon, 01 Aug 2016 11:17:35 -0400
Subject: [keycloak-user] Multi tenancy -Groups
In-Reply-To:
References: <1469789469.S.2661.30850.f4mail-235-117.rediffmail.com.1470049902.6196@webmail.rediffmail.com>
Message-ID: <1470064655.3822056.682685417.5AF9A98C@webmail.messagingengine.com>

I had a thread on this list with I think the same question. You can find it here:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-One-client-application-users-in-many-organizations-td115.html

> Pls help.
> [...]

--
Aikeaguinea
aikeaguinea at xsmail.com

--
http://www.fastmail.com - Does exactly what it says on the tin

From psilva at redhat.com Mon Aug 1 12:26:44 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 1 Aug 2016 12:26:44 -0400 (EDT)
Subject: [keycloak-user] How to implement this using Keycloak
In-Reply-To:
References: <887A447F-BE5D-4CB9-9A58-1A4CA630E68C@carelogistics.com> <1036664292.21314157.1469836242636.JavaMail.zimbra@redhat.com>
Message-ID: <1565239460.22222181.1470068804692.JavaMail.zimbra@redhat.com>

In this case, I think you can just obtain the KeycloakSecurityContext, get the roles from there and then filter patients. I don't think you need a request header for that.

The KeycloakSecurityContext is attached to the request as an attribute. So you just need to obtain it as follows:

    KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());

Also, maybe you could do the filtering by having the "unit" id in your path. In this case, the client would just invoke your API passing the "unit" id and get the patients.

So, are you already using our authorization services to enforce policies for individual patients?

Regards.
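As an added example of the approach in the reply above (it is not Keycloak's code and not the posters'), the Java class below pulls the KeycloakSecurityContext that the adapter attached to the request, derives the caller's units from the realm roles in the verified access token, and filters the patient list. It assumes a role naming convention the thread does not specify: realm roles of the form unit:<unit id>, e.g. unit:icu, as the LDAP group-to-role mapping would produce. The path variant Pedro suggests is included with the check a practitioner needs: the unit id in the path is client input, so it is compared against the units the token grants and rejected (map the exception to HTTP 403) instead of being used to look up data. The "adapter copies roles into a request header" idea is avoided on purpose, since a header can be injected by the client unless something upstream strips it, whereas the security context comes only from the token the adapter itself verified.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import javax.servlet.http.HttpServletRequest;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Unit-scoped patient listing. The units a caller may see come only from the realm
 * roles in the access token the Keycloak adapter verified and attached to the request.
 * Nothing the client sends (header, query, path) widens that set; the path variant
 * can only narrow it.
 */
public final class UnitScopedPatients {

    /** Assumed naming convention (not from the thread): realm role "unit:icu" grants unit "icu". */
    static final String UNIT_ROLE_PREFIX = "unit:";

    /** Minimal patient record for the example. */
    public static final class Patient {
        public final String id;
        public final String unit;
        public Patient(String id, String unit) { this.id = id; this.unit = unit; }
        @Override public String toString() { return id + "@" + unit; }
    }

    /** Raised when the caller asks for a unit its token does not grant; map to HTTP 403. */
    public static final class ForbiddenUnitException extends RuntimeException {
        public ForbiddenUnitException(String unit) { super("unit not granted by token: " + unit); }
    }

    /** Units implied by a set of realm roles; roles without the prefix (offline_access etc.) are ignored. */
    public static Set<String> unitsFromRoles(Set<String> realmRoles) {
        Set<String> units = new TreeSet<>();
        for (String role : realmRoles) {
            if (role.startsWith(UNIT_ROLE_PREFIX) && role.length() > UNIT_ROLE_PREFIX.length()) {
                units.add(role.substring(UNIT_ROLE_PREFIX.length()));
            }
        }
        return units;
    }

    /** Pure filter shared by both endpoints. */
    public static List<Patient> visibleTo(Collection<Patient> all, Set<String> allowedUnits) {
        List<Patient> out = new ArrayList<>();
        for (Patient p : all) if (allowedUnits.contains(p.unit)) out.add(p);
        return out;
    }

    /** Realm roles from the adapter-verified token; empty when the request was not authenticated. */
    public static Set<String> realmRolesOf(HttpServletRequest request) {
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null || ctx.getToken() == null) return Collections.emptySet();
        AccessToken.Access realm = ctx.getToken().getRealmAccess();
        return realm == null || realm.getRoles() == null ? Collections.emptySet() : realm.getRoles();
    }

    /** GET /patients: everything the caller's units allow, nothing else. */
    public static List<Patient> listPatients(HttpServletRequest request, Collection<Patient> all) {
        return visibleTo(all, unitsFromRoles(realmRolesOf(request)));
    }

    /** GET /units/{unit}/patients: the path is untrusted input, so it is checked against the token first. */
    public static List<Patient> listPatientsInUnit(HttpServletRequest request, String unitFromPath,
                                                   Collection<Patient> all) {
        Set<String> granted = unitsFromRoles(realmRolesOf(request));
        if (!granted.contains(unitFromPath)) throw new ForbiddenUnitException(unitFromPath);
        return visibleTo(all, Collections.singleton(unitFromPath));
    }

    /** Constructed sample data; at runtime the container supplies the HttpServletRequest. */
    public static void main(String[] args) {
        List<Patient> all = Arrays.asList(new Patient("p1", "icu"), new Patient("p2", "oncology"),
                                          new Patient("p3", "icu"));
        Set<String> roles = new TreeSet<>(Arrays.asList("unit:icu", "offline_access", "uma_authorization"));
        System.out.println(visibleTo(all, unitsFromRoles(roles)));   // only the icu patients
    }
}
```

Keeping the filter in visibleTo and the role extraction in unitsFromRoles makes both testable without a servlet container, and it keeps a single place that decides what "authorized for a unit" means; if the units later become a group membership claim or a user attribute instead of roles, only realmRolesOf and unitsFromRoles change.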
In this case, the client would just invoke your API passing the "unit" id and get the patients. So, are you already using our authorization services to enforce policies to individual patients ? Regards. ----- Original Message ----- From: "Rong Sang (CL-ATL)" To: "Pedro Igor Silva" , "Travis De Silva" Cc: keycloak-user at lists.jboss.org Sent: Monday, August 1, 2016 12:12:16 PM Subject: Re: [keycloak-user] How to implement this using Keycloak Hi Pedro, Thank you for your quick response! Travis? thank you for chiming in too. I agree your use case is the same as mine. Let me first answer Pedro?s questions, and then I explain my use cases in detail. * Are you the service owner ? Answer: yes, we have the full control of the API. * Is your service using a REST-style ? How the API looks like ? Answer: it is a REST-style service. * Is your service already protected using a bearer token ? Answer: yes, more details below. * How are you representing the user's unit ? Realm, Group, role or just a user claim/attribute ? Answer: Group and role, more details below. * What is behind: "Users should not have the access to patients in a unit that they are not authorized". What "not authorized" really means ? What kinds of policies you want to apply ? I explain this in the following description of my use case. In my application, I have patients who stay in the hospital for overnight treatments. They stay in various units based on their diagnosis and treatment plans. In each unit, there are nurses, who are the users of my application. To protect patients? privacy, a nurse can only view the information of patients who stay in her unit. If a patient is not in the unit that the nurse works in, the nurse should be denied the access to the patient?s information. Nurse information is stored in a LDAP server. I use Keycloak LDAP module to sync users/groups, and do group-to-role mappings in Keycloak too. Doing so, I will know which nurse works in which units. 
I use OAuth tokens for authentication in Keycloak. I use the UMA features for fine-grained authorization. The patient service in my application returns the patient records. Because the service is a REST service, I use a bearer token to protect it. Because I want the service to ?filter? the returned patient records based on user?s units (or roles that represent units), I will need to get the units or roles somehow. I think the roles can be a part of the bearer token passed to the server Here is the api for now. The endpoint is ?/patients?, the user/roles information is embedded in the bearer token. I think I can extract roles from the token and map the request to an API call getPatients(units). Here the ?units? is equivalent to ?roles?. I think it will be easier if the Keycloak adapter can extract roles and set them in a new request header for me. When the request is mapped to the API call, mapping the roles (filters) is just like mapping a regular request header. Do you think this is a far-fetched idea? Or do you have better ideas to archive the similar effect? Thanks! Rong From: Pedro Igor Silva Date: Friday, July 29, 2016 at 7:50 PM To: rongsang Cc: "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] How to implement this using Keycloak Hi Rong, Can you provide more details about your use case ? For instance: * Are you the service owner ? * Is your service using a REST-style ? How the API looks like ? * Is your service already protected using a bearer token ? * How are you representing the user's unit ? Realm, Group, role or just a user claim/attribute ? * What is behind: "Users should not have the access to patients in a unit that they are not authorized". What "not authorized" really means ? What kinds of policies you want to apply ? >From what you described, it seems that you can achieve what you want with different approaches. It all depends on what you really need and how fine-grained you want to be. 
For instance, units can be represented as groups in Keycloak. You can enforce group membership in your application by introspecting the bearer token (issued by a Keycloak server to some client). The same logic applies if you are using roles or attributes to represent units. In 2.0.0.Final, we have introduced Keycloak Authorization Services. This one is related with externalized and fine-grained authorization, which gives you great flexibility to define, manage, deploy and enforce authorization polices to your application and organization. Indeed, one of the protocols we are supporting (not fully, yet), UMA, is pretty much based on several healthcare use cases. For instance, you can manage the policies that apply to patient records in Keycloak and also let Keycloak enforce these policies to requests sent to your application. In this case, you can define not only a "from unit have access" policy, but also apply even more fine-grained policies to your service using the different policy providers (ABAC and Context-based, RBAC, Time-based, Rules-based, User-based, more to come...) we provide. We are still missing some very nice parts of UMA though, as currently we are focusing on API security use cases. But I hope to get those missing parts implemented soon. Regards. Pedro Igor ----- Original Message ----- From: "Rong Sang (CL-ATL)" To: keycloak-user at lists.jboss.org Sent: Friday, July 29, 2016 5:23:20 PM Subject: [keycloak-user] How to implement this using Keycloak Hi all, I?m doing a POC using Keycloak. The normal authentication/authorization features work well, but I have the following requirement that cannot find a straightforward solution for. I hope some security experts in the mailing list can point me to the right direction. Here is the requirement. A hospital has multiple units. Users should not have the access to patients in a unit that they are not authorized. I have one service that returns a list of patients across units. 
What?s the best way to set up authorization for this service? As I said earlier, I cannot find a feature for me to implement this. Any idea is greatly appreciated. Thanks, Rong _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From rsang at carelogistics.com Mon Aug 1 12:38:57 2016 From: rsang at carelogistics.com (Rong Sang (CL-ATL)) Date: Mon, 1 Aug 2016 16:38:57 +0000 Subject: [keycloak-user] How to implement this using Keycloak In-Reply-To: <1565239460.22222181.1470068804692.JavaMail.zimbra@redhat.com> References: <887A447F-BE5D-4CB9-9A58-1A4CA630E68C@carelogistics.com> <1036664292.21314157.1469836242636.JavaMail.zimbra@redhat.com> <1565239460.22222181.1470068804692.JavaMail.zimbra@redhat.com> Message-ID: <2A9B664C-3930-46F3-B2A6-C58B84CBAEA7@carelogistics.com> I will research the KeycloakSecurityContext class then. I can see that including the ?unit? id in the path is another way to go. Yes, I?m using a role-based policy, but instead of applying to individual patients, I apply the policy to a resource represents all patients. In essence, any user with any ?unit? role can access the resource, but the filter mechanism described earlier returns the right set of patients for the user. Any better ideas? Regards. From: Pedro Igor Silva Date: Monday, August 1, 2016 at 12:26 PM To: rongsang Cc: Travis De Silva , "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] How to implement this using Keycloak In this case, I think you can just obtain the KeycloakSecurityContext, get the roles from there and then filter patients. Don't think you need a request header for that. The KeycloakSecurityContext is attached to the request as an attribute. 
So you just need to obtain it as follows: KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName()); Also, maybe you could do the filtering by having the "unit" id in your path. In this case, the client would just invoke your API passing the "unit" id and get the patients. So, are you already using our authorization services to enforce policies to individual patients ? Regards. ----- Original Message ----- From: "Rong Sang (CL-ATL)" To: "Pedro Igor Silva" , "Travis De Silva" Cc: keycloak-user at lists.jboss.org Sent: Monday, August 1, 2016 12:12:16 PM Subject: Re: [keycloak-user] How to implement this using Keycloak Hi Pedro, Thank you for your quick response! Travis? thank you for chiming in too. I agree your use case is the same as mine. Let me first answer Pedro?s questions, and then I explain my use cases in detail. * Are you the service owner ? Answer: yes, we have the full control of the API. * Is your service using a REST-style ? How the API looks like ? Answer: it is a REST-style service. * Is your service already protected using a bearer token ? Answer: yes, more details below. * How are you representing the user's unit ? Realm, Group, role or just a user claim/attribute ? Answer: Group and role, more details below. * What is behind: "Users should not have the access to patients in a unit that they are not authorized". What "not authorized" really means ? What kinds of policies you want to apply ? I explain this in the following description of my use case. In my application, I have patients who stay in the hospital for overnight treatments. They stay in various units based on their diagnosis and treatment plans. In each unit, there are nurses, who are the users of my application. To protect patients? privacy, a nurse can only view the information of patients who stay in her unit. 
If a patient is not in the unit that the nurse works in, the nurse should be denied the access to the patient?s information. Nurse information is stored in a LDAP server. I use Keycloak LDAP module to sync users/groups, and do group-to-role mappings in Keycloak too. Doing so, I will know which nurse works in which units. I use OAuth tokens for authentication in Keycloak. I use the UMA features for fine-grained authorization. The patient service in my application returns the patient records. Because the service is a REST service, I use a bearer token to protect it. Because I want the service to ?filter? the returned patient records based on user?s units (or roles that represent units), I will need to get the units or roles somehow. I think the roles can be a part of the bearer token passed to the server Here is the api for now. The endpoint is ?/patients?, the user/roles information is embedded in the bearer token. I think I can extract roles from the token and map the request to an API call getPatients(units). Here the ?units? is equivalent to ?roles?. I think it will be easier if the Keycloak adapter can extract roles and set them in a new request header for me. When the request is mapped to the API call, mapping the roles (filters) is just like mapping a regular request header. Do you think this is a far-fetched idea? Or do you have better ideas to archive the similar effect? Thanks! Rong From: Pedro Igor Silva Date: Friday, July 29, 2016 at 7:50 PM To: rongsang Cc: "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] How to implement this using Keycloak Hi Rong, Can you provide more details about your use case ? For instance: * Are you the service owner ? * Is your service using a REST-style ? How the API looks like ? * Is your service already protected using a bearer token ? * How are you representing the user's unit ? Realm, Group, role or just a user claim/attribute ? 
* What is behind: "Users should not have the access to patients in a unit that they are not authorized". What "not authorized" really means ? What kinds of policies you want to apply ? From what you described, it seems that you can achieve what you want with different approaches. It all depends on what you really need and how fine-grained you want to be. For instance, units can be represented as groups in Keycloak. You can enforce group membership in your application by introspecting the bearer token (issued by a Keycloak server to some client). The same logic applies if you are using roles or attributes to represent units. In 2.0.0.Final, we have introduced Keycloak Authorization Services. This one is related with externalized and fine-grained authorization, which gives you great flexibility to define, manage, deploy and enforce authorization polices to your application and organization. Indeed, one of the protocols we are supporting (not fully, yet), UMA, is pretty much based on several healthcare use cases. For instance, you can manage the policies that apply to patient records in Keycloak and also let Keycloak enforce these policies to requests sent to your application. In this case, you can define not only a "from unit have access" policy, but also apply even more fine-grained policies to your service using the different policy providers (ABAC and Context-based, RBAC, Time-based, Rules-based, User-based, more to come...) we provide. We are still missing some very nice parts of UMA though, as currently we are focusing on API security use cases. But I hope to get those missing parts implemented soon. Regards. Pedro Igor ----- Original Message ----- From: "Rong Sang (CL-ATL)" To: keycloak-user at lists.jboss.org Sent: Friday, July 29, 2016 5:23:20 PM Subject: [keycloak-user] How to implement this using Keycloak Hi all, I?m doing a POC using Keycloak. 
The normal authentication/authorization features work well, but I have the following requirement that I cannot find a straightforward solution for. I hope some security experts on the mailing list can point me in the right direction.

Here is the requirement. A hospital has multiple units. Users should not have access to patients in a unit that they are not authorized for. I have one service that returns a list of patients across units. What's the best way to set up authorization for this service?

As I said earlier, I cannot find a feature for me to implement this. Any idea is greatly appreciated.

Thanks,
Rong

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Mon Aug 1 13:00:14 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 19:00:14 +0200
Subject: [keycloak-user] One click social-account linking widgets on website authenticated by Keycloak JS adapter
In-Reply-To: <8a05c13b-f03e-c960-d520-06d555772532@redhat.com>
References: <20160727093408.GB30971@abstractj.org> <8a05c13b-f03e-c960-d520-06d555772532@redhat.com>
Message-ID: <579F801E.50003@redhat.com>

I think that in the future, we plan to rewrite AccountService to use angular + REST endpoints. That way, the applications will have an easier possibility to invoke REST endpoints, which are currently available just to AccountService (i.e. linking a social account).

For now, I can see the solution can be either:

- Implement your own REST endpoint with logic similar to AccountService.processFederatedIdentityUpdate. The endpoint will be triggered when you click on the "link social" button in your app.
- Implement the logic in the first-broker-login flow as you pointed out.
Maybe it's as easy as just adding CookieAuthenticator to the first-broker-login flow? As then, if the user is already authenticated (which is determined based on the SSO cookie), the flow will be finished with success and the user will later just be linked with the social account.

Not sure which possibility is better, depends on the use case probably.

Marek

On 27/07/16 12:56, Vlastimil Elias wrote:
> Thanks, but which URL should I use, with which parameters? I think createLoginUrl() creates the URL which is internally used in login() and I tried this, but the problem is in the keycloak server side flow. It asks me to login using github, but after this it does not link this github account with the already logged in Keycloak user, but performs the common social login flow.
>
> Maybe I should somehow change the "First Broker Login" flow to detect that the user is logged in already and perform the link. But I'm curious if Keycloak supports this case OOTB as I think it should be a relatively common requirement.
>
> Vl.
>
> On 27.7.2016 11:34, Bruno Oliveira wrote:
>> Hi Vlastimil,
>>
>> I can be wrong, but I believe you have to call createLoginUrl[1].
>>
>> [1] - https://github.com/keycloak/keycloak/blob/5c98b8c6ae7052b2d906156d8fc212ccd9dfd57d/examples/broker/twitter-authentication/src/main/webapp/js/app.js#L39-L51
>>
>> On 2016-07-22, Vlastimil Elias wrote:
>>> Hi,
>>>
>>> we have a requirement to implement 'One click social-account linking widgets' on a website authenticated by the Keycloak JS adapter. To achieve this a button would be placed on the website with the following flow:
>>>
>>> 1. User logs into the website (keycloak JS adapter)
>>> 2. User browses to a part of the site requiring social account linking (site checks linking status of current user for given social login provider based on info in token - we wrote our mapper for this)
>>> 3. User clicks on a button to link the required social account with his Keycloak account
>>> 4. User is directed through the linking process (which is similar to the Social Link action in the Account app)
>>> 5. User is returned to the original page on successful account linking (token in js client must be refreshed to contain actual info about social links).
>>>
>>> Is there any way to achieve this? I tried to call the JS client login method with idpHint when the user is logged in (keycloak.login({"idpHint":"github"})), but it doesn't work as expected.
>>>
>>> Thanks a lot in advance
>>>
>>> Vlastimil
>>>
>>> --
>>> Vlastimil Elias
>>> Principal Software Engineer
>>> Red Hat Developer | Engineering
>> --
>>
>> abstractj
>> PGP: 0x84DC9914

From mposolda at redhat.com Mon Aug 1 13:14:47 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 19:14:47 +0200
Subject: [keycloak-user] Failed to run the Customer-portal Demo on two machines
Message-ID: <579F8387.6030300@redhat.com>

You also need to change the redirect_uri query param to be an absolute URL instead of a relative URL. As you can see, the value "/customer-portal" is just a relative URL, so it won't work with 2 separate servers.

Marek

On 31/07/16 22:48, Martin Min wrote:
> After I changed the relative url "/customer-portal" to its full url, "http://localhost:8080/customer-portal", the customer listing and product listing functionality works correctly.
>
> However, the remaining problem is, when I click the "log out" link, I received this error:
>
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout?redirect_uri=%2Fcustomer-portal
>
> In view.jsp, the logout code is this:
>
> String logoutUri = KeycloakUriBuilder.fromUri("/auth").path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
>     .queryParam("redirect_uri", "/customer-portal").build("demo").toString();
>
> What could cause this error message?
>
> On Sat, Jul 30, 2016 at 4:58 PM, Martin Min wrote:
>
> PLEASE: the title of my email above should be renamed to "Failed to run the Customer-portal Demo on two separate servers, KeyCloak 2.0 and Wildfly 10.0". Not on two machines, but two servers on the same machine. Sorry for the correction.
>
> On Sat, Jul 30, 2016 at 4:57 PM, Martin Min wrote:
>
> Hi, I can run the preconfigured Customer-portal demo successfully on the single keycloak-demo-2.0.0.Final distribution by importing the testrealm.json file to create the realm. Everything works fine.
>
> And also I can run this simple login/logout demo by following this instruction to install and set up KeyCloak and Wildfly servers separately:
>
> https://keycloak.gitbooks.io/getting-started-tutorials/content/v/2.0/topics/overview.html
>
> However, I failed to run the Customer-Portal demo by trying to set up the KeyCloak server and Wildfly server separately. It always gives me this message as I clicked the "Customer Listing" link:
>
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2Fe8f347bf-dd8c-4c48-a060-0b01d33476db&login=true
>
> I did exactly the same thing as I tested in the KeyCloak-demo distribution by importing the testrealm.json.
>
> I didn't configure the subsystem section in the Wildfly 10's standalone.xml, since I believe the "keycloak.json" and "web.xml" in the application's WEB-INF directory will do the same thing. I only had this configured in Wildfly standalone.xml:
>
> code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>
> What am I missing? Thank you for your help to get this working. By the way, it would be really great to have a full tutorial on how to set up the customer-portal demo on two separate KeyCloak and Wildfly servers by configuring both the JSON and the subsystem file.
>
> Thank you for help.

From mposolda at redhat.com Mon Aug 1 13:20:12 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 19:20:12 +0200
Subject: [keycloak-user] Access token or ID token
Message-ID: <579F84CC.1010105@redhat.com>

Not sure exactly about all the details of your setup etc. However, from the first look, if you use "response_type=id_token", then Keycloak will return you just the idToken, but not the accessToken at all. If you want both idToken and accessToken, you need to use the value "id_token token". So the encoded parameter will be something like "response_type=id_token%20token"

Marek

On 01/08/16 11:41, Mohan.Radhakrishnan at cognizant.com wrote:
> Hi,
>
> My ID token flow and OIDC filter are working. But I am still doubtful about my implementation. When I used another IDP (IdentifyServer3) the redirect URL issued from AngularJS gave me the access token with the ID token embedded in it directly.
>
> But now I am using this code.
>
> AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();
>
> URL is this.
>
> http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user
>
> And https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html mentions that keycloak.json is required to get the access token in AngularJS.
>
> Am I missing something? Why is there a difference?
>
> Thanks,
>
> Mohan

From zmeng at appnexus.com Mon Aug 1 13:23:53 2016
From: zmeng at appnexus.com (Zhaohua Meng)
Date: Mon, 1 Aug 2016 17:23:53 +0000
Subject: [keycloak-user] How to configure a user Federation SPI implementation

I wrote a user federation SPI implementation to integrate our internal user management.
Particularly, an implementation of org.keycloak.models.UserFederationProviderFactory and org.keycloak.models.UserFederationProvider.

My question is, how do you configure it in the keycloak-server.json?

The documentation gave an example for an event listener but not for user federation. Following the doc with a similar approach I tried { "userFederation": { "my-impl": { "myProperty": "", ... } } }, and all kinds of combinations like that, but nothing worked. I'd really appreciate it if you can share some experience here.

I'm quoting the doc in this regard here: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.0/topics/providers.html#providers

...

Configuring a provider

You can pass configuration options to your provider by setting them in keycloak-server.json. For example to set the max value for my-event-listener add:

{
    "eventsListener": {
        "my-event-listener": {
            "max": 100
        }
    }
}

...

Thanks,
--
Zhaohua Meng
Business Intelligence, AppNexus
973-936-8028 (cell)
973-415-8028 (home)

From mposolda at redhat.com Mon Aug 1 13:25:16 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 19:25:16 +0200
Subject: [keycloak-user] Does keycloak configuration support preventing a user from double simultaneous sign on?
Message-ID: <579F85FC.5050007@redhat.com>

Not OOTB, however you can implement a custom Authenticator and configure a custom authentication flow with this authenticator for this. AFAIK we are going to add that OOTB, so there will be a max number of allowed user sessions per user.

Marek

On 30/07/16 02:10, Richard Lavallee wrote:
> Does keycloak configuration support preventing a user from double simultaneous sign on?
>
> E.g. User A on machine X logs in via Keycloak and the same user A on machine B also logs in via Keycloak; both for the same Realm.
>
> -Richard

From mposolda at redhat.com Mon Aug 1 13:32:39 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 19:32:39 +0200
Subject: [keycloak-user] How to configure a user Federation SPI implementation
Message-ID: <579F87B7.60608@redhat.com>

In YourUserFederationProviderFactory.init you can read the properties which you configured in the keycloak-server.json. It's used in the event example for instance. For UserFederation it works the same way: https://github.com/keycloak/keycloak/blob/master/examples/providers/event-store-mem/src/main/java/org/keycloak/examples/providers/events/MemEventStoreProviderFactory.java#L56

Note that YourUserFederationProviderFactory.getId corresponds to the providerId used in keycloak-server.json.

Btw. in YourUserFederationProviderFactory.getConfigurationOptions() you can return a list of strings, which will be used as the names of the properties configurable in the admin console. This is an alternative to keycloak-server.json configuration. See the userFederation example for more details.

Marek

From srossillo at smartling.com Mon Aug 1 13:59:36 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 1 Aug 2016 13:59:36 -0400
Subject: [keycloak-user] OIDCFilterSessionStore

So in your example, the AngularJS app would be a Keycloak public client. It's able to do interactive authentication with a user and Keycloak. With the Keycloak Java adapters, your app should be a confidential client letting the adapter handle the Authorization Code Flow. You can introspect the claims by getting an instance of the KeycloakSecurityContext and calling getIdToken() or getToken() - returns the access token - and using the getters on those tokens to read claims.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Jul 30, 2016, at 10:28 AM, Mohan.Radhakrishnan at cognizant.com wrote:
>
> Earlier we weren't using sessions because our application on Azure had to scale out. So all the requests had to contain an access token so that which node handles those was immaterial. But stateful ecommerce sites may not work with this approach. I think that is what you mean. But this is Rest with sessions? We had GUID generators to identify the user which was part of the claim.
>
> I used the Implicit flow with an access token issued with an ID token. The client was AngularJS. What is the equivalent configuration for this?
>
> Now I use this. The response type should be access token? But that type is not accepted. So I am doing something wrong.
>
> http://localhost:8080/auth/realms/Pearson/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Pearson&client_id=Pearson&scope=user
>
> Moreover the filter validates by contacting the server but I need to introspect and get the claims for the business process.
>
> Thanks,
> Mohan
>
> From: Scott Rossillo [srossillo at smartling.com]
> Sent: Saturday, July 30, 2016 2:27 AM
> To: Radhakrishnan, Mohan (Cognizant)
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] OIDCFilterSessionStore
>
> For your first question, with OIDC there are three types of clients: confidential, public and bearer-only. For simplicity, let's consider confidential and public as applications that you log into, for example, an e-commerce website. These applications have a session which stores the access token, ID token, and refresh token. When a request comes into the website, the session ID is used to establish who you are. This could mean making your OIDC tokens accessible to server side code.
>
> A bearer-only application does not use sessions.
> It expects the OIDC access token to be sent in the authorization HTTP header on every request. It is a stateless application. Continuing your example, let's say your e-commerce website needs to call a service that provides up to date inventory information when a user adds an item to the cart. This can be a stateless service but wants to know what user is requesting inventory. The e-commerce website could retrieve the access token from the session and query the bearer-only application.
>
> This is just one example, and a bit of an oversimplification of the things a confidential and public client can do. However, the point I'm trying to make is that by defining a client as bearer-only you are essentially saying it's a stateless service that requires an OIDC access token on every request.
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On Jul 29, 2016, at 9:18 AM, Mohan.Radhakrishnan at cognizant.com wrote:
>>
>> Hi,
>> I have some doubts. I am using spring boot. The servlet filter adapter actually uses sessions. Is that right? I was thinking the token will be required for every Rest endpoint access. But unless I clear jsessionid it is not required. Have I understood this correctly?
>>
>> How do I get the claims from my implicit token? Do I need the spring boot adapter? Can I see an example combining implicit token and boot adapter?
>>
>> Thanks,
>> Mohan

From zmeng at appnexus.com Mon Aug 1 14:56:02 2016
From: zmeng at appnexus.com (Zhaohua Meng)
Date: Mon, 1 Aug 2016 18:56:02 +0000
Subject: [keycloak-user] How to configure a user Federation SPI implementation
In-Reply-To: <579F87B7.60608@redhat.com>
References: <579F87B7.60608@redhat.com>
Message-ID: <6355FF95-5A92-4C4A-A56C-6B5782F3CD49@appnexus.com>

Marek,

My implementation id is "IDP-API" and my getId() and init() methods are the following:

    @Override
    public String getId() {
        return ("IDP-API");
    }

    @Override
    public void init(Scope config) {
        logger.info("in init");
        this.config = config;
        logger.infof("config: %s", config.get("test"));
    }

I'm getting null for the config.get("test"). What am I doing wrong here?

I'm copying the keycloak-server.json in my test for your reference.

    {
        "IDP-API": {
            "test": "idp api test value"
        },
        "providers": [
            "classpath:${jboss.home.dir}/providers/*"
        ],
        "admin": {
            "realm": "master"
        },
        "eventsStore": {
            "provider": "jpa",
            "jpa": {
                "exclude-events": [ "REFRESH_TOKEN" ]
            }
        },
        "realm": {
            "provider": "jpa"
        },
        "user": {
            "provider": "jpa"
        },
        "userCache": {
            "default": {
                "enabled": true
            }
        },
        "userSessionPersister": {
            "provider": "jpa"
        },
        "authorizationPersister": {
            "provider": "jpa"
        },
        "timer": {
            "provider": "basic"
        },
        "theme": {
            "staticMaxAge": 2592000,
            "cacheTemplates": true,
            "cacheThemes": true,
            "folder": {
                "dir": "${jboss.home.dir}/themes"
            }
        },
        "scheduled": {
            "interval": 900
        },
        "connectionsHttpClient": {
            "default": {}
        },
        "connectionsJpa": {
            "default": {
                "dataSource": "java:jboss/datasources/KeycloakDS",
                "databaseSchema": "update"
            }
        },
        "realmCache": {
            "default": {
                "enabled": true
            }
        },
        "connectionsInfinispan": {
            "provider": "default",
            "default": {
                "cacheContainer": "java:comp/env/infinispan/Keycloak"
            }
        }
    }

Thanks,
--
Zhaohua Meng
Business Intelligence, AppNexus
973-936-8028 (cell)
973-415-8028 (home)
From bburke at redhat.com Mon Aug 1 15:08:05 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 1 Aug 2016 15:08:05 -0400
Subject: [keycloak-user] How to configure a user Federation SPI implementation
In-Reply-To: <6355FF95-5A92-4C4A-A56C-6B5782F3CD49@appnexus.com>
References: <579F87B7.60608@redhat.com> <6355FF95-5A92-4C4A-A56C-6B5782F3CD49@appnexus.com>
Message-ID: <87591dfd-2744-bd91-eb7e-be063ed361f3@redhat.com>

    "userFederation" : {
        "IDP-API" : {
            "test": "value"
        }
    }

From mposolda at redhat.com Mon Aug 1 15:13:05 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 21:13:05 +0200
Subject: [keycloak-user] Can't retrieve group roles in access token
In-Reply-To: <1C804824EDF10B4AA15EC8C813517738015E3D06FE@QUIQUILFUS.lampiris.local>
References: <1C804824EDF10B4AA15EC8C813517738015E3D06FE@QUIQUILFUS.lampiris.local>
Message-ID: <579F9F41.9050705@redhat.com>

On 01/08/16 11:16, Cedric Falletta wrote:
> Hello,
>
> I recently installed keycloak 2.0.0 and I'm having troubles retrieving the roles of my users in the access token.
>
> I made a simple test in which I created a user "WebUser" and a group "GROUP-Website". I added the role "GROUP-Website" to my "WebUser" and then assigned the role "ROLE-Website" to this group. User should then inherit from this role.

Yes, it should work and the role should be inherited. So either you mis-configured something, or maybe your client doesn't have a scope mapping for that role? You can try with the switch "Full scope allowed" enabled and see if it helps.

Marek

> I then configured a client which maps groups and roles to my access tokens. It works well, but I can't find "ROLE-Website". Note that if I add a specific role directly to the user, it will be present in the access token.
> My problem here is then only related to the roles of my groups not being assigned to the user.
>
> As far as I understood from other issues, these roles should be present in the token. Can you then tell me if I somehow misconfigured the client or the mapper ?
>
> Thank you,
>
> Cédric
>
> *Lampiris SA/NV*
> Rue Saint-Laurent, 54. 4000 - Liège. Belgique

From zmeng at appnexus.com Mon Aug 1 15:18:24 2016
From: zmeng at appnexus.com (Zhaohua Meng)
Date: Mon, 1 Aug 2016 19:18:24 +0000
Subject: [keycloak-user] How to configure a user Federation SPI implementation
In-Reply-To: <87591dfd-2744-bd91-eb7e-be063ed361f3@redhat.com>
References: <579F87B7.60608@redhat.com> <6355FF95-5A92-4C4A-A56C-6B5782F3CD49@appnexus.com> <87591dfd-2744-bd91-eb7e-be063ed361f3@redhat.com>
Message-ID:

Marek,

It worked for me. Thank you very much!

--
Zhaohua Meng
Business Intelligence, AppNexus

From: on behalf of Bill Burke
Date: Monday, August 1, 2016 at 3:08 PM
To: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] How to configure a user Federation SPI implementation

"userFederation" : {
  "IDP-API" : {
    "test": "value"
  }
}

On 8/1/16 2:56 PM, Zhaohua Meng wrote:

Marek,

My implementation id is "IDP-API"
and my getId() and init() method are following:

@Override
public String getId() {
    return ("IDP-API");
}

@Override
public void init(Scope config) {
    logger.info("in init");
    this.config = config;
    logger.infof("config: %s", config.get("test"));
}

I'm getting null for the config.get("test"). What am I doing wrong here? I'm copying the keycloak-server.json in my test for your reference.

{
  "IDP-API": {
    "test": "idp api test value"
  },
  "providers": [
    "classpath:${jboss.home.dir}/providers/*"
  ],
  "admin": {
    "realm": "master"
  },
  "eventsStore": {
    "provider": "jpa",
    "jpa": {
      "exclude-events": [ "REFRESH_TOKEN" ]
    }
  },
  "realm": {
    "provider": "jpa"
  },
  "user": {
    "provider": "jpa"
  },
  "userCache": {
    "default" : {
      "enabled": true
    }
  },
  "userSessionPersister": {
    "provider": "jpa"
  },
  "authorizationPersister": {
    "provider": "jpa"
  },
  "timer": {
    "provider": "basic"
  },
  "theme": {
    "staticMaxAge": 2592000,
    "cacheTemplates": true,
    "cacheThemes": true,
    "folder": {
      "dir": "${jboss.home.dir}/themes"
    }
  },
  "scheduled": {
    "interval": 900
  },
  "connectionsHttpClient": {
    "default": {}
  },
  "connectionsJpa": {
    "default": {
      "dataSource": "java:jboss/datasources/KeycloakDS",
      "databaseSchema": "update"
    }
  },
  "realmCache": {
    "default" : {
      "enabled": true
    }
  },
  "connectionsInfinispan": {
    "provider": "default",
    "default": {
      "cacheContainer" : "java:comp/env/infinispan/Keycloak"
    }
  }
}

Thanks,

--
Zhaohua Meng
Business Intelligence, AppNexus

From: Marek Posolda
Date: Monday, August 1, 2016 at 1:32 PM
To: Zaohua , "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] How to configure a user Federation SPI implementation

In YourUserFederationProviderFactory.init you can read the properties, which you configured in the keycloak-server.json. It's used in the event example for instance.
For UserFederation it works the same way :
https://github.com/keycloak/keycloak/blob/master/examples/providers/event-store-mem/src/main/java/org/keycloak/examples/providers/events/MemEventStoreProviderFactory.java#L56

Note that YourUserFederationProviderFactory.getId corresponds to the providerId used in keycloak-server.json .

Btw. from YourUserFederationProviderFactory.getConfigurationOptions() you can return a list of strings, which will be used as names of the properties configurable in admin console. This is an alternative to keycloak-server.json configuration. See the userFederation example for more details.

Marek

On 01/08/16 19:23, Zhaohua Meng wrote:

I wrote a user federation SPI implementation to integrate our internal user management. Particularly, an implementation of org.keycloak.models.UserFederationProviderFactory and org.keycloak.models.UserFederationProvider.

My question is, how do you configure it in the keycloak-server.json?

The documentation gave example for event listener but not user federation. Following the doc with similar approach I tried '{ "userFederation": { "my-impl": { "myProperty": "", ...} }}', and all kinds of combinations like that but nothing worked. I'd really appreciate if you can share some experience here.

I'm quoting the doc in this regard here:
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.0/topics/providers.html#providers

...

Configuring a provider

You can pass configuration options to your provider by setting them in keycloak-server.json. For example to set the max value for my-event-listener add:

{
  "eventsListener": {
    "my-event-listener": {
      "max": 100
    }
  }
}

...
Thanks,

--
Zhaohua Meng
Business Intelligence, AppNexus

From mposolda at redhat.com Mon Aug 1 15:32:55 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 21:32:55 +0200
Subject: [keycloak-user] Handling SuspectExceptions in Keycloak
In-Reply-To: <035C5A88-0C9C-4D44-A83D-4A227AFF48B6@expedia.com>
References: <035C5A88-0C9C-4D44-A83D-4A227AFF48B6@expedia.com>
Message-ID: <579FA3E7.4000809@redhat.com>

See KC issue [1] and related infinispan issue [2] .

The workaround is to add the StateTransferInterceptor to the proper place in chain to "realms" and "users" caches. See how I did it programmatically. I think that based on that, you should be able to add it to infinispan subsystem as well.

[1] https://issues.jboss.org/browse/KEYCLOAK-3306
[2] https://issues.jboss.org/browse/ISPN-6857

Marek

On 28/07/16 11:53, Sarp Kaya wrote:
>
> Hello,
>
> There is already an existing bug report for Infinispan here:
>
> https://issues.jboss.org/browse/ISPN-6721
>
> Currently for Keycloak, if this exception is thrown then it sends an Internal Server Error page to the browser. Essentially what would be really good is that it sends the user back to the login page instead of displaying Internal Server Error.
>
> This happens when I am consistently sending login and logout (around 40 req/s) requests to two Keycloak instances (let's call them kc1 and kc2), then one new keycloak instance is started kc3. Kc3 connects to kc1 and 2 in clustering mode.
>
> Now kc1 receives a new request (such as login) and while it is processing that, kc3 is gracefully shut including the cache with this log:
>
> 2016-07-28 09:15:53,656 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions cache from keycloak container
>
> Just shortly after that (6 ms) kc1 throws an exception like this:
>
> 2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default task-48) UT005023: Exception handling request to /auth/realms/{realm}/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 175, got 176
>
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415)
>
> then shortly after (150 ms) kc1 wants to talk to kc3 and fails to do so with this exception:
>
> 2016-07-28 09:15:53,804 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-54) ISPN000136: Error executing command RemoveCommand, writing keys [f9bde276-dd03-41c9-995b-b1aaf64c1489]: org.infinispan.remoting.transport.jgroups.SuspectException: Cache not running on node kc3
>
> at org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:763)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at
> java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.RspListFuture.futureDone(RspListFuture.java:31)
> at org.jgroups.blocks.Request.checkCompletion(Request.java:169)
> at org.jgroups.blocks.GroupRequest.viewChange(GroupRequest.java:261)
> at org.jgroups.blocks.RequestCorrelator.receiveView(RequestCorrelator.java:331)
> at org.jgroups.blocks.RequestCorrelator.receive(RequestCorrelator.java:242)
> at org.jgroups.blocks.MessageDispatcher$ProtocolAdapter.up(MessageDispatcher.java:684)
> at org.jgroups.JChannel.up(JChannel.java:738)
> at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:123)
> at org.jgroups.stack.Protocol.up(Protocol.java:374)
> at org.jgroups.protocols.FORK.up(FORK.java:118)
> at org.jgroups.protocols.FRAG2.up(FRAG2.java:165)
> at org.jgroups.protocols.FlowControl.up(FlowControl.java:394)
> at org.jgroups.protocols.ENCRYPT.up(ENCRYPT.java:454)
> at org.jgroups.protocols.pbcast.GMS.installView(GMS.java:735)
> at org.jgroups.protocols.pbcast.ParticipantGmsImpl.handleViewChange(ParticipantGmsImpl.java:140)
> at org.jgroups.protocols.pbcast.GMS.up(GMS.java:922)
> at org.jgroups.stack.Protocol.up(Protocol.java:412)
> at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:294)
> at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:474)
> at org.jgroups.protocols.pbcast.NAKACK2.deliverBatch(NAKACK2.java:982)
> at org.jgroups.protocols.pbcast.NAKACK2.removeAndPassUp(NAKACK2.java:912)
> at org.jgroups.protocols.pbcast.NAKACK2.handleMessage(NAKACK2.java:846)
> at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:618)
> at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:155)
> at org.jgroups.protocols.FD.up(FD.java:260)
> at
> org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:310)
> at org.jgroups.protocols.MERGE3.up(MERGE3.java:285)
> at org.jgroups.protocols.Discovery.up(Discovery.java:295)
> at org.jgroups.protocols.TP.passMessageUp(TP.java:1577)
> at org.jgroups.protocols.TP$MyHandler.run(TP.java:1796)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> The key that it tries to write is the user-id. After this, the browser receives an Internal Server Error page, which looks like this in html:
>
> Error
>
> Internal Server Error
>
> I have configured my infinispan cache settings as following (the rest are default):
>
> I have tried many things (such as playing with owner amounts or instance amounts etc). It does not seem to fix this exception. I am well aware that this seems more Infinispan issue than Keycloak, but I believe that Keycloak at least should respond the end user a better error message (perhaps a login again page) rather than an Internal Server Error page. Could you please handle this exception?
>
> Kind Regards,
> Sarp Kaya
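The three log records Sarp Kaya quotes above (a cache stop, then an OutdatedTopologyException 6 ms later, then a SuspectException about 150 ms later) are a sequence an operator wants to recognise automatically rather than by reading stack traces. The following is an added example, not code from the thread or from Keycloak: a small Python correlator that parses WildFly/Infinispan log records, ignores stack-frame continuation lines, and reports each cluster-topology exception together with the delay since the most recent cache stop. SAMPLE_LOG is constructed from the records quoted in the thread, trimmed to single lines; the one-second correlation window is an assumption.

```python
"""Correlate Infinispan cache-stop events with the cluster-topology errors
that follow them, over WildFly/Keycloak server.log records.

Added example, not code from the mailing-list thread or from Keycloak.
SAMPLE_LOG is constructed from the records quoted in the thread, trimmed
to single lines; the correlation window (window_ms) is an assumption."""
import re
from datetime import datetime

# WildFly record: "2016-07-28 09:15:53,656 INFO  [logger] (thread) message"
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+"
    r"(?P<msg>.*)$"
)
# WFLYCLINF0003 is the "Stopped <name> cache from <container> container" message.
STOP_RE = re.compile(r"WFLYCLINF0003: Stopped (?P<cache>\S+) cache")
# Exceptions that signal a cluster view/topology change rather than an application bug.
TOPOLOGY_EXC_RE = re.compile(r"\b(OutdatedTopologyException|SuspectException)\b")

# Constructed sample: the records from the thread, with one stack frame each.
SAMPLE_LOG = [
    "2016-07-28 09:15:53,656 INFO  [org.jboss.as.clustering.infinispan] "
    "(ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions cache from keycloak container",
    "2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default task-48) UT005023: "
    "Exception handling request to /auth/realms/{realm}/login-actions/authenticate: "
    "org.jboss.resteasy.spi.UnhandledException: "
    "org.infinispan.statetransfer.OutdatedTopologyException: "
    "Cache topology changed while the command was executing: expected 175, got 176",
    "\tat org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)",
    "2016-07-28 09:15:53,804 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] "
    "(default task-54) ISPN000136: Error executing command RemoveCommand, writing keys "
    "[f9bde276-dd03-41c9-995b-b1aaf64c1489]: "
    "org.infinispan.remoting.transport.jgroups.SuspectException: Cache not running on node kc3",
    "\tat org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46)",
]


def parse_record(line):
    """Return the parsed record, or None for stack-frame continuation lines ("\tat ...")."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def correlate(lines, window_ms=1000):
    """One finding per topology-related ERROR record, with the delay since the most
    recent cache stop. likely_topology_change is True when that delay is within
    window_ms, i.e. the error is explained by a node leaving the cluster."""
    findings = []
    last_stop = None  # (timestamp, cache name) of the latest WFLYCLINF0003 record
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        stop = STOP_RE.search(rec["msg"])
        if stop:
            last_stop = (rec["ts"], stop.group("cache"))
            continue
        if rec["level"] != "ERROR":
            continue
        exc = TOPOLOGY_EXC_RE.search(rec["msg"])
        if exc is None:
            continue
        delta_ms = None
        if last_stop is not None:
            delta_ms = round((rec["ts"] - last_stop[0]).total_seconds() * 1000)
        findings.append({
            "time": rec["ts"].isoformat(sep=" ", timespec="milliseconds"),
            "thread": rec["thread"],
            "exception": exc.group(1),
            "cache": last_stop[1] if last_stop else None,
            "ms_since_cache_stop": delta_ms,
            "likely_topology_change": delta_ms is not None and 0 <= delta_ms <= window_ms,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Run against a real server.log the same way (one record per list element, stack frames included); a finding flagged likely_topology_change is the case Marek's reply addresses, while a topology exception with no preceding cache stop in the window points at something else, such as the per-login user invalidation he mentions in his follow-up.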
From mposolda at redhat.com Mon Aug 1 15:35:53 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Aug 2016 21:35:53 +0200
Subject: [keycloak-user] Handling SuspectExceptions in Keycloak
In-Reply-To: <579FA3E7.4000809@redhat.com>
References: <035C5A88-0C9C-4D44-A83D-4A227AFF48B6@expedia.com> <579FA3E7.4000809@redhat.com>
Message-ID: <579FA499.6030605@redhat.com>

Btw. another possibility to fix is, to double-check if you're not updating user (or other object) on every login. This may cause that user is always invalidated during each login. The result is the OutdatedTopologyException, but also the bad performance.

Marek

On 01/08/16 21:32, Marek Posolda wrote:
> See KC issue [1] and related infinispan issue [2] .
>
> The workaround is to add the StateTransferInterceptor to the proper place in chain to "realms" and "users" caches. See how I did it programmatically. I think that based on that, you should be able to add it to infinispan subsystem as well.
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-3306
> [2] https://issues.jboss.org/browse/ISPN-6857
>
> Marek
>
> On 28/07/16 11:53, Sarp Kaya wrote:
>>
>> Hello,
>>
>> There is already an existing bug report for Infinispan here:
>>
>> https://issues.jboss.org/browse/ISPN-6721
>>
>> Currently for Keycloak, if this exception is thrown then it sends an Internal Server Error page to the browser. Essentially what would be really good is that it sends the user back to the login page instead of displaying Internal Server Error.
>>
>> This happens when I am consistently sending login and logout (around 40 req/s) requests to two Keycloak instances (let's call them kc1 and kc2), then one new keycloak instance is started kc3. Kc3 connects to kc1 and 2 in clustering mode.
>>
>> Now kc1 receives a new request (such as login) and while it is processing that, kc3 is gracefully shut including the cache with this log:
>>
>> 2016-07-28 09:15:53,656 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions cache from keycloak container
>>
>> Just shortly after that (6 ms) kc1 throws an exception like this:
>>
>> 2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default task-48) UT005023: Exception handling request to /auth/realms/{realm}/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 175, got 176
>>
>> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)
>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>> at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415)
>>
>> then shortly after (150 ms) kc1 wants to talk to kc3 and fails to do so with this exception:
>>
>> 2016-07-28 09:15:53,804 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-54) ISPN000136: Error executing command RemoveCommand, writing keys [f9bde276-dd03-41c9-995b-b1aaf64c1489]: org.infinispan.remoting.transport.jgroups.SuspectException: Cache not running on node kc3
>>
>> at org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:763)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612)
>> at
>> java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>> at org.infinispan.remoting.transport.jgroups.RspListFuture.futureDone(RspListFuture.java:31)
>> at org.jgroups.blocks.Request.checkCompletion(Request.java:169)
>> at org.jgroups.blocks.GroupRequest.viewChange(GroupRequest.java:261)
>> at org.jgroups.blocks.RequestCorrelator.receiveView(RequestCorrelator.java:331)
>> at org.jgroups.blocks.RequestCorrelator.receive(RequestCorrelator.java:242)
>> at org.jgroups.blocks.MessageDispatcher$ProtocolAdapter.up(MessageDispatcher.java:684)
>> at org.jgroups.JChannel.up(JChannel.java:738)
>> at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:123)
>> at org.jgroups.stack.Protocol.up(Protocol.java:374)
>> at org.jgroups.protocols.FORK.up(FORK.java:118)
>> at org.jgroups.protocols.FRAG2.up(FRAG2.java:165)
>> at org.jgroups.protocols.FlowControl.up(FlowControl.java:394)
>> at org.jgroups.protocols.ENCRYPT.up(ENCRYPT.java:454)
>> at org.jgroups.protocols.pbcast.GMS.installView(GMS.java:735)
>> at org.jgroups.protocols.pbcast.ParticipantGmsImpl.handleViewChange(ParticipantGmsImpl.java:140)
>> at org.jgroups.protocols.pbcast.GMS.up(GMS.java:922)
>> at org.jgroups.stack.Protocol.up(Protocol.java:412)
>> at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:294)
>> at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:474)
>> at org.jgroups.protocols.pbcast.NAKACK2.deliverBatch(NAKACK2.java:982)
>> at org.jgroups.protocols.pbcast.NAKACK2.removeAndPassUp(NAKACK2.java:912)
>> at org.jgroups.protocols.pbcast.NAKACK2.handleMessage(NAKACK2.java:846)
>> at
>> org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:618)
>> at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:155)
>> at org.jgroups.protocols.FD.up(FD.java:260)
>> at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:310)
>> at org.jgroups.protocols.MERGE3.up(MERGE3.java:285)
>> at org.jgroups.protocols.Discovery.up(Discovery.java:295)
>> at org.jgroups.protocols.TP.passMessageUp(TP.java:1577)
>> at org.jgroups.protocols.TP$MyHandler.run(TP.java:1796)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> The key that it tries to write is the user-id. After this, the browser receives an Internal Server Error page, which looks like this in html:
>>
>> Error
>>
>> Internal Server Error
>>
>> I have configured my infinispan cache settings as following (the rest are default):
>>
>> I have tried many things (such as playing with owner amounts or instance amounts etc). It does not seem to fix this exception. I am well aware that this seems more Infinispan issue than Keycloak, but I believe that Keycloak at least should respond the end user a better error message (perhaps a login again page) rather than an Internal Server Error page. Could you please handle this exception?
>>
>> Kind Regards,
>> Sarp Kaya
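Returning to the keycloak-server.json question in the user-federation thread above (Zhaohua Meng and Bill Burke): the configuration that made config.get("test") return null placed the "IDP-API" block at the top level of the file, while the working form nests it under the SPI name "userFederation", keyed by the value the factory's getId() returns. The following is an added example, not Keycloak project code and not the Keycloak Scope API: a Python check that reports whether a provider block is correctly nested, misplaced at the top level, or absent, and that relocates a misplaced block. WRONG_SERVER_JSON is a constructed, trimmed copy of the configuration posted in the thread; the SPI and provider names are parameters.

```python
"""Locate a provider's configuration block in keycloak-server.json.

Added example, not Keycloak project code. It models the layout the thread
settles on: the SPI name is the top-level key and the value returned by the
factory's getId() is the key below it. WRONG_SERVER_JSON is a constructed,
trimmed copy of the configuration posted in the thread."""
import json

# Constructed sample: the prov# Constructed sample: the provider block sits at the top level, which is the mistake in the thread.
WRONG_SERVER_JSON = """{
  "IDP-API": { "test": "idp api test value" },
  "providers": [ "classpath:${jboss.home.dir}/providers/*" ],
  "admin": { "realm": "master" },
  "user": { "provider": "jpa" }
}"""


def load(server_json):
    """Accept either the JSON text or an already-parsed dict."""
    return json.loads(server_json) if isinstance(server_json, str) else server_json


def find_provider_config(server_json, spi, provider_id):
    """Return (status, block): 'ok' when the block is nested under the SPI key,
    'misplaced' when it sits at the top level, 'missing' otherwise.
    A misplaced block is exactly the case where Scope.get() in init() returns null."""
    cfg = load(server_json)
    spi_block = cfg.get(spi)
    if isinstance(spi_block, dict) and isinstance(spi_block.get(provider_id), dict):
        return "ok", spi_block[provider_id]
    if isinstance(cfg.get(provider_id), dict):
        return "misplaced", cfg[provider_id]
    return "missing", None


def relocate(server_json, spi, provider_id):
    """Return a copy of the configuration with a misplaced provider block moved
    under the SPI key; a configuration without such a block is returned unchanged."""
    cfg = json.loads(json.dumps(load(server_json)))  # deep copy, leaves the input alone
    block = cfg.get(provider_id)
    if isinstance(block, dict):
        del cfg[provider_id]
        if not isinstance(cfg.get(spi), dict):
            cfg[spi] = {}
        cfg[spi][provider_id] = block
    return cfg


def expected_snippet(spi, provider_id, options):
    """Render the minimal snippet from the answer in the thread for the given names."""
    return json.dumps({spi: {provider_id: options}}, indent=2)


if __name__ == "__main__":
    print(find_provider_config(WRONG_SERVER_JSON, "userFederation", "IDP-API"))
    fixed = relocate(WRONG_SERVER_JSON, "userFederation", "IDP-API")
    print(json.dumps(fixed, indent=2))
```

The same check applies to any other SPI section of the file (eventsListener, eventsStore, and so on): the first argument is the file content, the second is the SPI name and the third is the provider id.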
From derek.visch at gmail.com Mon Aug 1 16:58:41 2016
From: derek.visch at gmail.com (Derek Visch)
Date: Mon, 1 Aug 2016 16:58:41 -0400
Subject: [keycloak-user] Reverse Proxy - SSL Termination - Invalid parameter: redirect uri
Message-ID:

Ended up figuring this out, just to save whatever poor soul has to go down the same/similar path here's what I did. I'm curious why I didn't get any errors when running keycloak with debug logging turned on as this must be some kind of host re-write problem with wildfly/keycloak.

First the only configuration I had to set in standalone.xml was (I removed all the other custom configurations I had in place the rest is the vanilla standalone.xml )

Wildfly10 Docs for this: https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration

Nginx configuration:

server {
    listen 80;
    server_name keycloak_testing.leveldatadevelopment.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name keycloak_testing.leveldatadevelopment.com;
    ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
    ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr; # Not sure this is needed for wildfly/keycloak
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// https://;
        proxy_pass http://0.0.0.0:8080;
    }
}

Note the Host header difference: with "proxy_set_header Host $host:$server_port;" I receive a white page when logging into the admin URL. Why would this happen? Only mention of the host header I could find in the wildFly documentation is https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration

Also to get past the invalid_redirect_uri issue,

1. Run keycloak locally
2. Go to the Clients settings in the Master Realm
3.
Click edit on the security-admin-console client id (You may also have to do this with the account client ID, I'm not certain)
4. Add valid redirect URI's for your new domain, for example https://website.com/* (Docs tell you to be as limited as possible with these so in production limit down your redirect URI's as much as possible)

Hope this helps someone in the future! What do you think? Should this be added to the documentation somewhere or should some kind of error be thrown in this circumstance? I'm not certain if it's Wildfly or keycloak causing this to happen, I didn't dig quite hard enough to find out :(

On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch wrote:
> Trying to setup reverse SSL for keycloak. Having issues finding documentation about this, it's mentioned in https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html but the extra detail that's supposed to be in https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could not find in regards to reverse SSL proxies.
>
> Regardless I ended up following http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
>
> From that previous mailing list post:
>
> Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
>
> First add proxy-address-forwarding and redirect-socket to the http-listener element:
>
> ...
> ...
>
> Then add a new socket-binding element to the socket-binding-group element:
>
> ...
> ...
>
> but now when I go to log on to the admin console I get "We're sorry ... Invalid parameter: redirect uri".
>
> Tried stack overflow / google / IRC. No luck so far.
>
> Any help would be appreciated :D
>
> Thanks

--
*Derek Visch* / Software Developer / Network Technician
dvisch at leveldata.com / Direct: 269-488-2037
*Level Data Inc.* Office: 866.511.3282
4787 Campus Dr. | Kalamazoo, MI 49008
http://www.leveldata.com

From srossillo at smartling.com Mon Aug 1 18:07:23 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 1 Aug 2016 18:07:23 -0400
Subject: [keycloak-user] keycloak and spring security
In-Reply-To:
References:
Message-ID: <51554E84-0904-49E5-9E50-E893F97D8E03@smartling.com>

Seems the Spring Security filter chain isn't being invoked on requests to the WicketServlet. Spring Boot is very opinionated about how it does things so I'm not entirely sure what the best approach is. However, I did find a boot starter for wicket[0] that provides some information on using Spring Security + Wicket[1].

[0]: https://github.com/MarcGiffing/wicket-spring-boot
[1]: https://github.com/MarcGiffing/wicket-spring-boot#extension-spring-security

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Aug 1, 2016, at 10:09 AM, Robert van Loenhout wrote:
>
> I'm trying to create a test application using spring and wicket (without spring boot). I'm unable to trigger any authentication redirect.
> I have added a SecurityConfig class as specified by the manual, and it's been picked up by Spring.
> For example my configure method is called
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>     super.configure(http);
>     http.authorizeRequests().anyRequest().authenticated();
> }
>
> However whatever page I call it is returned without taking any security into account.
>
> This is my web.xml
>
> <web-app>
>   <servlet>
>     <servlet-name>wicket</servlet-name>
>     <servlet-class>org.apache.wicket.protocol.http.WicketServlet</servlet-class>
>     <init-param>
>       <param-name>applicationFactoryClassName</param-name>
>       <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
>     </init-param>
>     <init-param>
>       <param-name>applicationBean</param-name>
>       <param-value>wicketApplication</param-value>
>     </init-param>
>     <load-on-startup>1</load-on-startup>
>   </servlet>
>
>   <servlet-mapping>
>     <servlet-name>wicket</servlet-name>
>     <url-pattern>/*</url-pattern>
>   </servlet-mapping>
>
>   <context-param>
>     <param-name>contextConfigLocation</param-name>
>     <param-value>/WEB-INF/applicationContext.xml</param-value>
>   </context-param>
>
>   <listener>
>     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
>   </listener>
> </web-app>
>
> The applicationContext does a component-scan.
> Did I miss something that I need to add?

From akaya at expedia.com Tue Aug 2 00:32:51 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Tue, 2 Aug 2016 04:32:51 +0000
Subject: [keycloak-user] Handling SuspectExceptions in Keycloak
In-Reply-To: <579FA3E7.4000809@redhat.com>
References: <035C5A88-0C9C-4D44-A83D-4A227AFF48B6@expedia.com> <579FA3E7.4000809@redhat.com>
Message-ID: <510A5664-A01D-4494-8188-51084A6CF946@expedia.com>

Hi Marek,

How do I add the StateTransferInterceptor to the standalone.xml? Isn't that only doable programmatically?

Thanks,
Sarp

From: Marek Posolda
Date: Tuesday, August 2, 2016 at 5:32 AM
To: Abdullah Sarp , "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Handling SuspectExceptions in Keycloak

See KC issue [1] and related infinispan issue [2] .

The workaround is to add the StateTransferInterceptor to the proper place in chain to "realms" and "users" caches.
See how I did it programmatically. I think that based on that, you should be able to add it to infinispan subsystem as well.

[1] https://issues.jboss.org/browse/KEYCLOAK-3306
[2] https://issues.jboss.org/browse/ISPN-6857

Marek

On 28/07/16 11:53, Sarp Kaya wrote:

Hello,

There is already an existing bug report for Infinispan here:

https://issues.jboss.org/browse/ISPN-6721

Currently for Keycloak, if this exception is thrown then it sends an Internal Server Error page to the browser. Essentially what would be really good is that it sends the user back to the login page instead of displaying Internal Server Error.

This happens when I am consistently sending login and logout (around 40 req/s) requests to two Keycloak instances (let's call them kc1 and kc2), then one new keycloak instance is started kc3. Kc3 connects to kc1 and 2 in clustering mode.

Now kc1 receives a new request (such as login) and while it is processing that, kc3 is gracefully shut including the cache with this log:

2016-07-28 09:15:53,656 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions cache from keycloak container

Just shortly after that (6 ms) kc1 throws an exception like this:

2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default task-48) UT005023: Exception handling request to /auth/realms/{realm}/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 175, got 176
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415)

then shortly after (150 ms) kc1 wants to talk to kc3 and fails to do so with
this exception:

2016-07-28 09:15:53,804 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-54) ISPN000136: Error executing command RemoveCommand, writing keys [f9bde276-dd03-41c9-995b-b1aaf64c1489]: org.infinispan.remoting.transport.jgroups.SuspectException: Cache not running on node kc3
at org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:763)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612)
at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
at org.infinispan.remoting.transport.jgroups.RspListFuture.futureDone(RspListFuture.java:31)
at org.jgroups.blocks.Request.checkCompletion(Request.java:169)
at org.jgroups.blocks.GroupRequest.viewChange(GroupRequest.java:261)
at org.jgroups.blocks.RequestCorrelator.receiveView(RequestCorrelator.java:331)
at org.jgroups.blocks.RequestCorrelator.receive(RequestCorrelator.java:242)
at org.jgroups.blocks.MessageDispatcher$ProtocolAdapter.up(MessageDispatcher.java:684)
at org.jgroups.JChannel.up(JChannel.java:738)
at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:123)
at org.jgroups.stack.Protocol.up(Protocol.java:374)
at org.jgroups.protocols.FORK.up(FORK.java:118)
at org.jgroups.protocols.FRAG2.up(FRAG2.java:165)
at org.jgroups.protocols.FlowControl.up(FlowControl.java:394)
at org.jgroups.protocols.ENCRYPT.up(ENCRYPT.java:454)
at org.jgroups.protocols.pbcast.GMS.installView(GMS.java:735)
at org.jgroups.protocols.pbcast.ParticipantGmsImpl.handleViewChange(ParticipantGmsImpl.java:140)
at
org.jgroups.protocols.pbcast.GMS.up(GMS.java:922)
at org.jgroups.stack.Protocol.up(Protocol.java:412)
at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:294)
at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:474)
at org.jgroups.protocols.pbcast.NAKACK2.deliverBatch(NAKACK2.java:982)
at org.jgroups.protocols.pbcast.NAKACK2.removeAndPassUp(NAKACK2.java:912)
at org.jgroups.protocols.pbcast.NAKACK2.handleMessage(NAKACK2.java:846)
at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:618)
at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:155)
at org.jgroups.protocols.FD.up(FD.java:260)
at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:310)
at org.jgroups.protocols.MERGE3.up(MERGE3.java:285)
at org.jgroups.protocols.Discovery.up(Discovery.java:295)
at org.jgroups.protocols.TP.passMessageUp(TP.java:1577)
at org.jgroups.protocols.TP$MyHandler.run(TP.java:1796)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

The key that it tries to write is the user-id. After this, the browser receives an Internal Server Error page, which looks like this in html:

Error

Internal Server Error

I have configured my infinispan cache settings as following (the rest are default):

I have tried many things (such as playing with owner amounts or instance amounts etc). It does not seem to fix this exception. I am well aware that this seems more Infinispan issue than Keycloak, but I believe that Keycloak at least should respond the end user a better error message (perhaps a login again page) rather than an Internal Server Error page. Could you please handle this exception?
Kind Regards,
Sarp Kaya

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From deepakgarg.garg at gmail.com Tue Aug 2 03:18:59 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Tue, 2 Aug 2016 12:48:59 +0530
Subject: [keycloak-user] User Federation : How to implement provider if users are stored in other stores
Message-ID:

Hi,

We have an existing web application which is using an RDBMS database for authentication and authorization. I would like to know how I can use keycloak to authenticate my users against the same RDBMS database.

In your documentation under User Federation you have mentioned that we can implement our own provider if we have users in other stores such as RDBMS. Can you please let me know how to do it.

We are running ASP.Net web apps which are written in HTML5, JQuery and CSS3.

Thanks,
Deepak

From r.vanloenhout at greenvalley.nl Tue Aug 2 03:37:30 2016
From: r.vanloenhout at greenvalley.nl (Robert van Loenhout)
Date: Tue, 2 Aug 2016 07:37:30 +0000
Subject: [keycloak-user] keycloak and spring security
In-Reply-To: <51554E84-0904-49E5-9E50-E893F97D8E03@smartling.com>
References: <51554E84-0904-49E5-9E50-E893F97D8E03@smartling.com>
Message-ID:

Thanks for the links Scott. Although I am not actually using spring boot with wicket at the moment.
Still… this might come in handy.
From: Scott Rossillo [mailto:srossillo at smartling.com]
Sent: 02 August 2016 00:07
To: Robert van Loenhout
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] keycloak and spring security

Seems the Spring Security filter chain isn't being invoked on requests to the WicketServlet. Spring Boot is very opinionated about how it does things so I'm not entirely sure what the best approach is. However, I did find a boot starter for wicket[0] that provides some information on using Spring Security + Wicket[1].

[0]: https://github.com/MarcGiffing/wicket-spring-boot
[1]: https://github.com/MarcGiffing/wicket-spring-boot#extension-spring-security

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

On Aug 1, 2016, at 10:09 AM, Robert van Loenhout wrote:

I'm trying to create a test application using spring and wicket (without spring boot). I'm unable to trigger any authentication redirect.
I have added a SecurityConfig class as specified by the manual, and it's been picked up by Spring. For example my configure method is called:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests().anyRequest().authenticated();
    }

However whatever page I call it is returned without taking any security into account.

This is my web.xml:

    <servlet>
        <servlet-name>wicket</servlet-name>
        <servlet-class>org.apache.wicket.protocol.http.WicketServlet</servlet-class>
        <init-param>
            <param-name>applicationFactoryClassName</param-name>
            <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
        </init-param>
        <init-param>
            <param-name>applicationBean</param-name>
            <param-value>wicketApplication</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>wicket</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

The applicationContext does a component-scan.
Did I miss something that I need to add?

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
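The web.xml in the thread above declares only the WicketServlet and the ContextLoaderListener: the SecurityConfig class is loaded and its configure() method runs, but no servlet filter ever hands a request to the resulting Spring Security filter chain, so every page is served unprotected. The following is an added example (mine, not Keycloak adapter code and not from the poster) showing how a non-Boot WAR registers the DelegatingFilterProxy that Scott's later reply names, using the Servlet 3.0 initializer that Spring Security ships; the class name is my own, and the web.xml equivalent is given in the comment for containers that do not scan for initializers.

```java
package example.web; // hypothetical package name

import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Registers Spring Security's DelegatingFilterProxy under the bean name
 * "springSecurityFilterChain" and maps it to every URL for REQUEST, ERROR and
 * ASYNC dispatches, so the filter chain runs before WicketServlet sees a request.
 *
 * The no-arg constructor is the right one when the root WebApplicationContext
 * is created elsewhere, here by the ContextLoaderListener already in web.xml.
 *
 * Equivalent web.xml entries, for deployments that cannot rely on
 * ServletContainerInitializer scanning:
 *
 *   <filter>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * Added example; not part of the Keycloak adapter or of the original post.
 */
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    /**
     * Startup self-check: after the superclass has inserted the filter, confirm it is
     * mapped to "/*". A missing or narrower mapping is exactly the symptom in the thread
     * (pages returned with no security applied), and failing deployment is safer than
     * silently serving unprotected content.
     */
    @Override
    protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
        FilterRegistration registration = servletContext.getFilterRegistration(DEFAULT_FILTER_NAME);
        if (registration == null || !registration.getUrlPatternMappings().contains("/*")) {
            throw new IllegalStateException(DEFAULT_FILTER_NAME
                    + " is not mapped to /*; Spring Security would not see any request");
        }
        servletContext.log(DEFAULT_FILTER_NAME + " mapped to " + registration.getUrlPatternMappings());
    }
}
```

The class is picked up automatically by any Servlet 3.0 container that processes ServletContainerInitializers (Spring's SpringServletContainerInitializer then calls every WebApplicationInitializer on the classpath); a bespoke embedded Jetty must have annotation/initializer scanning enabled for that to happen, otherwise the web.xml form in the comment is the fallback. Filters always run before the servlet they wrap, so once the mapping exists the authorizeRequests() rule in SecurityConfig is applied to the Wicket pages.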
From cedric.falletta at lampiris.be Tue Aug 2 06:02:52 2016
From: cedric.falletta at lampiris.be (Cedric Falletta)
Date: Tue, 2 Aug 2016 10:02:52 +0000
Subject: [keycloak-user] Can't retrieve group roles in access token
In-Reply-To: <579F9F41.9050705@redhat.com>
References: <1C804824EDF10B4AA15EC8C813517738015E3D06FE@QUIQUILFUS.lampiris.local> <579F9F41.9050705@redhat.com>
Message-ID: <1C804824EDF10B4AA15EC8C813517738015E3D0B5A@QUIQUILFUS.lampiris.local>

Hello Marek,

Thank you for your response. My client has full scope allowed, so indeed, any role mapped to the user or his group should normally be added to the list.

My configuration is very basic and should work, that's why I've downloaded keycloak and tried to see where the group roles are mapped to user roles in the token to see what I could be doing wrong. I've checked the mappers (UserRealmRoleMappingMapper, GroupMembershipMapper, etc.) but although I see it's mapping roles from the user, it seems the group roles are not added to the list:

    String rolePrefix = mappingModel.getConfig().get(ProtocolMapperUtils.USER_MODEL_CLIENT_ROLE_MAPPING_ROLE_PREFIX);
    Set<String> clientRoleNames = flattenRoleModelToRoleNames(clientRoleMappings, rolePrefix);
    OIDCAttributeMapperHelper.mapClaim(token, mappingModel, clientRoleNames);

In user.getRoleMappings(), it doesn't seem that group roles are fetched.

KR,
Cédric

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday 1 August 2016 21:13
To: Cedric Falletta; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Can't retrieve group roles in access token

On 01/08/16 11:16, Cedric Falletta wrote:
Hello,

I recently installed keycloak 2.0.0 and I'm having troubles retrieving the roles of my users in the access token. I made a simple test in which I created a user "WebUser" and a group "GROUP-Website".
I added the role "GROUP-Website" to my "WebUser" and then assigned the role "ROLE-Website" to this group. User should then inherit from this role.

Yes, it should work and role should be inherited. So you either mis-configure something, or your client doesn't have scope mapping for that role maybe? You can try with switch "Full scope allowed" enabled and see if it helps.

Marek

I then configured a client which maps groups and roles to my access tokens. It works well, but I can't find "ROLE-Website". Note that if I add a specific role directly to the user, it will be present in the access token. My problem here is then only related to the roles of my groups not being assigned to the user. As far as I understood from other issues, these roles should be present in the token. Can you then tell me if I somehow misconfigured the client or the mapper?

Thank you,
Cédric

Lampiris SA/NV
Rue Saint-Laurent, 54. 4000 - Liège. Belgique
[Image removed by sender. Lampiris] [Image removed by sender. Facebook] [Image removed by sender. Twitter] [Image removed by sender. LinkedIn] [Image removed by sender. Google+] [Image removed by sender. YouTube] [Image removed by sender. Instagram]
Please consider the environment before printing this e-mail
This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the addressee you are notified that disseminating, distributing or copying this e-mail is strictly prohibited.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
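Cedric's reading of the mapper code and Marek's reply between them name the two places a role can drop out of a token: either it is not in the user's effective set (direct mappings, plus the mappings of every group the user belongs to and of that group's ancestors, with composite roles expanded), or the client's scope mapping filters it out because "Full scope allowed" is off. The following is an added example (mine, not Keycloak server code) that models that documented behaviour in a small in-memory realm so the two cases can be told apart; the group and role names other than GROUP-Website, ROLE-Website and WebUser are constructed sample data.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Small in-memory model of realm roles, composite roles, groups and a client's scope,
 * computing which role names should reach the token for a user. Added example: it
 * follows the documented behaviour (group roles inherited down the group hierarchy,
 * composites expanded, client scope applied) and is not Keycloak's implementation.
 */
public final class EffectiveRoles {

    private final Map<String, Set<String>> composites = new HashMap<>(); // role -> child roles
    private final Map<String, String> groupParent = new HashMap<>();      // group -> parent group or null
    private final Map<String, Set<String>> groupRoles = new HashMap<>();  // group -> roles mapped to it
    private final Map<String, Set<String>> userRoles = new HashMap<>();   // user -> roles mapped directly
    private final Map<String, Set<String>> userGroups = new HashMap<>();  // user -> groups joined

    public EffectiveRoles composite(String role, String... children) {
        composites.computeIfAbsent(role, k -> new HashSet<>()).addAll(Arrays.asList(children));
        return this;
    }

    public EffectiveRoles group(String name, String parent, String... roles) {
        groupParent.put(name, parent);
        groupRoles.put(name, new HashSet<>(Arrays.asList(roles)));
        return this;
    }

    public EffectiveRoles user(String name, Set<String> roles, Set<String> groups) {
        userRoles.put(name, new HashSet<>(roles));
        userGroups.put(name, new HashSet<>(groups));
        return this;
    }

    /** Expands composite roles transitively; the visited set also guards against cycles. */
    public Set<String> expand(Set<String> roles) {
        Set<String> out = new TreeSet<>();
        Deque<String> work = new ArrayDeque<>(roles);
        while (!work.isEmpty()) {
            String role = work.pop();
            if (out.add(role)) {
                work.addAll(composites.getOrDefault(role, Collections.<String>emptySet()));
            }
        }
        return out;
    }

    /**
     * Direct mappings plus the mappings of every group the user is in and of each of that
     * group's ancestors, composites expanded. This is what the user "has"; whether it reaches
     * a particular client's token is decided in tokenRoles().
     */
    public Set<String> effectiveRoles(String user) {
        Set<String> roles = new HashSet<>(userRoles.getOrDefault(user, Collections.<String>emptySet()));
        for (String group : userGroups.getOrDefault(user, Collections.<String>emptySet())) {
            for (String g = group; g != null; g = groupParent.get(g)) {
                roles.addAll(groupRoles.getOrDefault(g, Collections.<String>emptySet()));
            }
        }
        return expand(roles);
    }

    /**
     * With "Full scope allowed" on, every effective role is emitted. With it off, only roles in
     * the client's scope mappings (composites expanded) survive, which is the second reason a
     * role can be missing from a token besides a group mapping that never took effect.
     */
    public Set<String> tokenRoles(String user, boolean fullScopeAllowed, Set<String> clientScope) {
        Set<String> roles = effectiveRoles(user);
        if (!fullScopeAllowed) {
            roles.retainAll(expand(clientScope));
        }
        return roles;
    }

    /** Constructed sample realm mirroring the thread: WebUser is only a member of GROUP-Website. */
    public static EffectiveRoles sample() {
        return new EffectiveRoles()
                .group("GROUP-Website", null, "ROLE-Website")
                .group("GROUP-Website-Editors", "GROUP-Website", "ROLE-Editor")   // child group, constructed
                .composite("ROLE-Editor", "ROLE-Publish")                         // composite role, constructed
                .user("WebUser", Collections.<String>emptySet(), Collections.singleton("GROUP-Website"))
                .user("EditorUser", Collections.singleton("ROLE-Direct"), Collections.singleton("GROUP-Website-Editors"));
    }

    public static void main(String[] args) {
        EffectiveRoles realm = sample();
        System.out.println("WebUser, full scope:    " + realm.tokenRoles("WebUser", true, Collections.<String>emptySet()));
        System.out.println("EditorUser, full scope: " + realm.tokenRoles("EditorUser", true, Collections.<String>emptySet()));
        System.out.println("EditorUser, scoped:     " + realm.tokenRoles("EditorUser", false, Collections.singleton("ROLE-Editor")));
    }
}
```

Running main() shows ROLE-Website for WebUser through group membership alone, the child-group user picking up ROLE-Website from the parent group as well as the expanded composite, and the scoped call dropping everything the client was not granted. When a live token disagrees with the first case for a user whose only mapping is via a group, the group mapping itself is what to inspect; when it disagrees with the third case, the client's scope tab is.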
From stephen.flynn at jftechnology.com Tue Aug 2 07:25:50 2016
From: stephen.flynn at jftechnology.com (Stephen Flynn)
Date: Tue, 2 Aug 2016 12:25:50 +0100
Subject: [keycloak-user] send-verify-email with redirect seems not to work
Message-ID: <15600497-5b30-2f64-01cd-97f289533c77@jftechnology.com>

I am using the following Rest API call on a standalone Keycloak server (v2.0.0)...

    /auth/admin/realms/{realm}/users/{id}/send-verify-email?client_id=XYZ&redirect_uri=abc

The call works almost as expected...

* sends email with link to users email (https://auth.xyz.com/auth/realms/abc/login-actions/required-action?code=xxx...)
* the link, when followed, marks the user as 'email verified' and clears the required action.
* events log (event = CUSTOM_REQUIRED_ACTION, custom_required_action=VERIFY_EMAIL) looks OK and includes the correct redirect_uri as included in the initiating REST call.
* link can only be used once.
BUT the link doesn't redirect back to the redirect_uri as I would expect. Instead the user browser remains at the emailed link (https://auth.xyz.com/auth/realms/abc/login-actions/required-action?code=xxx...).

Am I missing something here? Am I expecting the wrong behaviour or is this a bug?

best rgds,
Steve F.

--
===================================================
Stephen Flynn
Director, JF Technology (UK) Ltd
Cell (UK) : +44 7768 003 882
Phone : +44 20 7833 8346
IM : xmpp:stephen.flynn at jftechnology.com
IM : aim:stephen.flynn at jftechnology.com
Website : http://www.jftechnology.com
Tech support : support at jftechnology.com
===================================================

From christopher.james.davies at gmail.com Tue Aug 2 07:33:06 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Tue, 02 Aug 2016 11:33:06 +0000
Subject: [keycloak-user] Naive Question
Message-ID:

I am looking at linking our legacy app to Keycloak.

Currently it is a bespoke jetty server, that only serves our war files.
The security.xml is set in config of the server directory.
I have taken the example setting file from https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html

I can see this loading keycloak's spring adapter.
It fails when searching for Keycloak.json.

I was hoping to be able to drop the Keycloak.json file in the config directory.

Hope you can be of assistance. Please feel free to ask if I have missed any key information.
I am trying to get up to speed on both KeyCloak and SpringSecurity as I am a C++ programmer at heart.

Chris

From sblanc at redhat.com Tue Aug 2 07:55:24 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Aug 2016 13:55:24 +0200
Subject: [keycloak-user] Naive Question
In-Reply-To:
References:
Message-ID:

Hi,

Any reasons you don't want to put the keycloak.json in /WEB-INF ?

Sebi

On Tue, Aug 2, 2016 at 1:33 PM, Christopher Davies <christopher.james.davies at gmail.com> wrote:
> I am looking at linking our legacy app to Keycloak.
>
> Currently it is a bespoke jetty server, that only serves our war files.
> The security.xml is set in config of the server directory.
> I have taken the example setting file from
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
>
> I can see this loading keycloak's spring adapter.
> It fails when searching for Keycloak.json.
>
> I was hoping to be able to drop the Keycloak.json file in the config
> directory.
>
> Hope you can be of assistance. Please feel free to ask if I have missed
> any key information.
> I am trying to get up to speed on both KeyCloak and SpringSecurity as I am
> a C++ programmer at heart.
>
> Chris
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
From Mohan.Radhakrishnan at cognizant.com Tue Aug 2 08:05:23 2016
From: Mohan.Radhakrishnan at cognizant.com (Mohan.Radhakrishnan at cognizant.com)
Date: Tue, 2 Aug 2016 12:05:23 +0000
Subject: [keycloak-user] Access token or ID token
In-Reply-To: <579F84CC.1010105@redhat.com>
References: <579F84CC.1010105@redhat.com>
Message-ID:

It is working as you describe. I can either get access or ID token. In either case - response_type=id_token and response_type=id_token%20token - the method call is the same.

    KeycloakPrincipal.getKeycloakSecurityContext().getToken().getRealmAccess().getRoles().stream().forEach(f -> System.out.println(f));

It works like that. So here keycloak.json is used by the filter to validate the ID token by contacting the IDP and then also requesting for the access token. Right?

The doubt I still have is my other thread (http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html). The answer there mentions that when a request comes into the website the application, the session ID is used to establish who you are. But that is the ID token. Hope I am mixing two different concerns here.

Thanks,
Mohan

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, August 01, 2016 10:50 PM
To: Radhakrishnan, Mohan (Cognizant) ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Access token or ID token

Not sure exactly about all the details of your setup etc. However from the first look, if you use "response_type=id_token" , then Keycloak will return you just idToken, but not accessToken at all. If you want both idToken and accessToken, you need to use value "id_token token". So encoded parameter will be something like "response_type=id_token%20token"

Marek

On 01/08/16 11:41, Mohan.Radhakrishnan at cognizant.com wrote:
Hi,

My ID token flow and OIDC filter are working. But I am still doubtful about my implementation.
When I used another IDP (IdentifyServer3) the redirect URL issued from AngularJS gave me the access token with the ID token embedded in it directly. But now I am using this code.

    AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();

URL is this.

    http://localhost:8080/auth/realms/Test/protocol/openid-connect/auth?response_type=id_token&redirect_uri=http://localhost:8000/keycloak/claim/&realm=Test&client_id=Test&scope=user

And https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html mentions that keycloak.json is required to get the access token in AngularJS.

Am I missing something? Why is there a difference?

Thanks,
Mohan

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful.
Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.

From bruno at abstractj.org Tue Aug 2 08:34:58 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 2 Aug 2016 09:34:58 -0300
Subject: [keycloak-user] User Federation : How to implement provider if users are stored in other stores
In-Reply-To:
References:
Message-ID: <20160802123458.GA7035@abstractj.org>

Hi Deepak, there are several examples here[1]. I hope it helps.

[1] - https://github.com/keycloak/keycloak/tree/master/examples/providers

On 2016-08-02, Deepak Garg wrote:
> Hi,
>
> We have a existing web application which is using RDBMS database for
> authentication and authorization. I like to know how I can use keycloak to
> authenticate my user against same RDBMS databse.
>
> In your documentation under User Federation you have mentioned that we can
> implement our own provider if we have users in other stores such as RDBMS.
> Can you please let me know how to do it.
>
> We are running ASP.Net web apps which is written in HTML5, JQuery and CSS3.
>
> Thanks,
> Deepak
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From deepakgarg.garg at gmail.com Tue Aug 2 08:53:43 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Tue, 2 Aug 2016 18:23:43 +0530
Subject: [keycloak-user] User Federation : How to implement provider if users are stored in other stores
Message-ID:

Hi,

I didn't find any relevant example where I can use an existing database to authenticate users using keycloak.

Please suggest a specific example.
Thanks,
Deepak

On Tue, Aug 2, 2016 at 6:04 PM, Bruno Oliveira wrote:
> Hi Deepak, there are several examples here[1]. I hope it helps.
>
> [1] - https://github.com/keycloak/keycloak/tree/master/examples/providers
>
> On 2016-08-02, Deepak Garg wrote:
> > Hi,
> >
> > We have a existing web application which is using RDBMS database for
> > authentication and authorization. I like to know how I can use keycloak
> to
> > authenticate my user against same RDBMS databse.
> >
> > In your documentation under User Federation you have mentioned that we
> can
> > implement our own provider if we have users in other stores such as
> RDBMS.
> > Can you please let me know how to do it.
> >
> > We are running ASP.Net web apps which is written in HTML5, JQuery and
> CSS3.
> >
> > Thanks,
> > Deepak
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
> PGP: 0x84DC9914
>

From christopher.james.davies at gmail.com Tue Aug 2 08:56:05 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Tue, 02 Aug 2016 12:56:05 +0000
Subject: [keycloak-user] Naive Question
In-Reply-To:
References:
Message-ID:

I do not want to have to open the war file just to update / change to keycloak credentials.
Am I right that the WEB-INF sits inside the war file?
I would like a single security instance for the entire Jetty server

Chris

On Tue, Aug 2, 2016 at 12:55 PM Sebastien Blanc wrote:
> Hi,
>
> Any reasons you don't want to put the keycloak.json in /WEB-INF ?
>
>
>
>
>
> Sebi
>
> On Tue, Aug 2, 2016 at 1:33 PM, Christopher Davies <
> christopher.james.davies at gmail.com> wrote:
>
>> I am looking at linking our legacy app to Keycloak.
>>
>> Currently it is a bespoke jetty server, that only serves our war files.
>> The security.xml is set in config of the server directory.
>> I have taken the example setting file from
>> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
>>
>> I can see this loading keycloak's spring adapter.
>> It fails when searching for Keycloak.json.
>>
>> I was hoping to be able to drop the Keycloak.json file in the config
>> directory.
>>
>> Hope you can be of assistance. Please feel free to ask if I have missed
>> any key information.
>> I am trying to get up to speed on both KeyCloak and SpringSecurity as I
>> am a C++ programmer at heart.
>>
>> Chris
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From deepakgarg.garg at gmail.com Tue Aug 2 09:09:38 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Tue, 2 Aug 2016 18:39:38 +0530
Subject: [keycloak-user] Keycloak admin rest api - admin/realms
Message-ID:

Hi,

I need your help to test the following admin rest api.

I was able to get the access_token using the http://localhost:9090/auth/realms/master/protocol/openid-connect/token rest api.

As a next step, I would like to get the list of all realms, for which I am trying to use the below api:

http://localhost:9090/auth/admin/realms

I have got the access token but don't know how to test this using postman.

Please help me on this.

Thanks
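The reply in this thread says the missing piece in Postman is the Authorization header. The following is an added example (mine, not Keycloak client code) that performs the same two requests without Postman, so the exact token request and the exact header the admin endpoint expects are visible: a password-grant token request to the built-in admin-cli client of the master realm, then GET /auth/admin/realms with "Authorization: Bearer <token>". The host and port are the ones in the question; the environment variable names KC_ADMIN_USER and KC_ADMIN_PASSWORD are my own choice, and the regex-based token extraction stands in for a JSON parser only to keep the example dependency-free.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * The two HTTP calls behind "test it in Postman": obtain an access token from the
 * master realm's token endpoint, then call the admin REST API with it as a bearer token.
 * Added example, not Keycloak's client code.
 */
public class AdminRealmsCall {

    static final String BASE = "http://localhost:9090/auth"; // host and port from the question
    private static final Pattern ACCESS_TOKEN = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"");

    /** POSTs an application/x-www-form-urlencoded body and returns the response body. */
    static String postForm(String url, String form) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = c.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        return readBody(c);
    }

    /** GETs a protected admin resource; the Authorization header is the part Postman needs. */
    static String getWithBearer(String url, String accessToken) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("GET");
        c.setRequestProperty("Authorization", "Bearer " + accessToken);
        c.setRequestProperty("Accept", "application/json");
        return readBody(c);
    }

    /**
     * Reads the body and turns any 4xx/5xx into an exception carrying the server's text.
     * A 401 from /admin/realms means the token was not accepted (expired, issued by another
     * realm, or the user lacks an admin role); a 403 means it was accepted but not authorized.
     */
    static String readBody(HttpURLConnection c) throws IOException {
        int status = c.getResponseCode();
        InputStream in = status < 400 ? c.getInputStream() : c.getErrorStream();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        if (in != null) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) > 0; ) {
                buf.write(chunk, 0, n);
            }
            in.close();
        }
        String body = buf.toString("UTF-8");
        if (status >= 400) {
            throw new IOException("HTTP " + status + " from " + c.getURL() + ": " + body);
        }
        return body;
    }

    /** Pulls access_token out of the token endpoint's JSON; a real client would use a JSON parser. */
    static String extractAccessToken(String tokenResponse) {
        Matcher m = ACCESS_TOKEN.matcher(tokenResponse);
        if (!m.find()) {
            throw new IllegalStateException("no access_token in token response: " + tokenResponse);
        }
        return m.group(1);
    }

    static String enc(String s) throws IOException {
        return URLEncoder.encode(s, "UTF-8");
    }

    public static void main(String[] args) throws IOException {
        String user = System.getenv("KC_ADMIN_USER");         // variable names chosen for this example
        String password = System.getenv("KC_ADMIN_PASSWORD");
        if (user == null || password == null) {
            throw new IllegalStateException("set KC_ADMIN_USER and KC_ADMIN_PASSWORD");
        }
        // admin-cli is the public client Keycloak ships in every realm for exactly this purpose.
        String form = "client_id=admin-cli&grant_type=password"
                + "&username=" + enc(user) + "&password=" + enc(password);
        String token = extractAccessToken(postForm(BASE + "/realms/master/protocol/openid-connect/token", form));
        System.out.println(getWithBearer(BASE + "/admin/realms", token));
    }
}
```

In Postman the same call is the GET request plus a header named Authorization with the value "Bearer " followed by the access_token string from the token response, nothing else; the token is short-lived, so a 401 after a few minutes means it must be requested again rather than that the header is wrong.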
From bruno at abstractj.org Tue Aug 2 09:31:17 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 2 Aug 2016 10:31:17 -0300
Subject: [keycloak-user] User Federation : How to implement provider if users are stored in other stores
In-Reply-To:
References:
Message-ID: <20160802133117.GB7035@abstractj.org>

There's no specific example for databases, but you can adapt the example[1] to your needs. For example, instead of having a file-based[2] federation provider, create one to get data from an existing database.

[1] - https://github.com/keycloak/keycloak/tree/master/examples/providers/federation-provider
[2] - https://github.com/keycloak/keycloak/blob/master/examples/providers/federation-provider/src/main/java/org/keycloak/examples/federation/properties/FilePropertiesFederationProvider.java

On 2016-08-02, Deepak Garg wrote:
> Hi,
>
> I didn't find any relevant example where I can use existing database to
> authenticate user using keycloak.
>
> please suggest specific example.
>
>
> Thanks,
> Deepak
>
> On Tue, Aug 2, 2016 at 6:04 PM, Bruno Oliveira wrote:
>
> > Hi Deepak, there are several examples here[1]. I hope it helps.
> >
> > [1] - https://github.com/keycloak/keycloak/tree/master/examples/providers
> >
> > On 2016-08-02, Deepak Garg wrote:
> > > Hi,
> > >
> > > We have a existing web application which is using RDBMS database for
> > > authentication and authorization. I like to know how I can use keycloak
> > to
> > > authenticate my user against same RDBMS databse.
> > >
> > > In your documentation under User Federation you have mentioned that we
> > can
> > > implement our own provider if we have users in other stores such as
> > RDBMS.
> > > Can you please let me know how to do it.
> > >
> > > We are running ASP.Net web apps which is written in HTML5, JQuery and
> > CSS3.
> > >
> > > Thanks,
> > > Deepak
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> >

--
abstractj
PGP: 0x84DC9914

From bruno at abstractj.org Tue Aug 2 09:40:43 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 2 Aug 2016 10:40:43 -0300
Subject: [keycloak-user] Naive Question
In-Reply-To:
References:
Message-ID: <20160802134043.GC7035@abstractj.org>

I believe it's possible to define the configuration at `jetty-web.xml`[1]

[1] - https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/jetty9-adapter.html#_jetty9_per_war

On 2016-08-02, Christopher Davies wrote:
> I do not want to have to open the war file just to update / change to
> keycloak credentials.
> I am right that the WEB-INF sits inside the war file ?
> I would like a single security instance for the entire Jetty server
>
> Chris
>
>
> On Tue, Aug 2, 2016 at 12:55 PM Sebastien Blanc wrote:
>
> > Hi,
> >
> > Any reasons you don't want to put the keycloak.json in /WEB-INF ?
> >
> >
> >
> >
> >
> > Sebi
> >
> > On Tue, Aug 2, 2016 at 1:33 PM, Christopher Davies <
> > christopher.james.davies at gmail.com> wrote:
> >
> >> I am looking at linking our legacy app to Keycloak.
> >>
> >> Currently it is a bespoke jetty server, that only serves our war files.
> >> The security.xml is set in config of the server directory.
> >> I have taken the example setting file from
> >> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
> >>
> >> I can see this loading keycloak's spring adapter.
> >> It fails when searching for Keycloak.json.
> >>
> >> I was hoping to be able to drop the Keycloak.json file in the config
> >> directory.
> >>
> >> Hope you can be of assistance. Please feel free to ask if I have missed
> >> any key information.
> >> I am trying to get up to speed on both KeyCloak and SpringSecurity as I
> >> am a C++ programmer at heart.
> >>
> >> Chris
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From christopher.james.davies at gmail.com Tue Aug 2 09:58:54 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Tue, 02 Aug 2016 13:58:54 +0000
Subject: [keycloak-user] Naive Question
In-Reply-To: <20160802134043.GC7035@abstractj.org>
References: <20160802134043.GC7035@abstractj.org>
Message-ID:

Yes I have looked at the jetty documentation. I have had less luck with the Jetty adapter.
I am updating an application so different users will take the entire package and drop in the keycloak for their system. I would like to avoid having the users have to modify the war.
I did try dropping the keycloak.json in the war file but I still get an error locating the war file. I do not know if this is because the keycloak.json is in an individual app file but the security.xml is in a global file.

Thanks for the help so far.

Chris

On Tue, Aug 2, 2016 at 2:40 PM Bruno Oliveira wrote:
> I believe it's possible to define the configuration at `jetty-web.xml`[1]
>
> [1] -
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/jetty9-adapter.html#_jetty9_per_war
>
> On 2016-08-02, Christopher Davies wrote:
> > I do not want to have to open the war file just to update / change to
> > keycloak credentials.
> > I am right that the WEB-INF sits inside the war file ?
> > I would like a single security instance for the entire Jetty server
> >
> > Chris
> >
> >
> > On Tue, Aug 2, 2016 at 12:55 PM Sebastien Blanc
> wrote:
> >
> > > Hi,
> > >
> > > Any reasons you don't want to put the keycloak.json in /WEB-INF ?
> > >
> > > class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
> > >
> > >
> > >
> > > Sebi
> > >
> > > On Tue, Aug 2, 2016 at 1:33 PM, Christopher Davies <
> > > christopher.james.davies at gmail.com> wrote:
> > >
> > >> I am looking at linking our legacy app to Keycloak.
> > >>
> > >> Currently it is a bespoke jetty server, that only serves our war
> files.
> > >> The security.xml is set in config of the server directory.
> > >> I have taken the example setting file from
> > >>
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
> > >>
> > >> I can see this loading keycloak's spring adapter.
> > >> It fails when searching for Keycloak.json.
> > >>
> > >> I was hoping to be able to drop the Keycloak.json file in the config
> > >> directory.
> > >>
> > >> Hope you can be of assistance. Please feel free to ask if I have
> missed
> > >> any key information.
> > >> I am trying to get up to speed on both KeyCloak and SpringSecurity as
> I
> > >> am a C++ programmer at heart.
> > >>
> > >> Chris
> > >>
> > >>
> > >> _______________________________________________
> > >> keycloak-user mailing list
> > >> keycloak-user at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > >
> > >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
> PGP: 0x84DC9914
>
From lholmqui at redhat.com Tue Aug 2 10:38:14 2016
From: lholmqui at redhat.com (Luke Holmquist)
Date: Tue, 2 Aug 2016 10:38:14 -0400
Subject: [keycloak-user] Keycloak admin rest api - admin/realms
In-Reply-To:
References:
Message-ID:

On Tue, Aug 2, 2016 at 9:09 AM, Deepak Garg wrote:
> Hi,
>
> I need your help to test the following admin rest api.
>
> I was able to get the access_token using
> http://localhost:9090/auth/realms/master/protocol/openid-connect/token
> rest api.
>
> As a next step, I'd like to get the list of all realms, for which I am trying
> to use the below api
>
> http://localhost:9090/auth/admin/realms
>
> I have got the access token but don't know how to test this using postman.

you should just need to add the authorization header in Postman,
http://stackoverflow.com/questions/24709944/jwt-token-in-postman-header

*note: i haven't actually tried this*

> Please help me on this.
>
> Thanks

From r.vanloenhout at greenvalley.nl Tue Aug 2 11:30:57 2016
From: r.vanloenhout at greenvalley.nl (Robert van Loenhout)
Date: Tue, 2 Aug 2016 15:30:57 +0000
Subject: [keycloak-user] Configuring javascript calling REST service
Message-ID:

I'm using the keycloak javascript adapter and the spring security adapter for my REST service.
The REST service is configured as a client with 'bearer-only' access type.
The javascript client is authenticated. When it does an ajax call to my REST service I receive the following error in my browser:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:30001/rest1/greeting. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

I have added
"enable-cors": true
to my REST keycloak configuration.
However where do I configure which origins are allowed?

For 'public' and 'confidential' clients you can configure the web origins in the admin console.
But when I set it to 'bearer-only' this field is gone.

So what exactly are the steps you have to take to configure a javascript client that calls a REST service on another host?

From sblanc at redhat.com Tue Aug 2 12:23:43 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Aug 2016 18:23:43 +0200
Subject: [keycloak-user] Configuring javascript calling REST service
In-Reply-To:
References:
Message-ID:

Hi,
I'm not entirely sure but I think that "enable-cors" is not supported for the Spring Security Adapter.
For now, you have to deal with CORS "manually" on the server side. I think Spring has an annotation like "@CrossOrigin".

Sebi

On Tue, Aug 2, 2016 at 5:30 PM, Robert van Loenhout <r.vanloenhout at greenvalley.nl> wrote:
> I'm using the keycloak javascript adapter and the spring security adapter for my REST service.
>
> The REST service is configured as a client with 'bearer-only' access type.
>
> So what exactly are the steps you have to take to configure a javascript client that calls a REST service on another host?

From srossillo at smartling.com Tue Aug 2 12:32:55 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 2 Aug 2016 12:32:55 -0400
Subject: [keycloak-user] keycloak and spring security
In-Reply-To:
References: <51554E84-0904-49E5-9E50-E893F97D8E03@smartling.com>
Message-ID: <30C1DA54-D128-4195-BC8D-9F443A956830@smartling.com>

Ah, I misread. Ok, so you need to configure the Spring security filters to protect the wicket app. Probably something like the DelegatingFilterProxy:
http://docs.spring.io/spring-security/site/docs/4.1.1.RELEASE/reference/htmlsingle/#delegating-filter-proxy

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Aug 2, 2016, at 3:37 AM, Robert van Loenhout wrote:
>
> Thanks for the links Scott. Although I am not actually using spring boot with wicket at the moment.
> Still... this might come in handy.
>
> From: Scott Rossillo [mailto:srossillo at smartling.com]
> Sent: 02 August 2016 00:07
> To: Robert van Loenhout
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] keycloak and spring security
>
> Seems the Spring Security filter chain isn't being invoked on requests to the WicketServlet.
>
> Spring Boot is very opinionated about how it does things so I'm not entirely sure what the best approach is. However, I did find a boot starter for wicket[0] that provides some information on using Spring Security + Wicket[1].
>
> [0]: https://github.com/MarcGiffing/wicket-spring-boot
> [1]: https://github.com/MarcGiffing/wicket-spring-boot#extension-spring-security
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Aug 1, 2016, at 10:09 AM, Robert van Loenhout wrote:
>
> I'm trying to create a test application using spring and wicket (without spring boot). I'm unable to trigger any authentication redirect.
> I have added a SecurityConfig class as specified by the manual, and it's been picked up by Spring.
> For example my configure method is called
>
> @Override
> protected void configure(HttpSecurity http) throws Exception {
>     super.configure(http);
>     http.authorizeRequests().anyRequest().authenticated();
> }
>
> However whatever page I call it is returned without taking any security into account.
>
> This is my web.xml
>
> <servlet>
>     <servlet-name>wicket</servlet-name>
>     <servlet-class>org.apache.wicket.protocol.http.WicketServlet</servlet-class>
>     <init-param>
>         <param-name>applicationFactoryClassName</param-name>
>         <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
>     </init-param>
>     <init-param>
>         <param-name>applicationBean</param-name>
>         <param-value>wicketApplication</param-value>
>     </init-param>
>     <load-on-startup>1</load-on-startup>
> </servlet>
>
> <servlet-mapping>
>     <servlet-name>wicket</servlet-name>
>     <url-pattern>/*</url-pattern>
> </servlet-mapping>
>
> <context-param>
>     <param-name>contextConfigLocation</param-name>
>     <param-value>/WEB-INF/applicationContext.xml</param-value>
> </context-param>
>
> <listener>
>     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
> </listener>
>
> The applicationContext does a component-scan.
> Did I miss something that I need to add?
From srossillo at smartling.com Tue Aug 2 15:09:37 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 2 Aug 2016 15:09:37 -0400
Subject: [keycloak-user] Naive Question
In-Reply-To:
References:
Message-ID:

Well, the adapter does support loading the keycloak.json file from anywhere on the class path. Jetty AFAIK does include jetty/resources on the class path. So, you could put keycloak.json there and if you start the server with the option below it should work:

-Dkeycloak.configurationFile:"classpath:keycloak.json"

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Aug 2, 2016, at 8:56 AM, Christopher Davies wrote:
>
> I do not want to have to open the war file just to update / change to keycloak credentials.
> I am right that the WEB-INF sits inside the war file ?
> I would like a single security instance for the entire Jetty server
>
> Chris
>
> On Tue, Aug 2, 2016 at 12:55 PM Sebastien Blanc wrote:
> Hi,
>
> Any reasons you don't want to put the keycloak.json in /WEB-INF ?
>
> Sebi

From srossillo at smartling.com Tue Aug 2 15:19:59 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 2 Aug 2016 15:19:59 -0400
Subject: [keycloak-user] Access token or ID token
In-Reply-To:
References: <579F84CC.1010105@redhat.com>
Message-ID:

Just to address your concern about Angular vs Java: Angular uses OIDC implicit flow and the Java adapters use the authorization code flow. You don't get an access token or id token back from the login redirect. You get an authorization code which may then be exchanged for a set of OIDC tokens.

The authorization code flow is something like:

User -> Service : request a secured resource
Service -> User : redirect to Keycloak login page
User -> Keycloak : submit login page
Keycloak -> User : redirect back to Service with this authorization code on the URL
User -> Service : original request + code
Service -> Keycloak : exchange auth code for token(s), store tokens, serve secure resource

The authorization code flow doesn't expose the actual tokens to the user and is considered more secure.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Aug 2, 2016, at 8:05 AM, Mohan.Radhakrishnan at cognizant.com wrote:
>
> It is working as you describe. I can either get access or ID token.
>
> In either case - response_type=id_token and response_type=id_token%20token - the method call is the same.
>
> KeycloakPrincipal.getKeycloakSecurityContext().getToken().
> getRealmAccess().getRoles().stream().forEach( f -> System.out.println( f ));
>
> It works like that.
>
> So here keycloak.json is used by the filter to validate the ID token by contacting the IDP and then also requesting for the access token. Right ?
>
> The doubt I still have is my other thread (http://lists.jboss.org/pipermail/keycloak-user/2016-July/007064.html)
>
> The answer there mentions that when a request comes into the website the application, the session ID is used to establish who you are.
> But that is the ID token. Hope I am mixing two different concerns here.
>
> Thanks,
> Mohan
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Monday, August 01, 2016 10:50 PM
> To: Radhakrishnan, Mohan (Cognizant); keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Access token or ID token
>
> Not sure exactly about all the details of your setup etc. However from the first look, if you use "response_type=id_token" , then Keycloak will return you just idToken, but not accessToken at all.
>
> If you want both idToken and accessToken, you need to use value "id_token token".
>
> So encoded parameter will be something like "response_type=id_token%20token"
>
> Marek
>
> On 01/08/16 11:41, Mohan.Radhakrishnan at cognizant.com wrote:
> Hi,
> My ID token flow and OIDC filter are working. But I am still doubtful about my implementation.
From bburke at redhat.com Tue Aug 2 15:25:06 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 2 Aug 2016 15:25:06 -0400
Subject: [keycloak-user] Access token or ID token
In-Reply-To:
References: <579F84CC.1010105@redhat.com>
Message-ID: <25f67eb8-767d-fd0c-1ba8-aade278bd2c3@redhat.com>

Keycloak devs recommend using our javascript adapter and auth-code flow. Why? Implicit flow requires you to re-do the browser redirect dance when the access token expires.

On 8/2/16 3:19 PM, Scott Rossillo wrote:
> Just to address your concern about Angular vs Java: Angular uses OIDC
> implicit flow and the Java adapters use the authorization code flow.
> You don't get an access token or id token back from the login
> redirect. You get an authorization code which may then be exchanged
> for a set of OIDC tokens.
>
> The authorization code flow doesn't expose the actual tokens to the
> user and is considered more secure.

From aikeaguinea at xsmail.com Tue Aug 2 17:20:05 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Tue, 02 Aug 2016 17:20:05 -0400
Subject: [keycloak-user] API for User Account Service?
Message-ID: <1470172805.4159443.684179281.797F86A5@webmail.messagingengine.com>

Can the User Account Service be accessed as an API? I'm interested in the "forgot password" and "change password" functionality in particular.

--
Aikeaguinea
aikeaguinea at xsmail.com

--
http://www.fastmail.com - mmm... Fastmail...

From christopher.james.davies at gmail.com Wed Aug 3 05:54:10 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Wed, 03 Aug 2016 09:54:10 +0000
Subject: [keycloak-user] Naive Question
In-Reply-To:
References:
Message-ID:

Thanks for all your help; I have managed to get the adapter to load and read the keycloak file. I used the following in my security.xml file:

>
>
>

Now I can see my app connecting to keycloak. Next issue is that despite keycloak passing back the principal with the correct Roles, Spring security is rejecting the user in the RoleVoter.
Will try to solve this myself before I trouble you.

Chris

On Tue, Aug 2, 2016 at 8:09 PM Scott Rossillo wrote:
> Well, the adapter does support loading the keycloak.json file from
> anywhere on the class path. Jetty AFAIK does include jetty/resources on the
> class path. So, you could put keycloak.json there and if you start the
> server with the option below it should work:
>
> -Dkeycloak.configurationFile:"classpath:keycloak.json"

From christopher.james.davies at gmail.com Wed Aug 3 06:16:20 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Wed, 03 Aug 2016 10:16:20 +0000
Subject: [keycloak-user] Naive Question
In-Reply-To:
References:
Message-ID:

Thanks everyone for all your help: I now have a lash-up with my app talking via spring security to Keycloak.
OK one last question - more of a redirect to the correct part of the documentation. However I do need a copy of the JWT to pass on to a native application. Can anyone point me at the API I would need to use to get the signed JWT from Spring Security?

Thanks in advance
Chris

On Wed, Aug 3, 2016 at 10:54 AM Christopher Davies <christopher.james.davies at gmail.com> wrote:
> Thanks for all your help; I have managed to get the adapter to load and
> read the keycloak file. I used the following in my security.xml file:
>
> class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
>
> Now I can see my app connecting to keycloak. Next issue is that despite
> keycloak passing back the principal with the correct Roles, Spring security
> is rejecting the user in the RoleVoter.
> Will try to solve this myself before I trouble you.
>
> Chris

From igor.zuk at qualitytaskforce.com Wed Aug 3 10:36:46 2016
From: igor.zuk at qualitytaskforce.com (Igor Zuk)
Date: Wed, 3 Aug 2016 14:36:46 +0000
Subject: [keycloak-user] Keycloak user data encoding
In-Reply-To:
References:
Message-ID:

Sorry for a delayed response, I had to temporarily suspend the investigation.

Yes, I can reproduce the issue anytime using Docker. I set up an environment as close to default as possible with the latest MySQL:

docker run --name mysql -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -P -d mysql:latest

and Keycloak in the same version as where I found the issue, 1.9.2.Final:

docker run --name keycloak -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e MYSQL_PORT_3306_TCP_ADDR=192.168.99.100 -e MYSQL_PORT_3306_TCP_PORT=32779 -P -d jboss/keycloak-mysql:1.9.2.Final

The results were identical, special letters in names were replaced with question marks. It turned out that Keycloak created all its tables with the DB's default encoding, latin1 (ISO-8859-1).
I've checked it with a query:

SELECT character_set_name FROM information_schema.`COLUMNS` WHERE table_name = "USER_ENTITY" AND column_name = "FIRST_NAME";

Once again I've manually changed the encoding of a single column:

ALTER TABLE `USER_ENTITY` MODIFY `FIRST_NAME` VARCHAR(255) CHARACTER SET utf8;

It worked, but Keycloak was still putting names with question marks there, so the issue was fully reproduced.

Because it seems that Keycloak uses the DB's default encoding, I tried changing it in MySQL. I've removed its container entirely and started it with two parameters appended to the Docker run command:

--character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci

It seems that it worked, but then Keycloak refused to start at all, throwing an exception with error:

Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)]

It looks like Keycloak is not able to work with UTF-8 in databases at all! The full startup log is here: http://pastebin.com/VMTARqgF.

Because 1.9.2.Final is quite dated, I've checked the latest available MySQL-preconfigured version, 2.0.0.Final. I've repeated all the steps and the results were identical.

The example name I'm working with is Mściwy Żółw. Only the letter 'ó' is working, that's because it's encodable in ISO-8859-1.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, July 15, 2016 6:48 AM
To: Igor Zuk
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak user data encoding

It's strange that no one else has reported this. We had several people report the issue with umlauts, but no one else seems to have the issue with the database encoding. Maybe there's something different with your database config? Could you try with a default MySQL database installation and see if you can reproduce the issue? Also, can you give me a sample name that shows the problems.

I added a test for umlauts to registration and account management, see https://github.com/keycloak/keycloak/pull/3036. Once it's in I'll schedule a run with CI, which tests with a range of different databases.

On 12 July 2016 at 16:13, Igor Zuk wrote:
Thank you for a quick response.

I'm using 1.9.2.Final and the problem is a bit different, it's not limited to the registration screen.

I'm saying that ISO-8859-1 is the default encoding, because all the text columns in the USER_ENTITY table had encoding latin1. The table was created completely by Keycloak as the database was empty in the beginning.

I manually switched the encoding of FIRST_NAME to UTF-8 and modified it so it contained special letters. I started the user editor in the Keycloak admin console and this name was displayed correctly. I added a single character to it, saved, and then the name got messed up with question marks instead of all special characters.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, July 12, 2016 3:43 PM
To: Stian Thorgersen
Cc: Igor Zuk; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak user data encoding

By the way this was fixed in 1.6.0.Final, see https://issues.jboss.org/browse/KEYCLOAK-1830?jql=project%20%3D%20KEYCLOAK%20AND%20text%20~%20%22encoding%22

Are you using an old version?

On 12 July 2016 at 15:37, Stian Thorgersen wrote:
Why are you saying the default encoding is ISO-8859-1? All forms are encoded as UTF-8 and all strings passed to the database should be UTF-8 encoded as well. The only thing that is ISO-8859-1 is the message properties, but those are converted to UTF-8 when added to HTML pages.

On 12 July 2016 at 14:58, Igor Zuk wrote:
Hi

I have an encoding problem. By default users' data fields (e.g. first name and last name) are encoded using ISO-8859-1. People from many countries can't properly create accounts as their personal data is silently messed up. How can I fix it?

- The MySQL DB receives already damaged names. By default all columns are ISO-8859-1-encoded, but manually converting them to UTF-8 doesn't help.
- Manual account modification from the admin console has the same effect.
- Changing the default server (Wildfly) encoding to UTF-8 doesn't do anything.

Best regards
Igor Żuk

From abhi.raghav007 at gmail.com Wed Aug 3 11:36:42 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Wed, 3 Aug 2016 21:06:42 +0530
Subject: [keycloak-user] NGINX + Redirect URI is going to http rather than https
Message-ID:

I am trying to configure NGINX as a reverse proxy for my keycloak instance and customer-portal to do SSL termination. So I am accessing the customer-portal over NGINX with https which is going fine. The URL which I called looks like this:

https://192.168.99.100/customer-portal/

Next when I am trying to access any secured resource by clicking on, let's say, 'customer-listing', I am redirected to keycloak with the URI below with an error message as invalid redirect URI.

http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true

Here if you see, the redirect URI is going as http in place of https, which gives me invalid redirect-uri because the URI I have configured in the valid-redirect-URI section of settings in the customer-portal client settings is below:

https://192.168.99.100/customer-portal/*

Am I missing something or do I need to do anything else to support nginx settings in my keycloak. I have made the proxy-forwarding in standalone.xml also as 'true'. The port also I configured in the socket binding as 443. Also I am configuring the required header in my nginx.conf. Below is what my nginx.conf looks like:

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    server {
        listen 443;
        server_name "";
        ssl_certificate /etc/nginx/external/cert.pem;
        ssl on;
        ssl_certificate_key /etc/nginx/external/key.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;

        location /customer-portal/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $http_host;
            proxy_set_header X-Forwarded-Port 443;
            proxy_pass http://192.168.99.100:31050;
        }

        location /auth/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $http_host;
            proxy_pass http://192.168.99.100:31048/auth/;
            proxy_set_header X-Forwarded-Port 443;
        }
    }

    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}

And my keycloak.json file looks like below:

{
  "realm": "nginx",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
  "auth-server-url": "https://192.168.99.100/auth/",
  "ssl-required": "external",
  "resource": "customer-portal",
  "credentials": {
    "secret": "20d8b6f8-25cc-481c-be66-133da68e9596"
  },
  "use-resource-role-mappings": false
}

Note: I am running all 3 in their own docker containers. Here
my nginx url is https://192.168.99.100
my customer-portal url is http://192.168.99.100:31050
my keycloak server url is http://192.168.99.100:31048

Customer-portal is running on tomcat 8 with the keycloak tomcat adapter.
customer-portal and keycloak, both are running behind nginx.

Am I doing something wrong.

Thanks.
Abhishek

From hr.stoyanov at peruncs.com Wed Aug 3 14:10:54 2016
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Wed, 3 Aug 2016 18:10:54 +0000
Subject: [keycloak-user] Wildfly swarm KC version?
Message-ID:

Are there plans to provide a wildflyswarm version of KC? Would love to run a KC-enabled web app in a SINGLE jvm, with 0 XML configurations ...one day.

/Hristo Stoyanov

From sblanc at redhat.com Wed Aug 3 14:28:47 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 3 Aug 2016 20:28:47 +0200
Subject: [keycloak-user] Wildfly swarm KC version?
It's already there since a while ;)

You have 2 fractions:
* keycloak (embedded wf adapter)
* keycloak-server: to run the kc server as a swarm app

You can check these sample apps I wrote a while ago that are based on swarm: https://github.com/sebastienblanc/keycloak-demos

For the 0 xml, if you mean the web.xml, yeah this is possible as well with the kc swarm fraction, check the doc.

On Wednesday, 3 August 2016, Hristo Stoyanov wrote:
> Are there plans to provide a wildflyswarm version of KC? Would love to run a KC-enabled web app in a SINGLE jvm, with 0 XML configurations ...one day.
>
> /Hristo Stoyanov

From luigi.demasi at extrasys.it Wed Aug 3 14:34:21 2016
From: luigi.demasi at extrasys.it (Luigi De Masi)
Date: Wed, 3 Aug 2016 20:34:21 +0200
Subject: [keycloak-user] Authentication via Facebook Token

Hi,

I have to create a REST layer to allow a mobile application to interact with KC, because the mobile developers don't want to use any kind of redirect or webview, only REST calls for login/registration.

For username/password authentication/registration it is easy, I can use the admin REST API, but for social login (only via Facebook), is there a way to get a Keycloak JWT token by passing a Facebook token, using the admin API or any other REST API?

If not, is it better to plug in an authentication provider using the Authentication SPI, or to create a custom REST endpoint and generate (don't know how) a JWT?

Thanks.

--
Luigi De Masi
"Talk is cheap. Show me the code." -- Linus Torvalds
--
Extra srl
p: +39 0587975800
a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy
w: www.extrasrl.it
e: info at extrasys.it

The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From mposolda at redhat.com Wed Aug 3 16:17:13 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 Aug 2016 22:17:13 +0200
Subject: [keycloak-user] Keycloak 2.1.0.CR1 released
Message-ID: <57A25149.2050803@redhat.com>

Keycloak 2.1.0.CR1 has just been released. The final release will follow next week if no major issues are reported.

A few highlights of this release:

* Password Policy SPI - Now it's possible to plug in your own implementation of password policy. This is useful if the available builtin policies are not sufficient for you.
* Jetty 9.3 adapter - Allows you to secure your applications deployed on a Jetty 9.3 server.
* Authorization fixes & improvements - There are lots of fixes and improvements in authorization services, which were recently added in the 2.0 release. It is really worth checking this out and eventually providing us some feedback.
* Better OpenID Connect interoperability - There are lots of minor fixes related to OpenID Connect support.

For the full list of issues resolved check out JIRA, and to download the release go to the Keycloak homepage.

From john.d.ament at gmail.com Wed Aug 3 16:55:21 2016
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 03 Aug 2016 20:55:21 +0000
Subject: [keycloak-user] Is clustering required?

Hey,

I was wondering, is clustering actually required on the keycloak server if I have multiple deployed? Or will it read data from the database?

John

From bburke at redhat.com Wed Aug 3 17:17:16 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 3 Aug 2016 17:17:16 -0400
Subject: [keycloak-user] Is clustering required?

It is required. The auth code flow for OAuth is an out of band HTTP request, so you may be load balanced to a machine that doesn't have the user session. We have "sticky sessions" for out of band requests like this planned, but not implemented yet.

On 8/3/16 4:55 PM, John D. Ament wrote:
> Hey,
>
> I was wondering, is clustering actually required on the keycloak server if I have multiple deployed? Or will it read data from the database?
>
> John

From john.d.ament at gmail.com Wed Aug 3 18:07:49 2016
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 03 Aug 2016 22:07:49 +0000
Subject: [keycloak-user] Is clustering required?

Thanks Bill. What if I'm primarily using SAML? Same session issue?

John

On Wed, Aug 3, 2016 at 5:17 PM Bill Burke wrote:
> It is required. The auth code flow for OAuth is an out of band HTTP request, so you may be load balanced to a machine that doesn't have the user session. We have "sticky sessions" for out of band requests like this planned, but not implemented yet.

From bburke at redhat.com Wed Aug 3 18:50:22 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 3 Aug 2016 18:50:22 -0400
Subject: [keycloak-user] Is clustering required?
Message-ID: <428877e4-e768-7d4f-e5ca-a9c52359ad79@redhat.com>

I think SAML would be ok so long as you have sticky sessions enabled with your load balancer.

On 8/3/16 6:07 PM, John D. Ament wrote:
> Thanks Bill. What if I'm primarily using SAML? Same session issue?
>
> John

From john.d.ament at gmail.com Wed Aug 3 19:04:48 2016
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 3 Aug 2016 19:04:48 -0400
Subject: [keycloak-user] Is clustering required?
In-Reply-To: <428877e4-e768-7d4f-e5ca-a9c52359ad79@redhat.com>
References: <428877e4-e768-7d4f-e5ca-a9c52359ad79@redhat.com>

Mmmph ok. Do you know how quickly sessions replicate now? Last time I did this it was about a minute, which didn't perform well for me. This is going back at least 6 years though.

On Aug 3, 2016 18:50, "Bill Burke" wrote:
> I think SAML would be ok so long as you have sticky sessions enabled with your load balancer.
From lingvisa at gmail.com Wed Aug 3 19:39:08 2016
From: lingvisa at gmail.com (Martin Min)
Date: Wed, 3 Aug 2016 16:39:08 -0700
Subject: [keycloak-user] Failed to run the Customer-portal Demo on two machines
In-Reply-To: <579F8387.6030300@redhat.com>
References: <579F8387.6030300@redhat.com>

Hi, Marek, I changed it to this in view.jsp:

    String logoutUri = KeycloakUriBuilder.fromUri("/auth").path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
            .queryParam("redirect_uri", "http://localhost:8080/customer-portal").build("demo").toString();

But now when I click the "logout" link, I get this error:

    http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal

which is slightly different from the earlier error message when I used the relative url parameter "/customer-portal", as below:

    http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout?redirect_uri=%2Fcustomer-portal

So just changing the 'queryParam(,)' doesn't solve the problem. Please see my configuration of URLs.

What needs to be done additionally?

On Mon, Aug 1, 2016 at 10:14 AM, Marek Posolda wrote:
> You also need to change the redirect_uri query param to be an absolute URL instead of a relative URL. As you can see, the value "/customer-portal" is just a relative URL, so it won't work with 2 separate servers.
>
> Marek
>
> On 31/07/16 22:48, Martin Min wrote:
>> After I changed the relative url "/customer-portal" to its full url, "http://localhost:8080/customer-portal", the customer listing and product listing functionality works correctly.
>>
>> However, the remaining problem is, when I click the "log out" link, I received this error:
>>
>>     http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout?redirect_uri=%2Fcustomer-portal
>>
>> In view.jsp, the logout code is this:
>>
>>     String logoutUri = KeycloakUriBuilder.fromUri("/auth").path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
>>             .queryParam("redirect_uri", "/customer-portal").build("demo").toString();
>>
>> What could cause this error message?
>>
>> On Sat, Jul 30, 2016 at 4:58 PM, Martin Min wrote:
>>> PLEASE: the title of my email above should be renamed to "Failed to run the Customer-portal Demo on two separate servers, KeyCloak 2.0 and Wildfly 10.0". Not on two machines, but two servers on the same machine. Sorry for the correction.
>>>
>>> On Sat, Jul 30, 2016 at 4:57 PM, Martin Min wrote:
>>>> Hi, I can run the preconfigured Customer-portal demo successfully on the single keycloak-demo-2.0.0.Final distribution by importing the testrealm.json file to create the realm. Everything works fine.
>>>>
>>>> And also I can run this simple login/logout demo by following this instruction to install and set up KeyCloak and Wildfly servers separately:
>>>>
>>>>     https://keycloak.gitbooks.io/getting-started-tutorials/content/v/2.0/topics/overview.html
>>>>
>>>> However, I failed to run the Customer-Portal demo by trying to set up the KeyCloak server and Wildfly server separately. It always gives me this message as I clicked the "Customer Listing" link:
>>>>
>>>>     http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=2%2Fe8f347bf-dd8c-4c48-a060-0b01d33476db&login=true
>>>>
>>>> I did exactly the same thing as I tested in the KeyCloak-demo distribution by importing the testrealm.json.
>>>>
>>>> I didn't configure the subsystem section in the Wildfly 10's standalone.xml, since I believe the "keycloak.json" and "web.xml" in the application's WEB-INF directory will do the same thing. I only had this configured in Wildfly standalone.xml:
>>>>
>>>>     code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>>>
>>>> What am I missing? Thank you for your help to get this working. By the way, it would be really great to have a full tutorial on how to set up the customer-portal demo on two separate KeyCloak and Wildfly servers by configuring both the JSON and the subsystem file.
>>>>
>>>> Thank you for your help.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: kecloak.png
Type: image/png
Size: 64701 bytes
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160803/92d0f96b/attachment-0001.png

From lingvisa at gmail.com Wed Aug 3 19:48:30 2016
From: lingvisa at gmail.com (Martin Min)
Date: Wed, 3 Aug 2016 16:48:30 -0700
Subject: [keycloak-user] Failed to run the Customer-portal Demo on two machines
References: <579F8387.6030300@redhat.com>

Solved! I also need to change the fromUrl('') to fromUrl("localhost:8180/auth"), instead of the relative url. Thanks for all.
On Wed, Aug 3, 2016 at 4:39 PM, Martin Min wrote:
> Hi, Marek, I changed it to this in view.jsp:
>
>     String logoutUri = KeycloakUriBuilder.fromUri("/auth").path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH)
>             .queryParam("redirect_uri", "http://localhost:8080/customer-portal").build("demo").toString();
>
> But now when I click the "logout" link, I get this error:
>
>     http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcustomer-portal
>
> which is slightly different from the earlier error message when I used the relative url parameter "/customer-portal", as below:
>
>     http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout?redirect_uri=%2Fcustomer-portal
>
> So just changing the 'queryParam(,)' doesn't solve the problem. Please see my configuration of URLs.
>
> What needs to be done additionally?

From bburke at redhat.com Wed Aug 3 19:50:25 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 3 Aug 2016 19:50:25 -0400
Subject: [keycloak-user] Is clustering required?
References: <428877e4-e768-7d4f-e5ca-a9c52359ad79@redhat.com>

You don't need session replication, just load balancer sticky sessions. Basically the HTTP load balancer sets a cookie when you visit for the first time. Based on that cookie the load balancer knows which machine you are "stuck" on and will continually route the browser to that same machine.

On 8/3/16 7:04 PM, John D. Ament wrote:
> Mmmph ok. Do you know how quickly sessions replicate now? Last time I did this it was about a minute, which didn't perform well for me. This is going back at least 6 years though.

From josh.cain at redhat.com Wed Aug 3 20:19:32 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Wed, 3 Aug 2016 19:19:32 -0500
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)

Hi all,

I'm in a situation in which I need to consult an external source of truth in order to pull social auth credentials (outside the Keycloak database). I'd ideally like something functionally equivalent to the UserFederationProvider, in which another source outside the user store is consulted for this information. Is anything like that currently supported?

Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 843-737-1735

From josh.cain at redhat.com Wed Aug 3 21:00:45 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Wed, 3 Aug 2016 20:00:45 -0500
Subject: [keycloak-user] Is failing to DB possible for Federated Users?
Hi all,

I'm using a Keycloak implementation in which the majority of our users come from a UserFederationProvider. However, I'd ideally like to be able to fall back to the Keycloak database when this provider is unavailable. Is it possible to do so?

I looked around at the codebase and UserFederationManager seems to be where I'd like to change (namely the validateAndProxyUser method). Is there any way to extend this with our own behavior? Looks like that particular implementation is hard-coded into the KeycloakSession interface.

Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 843-737-1735

From bburke at redhat.com Wed Aug 3 21:35:14 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 3 Aug 2016 21:35:14 -0400
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
Message-ID: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>

Huh? I don't understand.

On 8/3/16 8:19 PM, Josh Cain wrote:
> Hi all,
>
> I'm in a situation in which I need to consult an external source of truth in order to pull social auth credentials (outside the Keycloak database). I'd ideally like something functionally equivalent to the UserFederationProvider, in which another source outside the user store is consulted for this information. Is anything like that currently supported?
>
> Josh Cain | Software Applications Engineer
> Identity and Access Management
> Red Hat
> +1 843-737-1735

From bburke at redhat.com Wed Aug 3 21:36:08 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 3 Aug 2016 21:36:08 -0400
Subject: [keycloak-user] Is failing to DB possible for Federated Users?

Not sure what you mean. If the provider is not deployed?

On 8/3/16 9:00 PM, Josh Cain wrote:
> Hi all,
>
> I'm using a Keycloak implementation in which the majority of our users come from a UserFederationProvider. However, I'd ideally like to be able to fall back to the Keycloak database when this provider is unavailable. Is it possible to do so?
>
> I looked around at the codebase and UserFederationManager seems to be where I'd like to change (namely the validateAndProxyUser method). Is there any way to extend this with our own behavior? Looks like that particular implementation is hard-coded into the KeycloakSession interface.
>
> Josh Cain | Software Applications Engineer
> Identity and Access Management
> Red Hat
> +1 843-737-1735

From john.d.ament at gmail.com Wed Aug 3 22:43:41 2016
From: john.d.ament at gmail.com (John D. Ament)
Date: Thu, 04 Aug 2016 02:43:41 +0000
Subject: [keycloak-user] Is clustering required?
References: <428877e4-e768-7d4f-e5ca-a9c52359ad79@redhat.com>

In our environment, we've seen sticky sessions fail in ~5% of requests. We generally avoid it. I'll play around with the clustering to see how it works.

On Wed, Aug 3, 2016 at 7:50 PM Bill Burke wrote:
> You don't need session replication, just load balancer sticky sessions. Basically the HTTP load balancer sets a cookie when you visit for the first time. Based on that cookie the load balancer knows which machine you are "stuck" on and will continually route the browser to that same machine.
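The point Bill makes in this thread (sticky sessions keep the browser on one node, but the authorization-code flow's token request is an out-of-band call that carries no browser cookie) is easy to see in a small model. The script below is an added example written for this archive page; it is not code from the Keycloak project or from anyone in the thread. The node, balancer and cookie names are constructed, and the per-node dict stands in for Keycloak's session and code store (a shared dict plays the role of a replicated cache). It shows that front-channel requests stay on one node, while the adapter's back-channel code exchange reaches whatever node round-robin picks and fails there unless the store is shared.

```python
"""Sticky sessions vs. the out-of-band code exchange (added example, not
Keycloak code). Models two server nodes behind a cookie-affinity load
balancer; all names here are constructed for the illustration."""
import itertools
import secrets
from typing import Dict, List, Optional, Tuple

STICKY_COOKIE = "ROUTEID"  # constructed affinity cookie name


class Node:
    """One server node. Login sessions and authorization codes live in
    `store`; when every node is handed the same dict, that dict stands in
    for a replicated (clustered) cache."""

    def __init__(self, name: str, store: Optional[dict] = None) -> None:
        self.name = name
        self.store = store if store is not None else {}

    def issue_code(self, user: str) -> str:
        """Front-channel step: the user authenticated on this node, which
        records the authorization code it hands back to the browser."""
        code = secrets.token_hex(8)
        self.store[code] = user
        return code

    def redeem_code(self, code: str) -> Optional[str]:
        """Back-channel step: the adapter posts the code to the token
        endpoint. Codes are single use, so a known code is consumed;
        a code this node never saw yields None."""
        return self.store.pop(code, None)


class StickyLoadBalancer:
    """Cookie-based affinity: a request carrying the affinity cookie is
    sent to the node named in it; anything else is round-robined and the
    cookie is set so later browser requests stick to that node."""

    def __init__(self, nodes: List[Node]) -> None:
        self.nodes = {n.name: n for n in nodes}
        self._next = itertools.cycle(list(self.nodes))

    def route(self, cookies: Dict[str, str]) -> Tuple[Node, Dict[str, str]]:
        target = cookies.get(STICKY_COOKIE)
        if target not in self.nodes:
            target = next(self._next)
        return self.nodes[target], {STICKY_COOKIE: target}


def build_cluster(clustered: bool) -> StickyLoadBalancer:
    """Two nodes; with clustered=True they share one store."""
    shared = {} if clustered else None
    return StickyLoadBalancer([Node("node-a", shared), Node("node-b", shared)])


def browser_requests(lb: StickyLoadBalancer, count: int) -> List[str]:
    """Front-channel traffic: the browser keeps the cookie, so every
    request after the first lands on the same node."""
    jar: Dict[str, str] = {}
    hits = []
    for _ in range(count):
        node, set_cookie = lb.route(jar)
        jar.update(set_cookie)
        hits.append(node.name)
    return hits


def authorization_code_flow(lb: StickyLoadBalancer, user: str) -> Dict[str, Optional[str]]:
    """1. Browser logs in (front-channel; it receives the affinity cookie).
    2. The adapter redeems the code server-to-server: there is no browser
       cookie on that request, so affinity cannot apply."""
    jar: Dict[str, str] = {}
    login_node, set_cookie = lb.route(jar)
    jar.update(set_cookie)
    code = login_node.issue_code(user)

    token_node, _ = lb.route({})  # out-of-band request: no affinity cookie
    return {
        "login_node": login_node.name,
        "token_node": token_node.name,
        "user": token_node.redeem_code(code),  # None if the node lacks the code
    }


if __name__ == "__main__":
    for clustered in (False, True):
        lb = build_cluster(clustered)
        print("clustered" if clustered else "not clustered",
              browser_requests(build_cluster(clustered), 3),
              authorization_code_flow(lb, "alice"))
```

Without the shared store the login lands on node-a and the code exchange is round-robined to node-b, which has never seen the code, so the token request fails even though every browser request stuck to node-a; with the shared store the same exchange succeeds. That is the gap Bill describes between sticky sessions for the browser and the back-channel call the adapter makes.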
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/b6f4f72c/attachment-0001.html From r.vanloenhout at greenvalley.nl Thu Aug 4 03:51:17 2016 From: r.vanloenhout at greenvalley.nl (Robert van Loenhout) Date: Thu, 4 Aug 2016 07:51:17 +0000 Subject: [keycloak-user] Configuring javascript calling REST service In-Reply-To: References: Message-ID: Hi, To make cross origin requests work I had to make the following changes for my REST service: Put "enable-cors": true in the json config. Enable CORS support in Spring. So far I have just put the @CrossOrigin annotation on my REST controller, which seem to put the request host in the allowed origin response header. https://spring.io/blog/2015/06/08/cors-support-in-spring-framework If someone could explain why both is necessary that would be interesting. From: Sebastien Blanc [mailto:sblanc at redhat.com] Sent: 02 August 2016 18:24 To: Robert van Loenhout Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Configuring javascript calling REST service Hi, I'm not entirely sure but I think that "enable-cors" is not supported for the Spring Security Adapter. For now, you have to deal with CORS "manually" on the server side. I think Spring has a annotation like "@CrossOrigin". Sebi On Tue, Aug 2, 2016 at 5:30 PM, Robert van Loenhout > wrote: I'm using the keycloak javascript adapter and the spring security adapter for my REST service. The REST service is configured as a client with 'bearer-only' access type. The javascript client is authenticated. When it does an ajax call to my REST service I receive the following error in my browser: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:30001/rest1/greeting. (Reason: CORS header 'Access-Control-Allow-Origin' missing). I have added "enable-cors": true to my REST keycloak configuration. However where do I configure which origins are allowed? 
For 'public' and 'confidential' clients you can configure the web origins in the admin console. But when I set it to 'bearer-only' this field is gone. So what exactly are the steps you have to take to configure a javascript client that calls a REST service on another host? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/175b40d1/attachment.html From mposolda at redhat.com Thu Aug 4 05:50:16 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Aug 2016 11:50:16 +0200 Subject: [keycloak-user] Handling SuspectExceptions in Keycloak In-Reply-To: <510A5664-A01D-4494-8188-51084A6CF946@expedia.com> References: <035C5A88-0C9C-4D44-A83D-4A227AFF48B6@expedia.com> <579FA3E7.4000809@redhat.com> <510A5664-A01D-4494-8188-51084A6CF946@expedia.com> Message-ID: <57A30FD8.1060800@redhat.com> Hmm... so according to https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem it seems that you're right. It's not easily possible to add the interceptor through infinispan subsystem :/ As a workaround, you can probably try to do it programmatically. You may need to create your own InfinispanConnectionProviderFactory and configure it in keycloak-server.json . It can override DefaultInfinispanConnectionProviderFactory and add the interceptor programmatically to realms and users caches. Sorry, don't have better proposal to avoid this issue right now :( We likely need to wait until https://issues.jboss.org/browse/ISPN-6857 is fixed... Marek On 02/08/16 06:32, Sarp Kaya wrote: > > Hi Marek, > > How do I add the StateTransferInterceptor to the standalone.xml? Isn't > that only doable programmatically? 
> > Thanks, > Sarp > > *From: *Marek Posolda > *Date: *Tuesday, August 2, 2016 at 5:32 AM > *To: *Abdullah Sarp , > "keycloak-user at lists.jboss.org" > *Subject: *Re: [keycloak-user] Handling SuspectExceptions in Keycloak > > See KC issue [1] and related infinispan issue [2] . > > The workaround is to add the StateTransferInterceptor to the proper > place in chain to "realms" and "users" caches. See how I did it > programmatically. I think that based on that, you should be able to add > it to infinispan subsystem as well. > > [1] https://issues.jboss.org/browse/KEYCLOAK-3306 > [2] https://issues.jboss.org/browse/ISPN-6857 > > Marek > > On 28/07/16 11:53, Sarp Kaya wrote: > > Hello, > > There is already an existing bug report for Infinispan here: > > https://issues.jboss.org/browse/ISPN-6721 > > Currently for Keycloak, if this exception is thrown then it sends > an Internal Server Error page to the browser. Essentially what > would be really good is that it sends the user back to the login > page instead of displaying Internal Server Error. > > This happens when I am consistently sending login and logout > (around 40 req/s) requests to two Keycloak instances (let's call > them kc1 and kc2), then one new keycloak instance is started kc3. > Kc3 connects to kc1 and 2 in clustering mode. 
> > Now kc1 receives a new request (such as login) and while it is > processing that, kc3 is gracefully shut including the cache with > this log: > > 2016-07-28 09:15:53,656 INFO [org.jboss.as.clustering.infinispan] > (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions > cache from keycloak container > > Just shortly after that (6 ms) kc1 throws an exception like this: > > 2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default > task-48) UT005023: Exception handling request to > /auth/realms/{realm}/login-actions/authenticate: > org.jboss.resteasy.spi.UnhandledException: > org.infinispan.statetransfer.OutdatedTopologyException: Cache > topology changed while the command was executing: expected 175, > got 176 > > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247) > > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > > at > org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471) > > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415) > > then shortly after(150 ms) kc1 wants to talk to kc3 and fails to > do so with this exception: > > 2016-07-28 09:15:53,804 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] > (default task-54) ISPN000136: Error executing command > RemoveCommand, writing keys > [f9bde276-dd03-41c9-995b-b1aaf64c1489]: > org.infinispan.remoting.transport.jgroups.SuspectException: Cache > not running on node kc3 > > at > org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46) > > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:763) > > at > org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612) > > at > java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > > at > 
java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > > at > java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > > at > java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > > at > org.infinispan.remoting.transport.jgroups.RspListFuture.futureDone(RspListFuture.java:31) > > at org.jgroups.blocks.Request.checkCompletion(Request.java:169) > > at org.jgroups.blocks.GroupRequest.viewChange(GroupRequest.java:261) > > at > org.jgroups.blocks.RequestCorrelator.receiveView(RequestCorrelator.java:331) > > at > org.jgroups.blocks.RequestCorrelator.receive(RequestCorrelator.java:242) > > at > org.jgroups.blocks.MessageDispatcher$ProtocolAdapter.up(MessageDispatcher.java:684) > > at org.jgroups.JChannel.up(JChannel.java:738) > > at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:123) > > at org.jgroups.stack.Protocol.up(Protocol.java:374) > > at org.jgroups.protocols.FORK.up(FORK.java:118) > > at org.jgroups.protocols.FRAG2.up(FRAG2.java:165) > > at org.jgroups.protocols.FlowControl.up(FlowControl.java:394) > > at org.jgroups.protocols.ENCRYPT.up(ENCRYPT.java:454) > > at org.jgroups.protocols.pbcast.GMS.installView(GMS.java:735) > > at > org.jgroups.protocols.pbcast.ParticipantGmsImpl.handleViewChange(ParticipantGmsImpl.java:140) > > at org.jgroups.protocols.pbcast.GMS.up(GMS.java:922) > > at org.jgroups.stack.Protocol.up(Protocol.java:412) > > at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:294) > > at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:474) > > at org.jgroups.protocols.pbcast.NAKACK2.deliverBatch(NAKACK2.java:982) > > at > org.jgroups.protocols.pbcast.NAKACK2.removeAndPassUp(NAKACK2.java:912) > > at > org.jgroups.protocols.pbcast.NAKACK2.handleMessage(NAKACK2.java:846) > > at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:618) > > at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:155) > > at org.jgroups.protocols.FD.up(FD.java:260) > > at 
org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:310) > > at org.jgroups.protocols.MERGE3.up(MERGE3.java:285) > > at org.jgroups.protocols.Discovery.up(Discovery.java:295) > > at org.jgroups.protocols.TP.passMessageUp(TP.java:1577) > > at org.jgroups.protocols.TP$MyHandler.run(TP.java:1796) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > The key that it tries to write is the user-id. After this, the > browser receives an Internal Server Error page, which looks like > this in html: > > > > > > > > Error > > > > > > > > Internal Server Error > > > > > > I have configured my infinispan cache settings as following (the > rest are default): > > > > > > > > I have tried many things (such as playing with owner amounts or > instance amounts etc). It does not seem to fix this exception. I > am well aware that this seems more Infinispan issue than Keycloak, > but I believe that Keycloak at least should respond the end user a > better error message (perhaps a login again page) rather than an > Internal Server Error page. Could you please handle this exception? > > Kind Regards, > Sarp Kaya > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/e13bc9ac/attachment-0001.html From mposolda at redhat.com Thu Aug 4 06:17:08 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Aug 2016 12:17:08 +0200 Subject: [keycloak-user] Token generation: possibilities to improve performance In-Reply-To: References: <61D077C6283D454FAFD06F6AC4AB74D723DDFF8E@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <31bfde5a-c56f-473a-de6f-95d15e32bbd9@redhat.com> <57488196.60104@redhat.com> <574C0448.6090108@redhat.com> <574C0FE8.5090003@redhat.com> <574D3660.6060807@redhat.com> Message-ID: <57A31624.5080209@redhat.com> In OIDC specification, there is mentioned that OIDC requests always need to contain "scope=openid" in the initial Authorization request. If it doesn't contain it, it is treated as the OAuth2 request, but not OIDC request. In future releases, we plan to not include IDToken for such requests, which don't contain "scope=openid" . See JIRA https://issues.jboss.org/browse/KEYCLOAK-3237 Isn't it sufficient to have just this possibility instead of introduce another config switch? Marek On 25/07/16 19:10, Thomas Darimont wrote: > Hello, > > I couldn't find the JIRA for the optional exclusion of the IDToken > when refreshing Access Tokens so I created: > https://issues.jboss.org/browse/KEYCLOAK-3360 > > I also did a PR which implements that: > https://github.com/keycloak/keycloak/pull/3069 > > Cheers, > Thomas > > 2016-05-31 8:59 GMT+02:00 Marek Posolda >: > > On 30/05/16 21:04, Stian Thorgersen wrote: >> >> >> On 30 May 2016 at 12:03, Marek Posolda > > wrote: >> >> On 30/05/16 11:51, Stian Thorgersen wrote: >>> >>> >>> On 30 May 2016 at 11:13, Marek Posolda >> > wrote: >>> >>> On 30/05/16 08:02, Stian Thorgersen wrote: >>>> Create a JIRA for ECDSA. I don't think we could/should >>>> change the default, but could be a configuration option >>>> for clients. >>> Added https://issues.jboss.org/browse/KEYCLOAK-3057 with >>> fix version 2.0.0.CR1 for now. 
>>>> >>>> Looking at OpenID Connect spec it looks like ID token >>>> should always be generated in token response [1]. >>>> However, it should not be generated in refresh [2] >>>> response. >>>> >>>> [1] >>>> http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3 >>>> [2] >>>> http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.12.2 >>> hmm... I am reading 12.2 that refresh response "might >>> not" contain ID Token, hence it's nothing bad if it >>> contains it. So looks we are currently specs compliant >>> if we have IDToken in both code-to-token response and >>> refresh response. >>> >>> What I mean is, that flag for skip IDToken generation >>> might be just optional and disabled by default. So by >>> default, IDToken is available and all the communication >>> is OIDC compliant. However if someone doesn't need >>> IDToken and wants to save some performance, he may skip >>> the IDToken generation. >>> >>> A week before, I've tried some JProfiler testing of >>> login-logout test and token generation was the main CPU >>> consumption (I still had just 1 hashIteration during >>> this profiling, with 20000 it will be likely very >>> different though). I saw 40% of CPU time in >>> TokenManager$AccessTokenResponseBuilder.build()due there >>> are 3 tokens signature here. The option to reduce it >>> from 3 to 2 might slightly improve some CPU cycles "for >>> free" (security won't be reduced). >>> >>> >>> I'd argue that we should just include ID token from the >>> authorization response, while never in the refresh response. >>> That results in better performance without the need for a >>> config option. >> Won't that break compatibility for some client applications, >> which actually use IDToken and rely on the fact that it's >> properly refreshed every time? Among other things, IDToken >> contains fields like "exp" , which might then contain >> expired value as it won't be updated during refreshes. 
Not >> sure if users won't be confused due to this. >> >> >> Surely the exp for an IDToken should be set to the session >> expiration and not to the expiration of access token though? Do >> we even update the profile details in the token or just fill it >> with whatever was there before? > That's not what we are doing now. Right now, all IDToken claims > (including expiration) are copied from accessToken. So IDToken > expiration is by default defacto just 5 minutes or so. And all the > claims are always updated during refresh. So if we don't refresh > IDToken we lost this and IDToken will always contain claims from > the time of login. Not sure if it's too bad or not, however some > client apps, which use IDToken (like our demo for example) might > be confused that IDToken will still contain old values after > refresh... > > Marek >> >> Marek >> >>> >>> >>> Marek >>> >>> >>>> On 27 May 2016 at 19:19, Marek Posolda >>>> > wrote: >>>> >>>> Regarding this, I wonder if we should add support >>>> for ECDSA based signatures as an alternative to >>>> RSA? Just went through some interesting blog [1] , >>>> which mentions that 256-bits ECDSA has around 9.5 >>>> times better performance of signature generation >>>> than 2048-bits RSA. The time of signature >>>> verification seems to be slightly worse for ECDSA >>>> (see second comment), however there is also >>>> increased security (256-ECDSA is equivalient of >>>> 3248 RSA according to blog). Maybe it's something >>>> we can look at? >>>> >>>> Also the optional flag to skip IDToken generation >>>> will be good too IMO. AFAIK the point of IDToken is >>>> the compliance with OIDC specification. However in >>>> case of Keycloak accessToken usually contains all >>>> the info like IDToken (+ some more) and it's the >>>> accessToken, which is used in REST endpoints. So >>>> with regards to that, most of the Keycloak-secured >>>> applications can live just with access+refresh >>>> token and don't need ID Token at all. 
So if just 2 >>>> tokens need to be signed instead of 3, we have >>>> performance gain "for free" (no decrease of >>>> security, just one less useless token). >>>> >>>> [1] >>>> https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/ >>>> >>>> Marek >>>> >>>> >>>> On 24/05/16 15:43, Bill Burke wrote: >>>>> Are you sure the performance gains are worth less >>>>> security? What kind of performance are you >>>>> actually worried about? Network (size of tokens) >>>>> or CPU (signatures/marshaling/unmarshalling)? If >>>>> anything, these signatures are only going to get >>>>> stronger in future releases. >>>>> >>>>> On 5/24/16 5:46 AM, Matuszak, Eduard wrote: >>>>>> Hello >>>>>> Motivated by considerations on how to improve the >>>>>> performance of the token generation process I >>>>>> have two questions: >>>>>> >>>>>> * I noticed that Keycloak's token generation >>>>>> via endpoint >>>>>> "auth/realms/ccp/protocol/openid-connect/token" >>>>>> generates a triple of tokens (access-, >>>>>> refresh- and id-token). Is there any >>>>>> possibility to dispense with the id-token >>>>>> generation? >>>>>> >>>>>> * Is there a possibility to cause Keycloak to >>>>>> generate more "simple" bearer tokens than >>>>>> complex jwt-tokens? 
>>>>>> >>>>>> Best regards, Eduard Matuszak >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>> >>> >> >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/6c1cf6a5/attachment-0001.html From thomas.darimont at googlemail.com Thu Aug 4 06:25:05 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 4 Aug 2016 12:25:05 +0200 Subject: [keycloak-user] Token generation: possibilities to improve performance In-Reply-To: <57A31624.5080209@redhat.com> References: <61D077C6283D454FAFD06F6AC4AB74D723DDFF8E@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> <31bfde5a-c56f-473a-de6f-95d15e32bbd9@redhat.com> <57488196.60104@redhat.com> <574C0448.6090108@redhat.com> <574C0FE8.5090003@redhat.com> <574D3660.6060807@redhat.com> <57A31624.5080209@redhat.com> Message-ID: You're right, it is better to follow the spec than to introduce a workaround via the switch. So I'm fine with closing the PR. Cheers, Thomas 2016-08-04 12:17 GMT+02:00 Marek Posolda : > In OIDC specification, there is mentioned that OIDC requests always need > to contain "scope=openid" in the initial Authorization request. 
If it > doesn't contain it, it is treated as the OAuth2 request, but not OIDC > request. In future releases, we plan to not include IDToken for such > requests, which don't contain "scope=openid" . See JIRA > https://issues.jboss.org/browse/KEYCLOAK-3237 > > Isn't it sufficient to have just this possibility instead of introduce > another config switch? > > Marek > > > On 25/07/16 19:10, Thomas Darimont wrote: > > Hello, > > I couldn't find the JIRA for the optional exclusion of the IDToken when > refreshing Access Tokens so I created: > https://issues.jboss.org/browse/KEYCLOAK-3360 > > I also did a PR which implements that: > https://github.com/keycloak/keycloak/pull/3069 > > Cheers, > Thomas > > 2016-05-31 8:59 GMT+02:00 Marek Posolda : > >> On 30/05/16 21:04, Stian Thorgersen wrote: >> >> >> >> On 30 May 2016 at 12:03, Marek Posolda < >> mposolda at redhat.com> wrote: >> >>> On 30/05/16 11:51, Stian Thorgersen wrote: >>> >>> >>> >>> On 30 May 2016 at 11:13, Marek Posolda < >>> mposolda at redhat.com> wrote: >>> >>>> On 30/05/16 08:02, Stian Thorgersen wrote: >>>> >>>> Create a JIRA for ECDSA. I don't think we could/should change the >>>> default, but could be a configuration option for clients. >>>> >>>> Added >>>> https://issues.jboss.org/browse/KEYCLOAK-3057 with fix version >>>> 2.0.0.CR1 for now. >>>> >>>> >>>> Looking at OpenID Connect spec it looks like ID token should always be >>>> generated in token response [1]. However, it should not be generated in >>>> refresh [2] response. >>>> >>>> [1] >>>> >>>> http://openid.net/specs/openid-connect-core-1_0.html# >>>> rfc.section.3.1.3.3 >>>> [2] >>>> >>>> http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.12.2 >>>> >>>> hmm... I am reading 12.2 that refresh response "might not" contain ID >>>> Token, hence it's nothing bad if it contains it. So looks we are currently >>>> specs compliant if we have IDToken in both code-to-token response and >>>> refresh response. 
>>>> >>>> What I mean is, that flag for skip IDToken generation might be just >>>> optional and disabled by default. So by default, IDToken is available and >>>> all the communication is OIDC compliant. However if someone doesn't need >>>> IDToken and wants to save some performance, he may skip the IDToken >>>> generation. >>>> >>>> A week before, I've tried some JProfiler testing of login-logout test >>>> and token generation was the main CPU consumption (I still had just 1 >>>> hashIteration during this profiling, with 20000 it will be likely very >>>> different though). I saw 40% of CPU time in TokenManager$ >>>> AccessTokenResponseBuilder.build() due there are 3 tokens signature >>>> here. The option to reduce it from 3 to 2 might slightly improve some CPU >>>> cycles "for free" (security won't be reduced). >>>> >>> >>> I'd argue that we should just include ID token from the authorization >>> response, while never in the refresh response. That results in better >>> performance without the need for a config option. >>> >>> Won't that break compatibility for some client applications, which >>> actually use IDToken and rely on the fact that it's properly refreshed >>> every time? Among other things, IDToken contains fields like "exp" , which >>> might then contain expired value as it won't be updated during refreshes. >>> Not sure if users won't be confused due to this. >>> >> >> Surely the exp for an IDToken should be set to the session expiration and >> not to the expiration of access token though? Do we even update the profile >> details in the token or just fill it with whatever was there before? >> >> That's not what we are doing now. Right now, all IDToken claims >> (including expiration) are copied from accessToken. So IDToken expiration >> is by default defacto just 5 minutes or so. And all the claims are always >> updated during refresh. So if we don't refresh IDToken we lost this and >> IDToken will always contain claims from the time of login. 
Not sure if it's >> too bad or not, however some client apps, which use IDToken (like our demo >> for example) might be confused that IDToken will still contain old values >> after refresh... >> >> Marek >> >> Marek >>> >>> >>> >>>> >>>> >>>> Marek >>>> >>>> >>>> On 27 May 2016 at 19:19, Marek Posolda < >>>> mposolda at redhat.com> wrote: >>>> >>>>> Regarding this, I wonder if we should add support for ECDSA based >>>>> signatures as an alternative to RSA? Just went through some interesting >>>>> blog [1] , which mentions that 256-bits ECDSA has around 9.5 times better >>>>> performance of signature generation than 2048-bits RSA. The time of >>>>> signature verification seems to be slightly worse for ECDSA (see second >>>>> comment), however there is also increased security (256-ECDSA is >>>>> equivalient of 3248 RSA according to blog). Maybe it's something we can >>>>> look at? >>>>> >>>>> Also the optional flag to skip IDToken generation will be good too >>>>> IMO. AFAIK the point of IDToken is the compliance with OIDC specification. >>>>> However in case of Keycloak accessToken usually contains all the info like >>>>> IDToken (+ some more) and it's the accessToken, which is used in REST >>>>> endpoints. So with regards to that, most of the Keycloak-secured >>>>> applications can live just with access+refresh token and don't need ID >>>>> Token at all. So if just 2 tokens needs to be signed instead of 3, we have >>>>> performance gain "for free" (no decrease of security, just one less useless >>>>> token). >>>>> >>>>> [1] >>>>> >>>>> https://blog.cloudflare.com/ecdsa-the-digital-signature- >>>>> algorithm-of-a-better-internet/ >>>>> >>>>> Marek >>>>> >>>>> >>>>> On 24/05/16 15:43, Bill Burke wrote: >>>>> >>>>> Are you sure the performance gains are worth less security? What kind >>>>> of performance are you actually worried about? Network (size of tokens) or >>>>> CPU (signatures/marshaling/unmarshalling)? 
If anything, these >>>>> signatures are only going to get stronger in future releases. >>>>> >>>>> On 5/24/16 5:46 AM, Matuszak, Eduard wrote: >>>>> >>>>> Hello >>>>> >>>>> Motivated by considerations on how to improve the performance of the >>>>> token generation process I have two questions: >>>>> >>>>> >>>>> - I noticed that Keycloak's token generation via endpoint >>>>> "auth/realms/ccp/protocol/openid-connect/token" generates a triple >>>>> of tokens (access-, refresh- and id-token). Is there any possibility to >>>>> dispense with the id-token generation? >>>>> >>>>> >>>>> >>>>> - Is there a possibility to cause Keycloak to generate more >>>>> "simple" bearer tokens than complex jwt-tokens? >>>>> >>>>> >>>>> >>>>> Best regards, Eduard Matuszak >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> >>> >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -------------- next part -------------- An HTML attachment was scrubbed... 
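The token generation thread above turns on two rules: Marek's point that, per OIDC Core, only a request whose scope contains "openid" is an OIDC request (KEYCLOAK-3237), and the open question of whether the refresh response should carry an ID token, given that today its claims, including exp, are copied from the access token. The model below is an added example, not Keycloak code: it implements both rules with a switch for the refresh case, counts signing operations to show the 3-versus-2 cost the profiling found, and checks the stale-exp concern Marek raised. It signs with HS256 from the standard library as a stand-in for the realm's RS256 key; the lifespans, subject, scopes and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for this example only. Keycloak signs with the realm's RSA
# key (RS256); HMAC stands in so the example runs with the standard library.
SIGNING_KEY = b"example-realm-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Read the payload of a compact JWT (inspection only, no verification)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class TokenIssuer:
    """Minimal token-endpoint model that counts signatures, because signing
    was the CPU cost measured in the thread (three signatures per response)."""

    def __init__(self, access_lifespan=300, session_lifespan=36000,
                 id_token_on_refresh=True):
        self.access_lifespan = access_lifespan
        self.session_lifespan = session_lifespan
        self.id_token_on_refresh = id_token_on_refresh
        self.signatures = 0

    def sign(self, claims: dict) -> str:
        self.signatures += 1
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{b64url(sig)}"

    @staticmethod
    def is_oidc(scope: str) -> bool:
        """OIDC Core: a request is OIDC only if scope contains 'openid';
        anything else is plain OAuth2 and gets no ID token."""
        return "openid" in scope.split()

    def token_response(self, sub, scope, session_start, now, refresh=False):
        access = {"sub": sub, "typ": "Bearer", "scope": scope,
                  "iat": now, "exp": now + self.access_lifespan}
        refresh_claims = {"sub": sub, "typ": "Refresh",
                          "iat": now, "exp": session_start + self.session_lifespan}
        resp = {"access_token": self.sign(access),
                "refresh_token": self.sign(refresh_claims),
                "expires_in": self.access_lifespan}
        if self.is_oidc(scope) and (self.id_token_on_refresh or not refresh):
            # As described in the thread, the ID token claims (exp included)
            # are copied from the access token, so it expires with it.
            id_claims = {"sub": sub, "typ": "ID", "iat": now,
                         "exp": access["exp"], "auth_time": session_start}
            resp["id_token"] = self.sign(id_claims)
        return resp


def signatures_for(scope, refresh=False, id_token_on_refresh=True):
    """Number of signing operations one token response costs."""
    issuer = TokenIssuer(id_token_on_refresh=id_token_on_refresh)
    issuer.token_response("user-1", scope, session_start=1_000_000,
                          now=1_000_000, refresh=refresh)
    return issuer.signatures


def stale_id_token_exp(id_token_on_refresh):
    """Refresh after the access lifespan has passed and report whether the
    ID token the client still holds is already expired."""
    issuer = TokenIssuer(id_token_on_refresh=id_token_on_refresh)
    t0 = 1_000_000
    first = issuer.token_response("user-1", "openid profile", t0, t0)
    later = issuer.token_response("user-1", "openid profile", t0, t0 + 600, refresh=True)
    current_id = later.get("id_token", first["id_token"])
    return decode_claims(current_id)["exp"] < t0 + 600
```

Dropping the ID token for non-openid requests saves a signature without changing what any OIDC client receives; dropping it on refresh saves the same signature but, as long as the ID token's exp mirrors the access token's, leaves the client holding an expired ID token after the first refresh, which is the compatibility concern in the thread.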
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/f2eabbb7/attachment-0001.html From mposolda at redhat.com Thu Aug 4 06:32:13 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Aug 2016 12:32:13 +0200 Subject: [keycloak-user] Authentication via Facebook Token In-Reply-To: References: Message-ID: <57A319AD.9080608@redhat.com> On 03/08/16 20:34, Luigi De Masi wrote: > > Hi, > > I have to create a rest layer to allow a mobile application to > interact with KC because mobile developers don't want to use any kind > of redirect or webview, only rest calls for login/registration. > > For username/password authentication/registration it is easy, I can > use the admin rest api, but for social login (only via facebook), is there > a way to get a keycloak JWT token by passing a facebook token using the admin > api or any other rest api? > You can use Direct Access Grants (aka. "Resource Owner Password Credential Grant" from OAuth2 specification). We also have the possibility to configure your own authentication flow for Direct Grant. Here you can put your Authenticator, which will read facebook accessToken and authenticate (and possibly also lazily create if you trust facebook? ) user based on that. Marek > > If not, it's better to plug an authentication provider using > Authentication SPI or create a custom rest endpoint and generate > (don't know how) a JWT? > > Thanks. > > -- > Luigi De Masi > /"Talk is cheap. Show me the code."/ > / -- Linus Torvalds/ > > > ------------------------------------------------------------------------ > > Extra srl > p: +39 0587975800 > a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy > > w: www.extrasrl.it e: info at extrasys.it > > > > > > > > The information transmitted is confidential to the person or entity to > which it is addressed and may contain confidential information and/or > valuable material. 
Any review, retransmission, dissemination or > other use of, or the taking of any action in reliance upon, this information > by persons other than the intended recipient is prohibited. If you have > received this message in error, please inform the sender and > delete the material from every computer. > > The information transmitted is intended for the person or entity to > which it is addressed and may contain confidential and/or privileged > material. Any review, retransmission, dissemination or other use of, > or taking of any action in reliance upon, this information by persons > or entities other than the intended recipient is prohibited. If you > received this in error, please contact the sender and delete the > material from any computer. > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/56653349/attachment.html From mposolda at redhat.com Thu Aug 4 06:35:53 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Aug 2016 12:35:53 +0200 Subject: [keycloak-user] API for User Account Service? In-Reply-To: <1470172805.4159443.684179281.797F86A5@webmail.messagingengine.com> References: <1470172805.4159443.684179281.797F86A5@webmail.messagingengine.com> Message-ID: <57A31A89.7000107@redhat.com> Not right now. We plan to possibly rewrite AccountService to be based on REST + angular. However you can add your own REST endpoints to Keycloak if you want (See RealmResourceProvider and an example we have for that). Another possibility is to trigger admin REST API from your app, assuming it's server-side application so end-users won't see the requests to KC admin REST API done on behalf of admin user. 
Marek

On 02/08/16 23:20, Aikeaguinea wrote:
> Can the User Account Service be accessed as an API? I'm interested in
> the "forgot password" and "change password" functionality in particular.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/23f8a73c/attachment.html

From mposolda at redhat.com Thu Aug 4 06:40:04 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 4 Aug 2016 12:40:04 +0200
Subject: [keycloak-user] NGINX + Redirect URI is going to http rather than https
In-Reply-To:
References:
Message-ID: <57A31B84.4070603@redhat.com>

Didn't go through all the details, just asking if you read some parts from our docs?

https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/network.html (and subpages)
https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html

Marek

On 03/08/16 17:36, abhishek raghav wrote:
>
> I am trying to configure NGINX as a reverse proxy for my keycloak instance
> and customer-portal to do SSL termination.
>
> So I am accessing the customer-portal over NGINX with https which is
> going fine.
> The URL which I called looks like this:
>
> https://192.168.99.100/customer-portal/
>
> Next when I am trying to access any secured resource by clicking on,
> let's say, 'customer-listing', I am redirected to keycloak with the URI
> below, with an error message "invalid redirect URI".
>
> http://192.168.99.100:31048/auth/realms/nginx/protocol/openid-connect/auth?response_type=code&client_id=customer-portal&redirect_uri=http%3A%2F%2F192.168.99.100%2Fcustomer-portal%2Fcustomers%2Fview.jsp&state=3%2F9ded446e-cecc-4e96-b46a-37dce491a509&login=true
>
> Here if you see, the redirect URI is going as http in place of https,
> which gives me invalid redirect-uri because the URI I have configured
> in the valid-redirect-URI section of settings in the customer-portal
> client settings is below:
>
> https://192.168.99.100/customer-portal/*
>
> Am I missing something or do I need to do anything else to support nginx
> settings in my keycloak? I have made the proxy-forwarding in
> standalone.xml also 'true':
>
> <http-listener proxy-address-forwarding="true" name="default" socket-binding="http" redirect-socket="https"/>
>
> I also configured the port in the socket binding as 443.
>
> Also I am configuring the required headers in my nginx.conf.
>
> Below is what my nginx.conf looks like:
>
> user nginx;
> worker_processes 1;
>
> error_log /var/log/nginx/error.log warn;
> pid /var/run/nginx.pid;
>
> events {
>     worker_connections 1024;
> }
>
> http {
>     include /etc/nginx/mime.types;
>     default_type application/octet-stream;
>
>     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
>                     '$status $body_bytes_sent "$http_referer" '
>                     '"$http_user_agent" "$http_x_forwarded_for"';
>
>     server {
>         listen 443;
>         server_name "";
>         ssl_certificate /etc/nginx/external/cert.pem;
>         ssl on;
>         ssl_certificate_key /etc/nginx/external/key.pem;
>         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>         ssl_ciphers HIGH:!aNULL:!MD5;
>
>         location /customer-portal/ {
>             proxy_set_header Host $http_host;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header X-Forwarded-Proto $scheme;
>             proxy_set_header X-Forwarded-Host $host;
>             proxy_set_header X-Forwarded-Server $http_host;
>             proxy_set_header X-Forwarded-Port 443;
>             proxy_pass http://192.168.99.100:31050;
>         }
>
>         location /auth/ {
>             proxy_set_header Host $host;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             proxy_set_header X-Forwarded-Proto $scheme;
>             proxy_set_header X-Forwarded-Host $host;
>             proxy_set_header X-Forwarded-Server $http_host;
>             proxy_pass http://192.168.99.100:31048/auth/;
>             proxy_set_header X-Forwarded-Port 443;
>         }
>     }
>
>     access_log /var/log/nginx/access.log main;
>
>     sendfile on;
>     #tcp_nopush on;
>
>     keepalive_timeout 65;
>
>     #gzip on;
>
>     include /etc/nginx/conf.d/*.conf;
> }
>
> And my keycloak.json file looks like below:
>
> {
>   "realm": "nginx",
>   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
>   "auth-server-url": "https://192.168.99.100/auth/",
>   "ssl-required": "external",
>   "resource": "customer-portal",
>   "credentials": {
>     "secret": "20d8b6f8-25cc-481c-be66-133da68e9596"
>   },
>   "use-resource-role-mappings": false
> }
>
> Note: I am running all 3 in their own docker containers.
>
> Here my nginx url is https://192.168.99.100
> my customer-portal url is http://192.168.99.100:31050
> my keycloak server url is http://192.168.99.100:31048
>
> Customer-portal is running on tomcat 8 with the keycloak tomcat adapter.
>
> customer-portal and keycloak are both running behind nginx.
>
> Am I doing something wrong?
>
> Thanks.
> Abhishek
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
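The redirect_uri in the authorization URL Abhishek quotes is built by the application's adapter from the request as the application server sees it, so the X-Forwarded-* headers nginx sets have to be honored both on the Keycloak side (the proxy-address-forwarding listener attribute) and on the application side. The Java below is an added example, not Keycloak, Undertow or Tomcat code: it models that URL reconstruction with the thread's headers and hosts, and, as an assumption added here, only trusts the headers when the request came from the known proxy address (a constructed 172.17.0.2).

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example: how a proxy-aware server rebuilds the client-facing URL that an
 * OIDC adapter then uses as redirect_uri. Not Keycloak/Undertow/Tomcat code.
 */
public final class ForwardedUrl {

    /** Addresses we accept X-Forwarded-* headers from (assumption: only the nginx container). */
    private final Set<String> trustedProxies;

    public ForwardedUrl(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * @param peer        TCP peer address the request arrived from (the proxy, or a client that bypassed it)
     * @param localScheme scheme of the listener the backend actually serves ("http" for both backends in the thread)
     * @param hostHeader  the Host header as received, i.e. what nginx's "proxy_set_header Host ..." sent
     * @param path        request path
     * @param headers     request headers; only X-Forwarded-Proto/Host/Port are consulted
     * @param forwarding  mirrors the proxy-address-forwarding attribute of the Undertow http-listener
     */
    public String externalUrl(String peer, String localScheme, String hostHeader, String path,
                              Map<String, String> headers, boolean forwarding) {
        String scheme = localScheme;
        String authority = hostHeader;            // host[:port] as received
        // Honor forwarding headers only when enabled AND the sender is our proxy. Without the
        // peer check, a client that can reach the backend port directly could supply its own
        // X-Forwarded-Proto/Host and make the server build URLs for a host of its choosing.
        if (forwarding && trustedProxies.contains(peer)) {
            scheme = headers.getOrDefault("X-Forwarded-Proto", scheme);
            String fwdHost = headers.get("X-Forwarded-Host");
            String fwdPort = headers.get("X-Forwarded-Port");
            if (fwdHost != null) {
                authority = fwdHost;
            }
            if (fwdPort != null) {
                boolean defaultPort = ("https".equals(scheme) && "443".equals(fwdPort))
                        || ("http".equals(scheme) && "80".equals(fwdPort));
                authority = hostOnly(authority) + (defaultPort ? "" : ":" + fwdPort);
            }
        }
        return scheme + "://" + authority + path;
    }

    /** Simplified valid-redirect-URI rule: exact match, or prefix match when the pattern ends in '*'. */
    public static boolean matchesValidRedirect(String redirectUri, String pattern) {
        if (pattern.endsWith("*")) {
            return redirectUri.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return redirectUri.equals(pattern);
    }

    private static String hostOnly(String authority) {
        int colon = authority.indexOf(':');
        return colon < 0 ? authority : authority.substring(0, colon);
    }

    public static void main(String[] args) {
        String proxy = "172.17.0.2";                       // constructed: the nginx container's address
        ForwardedUrl resolver = new ForwardedUrl(Collections.singleton(proxy));

        // Headers as the "location /customer-portal/" block in the thread's nginx.conf sets them
        Map<String, String> fromNginx = new HashMap<>();
        fromNginx.put("X-Forwarded-Proto", "https");
        fromNginx.put("X-Forwarded-Host", "192.168.99.100");
        fromNginx.put("X-Forwarded-Port", "443");
        String path = "/customer-portal/customers/view.jsp";
        String validRedirect = "https://192.168.99.100/customer-portal/*";   // the client's configured pattern

        // 1. Forwarding ignored (application server not proxy-aware): the http:// value seen in the thread
        String ignored = resolver.externalUrl(proxy, "http", "192.168.99.100", path, fromNginx, false);
        // 2. Forwarding honored: the public https URL, which satisfies the valid-redirect-URI pattern
        String honored = resolver.externalUrl(proxy, "http", "192.168.99.100", path, fromNginx, true);
        // 3. Same headers, but sent by a client (constructed 203.0.113.7) that reached the backend directly
        String direct = resolver.externalUrl("203.0.113.7", "http", "192.168.99.100", path, fromNginx, true);

        for (String uri : new String[] {ignored, honored, direct}) {
            System.out.printf("%-60s valid=%b%n", uri, matchesValidRedirect(uri, validRedirect));
        }
    }
}
```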
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/51f0dffa/attachment-0001.html

From mposolda at redhat.com Thu Aug 4 06:43:38 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 4 Aug 2016 12:43:38 +0200
Subject: [keycloak-user] Keycloak admin rest api - admin/realms
In-Reply-To:
References:
Message-ID: <57A31C5A.9010300@redhat.com>

We have an example for the Java admin client [1] and another one showing how to call admin rest endpoints directly [2]

[1] https://github.com/keycloak/keycloak/tree/master/examples/admin-client
[2] https://github.com/keycloak/keycloak/tree/master/examples/demo-template/admin-access-app

Marek

On 02/08/16 15:09, Deepak Garg wrote:
> Hi,
>
> I need your help to test the following admin rest api.
>
> I was able to get the access_token using
> http://localhost:9090/auth/realms/master/protocol/openid-connect/token
> rest api.
>
> As a next step, I'd like to get the list of all realms, for which I am
> trying to use the below api
>
> http://localhost:9090/auth/admin/realms
>
> I have got the access token but don't know how to test this using postman.
>
> Please help me on this.
>
> Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/d968ea3f/attachment.html

From mposolda at redhat.com Thu Aug 4 06:51:33 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 4 Aug 2016 12:51:33 +0200
Subject: [keycloak-user] Reverse Proxy - SSL Termination - Invalid parameter: redirect uri
In-Reply-To:
References:
Message-ID: <57A31E35.4060904@redhat.com>

We have some docs for this here https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/clustering/load-balancer.html

Marek

On 01/08/16 22:58, Derek Visch wrote:
> Ended up figuring this out, just to save whatever poor soul has to go
> down the same/similar path here's what I did. I'm curious why I didn't
> get any errors when running keycloak with debug logging turned on as
> this must be some kind of host re-write problem with wildfly/keycloak.
>
> First the only configuration I had to set in standalone.xml was (I
> removed all the other custom configurations I had in place, the rest is
> the vanilla standalone.xml):
>
> redirect-socket="https" proxy-address-forwarding="true"/>
>
> Wildfly10 Docs for this:
> https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration
>
> Nginx configuration:
>
> server {
>     listen 80;
>     server_name keycloak_testing.leveldatadevelopment.com;
>     return 301 https://$host$request_uri;
> }
>
> server {
>     listen 443 ssl;
>     server_name keycloak_testing.leveldatadevelopment.com;
>
>     ssl_certificate /etc/nginx/ssl/star.leveldatadevelopment.com.crt;
>     ssl_certificate_key /etc/nginx/ssl/star.leveldatadevelopment.com.key;
>
>     location / {
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr; # Not sure this is needed for wildfly/keycloak
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_redirect http:// https://;
>
>         proxy_pass http://0.0.0.0:8080;
>     }
> }
>
> Note the Host header difference: with Host $host:$server_port; I receive a
> white page when logging into the admin URL. *Why would this happen*?
> The only mention of the host header I could find in the WildFly
> documentation is
> https://docs.jboss.org/author/display/WFLY10/Undertow+subsystem+configuration
>
> Also to get past the invalid_redirect_uri issue,
>
> 1. Run keycloak locally
> 2. Go to the Clients settings in the Master Realm
> 3. Click edit on the security-admin-console client id (You may also
>    have to do this with the account client ID, I'm not certain)
> 4. Add valid redirect URI's for your new domain, for example
>    https://website.com/* (Docs tell you to be as limited as possible
>    with these, so in production limit down your redirect URI's as much
>    as possible)
>
> Hope this helps someone in the future! What do you think? Should this
> be added to the documentation somewhere or should some kind of error
> be thrown in this circumstance? I'm not certain if it's Wildfly or
> keycloak causing this to happen; I didn't dig quite hard enough to find
> out :(
>
> On Thu, Jul 21, 2016 at 5:21 PM, Derek Visch wrote:
>
>     Trying to setup reverse SSL for keycloak. Having issues finding
>     documentation about this, it's mentioned in
>     https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.0/topics/network/https.html
>     but the extra detail that's supposed to be in
>     https://keycloak.gitbooks.io/server-adminstration-guide/content/ I
>     could not find in regards to reverse SSL proxies.
>
>     Regardless I ended up following
>     http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
>
>     From that previous mailing list post:
>
>     Follow the documentation for your web server to enable SSL and configure reverse proxy for Keycloak. It is important that you make sure the web server sets the X-Forwarded-For and X-Forwarded-Proto headers on the requests made to Keycloak. Next you need to enable proxy-address-forwarding on the Keycloak http connector. Assuming that your reverse proxy doesn't use port 8443 for SSL you also need to configure what port http traffic is redirected to. This is done by editing standalone/configuration/standalone.xml.
>
>     First add proxy-address-forwarding and redirect-socket to the http-listener element:
>
>     ...
>     ...
>
>     Then add a new socket-binding element to the socket-binding-group element:
>
>     ...
>     ...
>
>     but now when I go to log on to the admin console I get "We're
>     sorry ... Invalid parameter: redirect uri".
>
>     Tried stack overflow / google / IRC. No luck so far.
>
>     Any help would be appreciated :D
>
>     Thanks
>
>     --
>
>     Derek Visch / Software Developer / Network Technician
>     dvisch at leveldata.com / Direct: 269-488-2037
>
>     Level Data Inc.
>     Office: 866.511.3282
>     4787 Campus Dr. | Kalamazoo, MI 49008
>     http://www.leveldata.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/b8662c50/attachment.html

From mposolda at redhat.com Thu Aug 4 06:56:05 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 4 Aug 2016 12:56:05 +0200
Subject: [keycloak-user] Naive Question
In-Reply-To:
References:
Message-ID: <57A31F45.4080709@redhat.com>

On 03/08/16 12:16, Christopher Davies wrote:
> Thanks everyone for all your help: I now have a lash up with my app
> talking via spring security to Keycloak.
>
> OK one last question - more of a redirect to the correct part of the
> documentation.
>
> However I do need a copy of the JWT to pass on to a native application.
> Can anyone point me at the api I would need to use to get the signed
> JWT from Spring Security

If you have access to HttpServletRequest from Spring, then something like this ( https://github.com/mposolda/keycloak/blob/master/examples/demo-template/customer-app/src/main/java/org/keycloak/example/CustomerDatabaseClient.java#L65-L70 )

Marek

>
> Thanks in advance
>
> Chris
>
> On Wed, Aug 3, 2016 at 10:54 AM Christopher Davies wrote:
>
>     Thanks for all your help; I have managed to get the adapter to
>     load and read the keycloak file. I used the following in my
>     security.xml file:
>
>     <bean class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
>
>     Now I can see my app connecting to keycloak. Next issue is that
>     despite keycloak passing back the principal with the correct
>     Roles, Spring security is rejecting the user in the RoleVoter.
>     Will try to solve this myself before I trouble you.
>
>     Chris
>
>     On Tue, Aug 2, 2016 at 8:09 PM Scott Rossillo wrote:
>
>         Well, the adapter does support loading the keycloak.json file
>         from anywhere on the class path. Jetty AFAIK does
>         include jetty/resources on the class path. So, you could put
>         keycloak.json there and if you start the server with the
>         option below it should work:
>
>         -Dkeycloak.configurationFile=classpath:keycloak.json
>
>         Scott Rossillo
>         Smartling | Senior Software Engineer
>         srossillo at smartling.com
>
>>        On Aug 2, 2016, at 8:56 AM, Christopher Davies wrote:
>>
>>        I do not want to have to open the war file just to update /
>>        change the keycloak credentials.
>>        Am I right that the WEB-INF sits inside the war file?
>>        I would like a single security instance for the entire Jetty
>>        server
>>
>>        Chris
>>
>>        On Tue, Aug 2, 2016 at 12:55 PM Sebastien Blanc wrote:
>>
>>            Hi,
>>
>>            Any reasons you don't want to put the keycloak.json in
>>            /WEB-INF ?
>>
>>            <bean class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextFactoryBean">
>>
>>            Sebi
>>
>>            On Tue, Aug 2, 2016 at 1:33 PM, Christopher Davies wrote:
>>
>>                I am looking at linking our legacy app to Keycloak.
>>
>>                Currently it is a bespoke jetty server, that only
>>                serves our war files.
>>                The security.xml is set in config of the server
>>                directory.
>>                I have taken the example setting file from
>>                https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
>>
>>                I can see this loading keycloak's spring adapter.
>>                It fails when searching for Keycloak.json.
>>
>>                I was hoping to be able to drop the Keycloak.json
>>                file in the config directory.
>>
>>                Hope you can be of assistance. Please feel free to
>>                ask if I have missed any key information.
>>                I am trying to get up to speed on both KeyCloak and
>>                SpringSecurity as I am a C++ programmer at heart.
>>
>>                Chris
>>
>>                _______________________________________________
>>                keycloak-user mailing list
>>                keycloak-user at lists.jboss.org
>>                https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>        _______________________________________________
>>        keycloak-user mailing list
>>        keycloak-user at lists.jboss.org
>>        https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/e64e34ab/attachment-0001.html

From ushanas.shastri at viteos.com Thu Aug 4 07:54:40 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Thu, 4 Aug 2016 11:54:40 +0000
Subject: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
Message-ID:

Classification: INTERNAL

Hello,

We have Keycloak setup with SQL Server as a persistent store, and we have User Federation enabled with Microsoft Active Directory.

Why does Keycloak go back to querying AD on every page load (Manage -> Users or the Evaluate tab in Authorization)? Should it not get a list of users from the local SQL store only?

I'm seeing that on the page load, Keycloak gets a list of all users from AD. Considering we have a large number of users, this is time consuming. Don't know if it matters, but we do have an AD filter.

Regards, Ushanas.

Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/fc2ff349/attachment.html

From bburke at redhat.com Thu Aug 4 09:10:51 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 4 Aug 2016 09:10:51 -0400
Subject: [keycloak-user] API for User Account Service?
In-Reply-To: <57A31A89.7000107@redhat.com>
References: <1470172805.4159443.684179281.797F86A5@webmail.messagingengine.com> <57A31A89.7000107@redhat.com>
Message-ID:

I think the account service can be accessed as an API.

On 8/4/16 6:35 AM, Marek Posolda wrote:
> Not right now. We plan to possibly rewrite AccountService to be based
> on REST + angular.
>
> However you can add your own REST endpoints to Keycloak if you want
> (See RealmResourceProvider and an example we have for that). Another
> possibility is to trigger admin REST API from your app, assuming it's
> server-side application so end-users won't see the requests to KC
> admin REST API done on behalf of admin user.
>
> Marek
>
> On 02/08/16 23:20, Aikeaguinea wrote:
>> Can the User Account Service be accessed as an API? I'm interested in
>> the "forgot password" and "change password" functionality in particular.
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/63555f8c/attachment.html

From bburke at redhat.com Thu Aug 4 09:19:43 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 4 Aug 2016 09:19:43 -0400
Subject: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
In-Reply-To:
References:
Message-ID: <4fe6acbf-2838-d9f8-46f0-dafccf4eefe2@redhat.com>

You mean when you manage the users from the Admin Console? The searchbox is meant to be a general pattern and is equivalent to a LIKE clause in an RDBMS. So this means all providers must be queried.

On 8/4/16 7:54 AM, Ushanas Shastri wrote:
>
> Classification: INTERNAL
>
> Hello,
>
> We have Keycloak setup with SQL Server as a persistent store, and we
> have User Federation enabled with Microsoft Active Directory.
>
> Why does Keycloak go back to querying AD on every page load (Manage->
> Users or the Evaluate tab in Authorization)? Should it not get a list
> of users from the local SQL store only?
>
> I'm seeing that on the page load, Keycloak gets a list of all users
> from AD. Considering we have a large number of users, this is time
> consuming. Don't know if it matters, but we do have an AD filter.
>
> Regards, Ushanas.
>
> Viteos Fund Services Ltd | www.viteos.com
>
> Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
>
> Cell : +91-9820225580
>
> Email : ushanas.shastri at viteos.com
>
> This message is for the named person's use only. It may contain
> confidential, proprietary or legally privileged information. No
> confidentiality or privilege is waived or lost by any
> mis-transmission. If you receive this message in error, please
> immediately delete it and all copies of it from your system, destroy
> any hard copies of it and notify the sender. You must not, directly or
> indirectly, use, disclose, distribute, print, or copy any part of this
> message if you are not the intended recipient. Viteos Capital Market
> Services Ltd. and any of its subsidiaries each reserve the right to
> monitor all e-mail communications through its networks. Any views
> expressed in this message are those of the individual sender, except
> where the message states otherwise and the sender is authorized to
> state them to be the views of any such entity.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/de0357db/attachment.html

From josh.cain at redhat.com Thu Aug 4 09:32:45 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Thu, 4 Aug 2016 08:32:45 -0500
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
In-Reply-To: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>
References: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>
Message-ID:

We've got social auth data already in a data store, and other applications/enclaves also use that data store, so we'd like to keep it as a single source of truth (rather than point additional applications to the KC database, or require users to link the same account manually again).

Maybe pictures would help. The diagram below would give a high-level understanding of how the current user search works with federation providers:

[inline image]

Contrast this with the current social auth user lookup process like this (example using Github, but any social auth provider really):

[inline image]

When the IDP swaps the auth code for the access token and is able to view the user's third party information (userId, name, etc), this information is referenced against the Keycloak database *only*. I'd ideally like to be able to consult an external lookup in order to see if something else was capable of associating this third party information with a Keycloak UserModel. I was wondering if a flow similar to the user's federation provider flow would be possible - something like this:

[inline image]

Would extending Keycloak to include an SPI for this be an option? Thoughts?

I looked at simply altering/delegating one of the existing UserProvider implementations, but it just feels wrong.

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Wed, Aug 3, 2016 at 8:35 PM,  Bill Burke wrote:
> Huh? I don't understand.
>
> On 8/3/16 8:19 PM, Josh Cain wrote:
>
> Hi all,
>
> I'm in a situation in which I need to consult an external source of truth
> in order to pull social auth credentials (outside the Keycloak database).
> I'd ideally like something functionally equivalent to the
> UserFederationProvider, in which another source outside the user store is
> consulted for this information. Is anything like that currently supported?
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat*
> +1 843-737-1735
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/4a40c4a0/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: federatedlogicalflow.png
Type: image/png
Size: 40225 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/4a40c4a0/attachment-0003.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: federatedsocialauthflow.png
Type: image/png
Size: 44930 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/4a40c4a0/attachment-0004.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: currentsocialauthflow.png
Type: image/png
Size: 27391 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/4a40c4a0/attachment-0005.png

From josh.cain at redhat.com Thu Aug 4 09:43:26 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Thu, 4 Aug 2016 08:43:26 -0500
Subject: [keycloak-user] Is failing to DB possible for Federated Users?
In-Reply-To:
References:
Message-ID:

More like if the provider is down/unavailable. Our lower environments are subject to frequent refreshes/redeploys and our Keycloak IDP being down can really block a good deal of testing there.

So more specifically, on the validateAndProxy function:

    protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
        UserModel managed = managedUsers.get(user.getId());
        if (managed != null) {
            return managed;
        }

        UserFederationProvider link = getFederationLink(realm, user);
        if (link != null) {
            UserModel validatedProxyUser = link.validateAndProxy(realm, user);
            if (validatedProxyUser != null) {
                managedUsers.put(user.getId(), validatedProxyUser);
                return validatedProxyUser;
            } else {
                deleteInvalidUser(realm, user);
                return null;
            }
        }
        return user;
    }

This deletion/null return overrides any user information that might have been retrieved from the KC database (i.e. in getById):

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        UserModel user = session.userStorage().getUserById(id, realm);
        if (user != null) {
            user = validateAndProxyUser(realm, user); // overrides valid user with 'null'
        }
        return user;
    }

I'm just wanting a way to be able to say 'if *null* is returned here by the validateAndProxy method, just use the user from userStorage()'

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke wrote:
> Not sure what you mean. If the provider is not deployed?
>
> On 8/3/16 9:00 PM, Josh Cain wrote:
>
> Hi all,
>
> I'm using a Keycloak implementation in which the majority of our users come
> from a UserFederationProvider. However, I'd ideally like to be able to
> fall back to the Keycloak database when this provider is unavailable. Is
> it possible to do so?
>
> I looked around at the codebase and UserFederationManager seems to be
> where I'd like to change (namely the validateAndProxyUser
> method). Is there any way to extend this with our own behavior? Looks
> like that particular implementation is hard-coded into the KeycloakSession
> interface.
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat*
> +1 843-737-1735
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/48d8b93a/attachment.html

From mposolda at redhat.com Thu Aug 4 09:46:38 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 4 Aug 2016 15:46:38 +0200
Subject: [keycloak-user] Is failing to DB possible for Federated Users?
In-Reply-To:
References:
Message-ID: <57A3473E.90309@redhat.com>

On 04/08/16 15:43, Josh Cain wrote:
> More like if the provider is down/unavailable. Our lower environments
> are subject to frequent refreshes/redeploys and our Keycloak IDP being
> down can really block a good deal of testing there.
>
> So more specifically, on the validateAndProxy function:
>
>     protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
>         UserModel managed = managedUsers.get(user.getId());
>         if (managed != null) {
>             return managed;
>         }
>
>         UserFederationProvider link = getFederationLink(realm, user);
>         if (link != null) {
>             UserModel validatedProxyUser = link.validateAndProxy(realm, user);
>             if (validatedProxyUser != null) {
>                 managedUsers.put(user.getId(), validatedProxyUser);
>                 return validatedProxyUser;
>             } else {
>                 deleteInvalidUser(realm, user);
>                 return null;
>             }
>         }
>         return user;
>     }
>
> This deletion/null return overrides any user information that might
> have been retrieved from the KC database (i.e. in getById):
>
>     @Override
>     public UserModel getUserById(String id, RealmModel realm) {
>         UserModel user = session.userStorage().getUserById(id, realm);
>         if (user != null) {
>             user = validateAndProxyUser(realm, user); // overrides valid user with 'null'
>         }
>         return user;
>     }
>
> I'm just wanting a way to be able to say 'if /null/ is returned here
> by the validateAndProxy method, just use the user from userStorage()'

You can return from your validateAndProxy just the local user, which was given as argument then?

Marek

> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat* +1 843-737-1735
>
> On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke wrote:
>
>     Not sure what you mean. If the provider is not deployed?
>
>     On 8/3/16 9:00 PM, Josh Cain wrote:
>>    Hi all,
>>    I'm using a Keycloak implementation in which the majority of our
>>    users come from a UserFederationProvider. However, I'd ideally
>>    like to be able to fall back to the Keycloak database when this
>>    provider is unavailable. Is it possible to do so?
>>    I looked around at the codebase and UserFederationManager seems
>>    to be where I'd like to change (namely the validateAndProxyUser
>>    method). Is there any way to extend this with our own behavior?
>>    Looks like that particular implementation is hard-coded into the
>>    KeycloakSession interface.
>>    Josh Cain | Software Applications Engineer
>>    /Identity and Access Management/
>>    *Red Hat* +1 843-737-1735
>>
>>    _______________________________________________
>>    keycloak-user mailing list
>>    keycloak-user at lists.jboss.org
>>    https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160804/dd637f67/attachment.html

From bburke at redhat.com Thu Aug 4 09:47:26 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 4 Aug 2016 09:47:26 -0400
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
In-Reply-To:
References: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>
Message-ID:

So you basically want to choose which provider a social login (brokered login) gets imported into?

On 8/4/16 9:32 AM, Josh Cain wrote:
> We've got social auth data already in a data store, and other
> applications/enclaves also use that data store, so we'd like to keep
> it as a single source of truth (rather than point additional
> applications to the KC database, or require users to link the same
> account manually again).
>
> Maybe pictures would help. The diagram below would give a
> high-level understanding of how the current user search works with
> federation providers:
>
> [inline image]
>
> Contrast this with the current social auth user lookup process like
> this (example using Github, but any social auth provider really):
>
> [inline image]
> When the IDP swaps the auth code for the access token and is able to
> view the user's third party information (userId, name, etc), this
> information is referenced against the Keycloak database *only*. I'd
> ideally like to be able to consult an external lookup in order to see
> if something else was capable of associating this third party
> information with a Keycloak UserModel. I was wondering if a flow
> similar to the user's federation provider flow would be possible -
> something like this:
>
> [inline image]
>
> Would extending Keycloak to include an SPI for this be an option?
> Thoughts?
>
> I looked at simply altering/delegating one of the existing
> UserProvider implementations, but it just feels wrong.
>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735
>
> On Wed, Aug 3, 2016 at 8:35 PM, Bill Burke wrote:
>
>     Huh? I don't understand.
>
>     On 8/3/16 8:19 PM, Josh Cain wrote:
>>    Hi all,
>>
>>    I'm in a situation in which I need to consult an external source
>>    of truth in order to pull social auth credentials (outside the
>>    Keycloak database). I'd ideally like something functionally
>>    equivalent to the UserFederationProvider, in which another source
>>    outside the user store is consulted for this information. Is
>>    anything like that currently supported?
>>
>>    Josh Cain | Software Applications Engineer
>>    /Identity and Access Management/
>>    *Red Hat*
>>    +1 843-737-1735
>>
>>    _______________________________________________
>>    keycloak-user mailing list
>>    keycloak-user at lists.jboss.org
>>    https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
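Marek's suggestion in the "Is failing to DB possible for Federated Users?" thread above, written out: a UserFederationProvider.validateAndProxy() that returns the local user only when the backing store cannot be reached, and still returns null when the store answers that the user is gone. This is an added example, not Keycloak's code: lookupAndProxy() and StoreUnavailableException are hypothetical hooks a concrete provider would supply, and the interface's other methods are left to the subclass.

```java
import org.jboss.logging.Logger;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;

/**
 * Added example (not Keycloak code): validateAndProxy() with a "store unreachable" fallback.
 * Returning null from validateAndProxy makes UserFederationManager.validateAndProxyUser()
 * call deleteInvalidUser(), so an outage must be distinguished from "user no longer exists".
 */
public abstract class FallbackAwareFederationProvider implements UserFederationProvider {

    private static final Logger logger = Logger.getLogger(FallbackAwareFederationProvider.class);

    /** Hypothetical: thrown by lookupAndProxy() when the backing store (LDAP/AD, ...) cannot be contacted. */
    public static class StoreUnavailableException extends RuntimeException {
        public StoreUnavailableException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Hypothetical hook for the concrete provider: consult the backing store for {@code local}.
     *
     * @return the proxied user when the store still knows the user, or null when the store
     *         answered definitively that the user is gone
     * @throws StoreUnavailableException when the store could not be reached at all
     */
    protected abstract UserModel lookupAndProxy(RealmModel realm, UserModel local);

    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        try {
            // Normal path: the proxied user, or null => Keycloak removes the stale local copy.
            return lookupAndProxy(realm, local);
        } catch (StoreUnavailableException e) {
            // Outage path: hand back the locally imported user untouched so it is neither deleted
            // nor replaced. Trade-off to keep visible in the logs: disables or removals made in the
            // store during the outage are not seen until it is back, and credential checks that go
            // through the store (validCredentials) still fail meanwhile.
            logger.warnf(e, "Federation store unavailable; serving local copy of user '%s' in realm '%s'",
                    local.getUsername(), realm.getName());
            return local;
        }
    }
}
```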
From josh.cain at redhat.com Thu Aug 4 09:56:03 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Thu, 4 Aug 2016 08:56:03 -0500
Subject: [keycloak-user] Is failing to DB possible for Federated Users?
In-Reply-To: <57A3473E.90309@redhat.com>
References: <57A3473E.90309@redhat.com>
Message-ID:

[image: Inline image 2]

That would do it. Thanks Marek!

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Thu, Aug 4, 2016 at 8:46 AM, Marek Posolda wrote:
> On 04/08/16 15:43, Josh Cain wrote:
>> More like if the provider is down/unavailable. Our lower environments are
>> subject to frequent refreshes/redeploys and our Keycloak IDP being down can
>> really block a good deal of testing there.
>>
>> So more specifically, on the ValidateAndProxy function:
>>
>>     protected UserModel validateAndProxyUser(RealmModel realm, UserModel user) {
>>         UserModel managed = managedUsers.get(user.getId());
>>         if (managed != null) {
>>             return managed;
>>         }
>>
>>         UserFederationProvider link = getFederationLink(realm, user);
>>         if (link != null) {
>>             UserModel validatedProxyUser = link.validateAndProxy(realm, user);
>>             if (validatedProxyUser != null) {
>>                 managedUsers.put(user.getId(), validatedProxyUser);
>>                 return validatedProxyUser;
>>             } else {
>>                 // provider said "invalid" (or returned null for any reason):
>>                 // the locally imported user is removed
>>                 deleteInvalidUser(realm, user);
>>                 return null;
>>             }
>>         }
>>         return user;
>>     }
>>
>> This deletion/null return overrides any user information that might have
>> been retrieved from the KC database (i.e. in getById):
>>
>>     @Override
>>     public UserModel getUserById(String id, RealmModel realm) {
>>         UserModel user = session.userStorage().getUserById(id, realm);
>>         if (user != null) {
>>             user = validateAndProxyUser(realm, user); // overrides valid user with 'null'
>>         }
>>         return user;
>>     }
>>
>> I'm just wanting a way to be able to say 'if *null* is returned here by the
>> validateAndProxy method, just use the user from userStorage()'
>
> You can return from your validateAndProxy just the local user, which was
> given as argument then?
>
> Marek
>
>> Josh Cain | Software Applications Engineer
>> *Identity and Access Management*
>> *Red Hat* +1 843-737-1735
>>
>> On Wed, Aug 3, 2016 at 8:36 PM, Bill Burke wrote:
>>> Not sure what you mean. If the provider is not deployed?
>>>
>>> On 8/3/16 9:00 PM, Josh Cain wrote:
>>>> Hi all,
>>>>
>>>> I'm using a Keycloak implementation in which the majority of our users
>>>> come from a UserFederationProvider. However, I'd ideally like to be able
>>>> to fall back to the Keycloak database when this provider is unavailable.
>>>> Is it possible to do so?
>>>>
>>>> I looked around at the codebase and UserFederationManager seems to be
>>>> where I'd like to change (namely the validateAndProxyUser method). Is
>>>> there any way to extend this with our own behavior? Looks like that
>>>> particular implementation is hard-coded into the KeycloakSession
>>>> interface.
>>>>
>>>> Josh Cain | Software Applications Engineer
>>>> *Identity and Access Management*
>>>> *Red Hat* +1 843-737-1735

From josh.cain at redhat.com Thu Aug 4 09:59:10 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Thu, 4 Aug 2016 08:59:10 -0500
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
In-Reply-To:
References: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>
Message-ID:

Not 100% sure what that question is asking; I'd like to provide social auth credential -> Keycloak UserModel associations using another source than the Keycloak database.

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Thu, Aug 4, 2016 at 8:47 AM, Bill Burke wrote:
> So you basically want to choose which provider a social login (brokered
> login) gets imported into?
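The fallback Marek suggests in the "Is failing to DB possible for Federated Users?" thread above, worked through as an added example; this is not code from Keycloak or from anyone on the list. It assumes the Keycloak 2.0 UserFederationProvider SPI quoted in that thread; the package name, the StoreUnavailableException class and the remoteLookup/proxyValidated hooks are hypothetical, and the provider's other SPI methods are left to the concrete subclass.

```java
package example.federation; // hypothetical package, not part of Keycloak

import org.jboss.logging.Logger;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;

/**
 * Added example (not Keycloak code). A UserFederationProvider base class whose
 * validateAndProxy() returns the locally imported user when the external store
 * cannot be reached, instead of returning null: as the quoted
 * validateAndProxyUser() shows, null makes UserFederationManager call
 * deleteInvalidUser() and drop the local copy.
 *
 * A concrete provider extends this class, implements the remaining SPI
 * methods, and supplies the two hooks below (both hooks are assumptions).
 */
public abstract class FallbackOnOutageFederationProvider implements UserFederationProvider {

    private static final Logger log =
            Logger.getLogger(FallbackOnOutageFederationProvider.class);

    /** Hypothetical: thrown by remoteLookup() when the store cannot be contacted. */
    public static class StoreUnavailableException extends RuntimeException {
        public StoreUnavailableException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Hook (assumed): look the user up in the external store. Returns null when
     * the store answers but no longer knows the user; throws
     * StoreUnavailableException when the store cannot be reached at all.
     */
    protected abstract UserModel remoteLookup(RealmModel realm, UserModel local);

    /**
     * Hook (assumed): wrap the local user in the provider's usual proxy, i.e.
     * what validateAndProxy() returns when the store is healthy.
     */
    protected abstract UserModel proxyValidated(RealmModel realm, UserModel local, UserModel remote);

    /** Whether a stale local copy may be served during an outage. Default: yes. */
    protected boolean fallbackToLocalDuringOutage() {
        return true;
    }

    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        UserModel remote;
        try {
            remote = remoteLookup(realm, local);
        } catch (StoreUnavailableException e) {
            if (!fallbackToLocalDuringOutage()) {
                // Strict mode: fail the lookup rather than trust a stale record.
                throw e;
            }
            // An outage is not a verdict on the user. Returning the argument keeps
            // UserFederationManager from deleting the import, which is what Marek
            // suggests. The copy may be stale (a user disabled upstream since the
            // last sync still looks enabled here), so log it at WARN for review.
            log.warnf("federation store unreachable; serving local copy of user %s in realm %s: %s",
                    local.getUsername(), realm.getName(), e.getMessage());
            return local;
        }
        if (remote == null) {
            // The store answered and the user is gone: that is a real "invalid"
            // verdict, so null is correct and the manager removes the local import.
            return null;
        }
        return proxyValidated(realm, local, remote);
    }
}
```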
From ushanas.shastri at viteos.com Thu Aug 4 10:05:36 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Thu, 4 Aug 2016 14:05:36 +0000
Subject: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
In-Reply-To: <4fe6acbf-2838-d9f8-46f0-dafccf4eefe2@redhat.com>
References: <4fe6acbf-2838-d9f8-46f0-dafccf4eefe2@redhat.com>
Message-ID: <878f8a83ecc74a5e92a1323833ed56c1@vitblrex2013.viteos.com>

Classification: INTERNAL

Not just when I manage Users.
Even in the Evaluation screen or in the User based Policy (any place we show a list of users), on page load, all users are fetched.

Even if users have to be queried from all providers, shouldn't we wait for the user to enter a search criteria, and only then query based on that search criteria? At the moment, if I have 1000 users in AD, on each page load 1000 users are fetched from AD, without even me attempting a search.

Regards,
Ushanas.

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Thursday, August 04, 2016 6:50 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.

You mean when you manage the users from the Admin Console? The searchbox is meant to be a general pattern and is equivalent to a LIKE clause in RDBMS. So this means all providers must be queried.

On 8/4/16 7:54 AM, Ushanas Shastri wrote:

Classification: INTERNAL

Hello,

We have Keycloak setup with SQL Server as a persistent store, and we have User Federation enabled with Microsoft Active Directory.

Why does Keycloak go back to querying AD on every page load (Manage -> Users or the Evaluate tab in Authorization)? Should it not get a list of users from the local SQL store only?

I'm seeing that on the page load, Keycloak gets a list of all users from AD. Considering we have a large number of users, this is time consuming. Don't know if it matters, but we do have an AD filter.

Regards,
Ushanas.

Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
From bburke at redhat.com Thu Aug 4 10:06:17 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 4 Aug 2016 10:06:17 -0400
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
In-Reply-To:
References: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>
Message-ID:

You want to be able to store account links within a different datastore.

On 8/4/16 9:59 AM, Josh Cain wrote:
> Not 100% sure what that question is asking; I'd like to provide social
> auth credential -> Keycloak UserModel associations using another
> source than the Keycloak database.
>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735

From josh.cain at redhat.com Thu Aug 4 10:14:52 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Thu, 4 Aug 2016 09:14:52 -0500
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
In-Reply-To:
References: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>
Message-ID:

Yes, I think we're on the same page now!

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Thu, Aug 4, 2016 at 9:06 AM, Bill Burke wrote:
> You want to be able to store account links within a different datastore.

From bburke at redhat.com Thu Aug 4 10:16:16 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 4 Aug 2016 10:16:16 -0400
Subject: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
In-Reply-To: <878f8a83ecc74a5e92a1323833ed56c1@vitblrex2013.viteos.com>
References: <4fe6acbf-2838-d9f8-46f0-dafccf4eefe2@redhat.com> <878f8a83ecc74a5e92a1323833ed56c1@vitblrex2013.viteos.com>
Message-ID:

Again, are you just talking about the Admin Console? Please list exactly what actions load thousands of users.

* In the admin console Users page, if you search for a user, LDAP will be queried once by username, email, or first+last name depending on the format of the search string.
* View All Users will *NOT* query LDAP. It will only show imported users, aka users that have already been imported from LDAP.

I'm not sure about the new Authorization stuff. Is this what you mean by the Evaluation screen or in the User based Policy?

On 8/4/16 10:05 AM, Ushanas Shastri wrote:
>
> Classification: INTERNAL
>
> Not just when I manage Users.
>
> Even in the Evaluation screen or in the User based Policy (any place
> we show a list of users), on page load, all users are fetched.
>
> Even if users have to be queried from all providers, shouldn't we wait
> for the user to enter a search criteria, and only then query based on
> that search criteria? At the moment, if I have 1000 users in AD, on
> each page load 1000 users are fetched from AD, without even me
> attempting a search.
>
> Regards, Ushanas.

From bburke at redhat.com Thu Aug 4 10:17:44 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 4 Aug 2016 10:17:44 -0400
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
In-Reply-To:
References: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>
Message-ID:

Ok, I'll have to add that to the roadmap. I'm currently creating a brand new user federation SPI. I was assuming account linking would be completely managed by keycloak.

On 8/4/16 10:14 AM, Josh Cain wrote:
> Yes, I think we're on the same page now!
>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735
>
> On Thu, Aug 4, 2016 at 9:06 AM, Bill Burke wrote:
>
>     You want to be able to store account links within a different
>     datastore.
From josh.cain at redhat.com Thu Aug 4 10:20:16 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Thu, 4 Aug 2016 09:20:16 -0500
Subject: [keycloak-user] External Source of Truth for Federated Identities (Social Auth)
References: <273c76d4-d04c-f085-f61e-03803e6d3ed1@redhat.com>

Cool, thanks Bill! We've got some upcoming integrations where this would be a huge win for us. I'd be happy to jump in and help if you have a specific change in mind, just let me know.

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Thu, Aug 4, 2016 at 9:17 AM, Bill Burke wrote:

> Ok, I'll have to add that to the roadmap. I'm currently creating a brand new user federation SPI. I was assuming account linking would be completely managed by keycloak.
>
> On 8/4/16 10:14 AM, Josh Cain wrote:
>
> Yes, I think we're on the same page now!
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat*
> +1 843-737-1735
>
> On Thu, Aug 4, 2016 at 9:06 AM, Bill Burke wrote:
>
>> You want to be able to store account links within a different datastore.
>>
>> On 8/4/16 9:59 AM, Josh Cain wrote:
>>
>> Not 100% sure what that question is asking; I'd like to provide social auth credential -> Keycloak UserModel associations using another source than the Keycloak database.
>>
>> Josh Cain | Software Applications Engineer
>> *Identity and Access Management*
>> *Red Hat*
>> +1 843-737-1735
>>
>> On Thu, Aug 4, 2016 at 8:47 AM, Bill Burke wrote:
>>
>>> So you basically want to choose which provider a social login (brokered login) gets imported into?
>>>
>>> On 8/4/16 9:32 AM, Josh Cain wrote:
>>>
>>> We've got social auth data already in a data store, and other applications/enclaves also use that data store, so we'd like to keep it as a single source of truth (rather than point additional applications to the KC database, or require users to link the same account manually again).
>>>
>>> Maybe pictures would help. The diagram below gives a high-level understanding of how the current user search works with federation providers:
>>>
>>> [inline image]
>>>
>>> Contrast this with the current social auth user lookup process, which looks like this (example using Github, but any social auth provider really):
>>>
>>> [inline image]
>>>
>>> When the IDP swaps the auth code for the access token and is able to view the user's third party information (userId, name, etc), this information is referenced against the Keycloak database *only*. I'd ideally like to be able to consult an external lookup in order to see if something else was capable of associating this third party information with a Keycloak UserModel. I was wondering if a flow similar to the user federation provider flow would be possible - something like this:
>>>
>>> [inline image]
>>>
>>> Would extending Keycloak to include an SPI for this be an option? Thoughts?
>>>
>>> I looked at simply altering/delegating one of the existing UserProvider implementations, but it just feels wrong.
>>>
>>> Josh Cain | Software Applications Engineer
>>> *Identity and Access Management*
>>> *Red Hat*
>>> +1 843-737-1735
>>>

From ushanas.shastri at viteos.com Thu Aug 4 10:31:56 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Thu, 4 Aug 2016 14:31:56 +0000
Subject: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
References: <4fe6acbf-2838-d9f8-46f0-dafccf4eefe2@redhat.com> <878f8a83ecc74a5e92a1323833ed56c1@vitblrex2013.viteos.com>
Message-ID: <199e1d7e3adf45dc8ef85b378bebfed8@vitblrex2013.viteos.com>

Classification: INTERNAL

I meant the Authorization features that have an auto-complete search on pages like Evaluate (under Authorization) and Add Policy User Based. For e.g.

[cid:image001.png at 01D1EE8A.A1B86990]

If I just access this page, without initiating a search by typing something in Users, a call is made to /auth/admin/realms/servlet-authz/users, which loads all users. Here's a snippet of the response which shows 898 users returned.

[cid:image002.png at 01D1EE8A.DE2EC680]

I believe this user data should be fetched only based on a search criteria, and that too from the SQL cache, instead of going to AD.

Regards,
Ushanas.

From: Bill Burke [mailto:bburke at redhat.com]
Sent: Thursday, August 04, 2016 7:46 PM
To: Ushanas Shastri; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.

Again, are you just talking about the Admin Console? Please list exactly what actions load thousands of users.

* In the admin console Users page, if you search for a user, LDAP will be queried once by username, email, or first+last name depending on the format of the search string.
* View All Users will *NOT* query LDAP. It will only show imported users, aka users that have already been imported from LDAP.

I'm not sure about the new Authorization stuff. Is this what you mean by the Evaluation screen or in the User based Policy?

On 8/4/16 10:05 AM, Ushanas Shastri wrote:

Classification: INTERNAL

Not just when I manage Users. Even in the Evaluation screen or in the User based Policy (any place we show a list of users), on page load, all users are fetched. Even if users have to be queried from all providers, shouldn't we wait for the user to enter a search criteria, and only then query based on that search criteria? At the moment, if I have 1000 users in AD, on each page load 1000 users are fetched from AD, without even me attempting a search.

Regards,
Ushanas.

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Thursday, August 04, 2016 6:50 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.

You mean when you manage the users from the Admin Console? The searchbox is meant to be a general pattern and is equivalent to a LIKE clause in RDBMS. So this means all providers must be queried.

On 8/4/16 7:54 AM, Ushanas Shastri wrote:

Classification: INTERNAL

Hello,

We have Keycloak set up with SQL Server as a persistent store, and we have User Federation enabled with Microsoft Active Directory. Why does Keycloak go back to querying AD on every page load (Manage -> Users or the Evaluate tab in Authorization)? Should it not get a list of users from the local SQL store only? I'm seeing that on the page load, Keycloak gets a list of all users from AD. Considering we have a large number of users, this is time consuming. Don't know if it matters, but we do have an AD filter.

Regards,
Ushanas.

Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

From psilva at redhat.com Thu Aug 4 10:33:49 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 4 Aug 2016 10:33:49 -0400 (EDT)
Subject: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
References: <4fe6acbf-2838-d9f8-46f0-dafccf4eefe2@redhat.com> <878f8a83ecc74a5e92a1323833ed56c1@vitblrex2013.viteos.com>
Message-ID: <592096791.23700608.1470321229983.JavaMail.zimbra@redhat.com>

Regarding the AuthZ UI, I've created https://issues.jboss.org/browse/KEYCLOAK-3398. For the user policy, we are loading *all* users when the page is loaded. I will fix this and also other parts of the UI where data is being eager loaded.

----- Original Message -----
From: "Bill Burke"
To: "Ushanas Shastri", keycloak-user at lists.jboss.org
Sent: Thursday, August 4, 2016 11:16:16 AM
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
Again, are you just talking about the Admin Console? Please list exactly what actions load thousands of users.

* In the admin console Users page, if you search for a user, LDAP will be queried once by username, email, or first+last name depending on the format of the search string.
* View All Users will *NOT* query LDAP. It will only show imported users, aka users that have already been imported from LDAP.

I'm not sure about the new Authorization stuff. Is this what you mean by the Evaluation screen or in the User based Policy?

From ushanas.shastri at viteos.com Thu Aug 4 10:42:46 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Thu, 4 Aug 2016 14:42:46 +0000
Subject: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.
In-Reply-To: <592096791.23700608.1470321229983.JavaMail.zimbra@redhat.com>
References: <4fe6acbf-2838-d9f8-46f0-dafccf4eefe2@redhat.com> <878f8a83ecc74a5e92a1323833ed56c1@vitblrex2013.viteos.com> <592096791.23700608.1470321229983.JavaMail.zimbra@redhat.com>
Message-ID: <5e02240b305d4b96b3b7ba14d99f3cb0@vitblrex2013.viteos.com>

Classification: INTERNAL

Thank you.

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Thursday, August 04, 2016 8:04 PM
To: Bill Burke
Cc: Ushanas Shastri; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.

Regarding the AuthZ UI, I've created https://issues.jboss.org/browse/KEYCLOAK-3398. For the user policy, we are loading *all* users when the page is loaded. I will fix this and also other parts of the UI where data is being eager loaded.

----- Original Message -----
From: "Bill Burke"
To: "Ushanas Shastri", keycloak-user at lists.jboss.org
Sent: Thursday, August 4, 2016 11:16:16 AM
Subject: Re: [keycloak-user] Keycloak goes to AD to fetch users every page load, does not use local store.

Again, are you just talking about the Admin Console?
Please list exactly what actions load thousands of users.

* In the admin console Users page, if you search for a user, LDAP will be queried once by username, email, or first+last name depending on the format of the search string.
* View All Users will *NOT* query LDAP. It will only show imported users, aka users that have already been imported from LDAP.

I'm not sure about the new Authorization stuff. Is this what you mean by the Evaluation screen or in the User based Policy?

From luigi.demasi at extrasys.it Thu Aug 4 12:36:30 2016
From: luigi.demasi at extrasys.it (Luigi De Masi)
Date: Thu, 4 Aug 2016 18:36:30 +0200
Subject: [keycloak-user] CXF Keycloak Admin Client

Hi,

I'm working on a Spring Boot + Fuse Integration Services project that uses CXF to expose RESTful web services and the KC admin client to manage users in a realm. I had some issues (that I was expecting...) running CXF servers and the RESTEasy KC admin client together, so I decided to remove all RESTEasy/JBoss dependencies from the KC client and adapt the code to use CXF as the JAX-RS implementation. It works quite well with very few changes, so I decided to share it on my GitHub in case someone else is in the same situation as me or prefers CXF over RESTEasy.
https://github.com/luigidemasi/keycloak-cxf-admin-client

I'm also thinking about adding OSGi support to have the possibility to deploy it in Karaf, and maybe a Camel component as well.

Regards.

--
Luigi De Masi

*"Talk is cheap. Show me the code."*
* -- Linus Torvalds*

--
------------------------------
Extra srl
p: +39 0587975800
a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy
w: www.extrasrl.it
e: info at extrasys.it

The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

From ushanas.shastri at viteos.com Thu Aug 4 14:54:02 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Thu, 4 Aug 2016 18:54:02 +0000
Subject: [keycloak-user] Authorization services: Trying to model authz for a typical application.

Classification: INTERNAL

Hello,

I've been looking at all the Authz examples with 2.1.0 CR1, and I've been trying to fit/model them for my application. Let's say there's a feature in an application to process loan applications.
Possible actions on a loan application are to view, edit, approve or reject them. However, users can take specific actions on applications based on the geographical zone in which requests are raised. For e.g.

User A can view applications across all Zones, but approve or reject applications only if they are from Zone A.
User B can only view applications from Zone B, and cannot do anything else.
User C can do all actions for all Zones.

In the authorization tab, Loan Application is created as a resource, with scopes created for each action (view/edit/approve/reject). Scope based Permissions are created for each scope, and are attached to a policy. Now the policy is where I'd like to implement the check on the zone. I could create each Zone as a group or as a client role. I chose to create a client role for each Zone.

Now, if user A logs in to the application, I have a screen where they can search for applications to view/process. User A should get to see a list of all applications, since he has view access to all, but only process

When I request an authorization through the entitlement API, the response tells me that Zone A and Zone B are the client roles, and view and approve and reject are allowed scopes, but does *not* say that the Zone B scope is only view, and the Zone A scopes are view, approve and reject. The response is a list of client roles and scopes (with resources), but does not link the client role to a resource-scope combination. I couldn't find a way to make individual requests (like: tell me what scopes are allowed for this resource, for this particular client role/group?)

As a result, I cannot use the idea of creating zones as either client roles or groups. How then do I model this in KeyCloak?

Thank you for reading the long example, and looking forward to a response!

Regards,
Ushanas.

From akaya at expedia.com Thu Aug 4 20:17:39 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Fri, 5 Aug 2016 00:17:39 +0000
Subject: [keycloak-user] Handling SuspectExceptions in Keycloak
In-Reply-To: <57A30FD8.1060800@redhat.com>
References: <035C5A88-0C9C-4D44-A83D-4A227AFF48B6@expedia.com> <579FA3E7.4000809@redhat.com> <510A5664-A01D-4494-8188-51084A6CF946@expedia.com> <57A30FD8.1060800@redhat.com>

Hi Marek,

So the issue won't be fixed by Keycloak 2.3.0?

Sarp

From: Marek Posolda
Date: Thursday, August 4, 2016 at 7:50 PM
To: Abdullah Sarp, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Handling SuspectExceptions in Keycloak

Hmm... so according to https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem it seems that you're right. It's not easily possible to add the interceptor through the infinispan subsystem :/

As a workaround, you can probably try to do it programmatically. You may need to create your own InfinispanConnectionProviderFactory and configure it in keycloak-server.json.
It can override DefaultInfinispanConnectionProviderFactory and add the interceptor programmatically to the realms and users caches. Sorry, I don't have a better proposal to avoid this issue right now :( We likely need to wait until https://issues.jboss.org/browse/ISPN-6857 is fixed...

Marek

On 02/08/16 06:32, Sarp Kaya wrote:

Hi Marek,

How do I add the StateTransferInterceptor to the standalone.xml? Isn't that only doable programmatically?

Thanks,
Sarp

From: Marek Posolda
Date: Tuesday, August 2, 2016 at 5:32 AM
To: Abdullah Sarp, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Handling SuspectExceptions in Keycloak

See KC issue [1] and related infinispan issue [2]. The workaround is to add the StateTransferInterceptor to the proper place in the chain for the "realms" and "users" caches. See how I did it programmatically. I think that based on that, you should be able to add it to the infinispan subsystem as well.

[1] https://issues.jboss.org/browse/KEYCLOAK-3306
[2] https://issues.jboss.org/browse/ISPN-6857

Marek

On 28/07/16 11:53, Sarp Kaya wrote:

Hello,

There is already an existing bug report for Infinispan here: https://issues.jboss.org/browse/ISPN-6721

Currently for Keycloak, if this exception is thrown then it sends an Internal Server Error page to the browser. Essentially what would be really good is that it sends the user back to the login page instead of displaying Internal Server Error.

This happens when I am consistently sending login and logout requests (around 40 req/s) to two Keycloak instances (let's call them kc1 and kc2), and then one new Keycloak instance, kc3, is started. kc3 connects to kc1 and kc2 in clustering mode.
Now kc1 receives a new request (such as a login) and, while it is processing that, kc3 is gracefully shut down, including the cache, with this log:

2016-07-28 09:15:53,656 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions cache from keycloak container

Just shortly after that (6 ms), kc1 throws an exception like this:

2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default task-48) UT005023: Exception handling request to /auth/realms/{realm}/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 175, got 176
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415)

Then shortly after (150 ms), kc1 wants to talk to kc3 and fails to do so with this exception:

2016-07-28 09:15:53,804 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-54) ISPN000136: Error executing command RemoveCommand, writing keys [f9bde276-dd03-41c9-995b-b1aaf64c1489]: org.infinispan.remoting.transport.jgroups.SuspectException: Cache not running on node kc3
    at org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:763)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.RspListFuture.futureDone(RspListFuture.java:31)
    at org.jgroups.blocks.Request.checkCompletion(Request.java:169)
    at org.jgroups.blocks.GroupRequest.viewChange(GroupRequest.java:261)
    at org.jgroups.blocks.RequestCorrelator.receiveView(RequestCorrelator.java:331)
    at org.jgroups.blocks.RequestCorrelator.receive(RequestCorrelator.java:242)
    at org.jgroups.blocks.MessageDispatcher$ProtocolAdapter.up(MessageDispatcher.java:684)
    at org.jgroups.JChannel.up(JChannel.java:738)
    at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:123)
    at org.jgroups.stack.Protocol.up(Protocol.java:374)
    at org.jgroups.protocols.FORK.up(FORK.java:118)
    at org.jgroups.protocols.FRAG2.up(FRAG2.java:165)
    at org.jgroups.protocols.FlowControl.up(FlowControl.java:394)
    at org.jgroups.protocols.ENCRYPT.up(ENCRYPT.java:454)
    at org.jgroups.protocols.pbcast.GMS.installView(GMS.java:735)
    at org.jgroups.protocols.pbcast.ParticipantGmsImpl.handleViewChange(ParticipantGmsImpl.java:140)
    at org.jgroups.protocols.pbcast.GMS.up(GMS.java:922)
    at org.jgroups.stack.Protocol.up(Protocol.java:412)
    at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:294)
    at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:474)
    at org.jgroups.protocols.pbcast.NAKACK2.deliverBatch(NAKACK2.java:982)
    at org.jgroups.protocols.pbcast.NAKACK2.removeAndPassUp(NAKACK2.java:912)
    at org.jgroups.protocols.pbcast.NAKACK2.handleMessage(NAKACK2.java:846)
    at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:618)
    at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:155)
    at org.jgroups.protocols.FD.up(FD.java:260)
    at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:310)
    at org.jgroups.protocols.MERGE3.up(MERGE3.java:285)
    at org.jgroups.protocols.Discovery.up(Discovery.java:295)
    at org.jgroups.protocols.TP.passMessageUp(TP.java:1577)
> >     at org.jgroups.protocols.TP$MyHandler.run(TP.java:1796)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> >
> > The key that it tries to write is the user-id. After this, the browser receives an Internal Server Error page, which looks like this in HTML:
> >
> > Error
> > Internal Server Error
> >
> > I have configured my infinispan cache settings as follows (the rest are default):
> >
> > I have tried many things (such as playing with owner counts or instance counts etc.). It does not seem to fix this exception. I am well aware that this seems more an Infinispan issue than a Keycloak one, but I believe that Keycloak at least should respond to the end user with a better error message (perhaps a "login again" page) rather than an Internal Server Error page. Could you please handle this exception?
> >
> > Kind Regards,
> > Sarp Kaya
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From fmontadamt at gmail.com Thu Aug 4 22:51:14 2016
From: fmontadamt at gmail.com (Francisco Montada)
Date: Thu, 4 Aug 2016 19:51:14 -0700
Subject: [keycloak-user] Access to Keycloak collection and collection clean up issue

Hi team,

We are using Keycloak and we are facing two issues that we do not know why are happening.

1. We are using the same database to save Keycloak and our app information; we have a Spring Boot and MongoDB environment, so we have direct access from our application level to the Keycloak collections. We had noticed that if we change any value in a Keycloak collection from the DB or from our app level, it is not reflected in Keycloak. Does Keycloak have some security validation for data that is not saved from the Admin console or API? Could it be related to caching?

2. For some reason our Keycloak collections are getting messed up after a period of time; what is happening is that the Master/Realm/Admin user password is getting cleaned up, and also the credentials for some of our users. Do you have any idea what is happening? Could it be related to the fact that we are adding extra values to the "user" collection?

Thanks
Francisco

From deepakgarg.garg at gmail.com Fri Aug 5 00:29:13 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Fri, 5 Aug 2016 09:59:13 +0530
Subject: [keycloak-user] Secure NodeJS APIs using keycloak

Hi,

I have created a Node.js REST API application. I want to secure my Node.js API layer using Keycloak.

Please suggest how I can achieve this.

What configuration do I need to do in the Keycloak admin console? E.g. under client -> access type, should it be public or bearer-only?

Thanks,
Deepak
From shivasaxena999 at gmail.com Fri Aug 5 02:54:58 2016
From: shivasaxena999 at gmail.com (Shiva Saxena)
Date: Fri, 5 Aug 2016 12:24:58 +0530
Subject: [keycloak-user] Secure NodeJS APIs using keycloak

Hi Deepak,

You can check this example on GitHub: https://github.com/keycloak/keycloak-nodejs-connect

In the admin console you will need to add a new application; it can be public or bearer-only, depending on whether your API will be called directly and request authentication, or whether it will be called from inside a pre-authenticated app that just passes the token previously obtained.

--
Best Regards
Shiva Saxena
Blog | Linkedin | StackOverflow

From deepakgarg.garg at gmail.com Fri Aug 5 03:32:14 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Fri, 5 Aug 2016 13:02:14 +0530
Subject: [keycloak-user] Secure NodeJS APIs using keycloak

Hi Shiva,

Thanks for the reply. I have already gone through this article.

I am especially looking for how to set the access type to bearer when using the API from another application and passing on the token. How do I pass the authentication token to the API, and how would Keycloak determine the same?

Also, I may need to change the keycloak.json as well based upon the access type.

Please suggest an example based upon the above requirement.

Thanks,
Deepak

From shivasaxena999 at gmail.com Fri Aug 5 03:37:47 2016
From: shivasaxena999 at gmail.com (Shiva Saxena)
Date: Fri, 5 Aug 2016 13:07:47 +0530
Subject: [keycloak-user] Secure NodeJS APIs using keycloak

Hi,

Do you mean how do you set the bearer token when calling the REST endpoint from the browser?

--
Best Regards
Shiva Saxena
Blog | Linkedin | StackOverflow
From William.Drescher at celum.com Fri Aug 5 03:45:51 2016
From: William.Drescher at celum.com (William Drescher [CELUM])
Date: Fri, 5 Aug 2016 07:45:51 +0000
Subject: [keycloak-user] Creating a temporary landing page
Message-ID: <0dd74d473e6e4c47a6587c3981e34520@EMEA-LNZ-EX01.werk3.local>

I have a use case that I'm attempting to accomplish with Keycloak, but I'm not sure it is possible/practical.

In our application we want to invite a user. This will cause the following steps to happen:

1. A user is created in Keycloak.
2. An email is sent to the user with a unique address to confirm their registration.
3. The registration page is created at that address.
4. Either the landing page is removed (registration cancelled), or the user goes to the registration page and confirms their registration with additional information.

Steps 1 and 2 are possible with existing functionality; I was planning on creating a custom event and then using the event SPI to handle the event, creating the user and sending the email.

I haven't been able to find a way to create a page reachable at an address. The authentication provider documentation allows me to create a .ftl template which I can display to the user through the context, but I was unable to find anything on displaying a page without an already existing user context.

I would appreciate suggestions as to how to approach this (or that it would be better to look at an implementation in the app itself instead).

Thanks,
Will
From mposolda at redhat.com Fri Aug 5 04:23:22 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 5 Aug 2016 10:23:22 +0200
Subject: [keycloak-user] Handling SuspectExceptions in Keycloak
In-Reply-To: <57A30FD8.1060800@redhat.com>
References: <035C5A88-0C9C-4D44-A83D-4A227AFF48B6@expedia.com> <579FA3E7.4000809@redhat.com> <510A5664-A01D-4494-8188-51084A6CF946@expedia.com> <57A30FD8.1060800@redhat.com>
Message-ID: <57A44CFA.8020704@redhat.com>

We need to wait for the infinispan fix here, so no idea :( An option is to work around it in Keycloak, but we are likely not going to do that, and will rather wait for it to be fixed directly in infinispan.

Marek

On 05/08/16 02:17, Sarp Kaya wrote:
> Hi Marek,
>
> So the issue won't be fixed by Keycloak 2.3.0?
>
> Sarp
>
> From: Marek Posolda
> Date: Thursday, August 4, 2016 at 7:50 PM
> To: Abdullah Sarp, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Handling SuspectExceptions in Keycloak
>
> Hmm... so according to https://docs.jboss.org/author/display/WFLY10/Infinispan+Subsystem it seems that you're right. It's not easily possible to add the interceptor through the infinispan subsystem :/
>
> As a workaround, you can probably try to do it programmatically. You may need to create your own InfinispanConnectionProviderFactory and configure it in keycloak-server.json. It can override DefaultInfinispanConnectionProviderFactory and add the interceptor programmatically to the realms and users caches. Sorry, I don't have a better proposal to avoid this issue right now :( We likely need to wait until https://issues.jboss.org/browse/ISPN-6857 is fixed...
>
> Marek

From deepakgarg.garg at gmail.com Fri Aug 5 04:45:57 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Fri, 5 Aug 2016 14:15:57 +0530
Subject: [keycloak-user] Secure NodeJS APIs using keycloak

I have created a REST API in Node.js and used the keycloak-connect npm package.
I have mapped the Node.js middleware with the Keycloak middleware and just put the keycloak.Protect() method inside the API method.

When the user is not logged in, it shows a login screen and asks for credentials. After login, it shows the result. But I don't want to show a login screen if the user is not already logged in. Instead of that I want to pass the token and get access based upon that token.

Do I need to do anything in the API code so that it will accept the user token?

I would like to use this API through a user interface and set the access type to bearer for this service in the Keycloak admin.

See the example:

    var express = require('express');
    var apiRoutes = express.Router();
    var User = require('../models/user');
    var jwt = require('jsonwebtoken');
    var faker = require('faker');
    var session = require('express-session');
    var Keycloak = require('keycloak-connect');
    var hogan = require('hogan-express');

    // the posted snippet used `app` without creating it
    var app = express();

    var memoryStore = new session.MemoryStore();

    // with no config argument keycloak-connect loads keycloak.json itself
    var keycloak = new Keycloak({store: memoryStore});

    app.use(session({
        secret: app.get('superSecret'),   // expects app.set('superSecret', ...) earlier
        resave: false,
        saveUninitialized: true,
        store: memoryStore
    }));

    app.use(keycloak.middleware({
        logout: '/logout',
        admin: '/'
    }));

    // keycloak.protect() without a role argument only requires an authenticated user
    app.get('/api/user', keycloak.protect(), function (req, res) {
        res.json({
            name: faker.name.findName(),
            email: faker.internet.email(),
            address: faker.address.streetAddress(),
            bio: faker.lorem.sentence(),
            image: faker.image.avatar()
        });
    });

Keycloak.json:

    {
      "realm" : "nodejs-example",
      "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
      "auth-server-url" : "http://xxxx:9090/auth",
      "ssl-required" : "external",
      "resource" : "nodejs-connect",
      "public-client" : true
    }

Thanks,
Deepak
From shivasaxena999 at gmail.com Fri Aug 5 04:57:01 2016
From: shivasaxena999 at gmail.com (Shiva Saxena)
Date: Fri, 5 Aug 2016 14:27:01 +0530
Subject: [keycloak-user] Secure NodeJS APIs using keycloak

Hi,

You will have to go to the Keycloak admin console and select your realm, then the resource, i.e. 'nodejs-connect', and change the access type to bearer-only.

Then you can send the "Bearer" header carrying the token in the HTTP request. If it fails, no login will be initiated (i.e. you will not be redirected to the login page).

--
Best Regards
Shiva Saxena
Blog | Linkedin | StackOverflow
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160805/cc4eccb1/attachment-0001.html From deepakgarg.garg at gmail.com Fri Aug 5 05:56:51 2016 From: deepakgarg.garg at gmail.com (Deepak Garg) Date: Fri, 5 Aug 2016 15:26:51 +0530 Subject: [keycloak-user] Secure NodeJS APIs using keycloak In-Reply-To: References: Message-ID: I did the same thing and defined a new client/resource called " nodejs-connect" and set the access type "bearer-only" . can you look into this below keycloak.json file. If I have specified whether it is correct? but when I am running my node server, it is throwing an error "SyntaxError: *Unexpected token u* at Object.parse (native) at Config.loadConfiguration (D:\Sample Projects\NodePrototypes\NodeSample\no de_modules\keycloak-connect\node_modules\keycloak-auth-utils\lib\config.js:53:23 ) at new Config (D:\Sample Projects\NodePrototypes\NodeSample\node_modules\key cloak-connect\node_modules\keycloak-auth-utils\lib\config.js:40:10) at new Keycloak (D:\Sample Projects\NodePrototypes\NodeSample\node_modules\k eycloak-connect\index.js:61:17)" *Keycloak.json:* { "realm" : "nodejs-example", "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNA DCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw 1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNab MaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", "auth-server-url" : "http://xxxx:9090/auth", "ssl-required" : "none", "resource" : "nodejs-connect", "enable-cors" : true, "credentials": { "secret": "6b620304-b4a9-4007-8701-d3abb3537598" } } On Fri, Aug 5, 2016 at 2:27 PM, Shiva Saxena wrote: > Hi, > > You will have to go to the keycloak admin console and select your realm > then the resource ie 'nodejs-connect' and change the access type to > bearer-only. > > Then you can send "Bearer" header having the token in the HttpRequest. If > it fails no login will be initiated(i.e you will not be redirected to the > login page). 
From lingvisa at gmail.com Sat Aug 6 01:35:27 2016
From: lingvisa at gmail.com (Ling)
Date: Fri, 5 Aug 2016 22:35:27 -0700
Subject: [keycloak-user] How to secure the application's root
Message-ID:

Hi, if I want to secure the root directory, namely, when I visit http://localhost:8080/myapp, it redirects me to the keycloak login page asking for credentials. How do I achieve that?

I modified the web.xml as follows, but it doesn't secure anything at all. I thought this should work with "/*", but it doesn't.

    Web Root
    /*
    KEYCLOAK
    bword

From lingvisa at gmail.com Sat Aug 6 01:52:48 2016
From: lingvisa at gmail.com (Ling)
Date: Fri, 5 Aug 2016 22:52:48 -0700
Subject: [keycloak-user] How to secure the application's root
In-Reply-To:
References:
Message-ID:

Please ignore this question, I just found that I need to add this line " user " to the section. Thank you.
From fmontadamt at gmail.com Sun Aug 7 01:32:30 2016
From: fmontadamt at gmail.com (Francisco Montada)
Date: Sat, 6 Aug 2016 22:32:30 -0700
Subject: [keycloak-user] Keycloak Spring Boot Adapter issue with Async calls
Message-ID:

Hi team,

We are having the same problem as the ticket below. We have async calls in our application, and our Spring Boot application is not working when we add the Keycloak Spring Boot adapter.

Ticket: https://issues.jboss.org/browse/KEYCLOAK-3188

ERROR
    "message": "Async support must be enabled on a servlet and for all filters involved in async request processing. This is done in Java code using the Servlet API or by adding \"true\" to servlet and filter declarations in web.xml.",

Does someone have an idea how we can fix it?

Thanks
Francisco

From shortname at yandex.ru Sun Aug 7 07:26:36 2016
From: shortname at yandex.ru (shortname)
Date: Sun, 7 Aug 2016 14:26:36 +0300
Subject: [keycloak-user] Tomee 7.0.1 with Keycloak adapter throw NullPointerException
Message-ID: <74eb1a48-77da-bffc-799f-9e01b82c3990@yandex.ru>

Hello,

I have a JAX-RS service secured by Keycloak. It works fine on Wildfly 8-10 and Glassfish 4.
But on Tomee 7.0.1 async methods throw a NullPointerException (sync works fine). I have created a simple project to test the sync/async + keycloak combinations on tomee 7.0.1, and here are the results:

1. no keycloak + sync = ok
2. no keycloak + async = ok
3. keycloak + sync = ok
4. keycloak + async = error

Method signature sample:

    @GET
    public void findAll(@Suspended AsyncResponse response)

Exception stacktrace:

    java.lang.NullPointerException
        org.apache.cxf.jaxrs.impl.AsyncResponseImpl.initContinuation(AsyncResponseImpl.java:305)
        org.apache.cxf.jaxrs.impl.AsyncResponseImpl.(AsyncResponseImpl.java:68)
        org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameter(JAXRSUtils.java:816)
        org.apache.cxf.jaxrs.utils.JAXRSUtils.processParameters(JAXRSUtils.java:789)
        org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:212)
        org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)
        org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:254)
        org.apache.openejb.server.cxf.rs.CxfRsHttpListener.doInvoke(CxfRsHttpListener.java:251)
        org.apache.tomee.webservices.CXFJAXRSFilter.doFilter(CXFJAXRSFilter.java:94)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        org.apache.openejb.server.httpd.EEFilter.doFilter(EEFilter.java:65)

    private void initContinuation() {
        ContinuationProvider provider = (ContinuationProvider) this.inMessage.get(ContinuationProvider.class.getName());
        this.cont = provider.getContinuation();   // highlighted line where the NPE is thrown
        this.initialSuspend = true;
    }

How can this issue be resolved? Maybe this is a tomcat adapter bug?

Best regards, Ilia
From sblanc at redhat.com Sun Aug 7 07:52:16 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sun, 7 Aug 2016 13:52:16 +0200
Subject: [keycloak-user] Tomee 7.0.1 with Keycloak adapter throw NullPointerException
In-Reply-To: <74eb1a48-77da-bffc-799f-9e01b82c3990@yandex.ru>
References: <74eb1a48-77da-bffc-799f-9e01b82c3990@yandex.ru>
Message-ID:

Looks like the same issue that was reported this morning on the mailing list, and a ticket was created: https://issues.jboss.org/browse/KEYCLOAK-3188
From fmontadamt at gmail.com Mon Aug 8 00:09:07 2016
From: fmontadamt at gmail.com (Francisco Montada)
Date: Sun, 7 Aug 2016 21:09:07 -0700
Subject: [keycloak-user] Keycloak theme migration to new versions
Message-ID:

Hi team,

We created a new theme for our login page on Keycloak version 1.9.8.Final, but now we want to upgrade Keycloak to the latest 2.0.0.Final. The question is, can we just copy our theme to the new version, or do we need to change something else to make it work?

Thanks
Francisco

From deepakgarg.garg at gmail.com Mon Aug 8 01:03:12 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Mon, 8 Aug 2016 10:33:12 +0530
Subject: [keycloak-user] Secure NodeJS API using keycloak - how to authenticate using bearer access type
Message-ID:

I have created a REST API in Node.js and used the keycloak-connect npm package. I have mapped the Node.js middleware with the keycloak middleware and just put the keycloak.protect() method inside the API method.

When the user is not logged in, it shows a login screen and asks for credentials. After login, it shows the result. But I don't want to show a login screen if the user is not already logged in. Instead of that, I want to pass the token and get access based upon that token.

Do I need to do anything in the API code so that it will accept the user token?

I would like to use this API through the user interface and set the access type to bearer for this service in the keycloak admin.
See the example:

    var express = require('express');
    var apiRoutes = express.Router();
    var User = require('../models/user');
    var jwt = require('jsonwebtoken');
    var faker = require('faker');
    var session = require('express-session');
    var Keycloak = require('keycloak-connect');
    var hogan = require('hogan-express');

    var app = express();   // the app must exist before the app.use() calls below

    var memoryStore = new session.MemoryStore();

    // keycloak-connect keeps its grant in the same session store
    var keycloak = new Keycloak({store: memoryStore});

    app.use(session({
      secret: app.get('superSecret'),
      resave: false,
      saveUninitialized: true,
      store: memoryStore
    }));

    app.use(keycloak.middleware({
      logout: '/logout',
      admin: '/'
    }));

    // keycloak.protect() guards this route
    app.get('/api/user', keycloak.protect(), function (req, res) {
      res.json({
        name: faker.name.findName(),
        email: faker.internet.email(),
        address: faker.address.streetAddress(),
        bio: faker.lorem.sentence(),
        image: faker.image.avatar()
      });
    });

Keycloak.json:

    {
      "realm" : "nodejs-example",
      "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
      "auth-server-url" : "http://xxxx:9090/auth",
      "ssl-required" : "external",
      "resource" : "nodejs-connect",
      "public-client" : true
    }

Thanks,
Deepak

From sblanc at redhat.com Mon Aug 8 03:04:56 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 8 Aug 2016 09:04:56 +0200
Subject: [keycloak-user] Secure NodeJS API using keycloak - how to authenticate using bearer access type
In-Reply-To:
References:
Message-ID:

Hi,

Is your NodeJS app just a REST backend without any frontend? In this case you should put "bearer-only: true", and then it is the responsibility of your frontend or any other service to pass the token to your REST service.
Sebi

From deepakgarg.garg at gmail.com Mon Aug 8 03:13:20 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Mon, 8 Aug 2016 12:43:20 +0530
Subject: [keycloak-user] Secure NodeJS API using keycloak - how to authenticate using bearer access type
In-Reply-To:
References:
Message-ID:

Hi Sebi,

I did the same thing and defined a new client/resource called "nodejs-connect" and set the access type to "bearer-only". But when I run my node server, it throws this error:

    SyntaxError: Unexpected token u
        at Object.parse (native)
        at Config.loadConfiguration (D:\Sample Projects\NodePrototypes\NodeSample\node_modules\keycloak-connect\node_modules\keycloak-auth-utils\lib\config.js:53:23)
        at new Config (D:\Sample Projects\NodePrototypes\NodeSample\node_modules\keycloak-connect\node_modules\keycloak-auth-utils\lib\config.js:40:10)
        at new Keycloak (D:\Sample Projects\NodePrototypes\NodeSample\node_modules\keycloak-connect\index.js:61:17)

Can you look at the keycloak.json file below and tell me whether what I have specified is correct?
Keycloak.json

    {
      "realm": "nodejs-example",
      "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtvV0qb8+A0pxKoRpToHhc6srY4PyoX/pwgmR7HyV0PeUw/DgyyCI1Wmvw3T15kWw7Q84gX8IL0wDNtfmbhMPmz5umVeul3LzacjU9qfDqG96Wirn7+5Je1VieH5wRX3mtyQ2TboRVpjFD0fwd063FYOtCynfDSS0Uo6YgjWs8QwIDAQAB",
      "bearer-only": true,
      "auth-server-url": "http://localhost:9090/auth",
      "ssl-required": "none",
      "resource": nodejs-connect",
      "enable-cors" : true,
      "credentials": {
        "secret": "6b620304-b4a9-4007-8701-d3abb3537598"
      }
    }

Thanks,
Deepak

On Mon, Aug 8, 2016 at 12:34 PM, Sebastien Blanc wrote:
> Hi,
>
> Is your NodeJS app just a REST backend without any frontend ? In this case
> you should put "bearer-only: true" and then it is the responsibility of
> your frontend or any other service to pass the token to your rest service.
>
> Sebi
From niko at n-k.de Mon Aug 8 03:18:28 2016
From: niko at n-k.de (Niko Köbler)
Date: Mon, 8 Aug 2016 09:18:28 +0200
Subject: [keycloak-user] Keycloak theme migration to new versions
In-Reply-To:
References:
Message-ID:

Hi Francisco,

this should work without any adjustments to the theme.
I just migrated one of my customers to 2.x and everything went fine - with themes, providers and all the data. :-)

Cheers,
- Niko

From sblanc at redhat.com Mon Aug 8 03:24:57 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 8 Aug 2016 09:24:57 +0200
Subject: [keycloak-user] Secure NodeJS API using keycloak - how to authenticate using bearer access type
In-Reply-To:
References:
Message-ID:

Well, in the latest keycloak.json you pasted, a " is missing on the line:

    "resource": nodejs-connect",
From fmontadamt at gmail.com Mon Aug 8 03:34:55 2016
From: fmontadamt at gmail.com (Francisco Montada)
Date: Mon, 8 Aug 2016 00:34:55 -0700
Subject: [keycloak-user] Keycloak theme migration to new versions
In-Reply-To:
References:
Message-ID:

Hi Niko,

Thanks for your reply ...

Francisco

From kevin.thorpe at p-i.net Mon Aug 8 07:17:22 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Mon, 8 Aug 2016 12:17:22 +0100
Subject: [keycloak-user] Inifnispan problems upgrading 1.7.0.Final to 2.0.0.Final
Message-ID:

Hi,

I'm having problems upgrading from 1.7.0.Final to 2.0.0.Final.
I'm using the Docker images, on which we build our own images to add https with our certs, our theme and a small patch to match our LDAP configuration. The new image of 2.0.0 works fine with a brand new database but doesn't start up with the existing database. Do I need to upgrade via an earlier release to modify the db?

I've attached the startup logs. I don't know enough to see what's wrong.

Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344
150 Buckingham Palace Road, London, SW1W 9TR, UK

SAVE PAPER - THINK BEFORE YOU PRINT!

____________________________________________________________________

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
From shivasaxena999 at gmail.com Mon Aug 8 08:27:09 2016
From: shivasaxena999 at gmail.com (Shiva Saxena)
Date: Mon, 8 Aug 2016 17:57:09 +0530
Subject: [keycloak-user] Inifnispan problems upgrading 1.7.0.Final to 2.0.0.Final
In-Reply-To:
References:
Message-ID:

Hi,

You can try setting the "databaseSchema" to "update" in "connectionsJpa".

Here is the migration guide doc URL:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/MigrationFromOlderVersions.html
If you are not the named addressee you should not > disseminate, distribute or copy this e-mail. Please notify the sender > immediately by e-mail if you have received this e-mail by mistake and > delete this e-mail from your system. If you are not the intended recipient > you are notified that disclosing, copying, distributing or taking any > action in reliance on the contents of this information is strictly > prohibited. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Best Regards *Shiva Saxena* *Blog | Linkedin | StackOverflow * -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160808/f84c28ea/attachment.html From mposolda at redhat.com Mon Aug 8 08:48:56 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 8 Aug 2016 14:48:56 +0200 Subject: [keycloak-user] Inifnispan problems upgrading 1.7.0.Final to 2.0.0.Final In-Reply-To: References: Message-ID: <57A87FB8.5000308@redhat.com> From your logs, it seems the problem is related to migration infinispan caches. It looks that you don't have defined some of those caches in standalone.xml. Generally it's recommended to use Keycloak with keycloak-server distribution and upgrade process is like this: - You stop your Keycloak 1.7.0.Final server - You download the Keycloak-server 2.0.0.Final distribution and you just configure the DB ( datasource ) to point to same DB like previously was Keycloak 1.7.0 - You start Keycloak and liquibase make sure to upgrade your DB. Note that with this approach, you don't need to care about any changes, which was done in standalone.xml or keycloak-server.json or other files between Keycloak 1.7 or 2.0. Marek On 08/08/16 14:27, Shiva Saxena wrote: > Hi, > > You can try setting the "databaseSchema" to "update" in "connectionsJpa". 
> > Here is the migration guide doc URL > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/MigrationFromOlderVersions.html > > On Mon, Aug 8, 2016 at 4:47 PM, Kevin Thorpe > wrote: > > Hi, > I'm having problems upgrading from 1.7.0.Final to > 2.0.0.Final. I'm using the Docker images on which we build our own > images to add https with our certs, our theme and a small patch to > match our LDAP configuration. The new image of 2.0.0 works fine > with a brand new database but doesn't start up with the existing > database. Do I need to upgrade via an earlier release to modify > the db? > > I've attached the startup logs. I don't know enough to see what's > wrong. > > *Kevin Thorpe* > VP Enterprise Platform > > www.p-i.net | @PI_150 > > > *T: +44 (0)20 3005 6750 | > F: +44(0)20 7730 2635 | T: +44 > (0)808 204 0344 * > *150 Buckingham Palace Road, London, SW1W 9TR, UK* > > > *SAVE PAPER - THINK BEFORE YOU PRINT!* > > ____________________________________________________________________ > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom > they are addressed. If you have received this email in error > please notify the system manager. This message contains > confidential information and is intended only for the individual > named. If you are not the named addressee you should not > disseminate, distribute or copy this e-mail. Please notify the > sender immediately by e-mail if you have received this e-mail by > mistake and delete this e-mail from your system. If you are not > the intended recipient you are notified that disclosing, copying, > distributing or taking any action in reliance on the contents of > this information is strictly prohibited. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > Best Regards > *Shiva Saxena*** > *Blog | Linkedin > | StackOverflow > * > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160808/131c98af/attachment-0001.html From mposolda at redhat.com Mon Aug 8 08:58:48 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 8 Aug 2016 14:58:48 +0200 Subject: [keycloak-user] Access to Keyclaok collection and collection clean up issue In-Reply-To: References: Message-ID: <57A88208.30901@redhat.com> On 05/08/16 04:51, Francisco Montada wrote: > Hi team, we are using Keycloak and we are facing two issues that we do > not know why is happening > > 1. We are using the same Database to save Keycloak and our App > information, we have a Spring boot and MongoDB environment, so we have > access directly from our Application level to the Keycloak > collections, we had noticed that if we change any value on Keycloak > collection form the DB or from our app level it is no reflected on > Keycloak > > Does Keycloak have some security validation for data that are No saved > from the Admin or API ? > Could be related with Caching ? Yes, Keycloak has cache for user data. It's possible to disable it in keycloak admin console. > > 2. For some reason our Keycloak collections is getting mess up, after > a period of time, what is happening is the Master/Realm/Admin User > password is getting clean up and also the credentials for some of our > users > > Do you have any idea what is happening ? > Could be related with that we are adding extra values to the "user" > collection ? Yes. 
Also the question is, if you're not doing something which accidentally breaks existing users (delete their passwords etc)?

Marek

From: Kevin Thorpe (kevin.thorpe at p-i.net)
Date: Mon, 8 Aug 2016 14:06:33 +0100
Subject: [keycloak-user] Infinispan problems upgrading 1.7.0.Final to 2.0.0.Final
In-Reply-To: <57A87FB8.5000308@redhat.com>

What is really, really odd is that I copied the existing database storage (a Docker volume) and started a completely new Keycloak + db on that copy. That worked just fine. Starting a new keycloak pointing to the existing mysql server fails. I've also tried redeploying both mysql and keycloak and that's still wrong. connectionsJpa is set to update.

I'll try a production deploy on the copy of the database and see if that helps.

Kevin Thorpe
VP Enterprise Platform
From: Kevin Thorpe (kevin.thorpe at p-i.net)
Date: Mon, 8 Aug 2016 14:57:16 +0100
Subject: [keycloak-user] Infinispan problems upgrading 1.7.0.Final to 2.0.0.Final
In-Reply-To: <57A87FB8.5000308@redhat.com>

Also, the standalone.xml is yours from the keycloak-mysql image with just the https-listener and our security-realm added using saxon/xslt in the same way as you deploy it.

Kevin Thorpe
VP Enterprise Platform
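Marek's diagnosis in this thread (caches that the 2.0.0 distribution's standalone.xml defines but a customised copy lacks) can be checked mechanically. The script below is an added example, not part of this thread and not Keycloak project code: it parses two standalone.xml files and lists, per cache-container, the caches the stock file defines that the customised one is missing. The sample documents and their cache names are constructed for the example; the authoritative names are whatever the 2.0.0 distribution's own standalone.xml contains.

```python
"""List Infinispan caches that a stock Keycloak standalone.xml defines but a
customised copy lacks. Added example for the upgrade problem in the thread; not
Keycloak project code. The sample documents below are constructed and trimmed to
the elements the check reads; the authoritative cache list is the one in the
2.0.0 distribution's own standalone.xml."""
import sys
import xml.etree.ElementTree as ET

CACHE_TAGS = {"local-cache", "distributed-cache", "replicated-cache", "invalidation-cache"}


def _local(tag):
    """Strip the namespace: '{urn:jboss:domain:infinispan:4.0}local-cache' -> 'local-cache'."""
    return tag.rsplit("}", 1)[-1]


def cache_names(xml_text):
    """Return {cache-container name: set of cache names} for every container in the file."""
    containers = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "cache-container":
            continue
        containers[elem.get("name")] = {
            child.get("name") for child in elem
            if _local(child.tag) in CACHE_TAGS and child.get("name")}
    return containers


def missing_caches(stock_xml, custom_xml):
    """Caches (per container) present in the stock file but absent from the custom one."""
    stock, custom = cache_names(stock_xml), cache_names(custom_xml)
    return {container: names - custom.get(container, set())
            for container, names in stock.items()
            if names - custom.get(container, set())}


# Constructed sample: the shape of the keycloak cache-container in a 2.0.0 standalone.xml.
STOCK_SAMPLE = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:infinispan:4.0">
      <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <local-cache name="realms"/>
        <local-cache name="users"/>
        <local-cache name="sessions"/>
        <local-cache name="offlineSessions"/>
        <local-cache name="loginFailures"/>
        <local-cache name="work"/>
      </cache-container>
    </subsystem>
  </profile>
</server>"""

# Constructed sample of a customised copy carried over from an older release: two caches
# are missing, which is the kind of mismatch the startup failure in the thread points at.
CUSTOM_SAMPLE = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:infinispan:4.0">
      <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <local-cache name="realms"/>
        <local-cache name="users"/>
        <local-cache name="sessions"/>
        <local-cache name="loginFailures"/>
      </cache-container>
    </subsystem>
  </profile>
</server>"""


def report(stock_xml, custom_xml):
    """Human-readable summary of missing_caches, one line per container."""
    missing = missing_caches(stock_xml, custom_xml)
    if not missing:
        return "no caches missing"
    return "\n".join(f"cache-container {c!r} is missing: {', '.join(sorted(n))}"
                     for c, n in missing.items())


if __name__ == "__main__":
    # usage: python check_caches.py <stock standalone.xml> <your standalone.xml>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as stock, open(sys.argv[2]) as custom:
            print(report(stock.read(), custom.read()))
    else:
        print(report(STOCK_SAMPLE, CUSTOM_SAMPLE))
```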
From: Aikeaguinea (aikeaguinea at xsmail.com)
Date: Mon, 08 Aug 2016 10:14:23 -0400
Subject: [keycloak-user] API for User Account Service?
References: <1470172805.4159443.684179281.797F86A5@webmail.messagingengine.com> <57A31A89.7000107@redhat.com>
Message-ID: <1470665663.2315238.689149481.2652F1C8@webmail.messagingengine.com>

I would have sworn that I saw a special generated code embedded in the form on the User Credentials page, but it appears I was mistaken.

On Thu, Aug 4, 2016, at 09:10 AM, Bill Burke wrote:
> I think the account service can be accessed as an API.
>
> On 8/4/16 6:35 AM, Marek Posolda wrote:
>> Not right now. We plan to possibly rewrite AccountService to be based on REST + angular.
>>
>> However you can add your own REST endpoints to Keycloak if you want (See RealmResourceProvider and an example we have for that). Another possibility is to trigger admin REST API from your app, assuming it's server-side application so end-users won't see the requests to KC admin REST API done on behalf of admin user.
>>
>> Marek
>> On 02/08/16 23:20, Aikeaguinea wrote:
>>> Can the User Account Service be accessed as an API? I'm interested in the "forgot password" and "change password" functionality in particular.

--
Aikeaguinea
aikeaguinea at xsmail.com
From: Francisco Montada (fmontadamt at gmail.com)
Date: Mon, 8 Aug 2016 08:23:07 -0700
Subject: [keycloak-user] Access to Keycloak collection and collection clean up issue
In-Reply-To: <57A88208.30901@redhat.com>

Hi Marek, thanks so much for your reply.

The first question is clear.

The second question: we are sure we do not have any extra process in our application that can cause the Master/Realm/Admin clean up. When you said "Yes", does that mean that if we add new properties to the "User" collection keycloak is detecting it like the DB was hacked?

Thanks
Francisco

From: Robert van Loenhout (r.vanloenhout at greenvalley.nl)
Date: Mon, 8 Aug 2016 15:33:33 +0000
Subject: [keycloak-user] Keycloak slf4j logging

Hi,

Is there any request or effort to let keycloak use slf4j?

At the moment ClientCredentialsProviderUtils calls org.jboss.logging.Logger.debugf(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V which does not seem to exist in JBoss 4.2.3.GA, and causes a NoSuchMethodError.

From: Bruno Oliveira (bruno at abstractj.org)
Date: Mon, 8 Aug 2016 14:41:43 -0300
Subject: [keycloak-user] Keycloak slf4j logging
Message-ID: <20160808174143.GB2915@abstractj.org>

On 2016-08-08, Robert van Loenhout wrote:
> Is there any request or effort to let keycloak use slf4j?

I couldn't find any requests looking at the mailing list archives or Jiras.

> At the moment ClientCredentialsProviderUtils calls
> org.jboss.logging.Logger.debugf(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V
> which does not seem to exist in JBoss 4.2.3.GA, and causes a NoSuchMethodError.

As far as I can tell, only JBoss 7.x or WildFly are supported.
--
abstractj
PGP: 0x84DC9914

From: Robert van Loenhout (r.vanloenhout at greenvalley.nl)
Date: Mon, 8 Aug 2016 21:34:08 +0000
Subject: [keycloak-user] Keycloak slf4j logging
In-Reply-To: <20160808174143.GB2915@abstractj.org>

I wanted to add that I am referring to the Keycloak Spring Security adapter, and not the Keycloak auth server.

From: Matuszak, Eduard (eduard.matuszak at atos.net)
Date: Tue, 9 Aug 2016 06:40:21 +0000
Subject: [keycloak-user] IOT-support
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E103DC@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello,

My question is: is Keycloak planning, or are there still any efforts, to implement standards for the IOT also in the near future, e.g. to support CoAP or CBOR-Web-Tokens? We are asked to integrate resource constrained devices (by a large amount) in our project and it would be nice to keep Keycloak as AuthN/AuthZ-server to do the essential work.

Best Regards,
Eduard Matuszak

From: Subhrajyoti Moitra (subhrajyotim at gmail.com)
Date: Tue, 9 Aug 2016 12:20:47 +0530
Subject: [keycloak-user] Cannot get themes to work as expected

Hello,

I am trying to create a new theme, similar to the keycloak theme, but with my custom logo and some minor changes.

So I copied the default keycloak theme to a new theme name directory. From the admin pages, I point to my new theme.

I was expecting the theme to be "exactly" as the keycloak theme, with the changes I have done.

But it's not substituting the kcXXXX values in ftl files that are provided in the theme.properties file.

For example the themes/base/login/template.ftl has ftl variables like "kcHtmlClass" and "kcContentClass".
The values are mentioned in the theme.properties file of the respective themes, but these values are not getting picked up from my new theme.

What am I doing wrong?

I am not able to make this work. Please help.

Thanks,
Subhro.

From: Thomas Darimont (thomas.darimont at googlemail.com)
Date: Tue, 9 Aug 2016 10:00:06 +0200
Subject: [keycloak-user] IOT-support
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723E103DC@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello Eduard,

could you elaborate a bit on your use case?

1) How many devices do you need to manage? thousands, millions, billions?
2) Do you preregister devices or do you need to register them ad-hoc?
3) Do you need a device to user mapping?
4) What (general) metadata do you need to store per device? (DeviceInfo, e.g.: Device class, type, unique-id, device name, create / update timestamp, features (perhaps as "tags"), enabled state, activation state, link to the actual device, link to device specs)
5) Do you hard code a secret to the device and does the secret need to be part of the device info in KC?

Given the current Keycloak infrastructure I'd (IMHO) rather see a dedicated infrastructure for IoT devices (Device Management?) instead of extending and using the existing client facilities for this.

Cheers,
Thomas

From: Edgar Vonk - Info.nl (Edgar at info.nl)
Date: Tue, 9 Aug 2016 08:18:16 +0000
Subject: [keycloak-user] Can no longer create users in Active Directory from Keycloak
Message-ID: <3286EE03-E0AC-41DE-8F7F-29FE963D990B@info.nl>

Hi,

We no longer seem to be able to create new users in Keycloak with the LDAP/MSAD User Federation set up with "Sync Registrations" turned on. I think this is since we migrated to Keycloak 2.0.0.Final (not 100% sure).

When I try to create a new user from Keycloak (Manage - Users) I only see the error message "Error! Could not create user" but nothing else. Nothing in the logs unfortunately. Not even at the debug level.

Any pointers on where to start looking for a solution? I have the Keycloak source code available.

cheers
Edgar

From: Bruno Oliveira (bruno at abstractj.org)
Date: Tue, 9 Aug 2016 05:25:48 -0300
Subject: [keycloak-user] Cannot get themes to work as expected
Message-ID: <20160809082548.GA21935@abstractj.org>

Please, try to take a look at the docs[1]. Certainly some configuration step is missing.

[1] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/themes.html

--
abstractj

From: Subhrajyoti Moitra (subhrajyotim at gmail.com)
Date: Tue, 9 Aug 2016 14:36:11 +0530
Subject: [keycloak-user] Cannot get themes to work as expected
In-Reply-To: <20160809082548.GA21935@abstractj.org>

Thanks Bruno, for responding.
Yes. I too thought so, but can't seem to find out what is missing.

I have been able to make the sunrise example from the themes example work. But that does not define any of the kcXXX ftl variables.

Shouldn't copying the keycloak theme to a new name result in the same results? That too isn't working it seems.

I am using 1.9.2.Final version. Could this be the reason?

Thanks,
Subhro.

From: NEMECKAY Marek (Marek.NEMECKAY at frequentis.com)
Date: Tue, 9 Aug 2016 09:48:52 +0000
Subject: [keycloak-user] ClientRoles property is empty in UserRepresentation
Message-ID: <6780F0043CD4A945B043E2484C7C53357C0F2819@vie196nt>

Dear all,

We are facing a problem with retrieving the client roles from Keycloak.
In our implementation we are using the following API to find and retrieve user data via username:
http://www.keycloak.org/docs/rest-api/index.html#_get_users

In the retrieved UserRepresentation object instance the property clientRoles is always null. We are using Keycloak 1.9.8 connected to an LDAP server for user federation. We are connecting and receiving the access token with an admin-user of the corresponding realm. This works just fine. We are also receiving user data like name, e-mail etc., but the client roles are always null. The mappers to sync roles between Keycloak and LDAP are also defined and working.

Is there anything else we have overlooked or we should check?

Thanks and BR,
Marek

From tpearson at bkool.com Tue Aug 9 05:56:12 2016
From: tpearson at bkool.com (Tom Pearson)
Date: Tue, 9 Aug 2016 11:56:12 +0200
Subject: [keycloak-user] Multiple calls required to create a user
Message-ID:

Hi,

I'm creating a new user through the admin API. In order to do this I have to make 3 separate calls (createUser, resetPassword and addRealmLevelRoles) as the credentials and realm roles in the UserRepresentation are ignored. I then have to make another call to getEffectiveRealmLevelRoles as the getUser method doesn't return the roles. If I were to require the client level roles this would be 6 calls to create and return the user.

Is there a reason as to why this is the case?

As an aside, in the docs the reset password method is called "Set up a temporary password for the user" but in my experience the password is never temporary regardless of the value of the temporary flag.

Kind regards,
Tom
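The call sequence Tom lists (createUser, resetPassword, addRealmLevelRoles, then getEffectiveRealmLevelRoles), as an added example that is not code from this thread or from the Keycloak project: it drives the Keycloak admin REST endpoints through a requests-style session, and the FakeKeycloak class is a constructed in-memory stand-in (the base URL, realm name, role and client ids are assumptions) so the sequence can be run offline; the client-role lookup uses the role-mappings/clients/{client} endpoint Marek Posolda gives further down the thread.

```python
# Added example (not from the thread or the Keycloak project): the admin REST
# call sequence Tom describes, driven through a requests-style session so it
# runs against a real server or the constructed in-memory FakeKeycloak below.
import json
from urllib.parse import urlsplit


class AdminApiError(RuntimeError):
    pass


def _check(resp, *expected):
    """Raise unless the response status is one of the expected codes."""
    if resp.status_code not in expected:
        raise AdminApiError(f"HTTP {resp.status_code}: {resp.text}")
    return resp


def create_user_with_roles(session, base, realm, username, password,
                           realm_roles, temporary=True):
    """Create a user and return (user_id, sorted effective realm role names).

    Separate requests, because the create endpoint ignores credentials and
    realm roles embedded in the UserRepresentation (Tom's point).
    """
    users = f"{base}/admin/realms/{realm}/users"
    r = _check(session.request("POST", users,
                               json={"username": username, "enabled": True}), 201)
    user_id = r.headers["Location"].rstrip("/").rsplit("/", 1)[-1]  # id only in Location
    _check(session.request("PUT", f"{users}/{user_id}/reset-password",
                           json={"type": "password", "value": password,
                                 "temporary": temporary}), 204)
    reps = []
    for name in realm_roles:  # mapping needs the role's id, so look each one up
        role = _check(session.request(
            "GET", f"{base}/admin/realms/{realm}/roles/{name}"), 200).json()
        reps.append({"id": role["id"], "name": role["name"]})
    _check(session.request("POST", f"{users}/{user_id}/role-mappings/realm",
                           json=reps), 204)
    effective = _check(session.request(
        "GET", f"{users}/{user_id}/role-mappings/realm/composite"), 200).json()
    return user_id, sorted(role["name"] for role in effective)


def get_client_roles(session, base, realm, user_id, client_uuid):
    """Client role mappings (absent from UserRepresentation too); {client} is the
    client's internal id. This is the endpoint Marek gives further down the thread."""
    url = f"{base}/admin/realms/{realm}/users/{user_id}/role-mappings/clients/{client_uuid}"
    return sorted(r["name"] for r in _check(session.request("GET", url), 200).json())


class _Resp:
    def __init__(self, status, body=None, headers=None):
        self.status_code, self._body, self.headers = status, body, headers or {}
        self.text = json.dumps(body) if body is not None else ""

    def json(self):
        return self._body


class FakeKeycloak:
    """Constructed stand-in for just the admin endpoints used above."""

    def __init__(self, realm_roles, client_roles=None):
        self.roles = {n: {"id": f"role-{i}", "name": n} for i, n in enumerate(realm_roles)}
        self.client_roles = client_roles or {}  # client uuid -> [RoleRepresentation]
        self.users, self.calls = {}, []          # user id -> state, (method, path) log

    def request(self, method, url, json=None, headers=None):
        body, segs = json, urlsplit(url).path.split("/")
        parts = segs[segs.index("realms") + 2:]  # everything after /admin/realms/{realm}
        self.calls.append((method, "/" + "/".join(parts)))
        if parts == ["users"] and method == "POST":
            if any(u["rep"]["username"] == body["username"] for u in self.users.values()):
                return _Resp(409, {"errorMessage": "User exists with same username"})
            uid = f"user-{len(self.users) + 1}"
            # as on the real server, credentials/realmRoles in the representation are ignored
            self.users[uid] = {"rep": body, "password": None, "roles": set()}
            return _Resp(201, headers={"Location": f"{url}/{uid}"})
        if len(parts) == 2 and parts[0] == "roles" and method == "GET":
            role = self.roles.get(parts[1])
            return _Resp(200, role) if role else _Resp(404, {"error": "Could not find role"})
        if len(parts) >= 3 and parts[0] == "users" and parts[1] in self.users:
            user, tail = self.users[parts[1]], parts[2:]
            if tail == ["reset-password"] and method == "PUT":
                user["password"] = (body["value"], body["temporary"])
                return _Resp(204)
            if tail == ["role-mappings", "realm"] and method == "POST":
                user["roles"].update(r["name"] for r in body)
                return _Resp(204)
            if tail == ["role-mappings", "realm", "composite"] and method == "GET":
                return _Resp(200, [self.roles[n] for n in sorted(user["roles"])])
            if len(tail) == 3 and tail[:2] == ["role-mappings", "clients"] and method == "GET":
                return _Resp(200, self.client_roles.get(tail[2], []))
        return _Resp(404, {"error": "unknown route"})


if __name__ == "__main__":
    base, realm = "http://localhost:8080/auth", "Test"  # assumed server and realm
    kc = FakeKeycloak(["offline_access", "app-user"],
                      {"client-uuid-1": [{"id": "cr-1", "name": "view-profile"}]})
    uid, roles = create_user_with_roles(kc, base, realm, "alice", "s3cret", ["app-user"])
    print(uid, roles, get_client_roles(kc, base, realm, uid, "client-uuid-1"))
    print("\n".join(f"{m} {p}" for m, p in kc.calls))  # six separate round trips
```

With a real server, pass a `requests.Session` carrying the admin bearer token as `session`; the fake only models the success paths plus duplicate-username and unknown-role failures.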
From subhrajyotim at gmail.com Tue Aug 9 07:11:28 2016
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Tue, 9 Aug 2016 16:41:28 +0530
Subject: [keycloak-user] Cannot get themes to work as expected
In-Reply-To:
References: <20160809082548.GA21935@abstractj.org>
Message-ID:

Hi,

I got it to work. The issue seems to be with the name of the theme. It cannot contain numbers; only alphabets are allowed. For some reason, which I don't understand, a theme name with numbers doesn't get picked up by the ftl variables. When I changed the name of the theme to all alphabets, it works fine as expected.

Thanks for taking time to look into it.

Cheers,
Subhro.
From mposolda at redhat.com Tue Aug 9 08:22:39 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 9 Aug 2016 14:22:39 +0200
Subject: [keycloak-user] Infinispan problems upgrading 1.7.0.Final to 2.0.0.Final
In-Reply-To:
References: <57A87FB8.5000308@redhat.com>
Message-ID: <57A9CB0F.5020501@redhat.com>

Hmm... Actually I am not 100% sure what you did, but from the error message it's very clear that the configuration of your infinispan caches in standalone.xml is out-dated.
In Keycloak 2.0 it should look like this:

Marek

On 08/08/16 15:57, Kevin Thorpe wrote:
> Also, the standalone.xml is yours from the keycloak-mysql image with just the https-listener and our security-realm added using saxon/xslt in the same way as you deploy it
>
> Kevin Thorpe
> VP Enterprise Platform
>
> On 8 August 2016 at 13:48, Marek Posolda wrote:
> > From your logs, it seems the problem is related to the migration of infinispan caches. It looks like you haven't defined some of those caches in standalone.xml.
> >
> > Generally it's recommended to use Keycloak with the keycloak-server distribution, and the upgrade process is like this:
> > - You stop your Keycloak 1.7.0.Final server
> > - You download the Keycloak-server 2.0.0.Final distribution and you just configure the DB (datasource) to point to the same DB that Keycloak 1.7.0 was using previously
> > - You start Keycloak and liquibase makes sure to upgrade your DB.
> >
> > Note that with this approach, you don't need to care about any changes which were done in standalone.xml or keycloak-server.json or other files between Keycloak 1.7 and 2.0.
> >
> > Marek
> >
> > On 08/08/16 14:27, Shiva Saxena wrote:
> > > Hi,
> > >
> > > You can try setting the "databaseSchema" to "update" in "connectionsJpa".
> > >
> > > Here is the migration guide doc URL
> > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/MigrationFromOlderVersions.html
> > >
> > > On Mon, Aug 8, 2016 at 4:47 PM, Kevin Thorpe wrote:
> > > > Hi,
> > > > I'm having problems upgrading from 1.7.0.Final to 2.0.0.Final. I'm using the Docker images on which we build our own images to add https with our certs, our theme and a small patch to match our LDAP configuration. The new image of 2.0.0 works fine with a brand new database but doesn't start up with the existing database. Do I need to upgrade via an earlier release to modify the db?
> > > >
> > > > I've attached the startup logs. I don't know enough to see what's wrong.
> > > >
> > > > Kevin Thorpe
> > > > VP Enterprise Platform
> > >
> > > Best Regards
> > > Shiva Saxena

From bburke at redhat.com Tue Aug 9 08:28:25 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 9 Aug 2016 08:28:25 -0400
Subject: [keycloak-user] IOT-support
In-Reply-To:
References: <61D077C6283D454FAFD06F6AC4AB74D723E103DC@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID:

We need a good idea of how people want this to work before we can continue. Standards make me nervous as they can be a huge timesink both for implementation, certification, and maintenance.

On 8/9/16 4:00 AM, Thomas Darimont wrote:
> Hello Eduard,
>
> could you elaborate a bit on your use case?
>
> 1) How many devices do you need to manage? Thousands, millions, billions?
> 2) Do you preregister devices or do you need to register them ad-hoc?
> 3) Do you need a device to user mapping?
> 4) What (general) metadata do you need to store per device?
>    (DeviceInfo, e.g.: device class, type, unique-id, device name, create / update timestamp, features (perhaps as "tags"), enabled state, activation state, link to the actual device, link to device specs)
> 5) Do you hard code a secret into the device, and does the secret need to be part of the device info in KC?
>
> Given the current Keycloak infrastructure I'd (IMHO) rather see a dedicated infrastructure for IoT devices (Device Management?) instead of extending and using the existing client facilities for this.
>
> Cheers,
> Thomas
>
> 2016-08-09 8:40 GMT+02:00 Matuszak, Eduard:
> > Hello
> > My question is: Is Keycloak planned, or are there still any efforts, to implement standards for the IOT also in the near future, e.g. to support CoAP or CBOR Web Tokens? We are asked to integrate resource constrained devices (by a large amount) in our project and it would be nice to keep Keycloak as AuthN/AuthZ-server to do the essential work.
> > Best Regards, Eduard Matuszak

From bburke at redhat.com Tue Aug 9 08:31:38 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 9 Aug 2016 08:31:38 -0400
Subject: [keycloak-user] Multiple calls required to create a user
In-Reply-To:
References:
Message-ID: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com>

On 8/9/16 5:56 AM, Tom Pearson wrote:
> Is there a reason as to why this is the case?

The reason is simply that the admin API was written for the admin console. We've never had time to refactor it. Too many other things on the queue.

> As an aside, in the docs the reset password method is called "Set up a temporary password for the user" but in my experience the password is never temporary regardless of the value of the temporary flag.
>
> Kind regards,
> Tom

From mposolda at redhat.com Tue Aug 9 08:32:08 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 9 Aug 2016 14:32:08 +0200
Subject: [keycloak-user] Access to Keycloak collection and collection clean up issue
In-Reply-To:
References: <57A88208.30901@redhat.com>
Message-ID: <57A9CD48.8040507@redhat.com>

Sorry to not be clear in my last answer.

Keycloak doesn't have any detection that it will break if you add a new property to the mongo "user" collection. You can manually add any property you want to the objects in the "user" collection. However note that:

- Keycloak data is cached, so direct mongo modifications to a user won't be visible to Keycloak until you clear the cache or restart the Keycloak server (or disable the cache).
- I was more thinking about the case that, with your direct modification of the "user" object, there is a chance that you accidentally delete some properties of the "user" object. For example you update some attribute of "user" and accidentally delete the password etc.

Keycloak itself doesn't have anything which clears the password of existing users. So you can try to just run Keycloak without running the second app.
If Keycloak still works after a period of time, then you will know that the breaking of user records is probably related to some mongo modifications by your second app.

Marek

On 08/08/16 17:23, Francisco Montada wrote:
> Hi Marek, thanks so much for your reply
>
> The first question is clear.
> The second question: we are sure we do not have any extra process in our application that can cause the Master/Realm/Admin clean up. When you said "Yes", does it mean that if we add new properties to the "User" collection keycloak is detecting it like the DB was hacked?
>
> Thanks
> Francisco
>
> On Mon, Aug 8, 2016 at 5:58 AM, Marek Posolda wrote:
> > On 05/08/16 04:51, Francisco Montada wrote:
> > > Hi team, we are using Keycloak and we are facing two issues that we do not know why are happening
> > >
> > > 1. We are using the same Database to save Keycloak and our App information, we have a Spring boot and MongoDB environment, so we have access directly from our Application level to the Keycloak collections. We had noticed that if we change any value on a Keycloak collection from the DB or from our app level it is not reflected in Keycloak.
> > >
> > > Does Keycloak have some security validation for data that are not saved from the Admin or API?
> > > Could it be related with caching?
> >
> > Yes, Keycloak has a cache for user data. It's possible to disable it in the keycloak admin console.
> >
> > > 2. For some reason our Keycloak collections are getting messed up after a period of time. What is happening is that the Master/Realm/Admin User password is getting cleaned up and also the credentials for some of our users.
> > >
> > > Do you have any idea what is happening?
> > > Could it be related with that we are adding extra values to the "user" collection?
> >
> > Yes. Also the question is, if you're not doing something which accidentally breaks existing users (deletes their passwords etc)?
> >
> > Marek
> >
> > > Thanks
> > > Francisco

From mposolda at redhat.com Tue Aug 9 08:47:43 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 9 Aug 2016 14:47:43 +0200
Subject: [keycloak-user] Keycloak slf4j logging
In-Reply-To:
References: <20160808174143.GB2915@abstractj.org>
Message-ID: <57A9D0EF.4010303@redhat.com>

By JBoss 4.2.3.GA do you mean JBoss AS 4 or JBoss EAP 4? This is very old and AFAIK we never tried to have our adapters working with so old a version of the jboss server. The latest we tested was JBoss AS 7.1, AFAIK.

It looks like this version contains some very old version of the jboss-logging library. Maybe you can try to manually delete jboss-logging from the "lib" directory of JBoss 4 and replace it with the version used by Keycloak. But that will probably have other consequences, so it's hard to say if that helps... Probably you will rather see some other issues...

Marek

On 08/08/16 23:34, Robert van Loenhout wrote:
>
> > On 2016-08-08, Robert van Loenhout wrote:
> > > Hi,
> > >
> > > Is there any request or effort to let keycloak use slf4j?
> >
> > I couldn't find any requests looking at the mailing list archives or Jiras.
> >
> > > At the moment ClientCredentialsProviderUtils calls
> > > org.jboss.logging.Logger.debugf(Ljava/lang/String;Ljava/lang/Object;Ljava/lang/Object;)V
> > > which does not seem to exist in JBoss 4.2.3.GA, and causes a NoSuchMethodError.
> >
> > As far as I can tell, only JBoss 7.x or WildFly are supported.
>
> I wanted to add that I am referring to the Keycloak Spring Security adapter, and not the Keycloak auth server.
From mposolda at redhat.com Tue Aug 9 08:57:24 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 9 Aug 2016 14:57:24 +0200
Subject: [keycloak-user] CXF Keycloak Admin Client
In-Reply-To:
References:
Message-ID: <57A9D334.7000209@redhat.com>

Cool, thanks for sharing this!

This might be useful to have available in Keycloak OOTB, so the admin-client can pick either resteasy or CXF (or any other available impl) according to what is available.
If you want to create a JIRA and send a PR it will be good :-)

Marek

On 04/08/16 18:36, Luigi De Masi wrote:
> Hi,
>
> I'm working on a Spring boot + Fuse integration Service project that uses cxf to expose restful web services and the KC admin client to manage users in a realm.
>
> I had some issues (that I was expecting...) running CXF servers and the RESTEasy KC admin client together, so I decided to remove all RESTEasy/jboss dependencies from the KC client and adapt the code to use CXF as the JAX-RS implementation.
> It works quite well with very few changes, so I decided to share it on my github in case someone else is in the same situation as me or prefers CXF over RESTEasy.
>
> https://github.com/luigidemasi/keycloak-cxf-admin-client
>
> I'm also thinking about adding OSGI support to have the possibility to deploy it in karaf and maybe a camel component as well.
>
> Regards.
>
> --
> Luigi De Masi
> "Talk is cheap. Show me the code." -- Linus Torvalds
From mposolda at redhat.com Tue Aug 9 09:04:41 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 9 Aug 2016 15:04:41 +0200
Subject: [keycloak-user] ClientRoles property is empty in UserRepresentation
In-Reply-To: <6780F0043CD4A945B043E2484C7C53357C0F2819@vie196nt>
References: <6780F0043CD4A945B043E2484C7C53357C0F2819@vie196nt>
Message-ID: <57A9D4E9.2050903@redhat.com>

On 09/08/16 11:48, NEMECKAY Marek wrote:
> Dear all,
> We are facing a problem with retrieving the client roles from Keycloak. In our implementation we are using the following API to find and retrieve user data via username:
> http://www.keycloak.org/docs/rest-api/index.html#_get_users

It seems that you need a different admin REST endpoint to get the client role mappings of a user. It's this one:

GET /admin/realms/{realm}/users/{id}/role-mappings/clients/{client}

Marek

> In the retrieved UserRepresentation object instance the property clientRoles is always null. We are using Keycloak 1.9.8 connected to an LDAP server for user federation. We are connecting and receiving the access token with an admin-user of the corresponding realm. This works just fine. We are also receiving user data like name, e-mail etc., but the client roles are always null. The mappers to sync roles between Keycloak and LDAP are also defined and working.
> Is there anything else we have overlooked or we should check?
> Thanks and BR,
> Marek

From mposolda at redhat.com Tue Aug 9 09:07:31 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 9 Aug 2016 15:07:31 +0200
Subject: [keycloak-user] Can no longer create users in Active Directory from Keycloak
In-Reply-To: <3286EE03-E0AC-41DE-8F7F-29FE963D990B@info.nl>
References: <3286EE03-E0AC-41DE-8F7F-29FE963D990B@info.nl>
Message-ID: <57A9D593.1030907@redhat.com>

Maybe enabling LDAP logging will help? You can enable TRACE logging for "org.keycloak.federation.ldap" in standalone.xml and see what's logged into server.log when you try to create the Keycloak user.

Marek

On 09/08/16 10:18, Edgar Vonk - Info.nl wrote:
> Hi,
>
> We no longer seem to be able to create new users in Keycloak with the LDAP/MSAD User Federation set up with "Sync Registrations" turned on.
>
> I think this is since we migrated to Keycloak 2.0.0.Final (not 100% sure).
>
> When I try to create a new user from Keycloak (Manage - Users) I only see the error message "Error! Could not create user" but nothing else. Nothing in the logs unfortunately. Not even at the debug level.
>
> Any pointers on where to start looking for a solution? I have the Keycloak source code available.
>
> cheers
>
> Edgar
From tpearson at bkool.com Tue Aug 9 09:14:34 2016
From: tpearson at bkool.com (Tom Pearson)
Date: Tue, 9 Aug 2016 15:14:34 +0200
Subject: [keycloak-user] Multiple calls required to create a user
In-Reply-To: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com>
References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com>
Message-ID:

Okay, understood. Would be great if the admin docs could be updated to reflect the implementation, although I appreciate you probably have more important matters to attend to.
From bburke at redhat.com Tue Aug 9 09:16:52 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 9 Aug 2016 09:16:52 -0400
Subject: [keycloak-user] Multiple calls required to create a user
In-Reply-To:
References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com>
Message-ID: <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com>

You can send PRs to the admin docs if you want. The admin REST API is here:

https://github.com/keycloak/server_development_guide
From tpearson at bkool.com Tue Aug 9 09:19:04 2016
From: tpearson at bkool.com (Tom Pearson)
Date: Tue, 9 Aug 2016 15:19:04 +0200
Subject: [keycloak-user] ClientRoles property is empty in UserRepresentation
In-Reply-To: <57A9D4E9.2050903@redhat.com>
References: <6780F0043CD4A945B043E2484C7C53357C0F2819@vie196nt> <57A9D4E9.2050903@redhat.com>
Message-ID:

I ran into the same issue with the realm roles. The problem is that the documentation for methods such as getUser should make it clear that the UserRepresentation returns only a subset of the fields. The same goes for creating a user: certain fields in the UserRepresentation, such as roles and password, are ignored.
From tpearson at bkool.com Tue Aug 9 09:20:00 2016
From: tpearson at bkool.com (Tom Pearson)
Date: Tue, 9 Aug 2016 15:20:00 +0200
Subject: [keycloak-user] Multiple calls required to create a user
In-Reply-To: <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com>
References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com> <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com>
Message-ID:

Ok cheers, will do when I get a sec.
Would be great if the admin docs could be updated to > reflect the implementation although I appreciate you probably have more > important matter to attend to. > > 2016-08-09 14:31 GMT+02:00 Bill Burke : > >> >> >> On 8/9/16 5:56 AM, Tom Pearson wrote: >> >> Hi, >> >> I'm creating a new user through the admin API. In order to do this I have >> to make 3 separate calls (createUser >> , >> resetPassword >> >> and addRealmLevelRoles >> ) >> as the credentials and realm roles in the UserRepresentation >> are >> ignored. I then have to make another call to getEffectiveRealmLevelRoles >> as >> the getUser >> method >> doesn't return the roles. If I were to require the client level roles this >> would be 6 calls to create and return the user. >> >> Is there a reason as to why this is the case? >> >> The reason is simply that the admin API was written for the admin >> console. We've never had time to refactor it. Too many other things on >> the queue. >> >> As an aside, in the docs the reset password method is called "Set up a >> temporary password for the user" but in my experience the password is never >> temporary regardless of the value of the temporary flag. >> >> Kind regards, >> Tom >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ keycloak-user mailing >> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >> n/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... 
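The create / reset-password / add-roles / verify sequence Tom describes, together with Marek's client role-mappings endpoint from the other thread, as an added example (not code from this thread or from Keycloak's own admin client). It runs offline against a constructed in-memory stand-in for the admin server that mirrors the behaviour reported here (credentials and realmRoles in the UserRepresentation are silently dropped; the new id only appears in the Location header); the base URL, realm, bearer token and role id are placeholders.

```python
from urllib.parse import urlsplit


class KeycloakAdminUsers:
    """Thin wrapper over the admin REST endpoints behind createUser,
    resetPassword, addRealmLevelRoles and getEffectiveRealmLevelRoles, plus
    the client-role path quoted in the thread. `session` is requests-like."""

    def __init__(self, session, base_url, realm, token):
        self.session = session
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.headers = {"Authorization": f"Bearer {token}"}

    def _call(self, method, path, json=None, expect=(200,)):
        resp = self.session.request(method, self.base + path, json=json, headers=self.headers)
        if resp.status_code not in expect:
            raise RuntimeError(f"{method} {path} -> HTTP {resp.status_code}")
        return resp

    def create_user(self, username, **extra):
        # Extra keys go into the body unchanged. The server drops 'credentials'
        # and 'realmRoles' silently, so a 201 only proves the bare user exists;
        # the new id is returned in the Location header, not in a body.
        body = {"username": username, "enabled": True, **extra}
        resp = self._call("POST", "/users", json=body, expect=(201,))
        user_id = urlsplit(resp.headers.get("Location", "")).path.rstrip("/").rsplit("/", 1)[-1]
        if not user_id:
            raise RuntimeError("user creation returned no Location header")
        return user_id

    def set_password(self, user_id, password, temporary=True):
        cred = {"type": "password", "value": password, "temporary": temporary}
        self._call("PUT", f"/users/{user_id}/reset-password", json=cred, expect=(204,))

    def add_realm_roles(self, user_id, roles):
        # roles: list of RoleRepresentation dicts with at least 'id' and 'name'
        self._call("POST", f"/users/{user_id}/role-mappings/realm", json=roles, expect=(204,))

    def effective_realm_roles(self, user_id):
        resp = self._call("GET", f"/users/{user_id}/role-mappings/realm/composite")
        return {r["name"] for r in resp.json()}

    def client_roles(self, user_id, client_uuid):
        resp = self._call("GET", f"/users/{user_id}/role-mappings/clients/{client_uuid}")
        return {r["name"] for r in resp.json()}

    def provision(self, username, password, roles):
        """Create, set password, assign roles, then verify what actually took."""
        user_id = self.create_user(username)
        self.set_password(user_id, password, temporary=True)
        self.add_realm_roles(user_id, roles)
        missing = {r["name"] for r in roles} - self.effective_realm_roles(user_id)
        if missing:
            raise RuntimeError(f"{username}: roles not applied: {sorted(missing)}")
        return user_id


class _Resp:
    def __init__(self, status_code, headers=None, body=None):
        self.status_code, self.headers, self._body = status_code, headers or {}, body or []

    def json(self):
        return self._body


class FakeAdminServer:
    """Constructed in-memory stand-in for the admin API (offline use only).
    POST /users keeps only the user itself and drops credentials/realmRoles."""

    def __init__(self, realm):
        self.prefix, self.users, self.calls = f"/admin/realms/{realm}", {}, []

    def request(self, method, url, json=None, headers=None):
        path = url.split(self.prefix, 1)[1]
        self.calls.append(f"{method} {path}")
        if (method, path) == ("POST", "/users"):
            uid = f"user-{len(self.users) + 1:04d}"  # constructed id
            self.users[uid] = {"username": json["username"], "password": None, "roles": set()}
            return _Resp(201, headers={"Location": f"{url}/{uid}"})
        user = self.users.get(path.split("/")[2]) if path.startswith("/users/") else None
        if user is None:
            return _Resp(404)
        if method == "PUT" and path.endswith("/reset-password"):
            user["password"] = (json["value"], json["temporary"])
            return _Resp(204)
        if method == "POST" and path.endswith("/role-mappings/realm"):
            user["roles"].update(r["name"] for r in json)
            return _Resp(204)
        if method == "GET" and path.endswith("/role-mappings/realm/composite"):
            return _Resp(200, body=[{"name": n} for n in sorted(user["roles"])])
        if method == "GET" and "/role-mappings/clients/" in path:
            return _Resp(200, body=[])  # stand-in has no client roles
        return _Resp(404)


BASE, REALM, TOKEN = "http://localhost:8080/auth", "demo", "ADMIN-TOKEN-PLACEHOLDER"
ROLES = [{"id": "ROLE-ID-PLACEHOLDER", "name": "ROLE-Website"}]


def provision_example():
    """The four-call sequence; returns (user id, effective roles, calls made)."""
    server = FakeAdminServer(REALM)
    admin = KeycloakAdminUsers(server, BASE, REALM, TOKEN)
    uid = admin.provision("webuser", "PASSWORD-PLACEHOLDER", ROLES)
    return uid, admin.effective_realm_roles(uid), server.calls[:4]


def naive_example():
    """The pitfall from the thread: trusting a 201 after putting credentials
    and realmRoles into the UserRepresentation. Returns (roles, password)."""
    server = FakeAdminServer(REALM)
    admin = KeycloakAdminUsers(server, BASE, REALM, TOKEN)
    uid = admin.create_user("webuser", realmRoles=["ROLE-Website"],
                            credentials=[{"type": "password", "value": "x", "temporary": True}])
    return admin.effective_realm_roles(uid), server.users[uid]["password"]


if __name__ == "__main__":
    print(provision_example())
    print(naive_example())
```

Against a real server the same verification step (read back the composite role mappings and fail if anything expected is missing) is what turns the silent drop into a visible provisioning error.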
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/351fe18b/attachment-0001.html From bburke at redhat.com Tue Aug 9 09:22:33 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 9 Aug 2016 09:22:33 -0400 Subject: [keycloak-user] CXF Keycloak Admin Client In-Reply-To: <57A9D334.7000209@redhat.com> References: <57A9D334.7000209@redhat.com> Message-ID: <3b1cb928-87bc-263d-d734-eedf94ab82f0@redhat.com> I wish the JAX-RS JSR would just standardize the proxy stuff that is in Resteasy. They were being stubborn and refused to accept my submission for it even though it is a much used feature. Then we wouldn't have to have separate clients for CXF and Resteasy. Somebody could probably pull it out of Resteasy and make it generic so it could run on any JAX-RS platform. On 8/9/16 8:57 AM, Marek Posolda wrote: > Cool, Thanks for sharing this! > > This might be useful to be available in Keycloak OOTB, so admin-client > can pick either resteasy or CXF (or any other available impl) > according to what is available. If you want to create JIRA and send PR > it will be good :-) > > Marek > > > On 04/08/16 18:36, Luigi De Masi wrote: >> Hi, >> >> I'm working on a Spring boot + Fuse integration Service project that >> use cxf to expose restful web services and KC admin client to manage >> users in a realm. >> >> I had some issues (that I was expecting...) running CXF servers and >> RESTEasy KC admin client together so I decided to remove all >> RESTEasy/jboss dependency from KC client and adapt the code to use >> CXF as JAX-RS implementation. >> It works quite well with very few changes, so I decided to share it >> on my github >> in case someone else is in the same situation as me or prefer CXF >> over RESTEasy. >> >> https://github.com/luigidemasi/keycloak-cxf-admin-client >> >> >> I'm also thinking about adding OSGI support to have the possibility >> to deploy it in karaf and maybe a camel component as well. >> >> Regards. 
>> >> -- >> Luigi De Masi >> /"Talk is cheap. Show me the code."/ >> / -- Linus Torvalds/ >> >> ------------------------------------------------------------------------ >> >> Extra srl >> p: +39 0587975800 >> a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy >> >> w: www.extrasrl.it e: info at extrasys.it >> >> >> >> >> >> >> >> Le informazioni trasmesse sono riservate alla persona o ente alla >> quali sono indirizzate e possono contenere informazioni riservate e/o >> materiale di valore. Qualsiasi revisione, ritrasmissione, diffusione >> o altro uso, o l'adozione di azioni basate su tali informazioni da >> parte di soggetti diversi dal destinatario ? proibita. Se avete >> ricevuto per errore questo messaggio, siete pregati di informare il >> mittente e cancellare il materiale contenuto da ogni computer. >> >> The information transmitted is intended for the person or entity to >> which it is addressed and may contain confidential and/or privileged >> material. Any review, retransmission, dissemination or other use of, >> or taking of any action in reliance upon, this information by persons >> or entities other than the intended recipient is prohibited. If you >> received this in error, please contact the sender and delete the >> material from any computer. >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/10d6f94e/attachment.html From mposolda at redhat.com Tue Aug 9 09:27:33 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 9 Aug 2016 15:27:33 +0200 Subject: [keycloak-user] ClientRoles property is empty in UserRepresentation In-Reply-To: References: <6780F0043CD4A945B043E2484C7C53357C0F2819@vie196nt> <57A9D4E9.2050903@redhat.com> Message-ID: <57A9DA45.1040603@redhat.com> I agree with improving the docs as you're not alone who ran into this kind of issue with admin REST API. Can you please create JIRA for this and link with this discussion? Thanks, Marek On 09/08/16 15:19, Tom Pearson wrote: > I ran into the same issue with the realm roles. The problem is that > the documentation for methods such as getUser > should > make it clear that the UserRepresentation returns only a subset of the > fields. The same goes for creating a user - certain fields in the > UserRepresentation such as roles, password are ignored. > > 2016-08-09 15:04 GMT+02:00 Marek Posolda >: > > On 09/08/16 11:48, NEMECKAY Marek wrote: >> Dear all, >> We are facing a problem with retrieving the client roles from >> Keycloak. In our implementation we are using the following API to >> find a retrieve user data via username: >> _http://www.keycloak.org/docs/rest-api/index.html#_get_users_ >> > _It seems that you need different admin REST endpoint to get the > client role mappings of user. It's this one : _ > > GET /admin/realms/{realm}/users/{id}/role-mappings/clients/{client} > > Marek > >> In the retrieved _UserRepresentation_ >> object >> instance the property clientRoles is always null. We are using >> Keycloak 1.9.8 connected to a LDAP server for user federation. We >> are connecting a receiving the access token with a admin-user of >> the corresponding realm. This works just fine. We are also >> receiving user data like name, e-mail etc., but the client roles >> are always null. 
The mappers to sync roles between Keycloak and >> LDAP are also defined and working. >> Is there anything else we have overlooked or we should check? >> Thanks and BR, >> Marek >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/8f6558f5/attachment-0001.html From mposolda at redhat.com Tue Aug 9 09:48:22 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 9 Aug 2016 15:48:22 +0200 Subject: [keycloak-user] CXF Keycloak Admin Client In-Reply-To: <3b1cb928-87bc-263d-d734-eedf94ab82f0@redhat.com> References: <57A9D334.7000209@redhat.com> <3b1cb928-87bc-263d-d734-eedf94ab82f0@redhat.com> Message-ID: <57A9DF26.3020002@redhat.com> It seems that at least CXF has something very similar too - https://github.com/luigidemasi/keycloak-cxf-admin-client/blob/master/src/main/java/org/keycloak/admin/client/Keycloak.java#L96-L103 Marek On 09/08/16 15:22, Bill Burke wrote: > > I wish the JAX-RS JSR would just standardize the proxy stuff that is > in Resteasy. They were being stubborn and refused to accept my > submission for it even though it is a much used feature. Then we > wouldn't have to have separate clients for CXF and Resteasy. Somebody > could probably pull it out of Resteasy and make it generic so it could > run on any JAX-RS platform. > > > On 8/9/16 8:57 AM, Marek Posolda wrote: >> Cool, Thanks for sharing this! >> >> This might be useful to be available in Keycloak OOTB, so >> admin-client can pick either resteasy or CXF (or any other available >> impl) according to what is available. 
If you want to create JIRA and >> send PR it will be good :-) >> >> Marek >> >> >> On 04/08/16 18:36, Luigi De Masi wrote: >>> Hi, >>> >>> I'm working on a Spring boot + Fuse integration Service project that >>> use cxf to expose restful web services and KC admin client to manage >>> users in a realm. >>> >>> I had some issues (that I was expecting...) running CXF servers and >>> RESTEasy KC admin client together so I decided to remove all >>> RESTEasy/jboss dependency from KC client and adapt the code to use >>> CXF as JAX-RS implementation. >>> It works quite well with very few changes, so I decided to share it >>> on my github >>> in case someone else is in the same situation as me or prefer CXF >>> over RESTEasy. >>> >>> https://github.com/luigidemasi/keycloak-cxf-admin-client >>> >>> >>> I'm also thinking about adding OSGI support to have the possibility >>> to deploy it in karaf and maybe a camel component as well. >>> >>> Regards. >>> >>> -- >>> Luigi De Masi >>> /"Talk is cheap. Show me the code."/ >>> / -- Linus Torvalds/ >>> >>> ------------------------------------------------------------------------ >>> >>> Extra srl >>> p: +39 0587975800 >>> a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy >>> >>> w: www.extrasrl.it e: info at extrasys.it >>> >>> >>> >>> >>> >>> >>> Le informazioni trasmesse sono riservate alla persona o ente alla >>> quali sono indirizzate e possono contenere informazioni riservate >>> e/o materiale di valore. Qualsiasi revisione, ritrasmissione, >>> diffusione o altro uso, o l'adozione di azioni basate su tali >>> informazioni da parte di soggetti diversi dal destinatario ? >>> proibita. Se avete ricevuto per errore questo messaggio, siete >>> pregati di informare il mittente e cancellare il materiale contenuto >>> da ogni computer. >>> >>> The information transmitted is intended for the person or entity to >>> which it is addressed and may contain confidential and/or privileged >>> material. 
Any review, retransmission, dissemination or other use of, >>> or taking of any action in reliance upon, this information by >>> persons or entities other than the intended recipient is prohibited. >>> If you received this in error, please contact the sender and delete >>> the material from any computer. >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/7bbee669/attachment.html From Edgar at info.nl Tue Aug 9 09:56:53 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Tue, 9 Aug 2016 13:56:53 +0000 Subject: [keycloak-user] Can no longer create users in Active Directory from Keycloak In-Reply-To: <57A9D593.1030907@redhat.com> References: <3286EE03-E0AC-41DE-8F7F-29FE963D990B@info.nl> <57A9D593.1030907@redhat.com> Message-ID: <8F784300-4515-4448-8381-0B55EB457362@info.nl> Hi Marek, Sorry, never mind. We were missing the "cn" user attribute mapper for some reason.. Adding this mapper fixes the issue.
I did manage to reproduce the issue by debugging (using my IDE) the Keycloak source code in LDAPUtils#addUserToLDAP. In UsersResource#createUser a ModelException is caught but never logged so this information gets lost completely:

    catch (ModelException me) {
        // the exception is swallowed here: nothing is logged before the rollback
        if (session.getTransaction().isActive()) {
            session.getTransaction().setRollbackOnly();
        }
        return ErrorResponse.exists("Could not create user");
    }

It would be great if some exception logging could be added to this class to help in troubleshooting. cheers Edgar On 09 Aug 2016, at 15:07, Marek Posolda > wrote: Maybe enable LDAP logging will help? You can enable TRACE logging for "org.keycloak.federation.ldap" in standalone.xml and see what's logged into server.log when you try to create Keycloak user? Marek On 09/08/16 10:18, Edgar Vonk - Info.nl wrote: Hi, We no longer seem to be able to create new users in Keycloak with the LDAP/MSAD User Federation set up with "Sync Registrations" turned on. I think this is since we migrated to Keycloak 2.0.0.Final (not 100% sure). When I try to create a new user from Keycloak (Manage - Users) I only see the error message "Error! Could not create user" but nothing else. Nothing in the logs unfortunately. Not even at the debug level. Any pointers on where to start looking for a solution? I have the Keycloak source code available. cheers Edgar _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/4ccd05f7/attachment-0001.html From kevin.thorpe at p-i.net Tue Aug 9 10:01:54 2016 From: kevin.thorpe at p-i.net (Kevin Thorpe) Date: Tue, 9 Aug 2016 15:01:54 +0100 Subject: [keycloak-user] Infinispan problems upgrading 1.7.0.Final to 2.0.0.Final In-Reply-To: <57A9CB0F.5020501@redhat.com> References: <57A87FB8.5000308@redhat.com> <57A9CB0F.5020501@redhat.com> Message-ID: Not according to your base image:

    [kevin at kev-c7-test pi-keycloak]$ docker run -ti --entrypoint /bin/bash jboss/keycloak-mysql:2.0.0.Final -s
    Unable to find image 'jboss/keycloak-mysql:2.0.0.Final' locally
    2.0.0.Final: Pulling from jboss/keycloak-mysql
    Digest: sha256:cce1b09f3423851f72ee93c87d66d8de4663e7b231a2158cfbaef6846701c7ec
    Status: Downloaded newer image for jboss/keycloak-mysql:2.0.0.Final
    [jboss at ccef1862480f ~]$ vi keycloak/standalone/configuration/standalone.xml

snipped out the infinispan config: *Kevin Thorpe* VP Enterprise Platform www.p-i.net | @PI_150 *T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344 * *150 Buckingham Palace Road, London, SW1W 9TR, UK* *SAVE PAPER - THINK BEFORE YOU PRINT!* ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. On 9 August 2016 at 13:22, Marek Posolda wrote: > Hmm... Actually I am not 100% sure what you did, but from the error > message, it's very clear that configuration of your infinispan caches in > standalone.xml is out-dated. In Keycloak 2.0 it should look like this: > > > > > > > > > > > > > > Marek > > > > On 08/08/16 15:57, Kevin Thorpe wrote: > > Also, the standalone.xml is yours from the keycloak-mysql image with just > the https-listener and our security-realm added using saxon/xslt in the > same way as you deploy it > > > > *Kevin Thorpe* > VP Enterprise Platform > > www.p-i.net | @PI_150 > > *T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20 > 7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344 > <%2B44%20%280%29808%20204%200344> * > *150 Buckingham Palace Road, London, SW1W 9TR, UK* > > > > *SAVE PAPER - THINK BEFORE YOU PRINT!* > > ____________________________________________________________________ > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > If you have received this email in error please notify the system manager. > This message contains confidential information and is intended only for the > individual named. If you are not the named addressee you should not > disseminate, distribute or copy this e-mail. 
Please notify the sender > immediately by e-mail if you have received this e-mail by mistake and > delete this e-mail from your system. If you are not the intended recipient > you are notified that disclosing, copying, distributing or taking any > action in reliance on the contents of this information is strictly > prohibited. > > On 8 August 2016 at 13:48, Marek Posolda wrote: > >> From your logs, it seems the problem is related to migration infinispan >> caches. It looks that you don't have defined some of those caches in >> standalone.xml. >> >> Generally it's recommended to use Keycloak with keycloak-server >> distribution and upgrade process is like this: >> - You stop your Keycloak 1.7.0.Final server >> - You download the Keycloak-server 2.0.0.Final distribution and you just >> configure the DB ( datasource ) to point to same DB like previously was >> Keycloak 1.7.0 >> - You start Keycloak and liquibase make sure to upgrade your DB. >> >> Note that with this approach, you don't need to care about any changes, >> which was done in standalone.xml or keycloak-server.json or other files >> between Keycloak 1.7 or 2.0. >> >> Marek >> >> >> On 08/08/16 14:27, Shiva Saxena wrote: >> >> Hi, >> >> You can try setting the "databaseSchema" to "update" in "connectionsJpa". >> >> Here is the migration guide doc URL >> >> >> >> https://keycloak.gitbooks.io/server-adminstration-guide/cont >> ent/v/2.0/topics/MigrationFromOlderVersions.html >> >> On Mon, Aug 8, 2016 at 4:47 PM, Kevin Thorpe < >> kevin.thorpe at p-i.net> wrote: >> >>> Hi, >>> I'm having problems upgrading from 1.7.0.Final to 2.0.0.Final. I'm >>> using the Docker images on which we build our own images to add https with >>> our certs, our theme and a small patch to match our LDAP configuration. The >>> new image of 2.0.0 works fine with a brand new database but doesn't start >>> up with the existing database. Do I need to upgrade via an earlier release >>> to modify the db? 
>>> >>> I've attached the startup logs. I don't know enough to see what's wrong. >>> >>> *Kevin Thorpe* >>> VP Enterprise Platform >>> >>> www.p-i.net | @PI_150 >>> >>> *T: +44 (0)20 3005 6750 <%2B44%20%280%2920%203005%206750> | F: +44(0)20 >>> 7730 2635 <%2B44%280%2920%207730%202635> | T: +44 (0)808 204 0344 >>> <%2B44%20%280%29808%20204%200344> * >>> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >>> >>> >>> >>> *SAVE PAPER - THINK BEFORE YOU PRINT!* >>> >>> ____________________________________________________________________ >>> >>> This email and any files transmitted with it are confidential and >>> intended solely for the use of the individual or entity to whom they are >>> addressed. If you have received this email in error please notify the >>> system manager. This message contains confidential information and is >>> intended only for the individual named. If you are not the named addressee >>> you should not disseminate, distribute or copy this e-mail. Please notify >>> the sender immediately by e-mail if you have received this e-mail by >>> mistake and delete this e-mail from your system. If you are not the >>> intended recipient you are notified that disclosing, copying, distributing >>> or taking any action in reliance on the contents of this information is >>> strictly prohibited. >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> -- >> Best Regards >> *Shiva Saxena* >> *Blog | Linkedin >> | StackOverflow >> * >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/fe20e7f0/attachment-0001.html From luigi.demasi at extrasys.it Tue Aug 9 10:07:31 2016 From: luigi.demasi at extrasys.it (Luigi De Masi) Date: Tue, 9 Aug 2016 16:07:31 +0200 Subject: [keycloak-user] CXF Keycloak Admin Client In-Reply-To: <57A9DF26.3020002@redhat.com> References: <57A9D334.7000209@redhat.com> <3b1cb928-87bc-263d-d734-eedf94ab82f0@redhat.com> <57A9DF26.3020002@redhat.com> Message-ID: Exactly, is what I used to replace RESTEasy proxy feature, but I'm agree with Bill that there should be a standard way of creating proxies. Also the Multipart stuff use RESTEasy-specific object: import org.jboss.resteasy.plugins.providers.multipart .MultipartFormDataOutput; 2016-08-09 15:48 GMT+02:00 Marek Posolda : > It seems that at least CXF has something very similar too - > https://github.com/luigidemasi/keycloak-cxf-admin-client/blob/master/src/ > main/java/org/keycloak/admin/client/Keycloak.java#L96-L103 > > Marek > > > On 09/08/16 15:22, Bill Burke wrote: > > I wish the JAX-RS JSR would just standardize the proxy stuff that is in > Resteasy. They were being stubborn and refused to accept my submission for > it even though it is a much used feature. Then we wouldn't have to have > separate clients for CXF and Resteasy. Somebody could probably pull it out > of Resteasy and make it generic so it could run on any JAX-RS platform. > > On 8/9/16 8:57 AM, Marek Posolda wrote: > > Cool, Thanks for sharing this! > > This might be useful to be available in Keycloak OOTB, so admin-client can > pick either resteasy or CXF (or any other available impl) according to what > is available. If you want to create JIRA and send PR it will be good :-) > > Marek > > > On 04/08/16 18:36, Luigi De Masi wrote: > > Hi, > > I'm working on a Spring boot + Fuse integration Service project that use > cxf to expose restful web services and KC admin client to manage users in a > realm. 
> > I had some issues (that I was expecting...) running CXF servers and > RESTEasy KC admin client together so I decided to remove all > RESTEasy/jboss dependency from KC client and adapt the code to use CXF as > JAX-RS implementation. > It works quite well with very few changes, so I decided to share it on my > github > in case someone else is in the same situation as me or prefer CXF over > RESTEasy. > > https://github.com/luigidemasi/keycloak-cxf-admin-client > > I'm also thinking about adding OSGI support to have the possibility to > deploy it in karaf and maybe a camel component as well. > > Regards. > > -- > Luigi De Masi > *"Talk is cheap. Show me the code."* > * -- Linus Torvalds* > > ------------------------------ > Extra srl > p: +39 0587975800 > a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy > > w: www.extrasrl.it e: info at extrasys.it > > > > > > Le informazioni trasmesse sono riservate alla persona o ente alla quali > sono indirizzate e possono contenere informazioni riservate e/o materiale > di valore. Qualsiasi revisione, ritrasmissione, diffusione o altro uso, o > l'adozione di azioni basate su tali informazioni da parte di soggetti > diversi dal destinatario ? proibita. Se avete ricevuto per errore questo > messaggio, siete pregati di informare il mittente e cancellare il materiale > contenuto da ogni computer. > > > > The information transmitted is intended for the person or entity to which > it is addressed and may contain confidential and/or privileged material. > Any review, retransmission, dissemination or other use of, or taking of any > action in reliance upon, this information by persons or entities other than > the intended recipient is prohibited. If you received this in error, please > contact the sender and delete the material from any computer. 
> > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Luigi De Masi *"Talk is cheap. Show me the code."* * -- Linus Torvalds* ------------------------------ -- ------------------------------ Extra srl p: +39 0587975800 a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy w: www.extrasrl.it e: info at extrasys.it Le informazioni trasmesse sono riservate alla persona o ente alla quali sono indirizzate e possono contenere informazioni riservate e/o materiale di valore. Qualsiasi revisione, ritrasmissione, diffusione o altro uso, o l'adozione di azioni basate su tali informazioni da parte di soggetti diversi dal destinatario ? proibita. Se avete ricevuto per errore questo messaggio, siete pregati di informare il mittente e cancellare il materiale contenuto da ogni computer. The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/54b00039/attachment-0001.html From thomas.darimont at googlemail.com Tue Aug 9 11:28:31 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 9 Aug 2016 17:28:31 +0200 Subject: [keycloak-user] Multiple calls required to create a user In-Reply-To: References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com> <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com> Message-ID: Hello Tom, I was also bitten by this a bit... I created [0] and already issued a PR [1] that allows creating a user with initial realm / client roles with a single request. Cheers, Thomas [0] https://issues.jboss.org/browse/KEYCLOAK-3410 [1] https://github.com/keycloak/keycloak/pull/3120 2016-08-09 15:20 GMT+02:00 Tom Pearson : > Ok cheers, will do when I get a sec > > 2016-08-09 15:16 GMT+02:00 Bill Burke : > >> You can send PRs to admin docs if you want. admin REST API is here: >> >> https://github.com/keycloak/server_development_guide >> >> >> >> On 8/9/16 9:14 AM, Tom Pearson wrote: >> >> Okay, understood. Would be great if the admin docs could be updated to >> reflect the implementation although I appreciate you probably have more >> important matter to attend to. >> >> 2016-08-09 14:31 GMT+02:00 Bill Burke : >> >>> >>> >>> On 8/9/16 5:56 AM, Tom Pearson wrote: >>> >>> Hi, >>> >>> I'm creating a new user through the admin API. In order to do this I >>> have to make 3 separate calls (createUser >>> , >>> resetPassword >>> >>> and addRealmLevelRoles >>> ) >>> as the credentials and realm roles in the UserRepresentation >>> are >>> ignored. I then have to make another call to getEffectiveRealmLevelRoles >>> as >>> the getUser >>> method >>> doesn't return the roles. If I were to require the client level roles this >>> would be 6 calls to create and return the user. >>> >>> Is there a reason as to why this is the case? >>> >>> The reason is simply that the admin API was written for the admin >>> console. 
We've never had time to refactor it. Too many other things on >>> the queue. >>> >>> As an aside, in the docs the reset password method is called "Set up a >>> temporary password for the user" but in my experience the password is never >>> temporary regardless of the value of the temporary flag. >>> >>> Kind regards, >>> Tom >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ keycloak-user mailing >>> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >>> n/listinfo/keycloak-user >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/75282cbf/attachment.html From pires at littlebits.cc Tue Aug 9 11:36:49 2016 From: pires at littlebits.cc (Paulo Pires) Date: Tue, 9 Aug 2016 16:36:49 +0100 Subject: [keycloak-user] Multiple calls required to create a user In-Reply-To: References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com> <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com> Message-ID: +1 Regarding PRs, while I'm all in for it [1] the truth is that it seems there's no bandwidth to actually review them. Cheers, Pires 1 - https://github.com/keycloak/keycloak/pull/3056 On Tue, Aug 9, 2016 at 4:28 PM, Thomas Darimont < thomas.darimont at googlemail.com> wrote: > Hello Tom, > > I was also bitten by this a bit... I created [0] and already issued a PR > [1] that allows > creating a user with initial realm / client roles with a single request. 
> > Cheers, > Thomas > > [0] https://issues.jboss.org/browse/KEYCLOAK-3410 > [1] https://github.com/keycloak/keycloak/pull/3120 > > 2016-08-09 15:20 GMT+02:00 Tom Pearson : > >> Ok cheers, will do when I get a sec >> >> 2016-08-09 15:16 GMT+02:00 Bill Burke : >> >>> You can send PRs to admin docs if you want. admin REST API is here: >>> >>> https://github.com/keycloak/server_development_guide >>> >>> >>> >>> On 8/9/16 9:14 AM, Tom Pearson wrote: >>> >>> Okay, understood. Would be great if the admin docs could be updated to >>> reflect the implementation although I appreciate you probably have more >>> important matter to attend to. >>> >>> 2016-08-09 14:31 GMT+02:00 Bill Burke : >>> >>>> >>>> >>>> On 8/9/16 5:56 AM, Tom Pearson wrote: >>>> >>>> Hi, >>>> >>>> I'm creating a new user through the admin API. In order to do this I >>>> have to make 3 separate calls (createUser >>>> , >>>> resetPassword >>>> >>>> and addRealmLevelRoles >>>> ) >>>> as the credentials and realm roles in the UserRepresentation >>>> are >>>> ignored. I then have to make another call to >>>> getEffectiveRealmLevelRoles >>>> as >>>> the getUser >>>> method >>>> doesn't return the roles. If I were to require the client level roles this >>>> would be 6 calls to create and return the user. >>>> >>>> Is there a reason as to why this is the case? >>>> >>>> The reason is simply that the admin API was written for the admin >>>> console. We've never had time to refactor it. Too many other things on >>>> the queue. >>>> >>>> As an aside, in the docs the reset password method is called "Set up a >>>> temporary password for the user" but in my experience the password is never >>>> temporary regardless of the value of the temporary flag. 
>>>> >>>> Kind regards, >>>> Tom >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> _______________________________________________ keycloak-user mailing >>>> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >>>> n/listinfo/keycloak-user >>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- *Paulo Pires* senior infrastructure engineer | littleBits *T* (917) 464-4577 unleash your inner inventor. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/fc1e670e/attachment.html From bburke at redhat.com Tue Aug 9 11:48:53 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 9 Aug 2016 11:48:53 -0400 Subject: [keycloak-user] Multiple calls required to create a user In-Reply-To: References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com> <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com> Message-ID: <24828066-6642-78ff-a2f3-bcd0d38e3437@redhat.com> Review is assigned to Stian and he's on vacation...You know those Europeans and their weeks long vacations ;-p On 8/9/16 11:36 AM, Paulo Pires wrote: > +1 > > Regarding PRs, while I'm all in for it [1] the truth is that it seems > there's no bandwidth to actually review them. > > Cheers, > Pires > > 1 - https://github.com/keycloak/keycloak/pull/3056 > > On Tue, Aug 9, 2016 at 4:28 PM, Thomas Darimont > > wrote: > > Hello Tom, > > I was also bitten by this a bit... 
I created [0] and already > issued a PR [1] that allows > creating a user with initial realm / client roles with a single > request. > > Cheers, > Thomas > > [0] https://issues.jboss.org/browse/KEYCLOAK-3410 > > [1] https://github.com/keycloak/keycloak/pull/3120 > > > 2016-08-09 15:20 GMT+02:00 Tom Pearson >: > > Ok cheers, will do when I get a sec > > 2016-08-09 15:16 GMT+02:00 Bill Burke >: > > You can send PRs to admin docs if you want. admin REST > API is here: > > https://github.com/keycloak/server_development_guide > > > > > On 8/9/16 9:14 AM, Tom Pearson wrote: >> Okay, understood. Would be great if the admin docs could >> be updated to reflect the implementation although I >> appreciate you probably have more important matter to >> attend to. >> >> 2016-08-09 14:31 GMT+02:00 Bill Burke > >: >> >> >> >> On 8/9/16 5:56 AM, Tom Pearson wrote: >>> Hi, >>> >>> I'm creating a new user through the admin API. In >>> order to do this I have to make 3 separate calls >>> (createUser >>> , >>> resetPassword >>> and >>> addRealmLevelRoles >>> ) >>> as the credentials and realm roles in the >>> UserRepresentation >>> are >>> ignored. I then have to make another call to >>> getEffectiveRealmLevelRoles >>> as >>> the getUser >>> method >>> doesn't return the roles. If I were to require the >>> client level roles this would be 6 calls to create >>> and return the user. >>> >>> Is there a reason as to why this is the case? >>> >> The reason is simply that the admin API was written >> for the admin console. We've never had time to >> refactor it. Too many other things on the queue. >> >>> As an aside, in the docs the reset password method >>> is called "Set up a temporary password for the user" >>> but in my experience the password is never temporary >>> regardless of the value of the temporary flag. 
>>> >>> Kind regards, >>> Tom >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > > *Paulo Pires* > > senior infrastructure engineer | littleBits > > > *T* (917) 464-4577unleash your inner inventor. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/95890e41/attachment-0001.html From pires at littlebits.cc Tue Aug 9 12:16:31 2016 From: pires at littlebits.cc (Paulo Pires) Date: Tue, 9 Aug 2016 17:16:31 +0100 Subject: [keycloak-user] Multiple calls required to create a user In-Reply-To: <24828066-6642-78ff-a2f3-bcd0d38e3437@redhat.com> References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com> <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com> <24828066-6642-78ff-a2f3-bcd0d38e3437@redhat.com> Message-ID: Oh, glad to hear Bill! Thanks for clarifying that. Btw, I am European and just enjoyed 7 days and was still on-call. Am I a bad European? 
:-D Pires On Tue, Aug 9, 2016 at 4:48 PM, Bill Burke wrote: > Review is assigned to Stian and he's on vacation...You know those > Europeans and their weeks long vacations ;-p > > On 8/9/16 11:36 AM, Paulo Pires wrote: > > +1 > > Regarding PRs, while I'm all in for it [1] the truth is that it seems > there's no bandwidth to actually review them. > > Cheers, > Pires > > 1 - https://github.com/keycloak/keycloak/pull/3056 > > On Tue, Aug 9, 2016 at 4:28 PM, Thomas Darimont < > thomas.darimont at googlemail.com> wrote: > >> Hello Tom, >> >> I was also bitten by this a bit... I created [0] and already issued a PR >> [1] that allows >> creating a user with initial realm / client roles with a single request. >> >> Cheers, >> Thomas >> >> [0] https://issues.jboss.org/browse/KEYCLOAK-3410 >> [1] https://github.com/keycloak/keycloak/pull/3120 >> >> 2016-08-09 15:20 GMT+02:00 Tom Pearson : >> >>> Ok cheers, will do when I get a sec >>> >>> 2016-08-09 15:16 GMT+02:00 Bill Burke : >>> >>>> You can send PRs to admin docs if you want. admin REST API is here: >>>> >>>> https://github.com/keycloak/server_development_guide >>>> >>>> >>>> >>>> On 8/9/16 9:14 AM, Tom Pearson wrote: >>>> >>>> Okay, understood. Would be great if the admin docs could be updated to >>>> reflect the implementation although I appreciate you probably have more >>>> important matter to attend to. >>>> >>>> 2016-08-09 14:31 GMT+02:00 Bill Burke : >>>> >>>>> >>>>> >>>>> On 8/9/16 5:56 AM, Tom Pearson wrote: >>>>> >>>>> Hi, >>>>> >>>>> I'm creating a new user through the admin API. In order to do this I >>>>> have to make 3 separate calls (createUser >>>>> >>>>> , resetPassword >>>>> >>>>> and addRealmLevelRoles >>>>> ) >>>>> as the credentials and realm roles in the UserRepresentation >>>>> are >>>>> ignored. I then have to make another call to >>>>> getEffectiveRealmLevelRoles >>>>> as >>>>> the getUser >>>>> method >>>>> doesn't return the roles. 
If I were to require the client level roles this >>>>> would be 6 calls to create and return the user. >>>>> >>>>> Is there a reason as to why this is the case? >>>>> >>>>> The reason is simply that the admin API was written for the admin >>>>> console. We've never had time to refactor it. Too many other things on >>>>> the queue. >>>>> >>>>> As an aside, in the docs the reset password method is called "Set up a >>>>> temporary password for the user" but in my experience the password is never >>>>> temporary regardless of the value of the temporary flag. >>>>> >>>>> Kind regards, >>>>> Tom >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> _______________________________________________ keycloak-user mailing >>>>> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >>>>> n/listinfo/keycloak-user >>>> >>>> _______________________________________________ keycloak-user mailing >>> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >>> n/listinfo/keycloak-user >> >> _______________________________________________ keycloak-user mailing >> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >> n/listinfo/keycloak-user > > -- > > *Paulo Pires* > > senior infrastructure engineer | littleBits > > > *T* (917) 464-4577 unleash your inner inventor. > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- *Paulo Pires* senior infrastructure engineer | littleBits *T* (917) 464-4577 unleash your inner inventor. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/20cc9b76/attachment.html From bburke at redhat.com Tue Aug 9 12:17:37 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 9 Aug 2016 12:17:37 -0400 Subject: [keycloak-user] Multiple calls required to create a user In-Reply-To: References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com> <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com> <24828066-6642-78ff-a2f3-bcd0d38e3437@redhat.com> Message-ID: On 8/9/16 12:16 PM, Paulo Pires wrote: > Oh, glad to hear Bill! Thanks for clarifying that. > > Btw, I am European and just enjoyed 7 days and was still on-call. Am I > a bad European? :-D > Yes, you are all bad! Bill From john.d.ament at gmail.com Tue Aug 9 13:50:15 2016 From: john.d.ament at gmail.com (John D. Ament) Date: Tue, 09 Aug 2016 17:50:15 +0000 Subject: [keycloak-user] Keycloak Competitors Message-ID: Hey, I'm not sure if anyone on this list has some insight, I'm trying to do a format tech evaluation. I was wondering if anyone had some competitors of keycloak in the same space, self hosted etc. John -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/60084a36/attachment-0001.html From paul.bakker at luminis.eu Tue Aug 9 14:01:36 2016 From: paul.bakker at luminis.eu (Paul Bakker) Date: Tue, 9 Aug 2016 18:01:36 +0000 Subject: [keycloak-user] Keycloak Competitors In-Reply-To: References: Message-ID: I have recently looked at this and ended up with KeyCloak (happy I did). Auth0 looked good as a hosted solution. CoreOS dex looks promising, but it's quite early in it's life cycle. I have some experience with Atlassian Crowd as well, which can be used as an openid provider, but is much more limited in features. Cheers, Paul > On 09 Aug 2016, at 19:50, John D. Ament wrote: > > Hey, > > I'm not sure if anyone on this list has some insight, I'm trying to do a format tech evaluation. 
I was wondering if anyone had some competitors of keycloak in the same space, self hosted etc. > > John > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From thomas.darimont at googlemail.com Tue Aug 9 14:48:18 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 9 Aug 2016 20:48:18 +0200 Subject: [keycloak-user] Keycloak Competitors In-Reply-To: References: Message-ID: Hello, some Identity Management Server / Libraries / Solutions that I looked at (in addition to those already mentioned) keystone: http://docs.openstack.org/developer/keystone/ forgerock: https://www.forgerock.com/platform/access-management/ midpoint: https://evolveum.com/midpoint/ Apache syncope: https://syncope.apache.org/ Apache fortress: http://directory.apache.org/fortress/ Apache Usergrid: http://usergrid.apache.org/ Apache Kerby: http://directory.apache.org/kerby/ OSIAM: https://github.com/osiam/osiam MITREid Connect: https://github.com/mitreid-connect/ CloudFoundry UAA: https://github.com/cloudfoundry/uaa Keycloak provided me with the best getting started experience. Still happy with it relatively easy to extend, to integrate and the community support is quite good. Cheers, Thomas 2016-08-09 20:01 GMT+02:00 Paul Bakker : > I have recently looked at this and ended up with KeyCloak (happy I did). > > Auth0 looked good as a hosted solution. CoreOS dex looks promising, but > it's quite early in it's life cycle. > I have some experience with Atlassian Crowd as well, which can be used as > an openid provider, but is much more limited in features. > > Cheers, > > Paul > > > > On 09 Aug 2016, at 19:50, John D. Ament wrote: > > > > Hey, > > > > I'm not sure if anyone on this list has some insight, I'm trying to do a > format tech evaluation. I was wondering if anyone had some competitors of > keycloak in the same space, self hosted etc. 
> > > > John > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/c1f5c124/attachment.html From marc.boorshtein at tremolosecurity.com Tue Aug 9 15:12:29 2016 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Tue, 9 Aug 2016 15:12:29 -0400 Subject: [keycloak-user] Keycloak Competitors In-Reply-To: References: Message-ID: >> > >> > I'm not sure if anyone on this list has some insight, I'm trying to do a >> > format tech evaluation. I was wondering if anyone had some competitors of >> > keycloak in the same space, self hosted etc. >> > What are you trying to accomplish? An identity management tool can run the gambit from directory management, sso, identity provider, user management portal, user self service provisioning, etc. Also, the type of applications could matter as well (ie are you looking for a primarily Java or .Net world, SaaS, etc)? From abelardovacca at yahoo.com Tue Aug 9 16:25:24 2016 From: abelardovacca at yahoo.com (Abelardo Vacca) Date: Tue, 9 Aug 2016 20:25:24 +0000 (UTC) Subject: [keycloak-user] Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen? References: <1157262288.14426508.1470774324298.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <1157262288.14426508.1470774324298.JavaMail.yahoo@mail.yahoo.com> I am wondering if it is possible to delegate to authentication to an identity provider, as you would on the Login Page, but using the REST API. 
I've posted to stackoverflow a few minutes ago with details and diagrams to try to explain the best I could: http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w

Please feel free to correct any misconceptions I might have, I am new to all these tools I am posting about (APIMAN, Keycloak and OpenAM)

Thanks,
Abelardo
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/45c9f1bc/attachment.html

From jarekala at axway.com Tue Aug 9 17:14:15 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Tue, 9 Aug 2016 21:14:15 +0000
Subject: [keycloak-user] Keycloak doesn't close the user session after the user is deleted
Message-ID: <33A971E161C79C44B0AE524C102277EA30AAFE5D@WPHXMAIL1.phx.axway.int>

Hello,

We are using Keycloak with SAML HTTP post binding with service provider clients. User 'X' is logged into the service provider via Keycloak's SSO. The user 'X' has been deleted by admin user via Keycloak's Admin console. Still the user session for 'X' is maintained. Keycloak doesn't logout the active session for the user 'X'.

Please let me know if there is any configuration to force logout the user after the user deletion from Admin console.

Thanks,
Jagan
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160809/ba963312/attachment.html

From srossillo at smartling.com Tue Aug 9 23:00:07 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Tue, 9 Aug 2016 23:00:07 -0400
Subject: [keycloak-user] Keycloak Competitors
In-Reply-To: References: Message-ID: <128AAE11-8A34-462D-8EB7-C1D33F8E6B3E@smartling.com>

Paul,

If you're doing a formal evaluation of identity management providers (IDPs) - presumably for your own purposes - you'd have to propose a set of criteria that a solution must satisfy to meet your requirements.
If you list your requirements, someone could help you identify if Keycloak is a potential solution. Asking for a list of Keycloak competitors is counterproductive. ~ Scott > On Aug 9, 2016, at 3:12 PM, Marc Boorshtein wrote: > >>>> >>>> I'm not sure if anyone on this list has some insight, I'm trying to do a >>>> format tech evaluation. I was wondering if anyone had some competitors of >>>> keycloak in the same space, self hosted etc. >>>> > > What are you trying to accomplish? An identity management tool can > run the gambit from directory management, sso, identity provider, user > management portal, user self service provisioning, etc. Also, the > type of applications could matter as well (ie are you looking for a > primarily Java or .Net world, SaaS, etc)? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From tpearson at bkool.com Wed Aug 10 04:04:12 2016 From: tpearson at bkool.com (Tom Pearson) Date: Wed, 10 Aug 2016 10:04:12 +0200 Subject: [keycloak-user] Multiple calls required to create a user In-Reply-To: References: <094a14d4-03a0-7e6c-9625-f30a4f4bac55@redhat.com> <8857d2ae-b28e-e54f-430d-2a0781b039da@redhat.com> Message-ID: Ah fantastic, thanks Thomas! 2016-08-09 17:28 GMT+02:00 Thomas Darimont : > Hello Tom, > > I was also bitten by this a bit... I created [0] and already issued a PR > [1] that allows > creating a user with initial realm / client roles with a single request. > > Cheers, > Thomas > > [0] https://issues.jboss.org/browse/KEYCLOAK-3410 > [1] https://github.com/keycloak/keycloak/pull/3120 > > 2016-08-09 15:20 GMT+02:00 Tom Pearson : > >> Ok cheers, will do when I get a sec >> >> 2016-08-09 15:16 GMT+02:00 Bill Burke : >> >>> You can send PRs to admin docs if you want. 
admin REST API is here: >>> >>> https://github.com/keycloak/server_development_guide >>> >>> >>> >>> On 8/9/16 9:14 AM, Tom Pearson wrote: >>> >>> Okay, understood. Would be great if the admin docs could be updated to >>> reflect the implementation although I appreciate you probably have more >>> important matter to attend to. >>> >>> 2016-08-09 14:31 GMT+02:00 Bill Burke : >>> >>>> >>>> >>>> On 8/9/16 5:56 AM, Tom Pearson wrote: >>>> >>>> Hi, >>>> >>>> I'm creating a new user through the admin API. In order to do this I >>>> have to make 3 separate calls (createUser >>>> , >>>> resetPassword >>>> >>>> and addRealmLevelRoles >>>> ) >>>> as the credentials and realm roles in the UserRepresentation >>>> are >>>> ignored. I then have to make another call to >>>> getEffectiveRealmLevelRoles >>>> as >>>> the getUser >>>> method >>>> doesn't return the roles. If I were to require the client level roles this >>>> would be 6 calls to create and return the user. >>>> >>>> Is there a reason as to why this is the case? >>>> >>>> The reason is simply that the admin API was written for the admin >>>> console. We've never had time to refactor it. Too many other things on >>>> the queue. >>>> >>>> As an aside, in the docs the reset password method is called "Set up a >>>> temporary password for the user" but in my experience the password is never >>>> temporary regardless of the value of the temporary flag. 
>>>> >>>> Kind regards, >>>> Tom >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> _______________________________________________ keycloak-user mailing >>>> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >>>> n/listinfo/keycloak-user >>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/d71bc84e/attachment.html

From sigbjorn at fifty-five.com Wed Aug 10 04:47:24 2016
From: sigbjorn at fifty-five.com (Sigbjørn Dybdahl)
Date: Wed, 10 Aug 2016 10:47:24 +0200
Subject: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
Message-ID:

Hello,

I'm trying to configure an instance of Keycloak using version 2.1.0.CR1 and I've run into a problem when using the Google Identity Provider with the default configuration. That is, during the callback I observe a org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes (see complete stacktrace below for details) from userinfo endpoint which seems to be linked to the 403 Forbidden return code when calling https://www.googleapis.com/plus/v1/people/me/openIdConnect.

This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942, but even when adding the additional Google+ scopes (making scope=openid profile email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.login) the call fails. As for JIRA-2942, I've tried setting up a user-defined OpenId Connect provider with the default scope, which works just fine.
Have I forgotten any important parameter while configuring the standard Google support? Or is this a regression for this release?

Regards,
Sigbjørn Dybdahl

---

Here's the complete stacktrace for the exception:

20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
    at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:304)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:148)
    at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimpleHttp.java:46)
    at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:267)
    ... 50 more
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2943)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(HttpsURLConnectionImpl.java:291)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:147)
    ... 52 more
-------------- next part -------------- An HTML attachment was scrubbed...
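Two of the threads above describe admin-API behaviour that is easy to get wrong from a client: Tom Pearson's "Multiple calls required to create a user" (the posted UserRepresentation's credentials and realm roles are ignored, so createUser, resetPassword and addRealmLevelRoles are separate requests, and getUser returns no roles), and Jagannadha Rekala's report that a deleted user's SSO session stays alive. The following is an added example written for this archive, not code from Keycloak or from any of the posters. It maps those Java admin-client methods onto the underlying admin REST endpoints (POST /users, PUT /users/{id}/reset-password, POST /users/{id}/role-mappings/realm, GET /users/{id}/role-mappings/realm/composite, GET /users/{id}/sessions, POST /users/{id}/logout, DELETE /users/{id}) behind an injectable transport, and runs offline against FakeKeycloak, a constructed in-memory stand-in that mimics the real status codes and Location header and, like the server in Jagan's report, leaves a deleted user's sessions in place. Realm name, usernames, password and role names are constructed sample values.

```python
"""Added example (not Keycloak's code): the admin REST round trips behind
creating a user with a password and realm roles, plus an offboarding step
that revokes sessions before DELETE so no SSO session outlives the account.
The transport is injectable so the example runs offline against FakeKeycloak."""
import re
import uuid


class AdminClient:
    # transport(method, path, json_body) -> (status, response_headers, json_payload)
    def __init__(self, realm, transport):
        self.base = f"/admin/realms/{realm}"
        self.send = transport
        self.log = []  # every (method, path) issued, for inspection

    def _call(self, method, path, body=None):
        self.log.append((method, path))
        status, headers, payload = self.send(method, self.base + path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return headers, payload

    def create_user_with_roles(self, username, password, role_names, temporary=True):
        # 1. POST /users answers 201 with a Location header and no body; any
        #    credentials or realmRoles inside the representation are ignored.
        headers, _ = self._call("POST", "/users", {"username": username, "enabled": True})
        user_id = headers["Location"].rsplit("/", 1)[-1]
        # 2. PUT /users/{id}/reset-password sets the initial credential.
        self._call("PUT", f"/users/{user_id}/reset-password",
                   {"type": "password", "value": password, "temporary": temporary})
        # 3. Role mappings take full RoleRepresentations (id + name), so the
        #    realm roles are looked up first, then POSTed to role-mappings/realm.
        #    If this step fails the user already exists with a password: the
        #    sequence is not atomic, which is the thread's complaint.
        _, roles = self._call("GET", "/roles")
        wanted = [r for r in roles if r["name"] in role_names]
        missing = set(role_names) - {r["name"] for r in wanted}
        if missing:
            raise ValueError(f"realm roles do not exist: {sorted(missing)}")
        self._call("POST", f"/users/{user_id}/role-mappings/realm", wanted)
        # 4. GET /users/{id} carries no roles; the effective realm roles come
        #    from the composite role-mapping endpoint.
        _, effective = self._call("GET", f"/users/{user_id}/role-mappings/realm/composite")
        return user_id, sorted(r["name"] for r in effective)

    def offboard_user(self, user_id):
        # Revoke every live session before the account disappears; returns the count.
        _, sessions = self._call("GET", f"/users/{user_id}/sessions")
        self._call("POST", f"/users/{user_id}/logout")
        self._call("DELETE", f"/users/{user_id}")
        return len(sessions)


class FakeKeycloak:
    """Constructed in-memory stand-in for the endpoints used above. It mimics the
    status codes and Location header and, like the server described in the
    thread, keeps a deleted user's sessions instead of ending them."""

    def __init__(self, realm_roles):
        self.roles = {n: {"id": str(uuid.uuid4()), "name": n} for n in realm_roles}
        self.users, self.creds, self.mappings, self.sessions = {}, {}, {}, {}

    def open_session(self, user_id):
        # Stands in for the user signing in through SSO.
        self.sessions[user_id].append(str(uuid.uuid4()))

    def __call__(self, method, path, body):
        rest = re.sub(r"^/admin/realms/[^/]+", "", path)
        if (method, rest) == ("POST", "/users"):
            uid = str(uuid.uuid4())
            self.users[uid], self.mappings[uid], self.sessions[uid] = dict(body, id=uid), set(), []
            return 201, {"Location": f"{path}/{uid}"}, None
        if (method, rest) == ("GET", "/roles"):
            return 200, {}, list(self.roles.values())
        m = re.match(r"^/users/([^/]+)(.*)$", rest)
        if not m or m.group(1) not in self.users:
            return 404, {}, None
        uid, sub = m.groups()
        if (method, sub) == ("PUT", "/reset-password"):
            self.creds[uid] = body
        elif (method, sub) == ("POST", "/role-mappings/realm"):
            self.mappings[uid].update(r["name"] for r in body)
        elif (method, sub) == ("GET", "/role-mappings/realm/composite"):
            return 200, {}, [self.roles[n] for n in sorted(self.mappings[uid])]
        elif (method, sub) == ("GET", "/sessions"):
            return 200, {}, [{"id": s, "userId": uid} for s in self.sessions[uid]]
        elif (method, sub) == ("POST", "/logout"):
            self.sessions[uid] = []
        elif (method, sub) == ("DELETE", ""):
            for store in (self.users, self.creds, self.mappings):
                store.pop(uid, None)  # sessions deliberately left behind
        else:
            return 405, {}, None
        return 204, {}, None


def run_demo():
    fake = FakeKeycloak(realm_roles=["ROLE-Website", "offline_access"])
    admin = AdminClient("demo", fake)
    uid, roles = admin.create_user_with_roles("webuser", "CorrectHorse!9", ["ROLE-Website"])
    create_calls = len(admin.log)
    fake.open_session(uid)
    revoked = admin.offboard_user(uid)
    # A second account removed with a bare DELETE, as Jagan describes for the console.
    other, _ = admin.create_user_with_roles("contractor", "CorrectHorse!9", [])
    fake.open_session(other)
    admin._call("DELETE", f"/users/{other}")
    return {"roles": roles, "create_calls": create_calls, "revoked": revoked,
            "sessions_after_offboard": len(fake.sessions[uid]),
            "sessions_after_bare_delete": len(fake.sessions[other])}
```

run_demo() shows five round trips for one user with a password and one realm role (the role lookup is an extra request on top of the three Tom counts, since role-mappings/realm needs full role representations), and that the bare DELETE leaves one session behind while offboard_user ends it first. Against a real server the same AdminClient works once the transport is a function that sends the request with a bearer token and returns (status, headers, parsed JSON).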
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/d0a6be56/attachment-0001.html

From mposolda at redhat.com Wed Aug 10 05:17:20 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 10 Aug 2016 11:17:20 +0200
Subject: [keycloak-user] Can no longer create users in Active Directory from Keycloak
In-Reply-To: <8F784300-4515-4448-8381-0B55EB457362@info.nl>
References: <3286EE03-E0AC-41DE-8F7F-29FE963D990B@info.nl> <57A9D593.1030907@redhat.com> <8F784300-4515-4448-8381-0B55EB457362@info.nl>
Message-ID: <57AAF120.1090008@redhat.com>

Could you please create JIRA for this?

Thanks,
Marek

On 09/08/16 15:56, Edgar Vonk - Info.nl wrote:
> Hi Marek,
>
> Sorry, never mind. We were missing the "cn" user attribute mapper for some reason.. Adding this mapper fixes the issue. I did manage to reproduce the issue by debugging (using my IDE) the Keycloak source code in LDAPUtils#addUserToLDAP
>
> In UsersResource#createUser a ModelException is caught but never logged so this information gets lost completely:
>
> catch (ModelException me){
>     if (session.getTransaction().isActive()) {
>         session.getTransaction().setRollbackOnly();
>     }
>     return ErrorResponse.exists("Could not create user");
> }
>
> It would be great if some exception logging could be added to this class to help in troubleshooting.
>
> cheers
>
> Edgar
>
>> On 09 Aug 2016, at 15:07, Marek Posolda wrote:
>>
>> Maybe enable LDAP logging will help? You can enable TRACE logging for "org.keycloak.federation.ldap" in standalone.xml and see what's logged into server.log when you try to create Keycloak user?
>>
>> Marek
>>
>> On 09/08/16 10:18, Edgar Vonk - Info.nl wrote:
>>> Hi,
>>>
>>> We no longer seem to be able to create new users in Keycloak with the LDAP/MSAD User Federation set up with "Sync Registrations" turned on.
>>>
>>> I think this is since we migrated to Keycloak 2.0.0.Final (not 100% sure).
>>>
>>> When I try to create a new user from Keycloak (Manage - Users) I only see the error message "Error! Could not create user" but nothing else. Nothing in the logs unfortunately. Not even at the debug level.
>>>
>>> Any pointers on where to start looking for a solution? I have the Keycloak source code available.
>>>
>>> cheers
>>>
>>> Edgar
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/a85adb74/attachment.html

From mposolda at redhat.com Wed Aug 10 05:43:30 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 10 Aug 2016 11:43:30 +0200
Subject: [keycloak-user] Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen?
In-Reply-To: <1157262288.14426508.1470774324298.JavaMail.yahoo@mail.yahoo.com>
References: <1157262288.14426508.1470774324298.JavaMail.yahoo.ref@mail.yahoo.com> <1157262288.14426508.1470774324298.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <57AAF742.8000104@redhat.com>

- If you want to skip just Keycloak login page, then you can possibly set the "Authenticate by default" in the Keycloak admin console on the OpenAM identity provider screen. This means that Keycloak won't try to show the login screen, but immediately redirect to OpenAM login screen. However in case that you're not yet logged to OpenAM, you will still see the OpenAM login screen. So this is likely not sufficient for you?

- Option 2) Probably better for non-browser usecase, but more complex. Keycloak has support for "direct access grants" aka. OAuth2 "Resource Owner password credentials grant". See the OAuth2 specs for details.
So you can implement your own Authenticator, which will re-send the provided username+password to OpenAM and then, if it succeeds, the Authenticator itself will create the user in the Keycloak DB (if it doesn't yet exist). You will need to create a new Authentication flow, put your Authenticator there and configure it as the "Direct Grant" authenticator in the Keycloak admin console. See the Authentication SPI docs for more details.

This is possible just if OpenAM itself also has support for the "Resource owner password credentials grant" or something like that, which will allow sending just a REST request to validate username+password.

Maybe we should support this OOTB as it looks like there are more people asking for it...

Marek

On 09/08/16 22:25, Abelardo Vacca wrote:
>
> I am wondering if it is possible to delegate authentication to an
> identity provider, as you would on the Login Page, but using the REST API.
> I've posted to stackoverflow a few minutes ago with details and
> diagrams to try to explain the best I could:
> http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w
>
> Please feel free to correct any misconceptions I might have, I am new
> to all these tools I am posting about (APIMAN, Keycloak and OpenAM)
>
> Thanks,
> Abelardo

From mposolda at redhat.com Wed Aug 10 05:49:16 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 10 Aug 2016 11:49:16 +0200
Subject: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
Message-ID: <57AAF89C.1090902@redhat.com>

Did you enable the Google+ API in the Google admin console?
Configuration of this is on the Google side, not scopes on the Keycloak side on the identityProvider page.

Marek

On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
> Hello,
>
> I'm trying to configure an instance of Keycloak using version
> 2.1.0.CR1 and I've run into a problem when using the Google Identity
> Provider with the default configuration. That is, during the callback
> I observe an org.keycloak.broker.provider.IdentityBrokerException:
> Could not fetch attributes (see complete stacktrace below for details)
> from userinfo endpoint, which seems to be linked to the 403 Forbidden
> return code when calling
> https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>
> This seems to be similar to
> https://issues.jboss.org/browse/KEYCLOAK-2942, but even when adding
> the additional Google+ scopes (making scope=openid profile email
> https://www.googleapis.com/auth/plus.me
> https://www.googleapis.com/auth/plus.login) the call fails. As for
> JIRA-2942, I've tried setting up a user-defined OpenId Connect
> provider with the default scope, which works just fine.
>
> Have I forgotten any important parameter while configuring the
> standard Google support? Or is this a regression for this release?
>
> Regards,
> Sigbjørn Dybdahl
>
> ---
>
> Here's the complete stacktrace for the exception:
>
> 20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
>     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:304)
>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890)
>     at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:148)
>     at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimpleHttp.java:46)
>     at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:267)
>     ... 50 more
> Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
>     at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2943)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderField(HttpsURLConnectionImpl.java:291)
>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:147)
>     ... 52 more

From pires at littlebits.cc Wed Aug 10 05:57:00 2016
From: pires at littlebits.cc (Paulo Pires)
Date: Wed, 10 Aug 2016 10:57:00 +0100
Subject: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1

It has been broken for a while.
Here's what works for me:

* Log in to Keycloak's Admin console and select the Identity Providers tab. Click Add provider and select OpenID Connect v1.0.
* Set Alias to google
* Set Authorization URL to https://accounts.google.com/o/oauth2/auth
* Set User Info URL to https://www.googleapis.com/oauth2/v3/userinfo
* Set Token URL to https://accounts.google.com/o/oauth2/token
* Fill in the client id and client secret with the ones provided by Google
* Set Default Scopes to openid profile email
* Click Save
* Copy the Redirect URL, go back to Google API Manager and add it to the Authorized redirect URIs list.

On Wed, Aug 10, 2016 at 9:47 AM, Sigbjørn Dybdahl wrote:
> Hello,
>
> I'm trying to configure an instance of Keycloak using version 2.1.0.CR1
> and I've run into a problem when using the Google Identity Provider with
> the default configuration. That is, during the callback I observe
> an org.keycloak.broker.provider.IdentityBrokerException: Could not fetch
> attributes (see complete stacktrace below for details) from userinfo
> endpoint, which seems to be linked to the 403 Forbidden return code when
> calling https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>
> This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942,
> but even when adding the additional Google+ scopes (making scope=openid
> profile email https://www.googleapis.com/auth/plus.me
> https://www.googleapis.com/auth/plus.login) the call fails. As for
> JIRA-2942, I've tried setting up a user-defined OpenId Connect provider
> with the default scope, which works just fine.
>
> Have I forgotten any important parameter while configuring the standard
> Google support? Or is this a regression for this release?
>
> Regards,
> Sigbjørn Dybdahl
--
Paulo Pires
senior infrastructure engineer | littleBits

From sigbjorn at fifty-five.com Wed Aug 10 06:03:31 2016
From: sigbjorn at fifty-five.com (Sigbjørn Dybdahl)
Date: Wed, 10 Aug 2016 12:03:31 +0200
Subject: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
In-Reply-To: <57AAF89C.1090902@redhat.com>
References: <57AAF89C.1090902@redhat.com>

Thanks for your quick reply, Marek!

When re-reading the documentation now I see the part on enabling the Google+ API in the Google Developer console, which I apparently didn't pay attention to. It all works smoothly now, and I can remove the user-defined OpenId Connect provider.

Regards,
Sigbjørn

On 10 August 2016 at 11:49, Marek Posolda wrote:
> Did you enable the Google+ API in the Google admin console? Configuration of this
> is on the Google side, not scopes on the Keycloak side on the identityProvider page.
>
> Marek
From pires at littlebits.cc Wed Aug 10 06:17:58 2016
From: pires at littlebits.cc (Paulo Pires)
Date: Wed, 10 Aug 2016 11:17:58 +0100
Subject: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
References: <57AAF89C.1090902@redhat.com>

Ah, nice tip. My tests were made with a corporate account which has no permissions to enable such an API, but I too slipped over that part in the docs.

Thanks

On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl wrote:
> Thanks for your quick reply, Marek!
>
> When re-reading the documentation now I see the part on enabling the
> Google+ API in the Google Developer console, which I apparently didn't pay
> attention to. It all works smoothly now, and I can remove the user-defined
> OpenId Connect provider.
>
> Regards,
> Sigbjørn
>
> On 10 August 2016 at 11:49, Marek Posolda wrote:
>
>> Did you enable the Google+ API in the Google admin console?
>> Configuration of this is on Google side, not scopes on Keycloak side on identityProvider page.
>>
>> Marek
>>
>> On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
>>
>> Hello,
>>
>> I'm trying to configure an instance of Keycloak using version 2.1.0.CR1 and I've run into a problem when using the Google Identity Provider with the default configuration. That is, during the callback I observe an org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes (see complete stacktrace below for details) from userinfo endpoint which seems to be linked to the 403 Forbidden return code when calling https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>>
>> This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942, but even when adding the additional Google+ scopes (making scope=openid profile email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.login) the call fails. As for JIRA-2942, I've tried setting up a user-defined OpenId Connect provider with the default scope, which works just fine.
>>
>> Have I forgotten any important parameter while configuring the standard Google support? Or is this a regression for this release?
>>
>> Regards,
>> Sigbjørn Dybdahl
>>
>> ---
>>
>> Here's the complete stacktrace for the exception:
>>
>> 20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
>> Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect

--
Paulo Pires
senior infrastructure engineer | littleBits
T (917) 464-4577
unleash your inner inventor.

From mposolda at redhat.com Wed Aug 10 06:25:35 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 10 Aug 2016 12:25:35 +0200
Subject: [keycloak-user] Keycloak 2.1.0.Final released
Message-ID: <57AB011F.7000007@redhat.com>

Keycloak 2.1.0.Final has just been released. This release only contains one fix related to Authorization services since the 2.1.0.CR1 release.

For the list of resolved issues check out JIRA and to download the release go to the Keycloak homepage. Before you upgrade refer to the migration guide.
From john.d.ament at gmail.com Wed Aug 10 10:06:58 2016
From: john.d.ament at gmail.com (John D. Ament)
Date: Wed, 10 Aug 2016 14:06:58 +0000
Subject: [keycloak-user] Keycloak Competitors

Right now, it's more to identify the list of what's out there. I have some good pointers based on this thread, so thanks everyone.

On Tue, Aug 9, 2016 at 3:13 PM Marc Boorshtein <marc.boorshtein at tremolosecurity.com> wrote:
>>> I'm not sure if anyone on this list has some insight, I'm trying to do a format tech evaluation. I was wondering if anyone had some competitors of keycloak in the same space, self hosted etc.
>
> What are you trying to accomplish? An identity management tool can run the gamut from directory management, sso, identity provider, user management portal, user self service provisioning, etc. Also, the type of applications could matter as well (ie are you looking for a primarily Java or .Net world, SaaS, etc)?

From Gta.fox at hotmail.com Wed Aug 10 10:15:45 2016
From: Gta.fox at hotmail.com (Fox 69)
Date: Wed, 10 Aug 2016 14:15:45 +0000
Subject: [keycloak-user] Keycloak I can not change the password in ldap

Hello

My use case is the following:

Create an ldap federation keycloak-windows server
Create a user in keycloak.

And my problem is here: when I want to change the credentials, it does not work and shows the error "Invalid password Error:. Fails to match regex pattern (s)."
Thanks

From aikeaguinea at xsmail.com Wed Aug 10 10:21:54 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Wed, 10 Aug 2016 10:21:54 -0400
Subject: [keycloak-user] Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen?
In-Reply-To: <1157262288.14426508.1470774324298.JavaMail.yahoo@mail.yahoo.com>
References: <1157262288.14426508.1470774324298.JavaMail.yahoo.ref@mail.yahoo.com> <1157262288.14426508.1470774324298.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <1470838914.1421747.691389969.798F15ED@webmail.messagingengine.com>

I ran into this issue when wanting to use the auth code flow without a browser; currently out of the box you can't pass an Accept header to Keycloak and get a challenge response in JSON rather than HTML. We're passing requests through an API gateway, so I was able to do some funny business to get it to work. Basically the steps are:

1. The user agent submits a POST request to /realms/{realm}/login-actions/authenticate to the gateway with a username and password parameter.
2. The API gateway intercepts the request and first makes a GET request to /realms/{realm}/protocol/openid-connect/auth to grab the authentication form HTML.
3. The API gateway digs out the "code" and "execution" query string parameters in the form action.
4. The API gateway adds those parameters to the form parameters in the POST request before passing it through to Keycloak. This results in a redirect response with an auth code for the user agent to follow.

Another approach would be to write an authenticator to supply the challenge response in JSON, which we may ultimately do.
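The form-handling part of the gateway workaround in the four steps above, as an added example that is neither the poster's code nor Keycloak's: it parses a constructed Keycloak-style login page, pulls the "code" and "execution" parameters out of the form action, builds the form body the gateway forwards to login-actions/authenticate, and reads the authorization code back out of the redirect. The host, realm, parameter values and the HTML itself are made up for the example; it also covers the HTML-escaped "&amp;" in the action attribute and the case where a parameter is missing.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of what /realms/{realm}/protocol/openid-connect/auth returns,
# trimmed to the login form. Hostname, realm and parameter values are invented.
# Note the HTML-escaped "&amp;" in the action: a naive search for "&execution="
# in the raw HTML would miss it, so attribute values must be unescaped first.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form id="kc-form-login" class="form" method="post"
      action="https://sso.example.test/auth/realms/demo/login-actions/authenticate?code=AbCd-EXAMPLE-CODE&amp;execution=1234-EXAMPLE-EXEC">
  <input id="username" name="username" type="text" />
  <input id="password" name="password" type="password" />
  <input name="login" type="submit" value="Log in" />
</form>
</body></html>
"""


class LoginFormParser(HTMLParser):
    """Collects the action attribute of the Keycloak login form (id kc-form-login)."""

    def __init__(self):
        super().__init__()
        self.action = None

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        attrs = dict(attrs)  # HTMLParser hands attribute values over already unescaped
        if attrs.get("id") == "kc-form-login" and attrs.get("action"):
            self.action = attrs["action"]


def extract_login_action(page_html):
    """Step 2/3: find the login form's action URL in the fetched HTML."""
    parser = LoginFormParser()
    parser.feed(page_html)
    if parser.action is None:
        raise ValueError("no kc-form-login form found in page")
    return parser.action


def extract_flow_params(action_url):
    """Step 3: return {'code': ..., 'execution': ...} from the action's query string,
    failing loudly if Keycloak did not put both parameters there."""
    query = parse_qs(urlsplit(action_url).query)
    missing = [k for k in ("code", "execution") if k not in query]
    if missing:
        raise ValueError("form action lacks parameters: %s" % ", ".join(missing))
    return {"code": query["code"][0], "execution": query["execution"][0]}


def build_authenticate_request(page_html, username, password):
    """Step 4: merge the user's credentials with the flow parameters dug out of the form.
    A browser would POST to the full action URL (query string included); as the poster
    describes, the gateway additionally copies code/execution into the form body."""
    action = extract_login_action(page_html)
    params = extract_flow_params(action)
    body = {"username": username, "password": password, **params}
    return action, urlencode(body)


def auth_code_from_redirect(location):
    """On success Keycloak redirects to the client's redirect_uri with the authorization
    code in the query string; pull it out of the Location header value."""
    query = parse_qs(urlsplit(location).query)
    if "code" not in query:
        raise ValueError("redirect carries no authorization code: %s" % location)
    return query["code"][0]


if __name__ == "__main__":
    url, body = build_authenticate_request(SAMPLE_LOGIN_PAGE, "alice", "example-password")
    print(url)
    print(body)
    # Constructed redirect, as the user agent would receive it after the POST.
    print(auth_code_from_redirect("https://app.example.test/cb?state=xyz&code=AUTHCODE-EXAMPLE"))
```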
On Tue, Aug 9, 2016, at 04:25 PM, Abelardo Vacca wrote:
> I am wondering if it is possible to delegate authentication to an identity provider, as you would on the Login Page, but using the REST API.
> I've posted to stackoverflow a few minutes ago with details and diagrams to try to explain the best I could:
> http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w
>
> Please feel free to correct any misconceptions I might have, I am new to all these tools I am posting about (APIMAN, Keycloak and OpenAM)
>
> Thanks,
> Abelardo

--
Aikeaguinea
aikeaguinea at xsmail.com

--
http://www.fastmail.com - Same, same, but different...

From bburke at redhat.com Wed Aug 10 10:50:32 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 10 Aug 2016 10:50:32 -0400
Subject: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
References: <57AAF89C.1090902@redhat.com>

So the docs are ok then?

On 8/10/16 6:17 AM, Paulo Pires wrote:
> Ah, nice tip. My tests were made with a corporate account which has no permissions to enable such API, but I too slipped that part in docs.
>
> Thanks
>
> On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl wrote:
>
> Thanks for your quick reply, Marek!
>
> When re-reading the documentation now I see the part on enabling the Google+ API in the Google Developer console, which I apparently didn't pay attention to. It all works smoothly now, and I can remove the user-defined OpenId Connect provider.
>
> Regards,
> Sigbjørn
>
> On 10 August 2016 at 11:49, Marek Posolda wrote:
>
> Did you enable Google+ API in Google admin console? Configuration of this is on Google side, not scopes on Keycloak side on identityProvider page.
>
> Marek
>
> On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
>> Hello,
>>
>> I'm trying to configure an instance of Keycloak using version 2.1.0.CR1 and I've run into a problem when using the Google Identity Provider with the default configuration. That is, during the callback I observe an org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes (see complete stacktrace below for details) from userinfo endpoint which seems to be linked to the 403 Forbidden return code when calling https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>>
>> This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942, but even when adding the additional Google+ scopes (making scope=openid profile email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.login) the call fails. As for JIRA-2942, I've tried setting up a user-defined OpenId Connect provider with the default scope, which works just fine.
>>
>> Have I forgotten any important parameter while configuring the standard Google support? Or is this a regression for this release?
>>
>> Regards,
>> Sigbjørn Dybdahl
>>
>> ---
>>
>> Here's the complete stacktrace for the exception:
>>
>> 20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
>> Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect
>
> --
> Paulo Pires
> senior infrastructure engineer | littleBits
> T (917) 464-4577
> unleash your inner inventor.
From bburke at redhat.com Wed Aug 10 10:51:11 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 10 Aug 2016 10:51:11 -0400
Subject: [keycloak-user] Keycloak Competitors

Nah, it's all good. We need to hear stuff. We have our heads down most of the time coding like banshees and ignore the rest of the world sometimes.

On 8/10/16 10:06 AM, John D. Ament wrote:
> Right now, it's more to identify the list of what's out there. I have some good pointers based on this thread, so thanks everyone.
>
> On Tue, Aug 9, 2016 at 3:13 PM Marc Boorshtein wrote:
>>>> I'm not sure if anyone on this list has some insight, I'm trying to do a format tech evaluation. I was wondering if anyone had some competitors of keycloak in the same space, self hosted etc.
>>
>> What are you trying to accomplish? An identity management tool can run the gamut from directory management, sso, identity provider, user management portal, user self service provisioning, etc. Also, the type of applications could matter as well (ie are you looking for a primarily Java or .Net world, SaaS, etc)?
From sigbjorn at fifty-five.com Wed Aug 10 11:09:21 2016
From: sigbjorn at fifty-five.com (Sigbjørn Dybdahl)
Date: Wed, 10 Aug 2016 17:09:21 +0200
Subject: [keycloak-user] GoogleIdentityProvider seems to be broken for Keycloak 2.1.0.CR1
References: <57AAF89C.1090902@redhat.com>

Hi Bill,

Yes, the information is present on https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/identity-broker/social/google.html . As it seems like I'm not the only one having this problem, it might be an idea to highlight the section on activating the Google+ API, if possible.

Regards,
Sigbjørn

On 10 August 2016 at 16:50, Bill Burke wrote:
> So the docs are ok then?
>
> On 8/10/16 6:17 AM, Paulo Pires wrote:
>
> Ah, nice tip. My tests were made with a corporate account which has no permissions to enable such API, but I too slipped that part in docs.
>
> Thanks
>
> On Wed, Aug 10, 2016 at 11:03 AM, Sigbjørn Dybdahl <sigbjorn at fifty-five.com> wrote:
>
>> Thanks for your quick reply, Marek!
>>
>> When re-reading the documentation now I see the part on enabling the Google+ API in the Google Developer console, which I apparently didn't pay attention to. It all works smoothly now, and I can remove the user-defined OpenId Connect provider.
>>
>> Regards,
>> Sigbjørn
>>
>> On 10 August 2016 at 11:49, Marek Posolda wrote:
>>
>>> Did you enable Google+ API in Google admin console? Configuration of this is on Google side, not scopes on Keycloak side on identityProvider page.
>>>
>>> Marek
>>>
>>> On 10/08/16 10:47, Sigbjørn Dybdahl wrote:
>>>
>>> Hello,
>>>
>>> I'm trying to configure an instance of Keycloak using version 2.1.0.CR1 and I've run into a problem when using the Google Identity Provider with the default configuration.
>>> That is, during the callback I observe an org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes (see complete stacktrace below for details) from userinfo endpoint which seems to be linked to the 403 Forbidden return code when calling https://www.googleapis.com/plus/v1/people/me/openIdConnect.
>>>
>>> This seems to be similar to https://issues.jboss.org/browse/KEYCLOAK-2942, but even when adding the additional Google+ scopes (making scope=openid profile email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.login) the call fails. As for JIRA-2942, I've tried setting up a user-defined OpenId Connect provider with the default scope, which works just fine.
>>>
>>> Have I forgotten any important parameter while configuring the standard Google support? Or is this a regression for this release?
>>>
>>> Regards,
>>> Sigbjørn Dybdahl
>>>
>>> ---
>>>
>>> Here's the complete stacktrace for the exception:
>>>
>>> 20:07:12,247 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-20) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
>>> java:202) >>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >>> ge.java:793) >>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:1142) >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:745) >>> Caused by: java.io.IOException: Server returned HTTP response code: 403 >>> for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>> Method) >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>> ConstructorAccessorImpl.java:62) >>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>> legatingConstructorAccessorImpl.java:45) >>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>> at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLCo >>> nnection.java:1890) >>> at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLCo >>> nnection.java:1885) >>> at java.security.AccessController.doPrivileged(Native Method) >>> at sun.net.www.protocol.http.HttpURLConnection.getChainedExcept >>> ion(HttpURLConnection.java:1884) >>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0( >>> HttpURLConnection.java:1457) >>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(H >>> ttpURLConnection.java:1441) >>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputSt >>> ream(HttpsURLConnectionImpl.java:254) >>> at org.keycloak.broker.provider.util.SimpleHttp.asString(Simple >>> Http.java:148) >>> at org.keycloak.broker.oidc.util.JsonSimpleHttp.asJson(JsonSimp >>> leHttp.java:46) >>> at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedId >>> entity(OIDCIdentityProvider.java:267) >>> ... 
50 more >>> Caused by: java.io.IOException: Server returned HTTP response code: 403 >>> for URL: https://www.googleapis.com/plus/v1/people/me/openIdConnect >>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0( >>> HttpURLConnection.java:1840) >>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(H >>> ttpURLConnection.java:1441) >>> at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(H >>> ttpURLConnection.java:2943) >>> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderF >>> ield(HttpsURLConnectionImpl.java:291) >>> at org.keycloak.broker.provider.util.SimpleHttp.asString(Simple >>> Http.java:147) >>> ... 52 more >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ keycloak-user mailing >> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >> n/listinfo/keycloak-user > > -- > > *Paulo Pires* > > senior infrastructure engineer | littleBits > > > *T* (917) 464-4577 unleash your inner inventor. > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/20cdf917/attachment-0001.html
From filipelautert at gmail.com Wed Aug 10 16:02:50 2016 From: filipelautert at gmail.com (Filipe Lautert) Date: Wed, 10 Aug 2016 20:02:50 +0000 Subject: [keycloak-user] Username Password Form as Alternative Message-ID:
Hello

I would like to have the "Username Password Form" auth type as a fallback option - I've set up my personalized auth methods, but if they don't succeed I want the user to be shown the login form.

The issue that I face is that even when I authenticate the user successfully (in my Authenticator code with context.setUser(myUser); context.success(); ) the login form is still shown to the user, even if it's inside an auth type "Browser Forms" set up as alternative.

I worked around it by creating a class called AlternativeUsernamePasswordFormFactory that extends UsernamePasswordFormFactory, and the only change that I made to it was to add AuthenticationExecutionModel.Requirement.ALTERNATIVE to REQUIREMENT_CHOICES. Now, if I set this new auth type as alternative in Keycloak, it does what I want.

So my questions are: am I missing something to mark my Authenticator as sufficient to end the flow and return to the client? If not, is there a reason why UsernamePasswordFormFactory doesn't provide the ALTERNATIVE option, and can I suggest a patch to add it to this class?

Cheers
filipe

--
filipe lautert
-------------- next part --------------
An HTML attachment was scrubbed...
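An added example of the fallback arrangement Filipe asks about, written for this page and not taken from the thread or from the Keycloak code base: a hypothetical authenticator whose factory lists ALTERNATIVE among its requirement choices, so the admin console lets it sit in the same sub-flow as "Username Password Form". The authenticator trusts a user name that an authenticating reverse proxy puts in an `X-Remote-User` header; the header name, the provider id, the display text and the class names are all assumptions, and so is the deployment assumption that the proxy strips any copy of that header sent by the client (without that, anyone who can reach Keycloak directly can log in as anyone). The point the flow semantics hinge on: when the header is missing, the authenticator calls `context.attempted()` rather than `context.failure(...)`, which is what lets the flow move on to the next alternative and render the form; when the header names an enabled user, `setUser` followed by `success()` satisfies the alternative and the form is never shown.

```java
package example.auth;

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Hypothetical authenticator (example code, not part of Keycloak) that trusts a
 * user name supplied by an authenticating reverse proxy. Assumption: the proxy
 * strips any client-supplied copy of TRUSTED_HEADER; otherwise this is an
 * impersonation hole, not an authenticator.
 */
public class TrustedHeaderAuthenticatorFactory implements AuthenticatorFactory {

    public static final String PROVIDER_ID = "trusted-header-authenticator"; // assumed id
    static final String TRUSTED_HEADER = "X-Remote-User";                    // assumed header name

    // Offering ALTERNATIVE is what lets the admin console place this execution
    // beside "Username Password Form" inside one alternative sub-flow.
    private static final Requirement[] REQUIREMENT_CHOICES = {
            Requirement.REQUIRED, Requirement.ALTERNATIVE, Requirement.DISABLED
    };

    public static class TrustedHeaderAuthenticator implements Authenticator {

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            String username = context.getHttpRequest().getHttpHeaders().getHeaderString(TRUSTED_HEADER);
            if (username == null || username.trim().isEmpty()) {
                // Nothing to decide on. attempted() marks this execution as tried
                // without failing the flow, so the next ALTERNATIVE runs, i.e. the
                // username/password form is shown.
                context.attempted();
                return;
            }
            UserModel user = context.getSession().users()
                    .getUserByUsername(username.trim(), context.getRealm());
            if (user == null || !user.isEnabled()) {
                // Unknown or disabled account: fall through to the form as well.
                context.attempted();
                return;
            }
            // Identity established: this execution succeeds, the alternative
            // sub-flow is satisfied, and no login form is rendered.
            context.setUser(user);
            context.success();
        }

        @Override public void action(AuthenticationFlowContext context) { /* no form, nothing is posted back */ }
        @Override public boolean requiresUser() { return false; }
        @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
        @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
        @Override public void close() { }
    }

    private static final TrustedHeaderAuthenticator SINGLETON = new TrustedHeaderAuthenticator();

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Trusted Proxy Header"; }
    @Override public String getReferenceCategory() { return "proxy-header"; }
    @Override public boolean isConfigurable() { return false; }
    @Override public Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Logs in the user named in " + TRUSTED_HEADER + ", which must be set by the authenticating proxy.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

To deploy it, list the factory class in META-INF/services/org.keycloak.authentication.AuthenticatorFactory inside the provider JAR, copy the browser flow, and add this execution next to "Username Password Form" in the forms sub-flow with both set to ALTERNATIVE. Whether the stock form factory can be set to ALTERNATIVE in a given version is exactly the open point of this thread; the example only shows what a custom factory has to offer for the fallback to be configurable.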
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160810/654d4e60/attachment.html
From pnalyvayko at agi.com Wed Aug 10 21:26:36 2016 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Thu, 11 Aug 2016 01:26:36 +0000 Subject: [keycloak-user] Username Password Form as Alternative In-Reply-To: References: Message-ID:
Hi Filipe,

I have a similar use case where Username Form is a fallback option, and I am able to skip the login page by setting the user and returning the success flow status. The custom authenticator sets the user upon success and updates the flow context status, i.e.:

...
context.setUser(user);
context.success();
return;
...

Attached is the custom browser authentication flow screenshot.

Hope it helps

Regards,
Peter
________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Filipe Lautert [filipelautert at gmail.com]
Sent: Wednesday, August 10, 2016 4:02 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Username Password Form as Alternative

Hello

I would like to have the "Username Password Form" auth type as a fallback option - I've set up my personalized auth methods, but if they don't succeed I want the user to be shown the login form.

The issue that I face is that even when I authenticate the user successfully (in my Authenticator code with context.setUser(myUser); context.success(); ) the login form is still shown to the user, even if it's inside an auth type "Browser Forms" set up as alternative.

I worked around it by creating a class called AlternativeUsernamePasswordFormFactory that extends UsernamePasswordFormFactory, and the only change that I made to it was to add AuthenticationExecutionModel.Requirement.ALTERNATIVE to REQUIREMENT_CHOICES. Now, if I set this new auth type as alternative in Keycloak, it does what I want.

So my questions are: am I missing something to mark my Authenticator as sufficient to end the flow and return to the client? If not, is there a reason why UsernamePasswordFormFactory doesn't provide the ALTERNATIVE option, and can I suggest a patch to add it to this class?

Cheers
filipe

--
filipe lautert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Keycloak-browser-flow.png
Type: image/png
Size: 49587 bytes
Desc: Keycloak-browser-flow.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/b02c3e5b/attachment-0001.png
From subhrajyotim at gmail.com Thu Aug 11 02:21:07 2016 From: subhrajyotim at gmail.com (Subhrajyoti Moitra) Date: Thu, 11 Aug 2016 11:51:07 +0530 Subject: [keycloak-user] 2 Keycloak instance using the same DB. Message-ID:
Hello,

We are trying to load balance keycloak servers to accommodate more traffic and as a failover. We are pointing 2 instances of keycloak servers (running on 2 different machines) to the same DB. Could there be a problem with that setup? If so, what kind of issues are expected to come? Do we have to set up something special on the load balancer so that the sessions are maintained properly?

The keycloak servers also integrate with our organization's Active Directory to defer the authentication process. Should we disable sync on one and allow LDAP sync from only one server? Is there a potential problem with the same, i.e. 2 keycloak instances pointing to the same DB?

How are other people doing load balancing and failover for keycloak server?

Please guide.

Thanks,
Subhro.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/dd37cdbe/attachment.html
From ushanas.shastri at viteos.com Thu Aug 11 03:33:19 2016 From: ushanas.shastri at viteos.com (Ushanas Shastri) Date: Thu, 11 Aug 2016 07:33:19 +0000 Subject: [keycloak-user] Authorization services: Trying to model authz for a typical application. In-Reply-To: References: Message-ID: <15c48f9cde9c4ebaa95d3dd4490dfc7c@vitblrex2013.viteos.com>
Classification: INTERNAL

Anyone have any ideas/suggestions?

Regards,
Ushanas.

Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Ushanas Shastri
Sent: Friday, August 05, 2016 12:24 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Authorization services: Trying to model authz for a typical application.

Classification: INTERNAL

Hello,

I've been looking at all the Authz examples with 2.1.0 CR1, and I've been trying to fit/model them for my application.

Let's say there's a feature in an application to process loan applications. Possible actions on a loan application are to view, edit, approve or reject them. However, users can take specific actions on applications based on the geographical zone in which requests are raised. For e.g.

User A can view applications across all Zones, but approve or reject applications only if they are from Zone A.
User B can only view applications from Zone B, and cannot do anything else.
User C can do all actions for all Zones.

In the authorization tab, Loan Application is created as a resource, with scopes created for each action (view/edit/approve/reject). Scope based Permissions are created for each scope, and are attached to a policy. Now the policy is where I'd like to implement the check on the zone. I could create each Zone as a group or as a client role. I chose to create a client role for each Zone.

Now, if user A logs in to the application, I have a screen where they can search for applications to view/process. User A should get to see a list of all applications, since he has view access to all, but only process

When I request for an authorization through the entitlement API, the response tells me that Zone A and Zone B are the client roles, and view and approve and reject are allowed scopes, but does *not* say that Zone B scope is only view, and Zone A scopes are view, approve and reject. The response is a list of client roles and scopes (with resources), but does not link the client role to a resource-scope combination. I couldn't find a way to make individual requests (like tell me what scopes are allowed for this resource, for this particular client role/group?).

As a result, I cannot use the idea of creating zones as either client roles or groups. How then do I model this in KeyCloak?

Thank you for reading the long example, and looking forward to a response!

Regards,
Ushanas.

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/a382b17c/attachment.html
From William.Drescher at celum.com Thu Aug 11 04:27:59 2016 From: William.Drescher at celum.com (William Drescher [CELUM]) Date: Thu, 11 Aug 2016 08:27:59 +0000 Subject: [keycloak-user] Login redirect after registration Message-ID:
I am creating a basic invitation flow,

Step 1: User receives email with link to registration
Step 2: User fills out registration
Step 3: User is transferred to application

The first two steps I completed by creating a required action provider and remotely created the user with the proper email and then sent an ExecuteActionsEmail. The problem is that after the user fills out the information and updates their account I am unable to redirect them to the application. I've tried setting the redirect URI in the context client session without success and was wondering if anyone knew a way to do this. I also would like to authorize the user for the application so they don't have to login again. I've gone through the documentation but wasn't able to find anything applicable.
I'm also wondering where I can find documentation on the Keycloak project architecture to help in understanding how Keycloak works.

Thanks,
Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/f98eff3a/attachment-0001.html
From j.kamal at ymail.com Thu Aug 11 08:20:29 2016 From: j.kamal at ymail.com (Kamal Jagadevan) Date: Thu, 11 Aug 2016 12:20:29 +0000 (UTC) Subject: [keycloak-user] SAML Subsequent login fails with Account disabled error References: <866458232.12507273.1470918029020.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <866458232.12507273.1470918029020.JavaMail.yahoo@mail.yahoo.com>
Hello,

We are using Keycloak 1.9.2 for our Authentication flow and SAML interactions (not using SAML adapters) and they are working well in DEV/QA instances. But in the Integration environment we are seeing a strange issue where ONLY the FIRST TIME login works fine. Further logins fail with the following error even though the user is enabled.

"Account is disabled, contact admin."

Is there anything obvious that we have missed? Please advise. Enabling debug log didn't reveal anything other than fetching entities from db. Any inputs to debug further are also welcome.

Setting in Federated Identity - First login flow is set to First Broker Login flow
Settings in First login flow - Disabled Review profile page, rest of the properties were set to default values; altering the rest of the fields didn't change the behavior.

Following is the sequence of steps:
- With the help of a static login URL to Keycloak suffixed with KC_IDP_HINT, Keycloak redirects to External IDP
- Verified the SAML request being sent using SAML Tracer.
- External IDP login prompts for username and password.
- After entering credentials, redirected back to Keycloak for getting token but THROWS error "Account is disabled, contact admin"
- Verified the SAML response with Assertion status as success using SAML tracer.
- Verified the user is enabled from the Admin console.
- Verified the user_entity table for the status.

Best
Kamal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/11c1920a/attachment.html
From bburke at redhat.com Thu Aug 11 08:47:26 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 11 Aug 2016 08:47:26 -0400 Subject: [keycloak-user] 2 Keycloak instance using the same DB. In-Reply-To: References: Message-ID: <32be54c1-d002-f193-1f2e-1ad72d95db2c@redhat.com>
You need to cluster.

https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/

On 8/11/16 2:21 AM, Subhrajyoti Moitra wrote:
> Hello,
>
> We are trying to load balance keycloak servers to accommodate more
> traffic and as a failover. We are pointing 2 instances of keycloak
> servers(running on 2 different machines) to the same DB. Could there
> be a problem with that setup?
> If so what kind of issues are expected to come? Do we have to setup
> something special on the load balancer so that the sessions are
> maintained properly?
>
> The keycloak servers also integrates with our organization's Active
> Directory to defer the authentication process. Should we disable sync
> on one and allow ldap sync from only one server? Is there a potential
> problem with the same, ie 2 keycloak instance pointing to the same DB?
>
> How are other people doing loadbalancing and failover for keycloak server.
>
> Please guide.
>
> Thanks,
> Subhro.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/6557acf2/attachment.html From bburke at redhat.com Thu Aug 11 09:01:35 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 11 Aug 2016 09:01:35 -0400 Subject: [keycloak-user] SAML Subsequent login fails with Account disabled error In-Reply-To: <866458232.12507273.1470918029020.JavaMail.yahoo@mail.yahoo.com> References: <866458232.12507273.1470918029020.JavaMail.yahoo.ref@mail.yahoo.com> <866458232.12507273.1470918029020.JavaMail.yahoo@mail.yahoo.com> Message-ID: <6ae7f8b2-1ad1-e36f-0d94-3dbe2dd7a1fe@redhat.com> I don't see anything in code. Broker first time login creates the user and sets enabled to true. #1 Turn on debugging #2 Upgrade to 1.9.8. Our product is based on 1.9.8 and A LOT of work went into stabilizing the codebase between 1.9.2 and 1.9.8. On 8/11/16 8:20 AM, Kamal Jagadevan wrote: > Hello, > We are using Keycloak 1.9.2 for our Authentication flow and SAML > interactions (not using SAML adapters) and they are working well in > DEV/QA instances. > But in Integration environment we are seeing a strange issue of ONLY > FIRST TIME login works fine. Further login fails with the following > error even though user is enabled. > > "Account is disabled, contact admin." Is there anything obvious that > we have missed please advise. Enabling debug log didnt reveal anything > other than fetching entities from db. > Any inputs to debug further is also welcome. > > Setting in Federated Identity - First login flow is set to First > Broker Login flow > Settings in First login flow - Disabled Review profile page, rest of > the properties was set to default values altering rest of the fields > didnt change the behavior. > > > Following are the sequence of steps > > 1. With the help of static login URL to Keycloak with suffixed by the > KC_IDP_HINT, Keycloak redirects to External IDP > 2. Verified for the SAML request being sent using SAML Tracer. > 3. 
External IDP login prompts for username and password. > 4. After entering credentials, redirected back to Keycloak for > getting token but THROWS error "Account is disabled, contact admin" > 5. Verified the SAML response with Assertion status as success using > SAML tracer. > 6. Verified the user is enabled from the Admin console. > 7. Verified the user_entity table for the status. > > > Best > Kamal > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/7aba84d5/attachment.html From adrianmatei at gmail.com Thu Aug 11 10:55:36 2016 From: adrianmatei at gmail.com (Adrian Matei) Date: Thu, 11 Aug 2016 16:55:36 +0200 Subject: [keycloak-user] HTML injection on registration page Message-ID: Hi everyone, After a security audit we've found out that by user registration one can do HTML injection by inserting for example the following code in the Name field: Victim

Konto aktivieren

The victim receives the validation email with the malicious link right after their name. Therefore the injected HTML is rendered instead of escaped by the email service. Is there any way we can avoid this declaratively, or what would be an alternative solution?

Best regards,
Adrian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/e8f6c673/attachment.html
From mposolda at redhat.com Thu Aug 11 11:03:38 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 11 Aug 2016 17:03:38 +0200 Subject: [keycloak-user] Keycloak I can not change the password in ldap In-Reply-To: References: Message-ID: <57AC93CA.6030806@redhat.com>
It looks like there is a password policy in your MS Active Directory server? Can you try some more tricky password, which will pass the policy? For example something like "PaSSword123:{%$#456" instead of just "password"?

Marek

On 10/08/16 16:15, Fox 69 wrote:
>
> Hello
>
>
> My use case is the following:
> Create an ldap federation keycloak-windows server
> Create a user in keycloak.
> And my problem is here when I want to change the credentials, it does not
> work and shows the error "Invalid password Error:. Fails to match
> regex pattern (s)."
>
> Thanks
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/774e6d0c/attachment-0001.html
From subhrajyotim at gmail.com Thu Aug 11 11:38:12 2016 From: subhrajyotim at gmail.com (Subhrajyoti Moitra) Date: Thu, 11 Aug 2016 21:08:12 +0530 Subject: [keycloak-user] 2 Keycloak instance using the same DB.
In-Reply-To: <32be54c1-d002-f193-1f2e-1ad72d95db2c@redhat.com> References: <32be54c1-d002-f193-1f2e-1ad72d95db2c@redhat.com> Message-ID: Thanks a lot Bill. Already on to it, should have seen that first before posting. :D Is the same valid for 1.9.2.Final or is it only for 2.x onwards- then i have to first upgrade. Thanks, Subhro. On Thu, Aug 11, 2016 at 6:17 PM, Bill Burke wrote: > You need to cluster. > > > https://keycloak.gitbooks.io/server-installation-and- > configuration/content/v/2.1/ > > On 8/11/16 2:21 AM, Subhrajyoti Moitra wrote: > > Hello, > > We are trying to load balance keycloak servers to accommodate more traffic > and as a failover. We are pointing 2 instances of keycloak servers(running > on 2 different machines) to the same DB. Could there be a problem with that > setup? > If so what kind of issues are expected to come? Do we have to setup > something special on the load balancer so that the sessions are maintained > properly? > > The keycloak servers also integrates with our organization's Active > Directory to defer the authentication process. Should we disable sync on > one and allow ldap sync from only one server? Is there a potential problem > with the same, ie 2 keycloak instance pointing to the same DB? > > How are other people doing loadbalancing and failover for keycloak server. > > Please guide. > > Thanks, > Subhro. > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/6acb7d74/attachment.html
From psilva at redhat.com Thu Aug 11 11:51:49 2016 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 11 Aug 2016 11:51:49 -0400 (EDT) Subject: [keycloak-user] Authorization services: Trying to model authz for a typical application. In-Reply-To: <15c48f9cde9c4ebaa95d3dd4490dfc7c@vitblrex2013.viteos.com> References: <15c48f9cde9c4ebaa95d3dd4490dfc7c@vitblrex2013.viteos.com> Message-ID: <652161093.2545967.1470930709799.JavaMail.zimbra@redhat.com>
----- Original Message -----
> From: "Ushanas Shastri"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, August 11, 2016 4:33:19 AM
> Subject: Re: [keycloak-user] Authorization services: Trying to model authz for a typical application.
>
> User A can view applications across all Zones, but approve or reject
> applications only if they are from Zone A.
>
> User B can only view applications from Zone B, and cannot do anything else.
>
> User C can do all actions for all Zones.
>

Do they represent roles in your application? For instance, User A would be a "manager" role and User C an "administrator" role?

From ushanas.shastri at viteos.com Thu Aug 11 11:53:44 2016 From: ushanas.shastri at viteos.com (Ushanas Shastri) Date: Thu, 11 Aug 2016 15:53:44 +0000 Subject: [keycloak-user] Authorization services: Trying to model authz for a typical application. In-Reply-To: <652161093.2545967.1470930709799.JavaMail.zimbra@redhat.com> References: <15c48f9cde9c4ebaa95d3dd4490dfc7c@vitblrex2013.viteos.com> <652161093.2545967.1470930709799.JavaMail.zimbra@redhat.com> Message-ID:
Classification: INTERNAL

Hello,

We're trying to model them as Client Roles, as these roles are not realm level, and can change for each client.

Regards,
Ushanas.

Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Thursday, August 11, 2016 9:22 PM
To: Ushanas Shastri
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Authorization services: Trying to model authz for a typical application.

----- Original Message -----
> From: "Ushanas Shastri"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, August 11, 2016 4:33:19 AM
> Subject: Re: [keycloak-user] Authorization services: Trying to model authz for a typical application.
>
> User A can view applications across all Zones, but approve or reject
> applications only if they are from Zone A.
>
> User B can only view applications from Zone B, and cannot do anything else.
>
> User C can do all actions for all Zones.
>

Do they represent roles in your application? For instance, User A would be a "manager" role and User C an "administrator" role?

From bburke at redhat.com Thu Aug 11 13:42:29 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 11 Aug 2016 13:42:29 -0400 Subject: [keycloak-user] 2 Keycloak instance using the same DB. In-Reply-To: References: <32be54c1-d002-f193-1f2e-1ad72d95db2c@redhat.com> Message-ID: <83611e95-7502-9677-e17f-0d344360f783@redhat.com>
I strongly suggest you at least upgrade to 1.9.8. Our product is based on that and a lot of stability and bug fixes were done in between 1.9.2 and 1.9.8. Docs are available for that here:

http://www.keycloak.org/documentation-archive.html

On 8/11/16 11:38 AM, Subhrajyoti Moitra wrote:
> Thanks a lot Bill.
> Already on to it, should have seen that first before posting. :D
> Is the same valid for 1.9.2.Final or is it only for 2.x onwards- then
> i have to first upgrade.
>
> Thanks,
> Subhro.
>
> On Thu, Aug 11, 2016 at 6:17 PM, Bill Burke
> wrote:
>
> You need to cluster.
>
>
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/
>
>
>
> On 8/11/16 2:21 AM, Subhrajyoti Moitra wrote:
>> Hello,
>>
>> We are trying to load balance keycloak servers to accommodate
>> more traffic and as a failover. We are pointing 2 instances of
>> keycloak servers(running on 2 different machines) to the same DB.
>> Could there be a problem with that setup?
>> If so what kind of issues are expected to come? Do we have to
>> setup something special on the load balancer so that the sessions
>> are maintained properly?
>>
>> The keycloak servers also integrates with our organization's
>> Active Directory to defer the authentication process. Should we
>> disable sync on one and allow ldap sync from only one server? Is
>> there a potential problem with the same, ie 2 keycloak instance
>> pointing to the same DB?
>> >> How are other people doing loadbalancing and failover for >> keycloak server. >> >> Please guide. >> >> Thanks, >> Subhro. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/fbb7f1c4/attachment.html From mailamitarora at gmail.com Thu Aug 11 19:35:37 2016 From: mailamitarora at gmail.com (Amit Arora) Date: Thu, 11 Aug 2016 19:35:37 -0400 Subject: [keycloak-user] KeyCloak customization In-Reply-To: References: Message-ID: Hi Can any suggest I am looking to customize /token service for password grant..so when i call /token service from my client,keycloak calls my authentication service to authenticate the user and take the response from my auth service and then tie this response with the access token.. And when i call the secured service with the access token..keycloak can fetch specific user information from my db using access token (which we tied with auth response earlier) and stuff it in request before sending it to secured api.. Can i achieve this and what hooks or customizations i need to do for this Thanks Amit -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160811/c4dcf3eb/attachment-0001.html

From jahenao at itroisolutions.com Thu Aug 11 21:16:24 2016
From: jahenao at itroisolutions.com (Jairo Henao)
Date: Fri, 12 Aug 2016 01:16:24 +0000
Subject: [keycloak-user] Firstname and Lastname are null when REGISTER event
Message-ID:

Hello community:

I have a listener for the REGISTER event and it works well, but when I try to get the first and last names of the user they are null, although all other fields are filled, such as mail, telephone, etc.

    @Override
    public void onEvent(Event event) {
        if (includedEvents.contains(event.getType())) {
            if (event.getRealmId() != null && event.getUserId() != null) {
                RealmModel realm = model.getRealm(event.getRealmId());
                UserModel user = session.users().getUserById(event.getUserId(), realm);
                if (user != null) {
                    if (isUserEnroledForClients(user, realm)) {
                        // Checking the event type
                        if (EventType.REGISTER.equals(event.getType())) {
                            // Sending the new data to hubspot
                            log.infov("Registering the new user {0} in Hubspot...", user.getEmail());
                            user.getEmail();     // IS FILLED
                            user.getFirstName(); // IS NULL
                            user.getLastName();  // IS NULL
                        }
                    }
                }
            }
        }
    }

After the registration process ends, if I check the table, the new user has a firstName and lastName.

Jairo Henao Rojas
IT ROI Solutions

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/f91e9f3e/attachment.html

From jeremy at jeremysimon.com Thu Aug 11 23:46:02 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Thu, 11 Aug 2016 23:46:02 -0400
Subject: [keycloak-user] Keycloak Competitors
In-Reply-To:
References:
Message-ID:

Hey John,

I had to do a bunch of research last year when we were looking for an SSO solution for our apps.
Here's a list I came across on Wikipedia at some point which really helped me understand a good range of stuff out there: https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations We landed on Keycloak at the end because it was pretty no nonsense to get off the ground and we were able to get a proof of concept including coding our needed core customizations out the door in about a week. Prior to that, we wasted a lot of time with WSO2 Identity Server, which seemed nice at the start. Unfortunately the documentation was not as good as it looked when it came to many important details, and sadly we learned even though it was open source, that did not apply to the most current security patches. For us, they were touching areas of code we needed to customize or patch (since they weren't totally adherent to SAML standards). So that would've been crazy money for support and maintenance just to get the patch code... aside from that, there were just weird quirks with it consistency-wise. So it was back to hunting and looking into things like OpenAM, Gluu Server, Shibbolth, etc.... then I learned Red Hat had something other than PicketLink... Keycloak crew, you really nailed it. It's been in production for months and totally reliable. Anyway, hope the notes are helpful in someway. jeremy jeremy at jeremysimon.com www.JeremySimon.com On Wed, Aug 10, 2016 at 10:51 AM, Bill Burke wrote: > Nah, its all good. We need to hear stuff. We have our heads down most of > the time coding like banshees and ignore the rest of the world sometimes. > > > On 8/10/16 10:06 AM, John D. Ament wrote: > > Right now, its more to identify the list of what's out there. I have some > good pointers based on this thread, so thanks everyone. > > On Tue, Aug 9, 2016 at 3:13 PM Marc Boorshtein > wrote: >> >> >> > >> >> > I'm not sure if anyone on this list has some insight, I'm trying to >> >> > do a >> >> > format tech evaluation. 
I was wondering if anyone had some
>> >> > competitors of keycloak in the same space, self hosted etc.
>> >> >
>> >> What are you trying to accomplish? An identity management tool can
>> run the gamut from directory management, SSO, identity provider, user
>> management portal, user self-service provisioning, etc. Also, the
>> type of applications could matter as well (i.e. are you looking for a
>> primarily Java or .Net world, SaaS, etc.)?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From abhi.raghav007 at gmail.com Fri Aug 12 03:44:20 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Fri, 12 Aug 2016 13:14:20 +0530
Subject: [keycloak-user] Signed JWT issue
Message-ID:

Hi Team,

Recently I ran into an issue where I am using signed JWT tokens as the client authentication mechanism instead of client id/secret.
My keycloak.json looks like this:

{
  "realm": "nginx",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
  "auth-server-url": "http://192.168.99.100:31048/auth",
  "ssl-required": "external",
  "resource": "product-portal",
  "enable-cors": false,
  "credentials": {
    "jwt": {
      "client-key-password": "changeit",
      "client-keystore-file": "/keystore/keystore.jks",
      "client-keystore-password": "changeit",
      "client-key-alias": "product-portal",
      "token-timeout": 10,
      "client-keystore-type": "jks"
    }
  }
}

But when I am trying to deploy this app in my local tomcat, the app doesn't deploy and fails. I looked at my catalina.log file, which shows this:

12-Aug-2016 07:13:09.400 SEVERE [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Error deploying web application archive /usr/local/tomcat/webapps/product-portal.war
 java.lang.RuntimeException: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token
 at [Source: java.io.FileInputStream at 7d33dbab; line: 9, column: 5] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["credentials"])
        at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:104)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:93)
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:116)
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:65)
        at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95) at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:165) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:940) at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1816) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask.run(FutureTask.java:262) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:745) Caused by: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token at [Source: java.io.FileInputStream at 7d33dbab; line: 9, column: 5] (through reference chain: org.keycloak.representations.adapters.conf ig.AdapterConfig["credentials"]) at org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163) at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219) at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:44) at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:13) at org.codehaus.jackson.map.deser.std.MapDeserializer._readAndBind(MapDeserializer.java:319) at org.codehaus.jackson.map.deser.std.MapDeserializer.deserialize(MapDeserializer.java:249) at 
org.codehaus.jackson.map.deser.std.MapDeserializer.deserialize(MapDeserializer.java:33) at org.codehaus.jackson.map.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:299) at org.codehaus.jackson.map.deser.SettableBeanProperty$MethodProperty.deserializeAndSet(SettableBeanProperty.java:414) at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:697) ...... It shows problem in "credentials" property to deserilize. I am using Keycloak 2.0.0.Final and tomcat 8.0.36 version. for keycloak I am using tomcat adapter for my app. Please help. *- Best Regards* Abhishek Raghav -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/23c74f43/attachment-0001.html From subhrajyotim at gmail.com Fri Aug 12 05:13:25 2016 From: subhrajyotim at gmail.com (Subhrajyoti Moitra) Date: Fri, 12 Aug 2016 14:43:25 +0530 Subject: [keycloak-user] 2 Keycloak instance using the same DB. In-Reply-To: <83611e95-7502-9677-e17f-0d344360f783@redhat.com> References: <32be54c1-d002-f193-1f2e-1ad72d95db2c@redhat.com> <83611e95-7502-9677-e17f-0d344360f783@redhat.com> Message-ID: Thanks very much Bill, for pointing this out. We are in the process of doing the upgrade. Thanks, Subhro. On Thu, Aug 11, 2016 at 11:12 PM, Bill Burke wrote: > I strongly suggest you at least upgrade to 1.9.8. Our product is based on > that and a lot of stability and bug fixes were done in between 1.9.2 and > 1.9.8. Docs are available for that here: > > > http://www.keycloak.org/documentation-archive.html > > On 8/11/16 11:38 AM, Subhrajyoti Moitra wrote: > > Thanks a lot Bill. > Already on to it, should have seen that first before posting. :D > Is the same valid for 1.9.2.Final or is it only for 2.x onwards- then i > have to first upgrade. > > Thanks, > Subhro. > > On Thu, Aug 11, 2016 at 6:17 PM, Bill Burke wrote: > >> You need to cluster. 
>> >> >> https://keycloak.gitbooks.io/server-installation-and-configu >> ration/content/v/2.1/ >> >> On 8/11/16 2:21 AM, Subhrajyoti Moitra wrote: >> >> Hello, >> >> We are trying to load balance keycloak servers to accommodate more >> traffic and as a failover. We are pointing 2 instances of keycloak >> servers(running on 2 different machines) to the same DB. Could there be a >> problem with that setup? >> If so what kind of issues are expected to come? Do we have to setup >> something special on the load balancer so that the sessions are maintained >> properly? >> >> The keycloak servers also integrates with our organization's Active >> Directory to defer the authentication process. Should we disable sync on >> one and allow ldap sync from only one server? Is there a potential problem >> with the same, ie 2 keycloak instance pointing to the same DB? >> >> How are other people doing loadbalancing and failover for keycloak server. >> >> Please guide. >> >> Thanks, >> Subhro. >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ keycloak-user mailing >> list keycloak-user at lists.jboss.org https://lists.jboss.org/mailma >> n/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/8d6429a8/attachment.html From bburke at redhat.com Fri Aug 12 08:41:42 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 12 Aug 2016 08:41:42 -0400 Subject: [keycloak-user] KeyCloak customization In-Reply-To: References: Message-ID: <3d13b13c-efc4-3864-57e1-f8fcacb06ac5@redhat.com> keycloak.org/documentation On 8/11/16 7:35 PM, Amit Arora wrote: > > Hi > > Can any suggest > > I am looking to customize /token service for password grant..so when i > call /token service from my client,keycloak calls my authentication > service to authenticate the user and take the response from my auth > service and then tie this response with the access token.. > > And when i call the secured service with the access token..keycloak > can fetch specific user information from my db using access token > (which we tied with auth response earlier) and stuff it in request > before sending it to secured api.. > > Can i achieve this and what hooks or customizations i need to do for this > > Thanks > Amit > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/7b6015bc/attachment.html From marc.boorshtein at tremolosecurity.com Fri Aug 12 09:18:20 2016 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Fri, 12 Aug 2016 09:18:20 -0400 Subject: [keycloak-user] Client secret for openid connect? Message-ID: KCers, I've got KC 2.1 up and running and integrated with my virtual directory. I'm trying to connect an OpenID connect client with it but I think I'm missing something. I created a realm and created an OIDC client. I see the client id, but how do I get the client secret? 
The client works with Google's OIDC implementation as a point of reference. Thanks Marc Boorshtein CTO Tremolo Security marc.boorshtein at tremolosecurity.com Twitter - @mlbiam / @tremolosecurity From marc.boorshtein at tremolosecurity.com Fri Aug 12 09:26:02 2016 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Fri, 12 Aug 2016 09:26:02 -0400 Subject: [keycloak-user] Client secret for openid connect? In-Reply-To: References: Message-ID: Answered my own question. my client was setup as "public" instead of "confidential" and I see the client secret in the JSON under "Installation" Marc Boorshtein CTO Tremolo Security marc.boorshtein at tremolosecurity.com (703) 828-4902 Twitter - @mlbiam / @tremolosecurity On Fri, Aug 12, 2016 at 9:18 AM, Marc Boorshtein wrote: > KCers, > > I've got KC 2.1 up and running and integrated with my virtual > directory. I'm trying to connect an OpenID connect client with it but > I think I'm missing something. I created a realm and created an OIDC > client. I see the client id, but how do I get the client secret? The > client works with Google's OIDC implementation as a point of > reference. > > Thanks > > > Marc Boorshtein > CTO Tremolo Security > marc.boorshtein at tremolosecurity.com > Twitter - @mlbiam / @tremolosecurity From mike.hills at sematree.com Fri Aug 12 11:25:31 2016 From: mike.hills at sematree.com (Mike Hills) Date: Fri, 12 Aug 2016 11:25:31 -0400 Subject: [keycloak-user] Keycloak Installation on fabric8 Message-ID: Hi Could anyone suggest best practice to install keycloak on fabric8/openshift 3? it looks like apiMan uses Keycloak to secure REST services??. I also need to configure keycloak configured to use SQL Server database. Thanks Mike -- Michael J. Hills Sr. CRM Architect Mobile: 603.475.5093 Email : mike.hills at sematree.com Skype : mhills_sematree -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/d1c5e45d/attachment.html From bburke at redhat.com Fri Aug 12 11:31:04 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 12 Aug 2016 11:31:04 -0400 Subject: [keycloak-user] Keycloak Installation on fabric8 In-Reply-To: References: Message-ID: <8b2adc0a-e8c1-b413-cb26-779459a060ad@redhat.com> DB setup: https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.1/topics/database.html Fabric8/Openshift3? I think we've done stuff on that but I dont' know where it is. On 8/12/16 11:25 AM, Mike Hills wrote: > Hi > > Could anyone suggest best practice to install keycloak on > fabric8/openshift 3? it looks like apiMan uses Keycloak to secure REST > services??. I also need to configure keycloak configured to use SQL > Server database. > > Thanks > Mike > > -- > Michael J. Hills > Sr. CRM Architect > > Mobile: 603.475.5093 > Email : mike.hills at sematree.com > Skype : mhills_sematree > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/f7b4910c/attachment-0001.html From tawura at hotmail.com Fri Aug 12 12:51:54 2016 From: tawura at hotmail.com (Attila Bara) Date: Fri, 12 Aug 2016 16:51:54 +0000 Subject: [keycloak-user] Custom set password page and email Message-ID: Hi All, I just started to work with Keycloak and I would appreciate a brief help to get on the track. I need to create a separate page that allows newly added users initially set their own password. Users bulk added by admin, and a general link should be provided for every user to this page. There they enter their username/email and receive a custom email with link to set the password. 
Basically it is a copy of the reset-password function, but it needs to be on a different URL with different page content, and also use a separate email template than reset-password.ftl.

Could you give me an overview of how this could be achieved?

Kind regards,
Tawura
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/edd0be11/attachment.html

From jahenao at itroisolutions.com Fri Aug 12 17:48:31 2016
From: jahenao at itroisolutions.com (Jairo Henao)
Date: Fri, 12 Aug 2016 21:48:31 +0000
Subject: [keycloak-user] Firstname and Lastname are null when REGISTER event
Message-ID:

Hello community:

I have a listener for the REGISTER event and it works well, but when I try to get the first and last names of the user they are null, although all other fields are filled, such as mail, telephone, etc.

    @Override
    public void onEvent(Event event) {
        if (includedEvents.contains(event.getType())) {
            if (event.getRealmId() != null && event.getUserId() != null) {
                RealmModel realm = model.getRealm(event.getRealmId());
                UserModel user = session.users().getUserById(event.getUserId(), realm);
                if (user != null) {
                    if (isUserEnroledForClients(user, realm)) {
                        // Checking the event type
                        if (EventType.REGISTER.equals(event.getType())) {
                            // Sending the new data to hubspot
                            log.infov("Registering the new user {0} in Hubspot...", user.getEmail());
                            user.getEmail();     // IS FILLED
                            user.getFirstName(); // IS NULL
                            user.getLastName();  // IS NULL
                        }
                    }
                }
            }
        }
    }

After the registration process ends, if I check the table, the new user has a firstName and lastName.

Jairo Henao Rojas
IT ROI Solutions

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160812/1a3f4e1b/attachment-0001.html

From nizar2yas at gmail.com Mon Aug 15 10:48:46 2016
From: nizar2yas at gmail.com (hasane has)
Date: Mon, 15 Aug 2016 15:48:46 +0100
Subject: [keycloak-user] Error when adding users programmatically
Message-ID:

Hi,

I'm trying to add a user programmatically to the keycloak server like this:

    import java.util.Arrays;

    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    Keycloak kc = KeycloakBuilder
            .builder()
            .serverUrl("http://localhost:8080/auth/")
            .realm("myApp")
            .username("admin")
            .password("123")
            .clientId("admin-cli")
            .clientSecret("acce91b1-53ad-467e-8895-5ef8630a3295")
            .clientId("Frontend") // second clientId() call: this value replaces "admin-cli" set above
            .resteasyClient(
                    new ResteasyClientBuilder().connectionPoolSize(10)
                            .build()).build();

    // Password credential for the new user
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");

    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setEnabled(true);
    user.setCredentials(Arrays.asList(credential));

    // POST /admin/realms/myApp/users
    kc.realm("myApp").users().create(user);

but I get this error:

15:46:51,412 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-22) Failed executing POST /admin/realms/myApp/users: org.keycloak.services.ForbiddenException
        at org.keycloak.services.resources.admin.RealmAuth.requireManage(RealmAuth.java:59)
        at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:181)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
        at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:744)

I think that the problem comes from the user role, so I tried to grant the admin role to that user, but it doesn't work.
I'm working with keycloak 1.6.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160815/a293c67b/attachment.html

From sthorger at redhat.com Tue Aug 16 03:45:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 09:45:51 +0200
Subject: [keycloak-user] [KEYCLOAK-2741] Don't remove KEYCLOAK_REMEMBERME cookie when sso session expires. Add timeout for KEYCLOAK_REMEMBERME cookie - JBoss Issue Tracker
In-Reply-To:
References:
Message-ID:

Cookie authenticator doesn't start a new session. It can only authenticate the user if the session is still active. If you want users to remain authenticated for longer even when inactive you should increase the SSO timeout. That's what it's for.

KEYCLOAK-2741 is about remembering the username so the user only has to provide the password.

On 22 July 2016 at 11:18, Valerij Timofeev wrote:

> https://issues.jboss.org/browse/KEYCLOAK-2741
>
> Hi,
>
> are there any concrete plans to implement this ticket?
>
> The current implementation does not find any positive feedback by our
> customers. We are even thinking about increasing SSO timeout from 30
> minutes to a couple of days to compensate at least a little bit the current
> drawback.
Would this break normal operation of the Keycloak servers? > > Would it be enough to implement this ticket to provide full "remember me" > feature? Can cookie authenticator (auth-cookie) start a new SSO session if > the initial one is already expired? > > Kind regards > Valerij Timofeev > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160816/45c3e332/attachment.html From sthorger at redhat.com Tue Aug 16 03:46:32 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 16 Aug 2016 09:46:32 +0200 Subject: [keycloak-user] Group names are not unique In-Reply-To: References: Message-ID: This is a known issue https://issues.jboss.org/browse/KEYCLOAK-2720 On 19 July 2016 at 16:22, Manavalan, Priya J. wrote: > > Group names don?t seem to be unique . Based on the admin API in the link > below this call should update if the group exists and create otherwise. > This does not seem to be the behavior. It creates a new group with a > different id. Is there a way to enforce unique group names? > > create or add a top level realm groupSet or create child. > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
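Two of the admin REST API problems in this archive, the ForbiddenException on POST /admin/realms/myApp/users from the "Error when adding users programmatically" thread and the non-unique group names from the thread just above (KEYCLOAK-2720), share the same client flow. The following is an added Python example, not code from the list or from the Keycloak project. It assumes the endpoint shapes of the Keycloak 1.x/2.x admin REST API (a password grant against the built-in public `admin-cli` client, then `/admin/realms/{realm}/users` and `/admin/realms/{realm}/groups`). The HTTP transport is injected so the flow can be exercised offline; `FakeKeycloak` is a constructed in-memory stand-in for a realm, and the realm, user and group names are the constructed values from the threads. The 403 mapping reflects what the stack trace shows (RealmAuth.requireManage): the token is valid but the user lacks the realm-management role for the resource, which for creating users is `manage-users`.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

# transport(method, url, headers, body) -> (http_status, response_text)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]


class AdminApiError(Exception):
    pass


class KeycloakAdmin:
    def __init__(self, server_url: str, realm: str, transport: Transport):
        self.server_url = server_url.rstrip("/")  # e.g. http://localhost:8080/auth
        self.realm, self.transport, self.token = realm, transport, None

    def login(self, username: str, password: str, client_id: str = "admin-cli") -> None:
        # Password grant. What the token may do in the admin API is decided by the
        # user's realm-management client roles, not by the client it came through.
        url = f"{self.server_url}/realms/{self.realm}/protocol/openid-connect/token"
        form = urlencode({"grant_type": "password", "client_id": client_id,
                          "username": username, "password": password}).encode()
        status, text = self.transport(
            "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise AdminApiError(f"token request failed: HTTP {status}")
        self.token = json.loads(text)["access_token"]

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> str:
        if self.token is None:
            raise AdminApiError("call login() first")
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, text = self.transport(
            method, f"{self.server_url}/admin/realms/{self.realm}{path}", headers, body)
        if status == 403:
            # The ForbiddenException from RealmAuth.requireManage in the thread:
            # authenticated, but missing the realm-management role for the
            # resource (manage-users for POST /users).
            raise AdminApiError(f"{method} {path} forbidden: grant the user the "
                                "matching realm-management role (e.g. manage-users)")
        if status >= 400:
            raise AdminApiError(f"{method} {path}: HTTP {status}")
        return text

    def create_user(self, username: str, first: str, last: str, password: str) -> str:
        self._call("POST", "/users", {
            "username": username, "firstName": first, "lastName": last,
            "enabled": True,
            "credentials": [{"type": "password", "value": password}]})
        return username

    def find_or_create_group(self, name: str) -> Tuple[str, bool]:
        # The server does not enforce unique group names (KEYCLOAK-2720), so
        # POST /groups twice yields two groups: look the name up first and
        # create only when absent. Returns (group id, created?).
        for g in json.loads(self._call("GET", "/groups")):
            if g.get("name") == name:
                return g["id"], False
        self._call("POST", "/groups", {"name": name})
        for g in json.loads(self._call("GET", "/groups")):
            if g.get("name") == name:
                return g["id"], True
        raise AdminApiError("group not listed after creation")


class FakeKeycloak:
    """Constructed in-memory stand-in for a realm so the flow runs offline."""
    def __init__(self, user_has_manage_users: bool = True):
        self.groups: List[dict] = []
        self.users: List[dict] = []
        self.allow_users = user_has_manage_users

    def __call__(self, method, url, headers, body):
        if url.endswith("/protocol/openid-connect/token"):
            return 200, json.dumps({"access_token": "constructed-token"})
        if headers.get("Authorization") != "Bearer constructed-token":
            return 401, ""
        if url.endswith("/groups") and method == "GET":
            return 200, json.dumps(self.groups)
        if url.endswith("/groups") and method == "POST":  # no name-uniqueness check
            self.groups.append({"id": f"g{len(self.groups) + 1}",
                                "name": json.loads(body)["name"]})
            return 201, ""
        if url.endswith("/users") and method == "POST":
            if not self.allow_users:
                return 403, ""  # what a user without manage-users gets
            self.users.append(json.loads(body))
            return 201, ""
        return 404, ""


def demo(user_has_manage_users: bool = True) -> dict:
    fake = FakeKeycloak(user_has_manage_users)
    kc = KeycloakAdmin("http://localhost:8080/auth", "myApp", fake)
    kc.login("admin", "123")
    gid1, created1 = kc.find_or_create_group("GROUP-Website")
    gid2, created2 = kc.find_or_create_group("GROUP-Website")
    try:
        kc.create_user("testuser", "Test", "User", "test123")
        user_created = True
    except AdminApiError:
        user_created = False
    return {"groups": len(fake.groups), "same_group": gid1 == gid2,
            "created": (created1, created2), "user_created": user_created}
```

Against a real server, replace `FakeKeycloak` with a transport that performs the HTTP request (for example with `urllib.request`) and returns the status and body; the rest of the flow is unchanged. The second `find_or_create_group` call returns the existing id instead of creating a duplicate, and a user without `manage-users` gets a readable error instead of a bare 403.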
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160816/2e3488e2/attachment-0001.html From sthorger at redhat.com Tue Aug 16 03:51:48 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 16 Aug 2016 09:51:48 +0200 Subject: [keycloak-user] Offline tokens with external IDP In-Reply-To: References: Message-ID: On 25 July 2016 at 09:01, Haim Vana wrote: > Hi, > > > > We are using KeyCloak for a several weeks now, one of the flows is user > script authentication with offline token: > > > > 1. The user log in to the UI > > 2. Generates offline token by entering his password again > > 3. Put the offline token in his script > > 4. Executes the script > > > > Now we want to add external IDP support, first is it possible to generate > offline tokens for extremal IDP in KeyCloak ? if so how ? > Assuming you're using the Keycloak login screen it's just a matter of configuring the external IdP as an identity broker provider and it will be displayed as an option on the login screen. > > > Second in section #2 above the user enters his password to generate the > offline token, with external IDP we can?t use his password, one alternative > is to always generate the offline token in the login (add offline_access), > however is it make sense to create offline token for every login ? > You shouldn't create offline token for every login, just once for a new user or once offline token is no longer valid. > > > > > Thanks, > > Haim. > The information contained in this message is proprietary to the sender, > protected from disclosure, and may be privileged. The information is > intended to be conveyed only to the designated recipient(s) of the message. > If the reader of this message is not the intended recipient, you are hereby > notified that any dissemination, use, distribution or copying of this > communication is strictly prohibited and may be unlawful. 
> If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From sthorger at redhat.com Tue Aug 16 03:54:12 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 09:54:12 +0200
Subject: [keycloak-user] Client roles for 'security-admin-console' application are not fine grained enough

We're aware that permissions are not fine grained enough at the moment and we are planning on providing something better in the future. It will however be a while until we are able to do so.

On 22 July 2016 at 16:36, Valerij Timofeev wrote:
> Hi,
>
> after reading the ticket KEYCLOAK-528 I've encountered two other issues in the "security-admin-console" application (tested on RH SSO 7.0.0):
>
> 1) As soon as a realm user gets the 'manage-users' role, he can manage "User federation" settings and even delete it. This can result in unintentional removal of all users linked with the user federation provider and thus affect potentially millions of users.
>
> 2) Users having 'view-users' role can view "User Federation". "Delete" button is visible as well although it does not work finally.
>
> IMO "User federation" should be covered by the realm management roles instead.
>
> Additionally the provided roles for the 'realm-management' client are not fine grained enough IMO. One role per REST method would be ideal and, I suppose, simpler to consider in the Keycloak Admin API.
> The "security-admin-console" application without fine grained roles exposes too much risk in real life scenarios and so makes it unusable. One use case in mind: prevent deletion of any kind for Helpdesk employees e.g. managing users. Having dedicated roles for DELETE operation would make such task possible.
>
> Kind regards
> Valerij Timofeev

From sthorger at redhat.com Tue Aug 16 04:04:43 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 10:04:43 +0200
Subject: [keycloak-user] Authenticate externally (broker identity) or locally

You can add "&kc_idp_hint=" to the login url to automatically redirect to a specific external IdP.

On 26 July 2016 at 10:54, Haim Vana wrote:
> Hi,
>
> In Identity provider settings using the 'Authenticate by Default' option the user can choose between authentication with the external IDP or locally (for example).
>
> Is there an option to achieve the same with different URLs, one for local and one for external? So it will be without the user intervention.
>
> The motivation is that sometimes we want the external user to authenticate locally, for example due to some customization we have in our login page (a plugin that injects the user/psw to the local login page).
>
> Thanks,
> Haim.
From haimv at perfectomobile.com Tue Aug 16 04:11:07 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 16 Aug 2016 08:11:07 +0000
Subject: [keycloak-user] Offline tokens with external IDP

Hi Stian,

Thanks for your answer.

What I meant to ask is how to create offline token for external IDP, I wasn't able to do it with REST API (I am able to do it if it's not external IDP).

The only way I managed to do it was when adding offline_access to the UI login page, so for external IDP, is it the only way? REST API is not supported?

Assuming it's the only way I thought to create external UI service for the user to log in and get his offline token.

What do you think about such solution? Also if the user will be already logged in, do you know if the offline token will be created? Or will he have to logout and login again?

Thanks,
Haim.
From sthorger at redhat.com Tue Aug 16 04:14:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 10:14:34 +0200
Subject: [keycloak-user] Using KeyCloak with multiple Realms
In-Reply-To: <10f62b14-2a7a-4078-a6d2-ab91a4290eaa@me.com>
References: <10f62b14-2a7a-4078-a6d2-ab91a4290eaa@me.com>

I didn't say Keycloak isn't meant to work with multiple realms, but it wasn't designed to work with a large number of realms. We considered it initially, but then figured true multi tenancy would be best introduced by having multiple instances rather than trying to achieve total isolation between realms. We don't test how well it scales with a large number of realms either.

Because of KEYCLOAK-3067, the complexity of having a "master" realm and finally the fact that an admin may be managing realms on a single instance or on multiple instances, we've decided that in the future we'll drop the master realm. Instead we'll have an option to setup "trust" between realms so an admin can easily authenticate to a different realm.

To prevent being locked out from the master realm you can remove the roles from the new realm in the admin composite realm.

On 28 July 2016 at 09:55, Tobias Schmidt wrote:
> Dear Stian,
>
> we faced an issue when using KeyCloak with a multiple-tenant service and came up with a working solution we would like your opinion on.
> Our old approach was outlined as follows:
>
> Each of our tenants was assigned a single realm. Within this realm, an "administrator" user was created that enabled the tenant to full extent within our application, but not within the KeyCloak realm itself.
>
> Our software utilized the master realm's root user to obtain the JSON installation files for our respective services. Thus, we ran into the problem of root's ever growing access rights, as described in this issue:
> https://issues.jboss.org/browse/KEYCLOAK-3067
>
> The encoded list of root's rights in the "Authentication" header exceeded 8KB and our web server was unable to process any requests from this point onward.
>
> To get rid of this problem, we devised a literal workaround: Each realm gets its specific master user who is entitled with all rights the client "realm-management" has to offer - one could say we created a local root for each realm. This master now steps up to the hole left by root and provides the public keys etc. for our services. As its rights are limited to its own realm, its bearer token remains at a constant, reasonable size.
>
> The (scripted) creation of such a new realm works like this:
>
> We manually added a user in the master realm who has no rights besides creating new users. We access this user via the admin-cli client and create a new user "creator". Creator is then assigned a random password (which is cached) and the role "create-realm".
>
> In the next step, we access creator and create our new realm, complete with clients, roles, groups and the two users, the administrator and the master.
>
> After successful creation of the realm, creator has fulfilled its purpose and is deleted. As he possesses full rights in the newly created realm, his continued existence presents a potential insecurity with no practical use to justify it.
> The big downside of our new approach is the fact that the rights of the master realm's root user still keep growing. So we inevitably lock ourselves out of the master realm security console in the long run.
>
> Of course, we're still able to access each realm's console via /auth/admin//console with the master user.
>
> Also, in the issue linked above, you commented that KeyCloak is not meant to be used with multiple realms. However, if the master realm was actually removed from KeyCloak in the future, our temporary workaround might yet turn into a long-lasting solution. Are we right on this part?
>
> Thank you very much for your consideration.

From sthorger at redhat.com Tue Aug 16 04:19:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 10:19:44 +0200
Subject: [keycloak-user] Customize Themes by Client
References: <20160728163603.GA16955@abstractj.org> <20160728203720.GA23642@abstractj.org>

Josh - could you describe your use case please? It just doesn't make any sense to me to have the login screen change depending on the client as you are not authenticating with a specific client rather with a SSO server.

On 28 July 2016 at 22:53, Josh Cain wrote:
> Sounds good! KEYCLOAK-3370 filed, the only thing I think we might have to discuss is how configuration of said SPI extension would work. We're trying to keep out-of-band configs to a minimum, and something like an SPI would still have to be configured against clients in any particular realm, which would make the GUI seem like an appropriate choice for the configuration (IMO anyway).
> I'll take the discussion there, thanks for pointing me in the right direction.
>
> Josh Cain | Software Applications Engineer
> Identity and Access Management
> Red Hat
> +1 843-737-1735
>
> On Thu, Jul 28, 2016 at 3:37 PM, Bruno Oliveira wrote:
>> Hi Josh, some answers inline.
>>
>> On 2016-07-28, Josh Cain wrote:
>> > Bruno,
>> >
>> > Thanks for the link! Wasn't on this list when it was discussed. So if I understand the thread correctly:
>> >
>> > - This feature has already been given a 'No' response by the Keycloak team.
>>
>> I'd say yes/no. From what I understood on that thread Stian suggested to expose a theme SPI. Which gives more flexibility.
>>
>> > - Best way to implement client-specific theme functionality, as per the thread, is to use the client variable + conditionals in the template to change how a page renders.
>>
>> At the moment yes, you are correct.
>>
>> > I'm a bit disappointed - I also have this requirement. Don't want to go back through and re-hash the reasons why (most were already covered on the previous thread), but a client config for a theme would be immensely helpful.
>> >
>> > As a side note, I'll be doing the work to either a) provide a mechanism for clients to arbitrarily theme the login template, or b) allow clients to select a login theme in Keycloak proper. I'd much prefer b), but it looks like a) might be my only option...
>>
>> Wouldn't the theme SPI be sufficient for your use cases? If yes, I'd suggest to file a Jira and maybe start a thread at keycloak-dev. Stian is not here and I cannot speak on his behalf. But based on that thread I believe that having a theme SPI is a fair request.
>> > On Thu, Jul 28, 2016 at 11:36 AM, Bruno Oliveira wrote:
>> > > Hi Josh, there was a discussion about it here[1].
>> > >
>> > > [1] - http://lists.jboss.org/pipermail/keycloak-user/2016-January/004288.html
>> > >
>> > > On 2016-07-28, Josh Cain wrote:
>> > > > Hi All,
>> > > >
>> > > > I've got some SP's that want the ability to customize the look/feel of the login page. Couldn't find anything on the docs/jira site, but was curious as to whether:
>> > > >
>> > > > - Keycloak currently supports login themes by client
>> > > > - If not, would the team be open to such a feature?
>> > >
>> > > --
>> > > abstractj
>> > > PGP: 0x84DC9914
From sthorger at redhat.com Tue Aug 16 04:22:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 10:22:38 +0200
Subject: [keycloak-user] Keycloak Reference Token Support

We don't have support for reference tokens at the moment.

On 26 July 2016 at 09:47, Jitendra Chouhan wrote:
> Please ignore information mentioned about KEYCLOAK-2738 in my previous mail. Still my question stands whether there is any support for reference token (generation) in keycloak or not?
>
> Thanks
>
> On Tue, Jul 26, 2016 at 1:04 PM, Jitendra Chouhan <jitendrachouhan03 at gmail.com> wrote:
>> I want to know does keycloak have support for Reference/Opaque token. I have found one feature request which is still open, submitted for implementing reference token feature i.e. KEYCLOAK-1719. Today I came across "KEYCLOAK-2738" which talks about a problem related to aud missing from reference token. Can someone confirm whether Reference/Opaque token feature is provided by keycloak; if yes then please provide a reference point to do configuration to generate "Reference/Opaque" token.
>>
>> Thanks,
>> Jitendra Chouhan

From sthorger at redhat.com Tue Aug 16 04:25:30 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 10:25:30 +0200
Subject: [keycloak-user] Why is the Base URL repeated in client configuration?
References: <20160729204014.GA8666@abstractj.org>

Looks like it's a bug in the admin console on how it handles relative URLs. As you have a root url it should be prefixed to any relative urls, but as the base url you have is not a relative url it shouldn't have the root url added. Please create a JIRA for it.

On 30 July 2016 at 02:31, Martin Min wrote:
> Hi, Bruno:
>
> I will try the customer-portal demo. I had made these demos working in keycloak 1.7, but the same way configured in 2.0, it doesn't seem to work. I need to look at these modified examples. How to delete a realm in KeyCloak? I wanted to delete the Demo realm I created and just imported the realm in the examples/ directory for customer-portal. I can't find a place I can delete a realm in the Admin console.
>
> Thank you.
> Martin
>
> On Fri, Jul 29, 2016 at 1:40 PM, Bruno Oliveira wrote:
>> Hi Martin, you can just /bword/ at the Admin URL or nothing, it depends. Take a look at our demo distribution[1]. For example, customer-portal.
>>
>> [1] - http://www.keycloak.org/downloads.html
>>
>> On 2016-07-27, Martin Min wrote:
>> > Hello, I am configuring a client in the KeyCloak admin console, but am having trouble creating a client to secure. Specifically, the Base URL field is wrong (repeated), as I saved in the configuration page.
>> >
>> > Please see the two attachments for an illustration of the issue. This looks very weird.
>> >
>> > As you can see clearly from keycloak2.png, the base URL I typed is repeated, thus invalid.
>> >
>> > Thanks for any information that might be helpful.
>> > Martin
>>
>> --
>> abstractj
>> PGP: 0x84DC9914

From marc.boorshtein at tremolosecurity.com Tue Aug 16 05:01:41 2016
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Tue, 16 Aug 2016 05:01:41 -0400
Subject: [keycloak-user] Issues with Kubernetes OIDC implementation integrating with KC

All,

Just a heads up of an issue I'm running into with Kubernetes' 1.3 OIDC implementation and KeyCloak when KeyCloak is using TLS with a self signed cert:

https://github.com/kubernetes/kubernetes/issues/30650

Looks like kubernetes rejects a self signed cert, will only work if a cert is signed.

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
Twitter - @mlbiam / @tremolosecurity

From sthorger at redhat.com Tue Aug 16 05:08:48 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Aug 2016 11:08:48 +0200
Subject: [keycloak-user] Offline tokens with external IDP

On 16 August 2016 at 10:11, Haim Vana wrote:
> Hi Stian,
>
> Thanks for your answer.
>
> What I meant to ask is how to create offline token for external IDP, I wasn't able to do it with REST API (I am able to do it if it's not external IDP).
>
> The only way I managed to do it was when adding offline_access to the UI login page, so for external IDP, is it the only way? REST API is not supported?

Login page is the only way for external IdPs.
> Assuming it's the only way I thought to create external UI service for the user to log in and get his offline token.
>
> What do you think about such solution? Also if the user will be already logged in, do you know if the offline token will be created? Or will he have to logout and login again?

Depending on what your script is implemented in, it can also start a web server on localhost, then popup the browser window to do the login and finally it'll get the code and can get the offline token directly itself. Take a look at our customer-app-cli example. It doesn't do offline token, but would be trivial to change it to do that instead.

> Thanks,
> Haim.
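The flow Stian sketches in the reply above (a script that listens on localhost, opens the browser for the Keycloak login, receives the authorization code on the redirect and exchanges it for a token with offline_access), written out as an added example. This is not code from the thread or from Keycloak's customer-app-cli; the base URL, realm, client id and callback port are constructed placeholders, and the client is assumed to be a public client with the localhost redirect URI registered. The state check is the part worth copying: a code arriving with a state this process did not generate is dropped rather than exchanged.

```python
# Added example: command-line authorization-code login that asks for an
# offline token.  Deployment values below are constructed placeholders.
import http.server
import json
import secrets
import urllib.parse
import urllib.request
import webbrowser

# Placeholders (not from the thread); a public client with this redirect URI.
KEYCLOAK_BASE = "https://sso.example.test/auth"
REALM = "demo"
CLIENT_ID = "cli-client"
REDIRECT_URI = "http://localhost:8765/callback"


def endpoints(base, realm):
    """Keycloak's OIDC endpoints live under /realms/<realm>/protocol/openid-connect."""
    root = f"{base}/realms/{realm}/protocol/openid-connect"
    return {"auth": f"{root}/auth", "token": f"{root}/token"}


def build_auth_url(base, realm, client_id, redirect_uri, state, idp_hint=None):
    """Authorization request.  'offline_access' in the scope is what turns the
    refresh token into an offline token; kc_idp_hint, mentioned earlier in the
    thread, sends the browser straight to one external IdP when given."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,
    }
    if idp_hint:
        params["kc_idp_hint"] = idp_hint
    return endpoints(base, realm)["auth"] + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Pull the code out of the redirect back to localhost.  A response whose
    state differs from ours was not started by this process and is discarded."""
    values = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if values.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not initiated by this process")
    if "error" in values:
        raise ValueError("authorization failed: " + values["error"][0])
    return values["code"][0]


def token_request_body(code, client_id, redirect_uri):
    """Form body for the code-for-token exchange (public client, so no secret)."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }).encode()


def exchange_code(base, realm, code, client_id, redirect_uri):
    """POST the code to the token endpoint and return the parsed JSON.  With
    offline_access granted, 'refresh_token' is the offline token."""
    req = urllib.request.Request(
        endpoints(base, realm)["token"],
        data=token_request_body(code, client_id, redirect_uri),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def wait_for_code(port, expected_state):
    """Serve exactly one request on 127.0.0.1:<port> and return the code."""
    outcome = {}

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                outcome["code"] = parse_callback(self.path, expected_state)
                reply = b"Login complete, you can close this window."
            except ValueError as exc:
                outcome["error"] = str(exc)
                reply = b"Login failed."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(reply)

    with http.server.HTTPServer(("127.0.0.1", port), Handler) as srv:
        srv.handle_request()
    if "error" in outcome:
        raise SystemExit(outcome["error"])
    return outcome["code"]


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    webbrowser.open(build_auth_url(KEYCLOAK_BASE, REALM, CLIENT_ID, REDIRECT_URI, state))
    code = wait_for_code(8765, state)
    tokens = exchange_code(KEYCLOAK_BASE, REALM, code, CLIENT_ID, REDIRECT_URI)
    # Treat the offline token like a password: store it outside the script.
    print(tokens["refresh_token"])
```

Because the login happens in the browser, the external IdP's own authentication (and the broker's first-login flow) is handled by Keycloak exactly as in the interactive case, which is why this works where a direct REST call cannot; the script only ever sees the code and the resulting tokens.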
From nizar2yas at gmail.com Tue Aug 16 06:30:43 2016
From: nizar2yas at gmail.com (hasane has)
Date: Tue, 16 Aug 2016 11:30:43 +0100
Subject: [keycloak-user] Keycloak Custom User Attributes description not correct from the reference guide

Hi,

I'm working with keycloak 1.6.1, and I'm following the ref guide to customize user attributes, but I found that there is a lot of incorrect information. For example, to customize user attributes you should:

1. Create a new theme within the themes/admin/mytheme directory in your distribution, where mytheme is whatever you want to name your theme. (But the path doesn't exist; I think the correct path is themes\keycloak\admin.)
2. .... (is correct)
3. Copy the file themes/admin/base/resources/partials/user-attribute-entry.html into .... (The path is not correct, but in themes\base\admin\resources\partials I find that it doesn't contain user-attribute-entry.html.)

Thanks in advance.

From haimv at perfectomobile.com Tue Aug 16 09:01:19 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 16 Aug 2016 13:01:19 +0000
Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails

Hi,

We are trying to set up KeyCloak 1.9.3 with HA on AWS EC2 with docker. The cluster is up without errors, however the login fails with the below error:

WARN [org.keycloak.events] (default task-10) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.30.200.171, error=invalid_code

We have followed this post (http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html) but used S3_PING instead of JDBC_PING.
It seems that the nodes detect each other:

INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,6dbce1e2a05a) ISPN000094: Received new cluster view for channel keycloak: [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]

We suspect that the nodes don't communicate with each other. When we queried the jboss mbean "jboss.as.expr:subsystem=jgroups,channel=ee" the result was:

jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
jgroups,channel=ee receivedMessages = 0
jgroups,channel=ee sentMessages = 0

And for the second node:

jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
jgroups,channel=ee receivedMessages = 0
jgroups,channel=ee sentMessages = 5

We also verified that the TCP ports 57600 and 7600 are open.

Any idea what might cause it?

Here is the relevant standalone-ha.xml configuration and below is the startup command:

200.129.4.189 AAAAAAAAAAAAAA BBBBBBBBBBBBBB CCCCCCCCCCCCCCCCCCCC 200.129.4.189

And we start the server using the below ($INTERNAL_HOST_IP is the container internal IP address):

standalone.sh -c=standalone-ha.xml -b=$INTERNAL_HOST_IP -bmanagement=$INTERNAL_HOST_IP -bprivate=$INTERNAL_HOST_IP

Any help will be appreciated.

Thanks,
Haim.
From igor.zuk at qualitytaskforce.com Tue Aug 16 09:38:29 2016
From: igor.zuk at qualitytaskforce.com (Igor Zuk)
Date: Tue, 16 Aug 2016 13:38:29 +0000
Subject: [keycloak-user] Keycloak user data encoding

Hi Stian

I hope you had a good time during holiday. Your autoresponse asked me to resend you the email when you're back, so here it is.

From: Igor Zuk
Sent: Wednesday, August 03, 2016 4:37 PM
To: 'stian at redhat.com'
Cc: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Keycloak user data encoding

Sorry for a delayed response, I had to temporarily suspend the investigation.

Yes, I can reproduce the issue anytime using Docker. I set up as default as possible an environment with latest MySQL:

docker run --name mysql -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -P -d mysql:latest

and Keycloak in the same version as where I found the issue, 1.9.2.Final:

docker run --name keycloak -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e MYSQL_PORT_3306_TCP_ADDR=192.168.99.100 -e MYSQL_PORT_3306_TCP_PORT=32779 -P -d jboss/keycloak-mysql:1.9.2.Final

The results were identical, special letters in names were replaced with question marks. It turned out that Keycloak created all its tables with the DB's default encoding, latin1 (ISO-8859-1). I've checked it with a query:

SELECT character_set_name FROM information_schema.`COLUMNS` WHERE table_name = "USER_ENTITY" AND column_name = "FIRST_NAME";

Once again I've manually changed the encoding of a single column:

ALTER TABLE `USER_ENTITY` MODIFY `FIRST_NAME` VARCHAR(255) CHARACTER SET utf8;

It worked, but Keycloak was still putting there names with question marks, so the issue was fully reproduced. Because it seems that Keycloak uses the DB's default encoding, I tried changing it in MySQL.
I've removed its container entirely and started it with two parameters appended to the Docker run command:

--character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci

It seems that it worked, but then Keycloak refused to start at all, throwing an exception with error:

Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)]

It looks like Keycloak is not able to work with UTF-8 in databases at all! The full startup log is here: http://pastebin.com/VMTARqgF

Because 1.9.2.Final is quite dated, I've checked the latest available MySQL-preconfigured version, 2.0.0.Final. I've repeated all the steps and the results were identical.

The example name I'm working with is M?ciwy ???w. Only the letter '?' is working, that's because it's encodable in ISO-8859-1.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, July 15, 2016 6:48 AM
To: Igor Zuk
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak user data encoding

It's strange that no one else has reported this. We had several people report the issue with umlauts, but no one else seems to have the issue with the database encoding. Maybe there's something different with your database config? Could you try with a default MySQL database installation and see if you can reproduce the issue? Also, can you give me a sample name that shows the problems.

I added a test for umlauts to registration and account management, see https://github.com/keycloak/keycloak/pull/3036. Once it's in I'll schedule a run with CI, which tests with a range of different databases.

On 12 July 2016 at 16:13, Igor Zuk wrote:
Thank you for a quick response. I'm using 1.9.2.Final and the problem is a bit different, it's not limited to registration screen.
I'm saying that ISO-8859-1 is the default encoding because all the text columns in the USER_ENTITY table had encoding latin1. The table was created completely by Keycloak as the database was empty in the beginning. I manually switched the encoding of FIRST_NAME to UTF-8 and modified it so it contained special letters. I started the user editor in the Keycloak admin console and this name was displayed correctly. I added a single character to it, saved, and then the name got messed up with question marks instead of all special characters.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, July 12, 2016 3:43 PM
To: Stian Thorgersen
Cc: Igor Zuk; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak user data encoding

By the way this was fixed in 1.6.0.Final, see https://issues.jboss.org/browse/KEYCLOAK-1830?jql=project%20%3D%20KEYCLOAK%20AND%20text%20~%20%22encoding%22

Are you using an old version?

On 12 July 2016 at 15:37, Stian Thorgersen wrote:

Why are you saying the default encoding is ISO-8859-1? All forms are encoded as UTF-8 and all strings passed to the database should be UTF-8 encoded as well.

The only thing that is ISO-8859-1 is the message properties, but those are converted to UTF-8 when added to HTML pages.

On 12 July 2016 at 14:58, Igor Zuk wrote:

Hi

I have an encoding problem. By default users' data fields (e.g. first name and last name) are encoded using ISO-8859-1. People from many countries can't properly create accounts as their personal data is silently messed up. How can I fix it?

- The MySQL DB receives already damaged names. By default all columns are ISO-8859-1-encoded, but manually converting them to UTF-8 doesn't help.
- Manual account modification from the admin console has the same effect.
- Changing the default server (Wildfly) encoding to UTF-8 doesn't do anything.
Best regards
Igor Żuk

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From aikeaguinea at xsmail.com Tue Aug 16 09:59:08 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Tue, 16 Aug 2016 09:59:08 -0400
Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails
Message-ID: <1471355948.921113.696855193.408EA451@webmail.messagingengine.com>

Yes, this gets more complicated than your standard installation. AWS doesn't allow UDP communication in S3, and you also need to configure your Infinispan cache to work while you're running in Docker.

There was a thread on this list "Using Keycloak in AWS EC2. What are people using? / Infinispan not working" where this was discussed; this is from that thread, describing how I got things working:

________________________________________________________

I just got JGroups/Infinispan with JDBC_PING working from inside a Docker cluster in ECS on EC2. I use JDBC_PING rather than S3_PING, since I need a database anyway and didn't want to have to set up an S3 bucket just for this one purpose. Nicolás, if you're on AWS the default UDP transport for JGroups doesn't work because multicast isn't supported inside EC2, which may be your problem.

Here are the configurations you'd need:

1. The JGroups module has to reference the db module. So in jgroups-module.xml I have:

    [module XML lost in the list archive]

2. The standalone-ha.xml has a JGroups subsystem (with TCP and JDBC_PING) that looks like the configuration below; I read certain variables from the environment, but may use the Wildfly vault tool for some of them.
The external_addr property configurations are only needed if you're inside a Docker container, since Wildfly has to read the address of the EC2 instance hosting the container to register itself with JGroups. For the initialize_sql you can generally use the default, but for Postgres I needed a custom DDL because I needed the BYTEA data type which isn't in the default DDL.

    [element tags lost in the list archive; the property names and values that survived are]
    external_addr: ${env.EXTERNAL_HOST_IP}
    connection_driver: org.postgresql.Driver
    connection_url: jdbc:postgresql://${env.POSTGRES_TCP_ADDR}:${env.POSTGRES_TCP_PORT}/${env.POSTGRES_DATABASE}
    connection_username: ${env.POSTGRES_USER}
    connection_password: ${env.POSTGRES_PASSWORD}
    initialize_sql:
        CREATE TABLE IF NOT EXISTS jgroupsping (
            own_addr VARCHAR(200) NOT NULL,
            cluster_name VARCHAR(200) NOT NULL,
            ping_data BYTEA DEFAULT NULL,
            PRIMARY KEY (own_addr, cluster_name)
        )
    external_addr: ${env.EXTERNAL_HOST_IP}

3. If you're in a Docker container, you have to expose the JGroups ports so they are visible from outside the container, so in standalone-ha.xml in the socket bindings I have changed to the public interface:

    [socket-binding elements lost in the list archive; the attributes that survived are]
    port="7600"/>
    port="57600"/>

4. For Docker, the startup script needs to pass the EXTERNAL_HOST_IP variable. I have a wrapper start script that first queries the AWS instance metadata service at 169.254.169.254 for the host's private IP address:

    export EXTERNAL_HOST_IP=$(curl -s 169.254.169.254/latest/meta-data/local-ipv4)
    exec $WILDFLY_HOME/bin/standalone.sh -c standalone-keycloak-ha.xml -Djboss.node.name=$HOSTNAME -Djgroups.bind_addr=global -b $HOSTNAME

On Tue, Aug 16, 2016, at 09:01 AM, Haim Vana wrote:
> Hi,
>
> We are trying to set KeyCloak 1.9.3 with HA on AWS EC2 with docker,
> the cluster is up without errors however the login fails with the
> below error:
>
> WARN [org.keycloak.events] (default task-10) type=LOGIN_ERROR,
> realmId=master, clientId=null, userId=null, ipAddress=172.30.200.171,
> error=invalid_code
>
> we have followed this post
> (http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html)
> but used S3_PING instead of JDBC_PING.
>
> It seems that the nodes detect each other:
>
> INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> (Incoming-2,ee,6dbce1e2a05a) ISPN000094: Received new cluster view for
> channel keycloak: [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
>
> We suspect that the nodes don't communicate with each other; when we
> queried the jboss mbean "jboss.as.expr:subsystem=jgroups,channel=ee"
> the result was:
> jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
> jgroups,channel=ee receivedMessages = 0
> jgroups,channel=ee sentMessages = 0
>
> And for the second node:
> jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
> jgroups,channel=ee receivedMessages = 0
> jgroups,channel=ee sentMessages = 5
>
> We also verified that the TCP ports 57600 and 7600 are open.
>
> Any idea what might cause it?
>
> Here is the relevant standalone-ha.xml configuration and below is the
> startup command:
>
> [element tags lost in the list archive; the fragments that survived are]
> socket-binding="jgroups-udp-fd"/>
> name="external_addr">200.129.4.189
> AAAAAAAAAAAAAA
> BBBBBBBBBBBBBB
> CCCCCCCCCCCCCCCCCCCC
> socket-binding="jgroups-tcp-fd">
> name="external_addr">200.129.4.189
> port="7600"/>
> port="57600"/>
>
> And we start the server using the below ($INTERNAL_HOST_IP is the
> container internal IP address):
>
> standalone.sh -c=standalone-ha.xml -b=$INTERNAL_HOST_IP -bmanagement=$INTERNAL_HOST_IP -bprivate=$INTERNAL_HOST_IP
>
> Any help will be appreciated.
>
> Thanks,
> Haim.
>
> The information contained in this message is proprietary to the
> sender, protected from disclosure, and may be privileged. The
> information is intended to be conveyed only to the designated
> recipient(s) of the message. If the reader of this message is not the
> intended recipient, you are hereby notified that any dissemination,
> use, distribution or copying of this communication is strictly
> prohibited and may be unlawful.
> If you have received this
> communication in error, please notify us immediately by replying to
> the message and deleting it from your computer. Thank you.

--
Aikeaguinea
aikeaguinea at xsmail.com

--
http://www.fastmail.com - Same, same, but different...

From Gta.fox at hotmail.com Tue Aug 16 11:59:18 2016
From: Gta.fox at hotmail.com (Fox 69)
Date: Tue, 16 Aug 2016 15:59:18 +0000
Subject: [keycloak-user] Keycloak I can not change the password in ldap
In-Reply-To: <57AC93CA.6030806@redhat.com>

Hello and thanks for your precious time.

I tried some more tricky passwords; the problem was there, but not only that. I found this post (http://stackoverflow.com/questions/9699912/can-i-change-myself-active-directory-password-from-ldap-without-administrative) saying that to change the password I needed to have LDAPS configured. Configuring LDAPS solved my problem :)

Here is the answer to someone who has my problem.

Thanks

________________________________
From: Marek Posolda
Sent: 11 August 2016 16:03
To: Fox 69; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak I can not change the password in ldap

It looks like there is a password policy in your MS Active Directory server? Can you try some more tricky password which will pass the policy? For example something like "PaSSword123:{%$#456" instead of just "password"?

Marek

On 10/08/16 16:15, Fox 69 wrote:
Hello

My use case is the following:
Create an LDAP federation between Keycloak and a Windows server.
Create a user in Keycloak.
And my problem is here: when I want to change the credentials, it does not work and shows the error "Invalid password Error:. Fails to match regex pattern (s)."

Thanks

From cjhenck at live.com Tue Aug 16 15:49:01 2016
From: cjhenck at live.com (Charles Henck)
Date: Tue, 16 Aug 2016 15:49:01 -0400
Subject: [keycloak-user] Organization Based Accounts and Permissions

Hello all,

I'm working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I'm not familiar with the specific terminology, I'm thinking of something similar to how GitHub manages their permissions:

- A single user can be a member of multiple organizations
- A user can have different roles with different organizations that grant them access to all of an organization's resources
- A user can have access to a specific resource
- That organization-specific role determines access to different organization resources

Are there any best practices or patterns for this model?

Thanks!
Justin
From bburke at redhat.com Wed Aug 17 00:16:43 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 17 Aug 2016 00:16:43 -0400
Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails
In-Reply-To: <1471355948.921113.696855193.408EA451@webmail.messagingengine.com>
Message-ID: <5514103c-7a24-76d7-ce11-4a62c5395b0d@redhat.com>

We should create a domain profile for this EC2 config.

On 8/16/16 9:59 AM, Aikeaguinea wrote:
> Yes, this gets more complicated than your standard installation. AWS
> doesn't allow UDP communication in S3, and you also need to configure
> your Infinispan cache to work while you're running in Docker.
>
> [...]
From sthorger at redhat.com Wed Aug 17 03:50:23 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 17 Aug 2016 09:50:23 +0200
Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails
In-Reply-To: <5514103c-7a24-76d7-ce11-4a62c5395b0d@redhat.com>

That'd be nice. Not sure how we would test it though. Especially not how we'd automate testing of it.

On 17 August 2016 at 06:16, Bill Burke wrote:
> We should create a domain profile for this EC2 config.
>
> On 8/16/16 9:59 AM, Aikeaguinea wrote:
> > Yes, this gets more complicated than your standard installation. AWS
> > doesn't allow UDP communication in S3, and you also need to configure
> > your Infinispan cache to work while you're running in Docker.
> >
> > [...]
From sthorger at redhat.com Wed Aug 17 03:58:20 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 17 Aug 2016 09:58:20 +0200
Subject: [keycloak-user] Keycloak user data encoding

Took a look at this yesterday and could confirm the problem. Seems to be isolated to MySQL as it works fine on H2 and PostgreSQL at least. Can you create a JIRA for it please?

On 16 August 2016 at 15:38, Igor Zuk wrote:
> Hi Stian
>
> I hope you had a good time during holiday. Your autoresponse asked me to
> resend you the email when you're back, so here it is.
>
> [...]
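The two MySQL symptoms Igor reproduced above (names outside ISO-8859-1 coming back as '?' from a latin1 column, and "Row size too large" once the server default became utf8mb4) follow from byte arithmetic, and this added Python script models both offline. It is not code from the thread or from Keycloak; its table definition is a constructed stand-in, not the real REALM schema, and only the CERTIFICATE VARCHAR(4000) column and the 65535-byte limit come from the quoted error.

```python
"""Added example (not from the thread): model the two MySQL charset
symptoms reported above without a database.

1. A latin1 column turns every character outside ISO-8859-1 into '?';
   in the sample name only the letter 'ó' survives, as reported.
2. A server default of utf8mb4 multiplies each VARCHAR's maximum byte
   length by 4, so a table that fit under latin1 can exceed InnoDB's
   65535-byte row limit, which is the "Row size too large" error.
"""
from typing import Dict, List

# Maximum bytes one character can occupy in the MySQL charsets discussed.
MAX_BYTES_PER_CHAR = {"latin1": 1, "utf8": 3, "utf8mb4": 4}

# InnoDB's limit on the non-BLOB part of a row (quoted in the error message).
INNODB_MAX_ROW_BYTES = 65535

# Sample name from the thread (Polish); only 'ó' exists in ISO-8859-1.
SAMPLE_NAME = "Mściwy Żółw"

# Constructed stand-in for a wide table (NOT Keycloak's real REALM schema):
# column name -> VARCHAR length in characters. CERTIFICATE VARCHAR(4000) is
# the column named in the failed ALTER TABLE; the rest are invented.
SAMPLE_TABLE: Dict[str, int] = {
    "ID": 255, "NAME": 255, "LOGIN_THEME": 255, "ACCOUNT_THEME": 255,
    "CERTIFICATE": 4000, "WIDE_COLUMN_2": 4000, "WIDE_COLUMN_3": 4000,
    "WIDE_COLUMN_4": 4000, "WIDE_COLUMN_5": 4000,
}


def can_store(ch: str, charset: str) -> bool:
    """True if a column in `charset` can hold the character without loss."""
    if charset == "latin1":
        return ord(ch) < 256  # ISO-8859-1 covers U+0000..U+00FF only
    # MySQL's "utf8" is the 3-byte subset of UTF-8; utf8mb4 is full UTF-8.
    return len(ch.encode("utf-8")) <= MAX_BYTES_PER_CHAR[charset]


def lossy_characters(value: str, charset: str) -> List[str]:
    """Characters of `value` that a column in `charset` would mangle."""
    return [ch for ch in value if not can_store(ch, charset)]


def store_in_latin1_column(value: str) -> str:
    """Model a lossy write into a latin1 column: every unrepresentable
    character comes back as '?', which is what USER_ENTITY showed."""
    return value.encode("latin-1", errors="replace").decode("latin-1")


def varchar_row_bytes(columns: Dict[str, int], charset: str) -> int:
    """Worst-case bytes the VARCHAR columns of one row need under `charset`,
    including InnoDB's length prefix (1 byte up to 255 bytes, else 2)."""
    per_char = MAX_BYTES_PER_CHAR[charset]
    total = 0
    for length in columns.values():
        data = length * per_char
        total += data + (1 if data <= 255 else 2)
    return total


def row_size_ok(columns: Dict[str, int], charset: str) -> bool:
    """False when converting the table to `charset` would hit the row limit."""
    return varchar_row_bytes(columns, charset) <= INNODB_MAX_ROW_BYTES


if __name__ == "__main__":
    print(f"latin1 column stores {SAMPLE_NAME!r} as "
          f"{store_in_latin1_column(SAMPLE_NAME)!r}")
    print("characters lost in latin1:", lossy_characters(SAMPLE_NAME, "latin1"))
    for cs in MAX_BYTES_PER_CHAR:
        print(f"{cs:8} row bytes = {varchar_row_bytes(SAMPLE_TABLE, cs):6} "
              f"fits = {row_size_ok(SAMPLE_TABLE, cs)}")
```

The same arithmetic explains why the fix is not just a column-level `ALTER TABLE ... CHARACTER SET utf8` on USER_ENTITY: the application side must write UTF-8 and every wide table must still fit the row limit after conversion.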
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/194f9a28/attachment-0001.html From sthorger at redhat.com Wed Aug 17 03:59:22 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 17 Aug 2016 09:59:22 +0200 Subject: [keycloak-user] Keycloak Custom User Attributes description not correct in the reference guide In-Reply-To: References: Message-ID: Please upgrade to a more recent version of Keycloak and follow the new documentation. On 16 August 2016 at 12:30, hasane has wrote: > Hi, > I'm working with keycloak 1.6.1, and I'm following the ref guide to > customize user attributes, but I found that there is a lot of incorrect > information. > For example, to customize user attributes you should: > > 1. Create a new theme within the *themes/admin/mytheme* directory in your > distribution. Where mytheme is whatever you want to name your theme. (but > the path doesn't exist, I think the correct path is > *themes\keycloak\admin* ) > 2. ....(is correct) > 3. Copy the file *themes/admin/base/resources/ > partials/user-attribute-entry.html* into ....(the path is not correct, > but in *themes\base\admin\resources\partials* I find that it doesn't > contain user-attribute-entry.html) > Thanks in advance. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/0ebb8808/attachment.html From haimv at perfectomobile.com Wed Aug 17 04:08:53 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Wed, 17 Aug 2016 08:08:53 +0000 Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails In-Reply-To: <1471355948.921113.696855193.408EA451@webmail.messagingengine.com> References: <1471355948.921113.696855193.408EA451@webmail.messagingengine.com> Message-ID: Thanks, the below is the exact post we were using as a reference. Any other idea what might cause it? Or what to search for in the logs or JMX? From: Aikeaguinea [mailto:aikeaguinea at xsmail.com] Sent: Tuesday, August 16, 2016 4:59 PM To: Haim Vana; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails Yes, this gets more complicated than your standard installation. AWS doesn't allow UDP communication in S3, and you also need to configure your Infinispan cache to work while you're running in Docker. There was a thread on this list "Using Keycloak in AWS EC2. What are people using? / Infinispan not working" where this was discussed; this is from that thread, describing how I got things working: ________________________________________________________ I just got JGroups/Infinispan with JDBC_PING working from inside a Docker cluster in ECS on EC2. I use JDBC_PING rather than S3_PING, since I need a database anyway and didn't want to have to set up an S3 bucket just for this one purpose. Nicolás, if you're on AWS the default UDP transport for JGroups doesn't work because multicast isn't supported inside EC2, which may be your problem. Here are the configurations you'd need: 1. The JGroups module has to reference the db module. So in jgroups-module.xml I have: 2. 
The standalone-ha.xml has a JGroups subsystem (with TCP and JDBC_PING) that looks like the configuration below; I read certain variables from the environment, but may use the Wildfly vault tool for some of them. The external_addr property configurations are only needed if you're inside a Docker container, since Wildfly has to read the address of the EC2 instance hosting the container to register itself with JGroups. For the initialize_sql you can generally use the default, but for Postgres I needed a custom DDL because I needed the BYTEA data type which isn't in the default DDL. ${env.EXTERNAL_HOST_IP} org.postgresql.Driver jdbc:postgresql://${env.POSTGRES_TCP_ADDR}:${env.POSTGRES_TCP_PORT}/${env.POSTGRES_DATABASE} ${env.POSTGRES_USER} ${env.POSTGRES_PASSWORD} CREATE TABLE IF NOT EXISTS jgroupsping ( own_addr VARCHAR(200) NOT NULL, cluster_name VARCHAR(200) NOT NULL, ping_data BYTEA DEFAULT NULL, PRIMARY KEY (own_addr, cluster_name) ) ${env.EXTERNAL_HOST_IP} 3. If you're in a Docker container, you have to expose the JGroups ports so they are visible from outside the container, so in standalone-ha.xml in the socket bindings I have changed to the public interface: 4. For Docker, the startup script needs to pass the EXTERNAL_HOST_IP variable. 
I have a wrapper start script that first queries the AWS instance metadata service at 169.254.169.254 for the host's private IP address: export EXTERNAL_HOST_IP=$(curl -s 169.254.169.254/latest/meta-data/local-ipv4) exec $WILDFLY_HOME/bin/standalone.sh -c standalone-keycloak-ha.xml -Djboss.node.name=$HOSTNAME -Djgroups.bind_addr=global -b $HOSTNAME On Tue, Aug 16, 2016, at 09:01 AM, Haim Vana wrote: Hi, We are trying to set up KeyCloak 1.9.3 with HA on AWS EC2 with docker, the cluster is up without errors however the login fails with the below error: WARN [org.keycloak.events] (default task-10) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.30.200.171, error=invalid_code we have followed this (http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html ) post but used S3_PING instead of JDBC_PING. It seems that the nodes detect each other: INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,6dbce1e2a05a) ISPN000094: Received new cluster view for channel keycloak: [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd] We suspect that the nodes don't communicate with each other; when we queried the jboss mbean "jboss.as.expr:subsystem=jgroups,channel=ee" the result was: jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd] jgroups,channel=ee receivedMessages = 0 jgroups,channel=ee sentMessages = 0 And for the second node: jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd] jgroups,channel=ee receivedMessages = 0 jgroups,channel=ee sentMessages = 5 We also verified that the TCP ports 57600 and 7600 are open. Any idea what might cause it? 
Here is the relevant standalone-ha.xml configuration and below is the startup command: 200.129.4.189 AAAAAAAAAAAAAA BBBBBBBBBBBBBB CCCCCCCCCCCCCCCCCCCC 200.129.4.189 And we start the server using the below ($INTERNAL_HOST_IP is the container internal IP address): standalone.sh -c=standalone-ha.xml -b=$INTERNAL_HOST_IP -bmanagement=$INTERNAL_HOST_IP -bprivate=$INTERNAL_HOST_IP Any help will be appreciated. Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- Aikeaguinea aikeaguinea at xsmail.com -- http://www.fastmail.com - Same, same, but different... -------------- next part -------------- An HTML attachment was scrubbed... 
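A check for the situation Haim describes (a two-member view is logged, the channel counters stay at zero, and login fails), as an added example that is not part of the thread and not Keycloak or JGroups tooling: parse the JGroups view line out of the server log, then probe the JGroups TCP ports (7600 and 57600, matching the jgroups-tcp and jgroups-tcp-fd socket bindings discussed above) on each peer from the node you are on. Inside a container the probe must target the peer's external address, the EC2 host IP that external_addr advertises, not the container-internal address. The sample log line is a copy of the one quoted above, the peer list is the caller's, and the loopback listener only exists so the script can exercise itself offline; all function names are my own.

```python
"""Added example, not code from the thread or from Keycloak.

Two quick checks for a JGroups cluster that "sees" its members but does not
talk to them: parse the view line from the server log, and probe the JGroups
TCP ports on each peer from the node you are on.  Peer addresses are passed
in by the caller; the ports match the jgroups-tcp / jgroups-tcp-fd socket
bindings discussed on the list.
"""
import re
import socket

# jgroups-tcp (transport) and jgroups-tcp-fd (FD_SOCK failure detection).
JGROUPS_PORTS = (7600, 57600)

# Constructed copy of the log line quoted on the list, used by the demo below.
SAMPLE_VIEW_LINE = (
    "INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(Incoming-2,ee,6dbce1e2a05a) ISPN000094: Received new cluster view for "
    "channel keycloak: [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]"
)

# Shape of a view: "[coordinator|view-id] (size) [member, member, ...]"
VIEW_RE = re.compile(
    r"Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coordinator>[^|\]]+)\|(?P<view_id>\d+)\] "
    r"\((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)


def parse_cluster_view(log_line):
    """Extract channel, coordinator, view id and member list from a view line.

    Raises ValueError if the line is not a view line or if the member list
    does not match the advertised size (a truncated log line, for example).
    """
    match = VIEW_RE.search(log_line)
    if match is None:
        raise ValueError("not a JGroups cluster view line")
    members = [m.strip() for m in match.group("members").split(",") if m.strip()]
    if len(members) != int(match.group("size")):
        raise ValueError("member list does not match advertised view size")
    return {
        "channel": match.group("channel"),
        "coordinator": match.group("coordinator"),
        "view_id": int(match.group("view_id")),
        "members": members,
    }


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_peers(peers, ports=JGROUPS_PORTS, timeout=2.0):
    """Map each peer address to {port: reachable} for the JGroups ports."""
    return {host: {port: port_open(host, port, timeout) for port in ports}
            for host in peers}


def unreachable_pairs(report):
    """Flatten a probe report into the (host, port) pairs that failed."""
    return [(host, port) for host, ports in report.items()
            for port, ok in ports.items() if not ok]


def loopback_listener():
    """Open a listening socket on an ephemeral loopback port for self-tests.

    Returns (socket, port); the caller closes the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    view = parse_cluster_view(SAMPLE_VIEW_LINE)
    print("channel %s, view %d, coordinator %s, members %s"
          % (view["channel"], view["view_id"], view["coordinator"], view["members"]))
    # Assumed peer list: in a real run pass the external (EC2 host) addresses
    # of the other nodes, which is what peers actually connect to.  Here a
    # loopback listener stands in for a reachable peer so the demo runs offline.
    srv, port = loopback_listener()
    report = probe_peers(["127.0.0.1"], ports=(port,))
    srv.close()
    print("unreachable:", unreachable_pairs(report))
```

If every peer's 7600 and 57600 are reachable from inside the container but the counters still do not move, the next thing to compare is the address each node advertises (external_addr and the bind address passed with -b) against the address the probe actually used.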
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/3aa9c887/attachment-0001.html From postmaster at lists.jboss.org Wed Aug 17 04:52:29 2016 From: postmaster at lists.jboss.org (The Post Office) Date: Wed, 17 Aug 2016 14:22:29 +0530 Subject: [keycloak-user] Delivery reports about your e-mail Message-ID: <201608170853.u7H8rlu6021122@lists01.dmz-a.mwc.hst.phx2.redhat.com> The original message was included as attachment -------------- next part -------------- A non-text attachment was scrubbed... Name: WVRPV.SCR Type: application/octet-stream Size: 28864 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/99e2b714/attachment-0001.obj From igor.zuk at qualitytaskforce.com Wed Aug 17 06:33:45 2016 From: igor.zuk at qualitytaskforce.com (Igor Zuk) Date: Wed, 17 Aug 2016 10:33:45 +0000 Subject: [keycloak-user] Keycloak user data encoding In-Reply-To: References: Message-ID: I've created a new issue on Jira: https://issues.jboss.org/browse/KEYCLOAK-3439. Thank you for your help :) From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, August 17, 2016 9:58 AM To: Igor Zuk Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak user data encoding Took a look at this yesterday and could confirm the problem. Seems to be isolated to MySQL as it works fine on H2 and PostgreSQL at least. Can you create a JIRA for it please? On 16 August 2016 at 15:38, Igor Zuk wrote: Hi Stian I hope you had a good time during holiday. Your autoresponse asked me to resend you the email when you're back, so here it is. From: Igor Zuk Sent: Wednesday, August 03, 2016 4:37 PM To: 'stian at redhat.com' Cc: keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] Keycloak user data encoding Sorry for a delayed response, I had to temporarily suspend the investigation. Yes, I can reproduce the issue anytime using Docker. 
I set up an environment as close to default as possible with the latest MySQL: docker run --name mysql -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -P -d mysql:latest and Keycloak in the same version as where I found the issue, 1.9.2.Final: docker run --name keycloak -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e MYSQL_PORT_3306_TCP_ADDR=192.168.99.100 -e MYSQL_PORT_3306_TCP_PORT=32779 -P -d jboss/keycloak-mysql:1.9.2.Final The results were identical, special letters in names were replaced with question marks. It turned out that Keycloak created all its tables with the DB's default encoding, latin1 (ISO-8859-1). I've checked it with a query: SELECT character_set_name FROM information_schema.`COLUMNS` WHERE table_name = "USER_ENTITY" AND column_name = "FIRST_NAME"; Once again I've manually changed the encoding of a single column: ALTER TABLE `USER_ENTITY` MODIFY `FIRST_NAME` VARCHAR(255) CHARACTER SET utf8; It worked, but Keycloak was still putting names with question marks there, so the issue was fully reproduced. Because it seems that Keycloak uses the DB's default encoding, I tried changing it in MySQL. I've removed its container entirely and started it with two parameters appended to the Docker run command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci It seems that it worked, but then Keycloak refused to start at all, throwing an exception with the error: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)] It looks like Keycloak is not able to work with UTF-8 in databases at all! The full startup log is here: http://pastebin.com/VMTARqgF Because 1.9.2.Final is quite dated, I've checked the latest available MySQL-preconfigured version, 2.0.0.Final. 
I've repeated all the steps and the results were identical. The example name I'm working with is Mściwy Żółw. Only the letter 'ó' is working, that's because it's encodable in ISO-8859-1. From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Friday, July 15, 2016 6:48 AM To: Igor Zuk Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak user data encoding It's strange that no one else has reported this. We had several people report the issue with umlauts, but no one else seems to have the issue with the database encoding. Maybe there's something different with your database config? Could you try with a default MySQL database installation and see if you can reproduce the issue? Also, can you give me a sample name that shows the problems. I added a test for umlauts to registration and account management, see https://github.com/keycloak/keycloak/pull/3036. Once it's in I'll schedule a run with CI, which tests with a range of different databases. On 12 July 2016 at 16:13, Igor Zuk wrote: Thank you for a quick response. I'm using 1.9.2.Final and the problem is a bit different, it's not limited to the registration screen. I'm saying that ISO-8859-1 is the default encoding because all the text columns in the USER_ENTITY table had encoding latin1. The table was created completely by Keycloak as the database was empty in the beginning. I manually switched the encoding of FIRST_NAME to UTF-8 and modified it so it contained special letters. I started the user editor in the Keycloak admin console and this name was displayed correctly. I added a single character to it, saved, and then the name got messed up with question marks instead of all special characters. 
From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Tuesday, July 12, 2016 3:43 PM To: Stian Thorgersen Cc: Igor Zuk; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak user data encoding By the way this was fixed in 1.6.0.Final, see https://issues.jboss.org/browse/KEYCLOAK-1830?jql=project%20%3D%20KEYCLOAK%20AND%20text%20~%20%22encoding%22 Are you using an old version? On 12 July 2016 at 15:37, Stian Thorgersen wrote: Why are you saying the default encoding is ISO-8859-1? All forms are encoded as UTF-8 and all strings passed to the database should be UTF-8 encoded as well. The only thing that is ISO-8859-1 is the message properties, but those are converted to UTF-8 when added to HTML pages. On 12 July 2016 at 14:58, Igor Zuk wrote: Hi I have an encoding problem. By default users' data fields (e.g. first name and last name) are encoded using ISO-8859-1. People from many countries can't properly create accounts as their personal data is silently messed up. How can I fix it? - The MySQL DB receives already damaged names. By default all columns are ISO-8859-1-encoded, but manually converting them to UTF-8 doesn't help. - Manual account modification from admin console has same effect. - Change of default server (Wildfly) encoding to UTF-8 doesn't do anything. Best regards Igor Żuk _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
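The mangling Igor reproduces has two separate parts, and both can be shown without a database. This is an added example, not code from the thread or from Keycloak: the first function models what a latin1 column keeps of a Unicode name (every character without an ISO-8859-1 code point becomes '?', so of Mściwy Żółw only the ó survives, exactly as reported above), and the second computes the declared row size that MySQL checks against its 65535-byte limit, which is why VARCHAR columns that fit under latin1 can fail to be created under utf8mb4, where every character is counted as four bytes. The column list is a constructed stand-in for a wide table, not the real REALM schema, and the function names are mine.

```python
"""Added example, not code from the thread or from Keycloak.

Models the two effects seen on the list: a latin1 column destroying
non-ISO-8859-1 letters, and MySQL's 65535-byte declared-row-size limit being
exceeded once a utf8mb4 server charset makes every VARCHAR(n) cost 4*n bytes.
"""

# Maximum bytes one character can occupy in the MySQL charsets discussed.
BYTES_PER_CHAR = {"latin1": 1, "utf8": 3, "utf8mb4": 4}

# MySQL's limit on the declared row size (all columns except BLOB/TEXT).
MYSQL_MAX_ROW_BYTES = 65535


def store_in_latin1_column(name):
    """What a latin1 column keeps of a Unicode name.

    Characters with no ISO-8859-1 code point are replaced with '?', which is
    the symptom from the list: 'Mściwy Żółw' becomes 'M?ciwy ?ó?w' because
    only ó (U+00F3) is representable in latin1.
    """
    return name.encode("latin-1", errors="replace").decode("latin-1")


def lost_in_latin1(name):
    """Characters of `name` that a latin1 column would silently destroy."""
    return [c for c in name if ord(c) > 0xFF]


def declared_row_bytes(varchar_columns, charset):
    """Declared row size of a table of VARCHAR columns under `charset`.

    MySQL counts VARCHAR(n) as n * max-bytes-per-char plus a length prefix
    (1 byte when that maximum is below 256, else 2), so the same DDL can fit
    under latin1 and overflow under utf8mb4.  `varchar_columns` maps column
    name -> declared length.
    """
    bytes_per_char = BYTES_PER_CHAR[charset]
    total = 0
    for length in varchar_columns.values():
        max_bytes = length * bytes_per_char
        total += max_bytes + (1 if max_bytes < 256 else 2)
    return total


def fits_row_limit(varchar_columns, charset):
    """True if the table can be created under `charset` within the row limit."""
    return declared_row_bytes(varchar_columns, charset) <= MYSQL_MAX_ROW_BYTES


# Constructed stand-in for a wide table: five VARCHAR(4000) columns, the same
# width as the REALM.CERTIFICATE column in the failing ALTER.  This is not the
# real REALM schema.
SAMPLE_WIDE_TABLE = {"col%d" % i: 4000 for i in range(5)}


if __name__ == "__main__":
    for name in ("Mściwy Żółw", "Igor Żuk"):
        print("%s -> %s (lost: %s)" % (name, store_in_latin1_column(name),
                                       "".join(lost_in_latin1(name))))
    for charset in BYTES_PER_CHAR:
        print("%-8s %6d bytes, fits: %s" % (
            charset,
            declared_row_bytes(SAMPLE_WIDE_TABLE, charset),
            fits_row_limit(SAMPLE_WIDE_TABLE, charset)))
```

The second half explains why flipping --character-set-server to utf8mb4 is not a drop-in fix: the column widths in the schema were sized for one byte per character, so the wide VARCHAR columns have to become TEXT (as the MySQL error itself suggests) before a 4-byte charset will work.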
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/916e0b9a/attachment-0001.html From postmaster at lists.jboss.org Wed Aug 17 07:14:10 2016 From: postmaster at lists.jboss.org (Mail Delivery Subsystem) Date: Wed, 17 Aug 2016 16:44:10 +0530 Subject: [keycloak-user] Status Message-ID: <201608171114.u7HBEtDm001030@lists01.dmz-a.mwc.hst.phx2.redhat.com> Dear user keycloak-user at lists.jboss.org, We have detected that your email account was used to send a large amount of spam messages during the last week. We suspect that your computer was infected by a recent virus and now runs a trojan proxy server. Please follow the instructions in order to keep your computer safe. Sincerely yours, lists.jboss.org technical support team. -------------- next part -------------- A non-text attachment was scrubbed... Name: document.scr Type: application/octet-stream Size: 28864 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/966deb7a/attachment-0001.obj From sthorger at redhat.com Wed Aug 17 08:24:30 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 17 Aug 2016 14:24:30 +0200 Subject: [keycloak-user] Keycloak user data encoding In-Reply-To: References: Message-ID: Thanks, I'll try to get someone to look at it soon. If you make any progress on your end please let us know. On 17 August 2016 at 12:33, Igor Zuk wrote: > I've created a new issue on Jira: https://issues.jboss.org/browse/KEYCLOAK-3439. Thank you for your help :) > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, August 17, 2016 9:58 AM > > *To:* Igor Zuk > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Keycloak user data encoding > > > > Took a look at this yesterday and could confirm the problem. Seems to be > isolated to MySQL as it works fine on H2 and PostgreSQL at least. > > > > Can you create a JIRA for it please? 
> > > > > > > > On 16 August 2016 at 15:38, Igor Zuk wrote: > > Hi Stian > > > > I hope you had a good time during holiday. Your autoresponse asked me to > resend you the email when you're back, so here it is. > > > > *From:* Igor Zuk > *Sent:* Wednesday, August 03, 2016 4:37 PM > *To:* 'stian at redhat.com' > *Cc:* keycloak-user at lists.jboss.org > *Subject:* RE: [keycloak-user] Keycloak user data encoding > > > > Sorry for a delayed response, I had to temporarily suspend the > investigation. > > > > > > Yes, I can reproduce the issue anytime using Docker. > > > > I set up an environment as close to default as possible with the latest MySQL: > > *docker run --name mysql -e MYSQL_ROOT_PASSWORD=root -e > MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak > -P -d mysql:latest* > > and Keycloak in the same version as where I found the issue, 1.9.2.Final: > > *docker run --name keycloak -e MYSQL_DATABASE=keycloak -e > MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e > MYSQL_PORT_3306_TCP_ADDR=192.168.99.100 -e MYSQL_PORT_3306_TCP_PORT=32779 > -P -d jboss/keycloak-mysql:1.9.2.Final* > > > > The results were identical, special letters in names were replaced with > question marks. It turned out that Keycloak created all its tables with > the DB's default encoding, latin1 (ISO-8859-1). I've checked it with a > query: > > *SELECT character_set_name FROM information_schema.`COLUMNS` WHERE > table_name = "USER_ENTITY" AND column_name = "FIRST_NAME";* > > > > Once again I've manually changed the encoding of a single column: > > *ALTER TABLE `USER_ENTITY` MODIFY `FIRST_NAME` VARCHAR(255) CHARACTER SET > utf8;* > > It worked, but Keycloak was still putting names with question marks there, > so the issue was fully reproduced. > > > > > > Because it seems that Keycloak uses the DB's default encoding, I tried > changing it in MySQL. 
I've removed its container entirely and started it > with two parameters appended to the Docker run command: > > *--character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci* > > It seems that it worked, but then Keycloak refused to start at all, > throwing an exception with the error: > > *Row size too large. The maximum row size for the used table type, not > counting BLOBs, is 65535. This includes storage overhead, check the manual. > You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE > keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)]* > > It looks like Keycloak is not able to work with UTF-8 in databases at all! > The full startup log is here: http://pastebin.com/VMTARqgF > > > > > > Because 1.9.2.Final is quite dated, I've checked the latest available > MySQL-preconfigured version, 2.0.0.Final. I've repeated all the steps and > the results were identical. > > > > > > The example name I'm working with is Mściwy Żółw. Only the letter 'ó' is > working, that's because it's encodable in ISO-8859-1. > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com ] > > *Sent:* Friday, July 15, 2016 6:48 AM > *To:* Igor Zuk > *Cc:* keycloak-user at lists.jboss.org > > > *Subject:* Re: [keycloak-user] Keycloak user data encoding > > > > It's strange that no one else has reported this. We had several people > report the issue with umlauts, but no one else seems to have the issue with > the database encoding. Maybe there's something different with your database > config? Could you try with a default MySQL database installation and see if > you can reproduce the issue? Also, can you give me a sample name that shows > the problems. > > > > I added a test for umlauts to registration and account management, see > https://github.com/keycloak/keycloak/pull/3036. Once it's in I'll > schedule a run with CI, which tests with a range of different databases. > > > > On 12 July 2016 at 16:13, Igor Zuk wrote: > > Thank you for a quick response. 
> > > > I'm using 1.9.2.Final and the problem is a bit different, it's not limited > to the registration screen. > > > > I'm saying that ISO-8859-1 is the default encoding because all the text > columns in the USER_ENTITY table had encoding latin1. The table was created > completely by Keycloak as the database was empty in the beginning. I > manually switched the encoding of FIRST_NAME to UTF-8 and modified it so it > contained special letters. I started the user editor in the Keycloak admin > console and this name was displayed correctly. I added a single character > to it, saved, and then the name got messed up with question marks instead > of all special characters. > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Tuesday, July 12, 2016 3:43 PM > *To:* Stian Thorgersen > *Cc:* Igor Zuk ; > keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Keycloak user data encoding > > > > By the way this was fixed in 1.6.0.Final, see https://issues.jboss.org/browse/KEYCLOAK-1830?jql=project%20%3D%20KEYCLOAK%20AND%20text%20~%20%22encoding%22 > > > > Are you using an old version? > > > > On 12 July 2016 at 15:37, Stian Thorgersen wrote: > > Why are you saying the default encoding is ISO-8859-1? All forms are > encoded as UTF-8 and all strings passed to the database should be UTF-8 > encoded as well. > > > > The only thing that is ISO-8859-1 is the message properties, but those are > converted to UTF-8 when added to HTML pages. > > > > On 12 July 2016 at 14:58, Igor Zuk wrote: > > Hi > > > > I have an encoding problem. By default users' data fields (e.g. first name > and last name) are encoded using ISO-8859-1. People from many countries > can't properly create accounts as their personal data is silently messed > up. How can I fix it? > > - The MySQL DB receives already damaged names. By default all > columns are ISO-8859-1-encoded, but manually converting them to UTF-8 > doesn't help. > > - 
Manual account modification from admin console has same effect. > > - Change of default server (Wildfly) encoding to UTF-8 doesn't do > anything. > > > > Best regards > > Igor Żuk > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/0c9c7e40/attachment-0001.html From srossillo at smartling.com Wed Aug 17 10:50:21 2016 From: srossillo at smartling.com (Scott Rossillo) Date: Wed, 17 Aug 2016 10:50:21 -0400 Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails In-Reply-To: References: <1471355948.921113.696855193.408EA451@webmail.messagingengine.com> Message-ID: <1B0F0ECF-AABF-4870-A042-1B34B44B1E4C@smartling.com> Have you looked at this Gist of mine [0]? I posted it to the mailing list once before. Maybe I should make a more official document, but it may help if you're using docker. [0]: https://gist.github.com/foo4u/ad2fa7251ac5b4d4fd318f668f50f7ac Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com > On Aug 17, 2016, at 4:08 AM, Haim Vana wrote: > > Thanks, the below is the exact post we were using as a reference. > > Any other idea what might cause it? Or what to search for in the logs or JMX? > > > From: Aikeaguinea [mailto:aikeaguinea at xsmail.com ] > Sent: Tuesday, August 16, 2016 4:59 PM > To: Haim Vana; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails > > Yes, this gets more complicated than your standard installation. AWS doesn't allow UDP communication in S3, and you also need to configure your Infinispan cache to work while you're running in Docker. > > There was a thread on this list "Using Keycloak in AWS EC2. 
What are people using? / Infinispan not working" where this was discussed; this is from that thread, describing how I got things working: > > ________________________________________________________ > > I just got JGroups/Infinispan with JDBC_PING working from inside a > Docker cluster in ECS on EC2. I use JDBC_PING rather than S3_PING, since > I need a database anyway and didn't want to have to set up an S3 bucket > just for this one purpose. Nicolás, if you're on AWS the default UDP > transport for JGroups doesn't work because multicast isn't supported > inside EC2, which may be your problem. > > Here are the configurations you'd need: > > 1. The JGroups module has to reference the db module. So in > jgroups-module.xml I have: > > > > > > > 2. The standalone-ha.xml has a JGroups subsystem (with TCP and > JDBC_PING) that looks like the configuration below; I read certain > variables from the environment, but may use the Wildfly vault tool for > some of them. The external_addr property configurations are only needed > if you're inside a Docker container, since Wildfly has to read the > address of the EC2 instance hosting the container to register itself > with JGroups. For the initialize_sql you can generally use the default, > but for Postgres I needed a custom DDL because I needed the BYTEA data > type which isn't in the default DDL. > > > > > > > > > > name="external_addr">${env.EXTERNAL_HOST_IP} > > > > name="connection_driver">org.postgresql.Driver > name="connection_url">jdbc:postgresql://${env.POSTGRES_TCP_ADDR}:${env.POSTGRES_TCP_PORT}/${env.POSTGRES_DATABASE} > name="connection_username">${env.POSTGRES_USER} > name="connection_password">${env.POSTGRES_PASSWORD} > > CREATE TABLE IF NOT EXISTS jgroupsping ( > own_addr VARCHAR(200) NOT NULL, > cluster_name VARCHAR(200) NOT NULL, > ping_data BYTEA DEFAULT NULL, > PRIMARY KEY (own_addr, cluster_name) > ) > > > > > > name="external_addr">${env.EXTERNAL_HOST_IP} > > > > > > > > > > > > > > > 3. 
If you're in a Docker container, you have to expose the JGroups ports > so they are visible from outside the container, so in standalone-ha.xml > in the socket bindings I have changed to the public interface: > > port="7600"/> > port="57600"/> > > 4. For Docker, the startup script needs to pass the EXTERNAL_HOST_IP > variable. I have a wrapper start script that first queries the AWS > instance metadata service at 169.254.169.254 for the host's private IP address: > > export EXTERNAL_HOST_IP=$(curl -s > 169.254.169.254/latest/meta-data/local-ipv4) > exec $WILDFLY_HOME/bin/standalone.sh -c standalone-keycloak-ha.xml > -Djboss.node.name=$HOSTNAME -Djgroups.bind_addr=global -b $HOSTNAME > > > On Tue, Aug 16, 2016, at 09:01 AM, Haim Vana wrote: > Hi, > > We are trying to set KeyCloak 1.9.3 with HA on AWS EC2 with docker, the cluster is up without errors however the login fails with the below error: > > WARN [org.keycloak.events] (default task-10) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.30.200.171, error=invalid_code > > we have followed this (http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html ) post but used S3_PING instead of JDBC_PING. 
> > It seems that the nodes detect each other: > > INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,6dbce1e2a05a) ISPN000094: Received new cluster view for channel keycloak: [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd] > > We suspect that the nodes don't communicate with each other; when we queried the jboss mbean "jboss.as.expr:subsystem=jgroups,channel=ee" the result was: > jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd] > jgroups,channel=ee receivedMessages = 0 > jgroups,channel=ee sentMessages = 0 > > And for the second node: > jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd] > jgroups,channel=ee receivedMessages = 0 > jgroups,channel=ee sentMessages = 5 > > > We also verified that the TCP ports 57600 and 7600 are open. > > Any idea what might cause it? > > > Here is the relevant standalone-ha.xml configuration and below is the startup command: > > > > > > > > > > > > > > > > > > > > > > > > 200.129.4.189 > > > AAAAAAAAAAAAAA > BBBBBBBBBBBBBB > CCCCCCCCCCCCCCCCCCCC > > > > 200.129.4.189 > > > > > > > > > > > > > > > > > > And we start the server using the below ($INTERNAL_HOST_IP is the container internal IP address): > standalone.sh -c=standalone-ha.xml -b=$INTERNAL_HOST_IP -bmanagement=$INTERNAL_HOST_IP -bprivate=$INTERNAL_HOST_IP > > > Any help will be appreciated. > > > Thanks, > Haim. > > 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Aikeaguinea > aikeaguinea at xsmail.com > > > > -- > http://www.fastmail.com - Same, same, but different... _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/53af0015/attachment-0001.html From bburke at redhat.com Wed Aug 17 10:54:11 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 17 Aug 2016 10:54:11 -0400 Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails In-Reply-To: <1B0F0ECF-AABF-4870-A042-1B34B44B1E4C@smartling.com> References: <1471355948.921113.696855193.408EA451@webmail.messagingengine.com> <1B0F0ECF-AABF-4870-A042-1B34B44B1E4C@smartling.com> Message-ID: <44e330c2-31b9-2e2a-0f5a-4698636d2bed@redhat.com> Do you have to use JDBC-PING? On 8/17/16 10:50 AM, Scott Rossillo wrote: > Have you looked at this Gist of mine [0]? I posted it to the mailing list > once before. Maybe I should make a more official document, but it may > help if you're using docker. 
>
> [0]: https://gist.github.com/foo4u/ad2fa7251ac5b4d4fd318f668f50f7ac
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On Aug 17, 2016, at 4:08 AM, Haim Vana wrote:
>>
>> Thanks, the below is the exact post we were using as a reference.
>> Any other idea what might cause it? Or what to search for in the logs or JMX?
>>
>> From: Aikeaguinea [mailto:aikeaguinea at xsmail.com]
>> Sent: Tuesday, August 16, 2016 4:59 PM
>> To: Haim Vana; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails
>>
>> Yes, this gets more complicated than your standard installation. AWS doesn't allow UDP communication in S3, and you also need to configure your Infinispan cache to work while you're running in Docker.
>>
>> There was a thread on this list "Using Keycloak in AWS EC2. What are people using? / Infinispan not working" where this was discussed; this is from that thread describing how I got things working:
>> ________________________________________________________
>> I just got JGroups/Infinispan with JDBC_PING working from inside a Docker cluster in ECS on EC2. I use JDBC_PING rather than S3_PING, since I need a database anyway and didn't want to have to set up an S3 bucket just for this one purpose. Nicolás, if you're on AWS the default UDP transport for JGroups doesn't work because multicast isn't supported inside EC2, which may be your problem.
>>
>> Here are the configurations you'd need:
>>
>> 1. The JGroups module has to reference the db module. So in jgroups-module.xml I have:
>>
>> [jgroups-module.xml: the XML was stripped by the archive]
>>
>> 2. The standalone-ha.xml has a JGroups subsystem (with TCP and JDBC_PING) that looks like the configuration below; I read certain variables from the environment, but may use the Wildfly vault tool for some of them.
>> The external_addr property configurations are only needed if you're inside a Docker container, since Wildfly has to read the address of the EC2 instance hosting the container to register itself with JGroups. For the initialize_sql you can generally use the default, but for Postgres I needed a custom DDL because I needed the BYTEA data type which isn't in the default DDL.
>>
>> [JGroups subsystem XML: the element tags were stripped by the archive; only these fragments survive]
>> name="external_addr">${env.EXTERNAL_HOST_IP}
>> name="connection_driver">org.postgresql.Driver
>> name="connection_url">jdbc:postgresql://${env.POSTGRES_TCP_ADDR}:${env.POSTGRES_TCP_PORT}/${env.POSTGRES_DATABASE}
>> name="connection_username">${env.POSTGRES_USER}
>> name="connection_password">${env.POSTGRES_PASSWORD}
>> CREATE TABLE IF NOT EXISTS jgroupsping (
>>   own_addr VARCHAR(200) NOT NULL,
>>   cluster_name VARCHAR(200) NOT NULL,
>>   ping_data BYTEA DEFAULT NULL,
>>   PRIMARY KEY (own_addr, cluster_name)
>> )
>> name="external_addr">${env.EXTERNAL_HOST_IP}
>>
>> 3. If you're in a Docker container, you have to expose the JGroups ports so they are visible from outside the container, so in standalone-ha.xml in the socket bindings I have changed to the public interface:
>> port="7600"/>
>> port="57600"/>
>>
>> 4. For Docker, the startup script needs to pass the EXTERNAL_HOST_IP variable.
>> I have a wrapper start script that first queries the AWS instance metadata service at 169.254.169.254 for the host's private IP address:
>>
>> export EXTERNAL_HOST_IP=$(curl -s 169.254.169.254/latest/meta-data/local-ipv4)
>> exec $WILDFLY_HOME/bin/standalone.sh -c standalone-keycloak-ha.xml -Djboss.node.name=$HOSTNAME -Djgroups.bind_addr=global -b $HOSTNAME
>>
>> On Tue, Aug 16, 2016, at 09:01 AM, Haim Vana wrote:
>>
>> Hi,
>> We are trying to set KeyCloak 1.9.3 with HA on AWS EC2 with docker, the cluster is up without errors however the login fails with the below error:
>>
>> WARN [org.keycloak.events] (default task-10) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.30.200.171, error=invalid_code
>>
>> we have followed this (http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html) post but used S3_PING instead of JDBC_PING.
>>
>> It seems that the nodes detect each other:
>>
>> INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,6dbce1e2a05a) ISPN000094: Received new cluster view for channel keycloak: [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
>>
>> We suspect that the nodes don't communicate with each other; when we queried the JBoss MBean "jboss.as.expr:subsystem=jgroups,channel=ee" the result was:
>>
>> jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
>> jgroups,channel=ee receivedMessages = 0
>> jgroups,channel=ee sentMessages = 0
>>
>> And for the second node:
>>
>> jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
>> jgroups,channel=ee receivedMessages = 0
>> jgroups,channel=ee sentMessages = 5
>>
>> We also verified that the TCP ports 57600 and 7600 are open.
>>
>> Any idea what might cause it?
>> Here is the relevant standalone-ha.xml configuration and below is the startup command:
>>
>> [standalone-ha.xml excerpt: the XML elements were stripped by the archive; only these values survive]
>> 200.129.4.189
>> AAAAAAAAAAAAAA
>> BBBBBBBBBBBBBB
>> CCCCCCCCCCCCCCCCCCCC
>> 200.129.4.189
>> port="57600"/>
>>
>> And we start the server using the below ($INTERNAL_HOST_IP is the container internal IP address):
>>
>> standalone.sh -c=standalone-ha.xml -b=$INTERNAL_HOST_IP -bmanagement=$INTERNAL_HOST_IP -bprivate=$INTERNAL_HOST_IP
>>
>> Any help will be appreciated.
>>
>> Thanks,
>> Haim.

From joe at joethielen.com Wed Aug 17 11:30:29 2016
From: joe at joethielen.com (Joe Thielen)
Date: Wed, 17 Aug 2016 11:30:29 -0400
Subject: [keycloak-user] Newbie question about session last access time updating.
Message-ID:

Hello all. I am new to both Keycloak and OpenID Connect. Keycloak looks like a fantastic project and thanks to all who've put in work on it.

I love that Keycloak can be set up to save events (login/logout/etc...). I love that there is a way to administratively log out user sessions. All this is great.

My question is, what is the proper procedure to update the session's "Last Access" if I want it to be updated on every page request by a user? In some cases I have strict application requirements where it's important to know exactly when the user last did something. So I can't just log them in and periodically do a refresh to keep the session going. I want to update the session every time the user does something (i.e., every page request or API request). Maybe this is overkill for most applications.

Like I said, I'm new to both Keycloak and OpenID Connect. I've figured out how to do the authorization flow, request user info, and logout. And I think I've figured out how to update the session in such a manner that it does update the last access time.
However, I'm not sure I'm doing it correctly... Here is an example using curl of what I've been doing to keep the last access time updated:

curl -s --data "grant_type=refresh_token&client_id=CLIENTID&client_secret=CLIENTSECRET&refresh_token=REFRESHTOKEN" "https://HOSTNAME:8443/auth/realms/REALMNAME/protocol/openid-connect/token"

Am I incorrectly using the refresh token here? In reading up on the flow, it seems like this should only be used periodically, like when the access_token expires.

A positive side effect of this is that on every single request I'm checking to ensure the session hasn't been administratively logged out.

From TBarcia at wfscorp.com Wed Aug 17 11:44:17 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Wed, 17 Aug 2016 15:44:17 +0000
Subject: [keycloak-user] Import and exported client
Message-ID:

In Keycloak 1.9.8-Final I have to create identical clients in different realms for DEV/QA/TEST environments and was hoping that I could export the clients and import them into other realms. When I try this, I receive the error that the client already exists. I have verified that the client does NOT exist in the realm and that I can create a client manually with the same name and information but for whatever reason the import fails.

Can I simply remove the ID from the json for the import or is there some other method to import an existing client to a different realm?

Thank you.

*** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited.
If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***

From jarekala at axway.com Wed Aug 17 11:52:26 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Wed, 17 Aug 2016 15:52:26 +0000
Subject: [keycloak-user] Import and exported client
In-Reply-To:
References:
Message-ID: <33A971E161C79C44B0AE524C102277EA30ABBA7C@WPHXMAIL1.phx.axway.int>

Thomas,

This is due to the internal id representation in the exported json file. Though you changed the client id (physical name) it still had the same internal id in the json export file. You might want to change that uuid and try again.

Example: "id" : "phxcm002-4d72-4c56-8e2b-5536fc095887"

You need to prefix or modify it to make it unique from the previous id.

Hope this helps!

Thanks,
Jagan Rekala

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Barcia
Sent: Wednesday, August 17, 2016 8:44 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Import and exported client

In Keycloak 1.9.8-Final I have to create identical clients in different realms for DEV/QA/TEST environments and was hoping that I could export the clients and import them into other realms. When I try this, I receive the error that the client already exists. I have verified that the client does NOT exist in the realm and that I can create a client manually with the same name and information but for whatever reason the import fails.
Can I simply remove the ID from the json for the import or is there some other method to import an existing client to a different realm?

Thank you.

From valerij.timofeev at gmail.com Wed Aug 17 11:53:38 2016
From: valerij.timofeev at gmail.com (Valerij Timofeev)
Date: Wed, 17 Aug 2016 17:53:38 +0200
Subject: [keycloak-user] [KEYCLOAK-2741] Don't remove KEYCLOAK_REMEMBERME cookie when sso session expires. Add timeout for KEYCLOAK_REMEMBERME cookie - JBoss Issue Tracker
In-Reply-To:
References:
Message-ID:

Thank you Stian. We will try an SSO time-out of 3 days to work around the current limitation of the "remember me" function.

A more optimal solution would be https://issues.jboss.org/browse/KEYCLOAK-1267
Are there any plans to work on it?

2016-08-16 9:45 GMT+02:00 Stian Thorgersen :
> Cookie authenticator doesn't start a new session. It can only authenticate the user if the session is still active.
>
> If you want users to remain authenticated for longer even when inactive you should increase the SSO timeout. That's what it's for.
>
> KEYCLOAK-2741 is about remembering the username so the user only has to provide the password.
>
> On 22 July 2016 at 11:18, Valerij Timofeev wrote:
>
>> https://issues.jboss.org/browse/KEYCLOAK-2741
>>
>> Hi,
>>
>> are there any concrete plans to implement this ticket?
>>
>> The current implementation does not find any positive feedback from our customers. We are even thinking about increasing the SSO timeout from 30 minutes to a couple of days to compensate at least a little bit for the current drawback. Would this break normal operation of the Keycloak servers?
>>
>> Would it be enough to implement this ticket to provide a full "remember me" feature? Can the cookie authenticator (auth-cookie) start a new SSO session if the initial one is already expired?
>>
>> Kind regards
>> Valerij Timofeev

From kevin.thorpe at p-i.net Wed Aug 17 12:47:48 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Wed, 17 Aug 2016 17:47:48 +0100
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
Message-ID:

I'm trying to use Keycloak 2.0.0 from the docker image using mysql and I can't log in once running. It all starts up ok and it creates the initial schema ok. When I try to log in to the admin console it can't find the admin user. What am I doing wrong? I thought it was my modifications to the image to add https that were wrong but it doesn't work from the published image anyway.

lots snipped....
keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of 800 services (542 services are lazy, passive or on-demand)
keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin

docker-compose.yml is:

keycloak:
  image: jboss/keycloak-mysql:2.0.0.Final
  # image: docker.pibenchmark.com/pi-keycloak:2.0.0-01
  environment:
    MYSQL_PORT_3306_TCP_ADDR: mysql
    MYSQL_PORT_3306_TCP_PORT: 3306
    MYSQL_USERNAME: keycloak
    MYSQL_PASSWORD: xxxxxx
  ports:
    - "8443:8443/tcp"
    - "8080:8080/tcp"
  links:
    - keycloak-db:mysql
  # tty: true
  # stdin_open: true

keycloak-db:
  environment:
    MYSQL_ROOT_PASSWORD: yyyyyy
    MYSQL_DATABASE: keycloak
    MYSQL_USER: keycloak
    MYSQL_PASSWORD: xxxxxx
  image: mysql/mysql-server:5.6
  volumes:
    - keycloak-test-db:/var/lib/mysql
  volume_driver: convoy

Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344
150 Buckingham Palace Road, London, SW1W 9TR, UK

SAVE PAPER - THINK BEFORE YOU PRINT!
____________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named.
If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From jarekala at axway.com Wed Aug 17 13:02:51 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Wed, 17 Aug 2016 17:02:51 +0000
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To:
References:
Message-ID: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int>

There needs to be an admin user created while Keycloak is being started. So, you need to pass the environment variables to the docker container. Without passing the environment variables Keycloak will not have an admin user unless you use the previous database of Keycloak that had an admin user already. Try adding these two variables in your compose file and let us know.

- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=password-here

Thanks,
Jagan Rekala

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe
Sent: Wednesday, August 17, 2016 9:48 AM
To: keycloak-user
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql

I'm trying to use Keycloak 2.0.0 from the docker image using mysql and I can't log in once running. It all starts up ok and it creates the initial schema ok. When I try to log in to the admin console it can't find the admin user. What am I doing wrong?
I thought it was my modifications to the image to add https that were wrong but it doesn't work from the published image anyway.

lots snipped....

keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of 800 services (542 services are lazy, passive or on-demand)
keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin

docker-compose.yml is:

keycloak:
  image: jboss/keycloak-mysql:2.0.0.Final
  # image: docker.pibenchmark.com/pi-keycloak:2.0.0-01
  environment:
    MYSQL_PORT_3306_TCP_ADDR: mysql
    MYSQL_PORT_3306_TCP_PORT: 3306
    MYSQL_USERNAME: keycloak
    MYSQL_PASSWORD: xxxxxx
  ports:
    - "8443:8443/tcp"
    - "8080:8080/tcp"
  links:
    - keycloak-db:mysql
  # tty: true
  # stdin_open: true

keycloak-db:
  environment:
    MYSQL_ROOT_PASSWORD: yyyyyy
    MYSQL_DATABASE: keycloak
    MYSQL_USER: keycloak
    MYSQL_PASSWORD: xxxxxx
  image: mysql/mysql-server:5.6
  volumes:
    - keycloak-test-db:/var/lib/mysql
  volume_driver: convoy

Kevin Thorpe
VP Enterprise Platform
From kevin.thorpe at p-i.net Wed Aug 17 13:29:22 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Wed, 17 Aug 2016 18:29:22 +0100
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int>
References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int>
Message-ID:

Ah, ok I'll try that. The original issue though was that it wasn't picking up the admin user from the existing 1.7.0 database.

Ok. Now I've got further. I can start Keycloak 2.0.0 on a new database by adding the admin user to the environment. It still doesn't work on my old database.
I get these errors indicating that it's trying to add the admin user and failing as it already exists:

keycloak_1 | 2016-08-17T17:24:10.666079599Z 17:24:10,665 INFO [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'
keycloak_1 | 2016-08-17T17:24:10.777277798Z 17:24:10,777 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 1062, SQLState: 23000
keycloak_1 | 2016-08-17T17:24:10.777402463Z 17:24:10,777 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'
keycloak_1 | 2016-08-17T17:24:10.778545355Z 17:24:10,778 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (ServerService Thread Pool -- 49) HHH000010: On release of batch it still contained JDBC statements
keycloak_1 | 2016-08-17T17:24:10.784002565Z 17:24:10,783 ERROR [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists

Problem is that the admin login is now admin/admin which I set in the environment vars, not the original admin user password from the old installation. Once I'm in I see I have a completely empty database.

I'm confused,

Kevin Thorpe
VP Enterprise Platform

On 17 August 2016 at 18:02, Jagannadha Rekala wrote:
> There needs to be an admin user created while Keycloak is being started. So, you need to pass the environment variables to the docker container. Without passing the environment variables Keycloak will not have an admin user unless you use the previous database of Keycloak that had an admin user already. Try adding these two variables in your compose file and let us know.
>
> - KEYCLOAK_USER=admin
> - KEYCLOAK_PASSWORD=password-here
>
> Thanks,
> Jagan Rekala
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe
> Sent: Wednesday, August 17, 2016 9:48 AM
> To: keycloak-user
> Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
>
> I'm trying to use Keycloak 2.0.0 from the docker image using mysql and I can't log in once running. It all starts up ok and it creates the initial schema ok. When I try to log in to the admin console it can't find the admin user. What am I doing wrong? I thought it was my modifications to the image to add https that were wrong but it doesn't work from the published image anyway.
>
> lots snipped....
> keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of 800 services (542 services are lazy, passive or on-demand)
> keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin
>
> docker-compose.yml is:
>
> keycloak:
>   image: jboss/keycloak-mysql:2.0.0.Final
>   # image: docker.pibenchmark.com/pi-keycloak:2.0.0-01
>   environment:
>     MYSQL_PORT_3306_TCP_ADDR: mysql
>     MYSQL_PORT_3306_TCP_PORT: 3306
>     MYSQL_USERNAME: keycloak
>     MYSQL_PASSWORD: xxxxxx
>   ports:
>     - "8443:8443/tcp"
>     - "8080:8080/tcp"
>   links:
>     - keycloak-db:mysql
>   # tty: true
>   # stdin_open: true
>
> keycloak-db:
>   environment:
>     MYSQL_ROOT_PASSWORD: yyyyyy
>     MYSQL_DATABASE: keycloak
>     MYSQL_USER: keycloak
>     MYSQL_PASSWORD: xxxxxx
>   image: mysql/mysql-server:5.6
>   volumes:
>     - keycloak-test-db:/var/lib/mysql
>   volume_driver: convoy
>
> Kevin Thorpe
> VP Enterprise Platform

From jarekala at axway.com Wed Aug 17 15:53:52 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Wed, 17 Aug 2016 19:53:52 +0000
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To:
References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int>
Message-ID: <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int>

Kevin,

Since the admin user already exists in the older database it cannot create the same user. You can take an export of the older database from a standalone (not dockered) Keycloak version 1.7.0. This will export into a json file and you can verify whether that export has all the data that you wanted. Then you can import the same into the Keycloak 2.0.0 that is started in the newer database. This is just a work-around to see whether data still persists, but not sure what caused the data being deleted from the database of 1.7.0.
You can refer to the following link for export and import:
https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/paged/server-administration-guide/chapter-16-export-and-import

Thanks,
Jagan Rekala

From: Kevin Thorpe [mailto:kevin.thorpe at p-i.net]
Sent: Wednesday, August 17, 2016 10:29 AM
To: Jagannadha Rekala
Cc: keycloak-user
Subject: Re: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql

Ah, ok I'll try that. The original issue though was that it wasn't picking up the admin user from the existing 1.7.0 database.

Ok. Now I've got further. I can start Keycloak 2.0.0 on a new database by adding the admin user to the environment. It still doesn't work on my old database. I get these errors indicating that it's trying to add the admin user and failing as it already exists:

keycloak_1 | 2016-08-17T17:24:10.666079599Z 17:24:10,665 INFO [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'
keycloak_1 | 2016-08-17T17:24:10.777277798Z 17:24:10,777 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 1062, SQLState: 23000
keycloak_1 | 2016-08-17T17:24:10.777402463Z 17:24:10,777 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'
keycloak_1 | 2016-08-17T17:24:10.778545355Z 17:24:10,778 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (ServerService Thread Pool -- 49) HHH000010: On release of batch it still contained JDBC statements
keycloak_1 | 2016-08-17T17:24:10.784002565Z 17:24:10,783 ERROR [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists

Problem is that the admin login is now admin/admin which I set in the environment vars, not the original admin user
password from the old installation. Once I'm in I see I have a completely empty database. I'm confused, Kevin Thorpe VP Enterprise Platform [http://i.imgur.com/8UeC1YO.png] www.p-i.net | @PI_150 T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344 150 Buckingham Palace Road, London, SW1W 9TR, UK [https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo_150.png] [https://clients.p-i.net/documents/11003/1116416/ISO27001.logo_150.png] [https://clients.p-i.net/documents/11003/1116416/QMS.logo_150.png] [https://clients.p-i.net/documents/11003/1116416/pci.logo_150.png] SAVE PAPER - THINK BEFORE YOU PRINT! ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. On 17 August 2016 at 18:02, Jagannadha Rekala > wrote: There needs to be an admin user created while Keycloak being started. So, you need to pass the environment variables to the docker container. Without passing the environment variables Keycloak will not have an admin user unless you use the previous database of Keycloak that had admin user already. Try adding these two variables in your compose file and let us know. 
- KEYCLOAK_USER=admin - KEYCLOAK_PASSWORD=password-here Thanks, Jagan Rekala From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe Sent: Wednesday, August 17, 2016 9:48 AM To: keycloak-user > Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql I'm trying to use Keycloak 2.0.0 from the docker image using mysql and I can't log in once running. It all starts up ok and it creates the initial schema ok. When I try to log in to the admion console it can't find the admin user. What am I doing wrong? I thought it was my modifications to the image to add https that were wrong but it doesn't work from the published image anyway. lots snipped.... keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of 800 services (542 services are lazy, passive or on-demand) keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin docker-compose.yml is: keycloak: image: jboss/keycloak-mysql:2.0.0.Final # image: docker.pibenchmark.com/pi-keycloak:2.0.0-01 environment: MYSQL_PORT_3306_TCP_ADDR: mysql MYSQL_PORT_3306_TCP_PORT: 3306 MYSQL_USERNAME: keycloak MYSQL_PASSWORD: xxxxxx ports: - "8443:8443/tcp" - "8080:8080/tcp" links: - keycloak-db:mysql # tty: true # stdin_open: true keycloak-db: environment: MYSQL_ROOT_PASSWORD: yyyyyy MYSQL_DATABASE: keycloak MYSQL_USER: keycloak MYSQL_PASSWORD: xxxxxx image: mysql/mysql-server:5.6 volumes: - keycloak-test-db:/var/lib/mysql volume_driver: convoy Kevin Thorpe VP Enterprise 
Platform [http://i.imgur.com/8UeC1YO.png] www.p-i.net | @PI_150 T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344 150 Buckingham Palace Road, London, SW1W 9TR, UK [https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo_150.png] [https://clients.p-i.net/documents/11003/1116416/ISO27001.logo_150.png] [https://clients.p-i.net/documents/11003/1116416/QMS.logo_150.png] [https://clients.p-i.net/documents/11003/1116416/pci.logo_150.png] SAVE PAPER - THINK BEFORE YOU PRINT! ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/8c227cb6/attachment-0001.html

From raymond.zhou at moneris.com Wed Aug 17 16:05:02 2016
From: raymond.zhou at moneris.com (Zhou, Limin (Ray))
Date: Wed, 17 Aug 2016 20:05:02 +0000
Subject: [keycloak-user] disable kerberos SSO when needed
Message-ID: <0ABE2BE06E188B4FA117BC5D9D11ECCF50520805@sq9bmexpr03.MONAD.MONERIS.COM>

Hello

Right now our keycloak server was set up to do kerberos authentication with ldap as backup, so in this case the user will get in automatically from the company domain when they hit the URL. We have application role definitions in keycloak; if the user does not have the role configured then we want to log them out back to the default keycloak login page and let them try their LDAP user account. But because kerberos authentication is always on the top, right after we log out the user, kerberos will let them in automatically.

Right now we are using keycloak.logout from keycloak.js to log out the user.

I am wondering what is the good practice to achieve this? Any suggestions are welcome.

thanks
raymond

________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here. Please see the Moneris Privacy Policy here.
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
________________________________
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
If you wish to remove your name from the Moneris mailing list, please click here. Please see the Moneris Privacy Policy here.
This e-mail may contain confidential or privileged information, and its sender does not waive any related right or obligation. The distribution, use or reproduction of this e-mail or of the information it contains by anyone other than its intended recipient is prohibited. If you have received this e-mail in error, please advise me immediately (by return e-mail or otherwise).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/b89bb5d9/attachment.html

From kevin.thorpe at p-i.net Wed Aug 17 16:29:52 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Wed, 17 Aug 2016 21:29:52 +0100
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To: <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int>
References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int> <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int>
Message-ID:

Yes I understand why the warnings about adding the admin user. That actually makes me comfortable that it is connecting to the mysql database correctly. What is odd is the subsequent empty config. The mysql database is still fully populated. So it looks horribly like it's not using the mysql db at all.

On 17 Aug 2016 20:53, "Jagannadha Rekala" wrote:

> Kevin,
>
> Since the admin user already exists in the older database it cannot create
> the same user. You can take export of the older database from a standalone
> (not dockered) Keycloak version 1.7.0. This will export into a json file
> and you can verify whether that export has all the data that you wanted.
> Then you can import the same into the Keycloak 2.0.0 that is started in the
> newer database. This is just a work-around to see whether data still
> persists but not sure what caused the data being deleted from the database
> of 1.7.0.
>
> You can refer the following link for export and import
>
> https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/paged/server-administration-guide/chapter-16-export-and-import
>
> Thanks,
>
> Jagan Rekala

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/76e7dbc7/attachment-0001.html

From srossillo at smartling.com Wed Aug 17 17:34:31 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Wed, 17 Aug 2016 17:34:31 -0400
Subject: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails
In-Reply-To: <44e330c2-31b9-2e2a-0f5a-4698636d2bed@redhat.com>
References: <1471355948.921113.696855193.408EA451@webmail.messagingengine.com> <1B0F0ECF-AABF-4870-A042-1B34B44B1E4C@smartling.com> <44e330c2-31b9-2e2a-0f5a-4698636d2bed@redhat.com>
Message-ID: <4FB23261-72CD-41CD-BBC2-345958226089@smartling.com>

If the JDBC-PING question is for me, it just seemed to be the most logical choice since we have a relational database anyway. S3_PING or the other AWS options should work well but are more complex to configure, IMO.
Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Aug 17, 2016, at 10:54 AM, Bill Burke wrote:
>
> Do you have to use JDBC-PING?
>
> On 8/17/16 10:50 AM, Scott Rossillo wrote:
>> Have you looked at this Gist of mine [0]? I posted to the mailing list once before. Maybe I should make a more official document but it may help if you're using docker.
>>
>> [0]: https://gist.github.com/foo4u/ad2fa7251ac5b4d4fd318f668f50f7ac
>>
>> Scott Rossillo
>> Smartling | Senior Software Engineer
>> srossillo at smartling.com
>>
>>> On Aug 17, 2016, at 4:08 AM, Haim Vana wrote:
>>>
>>> Thanks, the below is the exact post we were using as a reference.
>>>
>>> Any other idea what might cause it? Or what to search for in the logs or JMX?
>>>
>>> From: Aikeaguinea [mailto:aikeaguinea at xsmail.com]
>>> Sent: Tuesday, August 16, 2016 4:59 PM
>>> To: Haim Vana; keycloak-user at lists.jboss.org
>>> Subject: Re: [keycloak-user] KeyCloak HA on AWS EC2 with docker - cluster is up but login fails
>>>
>>> Yes, this gets more complicated than your standard installation. AWS doesn't allow UDP communication in S3, and you also need to configure your Infinispan cache to work while you're running in Docker.
>>>
>>> There was a thread on this list "Using Keycloak in AWS EC2. What are people using? / Infinispan not working" where this was discussed; this is from that thread describing how I got things working:
>>>
>>> ________________________________________________________
>>>
>>> I just got JGroups/Infinispan with JDBC_PING working from inside a
>>> Docker cluster in ECS on EC2. I use JDBC_PING rather than S3_PING, since
>>> I need a database anyway and didn't want to have to set up an S3 bucket
>>> just for this one purpose. Nicolás, if you're on AWS the default UDP
>>> transport for JGroups doesn't work because multicast isn't supported
>>> inside EC2, which may be your problem.
>>>
>>> Here are the configurations you'd need:
>>>
>>> 1. The JGroups module has to reference the db module. So in
>>> jgroups-module.xml I have:
>>>
>>> 2. The standalone-ha.xml has a JGroups subsystem (with TCP and
>>> JDBC_PING) that looks like the configuration below; I read certain
>>> variables from the environment, but may use the Wildfly vault tool for
>>> some of them. The external_addr property configurations are only needed
>>> if you're inside a Docker container, since Wildfly has to read the
>>> address of the EC2 instance hosting the container to register itself
>>> with JGroups. For the initialize_sql you can generally use the default,
>>> but for Postgres I needed a custom DDL because I needed the BYTEA data
>>> type which isn't in the default DDL.
>>>
>>> name="external_addr">${env.EXTERNAL_HOST_IP}
>>> name="connection_driver">org.postgresql.Driver
>>> name="connection_url">jdbc:postgresql://${env.POSTGRES_TCP_ADDR}:${env.POSTGRES_TCP_PORT}/${env.POSTGRES_DATABASE}
>>> name="connection_username">${env.POSTGRES_USER}
>>> name="connection_password">${env.POSTGRES_PASSWORD}
>>> CREATE TABLE IF NOT EXISTS jgroupsping (
>>>     own_addr VARCHAR(200) NOT NULL,
>>>     cluster_name VARCHAR(200) NOT NULL,
>>>     ping_data BYTEA DEFAULT NULL,
>>>     PRIMARY KEY (own_addr, cluster_name)
>>> )
>>> name="external_addr">${env.EXTERNAL_HOST_IP}
>>>
>>> 3. If you're in a Docker container, you have to expose the JGroups ports
>>> so they are visible from outside the container, so in standalone-ha.xml
>>> in the socket bindings I have changed to the public interface:
>>>
>>> port="7600"/>
>>> port="57600"/>
>>>
>>> 4. For Docker, the startup script needs to pass the EXTERNAL_HOST_IP
>>> variable. I have a wrapper start script that first queries the AWS
>>> instance metadata service at 169.254.169.254 for the host's private IP address:
>>>
>>> export EXTERNAL_HOST_IP=$(curl -s 169.254.169.254/latest/meta-data/local-ipv4)
>>> exec $WILDFLY_HOME/bin/standalone.sh -c standalone-keycloak-ha.xml -Djboss.node.name=$HOSTNAME -Djgroups.bind_addr=global -b $HOSTNAME
>>>
>>> On Tue, Aug 16, 2016, at 09:01 AM, Haim Vana wrote:
>>> Hi,
>>>
>>> We are trying to set KeyCloak 1.9.3 with HA on AWS EC2 with docker, the cluster is up without errors however the login fails with the below error:
>>>
>>> WARN [org.keycloak.events] (default task-10) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.30.200.171, error=invalid_code
>>>
>>> we have followed this (http://lists.jboss.org/pipermail/keycloak-user/2016-February/004940.html) post but used S3_PING instead of JDBC_PING.
>>>
>>> It seems that the nodes detect each other:
>>>
>>> INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,6dbce1e2a05a) ISPN000094: Received new cluster view for channel keycloak: [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
>>>
>>> We suspect that the nodes don't communicate with each other; when we queried the jboss mbean "jboss.as.expr:subsystem=jgroups,channel=ee" the result was:
>>> jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
>>> jgroups,channel=ee receivedMessages = 0
>>> jgroups,channel=ee sentMessages = 0
>>>
>>> And for the second node:
>>> jgroups,channel=ee = [6dbce1e2a05a|1] (2) [6dbce1e2a05a, 75f2b2e98cfd]
>>> jgroups,channel=ee receivedMessages = 0
>>> jgroups,channel=ee sentMessages = 5
>>>
>>> We also verified that the TCP ports 57600 and 7600 are open.
>>>
>>> Any idea what might cause it?
>>>
>>> Here is the relevant standalone-ha.xml configuration and below is the startup command:
>>>
>>> 200.129.4.189
>>> AAAAAAAAAAAAAA
>>> BBBBBBBBBBBBBB
>>> CCCCCCCCCCCCCCCCCCCC
>>> 200.129.4.189
>>>
>>> And we start the server using the below ($INTERNAL_HOST_IP is the container internal IP address):
>>> standalone.sh -c=standalone-ha.xml -b=$INTERNAL_HOST_IP -bmanagement=$INTERNAL_HOST_IP -bprivate=$INTERNAL_HOST_IP
>>>
>>> Any help will be appreciated.
>>>
>>> Thanks,
>>> Haim.
>>>
>>> The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Aikeaguinea
>>> aikeaguinea at xsmail.com
>>>
>>> --
>>> http://www.fastmail.com - Same, same, but different...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/993bbee9/attachment-0001.html

From bburke at redhat.com Wed Aug 17 17:38:13 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 17 Aug 2016 17:38:13 -0400
Subject: [keycloak-user] disable kerberos SSO when needed
In-Reply-To: <0ABE2BE06E188B4FA117BC5D9D11ECCF50520805@sq9bmexpr03.MONAD.MONERIS.COM>
References: <0ABE2BE06E188B4FA117BC5D9D11ECCF50520805@sq9bmexpr03.MONAD.MONERIS.COM>
Message-ID: <68192f27-8c92-d0f7-fed4-f27aff9922cd@redhat.com>

You would need to create a custom authenticator that is like an account chooser page, i.e. two buttons, one says "login to kerberos", the other says "login to ldap". A custom flow would look like this:

* Cookie Authenticator
* create an ALTERNATIVE sub flow
  * REQUIRED Account Chooser custom authenticator page - if the kerberos button is clicked, call AuthFlowContext.success(), otherwise AuthFlowContext.attempted(). Attempted will abort this alternative flow
  * REQUIRED built-in Kerberos Authenticator
* create another ALTERNATIVE sub flow
  * REQUIRED built-in username/password authenticator

On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
>
> Hello
>
> Right now our keycloak server was setup to do kerberos authentication
> with ldap as backup, so in this case, the user will get them in
> automatically from the company domain when they hitting the URL, we have
> application role definitions in the keycloak, if the user does not have
> the role configured then we want to logout them back to the default
> keycloak login page and let them try their LDAP user account.
>
> But because kerberos authentication is always on the top, so right
> after we logout the user, the kerberos will let them in automatically
>
> right now we are using keycloak.logout from keycloak.js to logout user
>
> I am wondering what is the good practice to achieve this?
>
> Any suggestions are welcome
>
> thanks
>
> raymond

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160817/58ad3291/attachment.html

From psilva at redhat.com Wed Aug 17 18:25:32 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 17 Aug 2016 18:25:32 -0400 (EDT)
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To:
Message-ID: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com>

----- Original Message -----
From: "Pedro Igor Silva"
To: "Charles Henck"
Cc: keycloak-user at lists.jboss.org
Sent: Wednesday, August 17, 2016 6:38:01 PM
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions

----- Original Message -----
> From: "Charles Henck"
> To: keycloak-user at lists.jboss.org
> Sent: Tuesday, August 16, 2016 4:49:01 PM
> Subject: [keycloak-user] Organization Based Accounts and Permissions
>
> Hello all,
>
> I'm working on an organization-based service and want to have
> resource-specific permissions that are restricted by (from a user
> perspective) organization-specific roles.
Since I?m not familiar with the > specific terminology, I?m thinking of something similar to how GitHub > manages their permissions: > > > > - A single user can be a member of multiple organizations > > - A user can have a different roles with different organizations that grant > them access to all of an organization's resources If the organizations each represent a separated realm, you won't be able to share users. In Keycloak, an user belongs to a single realm. I think that with some creative naming for roles (and groups), you can get there. > > - A user can have access to a specific resource > > - That organization-specific role determines access to different organization > resources You can address these two by using our authorization services. Or even writing a plenty of "ifs" in your application based on the information carried by a token. I would suggest you to give a try to the authorization services :) For instance, let's say you have a "Organization A Resource". This resource is associated with a "Organization A Resource Permission". Here the "Organization A Resource" represents any resource in Organization A and "Organization A Resource Permission" represents all the policies you want to enforce to any resource that belongs to Organization A. In this case, you can apply different types of policies to these resources, for instance, only users with role "organization-a-role" are allowed. You may also have a "Charles Resource", which was created by your service using the Protection API. In this case, your service may specify that "Charles Resource" belongs to Charles (resource owner) and apply permissions/policies to this resource that define that only Charles is allowed to access. Going further, let's say that you want to give temporary access to your resource to someone. You may create a "Temporary Access Policy" that specifies which users (user-based policy) are allowed to access your resource. 
Another thing you can do is perform access decisions based on the actions that you can perform on your resource. Let's say that everybody can see your resource, but only the resource owner (you) can edit or delete it. I'm really thinking about pushing a new example application with a permission model similar to github, it will be fun :) > > > > Are there any best practices or patterns for this model? > > > > Thanks! > > Justin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From marc.boorshtein at tremolosecurity.com Wed Aug 17 22:05:14 2016 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Wed, 17 Aug 2016 22:05:14 -0400 Subject: [keycloak-user] Keycloak, OpenUnison and Kubernetes OpenID Connect Message-ID: KC Team, I posted a blog post on how I got KC, OpenUnison and Kubernetes all working together to provide SSO into Kubernetes and the dashboard. https://www.tremolosecurity.com/kubernetes-idm-part-i/ I'd really appreciate any thoughts and feedback you have on the ideas and architecture. BTW - getting KC up and running was super easy. great project! Thanks Marc Boorshtein CTO Tremolo Security marc.boorshtein at tremolosecurity.com Twitter - @mlbiam / @tremolosecurity From sthorger at redhat.com Thu Aug 18 00:06:08 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 18 Aug 2016 06:06:08 +0200 Subject: [keycloak-user] Newbie question about session last access time updating. In-Reply-To: References: Message-ID: What you're doing works just fine and is the only way available at the moment at least. It will have an impact on performance, both in terms of latency for request in your app and also additional load on the KC server. As long as you take that into consideration you should be fine. On 17 August 2016 at 17:30, Joe Thielen wrote: > Hello all. I am new to both Keycloak and OpenID Connect. 
Keycloak looks > like a fantastic project and thanks to all who've put in work on it. > > I love that Keycloak can be set up to save events (login/logout/etc...). > I love that there is a way to administratively log out user sessions. All > this is great. My question is, what is the proper procedure to update the > session's "Last Access" if I want it to be updated on every page request by > a user? In some cases I have strict application requirements where it's > important to know exactly when the user last did something. So I can't > just log them in and periodically do a refresh to keep the session going. > I want to update the session every time the user does something (i.e., > every page request or API request). > > Maybe this is overkill for most applications. Like I said, I'm new to > both Keycloak and OpenID Connect. I've figured out how to do the > authorization flow, request user info, and logout. And I think I've > figured out how to update the session in such a manner that it does update > the last access time. However, I'm not sure I'm doing it correctly... > > Here is an example using curl of what I've been doing to keep the last > access time updated: > > curl -s --data "grant_type=refresh_token&client_id=CLIENTID&client_secret=CLIENTSECRET&refresh_token=REFRESHTOKEN" "https://HOSTNAME:8443/auth/realms/REALMNAME/protocol/openid-connect/token" > > Am I incorrectly using the refresh token here? In reading up on the flow, > it seems like this should only be used periodically, like when the > access_token expires. > > A positive side effect of this is that on every single request I'm > checking to ensure the session hasn't been administratively logged out. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
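The refresh_token grant that Joe's curl command performs, as an added example that is not part of the original thread and not Keycloak's own code. It assumes (the thread does not state it) that the token endpoint answers a refresh against a session an admin has ended, or that has expired, with HTTP 400 and an invalid_grant error; the two sample responses are constructed here, not captured from a server, and the JWT decoding deliberately skips signature verification because it only reads hints out of a token the application already holds.

```python
"""Added example, not from the mailing-list post or from Keycloak.

Three pure functions around the refresh_token grant Joe uses to bump the
SSO session's "Last Access" on every request:
  - build the form body the token endpoint expects,
  - read the payload of a token you already hold (no signature check),
  - classify the endpoint's answer so an admin logout becomes a forced re-login.
Assumption: a refresh against a dead session yields HTTP 400 + invalid_grant."""
import base64
import json
from urllib.parse import urlencode

TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


def build_refresh_request(base_url, realm, client_id, client_secret, refresh_token):
    """Return (url, form_body) for the same refresh_token grant as the curl call.

    The client secret travels in the body, so this must only go over TLS
    (Joe's URL uses https on 8443)."""
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })
    return url, body


def jwt_payload(token):
    """Decode the payload of a compact JWS WITHOUT verifying the signature.

    Fine for reading 'exp' or 'session_state' from a token the app already
    received over TLS; never treat an unverified payload as authoritative."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def classify_refresh_response(status, body):
    """Map the token endpoint's answer to one of three outcomes.

    ("active", tokens)     new tokens issued: the SSO session is alive and its
                           last-access time was just updated
    ("logged_out", why)    invalid_grant: session expired or ended by an admin,
                           so the app must send the user back to login
    ("error", why)         anything else (bad client credentials, 5xx, ...)"""
    try:
        data = json.loads(body)
    except ValueError:
        return "error", "non-JSON response (HTTP %d)" % status
    if status == 200 and "access_token" in data and "refresh_token" in data:
        return "active", data
    if status == 400 and data.get("error") == "invalid_grant":
        return "logged_out", data.get("error_description", "")
    return "error", data.get("error_description") or data.get("error") or ("HTTP %d" % status)


def _unsigned_sample_jwt(payload):
    """Constructed sample token (dummy signature) so the example runs offline;
    a real Keycloak token carries an RS256 signature over header.payload."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(payload) + ".sig"


# Constructed sample exchange (assumed shapes, not captured from a server)
SAMPLE_OK_BODY = json.dumps({
    "access_token": _unsigned_sample_jwt({"exp": 1471500000, "session_state": "abc-123"}),
    "refresh_token": _unsigned_sample_jwt({"exp": 1471501500, "typ": "Refresh"}),
    "expires_in": 300,
    "token_type": "bearer",
})
SAMPLE_LOGGED_OUT_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": "Session not active",
})

if __name__ == "__main__":
    url, body = build_refresh_request("https://HOSTNAME:8443", "REALMNAME",
                                      "CLIENTID", "CLIENTSECRET", "REFRESHTOKEN")
    print(url)
    print(body)
    print(classify_refresh_response(200, SAMPLE_OK_BODY)[0])       # active
    print(classify_refresh_response(400, SAMPLE_LOGGED_OUT_BODY))  # ('logged_out', 'Session not active')
```

Calling this on every page request gives exactly the trade-off Stian describes: one extra round trip to the Keycloak server per request in exchange for an immediate "logged_out" result the moment an admin ends the session. If that latency is too much, the same functions let the app refresh only when `jwt_payload(access_token)["exp"]` is near, at the cost of a coarser last-access time.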
From sthorger at redhat.com Thu Aug 18 00:07:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 18 Aug 2016 06:07:20 +0200 Subject: [keycloak-user] Import and exported client In-Reply-To: <33A971E161C79C44B0AE524C102277EA30ABBA7C@WPHXMAIL1.phx.axway.int> References: <33A971E161C79C44B0AE524C102277EA30ABBA7C@WPHXMAIL1.phx.axway.int> Message-ID: You can also just remove the "id" field altogether and a new one will be generated by the server. On 17 August 2016 at 17:52, Jagannadha Rekala wrote: > Thomas, > > This is due to the internal id representation in the exported json file. > Though you changed the client id (physical name) it still had the same > internal id in the json export file. You might want to change that uuid and > try again. > > Example: > > "id" : "phxcm002-4d72-4c56-8e2b-5536fc095887" > > You need to prefix or modify it to make it unique from the previous id. Hope > this helps! > > Thanks, > > Jagan Rekala > > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Barcia > Sent: Wednesday, August 17, 2016 8:44 AM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Import and exported client > > In Keycloak 1.9.8-Final I have to create identical clients in different > realms for DEV/QA/TEST environments and was hoping that I could export the > clients and import them into other realms. When I try this, I receive the > error that the client already exists. I have verified that the client does > NOT exist in the realm and that I can create a client manually with the > same name and information but for whatever reason the import fails. > > Can I simply remove the ID from the json for the import or is there some > other method to import an existing client to a different realm? > > Thank you.
> > *** This communication has been sent from World Fuel Services > Corporation or its subsidiaries or its affiliates for the intended > recipient > only and may contain proprietary, confidential or privileged information. > If you are not the intended recipient, any review, disclosure, copying, > use, or distribution of the information included in this communication > and any attachments is strictly prohibited. If you have received this > communication in error, please notify us immediately by replying to this > communication and delete the communication, including any > attachments, from your computer. Electronic communications sent to or > from World Fuel Services Corporation or its subsidiaries or its affiliates > may be monitored for quality assurance and compliance purposes.*** > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
From sthorger at redhat.com Thu Aug 18 00:14:30 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 18 Aug 2016 06:14:30 +0200 Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql In-Reply-To: References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int> <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int> Message-ID: Strange one - do you have a debug log available from first time starting the 2.0 image? The migration logs may shed some light on what's happened. On 17 August 2016 at 22:29, Kevin Thorpe wrote: > Yes I understand why the warnings about adding the admin user. That > actually makes me comfortable that it is connecting to the mysql database > correctly. > > What is odd is the subsequent empty config. The mysql database is still > fully populated.
So it looks horribly like it's not using the mysql db at > all. > > On 17 Aug 2016 20:53, "Jagannadha Rekala" wrote: > >> Kevin, >> >> Since the admin user already exists in the older database it cannot >> create the same user. You can take an export of the older database from a >> standalone (not dockered) Keycloak version 1.7.0. This will export into a >> json file and you can verify whether that export has all the data that you >> wanted. Then you can import the same into the Keycloak 2.0.0 that is >> started on the newer database. This is just a work-around to see whether >> data still persists but not sure what caused the data being deleted from >> the database of 1.7.0. >> >> You can refer to the following link for export and import >> >> https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/paged/server-administration-guide/chapter-16-export-and-import >> >> Thanks, >> >> Jagan Rekala >> >> From: Kevin Thorpe [mailto:kevin.thorpe at p-i.net] >> Sent: Wednesday, August 17, 2016 10:29 AM >> To: Jagannadha Rekala >> Cc: keycloak-user >> Subject: Re: [keycloak-user] Cannot log in as admin when using docker >> image 2.0.0 mysql >> >> Ah, ok I'll try that. The original issue though was that it wasn't >> picking up the admin user from the existing 1.7.0 database. >> >> Ok. Now I've got further. I can start Keycloak 2.0.0 on a new database by >> adding the admin user to the environment. It still doesn't work on my old >> database.
>> >> I get these errors indicating that it's trying to add the admin user and >> failing as it already exists:
>> keycloak_1 | 2016-08-17T17:24:10.666079599Z 17:24:10,665 INFO [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'
>> keycloak_1 | 2016-08-17T17:24:10.777277798Z 17:24:10,777 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 1062, SQLState: 23000
>> keycloak_1 | 2016-08-17T17:24:10.777402463Z 17:24:10,777 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'
>> keycloak_1 | 2016-08-17T17:24:10.778545355Z 17:24:10,778 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (ServerService Thread Pool -- 49) HHH000010: On release of batch it still contained JDBC statements
>> keycloak_1 | 2016-08-17T17:24:10.784002565Z 17:24:10,783 ERROR [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists
>> >> Problem is that the admin login is now admin/admin which I set in the >> environment vars, not the original admin user password from the old >> installation. Once I'm in I see I have a completely empty database.
I'm >> confused, >> >> Kevin Thorpe >> VP Enterprise Platform >> www.p-i.net | @PI_150 >> T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344 >> 150 Buckingham Palace Road, London, SW1W 9TR, UK >> SAVE PAPER - THINK BEFORE YOU PRINT! >> ____________________________________________________________________ >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they are >> addressed. If you have received this email in error please notify the >> system manager. This message contains confidential information and is >> intended only for the individual named. If you are not the named addressee >> you should not disseminate, distribute or copy this e-mail. Please notify >> the sender immediately by e-mail if you have received this e-mail by >> mistake and delete this e-mail from your system. If you are not the >> intended recipient you are notified that disclosing, copying, distributing >> or taking any action in reliance on the contents of this information is >> strictly prohibited. >> >> On 17 August 2016 at 18:02, Jagannadha Rekala wrote: >> >> There needs to be an admin user created while Keycloak is being started. So, >> you need to pass the environment variables to the docker container.
Without >> passing the environment variables Keycloak will not have an admin user >> unless you use the previous database of Keycloak that had the admin user >> already. Try adding these two variables in your compose file and let us >> know. >> >> - KEYCLOAK_USER=admin >> - KEYCLOAK_PASSWORD=password-here >> >> Thanks, >> >> Jagan Rekala >> >> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe >> Sent: Wednesday, August 17, 2016 9:48 AM >> To: keycloak-user >> Subject: [keycloak-user] Cannot log in as admin when using docker >> image 2.0.0 mysql >> >> I'm trying to use Keycloak 2.0.0 from the docker image using mysql and I >> can't log in once running. It all starts up ok and it creates the initial >> schema ok. When I try to log in to the admin console it can't find the >> admin user. What am I doing wrong? I thought it was my modifications to the >> image to add https that were wrong but it doesn't work from the published >> image anyway. >> >> lots snipped....
>> keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of 800 services (542 services are lazy, passive or on-demand)
>> keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin
>>
>> docker-compose.yml is:
>>
>> keycloak:
>>   image: jboss/keycloak-mysql:2.0.0.Final
>>   # image: docker.pibenchmark.com/pi-keycloak:2.0.0-01
>>   environment:
>>     MYSQL_PORT_3306_TCP_ADDR: mysql
>>     MYSQL_PORT_3306_TCP_PORT: 3306
>>     MYSQL_USERNAME: keycloak
>>     MYSQL_PASSWORD: xxxxxx
>>   ports:
>>     - "8443:8443/tcp"
>>     - "8080:8080/tcp"
>>   links:
>>     - keycloak-db:mysql
>>   # tty: true
>>   # stdin_open: true
>>
>> keycloak-db:
>>   environment:
>>     MYSQL_ROOT_PASSWORD: yyyyyy
>>     MYSQL_DATABASE: keycloak
>>     MYSQL_USER: keycloak
>>     MYSQL_PASSWORD: xxxxxx
>>   image: mysql/mysql-server:5.6
>>   volumes:
>>     - keycloak-test-db:/var/lib/mysql
>>   volume_driver: convoy
>>
>> Kevin Thorpe >> VP Enterprise Platform >> www.p-i.net | @PI_150 >> T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344 >> 150 Buckingham Palace Road, London, SW1W 9TR, UK >>
>> SAVE PAPER - THINK BEFORE YOU PRINT! >> ____________________________________________________________________ >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom they are >> addressed. If you have received this email in error please notify the >> system manager. This message contains confidential information and is >> intended only for the individual named. If you are not the named addressee >> you should not disseminate, distribute or copy this e-mail. Please notify >> the sender immediately by e-mail if you have received this e-mail by >> mistake and delete this e-mail from your system. If you are not the >> intended recipient you are notified that disclosing, copying, distributing >> or taking any action in reliance on the contents of this information is >> strictly prohibited. >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >
From sthorger at redhat.com Thu Aug 18 00:16:35 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 18 Aug 2016 06:16:35 +0200 Subject: [keycloak-user] [KEYCLOAK-2741] Don't remove KEYCLOAK_REMEMBERME cookie when sso session expires. Add timeout for KEYCLOAK_REMEMBERME cookie - JBoss Issue Tracker In-Reply-To: References: Message-ID: We don't have any plans to work on it ourselves, but would happily accept a contribution. It would need to take the approach of different SSO max/idle values for remember me rather than simply ignoring idle as initially proposed.
On 17 August 2016 at 17:53, Valerij Timofeev wrote: > Thank you Stian. > > We will try an SSO time-out of 3 days to work around the current limitation of > the "remember me" function. > > A more optimal solution would be https://issues.jboss.org/browse/KEYCLOAK-1267 > Are there any plans to work on it? > > 2016-08-16 9:45 GMT+02:00 Stian Thorgersen : > >> Cookie authenticator doesn't start a new session. It can only >> authenticate the user if the session is still active. >> >> If you want users to remain authenticated for longer even when inactive >> you should increase the SSO timeout. That's what it's for. >> >> KEYCLOAK-2741 is about remembering the username so the user only has to >> provide the password. >> >> On 22 July 2016 at 11:18, Valerij Timofeev >> wrote: >> >>> https://issues.jboss.org/browse/KEYCLOAK-2741 >>> >>> Hi, >>> >>> are there any concrete plans to implement this ticket? >>> >>> The current implementation does not find any positive feedback from our >>> customers. We are even thinking about increasing the SSO timeout from 30 >>> minutes to a couple of days to compensate at least a little bit for the current >>> drawback. Would this break normal operation of the Keycloak servers? >>> >>> Would it be enough to implement this ticket to provide a full "remember >>> me" feature? Can the cookie authenticator (auth-cookie) start a new SSO session >>> if the initial one is already expired? >>> >>> Kind regards >>> Valerij Timofeev >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >
From akaya at expedia.com Thu Aug 18 01:30:23 2016 From: akaya at expedia.com (Sarp Kaya) Date: Thu, 18 Aug 2016 05:30:23 +0000 Subject: [keycloak-user] Keycloak 2.1.0 infinite redirection after login Message-ID: <5D9867FF-3230-4C59-A40F-0B18D4564389@expedia.com> Hello, I'm using the Tomcat adapter (keycloak-tomcat8-adapter). The issue is that once you log in to keycloak, it redirects you back to the application with state and code query parameters. So far no issue, but this then gives you a KEYCLOAK_ADAPTER_STATE cookie and redirects you back to the application. Then something happens (which I could not figure out what) and the browser decides not to send the KEYCLOAK_ADAPTER_STATE cookie back to the application. At first I thought this was an application issue rather than keycloak, but after reverting my changes the problem still persisted. Then I went back to Keycloak 2.0.0 from 2.1.0 and the problem was solved. So the flow is like this:
1) Request: Address/app | Response: 302 to Keycloak login page
2) Request: Keycloak/auth | Response: 200 expects you to login
3) (After logging in) Request: Keycloak/authenticate | Response 302 to application with state
4) Request: Address/app/?state=...&code=... | Response 302 to application page (with KEYCLOAK_ADAPTER_STATE cookie)
5) Request: Address/app (this request does not contain KEYCLOAK_ADAPTER_STATE for an unknown reason) | Response 302 to Keycloak login page (instead of actually letting through)
6) Request: Keycloak/auth | Response: 302 to application with state
7) Go to step 4
So it's infinitely redirecting. I have tried this with both tomcat adapter versions 2.1.0 and 2.0.0; both behave the same. I have also inspected the response headers and don't really see any difference. Just wondering if someone has had a similar issue? If so how did you fix it? Thanks, Sarp
From ushanas.shastri at viteos.com Thu Aug 18 03:13:18 2016 From: ushanas.shastri at viteos.com (Ushanas Shastri) Date: Thu, 18 Aug 2016 07:13:18 +0000 Subject: [keycloak-user] Organization Based Accounts and Permissions In-Reply-To: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> Message-ID: <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> Classification: INTERNAL Hello, I don't mean to hijack this thread, but I've had similar requirements, and would love some advice. Do you create Resources based on Features (menus in an application) or based on actual data? For e.g. if Bank Account Maintenance is a feature that allows you to create/update bank account information, do you create a Resource in KC for each bank account in the system, and then give permissions/policies on it, or do you create one Bank Account resource as indicative of the type Bank Account? Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Thursday, August 18, 2016 3:56 AM To: Charles Henck Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Organization Based Accounts and Permissions ----- Original Message ----- From: "Pedro Igor Silva" To: "Charles Henck" Cc: keycloak-user at lists.jboss.org Sent: Wednesday, August 17, 2016 6:38:01 PM Subject: Re: [keycloak-user] Organization Based Accounts and Permissions ----- Original Message ----- > From: "Charles Henck" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, August 16, 2016 4:49:01 PM > Subject: [keycloak-user] Organization Based Accounts and Permissions > > > > Hello all, > > I'm working on an organization-based service and want to have > resource-specific permissions that are restricted by (from a user > perspective) organization-specific roles. Since I'm not familiar with > the specific terminology, I'm thinking of something similar to how > GitHub manages their permissions: > > > > - A single user can be a member of multiple organizations > > - A user can have different roles with different organizations that > grant them access to all of an organization's resources If the organizations each represent a separate realm, you won't be able to share users. In Keycloak, a user belongs to a single realm. I think that with some creative naming for roles (and groups), you can get there. > > - A user can have access to a specific resource > > - That organization-specific role determines access to different > organization resources You can address these two by using our authorization services. Or even by writing plenty of "ifs" in your application based on the information carried by a token.
I would suggest you give the authorization services a try :) For instance, let's say you have an "Organization A Resource". This resource is associated with an "Organization A Resource Permission". Here the "Organization A Resource" represents any resource in Organization A and "Organization A Resource Permission" represents all the policies you want to enforce on any resource that belongs to Organization A. In this case, you can apply different types of policies to these resources, for instance, only users with role "organization-a-role" are allowed. You may also have a "Charles Resource", which was created by your service using the Protection API. In this case, your service may specify that "Charles Resource" belongs to Charles (resource owner) and apply permissions/policies to this resource that define that only Charles is allowed to access it. Going further, let's say that you want to give temporary access to your resource to someone. You may create a "Temporary Access Policy" that specifies which users (user-based policy) are allowed to access your resource. Another thing you can do is perform access decisions based on the actions that you can perform on your resource. Let's say that everybody can see your resource, but only the resource owner (you) can edit or delete it. I'm really thinking about pushing a new example application with a permission model similar to github, it will be fun :) > > > > Are there any best practices or patterns for this model? > > > > Thanks! > > Justin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information.
No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
From kevin.thorpe at p-i.net Thu Aug 18 05:38:38 2016 From: kevin.thorpe at p-i.net (Kevin Thorpe) Date: Thu, 18 Aug 2016 10:38:38 +0100 Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql In-Reply-To: References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int> <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int> Message-ID: I'm not sure how to do that. I'm using their pre-built Docker image and I also am definitely not a Java programmer. Kevin Thorpe VP Enterprise Platform www.p-i.net | @PI_150 T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344 150 Buckingham Palace Road, London, SW1W 9TR, UK SAVE PAPER - THINK BEFORE YOU PRINT! ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named.
If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. On 18 August 2016 at 05:14, Stian Thorgersen wrote: > Strange one - do you have a debug log available from first time starting > the 2.0 image? The migration logs may shed some light on what's happened. > > On 17 August 2016 at 22:29, Kevin Thorpe wrote: > >> Yes I understand why the warnings about adding the admin user. That >> actually makes me comfortable that it is connecting to the mysql database >> correctly. >> >> What is odd is the subsequent empty config. The mysql database is still >> fully populated. So it looks horribly like it's not using the mysql db at >> all. >> >> On 17 Aug 2016 20:53, "Jagannadha Rekala" wrote: >> >>> Kevin, >>> >>> Since the admin user already exists in the older database it cannot >>> create the same user. You can take an export of the older database from a >>> standalone (not dockered) Keycloak version 1.7.0. This will export into a >>> json file and you can verify whether that export has all the data that you >>> wanted. Then you can import the same into the Keycloak 2.0.0 that is >>> started on the newer database. This is just a work-around to see whether >>> data still persists but not sure what caused the data being deleted from >>> the database of 1.7.0.
>>> >>> You can refer to the following link for export and import >>> >>> https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/paged/server-administration-guide/chapter-16-export-and-import >>> >>> Thanks, >>> >>> Jagan Rekala >>> >>> From: Kevin Thorpe [mailto:kevin.thorpe at p-i.net] >>> Sent: Wednesday, August 17, 2016 10:29 AM >>> To: Jagannadha Rekala >>> Cc: keycloak-user >>> Subject: Re: [keycloak-user] Cannot log in as admin when using docker >>> image 2.0.0 mysql >>> >>> Ah, ok I'll try that. The original issue though was that it wasn't >>> picking up the admin user from the existing 1.7.0 database. >>> >>> Ok. Now I've got further. I can start Keycloak 2.0.0 on a new database >>> by adding the admin user to the environment. It still doesn't work on my >>> old database. >>> >>> I get these errors indicating that it's trying to add the admin user and >>> failing as it already exists:
>>> keycloak_1 | 2016-08-17T17:24:10.666079599Z 17:24:10,665 INFO [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'
>>> keycloak_1 | 2016-08-17T17:24:10.777277798Z 17:24:10,777 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 1062, SQLState: 23000
>>> keycloak_1 | 2016-08-17T17:24:10.777402463Z 17:24:10,777 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'
>>> keycloak_1 | 2016-08-17T17:24:10.778545355Z 17:24:10,778 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (ServerService Thread Pool -- 49) HHH000010: On release of batch it still contained JDBC
statements >>> >>> keycloak_1 | 2016-08-17T17:24:10.784002565Z 17:24:10,783 ERROR >>> [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0010: >>> Failed to add user 'admin' to realm 'master': user with username exists >>> >>> >>> >>> Problem is that the admin login is now admin/admin which I set in the >>> environment vars, not the original admin user password from the old >>> installation. Once I'm in I see I have a completely empty database. I'm >>> confused, >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> *Kevin Thorpe* >>> >>> VP Enterprise Platform >>> >>> [image: http://i.imgur.com/8UeC1YO.png] >>> >>> www.p-i.net | @PI_150 >>> >>> >>> *T: **+44 (0)20 3005 6750* <%2B44%20%280%2920%203005%206750>* | F: **+44(0)20 >>> 7730 2635* <%2B44%280%2920%207730%202635>* | T: **+44 (0)808 204 0344* >>> <%2B44%20%280%29808%20204%200344> >>> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >>> >>> [image: >>> https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo_150.png] >>> [image: >>> https://clients.p-i.net/documents/11003/1116416/ISO27001.logo_150.png] >>> [image: >>> https://clients.p-i.net/documents/11003/1116416/QMS.logo_150.png] [image: >>> https://clients.p-i.net/documents/11003/1116416/pci.logo_150.png] >>> >>> >>> *SAVE PAPER - THINK BEFORE YOU PRINT!* >>> >>> ____________________________________________________________________ >>> >>> This email and any files transmitted with it are confidential and >>> intended solely for the use of the individual or entity to whom they are >>> addressed. If you have received this email in error please notify the >>> system manager. This message contains confidential information and is >>> intended only for the individual named. If you are not the named addressee >>> you should not disseminate, distribute or copy this e-mail. Please notify >>> the sender immediately by e-mail if you have received this e-mail by >>> mistake and delete this e-mail from your system. 
If you are not the >>> intended recipient you are notified that disclosing, copying, distributing >>> or taking any action in reliance on the contents of this information is >>> strictly prohibited. >>> >>> >>> >>> On 17 August 2016 at 18:02, Jagannadha Rekala >>> wrote: >>> >>> There needs to be an admin user created while Keycloak being started. >>> So, you need to pass the environment variables to the docker container. >>> Without passing the environment variables Keycloak will not have an admin >>> user unless you use the previous database of Keycloak that had admin user >>> already. Try adding these two variables in your compose file and let us >>> know. >>> >>> >>> >>> - KEYCLOAK_USER=admin >>> >>> - KEYCLOAK_PASSWORD=password-here >>> >>> >>> >>> Thanks, >>> >>> Jagan Rekala >>> >>> >>> >>> *From:* keycloak-user-bounces at lists.jboss.org [mailto: >>> keycloak-user-bounces at lists.jboss.org] *On Behalf Of *Kevin Thorpe >>> *Sent:* Wednesday, August 17, 2016 9:48 AM >>> *To:* keycloak-user >>> *Subject:* [keycloak-user] Cannot log in as admin when using docker >>> image 2.0.0 mysql >>> >>> >>> >>> I'm trying to use Keycloak 2.0.0 from the docker image using mysql and I >>> can't log in once running. It all starts up ok and it creates the initial >>> schema ok. When I try to log in to the admion console it can't find the >>> admin user. What am I doing wrong? I thought it was my modifications to the >>> image to add https that were wrong but it doesn't work from the published >>> image anyway. >>> >>> >>> >>> lots snipped.... 
>>> >>> keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [ >>> org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak >>> 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of >>> 800 services (542 services are lazy, passive or on-demand) >>> >>> keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN >>> [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, >>> clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, >>> error=user_not_found, auth_method=openid-connect, auth_type=code, >>> redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, >>> code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin >>> >>> >>> >>> docker-compose.yml is: >>> >>> keycloak: >>> >>> image: jboss/keycloak-mysql:2.0.0.Final >>> >>> # image: docker.pibenchmark.com/pi-keycloak:2.0.0-01 >>> >>> environment: >>> >>> MYSQL_PORT_3306_TCP_ADDR: mysql >>> >>> MYSQL_PORT_3306_TCP_PORT: 3306 >>> >>> MYSQL_USERNAME: keycloak >>> >>> MYSQL_PASSWORD: xxxxxx >>> >>> ports: >>> >>> - "8443:8443/tcp" >>> >>> - "8080:8080/tcp" >>> >>> links: >>> >>> - keycloak-db:mysql >>> >>> # tty: true >>> >>> # stdin_open: true >>> >>> >>> >>> keycloak-db: >>> >>> environment: >>> >>> MYSQL_ROOT_PASSWORD: yyyyyy >>> >>> MYSQL_DATABASE: keycloak >>> >>> MYSQL_USER: keycloak >>> >>> MYSQL_PASSWORD: xxxxxx >>> >>> image: mysql/mysql-server:5.6 >>> >>> volumes: >>> >>> - keycloak-test-db:/var/lib/mysql >>> >>> volume_driver: convoy >>> >>> >>> >>> >>> >>> >>> >>> *Kevin Thorpe* >>> >>> VP Enterprise Platform >>> >>> [image: http://i.imgur.com/8UeC1YO.png] >>> >>> www.p-i.net | @PI_150 >>> >>> >>> *T: **+44 (0)20 3005 6750* <%2B44%20%280%2920%203005%206750>* | F: **+44(0)20 >>> 7730 2635* <%2B44%280%2920%207730%202635>* | T: **+44 (0)808 204 0344* >>> <%2B44%20%280%29808%20204%200344> >>> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >>> >>> [image: >>> 
https://clients.p-i.net/documents/11003/1116416/BSI-UKAS.logo_150.png] >>> [image: >>> https://clients.p-i.net/documents/11003/1116416/ISO27001.logo_150.png] >>> [image: >>> https://clients.p-i.net/documents/11003/1116416/QMS.logo_150.png] [image: >>> https://clients.p-i.net/documents/11003/1116416/pci.logo_150.png] >>> >>> >>> *SAVE PAPER - THINK BEFORE YOU PRINT!* >>> >>> ____________________________________________________________________ >>> >>> This email and any files transmitted with it are confidential and >>> intended solely for the use of the individual or entity to whom they are >>> addressed. If you have received this email in error please notify the >>> system manager. This message contains confidential information and is >>> intended only for the individual named. If you are not the named addressee >>> you should not disseminate, distribute or copy this e-mail. Please notify >>> the sender immediately by e-mail if you have received this e-mail by >>> mistake and delete this e-mail from your system. If you are not the >>> intended recipient you are notified that disclosing, copying, distributing >>> or taking any action in reliance on the contents of this information is >>> strictly prohibited. >>> >>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
From sthorger at redhat.com Thu Aug 18 06:26:48 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 18 Aug 2016 12:26:48 +0200
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To:
References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int> <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int>
Message-ID:

Take a look at instructions from the root image:

https://hub.docker.com/r/jboss/keycloak/

You should be able to enable debug logging with:

"-e KEYCLOAK_LOGLEVEL=DEBUG"

On 18 August 2016 at 11:38, Kevin Thorpe wrote:

> I'm not sure how to do that. I'm using their pre-built Docker image and I
> also am definitely not a Java programmer.
>
> *Kevin Thorpe*
> VP Enterprise Platform
> www.p-i.net | @PI_150
>
> On 18 August 2016 at 05:14, Stian Thorgersen wrote:
>
>> Strange one - do you have a debug log available from first time starting
>> the 2.0 image? The migration logs may shed some light on what's happened.
From kevin.thorpe at p-i.net Thu Aug 18 06:43:10 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Thu, 18 Aug 2016 11:43:10 +0100
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To:
References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int> <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int>
Message-ID:

Thanks for that Stian. I did manage to find that on the 'net.

Thank you for all your help but it turned out it wasn't Keycloak causing the issue at all. The problem was with the mysql container and migrating a database in. A combination of permissions differences and the way the mysql image detects an existing database meant it was creating a new one. This wasn't obvious until I picked the mysql image apart and built my own. Sorry to use up part of your valuable time.

*Kevin Thorpe*
VP Enterprise Platform
www.p-i.net | @PI_150

On 18 August 2016 at 11:26, Stian Thorgersen wrote:

> Take a look at instructions from the root image:
>
> https://hub.docker.com/r/jboss/keycloak/
>
> You should be able to enable debug logging with:
>
> "-e KEYCLOAK_LOGLEVEL=DEBUG"
>
> On 18 August 2016 at 11:38, Kevin Thorpe wrote:
>
>> I'm not sure how to do that. I'm using their pre-built Docker image and I
>> also am definitely not a Java programmer.
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/2654bece/attachment-0001.html

From psilva at redhat.com Thu Aug 18 07:54:55 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 18 Aug 2016 07:54:55 -0400 (EDT)
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com>
References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com>
Message-ID: <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Ushanas Shastri"
> To: "Pedro Igor Silva" , "Charles Henck"
> Cc: keycloak-user at lists.jboss.org
> Sent: Thursday, August 18, 2016 4:13:18 AM
> Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
>
> Classification: INTERNAL
> Hello,
>
> I don't mean to hijack this thread, but I've had similar requirements, and
> would love some advice.
>
> Do you create Resources based on Features (menus in an application) or based
> on actual data? For e.g. if Bank Account Maintenance is a feature that
> allows you to create/update bank account information, do you create a
> Resource in KC for each bank account in the system, and then give
> permissions/policies on it, or do you create one Bank Account resource as
> indicative of the type Bank Account?
>

The idea is that you can do both: feature and/or resource. That is the reason behind our Protection API (based on the UMA spec). It provides an API that allows client applications acting as a resource server (your service) to create "resource instances" whose owner could be a user. But nothing stops you from still having a typed resource (e.g. type Bank Account) and applying general permissions/policies to it. Take a look at the "authz/photoz" example application, there we try to demonstrate that. There you have a general purpose "Album Resource" and every time a user creates a new album a corresponding resource is also created in the server. In this case, the new resource is going to inherit the permissions applied to the "Album Resource".

For the feature-based resource scenario, you may take a look at "authz/servlet-authz-app". There we try to demonstrate how you can protect resources and actions/scopes in order to build, for instance, a dynamic menu with the permissions granted by the server.

From ushanas.shastri at viteos.com Thu Aug 18 08:05:00 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Thu, 18 Aug 2016 12:05:00 +0000
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com>
References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com>
Message-ID: <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com>

Classification: INTERNAL

Thank you! I have looked at both examples, and we tried to create resources as being types. Where we're stuck is that we need one additional parameterized context, which we thought we'd achieve by creating client roles. So, the idea is that scope based permissions apply for a given client role. There are no issues setting this up in KC, but the Entitlement API returns a representation that does not combine resource, scopes *and* client roles. It combines resources and scopes, but client roles are a separate list.
The JSON (a part of it) looks like this

  "resource_access": {
    "servlet-authz-app": {
      "roles": [
        "Setup1",
        "Setup2"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "view"
        ],
        "resource_set_id": "35750d56-d32a-4106-8b63-882e998ec545",
        "resource_set_name": "Account Setup"
      },
      {
        "scopes": [
          "view"
        ],
        "resource_set_id": "11389916-6cac-41af-95f1-8409019a84b3",
        "resource_set_name": "Investor Setup"
      }
    ]
  }

The way it's set up is that this user can do view scope for resource "Account Setup" for only client role "Setup1", and cannot do scope view for resource "Account Setup" for client role "Setup2". If the authorization property put relevant client roles inside permissions, it would do everything we needed.

Regards,
Ushanas.

Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

From psilva at redhat.com Thu Aug 18 08:25:15 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 18 Aug 2016 08:25:15 -0400 (EDT)
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com>
References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com> <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com>
Message-ID: <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com>

Can you attach an export of your authorization settings? I would like to understand better what you are doing. The realm config would also help.

Also, your requirement is that a user can only access one resource or another, but never both?
From sthorger at redhat.com Thu Aug 18 08:52:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 18 Aug 2016 14:52:35 +0200
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To:
References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int> <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int>
Message-ID:

Np, pleased it's sorted :)

On 18 August 2016 at 12:43, Kevin Thorpe wrote:

> Thanks for that Stian. I did manage to find that on the 'net.
>
> Thank you for all your help but it turned out it wasn't Keycloak causing
> the issue at all. The problem was with the mysql container and migrating a
> database in. A combination of permissions differences and the way the mysql
> image detects an existing database meant it was creating a new one. This
> wasn't obvious until I picked the mysql image apart and built my own.
>
> Sorry to use up part of your valuable time.
>
> *Kevin Thorpe*
> VP Enterprise Platform
> www.p-i.net | @PI_150
> *150 Buckingham Palace Road, London, SW1W 9TR, UK*
>
> On 18 August 2016 at 11:26, Stian Thorgersen wrote:
>
>> Take a look at instructions from the root image:
>>
>> https://hub.docker.com/r/jboss/keycloak/
>>
>> You should be able to enable debug logging with:
>>
>> "-e KEYCLOAK_LOGLEVEL=DEBUG"
>>
>> On 18 August 2016 at 11:38, Kevin Thorpe wrote:
>>
>>> I'm not sure how to do that. I'm using their pre-built Docker image and
>>> I also am definitely not a Java programmer.
>>>
>>> *Kevin Thorpe*
>>> VP Enterprise Platform
>>> www.p-i.net | @PI_150
>>>
>>> On 18 August 2016 at 05:14, Stian Thorgersen wrote:
>>>
>>>> Strange one - do you have a debug log available from first time
>>>> starting the 2.0 image? The migration logs may shed some light on what's
>>>> happened.
>>>>
>>>> On 17 August 2016 at 22:29, Kevin Thorpe wrote:
>>>>
>>>>> Yes I understand why the warnings about adding the admin user. That
>>>>> actually makes me comfortable that it is connecting to the mysql database
>>>>> correctly.
>>>>>
>>>>> What is odd is the subsequent empty config. The mysql database is
>>>>> still fully populated. So it looks horribly like it's not using the mysql
>>>>> db at all.
>>>>>
>>>>> On 17 Aug 2016 20:53, "Jagannadha Rekala" wrote:
>>>>>
>>>>>> Kevin,
>>>>>>
>>>>>> Since the admin user already exists in the older database it cannot
>>>>>> create the same user. You can take an export of the older database from a
>>>>>> standalone (not dockered) Keycloak version 1.7.0. This will export into a
>>>>>> json file and you can verify whether that export has all the data that you
>>>>>> wanted. Then you can import the same into the Keycloak 2.0.0 that is
>>>>>> started in the newer database. This is just a work-around to see whether
>>>>>> data still persists but not sure what caused the data to be deleted from
>>>>>> the database of 1.7.0.
>>>>>>
>>>>>> You can refer to the following link for export and import
>>>>>>
>>>>>> https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/paged/server-administration-guide/chapter-16-export-and-import
>>>>>>
>>>>>> Thanks,
>>>>>> Jagan Rekala
>>>>>>
>>>>>> *From:* Kevin Thorpe [mailto:kevin.thorpe at p-i.net]
>>>>>> *Sent:* Wednesday, August 17, 2016 10:29 AM
>>>>>> *To:* Jagannadha Rekala
>>>>>> *Cc:* keycloak-user
>>>>>> *Subject:* Re: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
>>>>>>
>>>>>> Ah, ok I'll try that. The original issue though was that it wasn't
>>>>>> picking up the admin user from the existing 1.7.0 database.
>>>>>>
>>>>>> Ok. Now I've got further. I can start Keycloak 2.0.0 on a new
>>>>>> database by adding the admin user to the environment. It still doesn't work
>>>>>> on my old database.
>>>>>>
>>>>>> I get these errors indicating that it's trying to add the admin user
>>>>>> and failing as it already exists:
>>>>>>
>>>>>> keycloak_1 | 2016-08-17T17:24:10.666079599Z 17:24:10,665 INFO [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'
>>>>>> keycloak_1 | 2016-08-17T17:24:10.777277798Z 17:24:10,777 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 1062, SQLState: 23000
>>>>>> keycloak_1 | 2016-08-17T17:24:10.777402463Z 17:24:10,777 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'
>>>>>> keycloak_1 | 2016-08-17T17:24:10.778545355Z 17:24:10,778 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (ServerService Thread Pool -- 49) HHH000010: On release of batch it still contained JDBC statements
>>>>>> keycloak_1 | 2016-08-17T17:24:10.784002565Z 17:24:10,783 ERROR [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists
>>>>>>
>>>>>> Problem is that the admin login is now admin/admin which I set in the
>>>>>> environment vars, not the original admin user password from the old
>>>>>> installation. Once I'm in I see I have a completely empty database. I'm
>>>>>> confused,
>>>>>>
>>>>>> *Kevin Thorpe*
>>>>>> VP Enterprise Platform
>>>>>> www.p-i.net | @PI_150
>>>>>> *150 Buckingham Palace Road, London, SW1W 9TR, UK*
-------------- next part --------------
An HTML attachment was scrubbed...
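As an added example (not code from this thread or from the Keycloak project), here is a small parser for the server log lines quoted in the thread above, with the two symptoms Kevin hit picked out: the org.keycloak.events LOGIN_ERROR with error=user_not_found against the admin console, and the KC-SERVICES0010 conflict from keycloak-add-user.json. It assumes only the line shape visible above (an optional docker-compose "keycloak_1 | <ISO timestamp>" prefix, then WildFly's "HH:MM:SS,mmm LEVEL [logger] (thread) message"); the sample lines are copied from the thread and the function names are mine.

```python
"""Structured parsing of the Keycloak/WildFly log lines quoted in this thread.

Added example, not from the thread or the Keycloak project. Assumes only the
line shape seen above: an optional docker-compose prefix ("keycloak_1 | <ISO>")
followed by "HH:MM:SS,mmm LEVEL [logger] (thread) message".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?:(?P<container>[^\s|]+)\s+\|\s+(?P<iso>\S+)\s+)?"  # docker-compose prefix
    r"(?P<time>\d{1,2}:\d{2}:\d{2},\d{3})\s+"              # 16:40:16,237
    r"(?P<level>[A-Z]+)\s+"                                 # INFO / WARN / ERROR
    r"\[\s*(?P<logger>[^\]]+?)\s*\]\s+"                     # [org.keycloak.events]
    r"\((?P<thread>[^)]*)\)\s+"                             # (default task-7)
    r"(?P<message>.*)$"
)


@dataclass
class LogRecord:
    time: str
    level: str
    logger: str
    thread: str
    message: str
    container: Optional[str] = None
    # key=value pairs of an org.keycloak.events line; empty for other loggers
    event: Dict[str, str] = field(default_factory=dict)


def parse_event_fields(message: str) -> Dict[str, str]:
    """Split 'type=LOGIN_ERROR, realmId=master, ...' into a dict.

    A value may itself contain '=' (a redirect_uri with a query string), so
    each comma-separated pair is split only at its first '='.
    """
    fields: Dict[str, str] = {}
    for part in message.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord, or None for text that is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = LogRecord(time=m["time"], level=m["level"], logger=m["logger"],
                    thread=m["thread"], message=m["message"],
                    container=m["container"])
    if rec.logger == "org.keycloak.events":
        rec.event = parse_event_fields(rec.message)
    return rec


def admin_console_login_failures(lines: List[str]) -> List[LogRecord]:
    """LOGIN_ERROR events against the master realm's admin console.

    error=user_not_found for username=admin right after a fresh start is the
    symptom from the thread: the server is bound to a database in which the
    admin user was never created (or not to the database you think it is).
    """
    hits = []
    for rec in map(parse_line, lines):
        if rec is None or rec.event.get("type") != "LOGIN_ERROR":
            continue
        if (rec.event.get("realmId") == "master"
                and rec.event.get("clientId") == "security-admin-console"):
            hits.append(rec)
    return hits


def add_user_conflicts(lines: List[str]) -> List[LogRecord]:
    """KC-SERVICES0010 errors: the keycloak-add-user.json import collided
    with a user that already exists in the database."""
    return [rec for rec in map(parse_line, lines)
            if rec is not None and rec.level == "ERROR"
            and "KC-SERVICES0010" in rec.message]


# Sample lines copied from the messages above (docker-compose output) plus one
# plain WildFly line from the Liquibase trace posted later in the archive.
SAMPLE_LINES = [
    "keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [ org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of 800 services (542 services are lazy, passive or on-demand)",
    "keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin",
    "keycloak_1 | 2016-08-17T17:24:10.777402463Z 17:24:10,777 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6'",
    "keycloak_1 | 2016-08-17T17:24:10.784002565Z 17:24:10,783 ERROR [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists",
    "07:52:06,975 INFO [org.keycloak.services] (ServerService Thread Pool -- 67) KC-SERVICES0050: Initializing master realm",
]

if __name__ == "__main__":
    for rec in admin_console_login_failures(SAMPLE_LINES):
        print(f"{rec.time} admin-console login failed: {rec.event['error']} "
              f"user={rec.event['username']} from {rec.event['ipAddress']}")
    for rec in add_user_conflicts(SAMPLE_LINES):
        print(f"{rec.time} {rec.message}")
```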
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/d62360ae/attachment-0001.html

From luc.verstraete at altran.com Thu Aug 18 10:10:48 2016
From: luc.verstraete at altran.com (VERSTRAETE Luc)
Date: Thu, 18 Aug 2016 14:10:48 +0000
Subject: [keycloak-user] Hello issue in the keycloack deployment
Message-ID:

We had an issue with a Keycloak image already running in another environment but failing here.

Here find the trace we got.

Thanks a lot for cooperation,
Luc V

Following:

7:51:36,516 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Foreign key FK_RLM_CLI_TMPLT_RLM dropped
07:51:36,838 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Foreign key FK_RLM_CLI_TMPLT_CLI dropped
07:51:37,344 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Table REALM_CLIENT_TEMPLATE dropped
07:51:37,629 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Foreign key FK_213LYQ09FKXQ8K8NY8DY3737T dropped
07:51:38,020 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Foreign key FK_DCCIRJLIPU1478VQC89DID88C dropped
07:51:40,063 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Unique constraint UK_DCCIRJLIPU1478VQC89DID88C dropped from FED_PROVIDERS
07:51:40,565 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Table FED_PROVIDERS dropped
07:51:41,108 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_US_SESS_ID_ON_CL_SESS created
07:51:41,109 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) ChangeSet META-INF/jpa-changelog-1.9.0.xml::1.9.0::mposolda at redhat.com ran successfully in 6637ms
07:51:41,550 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) REALM.PRIVATE_KEY datatype was changed to VARCHAR(4000)
07:51:41,916 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) REALM.PUBLIC_KEY datatype was changed to VARCHAR(4000)
07:51:42,276 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) REALM.CERTIFICATE datatype was changed to VARCHAR(4000)
07:51:42,276 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) ChangeSet META-INF/jpa-changelog-1.9.1.xml::1.9.1::keycloak ran successfully in 1033ms
07:51:43,099 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_USER_EMAIL created
07:51:43,922 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_USER_ROLE_MAPPING created
07:51:44,563 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_USER_GROUP_MAPPING created
07:51:45,288 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_USER_CONSENT created
07:51:45,879 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_CONSENT_PROTMAPPER created
07:51:46,649 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_CONSENT_ROLE created
07:51:47,370 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_USER_ATTRIBUTE created
07:51:48,217 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_USER_CREDENTIAL created
07:51:48,850 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_USER_REQACTIONS created
07:51:49,566 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_FEDIDENTITY_USER created
07:51:50,099 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) Index IDX_FEDIDENTITY_FEDUSER created
07:51:50,100 DEBUG [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 67) ChangeSet META-INF/jpa-changelog-1.9.2.xml::1.9.2::keycloak ran successfully in 7666ms
07:51:50,209 DEBUG [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 67) Completed database update
07:51:51,083 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 67) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...]
07:51:51,294 INFO [org.hibernate.Version] (ServerService Thread Pool -- 67) HHH000412: Hibernate Core {5.0.9.Final-redhat-1}
07:51:51,295 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 67) HHH000206: hibernate.properties not found
07:51:51,297 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 67) HHH000021: Bytecode provider name : javassist
07:51:51,412 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 67) HCANN000001: Hibernate Commons Annotations {5.0.1.Final-redhat-2}
07:51:52,303 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 67) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
07:51:52,507 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 67) Envers integration enabled? : true
07:51:56,015 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 67) HV000001: Hibernate Validator 5.2.4.Final-redhat-1
07:52:02,809 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 67) HHH000397: Using ASTQueryTranslatorFactory
07:52:06,975 INFO [org.keycloak.services] (ServerService Thread Pool -- 67) KC-SERVICES0050: Initializing master realm
07:52:15,210 DEBUG [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 67) Going to release database lock
07:52:15,218 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 67) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:239) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:527) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) ... 6 more Caused by: java.lang.RuntimeException: Failed to parse json at org.keycloak.services.resources.KeycloakApplication.loadJson(KeycloakApplication.java:366) at org.keycloak.services.resources.KeycloakApplication.importRealms(KeycloakApplication.java:265) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:131) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 19 more Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.RealmRepresentation out of START_ARRAY token at [Source: java.io.FileInputStream at 310ebf9f; line: 1, column: 1] at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831) at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromArray(BeanDeserializerBase.java:1229) at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:165) at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:144) at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3564) at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2650) at 
org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:88) at org.keycloak.util.JsonSerialization.readValue(JsonSerialization.java:77) at org.keycloak.services.resources.KeycloakApplication.loadJson(KeycloakApplication.java:364) ... 26 more 07:52:15,224 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: Failed to parse json Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.RealmRepresentation out of START_ARRAY token at [Source: java.io.FileInputStream at 310ebf9f; line: 1, column: 1]"}} 07:52:15,409 INFO [org.jboss.as.server] (ServerService Thread Pool -- 35) WFLYSRV0010: Deployed "activemq-rar.rar" (runtime-name : "activemq-rar.rar") 07:52:15,411 INFO [org.jboss.as.server] (ServerService Thread Pool -- 59) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 07:52:15,602 INFO [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service 
jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) 07:52:16,317 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 07:52:16,317 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 07:52:16,317 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: JBoss EAP 7.0.0.GA (WildFly Core 2.1.2.Final-redhat-1) started (with errors) in 433349ms - Started 465 of 832 services (2 services failed or missing dependencies, 526 services are lazy, passive or on-demand) [root at keycloak-2-g6ddf keycloak-app]# -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/f4f529f4/attachment-0001.html From thomas.darimont at googlemail.com Thu Aug 18 10:15:28 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 18 Aug 2016 16:15:28 +0200 Subject: [keycloak-user] Hello issue in the keycloack deployment In-Reply-To: References: Message-ID: Looks like your json file with the realm definitions is broken. ... Caused by: java.lang.RuntimeException: Failed to parse json at org.keycloak.services.resources.KeycloakApplication. loadJson(KeycloakApplication.java:366) at org.keycloak.services.resources.KeycloakApplication.importRealms( KeycloakApplication.java:265) at org.keycloak.services.resources.KeycloakApplication. (KeycloakApplication.java:131) ... 
Cheers,
Thomas

2016-08-18 16:10 GMT+02:00 VERSTRAETE Luc :

> We had an issue with a Keycloak image already running in another
> environment but failing here
>
> Here find the trace we got
>
> Thanks a lot for cooperation
>
> Luc V

From jarekala at axway.com Thu Aug 18 12:24:19 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Thu, 18 Aug 2016 16:24:19 +0000
Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql
In-Reply-To:
References: <33A971E161C79C44B0AE524C102277EA30ABBB82@WPHXMAIL1.phx.axway.int> <33A971E161C79C44B0AE524C102277EA30ABBE8D@WPHXMAIL1.phx.axway.int>
Message-ID: <33A971E161C79C44B0AE524C102277EA30ABD361@WPHXMAIL1.phx.axway.int>

Good to hear that! Have a nice day.
JAGAN REKALA Lead/Architect, R&D, Axway Phoenix, Arizona 85054 jarekala at axway.com - http://www.axway.com From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Thursday, August 18, 2016 5:53 AM To: Kevin Thorpe Cc: Jagannadha Rekala ; keycloak-user Subject: Re: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql Np, pleased it's sorted :) On 18 August 2016 at 12:43, Kevin Thorpe > wrote: Thanks for that Stian. I did manage to find that on the 'net. Thank you for all your help but it turned out it wasn't Keycloak causing the issue at all. The problem was with the mysql container and migrating a database in. A combination of permissions differences and the way the mysql image detects an existing database meant it was creating a new one. This wasn't obvious until I picked the mysql image apart and built my own. Sorry to use up part of your valuable time. Kevin Thorpe VP Enterprise Platform www.p-i.net | @PI_150 T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344 150 Buckingham Palace Road, London, SW1W 9TR, UK SAVE PAPER - THINK BEFORE YOU PRINT! ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. 
On 18 August 2016 at 11:26, Stian Thorgersen > wrote: Take a look at instructions from the root image: https://hub.docker.com/r/jboss/keycloak/ You should be able to enable debug logging with: "-e KEYCLOAK_LOGLEVEL=DEBUG" On 18 August 2016 at 11:38, Kevin Thorpe > wrote: I'm not sure how to do that. I'm using their pre-built Docker image and I also am definitely not a Java programmer. Kevin Thorpe VP Enterprise Platform www.p-i.net | @PI_150 T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344 150 Buckingham Palace Road, London, SW1W 9TR, UK SAVE PAPER - THINK BEFORE YOU PRINT! ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. On 18 August 2016 at 05:14, Stian Thorgersen > wrote: Strange one - do you have a debug log available from first time starting the 2.0 image? The migration logs may shed some light on what's happened. On 17 August 2016 at 22:29, Kevin Thorpe > wrote: Yes I understand why the warnings about adding the admin user. That actually makes me comfortable that it is connecting to the mysql database correctly. What is odd is the subsequent empty config. The mysql database is still fully populated. So it looks horribly like it's not using the mysql db at all. 
On 17 Aug 2016 20:53, "Jagannadha Rekala" > wrote: Kevin, Since the admin user already exists in the older database it cannot create the same user. You can take export of the older database from a standalone (not dockered) Keycloak version 1.7.0. This will export into a json file and you can verify whether that export has all the data that you wanted. Then you can import the same into the Keycloak 2.0.0 that is started in the newer database. This is just a work-around to see whether data still persists but not sure what caused the data being deleted from the database of 1.7.0. You can refer the following link for export and import https://access.redhat.com/documentation/en/red-hat-single-sign-on/7.0/paged/server-administration-guide/chapter-16-export-and-import Thanks, Jagan Rekala From: Kevin Thorpe [mailto:kevin.thorpe at p-i.net] Sent: Wednesday, August 17, 2016 10:29 AM To: Jagannadha Rekala > Cc: keycloak-user > Subject: Re: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql Ah, ok I'll try that. The original issue though was that it wasn't picking up the admin user from the existing 1.7.0 database. Ok. Now I've got further. I can start Keycloak 2.0.0 on a new database by adding the admin user to the environment. It still doesn't work on my old database. 
I get these errors indicating that it's trying to add the admin user and failing as it already exists: keycloak_1 | 2016-08-17T17:24:10.666079599Z 17:24:10,665 INFO [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json' keycloak_1 | 2016-08-17T17:24:10.777277798Z 17:24:10,777 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 1062, SQLState: 23000 keycloak_1 | 2016-08-17T17:24:10.777402463Z 17:24:10,777 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) Duplicate entry 'master-admin' for key 'UK_RU8TT6T700S9V50BU18WS5HA6' keycloak_1 | 2016-08-17T17:24:10.778545355Z 17:24:10,778 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (ServerService Thread Pool -- 49) HHH000010: On release of batch it still contained JDBC statements keycloak_1 | 2016-08-17T17:24:10.784002565Z 17:24:10,783 ERROR [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0010: Failed to add user 'admin' to realm 'master': user with username exists Problem is that the admin login is now admin/admin which I set in the environment vars, not the original admin user password from the old installation. Once I'm in I see I have a completely empty database. I'm confused, Kevin Thorpe VP Enterprise Platform www.p-i.net | @PI_150 T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344 150 Buckingham Palace Road, London, SW1W 9TR, UK SAVE PAPER - THINK BEFORE YOU PRINT! ____________________________________________________________________ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. 
If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. On 17 August 2016 at 18:02, Jagannadha Rekala wrote: There needs to be an admin user created while Keycloak is being started. So, you need to pass the environment variables to the docker container. Without passing the environment variables Keycloak will not have an admin user unless you use the previous database of Keycloak that had an admin user already. Try adding these two variables in your compose file and let us know.

- KEYCLOAK_USER=admin
- KEYCLOAK_PASSWORD=password-here

Thanks, Jagan Rekala From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Kevin Thorpe Sent: Wednesday, August 17, 2016 9:48 AM To: keycloak-user Subject: [keycloak-user] Cannot log in as admin when using docker image 2.0.0 mysql I'm trying to use Keycloak 2.0.0 from the docker image using mysql and I can't log in once running. It all starts up ok and it creates the initial schema ok. When I try to log in to the admin console it can't find the admin user. What am I doing wrong? I thought it was my modifications to the image to add https that were wrong but it doesn't work from the published image anyway. lots snipped....
keycloak_1 | 2016-08-17T16:39:58.280453387Z 16:39:58,280 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) started in 29551ms - Started 418 of 800 services (542 services are lazy, passive or on-demand)
keycloak_1 | 2016-08-17T16:40:16.238260785Z 16:40:16,237 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.20.11.52, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://10.20.13.236:8080/auth/admin/master/console/, code_id=2bde62ed-9b9f-4620-b07f-39d4a282098c, username=admin

docker-compose.yml is:

keycloak:
  image: jboss/keycloak-mysql:2.0.0.Final
  # image: docker.pibenchmark.com/pi-keycloak:2.0.0-01
  environment:
    MYSQL_PORT_3306_TCP_ADDR: mysql
    MYSQL_PORT_3306_TCP_PORT: 3306
    MYSQL_USERNAME: keycloak
    MYSQL_PASSWORD: xxxxxx
  ports:
    - "8443:8443/tcp"
    - "8080:8080/tcp"
  links:
    - keycloak-db:mysql
  # tty: true
  # stdin_open: true
keycloak-db:
  environment:
    MYSQL_ROOT_PASSWORD: yyyyyy
    MYSQL_DATABASE: keycloak
    MYSQL_USER: keycloak
    MYSQL_PASSWORD: xxxxxx
  image: mysql/mysql-server:5.6
  volumes:
    - keycloak-test-db:/var/lib/mysql
  volume_driver: convoy

Kevin Thorpe VP Enterprise Platform www.p-i.net | @PI_150 T: +44 (0)20 3005 6750 | F: +44(0)20 7730 2635 | T: +44 (0)808 204 0344 150 Buckingham Palace Road, London, SW1W 9TR, UK SAVE PAPER - THINK BEFORE YOU PRINT!
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/55a79df8/attachment-0001.html From pnalyvayko at agi.com Thu Aug 18 13:21:53 2016 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Thu, 18 Aug 2016 17:21:53 +0000 Subject: [keycloak-user] Database upgrade Message-ID: Hi, Is there an existing way to execute the keycloak database upgrade without actually starting the keycloak server? Thanks! --Peter From thomas.darimont at googlemail.com Thu Aug 18 14:15:49 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 18 Aug 2016 20:15:49 +0200 Subject: [keycloak-user] Database upgrade In-Reply-To: References: Message-ID: Hello Peter, https://github.com/keycloak/keycloak/blob/master/misc/UpdatingDatabaseSchema.md Cheers, Thomas 2016-08-18 19:21 GMT+02:00 Nalyvayko, Peter : > Hi, > Is there an existing way to execute the keycloak database upgrade without > actually starting the keycloak server? > Thanks! > --Peter > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/bf49cf43/attachment.html From filipelautert at gmail.com Thu Aug 18 14:33:09 2016 From: filipelautert at gmail.com (Filipe Lautert) Date: Thu, 18 Aug 2016 18:33:09 +0000 Subject: [keycloak-user] disable kerberos SSO when needed In-Reply-To: <68192f27-8c92-d0f7-fed4-f27aff9922cd@redhat.com> References: <0ABE2BE06E188B4FA117BC5D9D11ECCF50520805@sq9bmexpr03.MONAD.MONERIS.COM> <68192f27-8c92-d0f7-fed4-f27aff9922cd@redhat.com> Message-ID: Hello I've a similar case to this one, but instead of using an account page I use the ssl client certificate passed by Apache. I set up everything as the example you provided, but even if in my "Account Chooser Custom authenticator" I call AuthFlowContext.success() it is still showing me the username/password form from the next alternative flow. I worked around it creating a class called AlternativeUsernamePasswordFormFactory that extends UsernamePasswordFormFactory, and the only change that I did to it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE to the REQUIREMENT_CHOICES. Now, if I set this new auth type as alternative in Keycloak, it does what I want. So my questions are: am I missing something to mark my Authenticator as sufficient to end the flow and return to the client? if not, is there a reason why UsernamePasswordFormFactory doesn't provide the ALTERNATIVE option, and can it be added to this class? I'm posting this again on this thread as Ray may face the same issue soon... Cheers filipe On Wed, Aug 17, 2016 at 6:38 PM Bill Burke wrote: > You would need to create a custom authenticator that is like an account > chooser page, i.e. two buttons one says "login to kerberos" the other says > "login to ldap".
>
> A custom flow would look like this:
>
> * Cookie Authenticator
> * create an ALTERNATIVE sub flow
>
> * REQUIRED Account Chooser Custom authenticator page - if the kerberos button is clicked, call AuthFlowContext.success() otherwise AuthFlowContext.attempted(). Attempted will abort this alternative flow
> * REQUIRED Built in Kerberos Authenticator
>
> * create another ALTERNATIVE sub flow
> * REQUIRED built in username/password authenticator
>
> On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
> > Hello
> > Right now our keycloak server was setup to do kerberos authentication with ldap as backup, so in this case, the user will get them in automatically from the company domain when they hitting the URL, we have application role definitions in the keycloak, if the user does not have the role configured then we want to logout them back to the default keycloak login page and let them try their LDAP user account.
> > But because kerberos authentication is always on the top, so right after we logout the user, the kerberos will let them in automatically
> > right now we are using keycloak.logout from keycloak.js to logout user
> > I am wondering what is the good practice to achieve this?
> > Any suggestions are welcome
> > thanks
> > raymond
> ------------------------------
> Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
> If you wish to unsubscribe from future updates from Moneris, please click here. Please see the Moneris Privacy Policy here.
> This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
> ------------------------------
> Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
> If you wish to remove your name from the Moneris mailing list, please click here. Please see the Moneris Privacy Policy here.
> This e-mail may contain confidential or privileged information, and its sender does not waive any related right or obligation. Distribution, use or reproduction of this e-mail or the information it contains by anyone other than its intended recipient is prohibited. If you received this e-mail in error, please advise me immediately (by return e-mail or otherwise).
>
> _______________________________________________
> keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- filipe lautert

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/e87177a5/attachment.html From pnalyvayko at agi.com Thu Aug 18 14:54:23 2016 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Thu, 18 Aug 2016 18:54:23 +0000 Subject: [keycloak-user] Database upgrade In-Reply-To: References: , Message-ID: Tom, thanks for the link. My use case: the dev team uses keycloak final 2.0.0 release distribution in their development environment. To start keycloak they run 'standalone.bat' as a part of their dev test bootstrap (not 'mvn -f ...-Pkeycloak-server).
Sometimes there is a need to run the keycloak database init/upgrade without actually starting the keycloak server, so it would be great to be able to achieve that by specifying, for example, an extra parameter to'standalone.bat', i.e: $ standalone.bat --init-database-only The above command would execute the database initialization/upgrade and immediately terminate. Does it make sense? The instructions in the link, I believe, were written for a slightly different use case. ________________________________________ From: Thomas Darimont [thomas.darimont at googlemail.com] Sent: Thursday, August 18, 2016 2:15 PM To: Nalyvayko, Peter Cc: keycloak-user Subject: Re: [keycloak-user] Database upgrade Hello Peter, https://github.com/keycloak/keycloak/blob/master/misc/UpdatingDatabaseSchema.md Cheers, Thomas 2016-08-18 19:21 GMT+02:00 Nalyvayko, Peter >: Hi, Is there an existing way to execute the keycloak database upgrade without actually starting the keycloak server? Thanks! --Peter _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Thu Aug 18 15:10:13 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 18 Aug 2016 15:10:13 -0400 Subject: [keycloak-user] disable kerberos SSO when needed In-Reply-To: References: <0ABE2BE06E188B4FA117BC5D9D11ECCF50520805@sq9bmexpr03.MONAD.MONERIS.COM> <68192f27-8c92-d0f7-fed4-f27aff9922cd@redhat.com> Message-ID: <877b5f68-537d-d50e-9d96-3d34eadaac31@redhat.com> Filipe, wouldn't you just have your Client Cert Authenticator be alternative and just use the "Forms" sub-flow structure that exists in the built in "Browser" flow? On 8/18/16 2:33 PM, Filipe Lautert wrote: > Hello > > I've a similar case to this one, but instead of using an account page > I use the ssl client certificate passed by Apache. 
I set up everything > as the example you provided, but even if in my "Account Chooser Custom > authenticator" I call AuthFlowContext.success() it is still showing me > the username/password form from the next alternative flow. > > I worked around it creating a class called > AlternativeUsernamePasswordFormFactory that > extends UsernamePasswordFormFactory, and the only change that I did to > it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE > to the REQUIREMENT_CHOICES . Now, if I set this new auth type as > alternative in Keycloak, it does what I want. > > So my questions are: am I missing something to mark my Authenticator > as sufficient to end the flow and return to the client? if not, is > there a reason why UsernamePasswordFormFactory doesn't provide the > ALTERNATIVE option, and can it be added to this class? > > I'm posting this again os this thread as Ray may face the same issue > soon... > > Cheers > > filipe > > On Wed, Aug 17, 2016 at 6:38 PM Bill Burke > wrote: > > You would need to create a custom authenticator that is like an > account chooser page, i.e. two buttons one says "login to > kerberos" the other says "login to ldap". > > A custom flow would look like this: > > * Cookie Authenticator > > * create an ALTERNATIVE sub flow > > * REQUIRED Account Chooser Custom authenticator page - if the > kerberos button is clicked, call AuthFlowContext.success() > otherwise AuthFLowContext.attempted(). 
Attempted will abort this alternative flow
> * REQUIRED Built in Kerberos Authenticator
>
> * create another ALTERNATIVE sub flow
> * REQUIRED built in username/password authenticator
>
> On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:
>> Hello
>> Right now our keycloak server was setup to do kerberos authentication with ldap as backup, so in this case, the user will get them in automatically from the company domain when they hitting the URL, we have application role definitions in the keycloak, if the user does not have the role configured then we want to logout them back to the default keycloak login page and let them try their LDAP user account.
>> But because kerberos authentication is always on the top, so right after we logout the user, the kerberos will let them in automatically
>> right now we are using keycloak.logout from keycloak.js to logout user
>> I am wondering what is the good practice to achieve this?
>> Any suggestions are welcome
>> thanks
>> raymond
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> -- filipe lautert

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/a81ec11b/attachment.html From thomas.darimont at googlemail.com Thu Aug 18 16:30:24 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 18 Aug 2016 22:30:24 +0200 Subject: [keycloak-user] Database upgrade In-Reply-To: References: Message-ID: Hello Peter, if you're already on 2.0.0 then you could do the following. .. Download the latest keycloak-2.1.0.Final release and extract it. Then just run the liquibase scripts within the keycloak-model-jpa-2.1.0.Final.jar from the classpath as shown below. This works because since version 1.9.1.Final until now (2.2.0..)
the liquibase scripts only contain declarative changes (that have no deps on Keycloak classes), however earlier versions run custom migration code that requires a bunch of Keycloak application classes on the classpath. So this approach (currently) works but will require additional classpath / infrastructure changes once keycloak needs to perform some programmatic migration operations in future releases. In my test I used a database with very little data so I'd recommend that you try this on a database backup first :-) The following example is based on a database created by Keycloak version 1.9.1.Final that I want to upgrade to 2.1.0.Final.

My current directory: tom at euler ~/dev/playgroud/keycloak/keycloak-2.1.0.Final

# Configure PG JDBC Driver jar
POSTGRES_JDBC_LIB=~/.m2/repository/org/postgresql/postgresql/9.4.1209.jre7/postgresql-9.4.1209.jre7.jar

# Keycloak Deps
KEYCLOAK_DEPS_LIB=modules/system/layers/base/org/jboss/logging/main/jboss-logging-3.3.0.Final.jar

# Keycloak JPA Model jar contains the liquibase migration scripts
KEYCLOAK_JPA_MODEL_LIB=modules/system/layers/keycloak/org/keycloak/keycloak-model-jpa/main/keycloak-model-jpa-2.1.0.Final.jar

# Manually execute the database update
java -jar modules/system/layers/keycloak/org/liquibase/main/liquibase-core-3.4.1.jar \
  --driver=org.postgresql.Driver \
  --classpath="$POSTGRES_JDBC_LIB:$KEYCLOAK_DEPS_LIB:$KEYCLOAK_JPA_MODEL_LIB" \
  --changeLogFile=META-INF/jpa-changelog-master.xml \
  --url="jdbc:postgresql://localhost:5432/keycloak_migration_test" \
  --username=keycloak \
  --password=keycloak \
  --logLevel=debug \
  update

The migration logs were actually quite big so I pasted them here for reference: https://gist.github.com/thomasdarimont/4d24215681b395361abd6736fa8ce36c And yes, I could successfully start Keycloak 2.1.0 on the migrated database. With that said, I agree with you that it would be a good idea to provide a script that only performs the database migration to ease testing of new releases.
Cheers, Thomas 2016-08-18 20:54 GMT+02:00 Nalyvayko, Peter : > Tom, thanks for the link. My use case: the dev team uses keycloak final > 2.0.0 release distribution in their development environment. > To start keycloak they run 'standalone.bat' as a part of their dev test > bootstrap (not 'mvn -f ...-Pkeycloak-server) . Sometimes there is a need to > run the keycloak database init/upgrade without actually starting the > keycloak server, so it would be great to be able to achieve that by > specifying, for example, an extra parameter to'standalone.bat', i.e: > > $ standalone.bat --init-database-only > > The above command would execute the database initialization/upgrade and > immediately terminate. Does it make sense? > > The instructions in the link, I believe, were written for a slightly > different use case. > > ________________________________________ > From: Thomas Darimont [thomas.darimont at googlemail.com] > Sent: Thursday, August 18, 2016 2:15 PM > To: Nalyvayko, Peter > Cc: keycloak-user > Subject: Re: [keycloak-user] Database upgrade > > Hello Peter, > > https://github.com/keycloak/keycloak/blob/master/misc/ > UpdatingDatabaseSchema.md > > Cheers, > Thomas > > 2016-08-18 19:21 GMT+02:00 Nalyvayko, Peter lyvayko at agi.com>>: > Hi, > Is there an existing way to execute the keycloak database upgrade without > actually starting the keycloak server? > Thanks! > --Peter > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... 
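The same manual migration driven through the Liquibase Java API instead of the CLI, as an added example that is not part of the thread and not Keycloak code. It assumes the classpath from Thomas's command (liquibase-core-3.4.1, keycloak-model-jpa-2.1.0.Final, jboss-logging and the JDBC driver jar) so that META-INF/jpa-changelog-master.xml resolves from the classpath; the class name, the argument order and the --apply flag are assumptions. What it adds over a bare 'update' is the check a practitioner wants before touching a real schema: it lists the change sets that have not run yet, renders the SQL Liquibase would execute without executing it (the CLI's updateSQL), and only applies anything when explicitly asked.

```java
import java.io.StringWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.List;

import liquibase.Contexts;
import liquibase.LabelExpression;
import liquibase.Liquibase;
import liquibase.changelog.ChangeSet;
import liquibase.database.Database;
import liquibase.database.DatabaseFactory;
import liquibase.database.jvm.JdbcConnection;
import liquibase.resource.ClassLoaderResourceAccessor;

/**
 * Hypothetical helper (not part of Keycloak): runs the Keycloak Liquibase changelog
 * against a database without starting the server. Without --apply it only reports
 * the pending change sets and prints the SQL that would run.
 *
 * Run with the same jars on the classpath as the liquibase CLI invocation above:
 *   java -cp liquibase-core-3.4.1.jar:keycloak-model-jpa-2.1.0.Final.jar:\
 *        jboss-logging-3.3.0.Final.jar:postgresql-9.4.1209.jre7.jar:. \
 *        KeycloakSchemaUpdate jdbc:postgresql://localhost:5432/keycloak_migration_test keycloak keycloak [--apply]
 */
public class KeycloakSchemaUpdate {

    // Changelog shipped inside keycloak-model-jpa-*.jar; resolved from the classpath.
    static final String CHANGELOG = "META-INF/jpa-changelog-master.xml";

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeycloakSchemaUpdate <jdbc-url> <user> <password> [--apply]");
            System.exit(2);
        }
        boolean apply = args.length > 3 && "--apply".equals(args[3]);

        try (Connection conn = DriverManager.getConnection(args[0], args[1], args[2])) {
            Database db = DatabaseFactory.getInstance()
                    .findCorrectDatabaseImplementation(new JdbcConnection(conn));
            Liquibase liquibase = new Liquibase(CHANGELOG, new ClassLoaderResourceAccessor(), db);

            // 1. What would change? Liquibase compares the DATABASECHANGELOG table
            //    with the changelog and returns the change sets not yet recorded.
            List<ChangeSet> pending = liquibase.listUnrunChangeSets(new Contexts(), new LabelExpression());
            System.out.println(pending.size() + " pending change set(s)");
            for (ChangeSet cs : pending) {
                System.out.println("  " + cs.getId() + " by " + cs.getAuthor() + " (" + cs.getFilePath() + ")");
            }
            if (pending.isEmpty()) {
                return;
            }

            // 2. Render the SQL without executing it (the CLI's updateSQL), so the DDL
            //    can be reviewed, tried on a restored backup, or handed to a DBA first.
            StringWriter sql = new StringWriter();
            liquibase.update(new Contexts(), sql);
            System.out.println(sql);

            // 3. Only touch the schema on an explicit flag.
            if (apply) {
                liquibase.update(new Contexts());
                System.out.println("schema updated");
            } else {
                System.out.println("dry run only; re-run with --apply to execute");
            }
        }
    }
}
```

The limitation Thomas describes applies unchanged: the changelog is only self-contained for databases created by 1.9.1.Final or later, and older schemas need Keycloak's own migration classes on the classpath. If an earlier run died half way, Liquibase can leave a row behind in DATABASECHANGELOGLOCK and the next run will wait on it; liquibase.forceReleaseLocks() clears it, but only after confirming that no other instance is migrating the same database.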
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/b953a2b5/attachment-0001.html From filipelautert at gmail.com Thu Aug 18 16:31:28 2016 From: filipelautert at gmail.com (Filipe Lautert) Date: Thu, 18 Aug 2016 20:31:28 +0000 Subject: [keycloak-user] disable kerberos SSO when needed In-Reply-To: <877b5f68-537d-d50e-9d96-3d34eadaac31@redhat.com> References: <0ABE2BE06E188B4FA117BC5D9D11ECCF50520805@sq9bmexpr03.MONAD.MONERIS.COM> <68192f27-8c92-d0f7-fed4-f27aff9922cd@redhat.com> <877b5f68-537d-d50e-9d96-3d34eadaac31@redhat.com> Message-ID: Hello Bill it worked, but slightly different from your suggestion - thanks for the help! For some reason when I put my authenticator inside a flow it was not working as alternative, but outside of it worked. So my flow had to be changed as below:

* Cookie Authenticator
* create an ALTERNATIVE sub flow
* REQUIRED Add Execution (outside of flow) as ALTERNATIVE Account Chooser Custom authenticator page - success call AuthFlowContext.success() otherwise AuthFlowContext.attempted().
* create ALTERNATIVE sub flow (Forms)
* REQUIRED built in username/password authenticator

Cheers filipe On Thu, Aug 18, 2016 at 4:10 PM Bill Burke wrote: > Filipe, wouldn't you just have your Client Cert Authenticator be > alternative and just use the "Forms" sub-flow structure that exists in the > built in "Browser" flow? > > On 8/18/16 2:33 PM, Filipe Lautert wrote: > > Hello > > I've a similar case to this one, but instead of using an account page I > use the ssl client certificate passed by Apache. I set up everything as the > example you provided, but even if in my "Account Chooser Custom > authenticator" I call AuthFlowContext.success() it is still showing me > the username/password form from the next alternative flow.
> > I worked around it creating a class called AlternativeUsernamePasswordFormFactory > that extends UsernamePasswordFormFactory, and the only change that I did to > it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE to > the REQUIREMENT_CHOICES . Now, if I set this new auth type as alternative > in Keycloak, it does what I want. > > So my questions are: am I missing something to mark my Authenticator as > sufficient to end the flow and return to the client? if not, is there a > reason why UsernamePasswordFormFactory doesn't provide the ALTERNATIVE > option, and can it be added to this class? > > I'm posting this again os this thread as Ray may face the same issue > soon... > > Cheers > > filipe > > On Wed, Aug 17, 2016 at 6:38 PM Bill Burke wrote: > >> You would need to create a custom authenticator that is like an account >> chooser page, i.e. two buttons one says "login to kerberos" the other says >> "login to ldap". >> >> A custom flow would look like this: >> >> * Cookie Authenticator >> * create an ALTERNATIVE sub flow >> >> * REQUIRED Account Chooser Custom authenticator page - if the kerberos >> button is clicked, call AuthFlowContext.success() otherwise >> AuthFLowContext.attempted(). Attempted will abort this alternative flow >> * REQUIRED Built in Kerberos Authenticator >> >> * create another ALTERNATIVE sub flow >> * REQUIRED built in username/password authenticator >> >> >> On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote: >> >> Hello >> >> >> >> Right now our keycloak server was setup to do kerberos authentication >> with ldap as backup, so in this case, the user will get them in >> automatically >> >> from the company domain when they hitting the URL, we have application >> role definitions in the keycloak, if the user does not have the role >> configured >> >> then we want to logout them back to the default key cloack login page and >> let them try their LDAP user account. 
>> But because kerberos authentication is always on the top, so right after we logout the user, the kerberos will let them in automatically
>> right now we are using keycloak.logout from keycloak.js to logout user
>> I am wondering what is the good practice to achieve this?
>> Any suggestions are welcome
>> thanks
>> raymond
>> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > filipe lautert > > > -- filipe lautert -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/65750774/attachment.html From pnalyvayko at agi.com Thu Aug 18 16:48:10 2016 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Thu, 18 Aug 2016 20:48:10 +0000 Subject: [keycloak-user] Database upgrade In-Reply-To: References: , Message-ID: Nice, thanks Tom, appreciate it, I'll give it a try. Sincerely, Peter ________________________________________ From: Thomas Darimont [thomas.darimont at googlemail.com] Sent: Thursday, August 18, 2016 4:30 PM To: Nalyvayko, Peter Cc: keycloak-user Subject: Re: [keycloak-user] Database upgrade Hello Peter, if you're already on 2.0.0 then you could do the following. .. Download the latest keycloak-2.1.0.Final relase and extract it. Then just run the liquibase scripts within the keycloak-model-jpa-2.1.0.Final.jar from the classpath as shown below. This works because since version 1.9.1.Final until now (2.2.0..) the liquibase scripts only contain declarative changes (that have no deps on Keycloak classes), however earlier versions run custom migration code that requires a bunch of Keycloak application classes on the classpath. So this approach (currently) works but will require additional classpath / infrastructure changes once keycloak needs to perform some programmatic migration operations in future releases. 
In my test I used a database with very little data so I'd recommend that you try this on a database backup first :-) The following example is based on a database created by Keycloak version 1.9.1.Final that I want to upgrade to 2.1.0.Final.

My current directory: tom at euler ~/dev/playgroud/keycloak/keycloak-2.1.0.Final

# Configure PG JDBC Driver jar
POSTGRES_JDBC_LIB=~/.m2/repository/org/postgresql/postgresql/9.4.1209.jre7/postgresql-9.4.1209.jre7.jar

# Keycloak Deps
KEYCLOAK_DEPS_LIB=modules/system/layers/base/org/jboss/logging/main/jboss-logging-3.3.0.Final.jar

# Keycloak JPA Model jar contains the liquibase migration scripts
KEYCLOAK_JPA_MODEL_LIB=modules/system/layers/keycloak/org/keycloak/keycloak-model-jpa/main/keycloak-model-jpa-2.1.0.Final.jar

# Manually execute the database update
java -jar modules/system/layers/keycloak/org/liquibase/main/liquibase-core-3.4.1.jar \
  --driver=org.postgresql.Driver \
  --classpath="$POSTGRES_JDBC_LIB:$KEYCLOAK_DEPS_LIB:$KEYCLOAK_JPA_MODEL_LIB" \
  --changeLogFile=META-INF/jpa-changelog-master.xml \
  --url="jdbc:postgresql://localhost:5432/keycloak_migration_test" \
  --username=keycloak \
  --password=keycloak \
  --logLevel=debug \
  update

The migration logs were actually quite big so I pasted them here for reference: https://gist.github.com/thomasdarimont/4d24215681b395361abd6736fa8ce36c And yes, I could successfully start Keycloak 2.1.0 on the migrated database. With that said, I agree with you that it would be a good idea to provide a script that only performs the database migration to ease testing of new releases. Cheers, Thomas 2016-08-18 20:54 GMT+02:00 Nalyvayko, Peter: Tom, thanks for the link. My use case: the dev team uses keycloak final 2.0.0 release distribution in their development environment. To start keycloak they run 'standalone.bat' as a part of their dev test bootstrap (not 'mvn -f ...-Pkeycloak-server).
Sometimes there is a need to run the keycloak database init/upgrade without actually starting the keycloak server, so it would be great to be able to achieve that by specifying, for example, an extra parameter to 'standalone.bat', i.e: $ standalone.bat --init-database-only The above command would execute the database initialization/upgrade and immediately terminate. Does it make sense? The instructions in the link, I believe, were written for a slightly different use case. ________________________________________ From: Thomas Darimont [thomas.darimont at googlemail.com] Sent: Thursday, August 18, 2016 2:15 PM To: Nalyvayko, Peter Cc: keycloak-user Subject: Re: [keycloak-user] Database upgrade Hello Peter, https://github.com/keycloak/keycloak/blob/master/misc/UpdatingDatabaseSchema.md Cheers, Thomas 2016-08-18 19:21 GMT+02:00 Nalyvayko, Peter: Hi, Is there an existing way to execute the keycloak database upgrade without actually starting the keycloak server? Thanks! --Peter _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From cjhenck at live.com Thu Aug 18 17:15:56 2016 From: cjhenck at live.com (Justin Henck) Date: Thu, 18 Aug 2016 17:15:56 -0400 Subject: [keycloak-user] Organization Based Accounts and Permissions In-Reply-To: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> Message-ID: Hi Pedro, Thanks for the suggestions, this is great. Out of curiosity, are we able to make Groups or Roles the owners of resources? I couldn't find much documentation on the "owner" function within the gitbooks at the moment.
Thanks, Justin On 8/17/16, 6:25 PM, "Pedro Igor Silva" wrote: ----- Original Message ----- From: "Pedro Igor Silva" To: "Charles Henck" Cc: keycloak-user at lists.jboss.org Sent: Wednesday, August 17, 2016 6:38:01 PM Subject: Re: [keycloak-user] Organization Based Accounts and Permissions ----- Original Message ----- > From: "Charles Henck" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, August 16, 2016 4:49:01 PM > Subject: [keycloak-user] Organization Based Accounts and Permissions > > > > Hello all, > > I'm working on an organization-based service and want to have > resource-specific permissions that are restricted by (from a user > perspective) organization-specific roles. Since I'm not familiar with the > specific terminology, I'm thinking of something similar to how GitHub > manages their permissions: > > > > - A single user can be a member of multiple organizations > > - A user can have different roles with different organizations that grant > them access to all of an organization's resources If the organizations each represent a separate realm, you won't be able to share users. In Keycloak, a user belongs to a single realm. I think that with some creative naming for roles (and groups), you can get there. > > - A user can have access to a specific resource > > - That organization-specific role determines access to different organization > resources You can address these two by using our authorization services. Or even by writing plenty of "ifs" in your application based on the information carried by a token. I would suggest you give the authorization services a try :) For instance, let's say you have an "Organization A Resource". This resource is associated with an "Organization A Resource Permission". Here the "Organization A Resource" represents any resource in Organization A and "Organization A Resource Permission" represents all the policies you want to enforce on any resource that belongs to Organization A.
In this case, you can apply different types of policies to these resources, for instance, only users with role "organization-a-role" are allowed. You may also have a "Charles Resource", which was created by your service using the Protection API. In this case, your service may specify that "Charles Resource" belongs to Charles (resource owner) and apply permissions/policies to this resource that define that only Charles is allowed to access. Going further, let's say that you want to give temporary access to your resource to someone. You may create a "Temporary Access Policy" that specifies which users (user-based policy) are allowed to access your resource. Another thing you can do is perform access decisions based on the actions that you can perform on your resource. Let's say that everybody can see your resource, but only the resource owner (you) can edit or delete it. I'm really thinking about pushing a new example application with a permission model similar to github, it will be fun :) > > > > Are there any best practices or patterns for this model? > > > > Thanks! > > Justin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From postmaster at lists.jboss.org Fri Aug 19 02:26:25 2016 From: postmaster at lists.jboss.org (The Post Office) Date: Fri, 19 Aug 2016 13:26:25 +0700 Subject: [keycloak-user] Report Message-ID: <201608190626.u7J6QWaR019362@lists01.dmz-a.mwc.hst.phx2.redhat.com> -------------- next part -------------- A non-text attachment was scrubbed... 
Name: transcript.zip Type: application/octet-stream Size: 28990 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/0aaea208/attachment-0001.obj From martine.gateau at altran.com Fri Aug 19 05:18:16 2016 From: martine.gateau at altran.com (GATEAU Martine) Date: Fri, 19 Aug 2016 09:18:16 +0000 Subject: [keycloak-user] Use of Keycloak account for web socket connexions Message-ID: Dear Sir or Madam, We want to use keycloak for one project where we have Websocket communication between a mobile app and a server. We want to create user accounts, so that the users can log in and be authenticated. Then, we will open a web socket and only a few or no HTTP messages will be exchanged between the App and the server. What will happen with the keycloak session? Is there a means with web sockets to let keycloak know that traffic exchanges have occurred without an HTTP message? Do you advise having a long session duration (for example 1 day) to avoid too frequent disconnections? Thanks in advance for your answer Martine Gateau Systems Engineering Altran Connected Solutions, Orvault E-mail martine.gateau at altran.com Phone +33 2 40 67 61 64 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/85c1c699/attachment.html -------------- next part -------------- A non-text attachment was scrubbed...
Name: image001.png Type: image/png Size: 7794 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/85c1c699/attachment.png From psilva at redhat.com Fri Aug 19 07:34:07 2016 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 19 Aug 2016 07:34:07 -0400 (EDT) Subject: [keycloak-user] Organization Based Accounts and Permissions In-Reply-To: References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> Message-ID: <1112037822.6055227.1471606447676.JavaMail.zimbra@redhat.com> Hi Justin, Right now, the owner is either the client application (resource server) or a user. Can you elaborate more on how making a group or role the owner of resources would help you? Wouldn't it be enough to just apply a role or group (still in progress) policy to your resources? Regarding docs, I'm going to put more info about this topic. Regards. Pedro Igor ----- Original Message ----- From: "Justin Henck" To: "Pedro Igor Silva" Cc: keycloak-user at lists.jboss.org Sent: Thursday, August 18, 2016 6:15:56 PM Subject: Re: [keycloak-user] Organization Based Accounts and Permissions Hi Pedro, Thanks for the suggestions, this is great. Out of curiosity, are we able to make Groups or Roles the owners of resources? I couldn't find much documentation on the "owner" function within the gitbooks at the moment.
Thanks, Justin On 8/17/16, 6:25 PM, "Pedro Igor Silva" wrote: ----- Original Message ----- From: "Pedro Igor Silva" To: "Charles Henck" Cc: keycloak-user at lists.jboss.org Sent: Wednesday, August 17, 2016 6:38:01 PM Subject: Re: [keycloak-user] Organization Based Accounts and Permissions ----- Original Message ----- > From: "Charles Henck" > To: keycloak-user at lists.jboss.org > Sent: Tuesday, August 16, 2016 4:49:01 PM > Subject: [keycloak-user] Organization Based Accounts and Permissions > > > > Hello all, > > I'm working on an organization-based service and want to have > resource-specific permissions that are restricted by (from a user > perspective) organization-specific roles. Since I'm not familiar with the > specific terminology, I'm thinking of something similar to how GitHub > manages their permissions: > > > > - A single user can be a member of multiple organizations > > - A user can have different roles with different organizations that grant > them access to all of an organization's resources If the organizations each represent a separate realm, you won't be able to share users. In Keycloak, a user belongs to a single realm. I think that with some creative naming for roles (and groups), you can get there. > > - A user can have access to a specific resource > > - That organization-specific role determines access to different organization > resources You can address these two by using our authorization services. Or even by writing plenty of "ifs" in your application based on the information carried by a token. I would suggest you give the authorization services a try :) For instance, let's say you have an "Organization A Resource". This resource is associated with an "Organization A Resource Permission". Here the "Organization A Resource" represents any resource in Organization A and "Organization A Resource Permission" represents all the policies you want to enforce on any resource that belongs to Organization A.
In this case, you can apply different types of policies to these resources, for instance, only users with role "organization-a-role" are allowed. You may also have a "Charles Resource", which was created by your service using the Protection API. In this case, your service may specify that "Charles Resource" belongs to Charles (resource owner) and apply permissions/policies to this resource that define that only Charles is allowed to access it. Going further, let's say that you want to give temporary access to your resource to someone. You may create a "Temporary Access Policy" that specifies which users (user-based policy) are allowed to access your resource. Another thing you can do is perform access decisions based on the actions that you can perform on your resource. Let's say that everybody can see your resource, but only the resource owner (you) can edit or delete it. I'm really thinking about pushing a new example application with a permission model similar to github, it will be fun :) > > > > Are there any best practices or patterns for this model? > > > > Thanks! > > Justin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Fri Aug 19 08:24:52 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 19 Aug 2016 14:24:52 +0200 Subject: [keycloak-user] Database upgrade In-Reply-To: References: Message-ID: Funny coincidence, I'm actually working on making it easier to allow manual update of the database. My current approach is that databaseSchema will be deprecated in favor of two new options:

* migrationStrategy - valid values are validate, update and manual. Validate will just check it's up-to-date and stop the server if not. Update will automatically update. Manual will create an SQL file that can be used to manually initialize/migrate the db, then stop the server.
* initializeEmpty - if true and the db is empty it will initialize the db no matter what the migration strategy is

On 18 August 2016 at 22:48, Nalyvayko, Peter wrote: > Nice, thanks Tom, appreciate it, I'll give it a try. > Sincerely, > Peter > ________________________________________ > From: Thomas Darimont [thomas.darimont at googlemail.com] > Sent: Thursday, August 18, 2016 4:30 PM > To: Nalyvayko, Peter > Cc: keycloak-user > Subject: Re: [keycloak-user] Database upgrade > > Hello Peter, > > if you're already on 2.0.0 then you could do the following. > Download the latest keycloak-2.1.0.Final release and extract it. > > Then just run the liquibase scripts within the keycloak-model-jpa-2.1.0.Final.jar > from the classpath as shown below. > This works because since version 1.9.1.Final until now (2.2.0..) the > liquibase scripts > only contain declarative changes (that have no deps on Keycloak classes), > however > earlier versions run custom migration code that requires a bunch of > Keycloak application classes on the classpath. > > So this approach (currently) works but will require additional classpath / > infrastructure changes > once keycloak needs to perform some programmatic migration operations in > future releases. > > In my test I used a database with very little data so I'd recommend that > you try this > on a database backup first :-) > > The following example is based on a database created by Keycloak version > 1.9.1.Final that > I want to upgrade to 2.1.0.Final.
> > My current directory: > tom at euler ~/dev/playgroud/keycloak/keycloak-2.1.0.Final > > # Configure PG JDBC Driver jar > POSTGRES_JDBC_LIB=~/.m2/repository/org/postgresql/ > postgresql/9.4.1209.jre7/postgresql-9.4.1209.jre7.jar > # Keycloak Deps > KEYCLOAK_DEPS_LIB=modules/system/layers/base/org/jboss/ > logging/main/jboss-logging-3.3.0.Final.jar > # Keycloak JPA Model jar contains the liquibase migration scripts > KEYCLOAK_JPA_MODEL_LIB=modules/system/layers/keycloak/org/keycloak/ > keycloak-model-jpa/main/keycloak-model-jpa-2.1.0.Final.jar > > # Manually execute the database update > java -jar modules/system/layers/keycloak/org/liquibase/main/liquibase-core-3.4.1.jar > \ > --driver=org.postgresql.Driver \ > --classpath="$POSTGRES_JDBC_LIB:$KEYCLOAK_DEPS_LIB:$KEYCLOAK_JPA_MODEL_LIB" > \ > --changeLogFile=META-INF/jpa-changelog-master.xml \ > --url="jdbc:postgresql://localhost:5432/keycloak_migration_test" \ > --username=keycloak \ > --password=keycloak \ > --logLevel=debug \ > update > > The migration logs were actually quite big so I pasted them here for > reference: > https://gist.github.com/thomasdarimont/4d24215681b395361abd6736fa8ce36c > > And yes, I could successfully start Keycloak 2.1.0 on the migrated > database. > > With that said, I agree with you that it would be a good idea to provide a > script that only performs the database > migration to ease testing of new releases. > > > Cheers, > Thomas > > 2016-08-18 20:54 GMT+02:00 Nalyvayko, Peter lyvayko at agi.com>>: > Tom, thanks for the link. My use case: the dev team uses keycloak final > 2.0.0 release distribution in their development environment. > To start keycloak they run 'standalone.bat' as a part of their dev test > bootstrap (not 'mvn -f ...-Pkeycloak-server) . 
Sometimes there is a need to > run the keycloak database init/upgrade without actually starting the > keycloak server, so it would be great to be able to achieve that by > specifying, for example, an extra parameter to'standalone.bat', i.e: > > $ standalone.bat --init-database-only > > The above command would execute the database initialization/upgrade and > immediately terminate. Does it make sense? > > The instructions in the link, I believe, were written for a slightly > different use case. > > ________________________________________ > From: Thomas Darimont [thomas.darimont at googlemail.com thomas.darimont at googlemail.com>] > Sent: Thursday, August 18, 2016 2:15 PM > To: Nalyvayko, Peter > Cc: keycloak-user > Subject: Re: [keycloak-user] Database upgrade > > Hello Peter, > > https://github.com/keycloak/keycloak/blob/master/misc/ > UpdatingDatabaseSchema.md > > Cheers, > Thomas > > 2016-08-18 19:21 GMT+02:00 Nalyvayko, Peter lyvayko at agi.com>>>: > Hi, > Is there an existing way to execute the keycloak database upgrade without > actually starting the keycloak server? > Thanks! > --Peter > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > ycloak-user at lists.jboss.org>> > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
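The Database upgrade thread above ends with two complementary pieces: Thomas's liquibase-core invocation (which works from 1.9.1.Final onward only because those changelogs are purely declarative, as he notes) and Stian's planned "manual" strategy that writes an SQL file and stops. What an operator actually wants from a migration-only tool is the combination: validate, produce the SQL, have it reviewed and tested on a backup, then apply. The following is an added example, not code from Keycloak or from anyone in the thread, that wraps the jars Thomas named in exactly that sequence. Everything about the environment is an assumption of the example (the KEYCLOAK_HOME, POSTGRES_JDBC_LIB and KC_DB_URL/KC_DB_USER/KC_DB_PASSWORD variables, the output file names). It also keeps the database password out of the command line: `--password=` on argv is visible to every local user through `ps` and ends up in shell history, so the example puts the credentials into a Liquibase defaults file created with mode 0600.

```python
"""Run the Keycloak Liquibase schema migration without starting the server.

Added example (not code from Keycloak or from the thread). Wraps liquibase-core
as invoked in the thread: validate the changelog, write the SQL that `update`
would execute to a file for review, and apply it only when asked. Credentials
live in a 0600 defaults file, not on the command line.
"""
import os
import subprocess
import sys
from pathlib import Path

# Changelog path inside keycloak-model-jpa-*.jar, as used in the thread.
CHANGELOG = "META-INF/jpa-changelog-master.xml"
ALLOWED_COMMANDS = ("validate", "status", "updateSQL", "update")


def classpath(*jars) -> str:
    """Join jar paths with the platform separator (':' on Unix, ';' on Windows).
    Backslashes become '/' because the value goes into a .properties file, where
    a backslash is an escape character; Java accepts '/' in Windows paths."""
    return os.pathsep.join(str(Path(j).expanduser()).replace("\\", "/") for j in jars)


def defaults_text(driver, cp, url, username, password, log_level="info") -> str:
    """Contents of a Liquibase defaults (liquibase.properties) file.
    A password containing '\\' or leading whitespace needs .properties escaping."""
    lines = [
        f"driver={driver}",
        f"classpath={cp}",
        f"changeLogFile={CHANGELOG}",
        f"url={url}",
        f"username={username}",
        f"password={password}",
        f"logLevel={log_level}",
    ]
    return "\n".join(lines) + "\n"


def write_defaults_file(path, text) -> Path:
    """Create the file with mode 0600 *before* the secret is written into it."""
    path = Path(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten a pre-existing file that was created wider
    return path


def is_allowed_command(command: str) -> bool:
    """Whitelist of Liquibase commands this tool will ever run (no dropAll etc.)."""
    return command in ALLOWED_COMMANDS


def liquibase_argv(liquibase_jar, defaults_file, command) -> list:
    """Command line for liquibase-core; credentials stay in the defaults file."""
    if not is_allowed_command(command):
        raise ValueError(f"refusing unexpected liquibase command {command!r}")
    return ["java", "-jar", str(liquibase_jar),
            f"--defaultsFile={defaults_file}", command]


def find_jar(keycloak_home, relative_glob) -> Path:
    """Resolve a versioned jar under the Keycloak distribution by glob."""
    matches = sorted(Path(keycloak_home).glob(relative_glob))
    if not matches:
        raise FileNotFoundError(f"no match for {relative_glob} under {keycloak_home}")
    return matches[-1]


def migrate(liquibase_jar, defaults_file, review_sql, apply=False) -> str:
    """validate -> updateSQL (captured into review_sql) -> update (only if apply)."""
    subprocess.run(liquibase_argv(liquibase_jar, defaults_file, "validate"), check=True)
    done = subprocess.run(liquibase_argv(liquibase_jar, defaults_file, "updateSQL"),
                          check=True, capture_output=True, text=True)
    Path(review_sql).write_text(done.stdout)  # Liquibase logs go to stderr, SQL to stdout
    if apply:
        subprocess.run(liquibase_argv(liquibase_jar, defaults_file, "update"), check=True)
    return done.stdout


if __name__ == "__main__":
    # Assumed environment for the example: KEYCLOAK_HOME is the extracted
    # distribution, POSTGRES_JDBC_LIB the driver jar, KC_DB_* the connection.
    home = Path(os.environ.get("KEYCLOAK_HOME", "."))
    cp = classpath(
        os.environ["POSTGRES_JDBC_LIB"],
        find_jar(home, "modules/system/layers/base/org/jboss/logging/main/jboss-logging-*.jar"),
        find_jar(home, "modules/system/layers/keycloak/org/keycloak/keycloak-model-jpa/main/keycloak-model-jpa-*.jar"),
    )
    defaults = write_defaults_file("liquibase.properties", defaults_text(
        "org.postgresql.Driver", cp, os.environ["KC_DB_URL"],
        os.environ["KC_DB_USER"], os.environ["KC_DB_PASSWORD"]))
    jar = find_jar(home, "modules/system/layers/keycloak/org/liquibase/main/liquibase-core-*.jar")
    migrate(jar, defaults, "keycloak-update.sql", apply="--apply" in sys.argv)
    print("SQL written to keycloak-update.sql; run again with --apply after reviewing it")
```

Run it from the extracted distribution to get keycloak-update.sql for review, then once more with `--apply`. Pointing KC_DB_URL at a restored backup first, as Thomas recommends, is also the cheap way to learn whether a release has started to need programmatic migration steps that Liquibase alone cannot perform: `validate` and `updateSQL` will still succeed, but the server will not start on the result.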
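The Organization Based Accounts and Permissions thread running through this page keeps coming back to one recommendation from Pedro: the application should act on the resource/scope pairs the entitlement API granted, not on the roles that happened to satisfy a policy, so that permissions and policies can be reshuffled in Keycloak without touching application code. Here is what that looks like on the application side, as an added example that is not Keycloak code and not anyone's from the thread. The claims are a constructed decoded RPT with the same shape as the JSON Ushanas posts (the two resource_set_id values are hers, the third is made up); the "Employee" entry tries out her own alternative of encoding the Employee Type in the scope name ("Consultant:Add") instead of in a client role. Signature verification of the RPT is assumed to have happened before these claims are trusted.

```python
"""Application-side authorization decisions over a Keycloak entitlement response.

Added example, not code from Keycloak or from anyone in the thread. It follows
the advice given there: decide on the resource/scope pairs the server granted,
never on the role list that satisfied a policy. The claims below are a
constructed sample shaped like the JSON posted in the thread.
"""

# Constructed sample of decoded RPT claims. The first two resource_set_id
# values are the ones from the thread; the third is made up for the example.
SAMPLE_CLAIMS = {
    "resource_access": {"servlet-authz-app": {"roles": ["Setup1", "Setup2"]}},
    "authorization": {
        "permissions": [
            {"scopes": ["view"],
             "resource_set_id": "35750d56-d32a-4106-8b63-882e998ec545",
             "resource_set_name": "Account Setup"},
            {"scopes": ["view"],
             "resource_set_id": "11389916-6cac-41af-95f1-8409019a84b3",
             "resource_set_name": "Investor Setup"},
            # '<Type>:<action>' scope names, the alternative modelling suggested
            # in the thread for a property of the resource (Employee Type).
            {"scopes": ["Consultant:Add", "Consultant:View", "Consultant:Edit", "Temp:View"],
             "resource_set_id": "00000000-0000-0000-0000-000000000003",
             "resource_set_name": "Employee"},
        ]
    },
}


def granted_scopes(claims: dict, resource_name: str) -> set:
    """Union of the scopes granted on every permission entry for a resource name.

    Deny by default: a missing 'authorization' claim, a missing 'permissions'
    list or an entry without 'scopes' grants nothing here. (Check what your
    Keycloak release means by an entry without scopes before relaxing this.)
    The claims must come from an RPT whose signature was already verified."""
    permissions = (claims.get("authorization") or {}).get("permissions") or []
    scopes = set()
    for entry in permissions:
        if entry.get("resource_set_name") == resource_name:
            scopes.update(entry.get("scopes") or [])
    return scopes


def is_granted(claims: dict, resource_name: str, scope: str) -> bool:
    """True only if the server granted `scope` on `resource_name`; the roles in
    resource_access are deliberately never consulted."""
    return scope in granted_scopes(claims, resource_name)


def is_granted_for_type(claims: dict, resource_name: str, resource_type: str, action: str) -> bool:
    """The '<Type>:<action>' convention: Employee Type lives in the scope name."""
    return is_granted(claims, resource_name, f"{resource_type}:{action}")


def menu_entries(claims: dict, wanted: dict) -> list:
    """Build a menu from granted permissions (the servlet-authz-app idea):
    `wanted` maps a menu label to the (resource, scope) it requires."""
    return [label for label, (resource, scope) in wanted.items()
            if is_granted(claims, resource, scope)]


if __name__ == "__main__":
    # "Setup2" is present in resource_access, yet it grants nothing by itself.
    print("edit Account Setup:", is_granted(SAMPLE_CLAIMS, "Account Setup", "edit"))  # False
    print("view Account Setup:", is_granted(SAMPLE_CLAIMS, "Account Setup", "view"))  # True
    print("add Temp employee:", is_granted_for_type(SAMPLE_CLAIMS, "Employee", "Temp", "Add"))  # False
    print(menu_entries(SAMPLE_CLAIMS, {
        "Accounts": ("Account Setup", "view"),
        "Investors": ("Investor Setup", "view"),
        "Payroll": ("Payroll", "view"),
    }))  # ['Accounts', 'Investors']
```

The point of `menu_entries` is that the application never asks "does this user have Setup1": if the Account Setup permission is later re-attached to a group policy or a time-based policy, the code above keeps working unchanged.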
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/5382b86c/attachment-0001.html From ushanas.shastri at viteos.com Fri Aug 19 08:59:47 2016 From: ushanas.shastri at viteos.com (Ushanas Shastri) Date: Fri, 19 Aug 2016 12:59:47 +0000 Subject: [keycloak-user] Organization Based Accounts and Permissions In-Reply-To: <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com> References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com> <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com> Message-ID: <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com> Classification: INTERNAL Hello, The requirement is that users can access either, neither or both, completely based on what their client role is. User A is mapped to Client Role 1 and Client Role 2 For Client Role 1, User A has some permissions, but for Client Role 2, the permissions are different. So, we've created one permission for each resource/scope combination, and have created policies based on client role, and then we attach the user to the client role. All of this works perfectly, it's just that the entitlement API response is correct, but not ideal. I would want the response JSON authorization to state that for a given resource and scope is allowed for a set of client roles. The authorization settings are attached. I was unable to export the realm config (through the export feature on the command line). Regards, Ushanas. 
Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, August 18, 2016 5:55 PM To: Ushanas Shastri Cc: Charles Henck; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Organization Based Accounts and Permissions Can you attach an export of your authorization settings? I would like to understand better what you are doing. The realm config would also help. Also, your requirement is that a user can only access one resource or another, but never both? ----- Original Message ----- From: "Ushanas Shastri" To: "Pedro Igor Silva" Cc: "Charles Henck" , keycloak-user at lists.jboss.org Sent: Thursday, August 18, 2016 9:05:00 AM Subject: RE: [keycloak-user] Organization Based Accounts and Permissions Classification: INTERNAL Thank you! I have looked at both examples, and we tried to create resources as being types. Where we're stuck is that we need one additional parameterized context, which we thought we'd achieve by creating client roles. So, the idea is that scope based permissions apply for a given client role. There are no issues setting this up in KC, but the Entitlement API returns a representation that does not combine resource, scopes *and* client roles. It combines resources and scopes, but client roles are a separate list.
The JSON (a part of it) looks like this:

"resource_access": {
  "servlet-authz-app": {
    "roles": [
      "Setup1",
      "Setup2"
    ]
  }
},
"authorization": {
  "permissions": [
    {
      "scopes": [
        "view"
      ],
      "resource_set_id": "35750d56-d32a-4106-8b63-882e998ec545",
      "resource_set_name": "Account Setup"
    },
    {
      "scopes": [
        "view"
      ],
      "resource_set_id": "11389916-6cac-41af-95f1-8409019a84b3",
      "resource_set_name": "Investor Setup"
    }
  ]
}

The way it's set up is that this user can do view scope for resource "Account Setup" for only client role "Setup1", and cannot do scope view for resource "Account Setup" for client role "Setup2". If the authorization property put relevant client roles inside permissions, it would do everything we needed. Regards, Ushanas. Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Thursday, August 18, 2016 5:25 PM To: Ushanas Shastri Cc: Charles Henck; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Organization Based Accounts and Permissions ----- Original Message ----- > From: "Ushanas Shastri" > To: "Pedro Igor Silva" , "Charles Henck" > > Cc: keycloak-user at lists.jboss.org > Sent: Thursday, August 18, 2016 4:13:18 AM > Subject: RE: [keycloak-user] Organization Based Accounts and > Permissions > > Classification: INTERNAL > Hello, > > I don't mean to hijack this thread, but I've had similar requirements, > and would love some advice. > > Do you create Resources based on Features (menus in an application) or > based on actual data. For e.g. if Bank Account Maintenance is a > feature that allows you to create/update bank account information, do > you create a Resource in KC for each bank account in the system, and > then give permissions/policies on it, or do you create one Bank > Account resource as indicative of the type Bank Account?
> The idea is that you can do both: feature and/or resource. That is the reason behind our Protection API (based on the UMA spec). It provides an API that allows client applications acting as a resource server (your service) to create "resource instances" whose owner could be a user. But nothing stops you from still having a typed resource (eg.: type Bank Account) and applying general permissions/policies to it. Take a look at the "authz/photoz" example application, there we try to demonstrate that. There you have a general purpose "Album Resource" and every time a user creates a new album, a corresponding resource is also created in the server. In this case, the new resource is going to inherit the permissions applied to the "Album Resource". For the feature-based resource scenario, you may take a look at "authz/servlet-authz-app". There we try to demonstrate how you can protect resources and actions/scopes in order to build, for instance, a dynamic menu with the permissions granted by the server. This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd.and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity -------------- next part -------------- A non-text attachment was scrubbed... Name: Rec2-authz-config.json Type: application/octet-stream Size: 3455 bytes Desc: Rec2-authz-config.json Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/0484dc59/attachment.obj From psilva at redhat.com Fri Aug 19 09:11:09 2016 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 19 Aug 2016 09:11:09 -0400 (EDT) Subject: [keycloak-user] Organization Based Accounts and Permissions In-Reply-To: <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com> References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com> <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com> <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com> Message-ID: <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Ushanas Shastri" > To: "Pedro Igor Silva" > Cc: "Charles Henck" , keycloak-user at lists.jboss.org > Sent: Friday, August 19, 2016 9:59:47 AM > Subject: RE: [keycloak-user] Organization Based Accounts and Permissions > >
Classification: INTERNAL > Hello, > > The requirement is that users can access either, neither or both, completely > based on what their client role is. > > User A is mapped to Client Role 1 and Client Role 2 > For Client Role 1, User A has some permissions, but for Client Role 2, the > permissions are different. So, we've created one permission for each > resource/scope combination, and have created policies based on client role, > and then we attach the user to the client role. All of this works perfectly, > it's just that the entitlement API response is correct, but not ideal. That is what I want to take a closer look. In theory, you don't need to know about the roles that granted access to a permission. The idea is the opposite, your application should not be aware about the access control mechanisms that were used. Instead, you should just rely on the resource/scopes that were granted, so you can manage permissions/policies as you want and avoid coupling. Please, give me some time to try out your config. Will try to look at it today. Thanks. > > I would want the response JSON authorization to state that for a given > resource and scope is allowed for a set of client roles. > > The authorization settings are attached. I was unable to export the realm > config (through the export feature on the command line). > > Regards, Ushanas. > Viteos Fund Services Ltd | www.viteos.com > Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240 > Cell : +91-9820225580 > Email : ushanas.shastri at viteos.com > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Thursday, August 18, 2016 5:55 PM > To: Ushanas Shastri > Cc: Charles Henck; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Organization Based Accounts and Permissions > > Can you attach export your authorization settings ? Would like to understand > better what you are doing. The realm config would also help. 
> > Also, your requirement is that an user can only access one resource or > another, but never both ? > > ----- Original Message ----- > From: "Ushanas Shastri" > To: "Pedro Igor Silva" > Cc: "Charles Henck" , keycloak-user at lists.jboss.org > Sent: Thursday, August 18, 2016 9:05:00 AM > Subject: RE: [keycloak-user] Organization Based Accounts and Permissions > > Classification: INTERNAL > Thank you! > > I have looked at both examples, and we tried to create resources as being > types. > > Where we're stuck is that we need one additional parameterized context, which > we thought we'd achieve by creating client roles. > > So, the idea is that scope based permissions apply for a given client role. > There are no issues setting this up in KC, but the Entitlement API returns > a representation that does not combine resource, scopes *and* client roles. > It combines resources and scopes, but client roles are a separate list. > > The JSON (a part of it) looks like this > > "resource_access": { > "servlet-authz-app": { > "roles": [ > "Setup1", > "Setup2" > ] > } > }, > "authorization": { > "permissions": [ > { > "scopes": [ > "view" > ], > "resource_set_id": "35750d56-d32a-4106-8b63-882e998ec545", > "resource_set_name": "Account Setup" > }, > { > "scopes": [ > "view" > ], > "resource_set_id": "11389916-6cac-41af-95f1-8409019a84b3", > "resource_set_name": "Investor Setup" > } > ] > } > > The way its setup, is that this user can do view scope for resource "Account > Setup" for only client role "Setup1", and cannot do scope view for resource > "Account Setup" for client role "Setup2". > > If the authorization property put relevant client roles inside permissions, > it would do everything we needed. > > > > Regards, Ushanas. 
> Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1- > 888-821-7561 extn 240 Cell : +91-9820225580 Email : > ushanas.shastri at viteos.com > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Thursday, August 18, 2016 5:25 PM > To: Ushanas Shastri > Cc: Charles Henck; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Organization Based Accounts and Permissions > > ----- Original Message ----- > > From: "Ushanas Shastri" > > To: "Pedro Igor Silva" , "Charles Henck" > > > > Cc: keycloak-user at lists.jboss.org > > Sent: Thursday, August 18, 2016 4:13:18 AM > > Subject: RE: [keycloak-user] Organization Based Accounts and > > Permissions > > > > Classification: INTERNAL > > Hello, > > > > I don't mean to hijack this thread, but I've had similar requirements, > > and would love some advice. > > > > Do you create Resources based on Features (menus in an application) or > > based on actual data. For e.g. if Bank Account Maintenance is a > > feature that allows you to create/update bank account information, do > > you create a Resource in KC for each bank account in the system, and > > then give permissions/policies on it, or do you create one Bank > > Account resource as indicative of the type Bank Account? > > > > The idea is that you can do both: feature and/or resource. > > That is the reason behind our Protection API (based on UMA spec). It provides > an API that allows client applications acting as a resource server (your > service) to create "resources instances" whose owner could be an user. But > nothing stops you to still have a typed resource (eg.: type Bank Account) > and apply general permissions/policies to it. Take a look at that > "authz/photoz" example application, there we try to demonstrate that. There > you have a general purpose "Album Resource" and every time an user creates a > new album it is also created a corresponding resource in the server.
In this > case, the new resource is going to inherit the permissions applied to the > "Album Resource". > > For the feature-based resource scenario, you may take a look to > "authz/servlet-authz-app". There we try to demonstrate how you can protect > resources and actions/scopes in order to build, for instance, a dynamic menu > with the permissions granted by the server. > This message is for the named person's use only. It may contain confidential, > proprietary or legally privileged information. No confidentiality or > privilege is waived or lost by any mis-transmission. If you receive this > message in error, please immediately delete it and all copies of it from > your system, destroy any hard copies of it and notify the sender. You must > not, directly or indirectly, use, disclose, distribute, print, or copy any > part of this message if you are not the intended recipient. Viteos Capital > Market Services Ltd.and any of its subsidiaries each reserve the right to > monitor all e-mail communications through its networks. Any views expressed > in this message are those of the individual sender, except where the message > states otherwise and the sender is authorized to state them to be the views > of any such entity > This message is for the named person's use only. It may contain confidential, > proprietary or legally privileged information. No confidentiality or > privilege is waived or lost by any mis-transmission. If you receive this > message in error, please immediately delete it and all copies of it from > your system, destroy any hard copies of it and notify the sender. You must > not, directly or indirectly, use, disclose, distribute, print, or copy any > part of this message if you are not the intended recipient. Viteos Capital > Market Services Ltd.and any of its subsidiaries each reserve the right to > monitor all e-mail communications through its networks. 
Any views expressed > in this message are those of the individual sender, except where the message > states otherwise and the sender is authorized to state them to be the views > of any such entity > From ushanas.shastri at viteos.com Fri Aug 19 10:11:15 2016 From: ushanas.shastri at viteos.com (Ushanas Shastri) Date: Fri, 19 Aug 2016 14:11:15 +0000 Subject: [keycloak-user] Organization Based Accounts and Permissions In-Reply-To: <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com> References: <1771768436.5402397.1471472732212.JavaMail.zimbra@redhat.com> <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com> <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com> <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com> <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com> <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com> Message-ID: <594e90d75ee1420c8ff0919710d86cf0@vitblrex2013.viteos.com> Classification: INTERNAL Hello, I agree with the idea that one should not know what access mechanisms are used. Let me explain my needs again, and maybe there's a way to model this in KC.

- One user has access to multiple actions for the same Resource, but depending on some property of the Resource, the actions can vary.

Resources | All Actions possible on the Resource
Employee  | Add, View, Edit

Now there are multiple "Employee", and one of the Employee properties is Employee Type. Now, I want to set up permissions that go as follows:

User A can Add, View and Edit Employee where Employee Type is "Consultant"
User A can only View Employee where Employee Type is "Temp"

It's clear what Resource and Scope should be, but what do we model for Employee Type? We thought of Groups, but that's at a realm level, and not at a client level, so ended up using Client Role, i.e. we created client roles for each Employee Type.
Maybe there's a better way, we could create scopes that were Consultant:Add
instead of Add. This would increase the number of scopes, but the current
structure would work for us.

Thank you for looking into this.

Regards, Ushanas.

Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, August 19, 2016 6:41 PM
To: Ushanas Shastri
Cc: Charles Henck; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions

----- Original Message -----
> From: "Ushanas Shastri"
> To: "Pedro Igor Silva"
> Cc: "Charles Henck" , keycloak-user at lists.jboss.org
> Sent: Friday, August 19, 2016 9:59:47 AM
> Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
>
> Classification: INTERNAL
> Hello,
>
> The requirement is that users can access either, neither or both,
> completely based on what their client role is.
>
> User A is mapped to Client Role 1 and Client Role 2. For Client Role 1,
> User A has some permissions, but for Client Role 2, the permissions
> are different. So, we've created one permission for each
> resource/scope combination, and have created policies based on client
> role, and then we attach the user to the client role. All of this
> works perfectly, it's just that the entitlement API response is correct,
> but not ideal.

That is what I want to take a closer look at. In theory, you don't need to know
about the roles that granted access to a permission. The idea is the opposite:
your application should not be aware of the access control mechanisms that were
used. Instead, you should just rely on the resource/scopes that were granted, so
you can manage permissions/policies as you want and avoid coupling.

Please, give me some time to try out your config. Will try to look at it today.

Thanks.
> I would want the response JSON authorization to state that a given
> resource and scope is allowed for a set of client roles.
>
> The authorization settings are attached. I was unable to export the
> realm config (through the export feature on the command line).
>
> Regards, Ushanas.
> Viteos Fund Services Ltd | www.viteos.com
> Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
> Cell : +91-9820225580
> Email : ushanas.shastri at viteos.com
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Thursday, August 18, 2016 5:55 PM
> To: Ushanas Shastri
> Cc: Charles Henck; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Organization Based Accounts and Permissions
>
> Can you attach an export of your authorization settings? I would like to
> understand better what you are doing. The realm config would also help.
>
> Also, your requirement is that a user can only access one resource or
> another, but never both?
>
> ----- Original Message -----
> From: "Ushanas Shastri"
> To: "Pedro Igor Silva"
> Cc: "Charles Henck" , keycloak-user at lists.jboss.org
> Sent: Thursday, August 18, 2016 9:05:00 AM
> Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
>
> Classification: INTERNAL
> Thank you!
>
> I have looked at both examples, and we tried to create resources as
> being types.
>
> Where we're stuck is that we need one additional parameterized
> context, which we thought we'd achieve by creating client roles.
>
> So, the idea is that scope based permissions apply for a given client role.
> There are no issues setting this up in KC, but the Entitlement API
> returns a representation that does not combine resource, scopes *and*
> client roles. It combines resources and scopes, but client roles are a
> separate list.
>
> The JSON (a part of it) looks like this:
>
>   "resource_access": {
>     "servlet-authz-app": {
>       "roles": [
>         "Setup1",
>         "Setup2"
>       ]
>     }
>   },
>   "authorization": {
>     "permissions": [
>       {
>         "scopes": [
>           "view"
>         ],
>         "resource_set_id": "35750d56-d32a-4106-8b63-882e998ec545",
>         "resource_set_name": "Account Setup"
>       },
>       {
>         "scopes": [
>           "view"
>         ],
>         "resource_set_id": "11389916-6cac-41af-95f1-8409019a84b3",
>         "resource_set_name": "Investor Setup"
>       }
>     ]
>   }
>
> The way it's set up is that this user can do view scope for resource
> "Account Setup" for only client role "Setup1", and cannot do scope
> view for resource "Account Setup" for client role "Setup2".
>
> If the authorization property put relevant client roles inside
> permissions, it would do everything we needed.
>
> Regards, Ushanas.
> Viteos Fund Services Ltd | www.viteos.com
> Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
> Cell : +91-9820225580
> Email : ushanas.shastri at viteos.com
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Thursday, August 18, 2016 5:25 PM
> To: Ushanas Shastri
> Cc: Charles Henck; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Organization Based Accounts and Permissions
>
> ----- Original Message -----
> > From: "Ushanas Shastri"
> > To: "Pedro Igor Silva" , "Charles Henck"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, August 18, 2016 4:13:18 AM
> > Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
> >
> > Classification: INTERNAL
> > Hello,
> >
> > I don't mean to hijack this thread, but I've had similar
> > requirements, and would love some advice.
> >
> > Do you create Resources based on Features (menus in an application)
> > or based on actual data? For e.g. if Bank Account Maintenance is a
> > feature that allows you to create/update bank account information,
> > do you create a Resource in KC for each bank account in the system,
> > and then give permissions/policies on it, or do you create one Bank
> > Account resource as indicative of the type Bank Account?
>
> The idea is that you can do both: feature and/or resource.
>
> That is the reason behind our Protection API (based on the UMA spec). It
> provides an API that allows client applications acting as a resource
> server (your service) to create "resource instances" whose owner could be
> a user. But nothing stops you from still having a typed resource (e.g. type
> Bank Account) and applying general permissions/policies to it. Take a look
> at the "authz/photoz" example application, there we try to demonstrate
> that. There you have a general purpose "Album Resource" and every time
> a user creates a new album a corresponding resource is also created in the
> server. In this case, the new resource is going to inherit the permissions
> applied to the "Album Resource".
>
> For the feature-based resource scenario, you may take a look at
> "authz/servlet-authz-app". There we try to demonstrate how you can
> protect resources and actions/scopes in order to build, for instance,
> a dynamic menu with the permissions granted by the server.
From psilva at redhat.com Fri Aug 19 10:39:43 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 19 Aug 2016 10:39:43 -0400 (EDT)
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <594e90d75ee1420c8ff0919710d86cf0@vitblrex2013.viteos.com>
References: <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com>
 <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com>
 <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com>
 <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com>
 <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com>
 <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com>
 <594e90d75ee1420c8ff0919710d86cf0@vitblrex2013.viteos.com>
Message-ID: <1933230451.6122988.1471617583449.JavaMail.zimbra@redhat.com>

As you said, you can solve that using employee type specific scopes. But yes,
that would increase your scope list.

I think you can achieve what you want by having a scope permission "Manage
Employee Permission" for both add and edit scopes. For instance, a permission
that applies two policies that must be satisfied:

* Only Consultant Policy (Role-based mapping to Consultant type)
* Not "Temp" Policy (Role-based mapping to Temp type with "Logic" == "Negative")

In theory, when evaluating the permission KC should give you a DENY for those
scopes if you have both "Consultant" and "Temp" roles. If you have "Consultant"
only, you can do everything. If you have only "Temp" you get a DENY as well.

I've created three users (roles as client roles):

- User A with Consultant role
- User B with Temp role
- User C with both Consultant and Temp roles

I've attached an example based on what I understood from your description.
There are other ways to achieve that too, but for now let's start with that.
I'm using the upstream version.

----- Original Message -----
From: "Ushanas Shastri"
To: "Pedro Igor Silva"
Cc: "Charles Henck" , keycloak-user at lists.jboss.org
Sent: Friday, August 19, 2016 11:11:15 AM
Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
-------------- next part --------------
A non-text attachment was scrubbed...
Name: employee-authz-service.json
Type: application/json
Size: 1796 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/072e9729/attachment.bin

From ushanas.shastri at viteos.com Fri Aug 19 10:56:19 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Fri, 19 Aug 2016 14:56:19 +0000
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <1933230451.6122988.1471617583449.JavaMail.zimbra@redhat.com>
References: <429db618511e488db82ba3c37209b2d7@vitblrex2013.viteos.com>
 <1793616169.5522096.1471521295431.JavaMail.zimbra@redhat.com>
 <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com>
 <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com>
 <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com>
 <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com>
 <594e90d75ee1420c8ff0919710d86cf0@vitblrex2013.viteos.com>
 <1933230451.6122988.1471617583449.JavaMail.zimbra@redhat.com>
Message-ID:

Classification: INTERNAL

Thanks for the quick response. I'll try this out, but I have one question:
Would this approach work well if we have more than just 2 types? For e.g.,
replace the Employee Type with Employee Level, and there can be multiple levels
possible. Would we then need to create multiple negative logic policies?

Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, August 19, 2016 8:10 PM
To: Ushanas Shastri
Cc: Charles Henck; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions
From nizar2yas at gmail.com Fri Aug 19 11:13:38 2016
From: nizar2yas at gmail.com (hasane has)
Date: Fri, 19 Aug 2016 16:13:38 +0100
Subject: [keycloak-user] granting role to a user to add users
Message-ID:

Hi,

I'm trying to add users programmatically, but I get a Forbidden error. What role(s) should a user have to do that, and how do I grant that role to a user? Since, for a realm and a client, it's up to me to create roles (I read in the ref guide that the user should have the manage-users role to do that, but how do I grant that role?)

Cordially

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/8797293f/attachment.html

From joe at joethielen.com Fri Aug 19 11:23:30 2016
From: joe at joethielen.com (Joe Thielen)
Date: Fri, 19 Aug 2016 11:23:30 -0400
Subject: [keycloak-user] Newbie question about session last access time updating
Message-ID:

>
> Date: Thu, 18 Aug 2016 06:06:08 +0200
> From: Stian Thorgersen
> Subject: Re: [keycloak-user] Newbie question about session last access time updating.
> To: Joe Thielen
> Cc: keycloak-user
> Message-ID:
> Content-Type: text/plain; charset="utf-8"
>
> What you're doing works just fine and is the only way available at the moment at least. It will have an impact on performance, both in terms of latency for requests in your app and also additional load on the KC server. As long as you take that into consideration you should be fine.
>
> On 17 August 2016 at 17:30, Joe Thielen wrote:
>
> > Hello all. I am new to both Keycloak and OpenID Connect. Keycloak looks like a fantastic project and thanks to all who've put in work on it.
> >
> > I love that Keycloak can be set up to save events (login/logout/etc...).
> > I love that there is a way to administratively log out user sessions. All this is great. My question is, what is the proper procedure to update the session's "Last Access" if I want it to be updated on every page request by a user? In some cases I have strict application requirements where it's important to know exactly when the user last did something. So I can't just log them in and periodically do a refresh to keep the session going. I want to update the session every time the user does something (i.e., every page request or API request).
> >
> > Maybe this is overkill for most applications. Like I said, I'm new to both Keycloak and OpenID Connect. I've figured out how to do the authorization flow, request user info, and logout. And I think I've figured out how to update the session in such a manner that it does update the last access time. However, I'm not sure I'm doing it correctly...
> >
> > Here is an example using curl of what I've been doing to keep the last access time updated:
> >
> > curl -s --data "grant_type=refresh_token&client_id=CLIENTID&client_secret=CLIENTSECRET&refresh_token=REFRESHTOKEN" "https://HOSTNAME:8443/auth/realms/REALMNAME/protocol/openid-connect/token"
> >
> > Am I incorrectly using the refresh token here? In reading up on the flow, it seems like this should only be used periodically, like when the access_token expires.
> >
> > A positive side effect of this is that on every single request I'm checking to ensure the session hasn't been administratively logged out.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/956ac2dc/attachment-0001.html
>

Good to know, thank you Stian.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160819/790d0c8c/attachment.html

From psilva at redhat.com Fri Aug 19 11:51:05 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 19 Aug 2016 11:51:05 -0400 (EDT)
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To:
References: <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com> <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com> <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com> <594e90d75ee1420c8ff0919710d86cf0@vitblrex2013.viteos.com> <1933230451.6122988.1471617583449.JavaMail.zimbra@redhat.com>
Message-ID: <859173218.6139885.1471621864990.JavaMail.zimbra@redhat.com>

Another way to achieve the same result is using a Javascript-based Policy. There you can mix different access control mechanisms and handle more complex rules.

Another thing we can do is provide a way to configure an existing policy to a permission and have it negated (that would avoid that additional policy). Currently, as you know, you have only an "Apply Policy" field. Maybe we can have something to change how a specific policy should be interpreted in the scope of that permission. Or maybe change Role Policy to specify that a role should not be granted in order to evaluate to a GRANT.

----- Original Message -----
From: "Ushanas Shastri"
To: "Pedro Igor Silva"
Cc: "Charles Henck", keycloak-user at lists.jboss.org
Sent: Friday, August 19, 2016 11:56:19 AM
Subject: RE: [keycloak-user] Organization Based Accounts and Permissions

Classification: INTERNAL
Thanks for the quick response. I'll try this out, but I have one question:

Would this approach work well if we have more than just 2 types?
For e.g., replace the Employee Type with Employee Level, and there can be multiple levels possible. Would we then need to create multiple negative logic policies?

Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, August 19, 2016 8:10 PM
To: Ushanas Shastri
Cc: Charles Henck; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions

As you said, you can solve that using employee type specific scopes. But yes, that would increase your scope list.

I think you can achieve what you want by having a scope permission "Manage Employee Permission" for both add and edit scopes. For instance, a permission that applies two policies that must both be satisfied:

* Only Consultant Policy (Role-based, mapping to Consultant type)
* Not "Temp" Policy (Role-based, mapping to Temp type with "Logic" == "Negative")

In theory, when evaluating the permission KC should give you a DENY for those scopes if you have both "Consultant" and "Temp" roles. If you have "Consultant" only, you can do everything. If you have only "Temp" you get a DENY as well.

I've created three users (roles as client roles):

- User A with Consultant role
- User B with Temp role
- User C with both Consultant and Temp roles

I've attached an example based on what I understood from your description. There are other ways to achieve that too, but for now let's start with that. I'm using the upstream version.

----- Original Message -----
From: "Ushanas Shastri"
To: "Pedro Igor Silva"
Cc: "Charles Henck", keycloak-user at lists.jboss.org
Sent: Friday, August 19, 2016 11:11:15 AM
Subject: RE: [keycloak-user] Organization Based Accounts and Permissions

Classification: INTERNAL
Hello,

I agree with the idea that one should not know what access mechanisms are used.
Let me explain my needs again, and maybe there's a way to model this in KC.

- One user has access to multiple actions for the same Resource, but depending on some property of the Resource, the actions can vary.

  Resource    All Actions possible on the Resource
  Employee    Add, View, Edit

Now there are multiple "Employee", and one of the Employee properties is Employee Type. Now, I want to set up permissions that go as follows:

  User A can Add, View and Edit Employee where Employee Type is "Consultant"
  User A can only View Employee where Employee Type is "Temp"

It's clear what Resource and Scope should be, but what do we model for Employee Type? We thought of Groups, but that's at a realm level, and not at a client level, so we ended up using Client Role, i.e. we created client roles for each Employee Type.

Maybe there's a better way: we could create scopes that were Consultant:Add instead of Add. This would increase the number of scopes, but the current structure would work for us.

Thank you for looking into this.

Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, August 19, 2016 6:41 PM
To: Ushanas Shastri
Cc: Charles Henck; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions

----- Original Message -----
> From: "Ushanas Shastri"
> To: "Pedro Igor Silva"
> Cc: "Charles Henck", keycloak-user at lists.jboss.org
> Sent: Friday, August 19, 2016 9:59:47 AM
> Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
>
> Classification: INTERNAL
> Hello,
>
> The requirement is that users can access either, neither or both, completely based on what their client role is.
>
> User A is mapped to Client Role 1 and Client Role 2. For Client Role 1, User A has some permissions, but for Client Role 2, the permissions are different. So, we've created one permission for each resource/scope combination, and have created policies based on client role, and then we attach the user to the client role. All of this works perfectly, it's just that the entitlement API response is correct, but not ideal.

That is what I want to take a closer look at. In theory, you don't need to know about the roles that granted access to a permission. The idea is the opposite: your application should not be aware of the access control mechanisms that were used. Instead, you should just rely on the resource/scopes that were granted, so you can manage permissions/policies as you want and avoid coupling.

Please, give me some time to try out your config. Will try to look at it today.

Thanks.

>
> I would want the response JSON authorization to state that a given resource and scope is allowed for a set of client roles.
>
> The authorization settings are attached. I was unable to export the realm config (through the export feature on the command line).
>
> Regards, Ushanas.
> Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Thursday, August 18, 2016 5:55 PM
> To: Ushanas Shastri
> Cc: Charles Henck; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Organization Based Accounts and Permissions
>
> Can you attach an export of your authorization settings? Would like to understand better what you are doing. The realm config would also help.
>
> Also, your requirement is that a user can only access one resource or another, but never both?
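The point Pedro makes above, that the application should rely on the granted resource/scope pairs and not on the roles that produced them, as an added example in JavaScript that is not part of the thread or of Keycloak: it decodes the payload of an RPT, builds the granted resource/scope map from the `authorization.permissions` claim and drives the kind of dynamic menu the servlet-authz-app description mentions. The sample payload is constructed from the JSON Ushanas quoted; the `base64UrlDecode`, `grantedScopes`, `isGranted` and `visibleMenu` helpers, the menu entries, the far-future `exp` value and the treatment of a permission entry without `scopes` as a whole-resource grant are assumptions made for this example.

```javascript
// Added example, not code from the thread or from Keycloak: decide access
// from the "authorization" claim of an RPT by resource name and scope only,
// ignoring the roles listed under "resource_access".

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; Buffer accepts the standard
  // alphabet, so translate the two URL-safe characters first.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode the payload of a compact JWT. Signature verification is out of
// scope here and must happen before this function's output is trusted.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Build Map<resourceName, Set<scope>> from authorization.permissions.
// Assumption made for this example: an entry without "scopes" is a grant on
// the whole resource, represented by the wildcard "*".
function grantedScopes(payload) {
  const granted = new Map();
  const perms = (payload.authorization && payload.authorization.permissions) || [];
  for (const perm of perms) {
    const name = perm.resource_set_name;
    if (!granted.has(name)) granted.set(name, new Set());
    const scopes = Array.isArray(perm.scopes) && perm.scopes.length ? perm.scopes : ["*"];
    for (const s of scopes) granted.get(name).add(s);
  }
  return granted;
}

// The decoupled check: no role name appears anywhere in this decision.
// An expired token grants nothing, whatever its permissions say.
function isGranted(payload, resourceName, scope, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) return false;
  const scopes = grantedScopes(payload).get(resourceName);
  return scopes !== undefined && (scopes.has(scope) || scopes.has("*"));
}

// The "dynamic menu" use case: keep only entries whose resource/scope pair
// was granted by the server.
function visibleMenu(payload, entries, nowSeconds) {
  return entries
    .filter((e) => isGranted(payload, e.resource, e.scope, nowSeconds))
    .map((e) => e.label);
}

// Constructed sample, mirroring the structure quoted in the thread.
// exp is set to 2100-01-01 so the sample stays valid for offline runs.
const SAMPLE_PAYLOAD = {
  exp: 4102444800,
  resource_access: { "servlet-authz-app": { roles: ["Setup1", "Setup2"] } },
  authorization: {
    permissions: [
      { scopes: ["view"], resource_set_id: "35750d56-d32a-4106-8b63-882e998ec545", resource_set_name: "Account Setup" },
      { scopes: ["view"], resource_set_id: "11389916-6cac-41af-95f1-8409019a84b3", resource_set_name: "Investor Setup" },
    ],
  },
};

// Constructed token: header and payload only, with an empty signature
// segment, so it is decodable but never verifiable.
const SAMPLE_RPT =
  base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })) + "." +
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)) + ".";

// Constructed menu; "Edit Account" needs a scope the token does not carry.
const MENU = [
  { label: "Account Setup", resource: "Account Setup", scope: "view" },
  { label: "Edit Account", resource: "Account Setup", scope: "edit" },
  { label: "Investor Setup", resource: "Investor Setup", scope: "view" },
];

function demo() {
  return visibleMenu(decodePayload(SAMPLE_RPT), MENU);
}

console.log(demo()); // [ 'Account Setup', 'Investor Setup' ]
```

Nothing here verifies the token: in a real resource server the adapter checks the JWT signature first and only then are the claims read. The `exp` check is the one validity condition this example can demonstrate offline, and it also shows why the granted map should be recomputed per request rather than cached past the token's lifetime.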
From psilva at redhat.com Fri Aug 19 11:57:15 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 19 Aug 2016 11:57:15 -0400 (EDT)
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To:
References: <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com> <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com> <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com> <594e90d75ee1420c8ff0919710d86cf0@vitblrex2013.viteos.com> <1933230451.6122988.1471617583449.JavaMail.zimbra@redhat.com>
Message-ID: <984790657.6141768.1471622235259.JavaMail.zimbra@redhat.com>

Another option would be to create a role policy containing all roles you want to exclude and configure it as negative.

----- Original Message -----
From: "Ushanas Shastri"
To: "Pedro Igor Silva"
Cc: "Charles Henck", keycloak-user at lists.jboss.org
Sent: Friday, August 19, 2016 11:56:19 AM
Subject: RE: [keycloak-user] Organization Based Accounts and Permissions

Classification: INTERNAL
Thanks for the quick response. I'll try this out, but I have one question:

Would this approach work well if we have more than just 2 types? For e.g., replace the Employee Type with Employee Level, and there can be multiple levels possible. Would we then need to create multiple negative logic policies?

Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, August 19, 2016 8:10 PM To: Ushanas Shastri Cc: Charles Henck; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Organization Based Accounts and Permissions As you said, you can solve that using employee type specific scopes. But yes, that would increase your scope list. I think you can achieve what you want by having a scope permission "Manage Employee Permission" for both add and edit scopes. For instance, a permission that apply two policies that must be satisfied: * Only Consultant Policy (Role-based mapping to Consultant type) * Not "Temp" Policy (Robe-based mapping to Temp type with "Logic" == "Negative") In theory, when evaluating the permission KC should give you a DENY for those scopes if you have both "Consultant" and "Temp" roles. If you have "Consultant" only, you can do everything. If you have only "Temp" you get a DENY as well. I've created three users (roles as client roles): - User A with Consultant role - User B with Temp role - User C with both Consultant and Temp roles I've attached an example based on what I understood from your description. There are other ways to achieve that too, but for now let's start with that. I'm using upstream version. ----- Original Message ----- From: "Ushanas Shastri" To: "Pedro Igor Silva" Cc: "Charles Henck" , keycloak-user at lists.jboss.org Sent: Friday, August 19, 2016 11:11:15 AM Subject: RE: [keycloak-user] Organization Based Accounts and Permissions Classification: INTERNAL Hello, I agree with the idea that one should not know what access mechanisms are used. Let me explain my needs again, and maybe there's a way to model this in KC. 
- One user has access to multiple actions for the same Resource, but depending on some property of the Resource, the actions can vary. Resources All Actions possible on the Resource Employee Add, View, Edit Now there are multiple "Employee" , and one of the Employee properties is Employee Type. Now, I want to setup permissions that go as follows: User A can Add, View and Edit Employee where Employee Type is "Consultant" User A can only View Employee where Employee Type is "Temp" It's clear what Resource and Scope should be, but what do we model for Employee Type? We thought of Groups, but that's at a realm level, and not at a client level, so ended up using Client Role, i.e. we created client roles for each Employee Type. Maybe there's a better way, we could create scopes that were Consultant:Add instead of Add. This would increase the number of scopes, but the current structure would work for us. Thank you for looking into this. Regards, Ushanas. Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | US : +1- 888-821-7561 extn 240 Cell : +91-9820225580 Email : ushanas.shastri at viteos.com -----Original Message----- From: Pedro Igor Silva [mailto:psilva at redhat.com] Sent: Friday, August 19, 2016 6:41 PM To: Ushanas Shastri Cc: Charles Henck; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Organization Based Accounts and Permissions ----- Original Message ----- > From: "Ushanas Shastri" > To: "Pedro Igor Silva" > Cc: "Charles Henck" , keycloak-user at lists.jboss.org > Sent: Friday, August 19, 2016 9:59:47 AM > Subject: RE: [keycloak-user] Organization Based Accounts and > Permissions > > Classification: INTERNAL > Hello, > > The requirement is that users can access either, neither or both, > completely based on what their client role is. > > User A is mapped to Client Role 1 and Client Role 2 For Client Role 1, > User A has some permissions, but for Client Role 2, the permissions > are different. 
So, we've created one permission for each > resource/scope combination, and have created policies based on client > role, and then we attach the user to the client role. All of this > works perfectly, it's just that the entitlement API response is correct, but not ideal. That is what I want to take a closer look. In theory, you don't need to know about the roles that granted access to a permission. The idea is the opposite, your application should not be aware about the access control mechanisms that were used. Instead, you should just rely on the resource/scopes that were granted, so you can manage permissions/policies as you want and avoid coupling. Please, give me some time to try out your config. Will try to look at it today. Thanks. > > I would want the response JSON authorization to state that for a given > resource and scope is allowed for a set of client roles. > > The authorization settings are attached. I was unable to export the > realm config (through the export feature on the command line). > > Regards, Ushanas. > Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | > US : +1- 888-821-7561 extn 240 Cell : +91-9820225580 Email : > ushanas.shastri at viteos.com > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Thursday, August 18, 2016 5:55 PM > To: Ushanas Shastri > Cc: Charles Henck; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Organization Based Accounts and > Permissions > > Can you attach export your authorization settings ? Would like to > understand better what you are doing. The realm config would also help. > > Also, your requirement is that an user can only access one resource or > another, but never both ? 
> > ----- Original Message ----- > From: "Ushanas Shastri" > To: "Pedro Igor Silva" > Cc: "Charles Henck" , keycloak-user at lists.jboss.org > Sent: Thursday, August 18, 2016 9:05:00 AM > Subject: RE: [keycloak-user] Organization Based Accounts and > Permissions > > Classification: INTERNAL > Thank you! > > I have looked at both examples, and we tried to create resources as > being types. > > Where we're stuck is that we need one additional parameterized > context, which we thought we'd achieve by creating client roles. > > So, the idea is that scope based permissions apply for a given client role. > There are no issues setting this up in KC, but the Entitlement API > returns a representation that does not combine resource, scopes *and* client roles. > It combines resources and scopes, but client roles are a separate list. > > The JSON (a part of it) looks like this > > "resource_access": { > "servlet-authz-app": { > "roles": [ > "Setup1", > "Setup2" > ] > } > }, > "authorization": { > "permissions": [ > { > "scopes": [ > "view" > ], > "resource_set_id": "35750d56-d32a-4106-8b63-882e998ec545", > "resource_set_name": "Account Setup" > }, > { > "scopes": [ > "view" > ], > "resource_set_id": "11389916-6cac-41af-95f1-8409019a84b3", > "resource_set_name": "Investor Setup" > } > ] > } > > The way its setup, is that this user can do view scope for resource > "Account Setup" for only client role "Setup1", and cannot do scope > view for resource "Account Setup" for client role "Setup2". > > If the authorization property put relevant client roles inside > permissions, it would do everything we needed. > > > > Regards, Ushanas. 
> Viteos Fund Services Ltd | www.viteos.com Direct : +91-22-61082230 | > US : +1- > 888-821-7561 extn 240 Cell : +91-9820225580 Email : > ushanas.shastri at viteos.com > > -----Original Message----- > From: Pedro Igor Silva [mailto:psilva at redhat.com] > Sent: Thursday, August 18, 2016 5:25 PM > To: Ushanas Shastri > Cc: Charles Henck; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Organization Based Accounts and > Permissions > > ----- Original Message ----- > > From: "Ushanas Shastri" > > To: "Pedro Igor Silva" , "Charles Henck" > > > > Cc: keycloak-user at lists.jboss.org > > Sent: Thursday, August 18, 2016 4:13:18 AM > > Subject: RE: [keycloak-user] Organization Based Accounts and > > Permissions > > > > Classification: INTERNAL > > Hello, > > > > I don?t mean to hijack this thread, but I've had similar > > requirements, and would love some advice. > > > > Do you create Resources based on Features (menus in an application) > > or based on actual data. For e.g. if Bank Account Maintenance is a > > feature that allows you to create/update bank account information, > > do you create a Resource in KC for each bank account in the system, > > and then give permissions/policies on it, or do you create one Bank > > Account resource as indicative of the type Bank Account? > > > > The idea is that you can do both: feature and/or resource. > > That is the reason behind our Protection API (based on UMA spec). It > provides an API that allows client applications acting as a resource > server (your > service) to create "resources instances" whose owner could be an user. > But nothing stops you to still have a typed resource (eg.: type Bank > Account) and apply general permissions/policies to it. Take a look at > that "authz/photoz" example application, there we try to demonstrate > that. There you have a general purpose "Album Resource" and every time > an user creates a new album it is also created a corresponding > resource in the server. 
> In this case, the new resource is going to inherit the permissions applied to the "Album Resource".
>
> For the feature-based resource scenario, you may take a look to "authz/servlet-authz-app". There we try to demonstrate how you can protect resources and actions/scopes in order to build, for instance, a dynamic menu with the permissions granted by the server.
>
> This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
From ushanas.shastri at viteos.com Fri Aug 19 11:58:29 2016
From: ushanas.shastri at viteos.com (Ushanas Shastri)
Date: Fri, 19 Aug 2016 15:58:29 +0000
Subject: [keycloak-user] Organization Based Accounts and Permissions
In-Reply-To: <859173218.6139885.1471621864990.JavaMail.zimbra@redhat.com>
References: <6dffa6196ee54b9cbdb9748e49c307f5@vitblrex2013.viteos.com> <1910541618.5536186.1471523115378.JavaMail.zimbra@redhat.com> <7503de7407014307a0ed82bc9ca59eb6@vitblrex2013.viteos.com> <1749236544.6084264.1471612269137.JavaMail.zimbra@redhat.com> <594e90d75ee1420c8ff0919710d86cf0@vitblrex2013.viteos.com> <1933230451.6122988.1471617583449.JavaMail.zimbra@redhat.com> <859173218.6139885.1471621864990.JavaMail.zimbra@redhat.com>
Message-ID: <66701109b4bb4e5a90d5b85d2caefa1f@vitblrex2013.viteos.com>

Classification: INTERNAL
I did try using the javascript based policy with limited success. I added properties to the access token, and tried to use them in the evaluation context, but it didn't get me there. I'll try again to see where it fails for me.

I think creating multiple scopes (they will be created programmatically) will be worth trying.

Thank you for the multiple ideas, will try them out and report back. Have a nice weekend!

Regards, Ushanas.

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, August 19, 2016 9:21 PM
To: Ushanas Shastri
Cc: Charles Henck; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions

Another way to achieve the same result is using a Javascript-based Policy. There you can mix different access control mechanisms and handle more complex rules.
Another thing we can do is provide a way to configure an existing policy to a permission and have it negated (that would avoid that additional policy). Currently, as you know, you have only an "Apply Policy" field. Maybe we can have something to change how a specific policy should be interpreted in the scope of that permission. Or maybe change Role Policy to specify that a role should not be granted in order to evaluate to a GRANT.

----- Original Message -----
From: "Ushanas Shastri"
To: "Pedro Igor Silva"
Cc: "Charles Henck" , keycloak-user at lists.jboss.org
Sent: Friday, August 19, 2016 11:56:19 AM
Subject: RE: [keycloak-user] Organization Based Accounts and Permissions

Classification: INTERNAL
Thanks for the quick response. I'll try this out, but I have one question: Would this approach work well if we have more than just 2 types? For e.g., replace the Employee Type with Employee Level, and there can be multiple levels possible. Would we then need to create multiple negative logic policies?

Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, August 19, 2016 8:10 PM
To: Ushanas Shastri
Cc: Charles Henck; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions

As you said, you can solve that using employee type specific scopes. But yes, that would increase your scope list.

I think you can achieve what you want by having a scope permission "Manage Employee Permission" for both add and edit scopes.
For instance, a permission that applies two policies that must be satisfied:

* Only Consultant Policy (Role-based mapping to Consultant type)
* Not "Temp" Policy (Role-based mapping to Temp type with "Logic" == "Negative")

In theory, when evaluating the permission KC should give you a DENY for those scopes if you have both "Consultant" and "Temp" roles. If you have "Consultant" only, you can do everything. If you have only "Temp" you get a DENY as well.

I've created three users (roles as client roles):

- User A with Consultant role
- User B with Temp role
- User C with both Consultant and Temp roles

I've attached an example based on what I understood from your description. There are other ways to achieve that too, but for now let's start with that. I'm using upstream version.

----- Original Message -----
From: "Ushanas Shastri"
To: "Pedro Igor Silva"
Cc: "Charles Henck" , keycloak-user at lists.jboss.org
Sent: Friday, August 19, 2016 11:11:15 AM
Subject: RE: [keycloak-user] Organization Based Accounts and Permissions

Classification: INTERNAL
Hello,

I agree with the idea that one should not know what access mechanisms are used. Let me explain my needs again, and maybe there's a way to model this in KC.

- One user has access to multiple actions for the same Resource, but depending on some property of the Resource, the actions can vary.

Resources    All Actions possible on the Resource
Employee     Add, View, Edit

Now there are multiple "Employee", and one of the Employee properties is Employee Type. Now, I want to set up permissions that go as follows:

User A can Add, View and Edit Employee where Employee Type is "Consultant"
User A can only View Employee where Employee Type is "Temp"

It's clear what Resource and Scope should be, but what do we model for Employee Type? We thought of Groups, but that's at a realm level, and not at a client level, so ended up using Client Role, i.e. we created client roles for each Employee Type.
Maybe there's a better way, we could create scopes that were Consultant:Add instead of Add. This would increase the number of scopes, but the current structure would work for us.

Thank you for looking into this.

Regards, Ushanas.
Viteos Fund Services Ltd | www.viteos.com
Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
Cell : +91-9820225580
Email : ushanas.shastri at viteos.com

-----Original Message-----
From: Pedro Igor Silva [mailto:psilva at redhat.com]
Sent: Friday, August 19, 2016 6:41 PM
To: Ushanas Shastri
Cc: Charles Henck; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Organization Based Accounts and Permissions

----- Original Message -----
> From: "Ushanas Shastri"
> To: "Pedro Igor Silva"
> Cc: "Charles Henck" , keycloak-user at lists.jboss.org
> Sent: Friday, August 19, 2016 9:59:47 AM
> Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
>
> Classification: INTERNAL
> Hello,
>
> The requirement is that users can access either, neither or both, completely based on what their client role is.
>
> User A is mapped to Client Role 1 and Client Role 2. For Client Role 1, User A has some permissions, but for Client Role 2, the permissions are different. So, we've created one permission for each resource/scope combination, and have created policies based on client role, and then we attach the user to the client role. All of this works perfectly, it's just that the entitlement API response is correct, but not ideal.

That is what I want to take a closer look at. In theory, you don't need to know about the roles that granted access to a permission. The idea is the opposite, your application should not be aware about the access control mechanisms that were used. Instead, you should just rely on the resource/scopes that were granted, so you can manage permissions/policies as you want and avoid coupling.

Please, give me some time to try out your config. Will try to look at it today. Thanks.
> I would want the response JSON authorization to state that for a given resource and scope is allowed for a set of client roles.
>
> The authorization settings are attached. I was unable to export the realm config (through the export feature on the command line).
>
> Regards, Ushanas.
> Viteos Fund Services Ltd | www.viteos.com
> Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
> Cell : +91-9820225580
> Email : ushanas.shastri at viteos.com
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Thursday, August 18, 2016 5:55 PM
> To: Ushanas Shastri
> Cc: Charles Henck; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Organization Based Accounts and Permissions
>
> Can you attach an export of your authorization settings? Would like to understand better what you are doing. The realm config would also help.
>
> Also, your requirement is that an user can only access one resource or another, but never both?
>
> ----- Original Message -----
> From: "Ushanas Shastri"
> To: "Pedro Igor Silva"
> Cc: "Charles Henck" , keycloak-user at lists.jboss.org
> Sent: Thursday, August 18, 2016 9:05:00 AM
> Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
>
> Classification: INTERNAL
> Thank you!
>
> I have looked at both examples, and we tried to create resources as being types.
>
> Where we're stuck is that we need one additional parameterized context, which we thought we'd achieve by creating client roles.
>
> So, the idea is that scope based permissions apply for a given client role.
> There are no issues setting this up in KC, but the Entitlement API returns a representation that does not combine resource, scopes *and* client roles.
> It combines resources and scopes, but client roles are a separate list.
>
> The JSON (a part of it) looks like this
>
> "resource_access": {
>   "servlet-authz-app": {
>     "roles": [
>       "Setup1",
>       "Setup2"
>     ]
>   }
> },
> "authorization": {
>   "permissions": [
>     {
>       "scopes": [
>         "view"
>       ],
>       "resource_set_id": "35750d56-d32a-4106-8b63-882e998ec545",
>       "resource_set_name": "Account Setup"
>     },
>     {
>       "scopes": [
>         "view"
>       ],
>       "resource_set_id": "11389916-6cac-41af-95f1-8409019a84b3",
>       "resource_set_name": "Investor Setup"
>     }
>   ]
> }
>
> The way it's set up, is that this user can do view scope for resource "Account Setup" for only client role "Setup1", and cannot do scope view for resource "Account Setup" for client role "Setup2".
>
> If the authorization property put relevant client roles inside permissions, it would do everything we needed.
>
> Regards, Ushanas.
> Viteos Fund Services Ltd | www.viteos.com
> Direct : +91-22-61082230 | US : +1-888-821-7561 extn 240
> Cell : +91-9820225580
> Email : ushanas.shastri at viteos.com
>
> -----Original Message-----
> From: Pedro Igor Silva [mailto:psilva at redhat.com]
> Sent: Thursday, August 18, 2016 5:25 PM
> To: Ushanas Shastri
> Cc: Charles Henck; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Organization Based Accounts and Permissions
>
> ----- Original Message -----
> > From: "Ushanas Shastri"
> > To: "Pedro Igor Silva" , "Charles Henck"
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Thursday, August 18, 2016 4:13:18 AM
> > Subject: RE: [keycloak-user] Organization Based Accounts and Permissions
> >
> > Classification: INTERNAL
> > Hello,
> >
> > I don't mean to hijack this thread, but I've had similar requirements, and would love some advice.
> >
> > Do you create Resources based on Features (menus in an application) or based on actual data. For e.g. if Bank Account Maintenance is a feature that allows you to create/update bank account information, do you create a Resource in KC for each bank account in the system, and then give permissions/policies on it, or do you create one Bank Account resource as indicative of the type Bank Account?
>
> The idea is that you can do both: feature and/or resource.
>
> That is the reason behind our Protection API (based on UMA spec). It provides an API that allows client applications acting as a resource server (your service) to create "resources instances" whose owner could be an user. But nothing stops you to still have a typed resource (eg.: type Bank Account) and apply general permissions/policies to it. Take a look at that "authz/photoz" example application, there we try to demonstrate that. There you have a general purpose "Album Resource" and every time an user creates a new album it is also created a corresponding resource in the server. In this case, the new resource is going to inherit the permissions applied to the "Album Resource".
>
> For the feature-based resource scenario, you may take a look to "authz/servlet-authz-app". There we try to demonstrate how you can protect resources and actions/scopes in order to build, for instance, a dynamic menu with the permissions granted by the server.
>
> This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient.
> Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mis-transmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Viteos Capital Market Services Ltd. and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.
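The evaluation Pedro describes in the thread above (a "Manage Employee Permission" on the add and edit scopes that only grants when the user holds the Consultant role and does not hold Temp, so that users A, B and C come out GRANT, DENY, DENY) and his point that the resource server should act only on the granted resource/scope pairs in the entitlement response, modelled in Python as an added example. This code is not from Keycloak and not from anyone in the thread; the class and function names (RolePolicy, ScopePermission, entitlement_permissions, is_granted) and the sample users are assumptions constructed from the thread's description, and the Positive/Negative "Logic" and Unanimous/Affirmative "Decision Strategy" semantics follow the corresponding settings of Keycloak's authorization services.

```python
"""Model of how a scope permission built from role policies with positive or
negative logic is evaluated, and of how a resource server should consume the
resulting entitlement response.

Added example: not Keycloak code and not code from the mailing-list thread.
All names below are assumptions chosen for illustration; the Employee setup,
the roles and the users A/B/C are constructed from the thread's description.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class RolePolicy:
    """A role-based policy. logic="NEGATIVE" inverts the decision, so the
    policy grants only when the user does NOT hold the role."""
    name: str
    role: str
    logic: str = "POSITIVE"

    def evaluate(self, user_roles: Set[str]) -> bool:
        has_role = self.role in user_roles
        return has_role if self.logic == "POSITIVE" else not has_role


@dataclass(frozen=True)
class ScopePermission:
    """A permission protecting a set of scopes on one resource.
    UNANIMOUS requires every attached policy to grant; AFFIRMATIVE needs one."""
    name: str
    resource: str
    scopes: frozenset
    policies: tuple
    decision_strategy: str = "UNANIMOUS"

    def evaluate(self, user_roles: Set[str]) -> bool:
        votes = [p.evaluate(user_roles) for p in self.policies]
        if self.decision_strategy == "UNANIMOUS":
            return all(votes)
        if self.decision_strategy == "AFFIRMATIVE":
            return any(votes)
        raise ValueError("unknown decision strategy: " + self.decision_strategy)


# Constructed setup for the Employee resource discussed in the thread.
ONLY_CONSULTANT = RolePolicy("Only Consultant Policy", "Consultant")
ONLY_TEMP = RolePolicy("Only Temp Policy", "Temp")
NOT_TEMP = RolePolicy("Not Temp Policy", "Temp", logic="NEGATIVE")

# Anyone holding either employee-type role may view (affirmative).
VIEW_EMPLOYEE = ScopePermission(
    "View Employee Permission", "Employee", frozenset({"view"}),
    (ONLY_CONSULTANT, ONLY_TEMP), decision_strategy="AFFIRMATIVE")
# Add/edit require Consultant AND the absence of Temp (unanimous).
MANAGE_EMPLOYEE = ScopePermission(
    "Manage Employee Permission", "Employee", frozenset({"add", "edit"}),
    (ONLY_CONSULTANT, NOT_TEMP), decision_strategy="UNANIMOUS")
PERMISSIONS = (VIEW_EMPLOYEE, MANAGE_EMPLOYEE)


def entitlement_permissions(permissions, user_roles: Set[str]) -> List[Dict]:
    """Build the 'authorization.permissions' list of an entitlement response:
    one entry per resource carrying the union of the scopes granted on it."""
    granted: Dict[str, Set[str]] = {}
    for perm in permissions:
        if perm.evaluate(user_roles):
            granted.setdefault(perm.resource, set()).update(perm.scopes)
    return [{"resource_set_name": res, "scopes": sorted(scopes)}
            for res, scopes in sorted(granted.items())]


def is_granted(entitlement: Dict, resource: str, scope: str) -> bool:
    """Resource-server side check: looks only at the granted resource/scope
    pairs, never at the roles (resource_access) that produced them."""
    for perm in entitlement.get("authorization", {}).get("permissions", []):
        if perm.get("resource_set_name") == resource and scope in perm.get("scopes", []):
            return True
    return False


if __name__ == "__main__":
    users = (("A", {"Consultant"}), ("B", {"Temp"}), ("C", {"Consultant", "Temp"}))
    for name, roles in users:
        ent = {"authorization": {"permissions": entitlement_permissions(PERMISSIONS, roles)}}
        print(name, sorted(roles), ent["authorization"]["permissions"],
              "edit granted:", is_granted(ent, "Employee", "edit"))
```

Running the block prints, for users A, B and C, the permissions list the entitlement endpoint would carry. The NEGATIVE policy is what turns user C's extra Temp role into a DENY on add and edit, and is_granted never consults the resource_access roles, which is the decoupling Pedro recommends.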
From hcamp at muerte.net Fri Aug 19 12:47:07 2016
From: hcamp at muerte.net (Harold Campbell)
Date: Fri, 19 Aug 2016 11:47:07 -0500
Subject: [keycloak-user] client config docs
Message-ID: <1471625227.11180.6.camel@muerte.net>

Am I terrible at searching, or do the new gitbook based docs not contain any documentation of the client side keycloak.json?

I had to dig out the 1.8 docs to find something I was looking for.

--
Harold Campbell

A long-forgotten loved one will appear soon. Buy the negatives at any price.

From ssilvert at redhat.com Fri Aug 19 13:08:07 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 19 Aug 2016 13:08:07 -0400
Subject: [keycloak-user] client config docs
In-Reply-To: <1471625227.11180.6.camel@muerte.net>
References: <1471625227.11180.6.camel@muerte.net>
Message-ID: <57B73CF7.4020302@redhat.com>

On 8/19/2016 12:47 PM, Harold Campbell wrote:
> Am I terrible at searching, or do the new gitbook based docs not
> contain any documentation of the client side keycloak.json?
>
> I had to dig out the 1.8 docs to find something I was looking for.
>
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html#_java_adapter_config

From bruno at abstractj.org Fri Aug 19 13:36:41 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 19 Aug 2016 14:36:41 -0300
Subject: [keycloak-user] Error when adding users programmatically
In-Reply-To:
References:
Message-ID: <20160819173641.GA22508@abstractj.org>

Hi, I would try to remove the following lines:

> .clientSecret("acce91b1-53ad-467e-8895-5ef8630a3295")
> .clientId("Frontend")

For example, running the code below, I don't get any errors.

import java.util.Arrays;

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class Test {
    public static void main(String... args) {
        // Admin client authenticated as the master realm admin through admin-cli
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")
                .realm("master")
                .username("admin")
                .password("admin")
                .clientId("admin-cli")
                .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
                .build();

        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue("pass");

        UserRepresentation user = new UserRepresentation();
        user.setUsername("test");
        user.setFirstName("First");
        user.setLastName("Last");
        user.setEnabled(true);
        user.setCredentials(Arrays.asList(credential));

        kc.realm("master").users().create(user);
    }
}

I hope it helps.

On 2016-08-15, hasane has wrote:
> Hi,
> I'm trying to add a user programmatically to keycloak server like this :
>
> Keycloak kc = KeycloakBuilder
>         .builder()
>         .serverUrl("http://localhost:8080/auth/")
>         .realm("myApp")
>         .username("admin")
>         .password("123")
>         .clientId("admin-cli")
>         .clientSecret("acce91b1-53ad-467e-8895-5ef8630a3295")
>         .clientId("Frontend")
>         .resteasyClient(
>                 new ResteasyClientBuilder().connectionPoolSize(10)
>                         .build()).build();
> CredentialRepresentation credential = new CredentialRepresentation();
> credential.setType(CredentialRepresentation.PASSWORD);
> credential.setValue("test123");
> UserRepresentation user = new UserRepresentation();
> user.setUsername("testuser");
> user.setFirstName("Test");
> user.setLastName("User");
> user.setEnabled(true);
> user.setCredentials(Arrays.asList(credential));
> kc.realm("myApp").users().create(user);
>
> but I get this error :
>
> 15:46:51,412 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-22) Failed executing POST /admin/realms/myApp/users: org.keycloak.services.ForbiddenException
>     at org.keycloak.services.resources.admin.RealmAuth.requireManage(RealmAuth.java:59)
>     at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:181)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:744)
>
> I think that the problem comes from user role so I tried to grant the admin role to that user but it doesn't work.
> I'm working with keycloak 1.6
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From christopher.james.davies at gmail.com Sat Aug 20 03:52:16 2016
From: christopher.james.davies at gmail.com (Christopher Davies)
Date: Sat, 20 Aug 2016 07:52:16 +0000
Subject: [keycloak-user] Refreshing Tokens
Message-ID:

I am adding keycloak into a legacy application that uses GWT and Jetty. I have managed to add Keycloak to the application using Spring-security. Because this is GWT I am doing the authorisation in the application myself.
Spring just provides a way to get access to the KeycloakSecurityContext.

The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed. Is this correct?

I was hoping that the application could notice the role changes and adapt itself on the fly. I do not want to have to logout to get the new roles if at all possible.

Is there something that I have overlooked that will allow me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed.

Thanks
Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160820/68919287/attachment.html

From imbacen at gmail.com Sat Aug 20 11:44:03 2016
From: imbacen at gmail.com (cen)
Date: Sat, 20 Aug 2016 17:44:03 +0200
Subject: [keycloak-user] Ionic with keycloak-js sample project
Message-ID: <566cd31d-1b01-8e14-872f-5d3c74ea88b0@gmail.com>

Hi

I couldn't find a good sample project with keycloak-js and Ionic anywhere on the internet (there is a very basic example with Cordova on GitHub), so I decided to hack one on my own. In addition, I decided to modularize the starter Ionic tabs project and add ES6 support. The project initializes Keycloak adapter and adds an auth interceptor on $httpProvider for header injection.

Hopefully this is useful for someone.
Best regards, cen

From imbacen at gmail.com Sat Aug 20 11:47:04 2016
From: imbacen at gmail.com (cen)
Date: Sat, 20 Aug 2016 17:47:04 +0200
Subject: [keycloak-user] Ionic with keycloak-js sample project
In-Reply-To: <566cd31d-1b01-8e14-872f-5d3c74ea88b0@gmail.com>
References: <566cd31d-1b01-8e14-872f-5d3c74ea88b0@gmail.com>
Message-ID: <6a95b330-7ab9-697f-632c-57d75b9c5f85@gmail.com>

I guess it would help if I provided the link to the actual project..
https://github.com/cen1/ionic-babelify-es6-kc

On 20. 08. 2016 at 17:44, cen wrote:
> Hi
>
> I couldn't find a good sample project with keycloak-js and Ionic
> anywhere on the internet (there is a very basic example with Cordova
> on GitHub), so I decided to hack one on my own. In addition, I decided
> to modularize the starter Ionic tabs project and add ES6 support. The
> project initializes Keycloak adapter and adds an auth interceptor on
> $httpProvider for header injection.
>
> Hopefully this is useful for someone.
>
> Best regards, cen

From zmeng at appnexus.com Sun Aug 21 23:05:22 2016
From: zmeng at appnexus.com (Zhaohua Meng)
Date: Mon, 22 Aug 2016 03:05:22 +0000
Subject: [keycloak-user] Login app not deployed on Keycloak?
Message-ID:

Hello gurus here,

We are testing Keycloak 2.1.0 and want to know if it's possible to use a browser login (including 2FA) app that's not deployed on Keycloak?

Thanks,
Z.M
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160822/5b53d153/attachment-0001.html
From postmaster at lists.jboss.org Mon Aug 22 01:22:34 2016
From: postmaster at lists.jboss.org (Post Office)
Date: Mon, 22 Aug 2016 10:52:34 +0530
Subject: [keycloak-user] Delivery reports about your e-mail
Message-ID: <201608220522.u7M5MYMF005260@lists01.dmz-a.mwc.hst.phx2.redhat.com>
The original message was received at Mon, 22 Aug 2016 10:52:34 +0530 from 213.7.194.154
----- The following addresses had permanent fatal errors -----
keycloak-user at lists.jboss.org
----- Transcript of session follows -----
... while talking to host 135.76.87.185:
554 5.0.0 Service unavailable; [212.35.236.161] blocked using bl.spamcop.net, reason: Blocked
Session aborted, reason: lost connection
-------------- next part --------------
A non-text attachment was scrubbed...
Name: text.zip
Type: application/octet-stream
Size: 29232 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160822/10426f4d/attachment-0001.obj
From imbacen at gmail.com Mon Aug 22 04:03:38 2016
From: imbacen at gmail.com (cen)
Date: Mon, 22 Aug 2016 10:03:38 +0200
Subject: [keycloak-user] Ionic with keycloak-js sample project
In-Reply-To:
References: <566cd31d-1b01-8e14-872f-5d3c74ea88b0@gmail.com> <6a95b330-7ab9-697f-632c-57d75b9c5f85@gmail.com>
Message-ID: <96466e97-8f61-d6b0-21d6-00b343e7e83d@gmail.com>
Hi,
Putting it in a service is actually a good idea, didn't even think about it. I'll explore this option and update the project accordingly. Not sure if combining the interceptor with the service in the same module is any good though. The interceptor can happily live on its own since you don't ever need to interact with it through the service.
Thanks for the feedback,
cen
Sebastien Blanc wrote on 22. 08. 2016 at 09:44:
> Really nice !
>
> Have you seen the angular example
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app/src/main/webapp
> ?
> It's really similar to what you did but instead of putting the keycloak
> object on the $rootscope, it creates an Auth angular Service on the fly.
>
> In the near future it would be nice to have a separate Angular module that
> contains the auth interceptor, the auth service and maybe a set of
> directives.
>
> Sebi
>
>
> On Sat, Aug 20, 2016 at 5:47 PM, cen wrote:
>
>> I guess it would help if I provided the link to the actual project..
>> https://github.com/cen1/ionic-babelify-es6-kc
>>
>>
>> cen wrote on 20. 08. 2016 at 17:44:
>>> Hi
>>>
>>> I couldn't find a good sample project with keycloak-js and Ionic
>>> anywhere on the internet (there is a very basic example with Cordova
>>> on GitHub), so I decided to hack one on my own. In addition, I decided
>>> to modularize the starter Ionic tabs project and add ES6 support. The
>>> project initializes Keycloak adapter and adds an auth interceptor on
>>> $httpProvider for header injection.
>>>
>>> Hopefully this is useful for someone.
>>>
>>>
>>> Best regards, cen
>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
From mposolda at redhat.com Mon Aug 22 04:21:56 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 22 Aug 2016 10:21:56 +0200
Subject: [keycloak-user] Infinispan problems upgrading 1.7.0.Final to 2.0.0.Final
In-Reply-To:
References: <57A87FB8.5000308@redhat.com> <57A9CB0F.5020501@redhat.com>
Message-ID: <57BAB624.2060202@redhat.com>
Kevin, sorry for the late response. I was on PTO.
Could you please double-check if the update from 1.7.0.Final to the latest 2.1.0.Final docker image works fine for you?
Thanks, Marek On 09/08/16 16:01, Kevin Thorpe wrote: > Not according to your base image: > [kevin at kev-c7-test pi-keycloak]$ docker run -ti --entrypoint /bin/bash > jboss/keycloak-mysql:2.0.0.Final -s > Unable to find image 'jboss/keycloak-mysql:2.0.0.Final' locally > 2.0.0.Final: Pulling from jboss/keycloak-mysql > a3ed95caeb02: Pull complete > da71393503ec: Pull complete > eb78add5bf3f: Pull complete > 046239789b53: Pull complete > 364eb6df56ec: Pull complete > 21beacec2ed4: Pull complete > b0c6b264da5a: Pull complete > 1cb268ec5855: Pull complete > 5400749767a0: Pull complete > 710ca18f9c2a: Pull complete > 76d4c31a5749: Pull complete > 4763ae5ce42d: Pull complete > 3929a1cda72b: Pull complete > 840a187f62cf: Pull complete > Digest: > sha256:cce1b09f3423851f72ee93c87d66d8de4663e7b231a2158cfbaef6846701c7ec > Status: Downloaded newer image for jboss/keycloak-mysql:2.0.0.Final > [jboss at ccef1862480f ~]$ vi > keycloak/standalone/configuration/standalone.xml > > > snipped out the infinispan config: > jndi-name="infinispan/Keycloak"> > > > > > > > > > > > > > > > > > > > > > *Kevin Thorpe* > VP Enterprise Platform > > www.p-i.net | @PI_150 > > *T: +44 (0)20 3005 6750 | F: > +44(0)20 7730 2635 | T: +44 (0)808 > 204 0344 * > *150 Buckingham Palace Road, London, SW1W 9TR, UK* > > > *SAVE PAPER - THINK BEFORE YOU PRINT!* > > ____________________________________________________________________ > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. This message contains confidential information and > is intended only for the individual named. If you are not the named > addressee you should not disseminate, distribute or copy this e-mail. > Please notify the sender immediately by e-mail if you have received > this e-mail by mistake and delete this e-mail from your system. 
If you > are not the intended recipient you are notified that disclosing, > copying, distributing or taking any action in reliance on the contents > of this information is strictly prohibited. > > > On 9 August 2016 at 13:22, Marek Posolda > wrote: > > Hmm... Actually I am not 100% sure what you did, but from the > error message, it's very clear that configuration of your > infinispan caches in standalone.xml is out-dated. In Keycloak 2.0 > it should look like this: > > jndi-name="infinispan/Keycloak"> > > > > > > > > > > > > Marek > > > > On 08/08/16 15:57, Kevin Thorpe wrote: >> Also, the standalone.xml is yours from the keycloak-mysql image >> with just the https-listener and our security-realm added using >> saxon/xslt in the same way as you deploy it >> >> >> >> *Kevin Thorpe* >> VP Enterprise Platform >> >> www.p-i.net | @PI_150 >> >> >> *T: +44 (0)20 3005 6750 | >> F: +44(0)20 7730 2635 | T: >> +44 (0)808 204 0344 * >> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >> >> >> *SAVE PAPER - THINK BEFORE YOU PRINT!* >> >> ____________________________________________________________________ >> >> This email and any files transmitted with it are confidential and >> intended solely for the use of the individual or entity to whom >> they are addressed. If you have received this email in error >> please notify the system manager. This message contains >> confidential information and is intended only for the individual >> named. If you are not the named addressee you should not >> disseminate, distribute or copy this e-mail. Please notify the >> sender immediately by e-mail if you have received this e-mail by >> mistake and delete this e-mail from your system. If you are not >> the intended recipient you are notified that disclosing, copying, >> distributing or taking any action in reliance on the contents of >> this information is strictly prohibited. 
>>
>>
>> On 8 August 2016 at 13:48, Marek Posolda wrote:
>>
>> From your logs, it seems the problem is related to the migration of
>> infinispan caches. It looks like you don't have some
>> of those caches defined in standalone.xml.
>>
>> Generally it's recommended to use Keycloak with the
>> keycloak-server distribution, and the upgrade process is like this:
>> - You stop your Keycloak 1.7.0.Final server
>> - You download the Keycloak-server 2.0.0.Final distribution
>> and you just configure the DB ( datasource ) to point to the same
>> DB that Keycloak 1.7.0 previously used
>> - You start Keycloak and Liquibase makes sure to upgrade your DB.
>>
>> Note that with this approach, you don't need to care about
>> any changes which were made in standalone.xml or
>> keycloak-server.json or other files between Keycloak 1.7 and 2.0.
>>
>> Marek
>>
>>
>> On 08/08/16 14:27, Shiva Saxena wrote:
>>> Hi,
>>>
>>> You can try setting the "databaseSchema" to "update" in
>>> "connectionsJpa".
>>>
>>> Here is the migration guide doc URL
>>>
>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/MigrationFromOlderVersions.html
>>>
>>> On Mon, Aug 8, 2016 at 4:47 PM, Kevin Thorpe wrote:
>>>
>>> Hi,
>>> I'm having problems upgrading from 1.7.0.Final to
>>> 2.0.0.Final. I'm using the Docker images on which we
>>> build our own images to add https with our certs, our
>>> theme and a small patch to match our LDAP configuration.
>>> The new image of 2.0.0 works fine with a brand new
>>> database but doesn't start up with the existing
>>> database. Do I need to upgrade via an earlier release to
>>> modify the db?
>>>
>>> I've attached the startup logs. I don't know enough to
>>> see what's wrong.
>>> >>> *Kevin Thorpe* >>> VP Enterprise Platform >>> >>> www.p-i.net | @PI_150 >>> >>> >>> *T: +44 (0)20 3005 6750 >>> | F: +44(0)20 >>> 7730 2635 | T: +44 >>> (0)808 204 0344 * >>> *150 Buckingham Palace Road, London, SW1W 9TR, UK* >>> >>> >>> *SAVE PAPER - THINK BEFORE YOU PRINT!* >>> >>> ____________________________________________________________________ >>> >>> This email and any files transmitted with it are >>> confidential and intended solely for the use of the >>> individual or entity to whom they are addressed. If you >>> have received this email in error please notify the >>> system manager. This message contains confidential >>> information and is intended only for the individual >>> named. If you are not the named addressee you should not >>> disseminate, distribute or copy this e-mail. Please >>> notify the sender immediately by e-mail if you have >>> received this e-mail by mistake and delete this e-mail >>> from your system. If you are not the intended recipient >>> you are notified that disclosing, copying, distributing >>> or taking any action in reliance on the contents of this >>> information is strictly prohibited. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> >>> >>> -- >>> Best Regards >>> *Shiva Saxena*** >>> *Blog | Linkedin >>> | StackOverflow >>> * >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160822/e033a59b/attachment-0001.html
From sthorger at redhat.com Mon Aug 22 04:43:53 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 22 Aug 2016 10:43:53 +0200
Subject: [keycloak-user] Login app not deployed on Keycloak?
In-Reply-To:
References:
Message-ID:
If your login app provides OpenID Connect or SAML then you can delegate authentication using identity brokering and a default provider.
On 22 August 2016 at 05:05, Zhaohua Meng wrote:
> Hello gurus here,
>
>
>
> We are testing Keycloak 2.1.0 and want to know if it's possible to use a
> browser login (including 2FA) app that's not deployed on Keycloak?
>
>
>
> Thanks,
>
> Z.M
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160822/b11fc3d5/attachment.html
From christian_hebert at hotmail.com Mon Aug 22 13:35:47 2016
From: christian_hebert at hotmail.com (Christian Hebert)
Date: Mon, 22 Aug 2016 13:35:47 -0400
Subject: [keycloak-user] Help - Remote EJB Security Context
Message-ID:
Hello everyone!
We have a few applications protected by Keycloak deployed on two JBoss servers (EAP 7). I'm trying to access an EJB from an application deployed on server A to an application deployed on server B. Following the basic example that comes with JBoss I've been able to do it by simply using the ApplicationRealm. My problem is that I have no identity on the remote server and I need to propagate the identity (and security context) from server A to server B. I can't figure out the way to configure my EJBReceiver to use another realm.
I keep receiving the following error:
java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:RemoteApp, moduleName:RemoteAppEJB, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@717cef09
at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:798)
at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:128)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:186)
at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:255)
Is there anybody who can help me with this?
Thanks a lot!
Christian Hebert
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160822/a43ef353/attachment.html
From mposolda at redhat.com Mon Aug 22 13:43:55 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 22 Aug 2016 19:43:55 +0200
Subject: [keycloak-user] Signed JWT issue
In-Reply-To:
References:
Message-ID: <57BB39DB.5080007@redhat.com>
It seems that you're using some quite old adapter version on the Tomcat side. Could you try to update to the latest Keycloak adapter in your Tomcat as well?
Marek
On 12/08/16 09:44, abhishek raghav wrote:
> Hi Team,
>
> Recently I ran into an issue where I am using signedJWT tokens as
> client authentication mechanism instead of client id/secret.
>
> My keycloak.json looks like this:
>
> {
> "realm": "nginx",
> "realm-public-key":
> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
> "auth-server-url": "http://192.168.99.100:31048/auth",
> "ssl-required": "external",
> "resource": "product-portal",
> "enable-cors" : false,
> "credentials": {
> "jwt": {
> "client-key-password": "changeit",
> "client-keystore-file": "/keystore/keystore.jks",
> "client-keystore-password": "changeit",
> "client-key-alias": "product-portal",
> "token-timeout": 10,
> "client-keystore-type": "jks"
> }
> }
> }
>
>
> But when I am trying to deploy this app in my local Tomcat, the app
> doesn't deploy and fails. I saw my catalina.log file which tells this:
>
> 12-Aug-2016 07:13:09.400 SEVERE [localhost-startStop-1]
> org.apache.catalina.startup.HostConfig.deployWAR Error deploying web
> application archive /usr/local/tomcat/webapps/product-portal.war
> java.lang.RuntimeException:
> org.codehaus.jackson.map.JsonMappingException: Can not deserialize
> instance of java.lang.String out of START_OBJECT token
> at [Source: java.io.FileInputStream@7d33dbab; line: 9, column: 5]
> (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["credentials"])
> at
> org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:104)
> at
> org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:93)
> at
> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:116)
> at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:65) > at > org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95) > at > org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) > at > org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394) > at > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:165) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) > at > org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:940) > at > org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1816) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) > at java.util.concurrent.FutureTask.run(FutureTask.java:262) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.codehaus.jackson.map.JsonMappingException: Can not > deserialize instance of java.lang.String out of START_OBJECT token > at [Source: java.io.FileInputStream at 7d33dbab; line: 9, column: 5] > (through reference chain: org.keycloak.representations.adapters.conf > ig.AdapterConfig["credentials"]) > at > org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163) > at > org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219) > at > org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:44) > at > org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:13) > at > 
org.codehaus.jackson.map.deser.std.MapDeserializer._readAndBind(MapDeserializer.java:319)
> at
> org.codehaus.jackson.map.deser.std.MapDeserializer.deserialize(MapDeserializer.java:249)
> at
> org.codehaus.jackson.map.deser.std.MapDeserializer.deserialize(MapDeserializer.java:33)
> at
> org.codehaus.jackson.map.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:299)
> at
> org.codehaus.jackson.map.deser.SettableBeanProperty$MethodProperty.deserializeAndSet(SettableBeanProperty.java:414)
> at
> org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:697)
> ......
>
> It shows a problem deserializing the "credentials" property.
>
> I am using Keycloak 2.0.0.Final and Tomcat 8.0.36 version.
> For Keycloak I am using the Tomcat adapter for my app.
>
> Please help.
>
>
> *- Best Regards*
> Abhishek Raghav
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160822/a6886631/attachment.html
From nizar2yas at gmail.com Tue Aug 23 04:57:59 2016
From: nizar2yas at gmail.com (hasane has)
Date: Tue, 23 Aug 2016 09:57:59 +0100
Subject: [keycloak-user] getting currently connected user info( id)
Message-ID:
Hi,
I have an app secured with Keycloak 1.6.1 and I wish to know how to get the currently connected user information (id) programmatically.
Cordially
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/23bf9f98/attachment-0001.html
From paal.oliver at gmail.com Tue Aug 23 05:09:30 2016
From: paal.oliver at gmail.com (Pål Oliver Kristiansen)
Date: Tue, 23 Aug 2016 09:09:30 +0000
Subject: [keycloak-user] Running Keycloak in Jetty
Message-ID:
Has anyone managed to run Keycloak in Jetty? Or does anyone have some pointers to where to start adapting the source to make it work?
Thanks!
--
Pål Oliver Kristiansen
Cornix Consulting
92 22 60 41
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/f9ef646b/attachment.html
From aman.jaiswal at arvindinternet.com Tue Aug 23 06:33:41 2016
From: aman.jaiswal at arvindinternet.com (Aman Jaiswal)
Date: Tue, 23 Aug 2016 16:03:41 +0530
Subject: [keycloak-user] Getting Error when connecting local host to server DB
Message-ID:
Hi Team
I am getting an error while connecting my local Keycloak to a DB which is on a server. The error is in the attached file. Please give me a solution to resolve this issue.
--
Thanks,
Aman Jaiswal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/a87696fd/attachment-0001.html -------------- next part -------------- tech at tech-Inspiron-5558:~/keycloak-2.1.0.Final$ ./bin/standalone.sh ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /home/tech/keycloak-2.1.0.Final JAVA: java JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true ========================================================================= 14:47:06,415 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.1.Final 14:47:06,601 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final 14:47:06,670 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting 14:47:07,808 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http) 14:47:07,828 INFO [org.xnio] (MSC service thread 1-4) XNIO version 3.3.4.Final 14:47:07,843 INFO [org.xnio.nio] (MSC service thread 1-4) XNIO NIO Implementation Version 3.3.4.Final 14:47:07,899 INFO [org.wildfly.extension.io] (ServerService Thread Pool -- 29) WFLYIO001: Worker 'default' has auto-configured to 8 core threads with 64 task threads based on your 4 available processors 14:47:07,902 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 30) WFLYCLINF0001: Activating Infinispan subsystem. 
14:47:07,920 INFO [org.jboss.as.connector] (MSC service thread 1-2) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.3.2.Final) 14:47:07,983 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 26) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1) 14:47:07,989 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0018: Started Driver service with driver-name = mysql 14:47:07,995 INFO [org.jboss.as.jsf] (ServerService Thread Pool -- 36) WFLYJSF0007: Activated the following JSF Implementations: [main] 14:47:07,997 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 26) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.3) 14:47:07,998 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2 14:47:08,021 INFO [org.jboss.as.naming] (ServerService Thread Pool -- 38) WFLYNAM0001: Activating Naming Subsystem 14:47:08,022 WARN [org.jboss.as.txn] (ServerService Thread Pool -- 43) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique. 
14:47:08,057 INFO [org.jboss.as.security] (ServerService Thread Pool -- 42) WFLYSEC0002: Activating Security Subsystem 14:47:08,058 INFO [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 4.0.18.Final 14:47:08,077 INFO [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service 14:47:08,078 INFO [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default] 14:47:08,083 INFO [org.jboss.as.security] (MSC service thread 1-3) WFLYSEC0001: Current PicketBox version=4.9.4.Final 14:47:08,282 INFO [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0003: Undertow 1.3.15.Final starting 14:47:08,289 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 44) WFLYUT0003: Undertow 1.3.15.Final starting 14:47:08,430 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 44) WFLYUT0014: Creating file handler for path '/home/tech/keycloak-2.1.0.Final/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]'] 14:47:08,457 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server. 14:47:08,470 INFO [org.jboss.as.ejb3] (MSC service thread 1-6) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 16 (per class), which is derived from the number of CPUs on this host. 14:47:08,471 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0018: Host default-host starting 14:47:08,474 INFO [org.jboss.as.ejb3] (MSC service thread 1-3) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 64 (per class), which is derived from thread worker pool sizing. 
14:47:08,582 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:8080 14:47:08,707 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-8) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS] 14:47:08,713 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS] 14:47:08,913 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war") 14:47:09,052 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-1) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final 14:47:09,053 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-5) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final 14:47:09,053 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-7) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final 14:47:09,053 INFO [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan 'Mahou' 8.1.0.Final 14:47:09,425 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0002: Started loginFailures cache from keycloak container 14:47:09,428 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 46) WFLYCLINF0002: Started sessions cache from keycloak container 14:47:09,427 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0002: Started realms cache from keycloak container 14:47:09,426 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started work cache from keycloak container 14:47:09,426 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started offlineSessions cache 
from keycloak container 14:47:09,433 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 49) WFLYCLINF0002: Started users cache from keycloak container 14:47:10,106 INFO [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0001: Loading config from /home/tech/keycloak-2.1.0.Final/standalone/configuration/keycloak-server.json 14:47:15,752 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 49) WFLYCLINF0002: Started userRevisions cache from keycloak container 14:47:15,760 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 49) WFLYCLINF0002: Started realmRevisions cache from keycloak container 14:47:23,980 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Updating database. Using changelog META-INF/jpa-changelog-master.xml 14:48:25,489 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 49) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...] 
14:48:25,539 INFO [org.hibernate.Version] (ServerService Thread Pool -- 49) HHH000412: Hibernate Core {5.0.7.Final}
14:48:25,540 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000206: hibernate.properties not found
14:48:25,541 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000021: Bytecode provider name : javassist
14:48:25,572 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 49) HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
14:48:28,505 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 49) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
14:48:28,524 INFO [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl] (ServerService Thread Pool -- 49) HHH000423: Disabling contextual LOB creation as JDBC driver reported JDBC version [3] less than 4
14:48:28,531 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 49) Envers integration enabled? : true
14:48:29,003 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 49) HV000001: Hibernate Validator 5.2.3.Final
14:48:29,821 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 49) HHH000397: Using ASTQueryTranslatorFactory
14:52:08,901 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0348: Timeout after [300] seconds waiting for service container stability. Operation will roll back. Step that first updated the service container was 'add' at address '[
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]'
14:52:13,905 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.server.DeployerChainAddHandler$FinalRuntimeStepHandler@3de7a15 for operation {"operation" => "add-deployer-chains","address" => []} at address [] failed handling operation rollback -- java.util.concurrent.TimeoutException: java.util.concurrent.TimeoutException
    at org.jboss.as.controller.OperationContextImpl.waitForRemovals(OperationContextImpl.java:511)
    at org.jboss.as.controller.AbstractOperationContext$Step.handleResult(AbstractOperationContext.java:1369)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeInternal(AbstractOperationContext.java:1328)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeStep(AbstractOperationContext.java:1301)
    at org.jboss.as.controller.AbstractOperationContext$Step.access$300(AbstractOperationContext.java:1185)
    at org.jboss.as.controller.AbstractOperationContext.executeResultHandlerPhase(AbstractOperationContext.java:767)
    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:644)
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
    at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:485)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:387)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:349)
    at org.jboss.as.server.ServerService.boot(ServerService.java:392)
    at org.jboss.as.server.ServerService.boot(ServerService.java:365)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
    at java.lang.Thread.run(Thread.java:745)

14:52:13,907 ERROR [org.jboss.as.controller.client] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.server.DeployerChainAddHandler$FinalRuntimeStepHandler@3de7a15 for operation {"operation" => "add-deployer-chains","address" => []} at address [] failed handling operation rollback -- java.util.concurrent.TimeoutException
14:52:18,908 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler@762cad33 for operation {"address" => [("core-service" => "management"),("security-realm" => "ApplicationRealm")],"operation" => "add","map-groups-to-roles" => undefined} at address [ ("core-service" => "management"), ("security-realm" => "ApplicationRealm") ] failed handling operation rollback -- java.util.concurrent.TimeoutException: java.util.concurrent.TimeoutException
    at org.jboss.as.controller.OperationContextImpl.waitForRemovals(OperationContextImpl.java:511)
    at org.jboss.as.controller.AbstractOperationContext$Step.handleResult(AbstractOperationContext.java:1369)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeInternal(AbstractOperationContext.java:1328)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeStep(AbstractOperationContext.java:1311)
    at org.jboss.as.controller.AbstractOperationContext$Step.access$300(AbstractOperationContext.java:1185)
    at org.jboss.as.controller.AbstractOperationContext.executeResultHandlerPhase(AbstractOperationContext.java:767)
    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:644)
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
    at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:485)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:387)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:349)
    at org.jboss.as.server.ServerService.boot(ServerService.java:392)
    at org.jboss.as.server.ServerService.boot(ServerService.java:365)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
    at java.lang.Thread.run(Thread.java:745)

14:52:18,909 ERROR [org.jboss.as.controller.client] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler@762cad33 for operation {"address" => [("core-service" => "management"),("security-realm" => "ApplicationRealm")],"operation" => "add","map-groups-to-roles" => undefined} at address [ ("core-service" => "management"), ("security-realm" => "ApplicationRealm") ] failed handling operation rollback -- java.util.concurrent.TimeoutException
14:52:23,909 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler@762cad33 for operation {"address" => [("core-service" => "management"),("security-realm" => "ManagementRealm")],"operation" => "add","map-groups-to-roles" => false} at address [ ("core-service" => "management"), ("security-realm" => "ManagementRealm") ] failed handling operation rollback -- java.util.concurrent.TimeoutException: java.util.concurrent.TimeoutException
    at org.jboss.as.controller.OperationContextImpl.waitForRemovals(OperationContextImpl.java:511)
    at org.jboss.as.controller.AbstractOperationContext$Step.handleResult(AbstractOperationContext.java:1369)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeInternal(AbstractOperationContext.java:1328)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeStep(AbstractOperationContext.java:1311)
    at org.jboss.as.controller.AbstractOperationContext$Step.access$300(AbstractOperationContext.java:1185)
    at org.jboss.as.controller.AbstractOperationContext.executeResultHandlerPhase(AbstractOperationContext.java:767)
    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:644)
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
    at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:485)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:387)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:349)
    at org.jboss.as.server.ServerService.boot(ServerService.java:392)
    at org.jboss.as.server.ServerService.boot(ServerService.java:365)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
    at java.lang.Thread.run(Thread.java:745)

14:52:23,910 ERROR [org.jboss.as.controller.client] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler@762cad33 for operation {"address" => [("core-service" => "management"),("security-realm" => "ManagementRealm")],"operation" => "add","map-groups-to-roles" => false} at address [ ("core-service" => "management"), ("security-realm" => "ManagementRealm") ] failed handling operation rollback -- java.util.concurrent.TimeoutException
14:52:28,911 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.controller.AbstractControllerService$ModelControllerServiceInitializationBootStepHandler$1@6098044e for operation {"operation" => "boottime-controller-initializer-step","address" => []} at address [] failed handling operation rollback -- java.util.concurrent.TimeoutException: java.util.concurrent.TimeoutException
    at org.jboss.as.controller.OperationContextImpl.waitForRemovals(OperationContextImpl.java:511)
    at org.jboss.as.controller.AbstractOperationContext$Step.handleResult(AbstractOperationContext.java:1369)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeInternal(AbstractOperationContext.java:1328)
    at org.jboss.as.controller.AbstractOperationContext$Step.finalizeStep(AbstractOperationContext.java:1311)
    at org.jboss.as.controller.AbstractOperationContext$Step.access$300(AbstractOperationContext.java:1185)
    at org.jboss.as.controller.AbstractOperationContext.executeResultHandlerPhase(AbstractOperationContext.java:767)
    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:644)
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370)
    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344)
    at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:485)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:387)
    at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:349)
    at org.jboss.as.server.ServerService.boot(ServerService.java:392)
    at org.jboss.as.server.ServerService.boot(ServerService.java:365)
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
    at java.lang.Thread.run(Thread.java:745)

14:52:28,912 ERROR [org.jboss.as.controller.client] (Controller Boot Thread) WFLYCTL0190: Step handler org.jboss.as.controller.AbstractControllerService$ModelControllerServiceInitializationBootStepHandler$1@6098044e for operation {"operation" => "boottime-controller-initializer-step","address" => []} at address [] failed handling operation rollback -- java.util.concurrent.TimeoutException
14:52:28,913 ERROR [org.jboss.as.server] (ServerService Thread Pool -- 45) WFLYSRV0022: Deploy of deployment "keycloak-server.war" was rolled back with no failure message
14:52:28,926 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
14:52:28,933 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 28) IJ000615: Destroying active connection in pool: KeycloakDS (org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@701fdf12)
14:52:28,933 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 28) IJ000615: Destroying active connection in pool: KeycloakDS (org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@6d4fadd8)
14:52:28,935 WARN [org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory] (ServerService Thread Pool -- 28) IJ030022: Lock owned during cleanup: ServerService Thread Pool -- 49: java.lang.Throwable: Lock owned during cleanup: ServerService Thread Pool -- 49
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
    at java.net.SocketInputStream.read(SocketInputStream.java:170)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at com.mysql.jdbc.util.ReadAheadInputStream.fill(ReadAheadInputStream.java:113)
    at com.mysql.jdbc.util.ReadAheadInputStream.readFromUnderlyingStreamIfNecessary(ReadAheadInputStream.java:160)
    at com.mysql.jdbc.util.ReadAheadInputStream.read(ReadAheadInputStream.java:188)
    at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2494)
    at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2949)
    at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2938)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3481)
    at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1959)
    at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2109)
    at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2643)
    at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2077)
    at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2362)
    at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2280)
    at com.mysql.jdbc.PreparedStatement.executeUpdate(PreparedStatement.java:2265)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
    at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45)
    at org.hibernate.persister.collection.AbstractCollectionPersister.recreate(AbstractCollectionPersister.java:1313)
    at org.hibernate.action.internal.CollectionUpdateAction.execute(CollectionUpdateAction.java:80)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
    at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
    at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
    at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300)
    at sun.reflect.GeneratedMethodAccessor310.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
    at com.sun.proxy.$Proxy62.flush(Unknown Source)
    at org.keycloak.models.jpa.RoleAdapter.addCompositeRole(RoleAdapter.java:105)
    at org.keycloak.migration.migrators.MigrationUtils.addAdminRole(MigrationUtils.java:35)
    at org.keycloak.migration.migrators.MigrateTo2_0_0.migrateAuthorizationServices(MigrateTo2_0_0.java:39)
    at org.keycloak.migration.migrators.MigrateTo2_0_0.migrate(MigrateTo2_0_0.java:32)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:108)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:184)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:141)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:106)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:287)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)

14:52:29,019 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 0, SQLState: null
14:52:29,020 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@1db6144
14:52:29,048 ERROR [org.keycloak.services] (ServerService Thread Pool -- 49) KC-SERVICES0002: Failed to migrate datamodel: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
    at com.sun.proxy.$Proxy62.flush(Unknown Source)
    at org.keycloak.models.jpa.RoleAdapter.addCompositeRole(RoleAdapter.java:105)
    at org.keycloak.migration.migrators.MigrationUtils.addAdminRole(MigrationUtils.java:35)
    at org.keycloak.migration.migrators.MigrateTo2_0_0.migrateAuthorizationServices(MigrateTo2_0_0.java:39)
    at org.keycloak.migration.migrators.MigrateTo2_0_0.migrate(MigrateTo2_0_0.java:32)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:108)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:184)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:141)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:106)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:287)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303)
    at sun.reflect.GeneratedMethodAccessor310.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
    ... 35 more
Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
    at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
    at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
    at org.hibernate.persister.collection.AbstractCollectionPersister.recreate(AbstractCollectionPersister.java:1287)
    at org.hibernate.action.internal.CollectionUpdateAction.execute(CollectionUpdateAction.java:80)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
    at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
    at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
    at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300)
    ... 39 more
Caused by: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@1db6144
    at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:444)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
    ... 50 more

14:52:29,050 ERROR [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 49) Database error during release lock: liquibase.exception.DatabaseException: liquibase.exception.DatabaseException: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@3689a0ee
    at liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcDatabase.java:1130)
    at org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService.releaseLock(CustomLockService.java:184)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.releaseLock(LiquibaseDBLockProvider.java:121)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:108)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:287)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: liquibase.exception.DatabaseException: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@3689a0ee
    at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:126)
    at liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcDatabase.java:1128)
    ... 29 more
Caused by: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@3689a0ee
    at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.getAutoCommit(WrappedConnection.java:802)
    at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:122)
    ... 30 more

14:52:29,060 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 49) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
    at com.sun.proxy.$Proxy62.flush(Unknown Source)
    at org.keycloak.models.jpa.RoleAdapter.addCompositeRole(RoleAdapter.java:105)
    at org.keycloak.migration.migrators.MigrationUtils.addAdminRole(MigrationUtils.java:35)
    at org.keycloak.migration.migrators.MigrateTo2_0_0.migrateAuthorizationServices(MigrateTo2_0_0.java:39)
    at org.keycloak.migration.migrators.MigrateTo2_0_0.migrate(MigrateTo2_0_0.java:32)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:108)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:184)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:141)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:106)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:287)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303)
    at sun.reflect.GeneratedMethodAccessor310.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
    ... 35 more
Caused by: org.hibernate.exception.GenericJDBCException: could not prepare statement
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
    at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
    at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
    at org.hibernate.persister.collection.AbstractCollectionPersister.recreate(AbstractCollectionPersister.java:1287)
    at org.hibernate.action.internal.CollectionUpdateAction.execute(CollectionUpdateAction.java:80)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
    at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
    at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
    at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300)
    ... 39 more
Caused by: java.sql.SQLException: IJ031040: Connection is not associated with a managed connection: org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7@1db6144
    at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedConnection.java:164)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:444)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
    ... 50 more

14:52:29,068 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
14:52:29,077 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0008: Undertow HTTP listener default suspending
14:52:29,074 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 30) WFLYCLINF0003: Stopped work cache from keycloak container
14:52:29,079 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 127.0.0.1:8080
14:52:29,074 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 44) WFLYCLINF0003: Stopped loginFailures cache from keycloak container
14:52:29,065 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0019: Host default-host stopping
14:52:29,081 INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0004: Undertow 1.3.15.Final stopping
14:52:29,073 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 43) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container
14:52:29,073 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-5) WFLYJCA0019: Stopped Driver service with driver-name = h2
14:52:29,072 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 42) WFLYCLINF0003: Stopped users cache from keycloak container
14:52:29,072 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 49) WFLYCLINF0003: Stopped sessions cache from keycloak container
14:52:29,093 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 20188ms
14:52:29,098 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 36) WFLYCLINF0003: Stopped realms cache from keycloak container
14:52:29,112 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-3) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container
14:52:29,122 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-3) WFLYCLINF0003: Stopped userRevisions cache from keycloak container
14:52:29,494 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-8) WFLYJCA0019: Stopped Driver service with driver-name = mysql
14:52:29,504 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
14:52:29,514 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
14:52:29,524 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0050: Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) stopped in 6ms

From sthorger at redhat.com Tue Aug 23 07:01:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 23 Aug 2016 13:01:24 +0200
Subject: [keycloak-user] Review Japanese translations
Message-ID:

We have a PR for Japanese translations, but I would like someone to review it prior to merging it. Are there any Japanese speakers out there who could review it for me?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/b23ca941/attachment.html

From sthorger at redhat.com Tue Aug 23 07:03:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 23 Aug 2016 13:03:31 +0200
Subject: [keycloak-user] getting currently connected user info( id)
In-Reply-To:
References:
Message-ID:

Are you using our adapters? If not you'll need a lib or parse the token yourself.

On 23 August 2016 at 10:57, hasane has wrote:
> Hi,
> I have an app secured with keycloak 1.6.1 and I wish to know how to get
> the currently connected user information -id- (programmatically)
> Cordially
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/fa4efd84/attachment.html

From zeus.arias at beeva.com Tue Aug 23 07:14:16 2016
From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA)
Date: Tue, 23 Aug 2016 13:14:16 +0200
Subject: [keycloak-user] Fwd: Question about LDAP Rol
In-Reply-To:
References:
Message-ID:

I have a keycloak server which has the LDAP configuration. This LDAP server has different roles than my application.
So I would like to know if it's possible, and how I have to do it, for the keycloak server to map or translate role A to role B. Role B is used by my application.

Greetings!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/80e9751e/attachment.html

From dirk at dirkgomez.de Tue Aug 23 07:31:40 2016
From: dirk at dirkgomez.de (Dirk Gómez)
Date: Tue, 23 Aug 2016 13:31:40 +0200
Subject: [keycloak-user] Default username and password for Keycloak installation on OpenShift
Message-ID: <20160823133140.Horde.z7M3qMtJskH9g-81FdkccVc@webmail.in-berlin.de>

Hi list,

I've installed Keycloak on a simple Openshift instance and now I don't know which credentials to use on initial login, neither do I know how to create an initial account on Openshift. Somebody has done that successfully?

Dirk

From pavel.masloff at gmail.com Tue Aug 23 07:36:58 2016
From: pavel.masloff at gmail.com (Pavel Maslov)
Date: Tue, 23 Aug 2016 13:36:58 +0200
Subject: [keycloak-user] Default username and password for Keycloak installation on OpenShift
In-Reply-To: <20160823133140.Horde.z7M3qMtJskH9g-81FdkccVc@webmail.in-berlin.de>
References: <20160823133140.Horde.z7M3qMtJskH9g-81FdkccVc@webmail.in-berlin.de>
Message-ID:

Hey Dirk,

You can ssh to your machine and do:

$ env | grep OPENSHIFT_KEYCLOAK_USERNAME
$ env | grep OPENSHIFT_KEYCLOAK_PASSWORD

Regards,
Pavel Maslov, MS

On Tue, Aug 23, 2016 at 1:31 PM, Dirk Gómez wrote:
> Hi list,
>
> I've installed Keycloak on a simple Openshift instance and now I don't know
> which credentials to use on initial login, neither do I know how to
> create an initial account on Openshift. Somebody has done that
> successfully?
>
> Dirk
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/b7df8350/attachment.html

From bruno at abstractj.org Tue Aug 23 08:13:12 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 23 Aug 2016 09:13:12 -0300
Subject: [keycloak-user] Fwd: Question about LDAP Rol
In-Reply-To:
References:
Message-ID: <20160823121312.GA11276@abstractj.org>

It seems to me that what you need is a Role Mapper[1]

[1] - https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/ldap.html

On 2016-08-23, Zeus Arias Lucero | BEEVA wrote:
> I have a keycloak server which has the LDAP configuration. This LDAP server
> has different roles than my application. So I would like to know if it's
> possible, and how I have to do it, for the keycloak server to map or translate
> role A to role B. Role B is used by my application.
>
> Greetings!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From campbellg at teds.com Tue Aug 23 10:03:16 2016
From: campbellg at teds.com (Glenn Campbell)
Date: Tue, 23 Aug 2016 10:03:16 -0400
Subject: [keycloak-user] SAML IdP automatically link account
Message-ID:

I have a SAML IdP that is used only for authentication and a separate database that contains information about the users, including roles. I've set up the database in User Federation and the SAML IdP in Identity Providers. The problem I have is that when users log in they are prompted to link to an existing account. This is confusing for them because from their perspective the only account they know about is the one on the SAML IdP.
Is it possible to configure this Identity Provider to be "trusted" so that the accounts are linked automatically? I started looking into creating a custom authenticator based on the documentation and the custom authenticator in the example code, but I don't see what the necessary steps are to cause the automatic account linking.

Any suggestions would be greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/a7331a77/attachment.html

From adr_gonzalez at yahoo.fr Tue Aug 23 12:44:46 2016
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Tue, 23 Aug 2016 16:44:46 +0000 (UTC)
Subject: [keycloak-user] OAuth scopes in Keycloak
References: <2010811414.31176051.1471970687005.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <2010811414.31176051.1471970687005.JavaMail.yahoo@mail.yahoo.com>

Hello,

I'm using Keycloak for the first time, so sorry if this is a newbie question.

When I use keycloak, the oauth scope attribute is never present in keycloak tokenEndpoint responses and in introspect responses.

From the specs, the scope attribute should be present when calling the token and tokenIntrospect endpoints, but it's never returned by keycloak endpoints:
 * token endpoint response - see [2] for a sample
   from https://tools.ietf.org/html/rfc6749#section-5.1
   scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED
 * token introspection - see [3] for a sample
   from https://tools.ietf.org/html/rfc7662#section-2.2
   scope OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0 [RFC6749].
   Oops... optional in the spec ??? what's the introspection use then ???

I know I can key roles from the keycloak JWT AT (in realm_access.roles for instance), but it's not in the OAuth specs and I would like to stick with the standard.

Am I doing something wrong ?
I'm using Keycloak with a Spring Boot application (using the Spring OAuth library - I know there's a Spring keycloak adapter, but since my application uses other OIDC / OAuth providers I would like to stick with Spring OAuth), and since no scope attribute is present in the responses, I receive no scope in my application.

I've tested with a sample role hello.say. I created a realm role of the same name, and assigned it to my test user. I've made sure my application requests this scope during the authorization request.

Here's my spring configuration (requesting a hello.say scope), more exactly:

spring:
  profiles: keycloak
security:
  oidc:
    client:
      expectedIssuer: http://localhost:8180/auth/realms/demo
      keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
  oauth2:
    client:
      clientId: sample-resource-server
      clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
      scope: openid refreshToken hello.say
      access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
      user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
    resource:
      serviceId: ${PREFIX:}resource
      tokenInfoUri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect

Really sorry for the long mail

Thanks for the help !
Adrian

[1] Sample token request
grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin

[2] Sample token response (no scope attribute, whether or not my user has the hello.say role) :
{"access_token":"<JWT elided>","expires_in":300,"refresh_expires_in":1800,"refresh_token":"<JWT elided>","token_type":"bearer","id_token":"<JWT elided>","not-before-policy":0,"session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67"}

[3] Sample token introspection response - there's no scope here :
{
   "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
   "exp":1471969404,
   "nbf":0,
   "iat":1471969104,
   "iss":"http://localhost:8180/auth/realms/demo",
   "aud":"sample-application-client",
   "sub":"368d8948-86db-437a-8669-19ab8b07a816",
   "typ":"Bearer",
   "azp":"sample-application-client",
   "auth_time":1471969104,
   "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
   "name":"test test",
   "given_name":"test",
   "family_name":"test",
   "preferred_username":"test",
   "email":"adr_gonzalez at yahoo.fr",
   "acr":"1",
   "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
   "allowed-origins":[
      "http://localhost:9999"
   ],
   "realm_access":{
      "roles":[
         "uma_authorization",
         "hello.say"
      ]
   },
   "resource_access":{
      "account":{
         "roles":[
            "manage-account",
            "view-profile"
         ]
      }
   },
   "client_id":"sample-application-client",
   "username":"test",
   "active":true
}
-------------- next part --------------
An HTML attachment was scrubbed...
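Since RFC 7662 leaves "scope" optional and Keycloak (per Marek's reply in this thread) does not emit it, a resource server that wants to stay protocol-neutral has to decide what to authorise on when the member is absent. The following is an added example, not code from the thread or from Keycloak: it prefers a standard "scope" member and falls back to Keycloak's realm_access / resource_access roles only when there is none, checking "active" and the time claims first. The sample response is a constructed copy of the introspection response quoted above; the expected_issuer parameter and the "<client>:<role>" namespacing of client roles are assumptions.

```python
"""Resource-server side check of a Keycloak token introspection response.

RFC 7662 makes the "scope" member OPTIONAL, and Keycloak 2.x does not
return it, so the permission set is derived from "scope" when present and
from Keycloak's role claims otherwise (assumed fallback, see the thread).
"""
import json
from dataclasses import dataclass, field

# Constructed sample, modelled on the introspection response quoted in the
# thread: no "scope" member, roles under realm_access / resource_access.
SAMPLE_INTROSPECTION = json.loads("""
{
  "jti": "7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
  "exp": 1471969404,
  "nbf": 0,
  "iat": 1471969104,
  "iss": "http://localhost:8180/auth/realms/demo",
  "aud": "sample-application-client",
  "sub": "368d8948-86db-437a-8669-19ab8b07a816",
  "typ": "Bearer",
  "azp": "sample-application-client",
  "realm_access": {"roles": ["uma_authorization", "hello.say"]},
  "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
  "client_id": "sample-application-client",
  "username": "test",
  "active": true
}
""")


@dataclass
class Decision:
    allowed: bool
    reason: str
    granted: frozenset = field(default_factory=frozenset)


def granted_scopes(intro: dict) -> frozenset:
    """Return the set of permissions the introspection response conveys.

    The standard "scope" member (space-separated, RFC 6749 section 3.3) wins
    when present. Otherwise realm roles are used as-is and client roles are
    namespaced "<client>:<role>" (an assumption of this example) so that two
    clients defining the same role name cannot be confused with each other.
    """
    if "scope" in intro:
        return frozenset(intro["scope"].split())
    scopes = set(intro.get("realm_access", {}).get("roles", []))
    for client, access in intro.get("resource_access", {}).items():
        for role in access.get("roles", []):
            scopes.add(f"{client}:{role}")
    return frozenset(scopes)


def authorize(intro: dict, required: set, now: int, expected_issuer: str) -> Decision:
    """Decide whether the introspected token may perform an action.

    Order matters: RFC 7662 says every other member of an inactive response
    must be ignored, so "active" is checked before anything else is read.
    `now` is passed in (Unix seconds) rather than read from the clock so the
    check is deterministic.
    """
    if intro.get("active") is not True:
        return Decision(False, "token inactive")
    if intro.get("iss") != expected_issuer:
        return Decision(False, "unexpected issuer")
    exp = intro.get("exp")
    if exp is None or now >= exp:
        return Decision(False, "token expired")
    if now < intro.get("nbf", 0):
        return Decision(False, "token not yet valid")
    granted = granted_scopes(intro)
    missing = set(required) - granted
    if missing:
        return Decision(False, f"missing: {' '.join(sorted(missing))}", granted)
    return Decision(True, "ok", granted)


if __name__ == "__main__":
    decision = authorize(SAMPLE_INTROSPECTION, {"hello.say"}, now=1471969200,
                         expected_issuer="http://localhost:8180/auth/realms/demo")
    print(decision)
```

A role name is a statement about the user, while an OAuth scope is a statement about what the client was delegated; treating one as the other is a workaround until the server emits "scope", not an equivalence.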
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/7f261844/attachment-0001.html

From stephen.more at gmail.com Tue Aug 23 16:07:42 2016
From: stephen.more at gmail.com (Stephen More)
Date: Tue, 23 Aug 2016 16:07:42 -0400
Subject: [keycloak-user] How can I access org.keycloak.KeycloakPrincipal without javax.servlet.http.HttpServletRequest
Message-ID:

I am familiar with the Apereo CAS Client; that project has an AssertionThreadLocalFilter that allows one to access the principal without having direct access to the web tier session.

org.jasig.cas.client.validation.Assertion assertion = org.jasig.cas.client.util.AssertionHolder.getAssertion();
org.jasig.cas.client.authentication.AttributePrincipal principal = assertion.getPrincipal();

Does keycloak have a similar function to access the org.keycloak.KeycloakPrincipal without access to the HttpServletRequest ?

-Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/7e2a9edd/attachment.html

From john.bartko at drillinginfo.com Tue Aug 23 18:10:21 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Tue, 23 Aug 2016 17:10:21 -0500
Subject: [keycloak-user] User federation providers export/import
Message-ID:

Hello all,

I am attempting to export user federation providers and import them into a different Keycloak instance. The ldap example realm export *looks* like the web admin UI import can do what I need. After importing (step 3 in the example's readme) there are still no user federation providers configured nor any indication of an error.

Similarly, when doing an export at WildFly server boot on a Keycloak instance with user federation configured, I do not see any trace of the provider in the export.

Partial import of clients works fine. Is this the right way to go about persisting realm configuration across deploys/environments?
Thanks,
-John Bartko
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160823/ef5ae596/attachment.html

From hokuda at redhat.com Tue Aug 23 22:51:09 2016
From: hokuda at redhat.com (Hisanobu Okuda)
Date: Wed, 24 Aug 2016 11:51:09 +0900
Subject: [keycloak-user] Review Japanese translations
In-Reply-To:
References:
Message-ID: <1472007069.2143.1.camel@redhat.com>

Stian,

I can do that.

Regards,
Hisanobu

On Tue, 2016-08-23 at 13:01 +0200, Stian Thorgersen wrote:
> We have a PR for Japanese translations, but I would like someone to
> review it prior to merging it. Are there any Japanese speakers out
> there who could review it for me?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Aug 24 02:34:03 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Aug 2016 08:34:03 +0200
Subject: [keycloak-user] User federation providers export/import
In-Reply-To:
References:
Message-ID: <57BD3FDB.3010209@redhat.com>

I am not 100% sure what exactly you are doing. Are you able to have the LDAP example up and running if you exactly follow the steps in the README https://github.com/keycloak/keycloak/blob/master/examples/ldap/README.md ?

Or are you creating the realm representation by hand? Instead of creating it by hand, we have the possibility for export/import, which is exactly for the use-case of migration between different envs - https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/export-import.html

Marek

On 24/08/16 00:10, John Bartko wrote:
> Hello all,
>
> I am attempting to export user federation providers and import them into
> a different Keycloak instance. The ldap example realm export
> *looks*
> like the web admin UI import can do what I need.
> After importing (step
> 3 in the example's readme
> )
> there are still no user federation providers configured nor any
> indication of an error.
>
> Similarly, when doing an export at WildFly server boot on a Keycloak
> instance with user federation configured, I do not see any trace of
> the provider in the export.
>
> Partial import of clients works fine. Is this the right way to go
> about persisting realm configuration across deploys/environments?
>
> Thanks,
> -John Bartko
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/5b930b31/attachment.html

From mposolda at redhat.com Wed Aug 24 02:35:23 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Aug 2016 08:35:23 +0200
Subject: [keycloak-user] User federation providers export/import
In-Reply-To: <57BD3FDB.3010209@redhat.com>
References: <57BD3FDB.3010209@redhat.com>
Message-ID: <57BD402B.8090004@redhat.com>

Btw. can't it be that you are exporting a different realm than the one where you have the ldap federationProvider configured?

Marek

On 24/08/16 08:34, Marek Posolda wrote:
> I am not 100% sure what exactly you are doing. Are you able to have the
> LDAP example up and running if you exactly follow the steps in the README
> https://github.com/keycloak/keycloak/blob/master/examples/ldap/README.md ?
>
> Or are you creating the realm representation by hand?
Instead of creating > by hand, we have possibility for export/import, which is exactly for > the use-case for migration between different envs - > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/export-import.html > > > Marek > > On 24/08/16 00:10, John Bartko wrote: >> Hello all, >> >> I am attempting export user federation providers and import them into >> a different Keycloak instance. The ldap example realm export >> *looks* >> like the web admin UI import can do what I need. After importing >> (step 3 in the example's readme >> ) >> there are still no user federation providers configured nor any >> indication of an error. >> >> Similarly, when doing an export at WildFly server boot on a Keycloak >> instance with user federation configured, I do not see any trace of >> the provider in the export. >> >> Partial import of clients works fine. Is this the right way to go >> about persisting realm configuration across deploys/environments? >> >> Thanks, >> -John Bartko >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/ed7facbf/attachment.html From mposolda at redhat.com Wed Aug 24 04:38:38 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 24 Aug 2016 10:38:38 +0200 Subject: [keycloak-user] OAuth scopes in Keycloak In-Reply-To: <2010811414.31176051.1471970687005.JavaMail.yahoo@mail.yahoo.com> References: <2010811414.31176051.1471970687005.JavaMail.yahoo.ref@mail.yahoo.com> <2010811414.31176051.1471970687005.JavaMail.yahoo@mail.yahoo.com> Message-ID: <57BD5D0E.3070002@redhat.com> Hi, we don't add "scope" to responses right now. Can you please create JIRA and link it with another JIRA https://issues.jboss.org/browse/KEYCLOAK-349 ? 
Thanks, Marek On 23/08/16 18:44, Adrian Gonzalez wrote: > Hello, > > I'm using Keycloak for the first time, so sorry if this is a newbie > question. > > When I use keycloak, oauth scope attribute is never present in > keycloak tokenEndpoint responses and in introspect responses. > > From the specs, it scope attribute should be present when calling > token and tokenIntrospect endpoint, but it's never returned by > keycloak endpoints : > * token endpoint response - see [2] for a sample > from https://tools.ietf.org/html/rfc6749#section-5.1 > scope OPTIONAL, if identical to the scope requested by the > client; otherwise, REQUIRED > * token introspection see [3] for a sample > from https://tools.ietf.org/html/rfc7662#section-2.2 > scope OPTIONAL. A JSON string containing a space-separated > list of > scopes associated with this token, in the format described in > Section 3.3 of OAuth 2.0 [RFC6749]. > Oups... optional in the spec ??? what's the introspection use then ??? > > I know I can key roles from keycloak JWT AT (in realm_access.roles for > instance), but it's not in OAuth specs and I would like to stick with > the standard. > > Am I doing something wrong ? > > I'm using Keycloak with a Spring Boot application (using Spring OAuth > library - I know there's a Spring keycloak adapter, but since my > application uses others OIDC / OAuth provider I would like to stick > with Spring OAuth), and since no scope attribute is present in the > responses, I've receive no scope in my application. > > I've tested with a sample role hello.say. > I created a realm role of the same name, and assigned it to me test user. > I've made sure my application request this scope during authorization > request. 
> > Here's my spring configuration (requesting a hello.say scope), more > exactly : > spring: profiles: keycloak > security: oidc: client: expectedIssuer: http://localhost:8180/auth/realms/demo > keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs > oauth2: client: clientId: sample-resource-server > clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765 > scope: openid refreshToken hello.say > access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token > user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth > resource: serviceId: ${PREFIX:}resource > tokenInfoUri: > http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect > > Really sorry for the long mail > > Thanks for the help ! > Adrian > > [1] Sample token request > grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin > > [2] Sample token response (no scope attribute - whether my user has or > no the hello.say role) : > 
> {"access_token":"<JWT elided>","expires_in":300,"refresh_expires_in":1800,"refresh_token":"<JWT elided>","token_type":"bearer","id_token":"<JWT elided>","not-before-policy":0,"session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67"}
>
>
>
> [3] Sample token introspection response - there's no scope here :
> {
>    "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
>    "exp":1471969404,
>    "nbf":0,
>    "iat":1471969104,
>    "iss":"http://localhost:8180/auth/realms/demo",
>    "aud":"sample-application-client",
>    "sub":"368d8948-86db-437a-8669-19ab8b07a816",
>    "typ":"Bearer",
>    "azp":"sample-application-client",
>    "auth_time":1471969104,
>    "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
>    "name":"test test",
>    "given_name":"test",
>    "family_name":"test",
>    "preferred_username":"test",
>    "email":"adr_gonzalez at yahoo.fr",
>    "acr":"1",
>    "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
>    "allowed-origins":[
>       "http://localhost:9999"
>    ],
>    "realm_access":{
>       "roles":[
>          "uma_authorization",
>          "hello.say"
>       ]
>    },
>    "resource_access":{
>       "account":{
>          "roles":[
>             "manage-account",
>             "view-profile"
>          ]
>       }
>    },
>    "client_id":"sample-application-client",
>    "username":"test",
>    "active":true
> }
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/2ee2ed88/attachment-0001.html

From mposolda at redhat.com Wed Aug 24 04:43:03 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 24 Aug 2016 10:43:03 +0200
Subject: [keycloak-user] How can I access org.keycloak.KeycloakPrincipal without javax.servlet.http.HttpServletRequest
In-Reply-To:
References:
Message-ID: <57BD5E17.6020206@redhat.com>

AFAIK we don't have support for that, but hopefully we can add an adapter option, which will add the KeycloakPrincipal to a threadLocal. Might be useful for frameworks/apps where access to the servletRequest is not possible. Could you create a JIRA?

Which web framework are you using btw? Do you at least have the possibility to add a servletFilter, which will put the KeycloakPrincipal into a threadLocal, so you can access that in your app?

Marek

On 23/08/16 22:07, Stephen More wrote:
> I am familiar with the Apereo CAS Client; that project has an
> AssertionThreadLocalFilter that allows one to access the principal
> without having direct access to the web tier session.
>
> org.jasig.cas.client.validation.Assertion assertion =
> org.jasig.cas.client.util.AssertionHolder.getAssertion();
> org.jasig.cas.client.authentication.AttributePrincipal principal =
> assertion.getPrincipal();
>
>
> Does keycloak have a similar function to access the
> org.keycloak.KeycloakPrincipal without access to the HttpServletRequest ?
>
> -Thanks
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/5333902b/attachment.html

From deepakgarg.garg at gmail.com Wed Aug 24 05:00:36 2016
From: deepakgarg.garg at gmail.com (Deepak Garg)
Date: Wed, 24 Aug 2016 14:30:36 +0530
Subject: [keycloak-user] Custom URL
Message-ID:

Hi,

Is it possible to use and show a custom URL when the user is redirected to the keycloak server for authentication? We get a very long URL in the address bar of the browser.

http://localhost:9090/auth/realms/relam-app-html5/protocol/openid-connect/auth?client_id=app-html5&redirect_uri=http%3A%2F%2Flocalhost%3A9091%2F&state=b407cd60-efe9-457c-8614-7054b13e3a79&response_type=code

Can we also use a tiny URL?

Thanks,
Deepak
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/2d09e276/attachment.html

From adr_gonzalez at yahoo.fr Wed Aug 24 04:58:48 2016
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Wed, 24 Aug 2016 08:58:48 +0000 (UTC)
Subject: [keycloak-user] OAuth scopes in Keycloak
In-Reply-To: <57BD5D0E.3070002@redhat.com>
References: <2010811414.31176051.1471970687005.JavaMail.yahoo.ref@mail.yahoo.com> <2010811414.31176051.1471970687005.JavaMail.yahoo@mail.yahoo.com> <57BD5D0E.3070002@redhat.com>
Message-ID: <749096009.971869.1472029129010.JavaMail.yahoo@mail.yahoo.com>

Thanks Marek for the answer !

I created https://issues.jboss.org/browse/KEYCLOAK-3467 and linked it to 349.
Do you know if you'll map OAuth scopes to keycloak roles when you implement those features ?

Thanks once more !
Adrian

From: Marek Posolda
To: Adrian Gonzalez ; "keycloak-user at lists.jboss.org"
Sent: Wednesday, 24 August 2016 10:38
Subject: Re: [keycloak-user] OAuth scopes in Keycloak

Hi,

we don't add "scope" to responses right now. Can you please create JIRA and link it with another JIRA https://issues.jboss.org/browse/KEYCLOAK-349 ?
Thanks,
Marek

On 23/08/16 18:44, Adrian Gonzalez wrote:
Hello,

I'm using Keycloak for the first time, so sorry if this is a newbie question.

When I use keycloak, the oauth scope attribute is never present in keycloak tokenEndpoint responses and in introspect responses.

From the specs, the scope attribute should be present when calling the token and tokenIntrospect endpoints, but it's never returned by keycloak endpoints :
 * token endpoint response - see [2] for a sample
   from https://tools.ietf.org/html/rfc6749#section-5.1
   scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED
 * token introspection - see [3] for a sample
   from https://tools.ietf.org/html/rfc7662#section-2.2
   scope OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0 [RFC6749].
   Oops... optional in the spec ??? what's the introspection use then ???

I know I can get roles from the keycloak JWT AT (in realm_access.roles for instance), but it's not in the OAuth specs and I would like to stick with the standard.

Am I doing something wrong ?

I'm using Keycloak with a Spring Boot application (using the Spring OAuth library - I know there's a Spring keycloak adapter, but since my application uses other OIDC / OAuth providers I would like to stick with Spring OAuth), and since no scope attribute is present in the responses, I receive no scope in my application.

I've tested with a sample role hello.say. I created a realm role of the same name, and assigned it to my test user. I've made sure my application requests this scope during the authorization request.
Here's my spring configuration (requesting a hello.say scope), more exactly :

  spring:
    profiles: keycloak
  security:
    oidc:
      client:
        expectedIssuer: http://localhost:8180/auth/realms/demo
        keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
    oauth2:
      client:
        clientId: sample-resource-server
        clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
        scope: openid refreshToken hello.say
        access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
        user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
      resource:
        serviceId: ${PREFIX:}resource
        tokenInfoUri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect

Really sorry for the long mail

Thanks for the help !
Adrian

[1] Sample token request
grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin

[2] Sample token response (no scope attribute - whether or not my user has the hello.say role) :
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3YmIzYzc0OS1jMzJhLTRkODgtOTY4OC03OGU4YmNkMGZmNDUiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzYW1wbGUtYXBwbGljYXRpb24tY2xpZW50IiwiYXV0aF90aW1lIjoxNDcxOTY5MTA0LCJzZXNzaW9uX3N0YXRlIjoiN2U2ZTlhNzYtYmVjNC00ZGVkLThiNDktZjcyODA5ZTAzZDY3IiwiYWNyIjoiMSIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9sb2NhbGhvc3Q6OTk5OSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidW1hX2F1dGhvcml6YXRpb24iLCJoZWxsby5zYXkiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.MVBAjfOnJkXHij0Dm8ERFpTwNqximL8OPZEziAhGPTHgj-yJvVtf7WF-9FdbJV_e9_Lx-2ZOOA_xvWlgFtc7qkAojfNiAjb_I40L8-JkqeHid2Wv6MtmzRusGO8aKmO1HJIoy8o5bFVSP57-cSZcgDAfkoUTG-qfx5QDSM2qyTNQ-KfagmfjTm1CAo12F_SY6p3-B1xKEOeD-1PpLc0HhrUuz1qst4gfyIbXbQTWEelDO6UB9Z-w24cVfhs9by2mu8BOdaRtUydzIGq3TPElMyxnElbTvf4Z6XZ8nhNMONEN93yxCfwfQbb__k4-9FiXNnnzDgz_WBXNAlTNfPSdSA","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI3OWE3OGM4NS01YTBhLTQxODUtODE3Yy1kM2QwNWFmYzExMWEiLCJleHAiOjE0NzE5NzA5MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoic2FtcGxlLWFwcGxpY2F0aW9uLWNsaWVudCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjdlNmU5YTc2LWJlYzQtNGRlZC04YjQ5LWY3MjgwOWUwM2Q2NyIsImNsaWVudF9zZXNzaW9uIjoiZGQ3NTNjZjItZTFkZi00N2ZmLTg0ZTAtN2NiYjc0YThmOTI4IiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIiwiaGVsbG8uc2F5Il19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX19.C-HM0bARqyZABW3lR6UiTWKzA5JVq74R1apUu_LvGWHbFGR9TE7EbyqKD4iwHFZSiBj_xP46g3HPQY6cYA3NXmgDYTRI4mqxLOfIqLhAgMBBM5-AYR3UqQyI9MAsqc_BA8fjwUCPv-gpvUnANliSnoYPiaa-dUeFV18TsR_sUShudoDv27RYpjoVjAXCjbAn2gg7_AI0lFtZ3RoxSdmOQXG_HBbYo7gV-31y-jBbR5kLlfMYYGYIr6_ZVvLAFlADgcXug7MTD8ZTf5S76Wb-eDbHyc6Pb7vAgRPtLKRaElyIcGXILmVNo2A8e8557QWgpJRbfqAu8ZWYKGKkz-yUBQ","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHa0NNdFI2THRXb09XWlhHbmJfbk0ybHFxaGtEc20ycFZrOEc5bW83c2pZIn0.eyJqdGkiOiI4NDg4Y2ZjYy1jOTllLTQyN2ItYmJiZS1hM2FhYmZkM2ZmZjAiLCJleHAiOjE0NzE5Njk0MDQsIm5iZiI6MCwiaWF0IjoxNDcxOTY5MTA0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJzdWIiOiIzNjhkODk0OC04NmRiLTQzN2EtODY2OS0xOWFiOGIwN2E4MTYiLCJ0eXAiOiJJRCIsImF6cCI6InNhbXBsZS1hcHBsaWNhdGlvbi1jbGllbnQiLCJhdXRoX3RpbWUiOjE0NzE5NjkxMDQsInNlc3Npb25fc3RhdGUiOiI3ZTZlOWE3Ni1iZWM0LTRkZWQtOGI0OS1mNzI4MDllMDNkNjciLCJhY3IiOiIxIiwibmFtZSI6InRlc3QgdGVzdCIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdCIsImZhbWlseV9uYW1lIjoidGVzdCIsImVtYWlsIjoiYWRyX2dvbnphbGV6QHlhaG9vLmZyIn0.NiNe0c7ED_K9ILBodi_Qrs9zmxnM_A1oOXLqap4yzhflw5APIxV_KM_dxZrH_dhAGyPpQsofK62GryVuEz-UShqjnT7nhNPxXJ1p9pyD-r9wSqh9e6unFKfeL7vYP4lLe-bz7xzrfe_PEgpZfhMACirwBo5HAIYJNdi8QujBAAwEwEbQUJGwiOTIDDFpo2Cm1UtgobYHgdpliaFRZ-xFudxIDPGWeHhIBGStNdexaPk5kgbVuISKqqreCTnRIqws9MCbg0YNAcPzQEMITifYzobdmHQtIcaDUKcM5Hjuyc9rjfaRp4wzyM9hN_xn2JAz2-cbg6IizxblQ_IQPDU9_Q","not-before-policy":0,"session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67"}

[3] Sample token introspection response - there's no scope here :
{
  "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
  "exp":1471969404,
  "nbf":0,
  "iat":1471969104,
  "iss":"http://localhost:8180/auth/realms/demo",
  "aud":"sample-application-client",
  "sub":"368d8948-86db-437a-8669-19ab8b07a816",
  "typ":"Bearer",
  "azp":"sample-application-client",
  "auth_time":1471969104,
  "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
  "name":"test test",
  "given_name":"test",
  "family_name":"test",
  "preferred_username":"test",
  "email":"adr_gonzalez at yahoo.fr",
  "acr":"1",
  "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
  "allowed-origins":[
    "http://localhost:9999"
  ],
  "realm_access":{
    "roles":[
      "uma_authorization",
      "hello.say"
    ]
  },
  "resource_access":{
    "account":{
      "roles":[
        "manage-account",
        "view-profile"
      ]
    }
  },
  "client_id":"sample-application-client",
  "username":"test",
  "active":true
}
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/e1e18c6b/attachment-0001.html
From mposolda at redhat.com Wed Aug 24 06:02:45 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 24 Aug 2016 12:02:45 +0200 Subject: [keycloak-user] OAuth scopes in Keycloak In-Reply-To: <749096009.971869.1472029129010.JavaMail.yahoo@mail.yahoo.com> References: <2010811414.31176051.1471970687005.JavaMail.yahoo.ref@mail.yahoo.com> <2010811414.31176051.1471970687005.JavaMail.yahoo@mail.yahoo.com> <57BD5D0E.3070002@redhat.com> <749096009.971869.1472029129010.JavaMail.yahoo@mail.yahoo.com> Message-ID: <57BD70C5.6070608@redhat.com>
On 24/08/16 10:58, Adrian Gonzalez wrote:
> Thanks Marek for the answer !
>
> I created https://issues.jboss.org/browse/KEYCLOAK-3467 and linked it
> to 349.
> Do you know if you'll map OAuth scopes with keycloak roles when you
> implement those features ?
We plan something more flexible. So for example, you will be able to configure that the value "foo" of the scope parameter means that you want roles "role1" + "role2" and protocolMappers "firstName" + "lastName".

Right now, we already have some limited support for the scope parameter, where the value of the scope parameter is mapped to exactly one role and it must match the role name (for realm roles; for client roles it's like "clientName/roleName").

With your example below, if you add the realm role "hello.say" and set "scope parameter required" to true on it, then this role will be included in the token only if you use the scope parameter "hello.say" as you did. That should work already.

Marek
>
> Thanks once more !
> Adrian
>
> ------------------------------------------------------------------------
> *From:* Marek Posolda
> *To:* Adrian Gonzalez ;
> "keycloak-user at lists.jboss.org"
> *Sent:* Wednesday 24 August 2016 10:38
> *Subject:* Re: [keycloak-user] OAuth scopes in Keycloak
>
> Hi,
>
> we don't add "scope" to responses right now. Can you please create a
> JIRA and link it with another JIRA
> https://issues.jboss.org/browse/KEYCLOAK-349 ?
>
> Thanks,
> Marek
>
> On 23/08/16 18:44, Adrian Gonzalez wrote:
>> Hello,
>>
>> I'm using Keycloak for the first time, so sorry if this is a newbie
>> question.
>>
>> When I use keycloak, the oauth scope attribute is never present in
>> keycloak tokenEndpoint responses and in introspect responses.
>>
>> From the specs, the scope attribute should be present when calling the
>> token and tokenIntrospect endpoints, but it's never returned by
>> keycloak endpoints :
>> * token endpoint response - see [2] for a sample
>> from https://tools.ietf.org/html/rfc6749#section-5.1
>> scope OPTIONAL, if identical to the scope requested by the
>> client; otherwise, REQUIRED
>> * token introspection - see [3] for a sample
>> from https://tools.ietf.org/html/rfc7662#section-2.2
>> scope OPTIONAL. A JSON string containing a space-separated
>> list of
>> scopes associated with this token, in the format described in
>> Section 3.3 of OAuth 2.0 [RFC6749].
>> Oops... optional in the spec ??? what's the introspection use then ???
>>
>> I know I can get roles from the keycloak JWT AT (in realm_access.roles
>> for instance), but it's not in the OAuth specs and I would like to stick
>> with the standard.
>>
>> Am I doing something wrong ?
>>
>> I'm using Keycloak with a Spring Boot application (using the Spring OAuth
>> library - I know there's a Spring keycloak adapter, but since my
>> application uses other OIDC / OAuth providers I would like to stick
>> with Spring OAuth), and since no scope attribute is present in the
>> responses, I receive no scope in my application.
>>
>> I've tested with a sample role hello.say.
>> I created a realm role of the same name, and assigned it to my test user.
>> I've made sure my application requests this scope during the authorization
>> request.
>>
>> Here's my spring configuration (requesting a hello.say scope), more
>> exactly :
>>   spring:
>>     profiles: keycloak
>>   security:
>>     oidc:
>>       client:
>>         expectedIssuer: http://localhost:8180/auth/realms/demo
>>         keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
>>     oauth2:
>>       client:
>>         clientId: sample-resource-server
>>         clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
>>         scope: openid refreshToken hello.say
>>         access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
>>         user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
>>       resource:
>>         serviceId: ${PREFIX:}resource
>>         tokenInfoUri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect
>>
>> Really sorry for the long mail
>>
>> Thanks for the help !
>> Adrian
>>
>> [1] Sample token request
>> grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin
>>
>> [2] Sample token response (no scope attribute - whether or not my user
>> has the hello.say role) :
>> [...]
>>
>> [3] Sample token introspection response - there's no scope here :
>> {
>>   "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
>>   "exp":1471969404,
>>   "nbf":0,
>>   "iat":1471969104,
>>   "iss":"http://localhost:8180/auth/realms/demo",
>>   "aud":"sample-application-client",
>>   "sub":"368d8948-86db-437a-8669-19ab8b07a816",
>>   "typ":"Bearer",
>>   "azp":"sample-application-client",
>>   "auth_time":1471969104,
>>   "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
>>   "name":"test test",
>>   "given_name":"test",
>>   "family_name":"test",
>>   "preferred_username":"test",
>>   "email":"adr_gonzalez at yahoo.fr",
>>   "acr":"1",
>>   "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
>>   "allowed-origins":[
>>     "http://localhost:9999"
>>   ],
>>   "realm_access":{
>>     "roles":[
>>       "uma_authorization",
>>       "hello.say"
>>     ]
>>   },
>>   "resource_access":{
>>     "account":{
>>       "roles":[
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "client_id":"sample-application-client",
>>   "username":"test",
>>   "active":true
>> }
>>
>> _______________________________________________
>>
keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/bb1e3c8c/attachment-0001.html
From adr_gonzalez at yahoo.fr Wed Aug 24 09:07:34 2016 From: adr_gonzalez at yahoo.fr (Adrian Gonzalez) Date: Wed, 24 Aug 2016 13:07:34 +0000 (UTC) Subject: [keycloak-user] OAuth scopes in Keycloak In-Reply-To: <57BD70C5.6070608@redhat.com> References: <2010811414.31176051.1471970687005.JavaMail.yahoo.ref@mail.yahoo.com> <2010811414.31176051.1471970687005.JavaMail.yahoo@mail.yahoo.com> <57BD5D0E.3070002@redhat.com> <749096009.971869.1472029129010.JavaMail.yahoo@mail.yahoo.com> <57BD70C5.6070608@redhat.com> Message-ID: <953169201.31908882.1472044054146.JavaMail.yahoo@mail.yahoo.com>
Thanks for the information Marek!

From: Marek Posolda
To: Adrian Gonzalez ; "keycloak-user at lists.jboss.org"
Sent: Wednesday 24 August 2016 12:02
Subject: Re: [keycloak-user] OAuth scopes in Keycloak

On 24/08/16 10:58, Adrian Gonzalez wrote:
Thanks Marek for the answer !

I created https://issues.jboss.org/browse/KEYCLOAK-3467 and linked it to 349. Do you know if you'll map OAuth scopes with keycloak roles when you implement those features ?

We plan something more flexible. So for example, you will be able to configure that the value "foo" of the scope parameter means that you want roles "role1" + "role2" and protocolMappers "firstName" + "lastName".

Right now, we already have some limited support for the scope parameter, where the value of the scope parameter is mapped to exactly one role and it must match the role name (for realm roles; for client roles it's like "clientName/roleName").

With your example below, if you add the realm role "hello.say" and set "scope parameter required" to true on it, then this role will be included in the token only if you use the scope parameter "hello.say" as you did. That should work already.

Marek

Thanks once more !
Adrian

From: Marek Posolda
To: Adrian Gonzalez ; "keycloak-user at lists.jboss.org"
Sent: Wednesday 24 August 2016 10:38
Subject: Re: [keycloak-user] OAuth scopes in Keycloak

Hi,

we don't add "scope" to responses right now. Can you please create a JIRA and link it with another JIRA https://issues.jboss.org/browse/KEYCLOAK-349 ?

Thanks,
Marek

On 23/08/16 18:44, Adrian Gonzalez wrote:
Hello,

I'm using Keycloak for the first time, so sorry if this is a newbie question.

When I use keycloak, the oauth scope attribute is never present in keycloak tokenEndpoint responses and in introspect responses.

From the specs, the scope attribute should be present when calling the token and tokenIntrospect endpoints, but it's never returned by keycloak endpoints :
 * token endpoint response - see [2] for a sample
   from https://tools.ietf.org/html/rfc6749#section-5.1
   scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED
 * token introspection - see [3] for a sample
   from https://tools.ietf.org/html/rfc7662#section-2.2
   scope OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0 [RFC6749].
   Oops... optional in the spec ??? what's the introspection use then ???

I know I can get roles from the keycloak JWT AT (in realm_access.roles for instance), but it's not in the OAuth specs and I would like to stick with the standard.

Am I doing something wrong ?

I'm using Keycloak with a Spring Boot application (using the Spring OAuth library - I know there's a Spring keycloak adapter, but since my application uses other OIDC / OAuth providers I would like to stick with Spring OAuth), and since no scope attribute is present in the responses, I receive no scope in my application.

I've tested with a sample role hello.say. I created a realm role of the same name, and assigned it to my test user. I've made sure my application requests this scope during the authorization request.

Here's my spring configuration (requesting a hello.say scope), more exactly :

  spring:
    profiles: keycloak
  security:
    oidc:
      client:
        expectedIssuer: http://localhost:8180/auth/realms/demo
        keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
    oauth2:
      client:
        clientId: sample-resource-server
        clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
        scope: openid refreshToken hello.say
        access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
        user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
      resource:
        serviceId: ${PREFIX:}resource
        tokenInfoUri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/introspect

Really sorry for the long mail

Thanks for the help !
Adrian

[1] Sample token request
grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin

[2] Sample token response (no scope attribute - whether or not my user has the hello.say role) :
[...]

[3] Sample token introspection response - there's no scope here :
{
  "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
  "exp":1471969404,
  "nbf":0,
  "iat":1471969104,
  "iss":"http://localhost:8180/auth/realms/demo",
  "aud":"sample-application-client",
  "sub":"368d8948-86db-437a-8669-19ab8b07a816",
  "typ":"Bearer",
  "azp":"sample-application-client",
  "auth_time":1471969104,
  "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
  "name":"test test",
  "given_name":"test",
  "family_name":"test",
  "preferred_username":"test",
  "email":"adr_gonzalez at yahoo.fr",
  "acr":"1",
  "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
  "allowed-origins":[
    "http://localhost:9999"
  ],
  "realm_access":{
    "roles":[
      "uma_authorization",
      "hello.say"
    ]
  },
  "resource_access":{
    "account":{
      "roles":[
        "manage-account",
        "view-profile"
      ]
    }
  },
  "client_id":"sample-application-client",
  "username":"test",
  "active":true
}
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/ae70bf4e/attachment-0001.html
From bruno at abstractj.org Wed Aug 24 09:47:07 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 24 Aug 2016 10:47:07 -0300 Subject: [keycloak-user] Custom URL In-Reply-To: References: Message-ID: <20160824134707.GA29990@abstractj.org>
I don't think that's possible, plus it poses the risk of potential phishing.

On 2016-08-24, Deepak Garg wrote:
> Hi,
>
> Is it possible to use and show a custom URL when the user is redirected to
> the keycloak server for authentication?
>
> We get the very long URL in the address bar of the browser.
>
> http://localhost:9090/auth/realms/relam-app-html5/protocol/openid-connect/auth?client_id=app-html5&redirect_uri=http%3A%2F%2Flocalhost%3A9091%2F&state=b407cd60-efe9-457c-8614-7054b13e3a79&response_type=code
>
> Can we also use a tiny URL?
>
> Thanks,
> Deepak
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914

From stephen.more at gmail.com Wed Aug 24 10:18:26 2016 From: stephen.more at gmail.com (Stephen More) Date: Wed, 24 Aug 2016 10:18:26 -0400 Subject: [keycloak-user] How can I access org.keycloak.KeycloakPrincipal without javax.servlet.http.HttpServletRequest In-Reply-To: <57BD5E17.6020206@redhat.com> References: <57BD5E17.6020206@redhat.com> Message-ID:
JIRA issue has been created: https://issues.jboss.org/browse/KEYCLOAK-3470

Yes, I have the ability to add Servlet Filters.
On Wed, Aug 24, 2016 at 4:43 AM, Marek Posolda wrote:
> AFAIK we don't have support for that, but hopefully we can add an adapter
> option, which will add the KeycloakPrincipal to a threadLocal. Might be useful
> for frameworks/apps where access to the servletRequest is not possible.
> Could you create a JIRA?
>
> Which web framework are you using btw? Do you at least have the possibility to
> add a servletFilter, which will put the KeycloakPrincipal into a threadLocal, so
> you can access that in your app?
>
> Marek
>
>
> On 23/08/16 22:07, Stephen More wrote:
>
> I am familiar with the Apereo CAS Client, that project has an
> AssertionThreadLocalFilter that allows one to access the principal without
> having direct access to the web tier session.
>
> org.jasig.cas.client.validation.Assertion assertion =
> org.jasig.cas.client.util.AssertionHolder.getAssertion();
> org.jasig.cas.client.authentication.AttributePrincipal principal =
> assertion.getPrincipal();
>
>
> Does keycloak have a similar function to access the
> org.keycloak.KeycloakPrincipal without access to the HttpServletRequest ?
>
> -Thanks
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/b86244ab/attachment.html
From mposolda at redhat.com Wed Aug 24 11:58:47 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 24 Aug 2016 17:58:47 +0200 Subject: [keycloak-user] How can I access org.keycloak.KeycloakPrincipal without javax.servlet.http.HttpServletRequest In-Reply-To: References: <57BD5E17.6020206@redhat.com> Message-ID: <57BDC437.5050309@redhat.com>
On 24/08/16 16:18, Stephen More wrote:
> JIRA issue has been created: https://issues.jboss.org/browse/KEYCLOAK-3470
Thanks
>
>
> Yes, I have the ability to add Servlet Filters.
Cool.
So then you can do something like this in the servlet filter:

  KeycloakPrincipal principal = (KeycloakPrincipal) ((HttpServletRequest) servletRequest).getUserPrincipal();
  SomeThreadLocalHolder.set(principal);

Marek
>
> On Wed, Aug 24, 2016 at 4:43 AM, Marek Posolda
> wrote:
>
> AFAIK we don't have support for that, but hopefully we can add an
> adapter option, which will add the KeycloakPrincipal to a threadLocal.
> Might be useful for frameworks/apps where access to the
> servletRequest is not possible. Could you create a JIRA?
>
> Which web framework are you using btw? Do you at least have the
> possibility to add a servletFilter, which will put the
> KeycloakPrincipal into a threadLocal, so you can access that in your app?
>
> Marek
>
>
> On 23/08/16 22:07, Stephen More wrote:
>> I am familiar with the Apereo CAS Client, that project has an
>> AssertionThreadLocalFilter that allows one to access the
>> principal without having direct access to the web tier session.
>>
>> org.jasig.cas.client.validation.Assertion assertion =
>> org.jasig.cas.client.util.AssertionHolder.getAssertion();
>> org.jasig.cas.client.authentication.AttributePrincipal principal
>> = assertion.getPrincipal();
>>
>>
>> Does keycloak have a similar function to access the
>> org.keycloak.KeycloakPrincipal without access to the
>> HttpServletRequest ?
>>
>> -Thanks
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
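As an added example (not code from the Keycloak project or from anyone on this thread), here is the filter Marek sketches above written out in full, in the spirit of the CAS client's AssertionThreadLocalFilter that Stephen mentions: it copies the adapter-created KeycloakPrincipal into a ThreadLocal so code with no HttpServletRequest at hand can still ask who is calling, and it removes the entry when the request finishes. The package name, the Holder class, the hasRealmRole helper and the `/*` mapping are my assumptions; the example assumes a Keycloak servlet adapter has already authenticated the request before the filter chain runs, so getUserPrincipal() is populated and the token it carries has been signature-checked by the adapter.

```java
package com.example.keycloak; // assumed package name, not part of any Keycloak adapter

import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;

/**
 * Publishes the KeycloakPrincipal of the request currently being served on
 * this thread, so service-layer code can read it without a servlet request.
 */
@WebFilter(filterName = "keycloakPrincipalThreadLocalFilter", urlPatterns = "/*")
public class KeycloakPrincipalThreadLocalFilter implements Filter {

    /** What application code reads from; the name is this example's own. */
    public static final class Holder {
        private static final ThreadLocal<KeycloakPrincipal<?>> CURRENT = new ThreadLocal<>();

        private Holder() { }

        /** Principal of the request on this thread, or null if anonymous. */
        public static KeycloakPrincipal<?> principal() {
            return CURRENT.get();
        }

        /** Access token the adapter already verified, or null if anonymous. */
        public static AccessToken accessToken() {
            KeycloakPrincipal<?> p = CURRENT.get();
            return p == null ? null : p.getKeycloakSecurityContext().getToken();
        }

        /** Realm-role check against the verified token; false when anonymous. */
        public static boolean hasRealmRole(String role) {
            AccessToken token = accessToken();
            return token != null
                    && token.getRealmAccess() != null
                    && token.getRealmAccess().isUserInRole(role);
        }

        static void set(KeycloakPrincipal<?> p) { CURRENT.set(p); }
        static void clear() { CURRENT.remove(); }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // For protected URLs the adapter authenticates before the filter chain runs,
        // so getUserPrincipal() is already populated here.
        Principal p = request instanceof HttpServletRequest
                ? ((HttpServletRequest) request).getUserPrincipal()
                : null;
        // Only trust a principal the Keycloak adapter created; anything else stays null.
        Holder.set(p instanceof KeycloakPrincipal ? (KeycloakPrincipal<?>) p : null);
        try {
            chain.doFilter(request, response);
        } finally {
            // Container threads are pooled: without this, the next request served on
            // this thread would inherit the previous caller's identity.
            Holder.clear();
        }
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

Service code then calls `KeycloakPrincipalThreadLocalFilter.Holder.accessToken()` or `Holder.hasRealmRole("some-role")` instead of reaching for the request. Two caveats: as with the CAS AssertionHolder, the value is per thread, so an executor thread or an async dispatch will not see it unless you copy it across explicitly; and if you register the filter in web.xml instead of by annotation, list it first so everything downstream of it sees the principal. Never populate the holder from a raw Authorization header; the point of going through the principal is that the adapter has already validated the token.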
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/909eb577/attachment.html

From john.bartko at drillinginfo.com Wed Aug 24 14:43:14 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Wed, 24 Aug 2016 13:43:14 -0500
Subject: [keycloak-user] User federation providers export/import
In-Reply-To: <57BD402B.8090004@redhat.com>
References: <57BD3FDB.3010209@redhat.com> <57BD402B.8090004@redhat.com>
Message-ID:

Thank you for taking the time to respond. Let me see if I can outline steps to reproduce:

1. Run a DB and Keycloak container:

docker run --name postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=root_password -d postgres

docker run --rm --name keycloak --link postgres:postgres -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=changeme jboss/keycloak-postgres

2. Log in to admin web UI and make both a client and an LDAP user federation provider.

3. Ctrl+C to stop the keycloak container

4. Start a container connected to the same database for export:

mkdir /opt/keycloak_export
chmod 0777 /opt/keycloak_export

docker run --rm --name keycloak_exporter --link postgres:postgres -v /opt/keycloak_export:/opt/jboss/export jboss/keycloak-postgres -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/opt/jboss/export

5. Ctrl+C to stop the keycloak_exporter container.

6. Copy the realm export at /opt/keycloak_export/master-realm.json to your workstation. The export should contain a populated userFederationProviders key:

jq '.userFederationProviders' /opt/keycloak_export/master-realm.json

7. Destroy the DB and start from a blank slate:

docker rm -f postgres

docker run --name postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=root_password -d postgres

docker run --rm --name keycloak --link postgres:postgres -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=changeme jboss/keycloak-postgres

8. Log in to admin web UI and import the contents of master-realm.json

9. Result: the client is imported but the LDAP user federation provider is not.

Is the import supposed to also pick up the user federation provider?

Thanks,
-John Bartko

On Wed, Aug 24, 2016 at 1:35 AM, Marek Posolda wrote:
> Btw. can't it be that you are exporting a different realm than the one where you have ldap federationProvider configured?
>
> Marek
>
> On 24/08/16 08:34, Marek Posolda wrote:
> I am not 100% sure what exactly you are doing. Are you able to have LDAP example up and running if you exactly follow the steps in README https://github.com/keycloak/keycloak/blob/master/examples/ldap/README.md ?
>
> Or are you creating realm representation by hand? Instead of creating by hand, we have possibility for export/import, which is exactly for the use-case for migration between different envs - https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/export-import.html
>
> Marek
>
> On 24/08/16 00:10, John Bartko wrote:
> Hello all,
>
> I am attempting to export user federation providers and import them into a different Keycloak instance. The ldap example realm export *looks* like the web admin UI import can do what I need. After importing (step 3 in the example's readme) there are still no user federation providers configured nor any indication of an error.
>
> Similarly, when doing an export at WildFly server boot on a Keycloak instance with user federation configured, I do not see any trace of the provider in the export.
>
> Partial import of clients works fine.
> Is this the right way to go about persisting realm configuration across deploys/environments?
>
> Thanks,
> -John Bartko
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/bb2b972d/attachment-0001.html

From jblashka at redhat.com Wed Aug 24 17:16:41 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Wed, 24 Aug 2016 17:16:41 -0400
Subject: [keycloak-user] Persisting User Sessions in the DB?
Message-ID:

I'm not sure why I never noticed this before, but I was doing some investigation today and couldn't find any session information actually populated in the DB tables. Both USER_SESSION and CLIENT_SESSION were empty. After some digging in the code I saw that the only UserSessionProvider implementation is the Infinispan-based one and it looks like the only type of user sessions that get persisted in the DB are offline sessions (via the JpaUserSessionPersisterProvider). Was there a particular reason a JpaUserSessionProvider doesn't exist?

Background: We're aiming to have a highly available+resilient active-active multi-data center deployment of Keycloak. Ultimately, there should be no customer impact if a particular data center fails; there should be no IDP outage and they shouldn't have to log in again. We ran into issues with asynchronous user data replication earlier, which is why we're currently working on migrating our existing MariaDB cluster to use Galera (which has been looking pretty good so far) but it looks like we mistakenly assumed that this synchronous replication would also handle user session data.

Not replicating user session data across data centers is also going to cause us problems (it's already caused us problems actually) when it comes to the OAuth authorization code flow as well. Since that flow involves back-channel server communication we can't guarantee that the client server will communicate with the same data center the client authenticated at. If a client calls out to the "wrong" data center, the flow will fail.

I can spend some time tomorrow investigating the performance when clustering infinispan across data centers, but I'm not particularly optimistic about the results.

Any thoughts/comments on our problem?

Jared
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160824/415453e8/attachment.html

From sthorger at redhat.com Thu Aug 25 02:34:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 25 Aug 2016 08:34:02 +0200
Subject: [keycloak-user] Review Japanese translations
In-Reply-To: <1472007069.2143.1.camel@redhat.com>
References: <1472007069.2143.1.camel@redhat.com>
Message-ID:

Great, thanks.

On 24 August 2016 at 04:51, Hisanobu Okuda wrote:
> Stian,
>
> I can do that.
>
> Regards,
> Hisanobu
>
> On Tue, 2016-08-23 at 13:01 +0200, Stian Thorgersen wrote:
> > We have a PR for Japanese translations, but I would like someone to review it prior to merging it. Are there any Japanese speakers out there that could review it for me?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160825/f42f3f84/attachment.html

From thomas_floodeenjr at mentor.com Thu Aug 25 08:55:56 2016
From: thomas_floodeenjr at mentor.com (Floodeenjr, Thomas)
Date: Thu, 25 Aug 2016 12:55:56 +0000
Subject: [keycloak-user] Keycloak thick clients
Message-ID:

Greetings,

It seems like Keycloak can solve many problems for web applications when authenticating from various sources. We are currently trying to authenticate using Kerberos with a thick client using remoting to a Wildfly server. Is there a Keycloak solution for Java applications that are thick (standalone) applications authenticating with a Wildfly server? If there is not a Keycloak solution, do you know of another solution? We seem to find little or no information about non-web applications.

Thanks,
-Tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160825/961e20e5/attachment.html

From campbellg at teds.com Thu Aug 25 09:12:31 2016
From: campbellg at teds.com (Glenn Campbell)
Date: Thu, 25 Aug 2016 09:12:31 -0400
Subject: [keycloak-user] SAML IdP automatically link account
In-Reply-To:
References:
Message-ID:

I still haven't gotten anywhere with this. Here's what I've tried so far:

1) modifying First Broker Login flow as follows -
Review Profile - disabled
Create User If Unique - alternative
Handle Existing Account - alternative
everything under Handle Existing Account that can be disabled I have disabled

Result: I authenticate with the remote SAML server but my local Keycloak server displays an error screen saying "Invalid username or password".

2) created a custom authentication flow containing the following -
Create User If Unique - alternative
A custom authenticator class with an authenticate method that just calls the success method of the AuthenticationFlowContext.
Result: I authenticate with the remote SAML server but my local Keycloak server displays an error screen saying "Invalid username or password".

As always, any suggestions would be greatly appreciated.

On Tue, Aug 23, 2016 at 9:49 AM, Glenn Campbell wrote:
> I have a SAML IdP that is used only for authentication and a separate database that contains information about the users, including roles. I've set up the database in User Federation and the SAML IdP in Identity Providers.
>
> The problem I have is that when users log in they are prompted to link to an existing account. This is confusing for them because from their perspective the only account they know about is the one on the SAML IdP.
>
> Is it possible to configure this Identity Provider to be "trusted" so that the accounts are linked automatically? I started looking into creating a custom authenticator based on the documentation and the custom authenticator in the example code but I don't see what the necessary steps are to cause the automatic account linking.
>
> Any suggestions would be greatly appreciated.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160825/fe273fc0/attachment.html

From postmaster at lists.jboss.org Thu Aug 25 09:17:21 2016
From: postmaster at lists.jboss.org (MAILER-DAEMON)
Date: Thu, 25 Aug 2016 18:47:21 +0530
Subject: [keycloak-user] Returned mail: Data format error
Message-ID: <201608251319.u7PDJLjf001979@lists01.dmz-a.mwc.hst.phx2.redhat.com>

The original message was received at Thu, 25 Aug 2016 18:47:21 +0530 from lists.jboss.org [182.180.48.197]

----- The following addresses had permanent fatal errors -----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.zip
Type: application/octet-stream
Size: 29224 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160825/c0ecc651/attachment-0001.obj

From sigbjorn at fifty-five.com Thu Aug 25 10:18:30 2016
From: sigbjorn at fifty-five.com (Sigbjørn Dybdahl)
Date: Thu, 25 Aug 2016 16:18:30 +0200
Subject: [keycloak-user] SAML IdP automatically link account
In-Reply-To:
References:
Message-ID:

Hi Glenn,

This seems familiar to what I implemented recently with a custom authenticator. That is, upon response from my trusted IdP the authenticate function does the following:

1. gets the BrokeredIdentityContext from the client session (check out AbstractIdpAuthenticator for an example of how it's done)
2. adding the values in the BrokeredIdentityContext to the user (by creating a FederatedIdentityModel and adding it to the user)
3. setting the user to the AuthenticationFlowContext
4. calling success on the AuthenticationFlowContext

Hopefully this will help you find what's not working with your implementation.

Sigbjørn

On 25 August 2016 at 15:12, Glenn Campbell wrote:
> I still haven't gotten anywhere with this. Here's what I've tried so far:
>
> 1) modifying First Broker Login flow as follows -
> Review Profile - disabled
> Create User If Unique - alternative
> Handle Existing Account - alternative
> everything under Handle Existing Account that can be disabled I have disabled
>
> Result: I authenticate with the remote SAML server but my local Keycloak server displays an error screen saying "Invalid username or password".
>
> 2) created a custom authentication flow containing the following -
> Create User If Unique - alternative
> A custom authenticator class with an authenticate method that just calls the success method of the AuthenticationFlowContext.
>
> Result: I authenticate with the remote SAML server but my local Keycloak server displays an error screen saying "Invalid username or password".
>
> As always, any suggestions would be greatly appreciated.
>
> On Tue, Aug 23, 2016 at 9:49 AM, Glenn Campbell wrote:
>> I have a SAML IdP that is used only for authentication and a separate database that contains information about the users, including roles. I've set up the database in User Federation and the SAML IdP in Identity Providers.
>>
>> The problem I have is that when users log in they are prompted to link to an existing account. This is confusing for them because from their perspective the only account they know about is the one on the SAML IdP.
>>
>> Is it possible to configure this Identity Provider to be "trusted" so that the accounts are linked automatically? I started looking into creating a custom authenticator based on the documentation and the custom authenticator in the example code but I don't see what the necessary steps are to cause the automatic account linking.
>>
>> Any suggestions would be greatly appreciated.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160825/be666a57/attachment.html

From john.bartko at drillinginfo.com Thu Aug 25 18:01:15 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Thu, 25 Aug 2016 17:01:15 -0500
Subject: [keycloak-user] User federation providers export/import
In-Reply-To:
References: <57BD3FDB.3010209@redhat.com> <57BD402B.8090004@redhat.com>
Message-ID:

I see now I am doing it wrong, and should stop doing it wrong ;]

The /admin/realms/{realm}/partialImport endpoint does not seem to accommodate importing user federation providers, but the runtime option -Dkeycloak.migration.action=import does.

Great software! Thanks again.
-John Bartko

On Wed, Aug 24, 2016 at 1:43 PM, John Bartko wrote:
> Thank you for taking the time to respond. Let me see if I can outline steps to reproduce:
>
> 1. Run a DB and Keycloak container:
>
> docker run --name postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=root_password -d postgres
>
> docker run --rm --name keycloak --link postgres:postgres -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=changeme jboss/keycloak-postgres
>
> 2. Log in to admin web UI and make both a client and an LDAP user federation provider.
>
> 3. Ctrl+C to stop the keycloak container
>
> 4. Start a container connected to the same database for export:
>
> mkdir /opt/keycloak_export
> chmod 0777 /opt/keycloak_export
>
> docker run --rm --name keycloak_exporter --link postgres:postgres -v /opt/keycloak_export:/opt/jboss/export jboss/keycloak-postgres -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/opt/jboss/export
>
> 5. Ctrl+C to stop the keycloak_exporter container.
>
> 6. Copy the realm export at /opt/keycloak_export/master-realm.json to your workstation. The export should contain a populated userFederationProviders key:
>
> jq '.userFederationProviders' /opt/keycloak_export/master-realm.json
>
> 7. Destroy the DB and start from a blank slate:
>
> docker rm -f postgres
>
> docker run --name postgres -e POSTGRES_DATABASE=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e POSTGRES_ROOT_PASSWORD=root_password -d postgres
>
> docker run --rm --name keycloak --link postgres:postgres -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=changeme jboss/keycloak-postgres
>
> 8. Log in to admin web UI and import the contents of master-realm.json
>
> 9. Result: the client is imported but the LDAP user federation provider is not.
>
> Is the import supposed to also pick up the user federation provider?
>
> Thanks,
> -John Bartko
>
> On Wed, Aug 24, 2016 at 1:35 AM, Marek Posolda wrote:
>> Btw. can't it be that you are exporting a different realm than the one where you have ldap federationProvider configured?
>>
>> Marek
>>
>> On 24/08/16 08:34, Marek Posolda wrote:
>> I am not 100% sure what exactly you are doing. Are you able to have LDAP example up and running if you exactly follow the steps in README https://github.com/keycloak/keycloak/blob/master/examples/ldap/README.md ?
>>
>> Or are you creating realm representation by hand? Instead of creating by hand, we have possibility for export/import, which is exactly for the use-case for migration between different envs - https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/export-import.html
>>
>> Marek
>>
>> On 24/08/16 00:10, John Bartko wrote:
>> Hello all,
>>
>> I am attempting to export user federation providers and import them into a different Keycloak instance. The ldap example realm export *looks* like the web admin UI import can do what I need. After importing (step 3 in the example's readme) there are still no user federation providers configured nor any indication of an error.
>>
>> Similarly, when doing an export at WildFly server boot on a Keycloak instance with user federation configured, I do not see any trace of the provider in the export.
>>
>> Partial import of clients works fine. Is this the right way to go about persisting realm configuration across deploys/environments?
>>
>> Thanks,
>> -John Bartko
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
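Returning to the SAML auto-link thread: the four steps in Sigbjørn's reply, written out as a Keycloak 2.x Authenticator. This is an added example, not Sigbjørn's, Glenn's or the Keycloak project's code. The class name TrustedIdpAutoLinkAuthenticator and the alias allow-list are hypothetical; the SPI calls (SerializedBrokeredIdentityContext.readFromClientSession and deserialize, UserProvider.addFederatedIdentity, AuthenticationFlowContext.setUser and success) are the ones AbstractIdpAuthenticator uses in 2.x, and the AuthenticatorFactory that registers the class is not shown. Because it links a local account by username without any prompt, it refuses identity providers that are not on the allow-list: an IdP that is not authoritative for the usernames it asserts could otherwise claim any existing local account.

```java
// Added example: first-broker-login authenticator that links the brokered
// identity to a local account without prompting. Keycloak 2.x SPI; the class
// name and TRUSTED_IDP_ALIASES are hypothetical.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class TrustedIdpAutoLinkAuthenticator implements Authenticator {

    // Hypothetical: aliases of identity providers whose username assertions this
    // realm accepts as authoritative. Only those may link or create accounts here.
    private static final Set<String> TRUSTED_IDP_ALIASES =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("corporate-saml")));

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        ClientSessionModel clientSession = context.getClientSession();

        // Step 1: read the identity the broker stored on the client session.
        SerializedBrokeredIdentityContext serialized =
                SerializedBrokeredIdentityContext.readFromClientSession(clientSession);
        if (serialized == null) {
            context.attempted(); // not a brokered login; leave it to the other executions
            return;
        }
        BrokeredIdentityContext brokerContext = serialized.deserialize(session, clientSession);
        String idpAlias = brokerContext.getIdpConfig().getAlias();
        String username = brokerContext.getUsername();

        if (!TRUSTED_IDP_ALIASES.contains(idpAlias) || username == null || username.isEmpty()) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }

        // Step 2: find or provision the local account and attach the federated identity.
        UserModel user = session.users().getUserByUsername(username, realm);
        if (user == null) {
            user = session.users().addUser(realm, username);
            user.setEnabled(true);
            user.setEmail(brokerContext.getEmail());
            user.setFirstName(brokerContext.getFirstName());
            user.setLastName(brokerContext.getLastName());
        }
        if (session.users().getFederatedIdentity(user, idpAlias, realm) == null) {
            FederatedIdentityModel link = new FederatedIdentityModel(
                    idpAlias, brokerContext.getId(), username, brokerContext.getToken());
            session.users().addFederatedIdentity(realm, user, link);
        }

        // Steps 3 and 4: hand the user to the flow and finish this execution.
        context.setUser(user);
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form is rendered, so there is nothing to process on POST.
    }

    @Override
    public boolean requiresUser() {
        return false; // this execution is what establishes the user
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

Placed as the single REQUIRED execution of a copied First Broker Login flow, this replaces both "Create User If Unique" and "Handle Existing Account", which is why the flow no longer ends on the "Invalid username or password" screen Glenn describes: the execution either sets a user and succeeds or fails outright.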
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160825/7b502c12/attachment.html

From edouard.kaiser at gmail.com Thu Aug 25 21:02:32 2016
From: edouard.kaiser at gmail.com (Edouard Kaiser)
Date: Fri, 26 Aug 2016 11:02:32 +1000
Subject: [keycloak-user] Authorization at Keycloak level
Message-ID:

Hi everyone,

We discovered Keycloak very recently (pretty impressive tool by the way, congrats to the maintainers!), and we've been trying to configure a very simple authorization at the Keycloak level without success.

Let me try to sum up what we are trying to achieve in our web-application. For a Keycloak Client, we would like to only allow the users with a particular Role to be able to login. We thought that to achieve this, we needed to do this:

- Authorization enabled on the client
- Create a new Role-Based policy on a particular role
- Create a Resource Permission to use the previously created Policy
- Use this Resource Permission in the Default Resource of the Client

We use openid-connect, and more specifically Google as the identity provider.

By doing this, we thought that users without the role, trying to connect to our application through Keycloak, would be redirected to our application with an error of authentication, something like this in the redirection:

/login/oauthVerify?client_name=OidcClient&error=unauthorized&error_description=You%20are%20not%20allowed%20to%20access%20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8

Instead, it's like Keycloak does not check the Authorization configuration, it redirects to our webapp with a proper authorization code. Then the application is able to fetch the JWT successfully from the Keycloak token endpoint.

Did we miss something? Are we trying to solve our issue in the wrong way?

Thank you all for your help,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/55df41c6/attachment-0001.html

From sthorger at redhat.com Fri Aug 26 05:05:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 26 Aug 2016 11:05:51 +0200
Subject: [keycloak-user] granting role to a user to add users
In-Reply-To:
References:
Message-ID:

# Find user in admin console
# Click on roles tab
# If it's for the master realm select 'master-realm' client and click on manage-users and add selected
# If it's for a different realm select 'realm-management' client and click on manage-users and add selected

On 19 August 2016 at 17:13, hasane has wrote:
> Hi,
> I'm trying to add users programmatically, but I get Forbidden error, what role(s) should a user have to do that and how to grant to a user that role, since, for a realm and a client, it's up to me to create roles (I read in the ref guide that user should have manage-users role to do that but how to grant that role)
> Cordially
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/acb2c8c6/attachment.html

From sthorger at redhat.com Fri Aug 26 05:06:52 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 26 Aug 2016 11:06:52 +0200
Subject: [keycloak-user] client config docs
In-Reply-To: <1471625227.11180.6.camel@muerte.net>
References: <1471625227.11180.6.camel@muerte.net>
Message-ID:

Maybe a bit of both. Where did you look? Any suggestions on how we could have made it easier to find?

On 19 August 2016 at 18:47, Harold Campbell wrote:
> Am I terrible at searching, or do the new gitbook based docs not contain any documentation of the client side keycloak.json?
>
> I had to dig out the 1.8 docs to find something I was looking for.
>
> --
> Harold Campbell
>
> A long-forgotten loved one will appear soon.
>
> Buy the negatives at any price.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/c362777d/attachment.html

From sthorger at redhat.com Fri Aug 26 05:09:36 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 26 Aug 2016 11:09:36 +0200
Subject: [keycloak-user] Refreshing Tokens
In-Reply-To:
References:
Message-ID:

If you're adding new roles the refresh token will continue to work, but won't get new roles. If you're removing roles the refresh token won't be permitted anymore.

You don't need to re-login though. Just discard the refresh token, do the redirect dance to Keycloak again and you'll get a new client session under the existing user session so the user won't have to re-authenticate, but you'll have your new refresh token with updated roles.

On 20 August 2016 at 09:52, Christopher Davies <christopher.james.davies at gmail.com> wrote:
> I am adding keycloak into a legacy application that uses GWT and Jetty. I have managed to add Keycloak to the application using Spring-security. Because this is GWT I am doing the authorisation in the application myself. Spring just provides a way to get access to the KeycloakSecurityContext.
>
> The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed. Is this correct? I was hoping that the application could notice the role changes and adapt itself on the fly.
>
> I do not want to have to logout to get the new roles if at all possible.
> Is there something that I have overlooked that will allow > me to use the idToken to get a new accessToken given that the > authentication of the user is still valid, it is just the roles the user is > in that have changed. > > > Thanks > > Chris > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/159c7faf/attachment.html From sthorger at redhat.com Fri Aug 26 05:10:36 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 26 Aug 2016 11:10:36 +0200 Subject: [keycloak-user] Help - Remote EJB Security Context In-Reply-To: References: Message-ID: I'd try the WildFly forum for JEE related issues On 22 August 2016 at 19:35, Christian Hebert wrote: > Hello everyone! > > We have a few applications protected by keycloak deployed on two jboss > servers (EAP 7). I'm trying to access an EJB from an application deployed > on server A to an application deployed on server B. > > Following the basic example that comes with JBoss I've been able to do it > by simply using the ApplicationRealm. My problem is that i have no > identity on the remote server and I need to propagate the identity (and > security context) from server A to server B. > > I can't figure the way to configure my EJBReceiver to use another realm. > > I keep receiving the following error : > > java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver > available for handling [appName:RemoteApp, moduleName:RemoteAppEJB, > distinctName:] combination for invocation context org.jboss.ejb.client. 
> EJBClientInvocationContext at 717cef09 > at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver( > EJBClientContext.java:798) > at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation( > ReceiverInterceptor.java:128) > at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest( > EJBClientInvocationContext.java:186) > at org.jboss.ejb.client.EJBInvocationHandler. > sendRequestWithPossibleRetries(EJBInvocationHandler.java:255) > > > Is there anybody who can help me with this? > > Thanks alot ! > > Christian Hebert > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/305ceaad/attachment.html From sthorger at redhat.com Fri Aug 26 05:13:55 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 26 Aug 2016 11:13:55 +0200 Subject: [keycloak-user] Getting Error when connecting local host to server DB In-Reply-To: References: Message-ID: Looks like maybe you haven't setup the datasource correctly or there's some other configuration issue. Maybe try Googling for it? On 23 August 2016 at 12:33, Aman Jaiswal wrote: > Hi Team > > I am getting an error while connecting my local keycloak to DB which is on > server. > error is in attached file . please give me solution to resolve this > issue.. > -- > Thanks, > Aman Jaiswal > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/605fba72/attachment.html

From sthorger at redhat.com Fri Aug 26 05:15:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 26 Aug 2016 11:15:01 +0200
Subject: [keycloak-user] Default username and password for Keycloak installation on OpenShift
In-Reply-To:
References: <20160823133140.Horde.z7M3qMtJskH9g-81FdkccVc@webmail.in-berlin.de>
Message-ID:

On OpenShift there is a temporary admin user added when the instance is created. The username and password are shown in the details when the instance is created.

On 23 August 2016 at 13:36, Pavel Maslov wrote:
> Hey Dirk,
>
> You can ssh to your machine and do:
> $ env | grep OPENSHIFT_KEYCLOAK_USERNAME
> $ env | grep OPENSHIFT_KEYCLOAK_PASSWORD
>
> Regards,
> Pavel Maslov, MS
>
> On Tue, Aug 23, 2016 at 1:31 PM, Dirk G?mez wrote:
>> Hi list,
>>
>> I've installed Keycloak on a simple Openshift instance and now I don't know which credentials to use on initial login, neither do I know how to create an initial account on Openshift. Has somebody done that successfully?
>>
>> Dirk
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/d610e2cf/attachment-0001.html

From sthorger at redhat.com Fri Aug 26 05:16:50 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 26 Aug 2016 11:16:50 +0200
Subject: [keycloak-user] Keycloak thick clients
In-Reply-To:
References:
Message-ID:

For a desktop application you have two options:

* Embedded web-view - preferred option as it enables two factor auth, password recovery, social logins, etc, etc
* Direct grant - obtain user credentials from the app itself and exchange for a token using the direct grant api

On 25 August 2016 at 14:55, Floodeenjr, Thomas wrote:
> Greetings,
>
> It seems like Keycloak can solve many problems for web applications when authenticating from various sources. We are currently trying to authenticate using Kerberos with a thick client using remoting to a Wildfly server. Is there a Keycloak solution for Java applications that are thick (standalone) applications authenticating with a Wildfly server? If there is not a Keycloak solution, do you know of another solution? We seem to find little or no information about non-web applications.
>
> Thanks,
>
> -Tom
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
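Stian's second option, direct grant, as a minimal standalone Java client. This is an added example, not Stian's or Tom's code and not part of Keycloak. The server URL, realm and client id are placeholders; the token endpoint path is the Keycloak 2.x one (/auth/realms/{realm}/protocol/openid-connect/token); the client is assumed to be a public client with Direct Access Grants enabled in the admin console, so no client secret is sent; and Jackson is assumed on the classpath to parse the JSON response. The reason the embedded web-view is preferred shows in the code: here the application itself handles the password, so it must insist on TLS, must never store the password, and gets none of the flows (two-factor, recovery, social login) that the browser-based login provides.

```java
// Added example: OAuth2 resource-owner-password ("direct grant") login for a
// desktop client. Server URL, realm and client id are placeholders; Jackson
// is an assumed dependency.
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public final class DirectGrantClient {

    private final URL tokenEndpoint;
    private final String clientId;
    private final ObjectMapper mapper = new ObjectMapper();

    public DirectGrantClient(String serverUrl, String realm, String clientId) throws IOException {
        // Keycloak 2.x token endpoint; serverUrl is the base without the /auth suffix.
        this.tokenEndpoint = new URL(serverUrl + "/auth/realms/" + realm + "/protocol/openid-connect/token");
        this.clientId = clientId;
        // The password travels in the request body, so refuse plain HTTP outside local testing.
        if (!"https".equals(tokenEndpoint.getProtocol()) && !"localhost".equals(tokenEndpoint.getHost())) {
            throw new IOException("token endpoint must use https: " + tokenEndpoint);
        }
    }

    /**
     * Exchanges the user's credentials for tokens. The returned JSON carries
     * access_token, refresh_token and expires_in; the application keeps the tokens,
     * never the password.
     */
    public JsonNode login(String username, String password) throws IOException {
        String body = form("grant_type", "password") + "&" + form("client_id", clientId)
                + "&" + form("username", username) + "&" + form("password", password);

        HttpURLConnection conn = (HttpURLConnection) tokenEndpoint.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }

        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (in == null) {
            throw new IOException("token request failed with HTTP " + status + " and no body");
        }
        JsonNode response;
        try (InputStream stream = in) {
            response = mapper.readTree(stream);
        }
        if (status != HttpURLConnection.HTTP_OK) {
            // Bad credentials come back as 401 with error=invalid_grant; surface only the
            // error code, since callers tend to log this message.
            throw new IOException("token request failed (" + status + "): " + response.path("error").asText());
        }
        return response;
    }

    private static String form(String key, String value) throws IOException {
        return URLEncoder.encode(key, "UTF-8") + "=" + URLEncoder.encode(value, "UTF-8");
    }

    public static void main(String[] args) throws IOException {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from an interactive terminal so the password is not echoed");
        }
        // Placeholders: replace with your server, realm and client.
        DirectGrantClient client = new DirectGrantClient("https://sso.example.com", "demo", "thick-client");
        String username = console.readLine("Username: ");
        char[] password = console.readPassword("Password: ");
        JsonNode tokens = client.login(username, new String(password));
        Arrays.fill(password, '\0');
        System.out.println("access token expires in " + tokens.path("expires_in").asInt() + "s");
    }
}
```

The access token then goes in an Authorization: Bearer header on calls to the Wildfly-hosted services, which validate it with the Keycloak adapter exactly as they would for a browser client. Kerberos, which Tom asked about, is not covered by this path; the web-view option is the one that can reuse a browser's SPNEGO login.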
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/329216e7/attachment.html

From postmaster at lists.jboss.org Fri Aug 26 05:51:10 2016
From: postmaster at lists.jboss.org (Automatic Email Delivery Software)
Date: Fri, 26 Aug 2016 15:21:10 +0530
Subject: [keycloak-user] Returned mail: Data format error
Message-ID: <201608260951.u7Q9pA7X022636@lists01.dmz-a.mwc.hst.phx2.redhat.com>

The message was not delivered due to the following reason:

Your message was not delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 1 days:
Host 6.201.127.239 is not responding.

The following recipients could not receive this message:

Please reply to postmaster at lists.jboss.org if you feel this message to be in error.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: transcript.zip
Type: application/octet-stream
Size: 29132 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/7808e6c5/attachment-0001.obj

From tpearson at bkool.com Fri Aug 26 07:45:03 2016
From: tpearson at bkool.com (Tom Pearson)
Date: Fri, 26 Aug 2016 13:45:03 +0200
Subject: [keycloak-user] Direct link to register page
Message-ID:

Hi,

Is there a way to link straight to the register page without going through login first? I'm working on a Grails web app that uses a slightly modified version of the Keycloak Spring Security Adapter.

Best regards,
Tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/f186411c/attachment.html From psilva at redhat.com Fri Aug 26 08:43:53 2016 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 26 Aug 2016 08:43:53 -0400 (EDT) Subject: [keycloak-user] Authorization at Keycloak level In-Reply-To: References: Message-ID: <2075962557.9521533.1472215433404.JavaMail.zimbra@redhat.com> Hello Edouard, Right now, policy enforcement is only performed on application-side. For that, you need to enable policy enforcement in your keycloak.json as follows: { "policy-enforcer": {} } For more details, please take a look at [1]. We don't enforce policies on server-side, at least for now. The user will always be able to log in and be redirected to your application with a code/token. @Stian already mentioned some ideas about a deeper integration between KC authentication and authorization services. But for now, what you want is not possible. [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/enforcer/overview.html ----- Original Message ----- From: "Edouard Kaiser" To: keycloak-user at lists.jboss.org Sent: Thursday, August 25, 2016 10:02:32 PM Subject: [keycloak-user] Authorization at Keycloak level Hi everyone, We discovered Keycloak very recently (pretty impressive tool by the way, congrats to the maintainers!), and we've been trying to configure a very simple authorization at the Keycloak level without success. Let me try to sum up what we are trying to achieve in our web-application. For a Keycloak Client, we would like to only allow the users with a particular Role to be able to login. 
We thought that to achieve this, we needed to do this: - Authorization enabled on the client - Create a new Role-Based policy to a particular role - Create a Resource Permission to use the previously created Policy - Use this Resource Permission in the Default Resource of the Client We use openid-connect, and more specifically Google as the identity provider. By doing this, we thought that users without the role, trying to connect to our application through Keycloak, would be redirected to our application with an error of authentication, something like this in the redirection: /login/oauthVerify?client_name=OidcClient&error=unauthorized&error_description=You%20are%20not%20allowed%20to%20access%20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8 Instead, it's like Keycloak does not check the Authorization configuration, it redirects to our webapp with a proper authorization code. Then the application is able to fetch the JWT successfully from the Keycloak token endpoint. Did we miss something? Are we trying to solve our issue in the wrong way ? Thank you all for your help, _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From campbellg at teds.com Fri Aug 26 09:54:56 2016 From: campbellg at teds.com (Glenn Campbell) Date: Fri, 26 Aug 2016 09:54:56 -0400 Subject: [keycloak-user] SAML IdP automatically link account In-Reply-To: References: Message-ID: Sigbjørn, Thank you for your suggestions. They have been extremely helpful. 
I changed my custom authenticator to extend AbstractIdpAuthenticator and the code I put in the authenticateImpl method to get the behavior I want is almost trivial:

    UserModel existingUser = context.getSession().users()
            .getUserByUsername(brokerContext.getModelUsername(), context.getRealm());
    if (existingUser != null) {
        context.setUser(existingUser);
        context.success();
    } else {
        context.failure(AuthenticationFlowError.UNKNOWN_USER);
    }

I suspect there is more I need to do in this method, such as the part you mention about the FederatedIdentityModel. I'm not sure what needs to be done with that. But your suggestions have got me moving in the right direction. Thanks again for your help. Glenn On Thu, Aug 25, 2016 at 10:18 AM, Sigbjørn Dybdahl wrote: > Hi Glenn, > > This seems familiar to what I implemented recently with a custom > authenticator. That is, upon response from my trusted IdP the authenticate > function does the following: > > 1. gets the BrokeredIdentityContext from the client session (check > out AbstractIdpAuthenticator for an example of how it's done) > 2. adding the values in the BrokeredIdentityContext to the user (by > creating a FederatedIdentityModel and adding it to the user) > 3. setting the user to the AuthenticationFlowContext > 4. calling success on the AuthenticationFlowContext > > Hopefully this will help you find what's not working with your > implementation. > > > Sigbjørn > > On 25 August 2016 at 15:12, Glenn Campbell wrote: > >> I still haven't gotten anywhere with this. Here's what I've tried so far: >> >> 1) modifying First Broker Login flow as follows - >> Review Profile - disabled >> Create User If Unique - alternative >> Handle Existing Account - alternative >> everything under Handle Existing Account that can be disabled I have >> disabled >> >> Result: I authenticate with the remote SAML server but my local Keycloak >> server displays an error screen saying "Invalid username or password". 
>> >> >> 2) created a custom authentication flow containing the following - >> Create User If Unique - alternative >> A custom authenticator class with an authenticate method that just calls >> the success method of the AuthenticationFlowContext. >> >> Result: I authenticate with the remote SAML server but my local Keycloak >> server displays an error screen saying "Invalid username or password". >> >> >> As always, any suggestions would be greatly appreciated. >> >> On Tue, Aug 23, 2016 at 9:49 AM, Glenn Campbell >> wrote: >> >>> I have a SAML IdP that is used only for authentication and a separate >>> database that contains information about the users, including roles. I've >>> set up the database in User Federation and the SAML IdP in Identity >>> Providers. >>> >>> The problem I have is that when users log in they are prompted to link >>> to an existing account. This is confusing for them because from their >>> perspective the only account they know about is the one on the SAML IdP. >>> >>> Is it possible to configure this Identity Provider to be "trusted" so >>> that the accounts are linked automatically? I started looking into creating >>> a custom authenticator based on the documentation and the custom >>> authenticator in the example code but I don't see what the necessary steps >>> are to cause the automatic account linking. >>> >>> Any suggestions would be greatly appreciated. >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/0057c736/attachment.html From mclayton at redhat.com Fri Aug 26 11:48:12 2016 From: mclayton at redhat.com (Michael Clayton) Date: Fri, 26 Aug 2016 11:48:12 -0400 Subject: [keycloak-user] keycloak.js: sending cookies with keycloak.updateToken()? 
Message-ID: <20160826154812.dgklja3ywso3obug@t450s> Hi all, We have multiple keycloak nodes clustered behind a load balancer. On first request, the load balancer sticks users to a node by handing a cookie to the browser. Currently, when keycloak.js sends the updateToken() POST to the load balancer, it's a cross-origin call and thus the browser omits cookies. As a result, the load balancer doesn't know which keycloak node to route the request to. Here's my patch: https://github.com/mwcz/keycloak/commit/ec5289b5c8e6a8378167d4f14da682ef3a7ac344 By setting withCredentials = true, the browser will send cookies to our keycloak load balancer so we can be routed properly. I would be surprised if this was desired behavior in *all* cases, so a blanket "always send cookies". I'd be happy to create alternate patch where a configuration parameter dictates whether to send cookies. Thoughts/warnings/alternatives/pitfalls? Thanks! -- Michael Clayton Senior Software Engineer Red Hat Customer Portal From chairfield at gmail.com Fri Aug 26 14:03:55 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Fri, 26 Aug 2016 18:03:55 +0000 Subject: [keycloak-user] Breaking Change to Themes in 2.0/2.1? Message-ID: Hello Keycloak Users, We recently upgraded from 1.9.8 to 2.1.0 and love it (fixes a good number of issues we've been having), but it seems to have broken an important one: our themes! For all HTML input elements we've added (those backed by user properties), when we modify their value and save/POST, Keycloak returns an HTML document populated with the old values rather than the new. A refresh of the page is required for the new value to be returned/displayed, even though the first save is sufficient to save the new value on the user. One may reproduce this easily in 2.1.0 by adding the following code to the base theme's account.ftl file:

In an Incognito window, impersonate a user, update the Example input, and click save. Your new value is stored as an attribute on the user, but the value of the input is set to whatever it was before. Refresh your browser for the updated value to appear. Any thoughts as to why? Do we need to update our theme code somehow? Thanks, Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160826/2c6ffd3e/attachment-0001.html From edouard.kaiser at gmail.com Fri Aug 26 23:05:14 2016 From: edouard.kaiser at gmail.com (Edouard Kaiser) Date: Sat, 27 Aug 2016 13:05:14 +1000 Subject: [keycloak-user] Authorization at Keycloak level In-Reply-To: <2075962557.9521533.1472215433404.JavaMail.zimbra@redhat.com> References: <2075962557.9521533.1472215433404.JavaMail.zimbra@redhat.com> Message-ID: Hi Pedro, Thank you very much for your answer. Unfortunately that's what I was afraid of. The problem is, we don't have a classic Java/Servlet application, so we can't use any of the Keycloak adapters available. We might have to turn to another solution like Auth0.com which offers an integrated authorization plugin, unless we find the courage to write our own adapter. Cheers, 2016-08-26 22:43 GMT+10:00 Pedro Igor Silva : > Hello Edouard, > > Right now, policy enforcement is only performed on application-side. For > that, you need to enable policy enforcement in your keycloak.json as follows: > > { > "policy-enforcer": {} > } > > For more details, please take a look at [1]. > > We don't enforce policies on server-side, at least for now. The user will > always be able to log in and be redirected to your application with a > code/token. > > @Stian already mentioned some ideas about a deeper integration > between KC authentication and authorization services. But for now, what you > want is not possible. 
> > [1] https://keycloak.gitbooks.io/authorization-services-guide/ > content/topics/enforcer/overview.html > > ----- Original Message ----- > From: "Edouard Kaiser" > To: keycloak-user at lists.jboss.org > Sent: Thursday, August 25, 2016 10:02:32 PM > Subject: [keycloak-user] Authorization at Keycloak level > > Hi everyone, > > We discovered Keycloak very recently (pretty impressive tool by the way, > congrats to the maintainers!), and we've been trying to configure a very > simple authorization at the Keycloak level without success. > > Let me try to sum up what we are trying to achieve in our web-application. > > For a Keycloak Client, we would like to only allow the users with a > particular Role to be able to login. > > We thought that to achieve this, we needed to do this: > - Authorization enabled on the client > - Create a new Role-Based policy to a particular role > - Create a Resource Permission to use the previously created Policy > - Use this Resource Permission in the Default Resource of the Client > > We use openid-connect, and more specifically Google as the identity > provider. > > By doing this, we thought that users without the role, trying to connect > to our application through Keycloak, would be redirected to our application > with an error of authentication, something like this in the redirection: > > /login/oauthVerify?client_name=OidcClient&error=unauthorized&error_ > description=You%20are%20not%20allowed%20to%20access% > 20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8 > > Instead, it's like Keycloak does not check the Authorization > configuration, it redirects to our webapp with a proper authorization code. > Then the application is able to fetch the JWT successfully from the > Keycloak token endpoint. > > Did we miss something? Are we trying to solve our issue in the wrong way ? 
> > Thank you all for your help, > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160827/5b16239c/attachment.html From zeus.arias at beeva.com Mon Aug 29 03:41:23 2016 From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA) Date: Mon, 29 Aug 2016 09:41:23 +0200 Subject: [keycloak-user] Fwd: Question about LDAP Rol In-Reply-To: <20160823121312.GA11276@abstractj.org> References: <20160823121312.GA11276@abstractj.org> Message-ID: Thank you for your help, I have another question. 
With the social login, is it possible to know the origin? In the case of github, if the user belongs to the organization, is there any way to know? Greetings! 2016-08-23 14:13 GMT+02:00 Bruno Oliveira : > It seems to me that what you need is a Role Mapper[1] > > [1] - https://keycloak.gitbooks.io/server-adminstration-guide/ > content/topics/user-federation/ldap.html > > On 2016-08-23, Zeus Arias Lucero | BEEVA wrote: > > I have a keycloak server which has the LDAP configuration. This LDAP > server > > has different roles than my application. So I would like to know if it's > > possible and how I have to do it for the keycloak server to map or translate > > the role A to role B. The role B is used by my application. > > > > Greetings! > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > > abstractj > PGP: 0x84DC9914 > -- Regards! *Zeus Arias * APIVersity Group. Systems Technician. zeus.arias at bbva.com zeus.arias at beeva.com Disclaimer: This message, its content and any file attached thereto is for the intended recipient only and is confidential. If you have received this e-mail in error or had access to it, you should note that the information in it is private and any use there of is unauthorized. In such an event please notify us by e-mail. 
Any reproduction of this e-mail by whatsoever means and any transmission or dissemination thereof to other persons is prohibited. It should be deleted immediately from your system. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/2cb667c6/attachment.html From zeus.arias at beeva.com Mon Aug 29 05:10:47 2016 From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA) Date: Mon, 29 Aug 2016 11:10:47 +0200 Subject: [keycloak-user] Keycloak - Identity providers and clients Message-ID: Is it possible to have different identity providers for each client on a realm, or are the identity providers only realm-dependent? I would like for example to have github identity provider for one client and ldap for another, on the same realm. I have looked through the docs and the management console but no luck; before trying another thing I just wanted to check I'm not mistaken. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/b1046b90/attachment.html From sthorger at redhat.com Mon Aug 29 06:42:05 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 Aug 2016 12:42:05 +0200 Subject: [keycloak-user] Breaking Change to Themes in 2.0/2.1? In-Reply-To: References: Message-ID: Just tried this out with the address theme and there's indeed a bug. I can also see the following in the log: 12:41:26,385 WARN [org.keycloak.forms.account.freemarker.model.AccountBean] (default task-14) There are more values for attribute 'region' of user 'admin' . Will display just first value So something is definitely broken. Can you create a JIRA please? On 26 August 2016 at 20:03, Chris Hairfield wrote: > Hello Keycloak Users, > > We recently upgraded from 1.9.8 to 2.1.0 and love it (fixes a good number > of issues we've been having), but it seems to have broken an important one: > our themes! 
> > For all HTML input elements we've added (those backed by user properties), > when we modify their value and save/POST, Keycloak returns an HTML document > populated with the old values rather than the new. A refresh of the page is > required for the new value to be returned/displayed, even though the first > save is sufficient to save the new value on the user. > > One may reproduce this easily in 2.1.0 by adding the following code to the > base theme's account.ftl file: > >
>
> >
>
> name="user.attributes.example" value="${(account.attributes. > example!'')?html}"/> >
>
> > In an Incognito window, impersonate a user, update the Example input, and > click save. Your new value is stored as an attribute on the user, but the > value of the input is set to whatever it was before. Refresh your browser > for the updated value to appear. > > Any thoughts as to why? Do we need to update our theme code somehow? > > Thanks, > Chris > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/3e60301f/attachment.html From sthorger at redhat.com Mon Aug 29 06:45:11 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 Aug 2016 12:45:11 +0200 Subject: [keycloak-user] keycloak.js: sending cookies with keycloak.updateToken()? In-Reply-To: <20160826154812.dgklja3ywso3obug@t450s> References: <20160826154812.dgklja3ywso3obug@t450s> Message-ID: Seems OK to me On 26 August 2016 at 17:48, Michael Clayton wrote: > Hi all, > > We have multiple keycloak nodes clustered behind a load balancer. On > first request, the load balancer sticks users to a node by handing a > cookie to the browser. Currently, when keycloak.js sends the > updateToken() POST to the load balancer, it's a cross-origin call and > thus the browser omits cookies. As a result, the load balancer doesn't > know which keycloak node to route the request to. > > Here's my patch: > > https://github.com/mwcz/keycloak/commit/ec5289b5c8e6a8378167d4f14da682 > ef3a7ac344 > > By setting withCredentials = true, the browser will send cookies to our > keycloak load balancer so we can be routed properly. > > I would be surprised if this was desired behavior in *all* cases, so a > blanket "always send cookies". I'd be happy to create alternate patch > where a configuration parameter dictates whether to send cookies. 
> > Thoughts/warnings/alternatives/pitfalls? > > Thanks! > > -- > Michael Clayton > Senior Software Engineer > Red Hat Customer Portal > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/d82bc23f/attachment.html From sthorger at redhat.com Mon Aug 29 06:46:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 Aug 2016 12:46:20 +0200 Subject: [keycloak-user] Getting Error when connecting local host to server DB In-Reply-To: References: Message-ID: What time limit? On 26 August 2016 at 11:15, Aman Jaiswal wrote: > Hi Stian > > Hi I changed the time limit from 300 to 600 and it works but I want to > know why it is not working on the default time of 300 sec? > > On Fri, Aug 26, 2016 at 2:43 PM, Stian Thorgersen > wrote: > >> Looks like maybe you haven't set up the datasource correctly or there's >> some other configuration issue. Maybe try Googling for it? >> >> On 23 August 2016 at 12:33, Aman Jaiswal > > wrote: >> >>> Hi Team >>> >>> I am getting an error while connecting my local keycloak to DB which is >>> on server. >>> error is in attached file . please give me solution to resolve this >>> issue.. >>> -- >>> Thanks, >>> Aman Jaiswal >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/3a8ef492/attachment-0001.html From sthorger at redhat.com Mon Aug 29 06:59:17 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 Aug 2016 12:59:17 +0200 Subject: [keycloak-user] Getting Error when connecting local host to server DB In-Reply-To: References: Message-ID: I'd say your DB is going pretty slow then. It takes me ~60 seconds to boot Keycloak here, which is well within the 300 second limit. Can't really answer why it's that slow as it's most likely your DB not behaving very well. On 29 August 2016 at 12:53, Aman Jaiswal wrote: > hi > I am talking about the time limit which is mentioned in the following error. > > ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) > > WFLYCTL0348: Timeout after [300] seconds waiting for service container stability. > > Operation will roll back. Step that first updated the service container was 'add' at address '[ > ("core-service" => "management"), > ("management-interface" => "http-interface") > ]' > > > On Mon, Aug 29, 2016 at 4:19 PM, Aman Jaiswal < > aman.jaiswal at arvindinternet.com> wrote: > >> hi >> >> time when keycloak is trying to connect the database which is on the >> server. >> >> On Mon, Aug 29, 2016 at 4:16 PM, Stian Thorgersen >> wrote: >> >>> What time limit? >>> >>> On 26 August 2016 at 11:15, Aman Jaiswal >> om> wrote: >>> >>>> Hi Stian >>>> >>>> Hi I changed the time limit from 300 to 600 and it works but I want >>>> to know why it is not working on the default time of 300 sec? >>>> >>>> On Fri, Aug 26, 2016 at 2:43 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> Looks like maybe you haven't set up the datasource correctly or there's >>>>> some other configuration issue. Maybe try Googling for it? 
>>>>> >>>>> On 23 August 2016 at 12:33, Aman Jaiswal < >>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>> >>>>>> Hi Team >>>>>> >>>>>> I am getting an error while connecting my local keycloak to DB which >>>>>> is on server. >>>>>> error is in attached file . please give me solution to resolve this >>>>>> issue.. >>>>>> -- >>>>>> Thanks, >>>>>> Aman Jaiswal >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Aman Jaiswal >>>> >>> >>> >> >> >> -- >> Thanks, >> Aman Jaiswal >> > > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/c700bf3d/attachment.html From sthorger at redhat.com Mon Aug 29 09:55:36 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 Aug 2016 15:55:36 +0200 Subject: [keycloak-user] Authorization at Keycloak level In-Reply-To: References: <2075962557.9521533.1472215433404.JavaMail.zimbra@redhat.com> Message-ID: Pedro knows more about this, but the code required to do the checks should be pretty simple. What language and app type do you have? On 27 August 2016 at 05:05, Edouard Kaiser wrote: > Hi Pedro, > > Thank you very much for your answer. Unfortunately that's what I was > afraid of. The problem is, we don't have a classic Java/Servlet application, > so we can't use any of the Keycloak adapters available. > > We might have to turn to another solution like Auth0.com which offers an > integrated authorization plugin, unless we find the courage to write our > own adapter. > > Cheers, > > 2016-08-26 22:43 GMT+10:00 Pedro Igor Silva : > >> Hello Edouard, >> >> Right now, policy enforcement is only performed on application-side. 
For >> that, you need to enable policy enforcement in your keycloak.json as follows: >> >> { >> "policy-enforcer": {} >> } >> >> For more details, please take a look at [1]. >> >> We don't enforce policies on server-side, at least for now. The user will >> always be able to log in and be redirected to your application with a >> code/token. >> >> @Stian already mentioned some ideas about a deeper integration >> between KC authentication and authorization services. But for now, what you >> want is not possible. >> >> [1] https://keycloak.gitbooks.io/authorization-services-guide/co >> ntent/topics/enforcer/overview.html >> >> ----- Original Message ----- >> From: "Edouard Kaiser" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, August 25, 2016 10:02:32 PM >> Subject: [keycloak-user] Authorization at Keycloak level >> >> Hi everyone, >> >> We discovered Keycloak very recently (pretty impressive tool by the way, >> congrats to the maintainers!), and we've been trying to configure a very >> simple authorization at the Keycloak level without success. >> >> Let me try to sum up what we are trying to achieve in our web-application. >> >> For a Keycloak Client, we would like to only allow the users with a >> particular Role to be able to login. >> >> We thought that to achieve this, we needed to do this: >> - Authorization enabled on the client >> - Create a new Role-Based policy to a particular role >> - Create a Resource Permission to use the previously created Policy >> - Use this Resource Permission in the Default Resource of the Client >> >> We use openid-connect, and more specifically Google as the identity >> provider. 
>> >> By doing this, we thought that users without the role, trying to connect >> to our application through Keycloak, would be redirected to our application >> with an error of authentication, something like this in the redirection: >> >> /login/oauthVerify?client_name=OidcClient&error=unauthorized >> &error_description=You%20are%20not%20allowed%20to%20access% >> 20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8 >> >> Instead, it's like Keycloak does not check the Authorization >> configuration, it redirects to our webapp with a proper authorization code. >> Then the application is able to fetch the JWT successfully from the >> Keycloak token endpoint. >> >> Did we miss something? Are we trying to solve our issue in the wrong way ? >> >> Thank you all for your help, >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
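The check Stian says "should be pretty simple", together with the direct-grant request from the "Keycloak thick clients" reply of 26 August, as an added Go example that is not code from Keycloak or from anyone on this list. Since the server at this version still hands a code/token to a user who lacks the role, the application has to verify the access token (RS256 signature against the realm key, issuer, expiry, authorized party) and refuse users without the role itself. The realm "demo", client "desktop-app", role "app-user", the host and the locally minted test token are assumptions made so the program runs offline:

```go
// Added example, not Keycloak code: a non-Java client builds the direct-grant
// request, then enforces "only realm role app-user may use this app" on the
// application side. Realm, client, role, host and the test key are assumptions.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// DirectGrantForm builds the POST a thick client sends to the token endpoint (grant_type=password).
func DirectGrantForm(base, realm, clientID, user, pass string) (string, url.Values) {
	endpoint := fmt.Sprintf("%s/realms/%s/protocol/openid-connect/token", base, realm)
	form := url.Values{
		"grant_type": {"password"},
		"client_id":  {clientID},
		"username":   {user},
		"password":   {pass},
	}
	return endpoint, form
}

// Claims is the subset of a Keycloak access token the application inspects.
type Claims struct {
	Iss         string `json:"iss"`
	Exp         int64  `json:"exp"`
	Azp         string `json:"azp"`
	RealmAccess struct{ Roles []string `json:"roles"` } `json:"realm_access"`
}

// VerifyAndAuthorize is the application-side policy check: it rejects a token
// whose signature, issuer, expiry or azp is wrong, then requires requiredRole.
func VerifyAndAuthorize(token string, pub *rsa.PublicKey, issuer, clientID, requiredRole string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm: never let the token choose it (alg=none, HS256 keyed with the public key, ...).
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg is not RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("unreadable payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Azp != clientID:
		return nil, errors.New("token was issued to another client")
	}
	for _, r := range c.RealmAccess.Roles {
		if r == requiredRole {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("user lacks realm role %q", requiredRole)
}

// MintTestToken signs header.payload with RS256 as the server would; it exists only so the example runs offline.
func MintTestToken(priv *rsa.PrivateKey, issuer, clientID string, roles []string, exp time.Time) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256"}`))
	payload, _ := json.Marshal(map[string]interface{}{
		"iss": issuer, "exp": exp.Unix(), "azp": clientID,
		"realm_access": map[string][]string{"roles": roles},
	})
	body := hdr + "." + base64.RawURLEncoding.EncodeToString(payload)
	d := sha256.Sum256([]byte(body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return body + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the realm's key pair (assumption)
	base, iss := "https://sso.example.test/auth", "https://sso.example.test/auth/realms/demo"
	endpoint, form := DirectGrantForm(base, "demo", "desktop-app", "alice", "s3cret")
	fmt.Println("POST", endpoint, form.Encode())
	tok := MintTestToken(priv, iss, "desktop-app", []string{"app-user"}, time.Now().Add(time.Minute))
	_, err := VerifyAndAuthorize(tok, &priv.PublicKey, iss, "desktop-app", "app-user", time.Now())
	fmt.Println("authorized:", err == nil)
}
```

Run stand-alone it prints the request the client would send and "authorized: true". Against a real server, replace MintTestToken with the access_token from the token endpoint's JSON response and load the realm's RSA public key from the admin console instead of generating one; a user who authenticates but lacks the role is then turned away by the application, which is the only place the check happens at this version. Prefer the embedded web view where you can: the direct grant hands the application the user's password, which is why Stian lists it second.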
There might be the possibility of creating a hybrid or to reduce the amount of writes to the session, but that would probably be quite a bit of work to do. For authorization code flow we do have plans to figure out sticky sessions for that where both the requests from the browser and server-side applications end up going to the same node. See https://issues.jboss.org/browse/KEYCLOAK-2352. On 24 August 2016 at 23:16, Jared Blashka wrote: > I'm not sure why I never noticed this before, but I was doing some > investigation today and couldn't find any session information actually > populated in the DB tables. Both USER_SESSION and CLIENT_SESSION were > empty. > > After some digging in the code I saw that the only UserSessionProvider > implementation is the Infinispan-based one and it looks like the only type > of user sessions that get persisted in the DB are offline sessions (via the > JpaUserSessionPersisterProvider). > > Was there a particular reason a JpaUserSessionProvider doesn't exist? > > Background: We're aiming to have a highly available+resilient > active-active multi-data center deployment of Keycloak. Ultimately, there > should be no customer impact if a particular data center fails; there > should be no IDP outage and they shouldn't have to log in again. We ran > into issues with asynchronous user data replication earlier, which is why > we're currently working on migrating our existing MariaDB cluster to use > Galera (which has been looking pretty good so far) but it looks like we > mistakenly assumed that this synchronous replication would also handle user > session data. > > Not replicating user session data across data centers is also going to > cause us problems (it's already caused us problems actually) when it comes > to the OAuth authorization code flow as well. Since that flow involves > back-channel server communication we can't guarantee that the client server > will communicate with the same data center the client authenticated at. 
If > a client calls out to the "wrong" data center, the flow will fail. > > I can spend some time tomorrow investigating the performance when > clustering infinispan across data centers, but I'm not particularly > optimistic about the results. > > Any thoughts/comments on our problem? > > > Jared > From sthorger at redhat.com Mon Aug 29 10:09:53 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 Aug 2016 16:09:53 +0200 Subject: [keycloak-user] Keycloak - Identity providers and clients In-Reply-To: References: Message-ID: Identity providers are purely per-realm. I can't see how it would make any sense to have it per-client. Users authenticate to an SSO realm, not to an individual client. So if you decide to remove one provider for a particular client a user could just log in through a different client first, then go back to the initial client. On 29 August 2016 at 11:10, Zeus Arias Lucero | BEEVA wrote: > Is it possible to have different identity providers for each client on a > realm, or are the identity providers only realm-dependent? I would like, for > example, to have a GitHub identity provider for one client and LDAP for > another on the same realm. I have looked through the docs and the > management console but no luck; before trying another thing I just wanted to > check I'm not mistaken. > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/d4c259ef/attachment.html From sthorger at redhat.com Mon Aug 29 10:11:08 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 29 Aug 2016 16:11:08 +0200 Subject: [keycloak-user] User federation providers export/import In-Reply-To: References: <57BD3FDB.3010209@redhat.com> <57BD402B.8090004@redhat.com> Message-ID: Partial import should work for user federation providers as well. If it doesn't feel free to create a JIRA for it. On 26 August 2016 at 00:01, John Bartko wrote: > I see now I am doing it wrong, and should stop doing it wrong ;] The > /admin/realms/{realm}/partialImport endpoint does not seem to accommodate > importing user federation providers, but the runtime option > -Dkeycloak.migration.action=import does. > > Great software! > > Thanks again. > -John Bartko > > On Wed, Aug 24, 2016 at 1:43 PM, John Bartko > wrote: > >> Thank you for taking the time to respond. Let me see if I can outline >> steps to reproduce: >> >> >> 1. Run a DB and Keycloak container: >> >> docker run --name postgres -e POSTGRES_DATABASE=keycloak -e >> POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e >> POSTGRES_ROOT_PASSWORD=root_password -d postgres >> >> docker run --rm --name keycloak --link postgres:postgres -p 8080:8080 >> -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=changeme jboss/keycloak-postgres >> >> 2. Log in to admin web UI and make both a client and a LDAP user >> federation provider. >> >> 3. Ctrl+C to stop the keycloak container >> >> 4. Start a container connected to the same database for export: >> >> mkdir /opt/keycloak_export >> chmod 0777 /opt/keycloak_export >> >> docker run --rm --name keycloak_exporter --link postgres:postgres -v >> /opt/keycloak_export:/opt/jboss/export jboss/keycloak-postgres >> -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=dir >> -Dkeycloak.migration.dir=/opt/jboss/export >> >> 5. Ctrl+C to stop the keycloak_exporter container. 
>> >> 6. Copy the realm export at /opt/keycloak_export/master-realm.json to >> your workstation. The export should contain a populated >> userFederationProviders key: >> >> jq '.userFederationProviders' /opt/keycloak_export/master-realm.json >> >> 7. Destroy the DB and start from a blank slate: >> >> docker rm -f postgres >> >> docker run --name postgres -e POSTGRES_DATABASE=keycloak -e >> POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -e >> POSTGRES_ROOT_PASSWORD=root_password -d postgres >> >> docker run --rm --name keycloak --link postgres:postgres -p 8080:8080 >> -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=changeme jboss/keycloak-postgres >> >> 8. Log in to admin web UI and import the contents of master-realm.json >> >> 9. Result: the client is imported but the LDAP user federation >> provider is not. >> >> Is the import supposed to also pick up the user federation provider? >> >> Thanks, >> -John Bartko >> >> On Wed, Aug 24, 2016 at 1:35 AM, Marek Posolda >> wrote: >> >>> Btv. can't it be that you are exporting different realm that when you >>> have ldap federationProvider configured? >>> >>> Marek >>> >>> >>> On 24/08/16 08:34, Marek Posolda wrote: >>> >>> I am not 100% sure what exactly are you doing. Are you able to have LDAP >>> example up and running if you exactly follow the steps in README >>> >>> https://github.com/keycloak/keycloak/blob/master/examples/ldap/README.md >>> ? >>> >>> Or are you creating realm representation by hand? Instead of creating by >>> hand, we have possibility for export/import, which is exactly for the >>> use-case for migration between different envs - >>> https://keycloak.gitbooks.io/server-adminstration-guide/cont >>> ent/v/2.1/topics/export-import.html >>> >>> Marek >>> >>> On 24/08/16 00:10, John Bartko wrote: >>> >>> Hello all, >>> >>> I am attempting export user federation providers and import them into a >>> different Keycloak instance. 
The ldap example realm export >>> *looks* >>> like the web admin UI import can do what I need. After importing (step >>> 3 in the example's readme >>> ) >>> there are still no user federation providers configured nor any indication >>> of an error. >>> >>> Similarly, when doing an export at WildFly server boot on a Keycloak >>> instance with user federation configured, I do not see any trace of the >>> provider in the export. >>> >>> Partial import of clients works fine. Is this the right way to go about >>> persisting realm configuration across deploys/environments? >>> >>> Thanks, >>> -John Bartko >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/8c25968d/attachment.html From psilva at redhat.com Mon Aug 29 10:15:47 2016 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 29 Aug 2016 10:15:47 -0400 (EDT) Subject: [keycloak-user] Authorization at Keycloak level In-Reply-To: References: <2075962557.9521533.1472215433404.JavaMail.zimbra@redhat.com> Message-ID: <1839976990.10488729.1472480147685.JavaMail.zimbra@redhat.com> +1. Like I said, right now our authz engine is not fully integrated with KC server. However, I think the requirement can be achieved by: - Authentication SPI. In this case, you don't necessarily need authz services but just check roles in your authenticator - Authentication SPI + AuthorizationProvider. 
I've never tested this (maybe is time to start looking at it), but in theory you should be able to obtain an AuthorizationProvider from KeycloakSession and use it to perform evaluations. For #2, I need to spend some time testing this scenario and documenting our Authorization API for those looking to use our authz engine when extending KC. ----- Original Message ----- From: "Stian Thorgersen" To: "Edouard Kaiser" Cc: "Pedro Igor Silva" , "keycloak-user" Sent: Monday, August 29, 2016 10:55:36 AM Subject: Re: [keycloak-user] Authorization at Keycloak level Pedro knows more about this, but the code required to do the checks should be pretty simple. What language and app type do you have? On 27 August 2016 at 05:05, Edouard Kaiser wrote: > Hi Pedro, > > Thank you very much for your answer. Unfortunately that's what I was > afraid. The problem is, we don't have a classic Java/Servlet application, > so we can't use any of the Keycloak adapter available. > > We might have to turn to another solution like Auth0.com which offers an > integrated authorization plugin, unless we find the courage to write our > own adapter. > > Cheers, > > 2016-08-26 22:43 GMT+10:00 Pedro Igor Silva : > >> Hello Edouard, >> >> Right now, policy enforcement is only performed on application-side. For >> that, you need to enable policy enforcement to your keyclok.json as follows: >> >> { >> "policy-enforcer": {} >> } >> >> For more details, please take a look at [1]. >> >> We don't enforce policies on server-side, at least for now. The user will >> always be able to log in and be redirect to your application with a >> code/token. >> >> @Stian already mentioned some ideas about a more deeper integrating >> between KC authentication and authorization services. But for now, what you >> want is not possible. 
>> >> [1] https://keycloak.gitbooks.io/authorization-services-guide/co >> ntent/topics/enforcer/overview.html >> >> ----- Original Message ----- >> From: "Edouard Kaiser" >> To: keycloak-user at lists.jboss.org >> Sent: Thursday, August 25, 2016 10:02:32 PM >> Subject: [keycloak-user] Authorization at Keycloak level >> >> Hi everyone, >> >> We discovered Keycloak very recently (pretty impressive tool by the way, >> congrats to the maintainers!), and we've been trying to configure a very >> simple authorization at the Keycloak level without success. >> >> Let me try to sum up what we are trying to achieve in our web-application. >> >> For a Keycloak Client, we would like to only allow the users with a >> particular Role to be able to login. >> >> We thought that to achieve this, we needed to do this: >> - Authorization enabled on the client >> - Create a new Role-Based policy ton a particular role >> - Create a Resource Permission to use the previously created Policy >> - Use this Resource Permission in the Default Resource of the Client >> >> We use openid-connect, and more specifically Google as the identity >> provider. >> >> By doing this, we thought that users without the role, trying to connect >> to our application through Keycloak, would be redirected to our application >> with an error of authentication, something like this in the redirection: >> >> /login/oauthVerify?client_name=OidcClient&error=unauthorized >> &error_description=You%20are%20not%20allowed%20to%20access% >> 20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8 >> >> Instead, it's like Keycloak does not check the Authorization >> configuration, it redirects to our webapp with a proper authorization code. >> Then the application is able to fetch the JWT successfully form the >> Keycloak token endpoint. >> >> Did we miss something? Are we trying to solve our issue in the wrong way ? 
>> >> Thank you all for your help, >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From edouard.kaiser at gmail.com Mon Aug 29 10:18:37 2016 From: edouard.kaiser at gmail.com (Edouard Kaiser) Date: Tue, 30 Aug 2016 00:18:37 +1000 Subject: [keycloak-user] Authorization at Keycloak level In-Reply-To: <1839976990.10488729.1472480147685.JavaMail.zimbra@redhat.com> References: <2075962557.9521533.1472215433404.JavaMail.zimbra@redhat.com> <1839976990.10488729.1472480147685.JavaMail.zimbra@redhat.com> Message-ID: Hi Pedro, Thanks for the extra-information. >> Stian, we use Play Framework in Java 2016-08-30 0:15 GMT+10:00 Pedro Igor Silva : > +1. > > Like I said, right now our authz engine is not fully integrated with KC > server. However, I think the requirement can be achieved by: > > - Authentication SPI. In this case, you don't necessarily need authz > services but just check roles in your authenticator > - Authentication SPI + AuthorizationProvider. I've never tested this > (maybe is time to start looking at it), but in theory you should be able to > obtain an AuthorizationProvider from KeycloakSession and use it to perform > evaluations. > > For #2, I need to spend some time testing this scenario and documenting > our Authorization API for those looking to use our authz engine when > extending KC. > > ----- Original Message ----- > From: "Stian Thorgersen" > To: "Edouard Kaiser" > Cc: "Pedro Igor Silva" , "keycloak-user" < > keycloak-user at lists.jboss.org> > Sent: Monday, August 29, 2016 10:55:36 AM > Subject: Re: [keycloak-user] Authorization at Keycloak level > > Pedro knows more about this, but the code required to do the checks should > be pretty simple. 
What language and app type do you have? > > On 27 August 2016 at 05:05, Edouard Kaiser > wrote: > > > Hi Pedro, > > > > Thank you very much for your answer. Unfortunately that's what I was > > afraid. The problem is, we don't have a classic Java/Servlet application, > > so we can't use any of the Keycloak adapter available. > > > > We might have to turn to another solution like Auth0.com which offers an > > integrated authorization plugin, unless we find the courage to write our > > own adapter. > > > > Cheers, > > > > 2016-08-26 22:43 GMT+10:00 Pedro Igor Silva : > > > >> Hello Edouard, > >> > >> Right now, policy enforcement is only performed on application-side. For > >> that, you need to enable policy enforcement to your keyclok.json as > follows: > >> > >> { > >> "policy-enforcer": {} > >> } > >> > >> For more details, please take a look at [1]. > >> > >> We don't enforce policies on server-side, at least for now. The user > will > >> always be able to log in and be redirect to your application with a > >> code/token. > >> > >> @Stian already mentioned some ideas about a more deeper integrating > >> between KC authentication and authorization services. But for now, what > you > >> want is not possible. > >> > >> [1] https://keycloak.gitbooks.io/authorization-services-guide/co > >> ntent/topics/enforcer/overview.html > >> > >> ----- Original Message ----- > >> From: "Edouard Kaiser" > >> To: keycloak-user at lists.jboss.org > >> Sent: Thursday, August 25, 2016 10:02:32 PM > >> Subject: [keycloak-user] Authorization at Keycloak level > >> > >> Hi everyone, > >> > >> We discovered Keycloak very recently (pretty impressive tool by the way, > >> congrats to the maintainers!), and we've been trying to configure a very > >> simple authorization at the Keycloak level without success. > >> > >> Let me try to sum up what we are trying to achieve in our > web-application. 
> >> > >> For a Keycloak Client, we would like to only allow the users with a > >> particular Role to be able to login. > >> > >> We thought that to achieve this, we needed to do this: > >> - Authorization enabled on the client > >> - Create a new Role-Based policy ton a particular role > >> - Create a Resource Permission to use the previously created Policy > >> - Use this Resource Permission in the Default Resource of the Client > >> > >> We use openid-connect, and more specifically Google as the identity > >> provider. > >> > >> By doing this, we thought that users without the role, trying to connect > >> to our application through Keycloak, would be redirected to our > application > >> with an error of authentication, something like this in the redirection: > >> > >> /login/oauthVerify?client_name=OidcClient&error=unauthorized > >> &error_description=You%20are%20not%20allowed%20to%20access% > >> 20this%20application.&state=CrsA9f9bEzLWyjQfT5PN43MPxl_PfMgvXZDQrEzCHi8 > >> > >> Instead, it's like Keycloak does not check the Authorization > >> configuration, it redirects to our webapp with a proper authorization > code. > >> Then the application is able to fetch the JWT successfully form the > >> Keycloak token endpoint. > >> > >> Did we miss something? Are we trying to solve our issue in the wrong > way ? > >> > >> Thank you all for your help, > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... 
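Pedro's first option above (check roles in an Authenticator, no authz services needed) written out as an added example; this is not Keycloak's own code and not from anyone on the thread. It assumes the Keycloak 2.x Authentication SPI in use at the time of this thread (`AuthenticationFlowContext#getClientSession()` to reach the client being logged into); the package name, the provider id `required-role` and the config key `required.role` are hypothetical choices. The authenticator fails closed when no role is configured and records a login error event for every denial, so blocked attempts show up in the realm's event log rather than silently turning into an authorization code.

```java
// Added example, not Keycloak's code: an Authenticator that denies the login
// unless the user holds a configured role (Pedro's option 1 in the thread).
// Assumes the Keycloak 2.x Authentication SPI (getClientSession()). Package,
// provider id and the "required.role" config key are hypothetical names.
package com.example.keycloak.auth;

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

public class RequiredRoleAuthenticatorFactory implements AuthenticatorFactory {

    public static final String PROVIDER_ID = "required-role";   // hypothetical id
    static final String ROLE_CONFIG = "required.role";           // hypothetical config key

    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
        AuthenticationExecutionModel.Requirement.REQUIRED,
        AuthenticationExecutionModel.Requirement.DISABLED
    };

    // The authenticator keeps no state, so one instance serves every flow.
    private static final Authenticator SINGLETON = new RequiredRoleAuthenticator();

    static class RequiredRoleAuthenticator implements Authenticator {

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            UserModel user = context.getUser();               // set by the preceding form step
            RealmModel realm = context.getRealm();
            ClientModel client = context.getClientSession().getClient();

            AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
            String roleName = cfg == null ? null : cfg.getConfig().get(ROLE_CONFIG);
            if (roleName == null || roleName.trim().isEmpty()) {
                // Fail closed: a misconfigured gate must not let everyone through.
                context.getEvent().error("required_role_not_configured");
                context.failure(AuthenticationFlowError.INTERNAL_ERROR);
                return;
            }

            // Accept a client role of the client being logged into, else a realm role.
            RoleModel role = client.getRole(roleName);
            if (role == null) {
                role = realm.getRole(roleName);
            }

            // hasRole() also resolves roles granted through composites.
            if (role != null && user.hasRole(role)) {
                context.success();
            } else {
                // Turns the LOGIN event into a LOGIN_ERROR so denials are visible in the event log.
                context.getEvent().detail("required_role", roleName).error("access_denied");
                context.failure(AuthenticationFlowError.ACCESS_DENIED);
            }
        }

        @Override public void action(AuthenticationFlowContext context) { /* no form to post back */ }
        @Override public boolean requiresUser() { return true; }   // must run after the user is known
        @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
        @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
        @Override public void close() { }
    }

    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Required Role"; }
    @Override public String getReferenceCategory() { return "role"; }
    @Override public boolean isConfigurable() { return true; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Fails the login unless the user holds the configured client or realm role."; }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        ProviderConfigProperty p = new ProviderConfigProperty();
        p.setName(ROLE_CONFIG);
        p.setLabel("Required role");
        p.setType(ProviderConfigProperty.STRING_TYPE);
        p.setHelpText("Client role (of the client being logged into) or realm role the user must hold.");
        return Collections.singletonList(p);
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

Register the factory in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, deploy the jar, then copy the browser flow, add "Required Role" as a REQUIRED execution after the Username Password Form, and set the role name in its config. For logins brokered through an identity provider such as Google, the browser form steps are not executed, so the execution has to be placed in that provider's post-login flow instead. Because `failure()` is called before any code is issued, the client never receives a usable authorization code; exactly how Keycloak surfaces the ACCESS_DENIED failure to the browser (error page or error redirect) depends on the version.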
From zeus.arias at beeva.com Mon Aug 29 10:28:11 2016 From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA) Date: Mon, 29 Aug 2016 16:28:11 +0200 Subject: [keycloak-user] Keycloak - Identity providers and clients In-Reply-To: References: Message-ID: Thank you for your help. Greetings 2016-08-29 16:09 GMT+02:00 Stian Thorgersen : > Identity providers are purely per-realm. I can't see how it would make any > sense to have it per-client. Users authenticate to an SSO realm, not to an > individual client. So if you decide to remove one provider for a particular > client a user could just log in through a different client first, then go > back to the initial client. > > On 29 August 2016 at 11:10, Zeus Arias Lucero | BEEVA < > zeus.arias at beeva.com> wrote: > >> Is it possible to have different identity providers for each client on a >> realm, or are the identity providers only realm-dependent? I would like, for >> example, to have a GitHub identity provider for one client and LDAP for >> another on the same realm. I have looked through the docs and the >> management console but no luck; before trying another thing I just wanted to >> check I'm not mistaken. >> > > From jblashka at redhat.com Mon Aug 29 10:54:14 2016 From: jblashka at redhat.com (Jared Blashka) Date: Mon, 29 Aug 2016 10:54:14 -0400 Subject: [keycloak-user] Persisting User Sessions in the DB? In-Reply-To: References: Message-ID: Thanks for the link to that JIRA. I had seen it before and wanted to find it again before emailing the list but couldn't find it.
I had some questions about the proposed solution. In the proposed solution, Keycloak creates a session cookie on the first visit to the page and updates it when the user first authenticates. How does the load balancer sitting in front of Keycloak understand which Keycloak host corresponds with a given session cookie? Our current load balancers set a sticky session cookie with a node name as the cookie value. Following up from that question, how would this solution work with multiple load balancer layers? We have a global load balancer that distributes traffic at a per data center level and then load balancers within each data center. Finally, it sounds like this solution would only work for clients that use the Keycloak adapters? We're going to have to integrate with third-party vendors in the future and can't dictate how they write their applications. Even outside of that, we also have internal customers that own python/perl/rails applications and couldn't use a Keycloak adapter even if they wanted to because there aren't adapters available for those platforms yet. Jared On Mon, Aug 29, 2016 at 10:08 AM, Stian Thorgersen wrote: > We had a JPA user session provider at some point, but dropped it mainly > for performance reasons and the fact it was not very well implemented. > Having to write to the database for every request (including token refresh) > would not be very good for performance, especially not with db replication > enabled. There might be the possibility of creating a hybrid or to reduce > the amount of writes to the session, but that would probably be quite a bit > of work to do. > > For authorization code flow we do have plans to figure out sticky sessions > for that where both the requests from the browser and server-side > applications end up going to the same node. See https://issues.jboss.org/ > browse/KEYCLOAK-2352.
> > > > On 24 August 2016 at 23:16, Jared Blashka wrote: > >> I'm not sure why I never noticed this before, but I was doing some >> investigation today and couldn't find any session information actually >> populated in the DB tables. Both USER_SESSION and CLIENT_SESSION were >> empty. >> >> After some digging in the code I saw that the only UserSesssionProvider >> implementation is the Infinispan-based one and it looks like the only type >> of user sessions that get persisted in the DB are offline sessions (via the >> JpaUserSessionPersisterProvider). >> >> Was there a particular reason a JpaUserSessionProvider doesn't exist? >> >> Background: We're aiming to have a highly available+resilient >> active-active multi-data center deployment of Keycloak. Ultimately, there >> should be no customer impact if a particular data center fails; there >> should be no IDP outage and they shouldn't have to log in again. We ran >> into issues with asynchronous user data replication earlier, which is why >> we're currently working on migrating our existing MariaDB cluster to use >> Galera (which has been looking pretty good so far) but it looks like we >> mistakenly assumed that this synchronous replication would also handle user >> session data. >> >> Not replicating user session data across data centers is also going to >> cause us problems (its already caused us problems actually) when it comes >> to the OAuth authorization code flow as well. Since that flow involves >> back-channel server communication we can't guarantee that the client server >> will communicate with the same data center the client authenticated at. If >> a client calls out to the "wrong" data center, the flow will fail. >> >> I can spend some time tomorrow investigating the performance when >> clustering infinispan across data centers, but I'm not particularly >> optimistic about the results. >> >> Any thoughts/comments on our problem? 
>> >> >> Jared >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/80018b71/attachment.html From chairfield at gmail.com Mon Aug 29 11:16:02 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Mon, 29 Aug 2016 15:16:02 +0000 Subject: [keycloak-user] Breaking Change to Themes in 2.0/2.1? In-Reply-To: References: Message-ID: Gladly! https://issues.jboss.org/browse/KEYCLOAK-3494 How might you prioritize this one? On Mon, Aug 29, 2016 at 4:42 AM Stian Thorgersen wrote: > Just tried this out with the address theme and there's indeed a bug. I can > also see the following in the log: > > 12:41:26,385 WARN > [org.keycloak.forms.account.freemarker.model.AccountBean] (default > task-14) There are more values for attribute 'region' of user 'admin' . > Will display just first value > > So something is definitively broken. Can you create a JIRA please? > > On 26 August 2016 at 20:03, Chris Hairfield wrote: > >> Hello Keycloak Users, >> >> We recently upgraded from 1.9.8 to 2.1.0 and love it (fixes a good number >> of issues we've been having), but it seems to have broken an important one: >> our themes! >> >> For all HTML input elements we've added (those backed by user >> properties), when we modify their value and save/POST, Keycloak returns an >> HTML document populated with the old values rather than the new. A refresh >> of the page is required for the new value to be returned/displayed, even >> though the first save is sufficient to save the new value on the user. >> >> One may reproduce this easily in 2.1.0 by adding the following code to >> the base theme's account.ftl file: >> >>
>>
>> <input type="text" name="user.attributes.example" value="${(account.attributes.example!'')?html}"/>
>>
>> >> In an Incognito window, impersonate a user, update the Example input, and >> click save. Your new value is stored as an attribute on the user, but the >> value of the input is set to whatever it was before. Refresh your browser >> for the updated value to appear. >> >> Any thoughts as to why? Do we need to update our theme code somehow? >> >> Thanks, >> Chris >> > > From info at flex-guse.de Mon Aug 29 13:36:25 2016 From: info at flex-guse.de (Christoph Guse) Date: Mon, 29 Aug 2016 19:36:25 +0200 Subject: [keycloak-user] Problems using Keycloak for SSO Message-ID: <57C47299.3000607@flex-guse.de> Hello all, I'm quite new to Keycloak, identity management, OAuth2 and OpenID Connect and I think I haven't understood all mechanisms yet. Currently I'm working on a proof of concept using Keycloak as a Web-SSO service. In my PoC I have - a Wiki application connected to Keycloak using SAML - a spring-boot application (CSRF is disabled as the UI brings its own CSRF mechanism) using the community spring-boot adapter. In both applications the login works using Keycloak, both applications work, resources can be loaded and so on. SSO works: after logging in to the spring-boot application the Wiki application can be opened in another browser window without having to reauthenticate. So far, so good. But in my PoC I want to embed the spring-boot application into the Wiki application. Without authentication this works as the UI used in the spring-boot application uses a virtual DOM which can be created on a Wiki page. Unfortunately this does not work with authentication using Keycloak.
After the login in the Wiki, the JavaScript in the Wiki page is not able to load the JS from the spring-boot application for the virtual DOM (HTTP 401, bearer token = "unknown"). I am wondering how Keycloak does the SSO as I was not able to see any parameter in the HTTP requests which is something like the Keycloak token ID. Can somebody explain - or give a hint where to find a detailed explanation - how the token handling is done so I can figure out if something is missing while accessing the spring-boot application? Thank you in advance, Christoph From glavoie at gmail.com Mon Aug 29 14:34:53 2016 From: glavoie at gmail.com (Gabriel Lavoie) Date: Mon, 29 Aug 2016 14:34:53 -0400 Subject: [keycloak-user] Force the display of Keycloak login page when using "authenticate by default" external OIDC IdP Message-ID: Hi, we are currently using Keycloak as a broker to do the SAML authentication to an external service for us. Keycloak is configured to authenticate the user with an external IdP (our application) that is set with the "Authenticate by default" flag to ON. Is it possible to still force the display of the Keycloak login page, but only for some scenarios? We would like to have system integration users that don't exist in our application (not exposed to our customers), but would still be usable to access the external service (with proper roles). Thanks, Gabriel -- Gabriel Lavoie glavoie at gmail.com From chairfield at gmail.com Mon Aug 29 18:42:36 2016 From: chairfield at gmail.com (Chris Hairfield) Date: Mon, 29 Aug 2016 22:42:36 +0000 Subject: [keycloak-user] Bypass /identity page straight to linking to an Identity Provider?
Message-ID: Hello, We're building a mobile app with Keycloak pages loaded in webviews and would like to link directly to the following: http://localhost:8080/auth/realms/athlinks/account/federated-identity-update?action=add&provider_id=google&stateChecker=T5kIjP9cZO3ObUCSM5P8i_O5YicSUcZlCu7aFK4y8P4 The problem is that stateChecker. We don't know how to obtain it. May we obtain it via API? I created a beautiful picture to illustrate. You may think of the left view as a native representation of the /auth/realms/athlinks/account/identity page. Does anyone know of any way to jump straight to the authorization page on the right? Thanks! Chris [image: desired-ux.jpg] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/27ba33f6/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: desired-ux.jpg Type: image/jpeg Size: 92006 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160829/27ba33f6/attachment-0001.jpg From adam.keily at adelaide.edu.au Tue Aug 30 00:17:43 2016 From: adam.keily at adelaide.edu.au (Adam Keily) Date: Tue, 30 Aug 2016 04:17:43 +0000 Subject: [keycloak-user] Realm Config Recommendations Message-ID: Hi, I'm new to keycloak and we're investigating using it within our University. In the first instance it would be used as a registration point for external users e.g. prospective students etc. They will either register via the form or using social IdP's in order to access various apps for these types of users. We want to remain open to using Keycloak for our internal (AD / LDAP) users to authenticate to these same apps as well as corporate applications. The tricky part comes where a prospective student (external identity) enrols and becomes a regular student (LDAP user). 
We would like them to continue to be recognised as a single identity and have their registered identities merged / linked with their new internal id. Hoping someone might be able to provide some guidance on the best way to go. There are a few ideas I've been testing. One is to have a single keycloak realm for user registration and configure LDAP as a user federation source. However this would seem to rule out linking the accounts? Another idea was to configure two realms (internal and external) and have the internal realm act as an IdP for the external realm. Another option is to create three realms, internal, external and combined. The combined realm is used for SSO for all apps and the internal and external realms are configured to be IdP's for the combined realm. I can't help but feel this is starting to get more complicated than is necessary. Any guidance or thoughts would be much appreciated. Regards Adam -- Adam Keily Risk & Security Services The University of Adelaide -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/706786a4/attachment.html From Christian.FREIMUELLER at frequentis.com Tue Aug 30 02:41:27 2016 From: Christian.FREIMUELLER at frequentis.com (FREIMUELLER Christian) Date: Tue, 30 Aug 2016 06:41:27 +0000 Subject: [keycloak-user] ClassNotFoundException when importing a resource server configuration JSON incl drools policy of 'photoz' example project Message-ID: Dear all, first of all - thanks for your effort for Keycloak - great product! I'm trying to do a POC for the authorization API in Keycloak and therefore I downloaded from the project's website the Demo distribution and tried to follow the readme instructions on the "photoz" example. 
The import of the realm was successful, but when I tried to load the resource server configuration JSON I received the following exception in the log file: Caused by: java.lang.ClassNotFoundException: org.apache.commons.codec.binary.Base64 from [Module "org.drools:main" from local module loader @1476ceae (finder: local module finder @1b4febf3 ( roots: D:\dev\software\keycloak\keycloak-demo-2.1.0.Final\keycloak\modules, D:\dev\software\keycloak\keycloak-demo-2.1.0.Final\keycloak\modules\system\layers\keycloak, D:\dev\software\keycloak\keycloak-demo-2.1.0.Final\keycloak\modules\system\layers\base ))] I was able to fix this issue by providing the following dependency entry in the drools module description for the commons-codec module at \keycloak\modules\system\add-ons\keycloak\org\drools\main\module.xml After this I could successfully import the "photoz-restful-api-authz-service.json" finally. Could it be that this entry is also missing in the source code at https://github.com/keycloak/keycloak/tree/master/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/drools/main/module.xml ? I also found a related JIRA "KEYCLOAK-3279 Possible error with Drools policies when running on Windows" entry but this was closed without code fix, I think. Can you verify this finding? Thanks, Christian -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/a898dd3c/attachment.html From sthorger at redhat.com Tue Aug 30 03:34:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 30 Aug 2016 09:34:16 +0200 Subject: [keycloak-user] Getting Error when connecting local host to server DB In-Reply-To: References: Message-ID: Looks like there's something wrong in your standalone.xml. Did you use the standalone server distro? 
On 30 August 2016 at 09:15, Aman Jaiswal wrote: > Hi Stian > > I am getting an error while starting keycloak-2.1.0.Final server .... > error is mentioned below > I have already added the file layers.conf with content "layers=keycloak" > > > ========================================================================= > > > > > > JBoss Bootstrap Environment > > > > > > JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final > > > > > > JAVA: java > > > > > > JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > > > > > ========================================================================= > > > > > > 05:54:22,401 INFO [org.jboss.modules] (main) JBoss Modules version > 1.5.1.Final > > 05:54:22,654 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final > > 05:54:22,743 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: > Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting > > 05:54:23,647 ERROR [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0055: Caught exception during boot: org.jboss.as.controller. > persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to > parse configuration > > at org.jboss.as.controller.persistence.XmlConfigurationPersister.load( > XmlConfigurationPersister.java:131) [wildfly-controller-2.0.10. > Final.jar:2.0.10.Final] > > at org.jboss.as.server.ServerService.boot(ServerService.java:356) > [wildfly-server-2.0.10.Final.jar:2.0.10.Final] > > at org.jboss.as.controller.AbstractControllerService$1. > run(AbstractControllerService.java:299) [wildfly-controller-2.0.10.
> Final.jar:2.0.10.Final] > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_91] > > Caused by: javax.xml.stream.XMLStreamException: ParseError at > [row,col]:[285,5] > > Message: Unexpected element '{urn:jboss:domain:4.0}subsystem' > > at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) > [staxmapper-1.2.0.Final.jar:1.2.0.Final] > > at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny( > XMLExtendedStreamReaderImpl.java:69) [staxmapper-1.2.0.Final.jar:1. > 2.0.Final] > > at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546) > [wildfly-server-2.0.10.Final.jar:2.0.10.Final] > > at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242) > [wildfly-server-2.0.10.Final.jar:2.0.10.Final] > > at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141) > [wildfly-server-2.0.10.Final.jar:2.0.10.Final] > > at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103) > [wildfly-server-2.0.10.Final.jar:2.0.10.Final] > > at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49) > [wildfly-server-2.0.10.Final.jar:2.0.10.Final] > > at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) > [staxmapper-1.2.0.Final.jar:1.2.0.Final] > > at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) > [staxmapper-1.2.0.Final.jar:1.2.0.Final] > > at org.jboss.as.controller.persistence.XmlConfigurationPersister.load( > XmlConfigurationPersister.java:123) [wildfly-controller-2.0.10. > Final.jar:2.0.10.Final] > > ... 3 more > > > > > > 05:54:23,651 FATAL [org.jboss.as.server] (Controller Boot Thread) > WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. > See previous messages for details. > > 05:54:23,659 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server > shutdown has been requested. 
> 05:54:23,683 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: > Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) stopped in 18ms > > > > > On Mon, Aug 29, 2016 at 4:29 PM, Stian Thorgersen > wrote: > >> I'd say your DB is going pretty slow then. It takes me ~60 seconds to boot >> Keycloak here, which is well within the 300 second limit. Can't really >> answer why it's that slow as it's most likely your DB not behaving very >> well. >> >> On 29 August 2016 at 12:53, Aman Jaiswal > > wrote: >> >>> hi >>> I am talking about the time limit which is mentioned in the following >>> error. >>> >>> ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) >>> >>> WFLYCTL0348: Timeout after [300] seconds waiting for service container stability. >>> >>> Operation will roll back. Step that first updated the service container was 'add' at address '[ >>> ("core-service" => "management"), >>> ("management-interface" => "http-interface") >>> ]' >>> >>> >>> On Mon, Aug 29, 2016 at 4:19 PM, Aman Jaiswal < >>> aman.jaiswal at arvindinternet.com> wrote: >>> >>>> hi >>>> >>>> the time when keycloak is trying to connect to the database which is on the >>>> server. >>>> >>>> On Mon, Aug 29, 2016 at 4:16 PM, Stian Thorgersen >>>> wrote: >>>> >>>>> What time limit? >>>>> >>>>> On 26 August 2016 at 11:15, Aman Jaiswal < >>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>> >>>>>> Hi Stian >>>>>> >>>>>> Hi I changed the time limit from 300 to 600 and it works but I >>>>>> want to know why it is not working with the default time of 300 sec? >>>>>> >>>>>> On Fri, Aug 26, 2016 at 2:43 PM, Stian Thorgersen < >>>>>> sthorger at redhat.com> wrote: >>>>>> >>>>>>> Looks like maybe you haven't set up the datasource correctly or >>>>>>> there's some other configuration issue. Maybe try Googling for it?
>>>>>>> >>>>>>> On 23 August 2016 at 12:33, Aman Jaiswal < >>>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>>> >>>>>>>> Hi Team >>>>>>>> >>>>>>>> I am getting an error while connecting my local keycloak to the DB >>>>>>>> which is on the server. >>>>>>>> The error is in the attached file. Please give me a solution to resolve this >>>>>>>> issue. >>>>>>>> -- >>>>>>>> Thanks, >>>>>>>> Aman Jaiswal >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Aman Jaiswal >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Thanks, >>>> Aman Jaiswal >>>> >>> >>> >>> >>> -- >>> Thanks, >>> Aman Jaiswal >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/39228385/attachment-0001.html From vikyadav26 at gmail.com Tue Aug 30 05:15:57 2016 From: vikyadav26 at gmail.com (vik yadav) Date: Tue, 30 Aug 2016 14:45:57 +0530 Subject: [keycloak-user] KeyCloak Mobile Mapper missing mobile number. Message-ID: Hi In the KeyCloak configuration under User Federation I have defined a User Federation Mapper which has a mobileMapper which maps the mobile number from LDAP to a user Attribute in Keycloak. Below is the configuration. UserFederation-->UserFederationMapper-->mobileMapper User Model Attribute=mobile LDAP Attribute=mobile Always Read Value From LDAP=true The mobile number is not coming in the attribute object automatically, while the other attributes, like email ID, name and userName, are coming automatically in the attributes object under UserRepresentation. How do I get the mobile number automatically in the org.keycloak.representations.idm.UserRepresentation attributes object?
Keycloak Version is 2.1.0 Final Regards, Vikash -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/24fc1cef/attachment.html From sheishere48 at gmail.com Tue Aug 30 05:51:07 2016 From: sheishere48 at gmail.com (sheishere b) Date: Tue, 30 Aug 2016 15:21:07 +0530 Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login Message-ID: Hello, From nodejs, I am trying to integrate with keycloak server. Have followed the steps mentioned in https://github.com/keycloak/keycloak-nodejs-connect But I need to use offline access to generate an offline token as mentioned here, https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/sessions/offline.html How can this be done from nodejs? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/ca9cdfc9/attachment.html From sthorger at redhat.com Tue Aug 30 06:42:43 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 30 Aug 2016 12:42:43 +0200 Subject: [keycloak-user] Breaking Change to Themes in 2.0/2.1? In-Reply-To: References: Message-ID: Most likely it'll be fixed in 2.2.0.CR1, 2.3.0.CR1 at the latest. On 29 August 2016 at 17:16, Chris Hairfield wrote: > Gladly! https://issues.jboss.org/browse/KEYCLOAK-3494 > > How might you prioritize this one? > > On Mon, Aug 29, 2016 at 4:42 AM Stian Thorgersen > wrote: > >> Just tried this out with the address theme and there's indeed a bug. I >> can also see the following in the log: >> >> 12:41:26,385 WARN [org.keycloak.forms.account.freemarker.model.AccountBean] >> (default task-14) There are more values for attribute 'region' of user >> 'admin' . Will display just first value >> >> So something is definitely broken. Can you create a JIRA please?
>> >> On 26 August 2016 at 20:03, Chris Hairfield wrote: >> >>> Hello Keycloak Users, >>> >>> We recently upgraded from 1.9.8 to 2.1.0 and love it (fixes a good >>> number of issues we've been having), but it seems to have broken an >>> important one: our themes! >>> >>> For all HTML input elements we've added (those backed by user >>> properties), when we modify their value and save/POST, Keycloak returns an >>> HTML document populated with the old values rather than the new. A refresh >>> of the page is required for the new value to be returned/displayed, even >>> though the first save is sufficient to save the new value on the user. >>> >>> One may reproduce this easily in 2.1.0 by adding the following code to >>> the base theme's account.ftl file: >>> >>>
>>>
>>> >>>
>>>
>>> >> name="user.attributes.example" value="${(account.attributes. >>> example!'')?html}"/> >>>
>>>
>>> >>> In an Incognito window, impersonate a user, update the Example input, >>> and click save. Your new value is stored as an attribute on the user, but >>> the value of the input is set to whatever it was before. Refresh your >>> browser for the updated value to appear. >>> >>> Any thoughts as to why? Do we need to update our theme code somehow? >>> >>> Thanks, >>> Chris >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/756d2697/attachment.html From christopher.james.davies at gmail.com Tue Aug 30 07:22:12 2016 From: christopher.james.davies at gmail.com (Christopher Davies) Date: Tue, 30 Aug 2016 11:22:12 +0000 Subject: [keycloak-user] Refreshing Tokens In-Reply-To: References: Message-ID: The redirect dance is a bit more complex as I am in a GWT application. However thanks for the feedback. In most cases redirecting to the login page will be easy enough, it is just during editing that things may get tricky Chris On Fri, Aug 26, 2016 at 10:09 AM Stian Thorgersen wrote: > If you're adding new roles the refresh token will continue to work, but > won't get new roles. If you're removing roles the refresh token won't be > permitted anymore. > > You don't need to re-login though. Just discard the refresh token, do the > redirect dance to Keycloak again and you'll get a new client session under > the existing user session so the user won't have to re-authenticate, but > you'll have your new refresh token with updated roles. > > On 20 August 2016 at 09:52, Christopher Davies < > christopher.james.davies at gmail.com> wrote: > >> I am adding keycloak into a legacy application that uses GWT and Jetty. >> I have managed to add Keycloak to the application using Spring-security.
>> Because this is GWT I am doing the authorisation in the application >> myself. >> Spring just provides a way to get access to the KeycloakSecurityContext. >> >> The issue I have is refreshing the token. I can get hold of >> a RefreshableKeycloakSecurityContext instance >> and use that to get a refresh token. What surprised me is that I cannot >> refresh a token if the roles have changed. >> Is this correct? I was hoping that the application could notice the role >> changes and adapt itself on the fly. >> >> I do not want to have to logout to get the new roles if at all possible. >> Is there something that I have overlooked that will allow >> me to use the idToken to get a new accessToken given that the >> authentication of the user is still valid, it is just the roles the user is >> in that have changed. >> >> >> Thanks >> >> Chris >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/51df41f1/attachment.html From christopher.james.davies at gmail.com Tue Aug 30 07:24:49 2016 From: christopher.james.davies at gmail.com (Christopher Davies) Date: Tue, 30 Aug 2016 11:24:49 +0000 Subject: [keycloak-user] Running Keycloak in Jetty In-Reply-To: References: Message-ID: We are using Spring security with our Jetty system. This is working fine so far. We can get hold of both the KeycloakAuthenticationToken and the RefreshableKeycloakSecurityContext This allows us to check the roles inside the Jetty WebApps and to request refresh of tokens Chris On Tue, Aug 23, 2016 at 10:10 AM Pål Oliver Kristiansen < paal.oliver at gmail.com> wrote: > Anyone who has managed to run Keycloak in Jetty? > Or anyone who has some pointers to where to start adapting the source to > make it work? > > Thanks!
> -- > Pål Oliver Kristiansen > Cornix Consulting > 92 22 60 41 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/aaeb0071/attachment-0001.html From paal.oliver at gmail.com Tue Aug 30 07:29:16 2016 From: paal.oliver at gmail.com (=?UTF-8?Q?P=C3=A5l_Oliver_Kristiansen?=) Date: Tue, 30 Aug 2016 11:29:16 +0000 Subject: [keycloak-user] Running Keycloak in Jetty In-Reply-To: References: Message-ID: Thanks Christopher! But what I'm referring to is to run the Keycloak server itself, in Jetty. It runs on Wildfly out of the box, but in order to support this in our current pipeline and setup, it would be dramatically simpler if there was a way to run it in Jetty, as an ordinary WAR. Technically I guess it should be possible, but I have had problems making it run properly. Thanks again! On Tue, 30 Aug 2016 at 13:25, Christopher Davies < christopher.james.davies at gmail.com> wrote: > We are using Spring security with our Jetty system. > This is working fine so far. We can get hold of both > the KeycloakAuthenticationToken and the RefreshableKeycloakSecurityContext > This allows us to check the roles inside the Jetty WebApps and to request > refresh of tokens > > > Chris > > > On Tue, Aug 23, 2016 at 10:10 AM Pål Oliver Kristiansen < > paal.oliver at gmail.com> wrote: > >> Anyone who has managed to run Keycloak in Jetty? >> Or anyone who has some pointers to where to start adapting the source >> to make it work? >> >> Thanks!
>> -- >> Pål Oliver Kristiansen >> Cornix Consulting >> 92 22 60 41 >> > _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Pål Oliver Kristiansen Cornix Consulting 92 22 60 41 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/f4f271cb/attachment.html From sthorger at redhat.com Tue Aug 30 07:52:12 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 30 Aug 2016 13:52:12 +0200 Subject: [keycloak-user] Running Keycloak in Jetty In-Reply-To: References: Message-ID: Technically everything is possible, but we leverage a number of features in WildFly that are not available in Jetty. You may get it to work with one particular release just to find that there are new and existing things to solve in the future. I would recommend spending your time on deploying the Keycloak standalone server distribution with your pipeline and setup rather than trying to get Keycloak server running in Jetty. I imagine it'll be less work and you won't get issues in the future if we add more dependencies on WildFly. On 30 August 2016 at 13:29, Pål Oliver Kristiansen wrote: > Thanks Christopher! > > But what I'm referring to is to run the Keycloak server itself, in Jetty. > It runs on Wildfly out of the box, but in order to support this in our > current pipeline and setup, it would be dramatically simpler if there was a > way to run it in Jetty, as an ordinary WAR. Technically I guess it should be > possible, but I have had problems making it run properly. > > Thanks again! > > On Tue, 30 Aug 2016 at 13:25, Christopher Davies < > christopher.james.davies at gmail.com> wrote: > >> We are using Spring security with our Jetty system. >> This is working fine so far.
We can get hold of both the KeycloakAuthenticationToken >> and the RefreshableKeycloakSecurityContext >> This allows us to check the roles inside the Jetty WebApps and to request >> refresh of tokens >> >> >> Chris >> >> >> On Tue, Aug 23, 2016 at 10:10 AM Pål Oliver Kristiansen < >> paal.oliver at gmail.com> wrote: >> >>> Anyone who has managed to run Keycloak in Jetty? >>> Or anyone who has some pointers to where to start adapting the source >>> to make it work? >>> >>> Thanks! >>> -- >>> Pål Oliver Kristiansen >>> Cornix Consulting >>> 92 22 60 41 >>> >> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- > Pål Oliver Kristiansen > Cornix Consulting > 92 22 60 41 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/c4888b46/attachment.html From paal.oliver at gmail.com Tue Aug 30 08:01:05 2016 From: paal.oliver at gmail.com (=?UTF-8?Q?P=C3=A5l_Oliver_Kristiansen?=) Date: Tue, 30 Aug 2016 12:01:05 +0000 Subject: [keycloak-user] Running Keycloak in Jetty In-Reply-To: References: Message-ID: Thanks Stian! We did in fact abandon the attempt to shoehorn it into Jetty and are now deploying using the provided Docker image. On Tue, 30 Aug 2016 at 13:52, Stian Thorgersen wrote: > Technically everything is possible, but we leverage a number of features > in WildFly that are not available in Jetty. You may get it to work with one > particular release just to find that there are new and existing things to > solve in the future.
I would recommend spending your time on deploying the > Keycloak standalone server distribution with your pipeline and setup rather > than trying to get Keycloak server running in Jetty. I imagine it'll be > less work and you won't get issues in the future if we add more > dependencies on WildFly. > > On 30 August 2016 at 13:29, Pål Oliver Kristiansen > wrote: > >> Thanks Christopher! >> >> But what I'm referring to is to run the Keycloak server itself, in Jetty. >> It runs on Wildfly out of the box, but in order to support this in our >> current pipeline and setup, it would be dramatically simpler if there was a >> way to run it in Jetty, as an ordinary WAR. Technically I guess it should be >> possible, but I have had problems making it run properly. >> >> Thanks again! >> >> On Tue, 30 Aug 2016 at 13:25, Christopher Davies < >> christopher.james.davies at gmail.com> wrote: >> >>> We are using Spring security with our Jetty system. >>> This is working fine so far. We can get hold of both >>> the KeycloakAuthenticationToken and the RefreshableKeycloakSecurityContext >>> This allows us to check the roles inside the Jetty WebApps and to >>> request refresh of tokens >>> >>> >>> Chris >>> >>> >>> On Tue, Aug 23, 2016 at 10:10 AM Pål Oliver Kristiansen < >>> paal.oliver at gmail.com> wrote: >>> >>>> Anyone who has managed to run Keycloak in Jetty? >>>> Or anyone who has some pointers to where to start adapting the source >>>> to make it work? >>>> >>>> Thanks!
>>>> -- >>>> Pål Oliver Kristiansen >>>> Cornix Consulting >>>> 92 22 60 41 >>>> >>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> -- >> Pål Oliver Kristiansen >> Cornix Consulting >> 92 22 60 41 >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Pål Oliver Kristiansen Cornix Consulting 92 22 60 41 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/7882e571/attachment.html From christian_hebert at hotmail.com Tue Aug 30 16:09:16 2016 From: christian_hebert at hotmail.com (Christian Hebert) Date: Tue, 30 Aug 2016 16:09:16 -0400 Subject: [keycloak-user] How to secure web services (ejb modules) with keycloak Message-ID: Hello! We have some applications without UI which expose web services. Actually, it's EJBs with the @Webservice annotation. Those EJBs are packaged into an EAR file as EJB modules for deployment. In other applications, we usually add the keycloak-saml.xml file into the war module but, since those applications do not have a war module, how could we secure those web services with keycloak? Thanks, Christian -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160830/68c699b5/attachment-0001.html From sthorger at redhat.com Wed Aug 31 01:42:22 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Aug 2016 07:42:22 +0200 Subject: [keycloak-user] Refreshing Tokens In-Reply-To: References: Message-ID: Use an embedded web view and problem solved ;) On 30 August 2016 at 13:22, Christopher Davies < christopher.james.davies at gmail.com> wrote: > The redirect dance is a bit more complex as I am in a GWT application. > However thanks for the feedback. > In most cases redirecting to the login page will be easy enough, it is just > during editing that things may get tricky > > Chris > > On Fri, Aug 26, 2016 at 10:09 AM Stian Thorgersen > wrote: > >> If you're adding new roles the refresh token will continue to work, but >> won't get new roles. If you're removing roles the refresh token won't be >> permitted anymore. >> >> You don't need to re-login though. Just discard the refresh token, do the >> redirect dance to Keycloak again and you'll get a new client session under >> the existing user session so the user won't have to re-authenticate, but >> you'll have your new refresh token with updated roles. >> >> On 20 August 2016 at 09:52, Christopher Davies > gmail.com> wrote: >> >>> I am adding keycloak into a legacy application that uses GWT and Jetty. >>> I have managed to add Keycloak to the application using Spring-security. >>> Because this is GWT I am doing the authorisation in the application >>> myself. >>> Spring just provides a way to get access to the KeycloakSecurityContext. >>> >>> The issue I have is refreshing the token. I can get hold of a >>> RefreshableKeycloakSecurityContext instance >>> and use that to get a refresh token. What surprised me is that I cannot >>> refresh a token if the roles have changed. >>> Is this correct? I was hoping that the application could notice the role >>> changes and adapt itself on the fly.
>>> >>> I do not want to have to logout to get the new roles if at all possible. >>> Is there something that I have overlooked that will allow >>> me to use the idToken to get a new accessToken given that the >>> authentication of the user is still valid, it is just the roles the user is >>> in that have changed. >>> >>> >>> Thanks >>> >>> Chris >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/f63c6103/attachment.html From padmaka.jw at gmail.com Wed Aug 31 01:43:06 2016 From: padmaka.jw at gmail.com (Padmaka Wijayagoonawardena) Date: Wed, 31 Aug 2016 11:13:06 +0530 Subject: [keycloak-user] User cache doesn't get updated Message-ID: Hi, I'm using Keycloak 1.9.0.Final and mysql as the DB. I have written a custom social identity provider. This social identity provider uses a custom user attribute mapper that I have written. The user attribute mapper will map a custom attribute coming from the openId connect userinfo endpoint to a Keycloak role. I have overridden the updateBrokeredUser method in the AbstractJsonUserAttributeMapper class to update the brokered user when the user logs in using the social identity provider. The complete flow works well, however it seems like there is a caching issue. I update the user role via the updateBrokeredUser method but it does not get reflected in the user roles immediately. However, when I update the cache it works fine. Thanks, Padmaka -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/b674caa7/attachment.html From sthorger at redhat.com Wed Aug 31 01:54:46 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Aug 2016 07:54:46 +0200 Subject: [keycloak-user] Persisting User Sessions in the DB? In-Reply-To: References: Message-ID: On 29 August 2016 at 16:54, Jared Blashka wrote: > Thanks for the link to that JIRA. I had seen it before and wanted to find > it again before emailing the list but couldn't find it. > > I had some questions about the proposed solution. > What's described in the issue is just an initial brain dump and we haven't looked into it in much detail yet. Feedback and suggestions are most welcome :) > > In the proposed solution, Keycloak creates a session cookie on first visit to the > page and updates it when the user first authenticates. How does the load > balancer sitting in front of Keycloak understand which Keycloak host > corresponds with a given session cookie? Our current load balancers set a > sticky session cookie with a node name as the cookie value. > Not sure - If Keycloak creates the cookie the name should most likely be configurable (maybe even the value?!). If the LB creates the cookie we'd need an option to make Keycloak pick that up instead of creating its own. > > Following up from that question, how would this solution work with > multiple load balancer layers? We have a global load balancer that > distributes traffic at a per data center level and then load balancers > within each data center. > Not sure - would that normally have two separate cookies? > > Finally, it sounds like this solution would only work for clients that use > the keycloak adapters? We're going to have to integrate with third-party > vendors in the future and can't dictate how they write their applications.
> Even outside of that, we also have internal customers that own > python/perl/rails applications and couldn't use a Keycloak adapter even if > they wanted to because there aren't adapters available for those platforms > yet. > Pretty sure there's no standard way of doing this as there's nothing in the code-token or refresh-token requests that can be used. An alternative mechanism I had in mind was that we'd allow Keycloak servers to talk to each other to delegate requests to another node. Would that work? > > Jared > > On Mon, Aug 29, 2016 at 10:08 AM, Stian Thorgersen > wrote: > >> We had a JPA user session provider at some point, but dropped it mainly >> for performance reasons and the fact it was not very well implemented. >> Having to write to the database for every request (including token refresh) >> would not be very good for performance, especially not with db replication >> enabled. There might be the possibility of creating a hybrid or to reduce >> the amount of writes to the session, but that would probably be quite a bit >> of work to do. >> >> For authorization code flow we do have plans to figure out sticky >> sessions for that where both the requests from the browser and server-side >> applications end up going to the same node. See >> https://issues.jboss.org/browse/KEYCLOAK-2352. >> >> >> >> On 24 August 2016 at 23:16, Jared Blashka wrote: >> >>> I'm not sure why I never noticed this before, but I was doing some >>> investigation today and couldn't find any session information actually >>> populated in the DB tables. Both USER_SESSION and CLIENT_SESSION were >>> empty. >>> >>> After some digging in the code I saw that the only UserSessionProvider >>> implementation is the Infinispan-based one and it looks like the only type >>> of user sessions that get persisted in the DB are offline sessions (via the >>> JpaUserSessionPersisterProvider). >>> >>> Was there a particular reason a JpaUserSessionProvider doesn't exist?
>>> >>> Background: We're aiming to have a highly available+resilient >>> active-active multi-data center deployment of Keycloak. Ultimately, there >>> should be no customer impact if a particular data center fails; there >>> should be no IDP outage and they shouldn't have to log in again. We ran >>> into issues with asynchronous user data replication earlier, which is why >>> we're currently working on migrating our existing MariaDB cluster to use >>> Galera (which has been looking pretty good so far) but it looks like we >>> mistakenly assumed that this synchronous replication would also handle user >>> session data. >>> >>> Not replicating user session data across data centers is also going to >>> cause us problems (it's already caused us problems actually) when it comes >>> to the OAuth authorization code flow as well. Since that flow involves >>> back-channel server communication we can't guarantee that the client server >>> will communicate with the same data center the client authenticated at. If >>> a client calls out to the "wrong" data center, the flow will fail. >>> >>> I can spend some time tomorrow investigating the performance when >>> clustering infinispan across data centers, but I'm not particularly >>> optimistic about the results. >>> >>> Any thoughts/comments on our problem? >>> >>> >>> Jared >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/2c3b9c4f/attachment.html From sthorger at redhat.com Wed Aug 31 02:03:25 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Aug 2016 08:03:25 +0200 Subject: [keycloak-user] Getting Error when connecting local host to server DB In-Reply-To: References: Message-ID: [Adding list back] In that case it's most likely you've made some mistakes. Try using the standalone server dist and add your changes one at a time to find out what it is that's breaking it. On 30 August 2016 at 09:36, Aman Jaiswal wrote: > I am using standalone-ha.xml with some changes . > > On Tue, Aug 30, 2016 at 1:04 PM, Stian Thorgersen > wrote: > >> Looks like there's something wrong in your standalone.xml. Did you use >> the standalone server distro? >> >> On 30 August 2016 at 09:15, Aman Jaiswal > > wrote: >> >>> Hi Stian >>> >>> I am getting an error while starting keycloak-2.1.0.Final server .... >>> error is mentions bellow >>> I am all ready added the file layers.conf with content "layers=keycloak" >>> >>> >>> ============================================================ >>> ============= >>> >>> >>> >>> >>> >>> JBoss Bootstrap Environment >>> >>> >>> >>> >>> >>> JBOSS_HOME: /home/ubuntu/keycloak/keycloak-2.1.0.Final >>> >>> >>> >>> >>> >>> JAVA: java >>> >>> >>> >>> >>> >>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M >>> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true >>> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true >>> >>> >>> >>> >>> >>> ============================================================ >>> ============= >>> >>> >>> >>> >>> >>> 05:54:22,401 INFO [org.jboss.modules] (main) JBoss Modules version >>> 1.5.1.Final >>> >>> 05:54:22,654 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final >>> >>> 05:54:22,743 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: >>> Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) starting >>> >>> 05:54:23,647 
ERROR [org.jboss.as.server] (Controller Boot Thread) >>> WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persis >>> tence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse >>> configuration >>> >>> at org.jboss.as.controller.persistence.XmlConfigurationPersiste >>> r.load(XmlConfigurationPersister.java:131) >>> [wildfly-controller-2.0.10.Final.jar:2.0.10.Final] >>> >>> at org.jboss.as.server.ServerService.boot(ServerService.java:356) >>> [wildfly-server-2.0.10.Final.jar:2.0.10.Final] >>> >>> at org.jboss.as.controller.AbstractControllerService$1.run(Abst >>> ractControllerService.java:299) [wildfly-controller-2.0.10.Fin >>> al.jar:2.0.10.Final] >>> >>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_91] >>> >>> Caused by: javax.xml.stream.XMLStreamException: ParseError at >>> [row,col]:[285,5] >>> >>> Message: Unexpected element '{urn:jboss:domain:4.0}subsystem' >>> >>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:108) >>> [staxmapper-1.2.0.Final.jar:1.2.0.Final] >>> >>> at org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(X >>> MLExtendedStreamReaderImpl.java:69) [staxmapper-1.2.0.Final.jar:1. 
>>> 2.0.Final] >>> >>> at org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546) >>> [wildfly-server-2.0.10.Final.jar:2.0.10.Final] >>> >>> at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242) >>> [wildfly-server-2.0.10.Final.jar:2.0.10.Final] >>> >>> at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141) >>> [wildfly-server-2.0.10.Final.jar:2.0.10.Final] >>> >>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103) >>> [wildfly-server-2.0.10.Final.jar:2.0.10.Final] >>> >>> at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49) >>> [wildfly-server-2.0.10.Final.jar:2.0.10.Final] >>> >>> at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) >>> [staxmapper-1.2.0.Final.jar:1.2.0.Final] >>> >>> at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) >>> [staxmapper-1.2.0.Final.jar:1.2.0.Final] >>> >>> at org.jboss.as.controller.persistence.XmlConfigurationPersiste >>> r.load(XmlConfigurationPersister.java:123) >>> [wildfly-controller-2.0.10.Final.jar:2.0.10.Final] >>> >>> ... 3 more >>> >>> >>> >>> >>> >>> 05:54:23,651 FATAL [org.jboss.as.server] (Controller Boot Thread) >>> WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. >>> See previous messages for details. >>> >>> 05:54:23,659 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server >>> shutdown has been requested. >>> 05:54:23,683 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: >>> Keycloak 2.1.0.Final (WildFly Core 2.0.10.Final) stopped in 18ms >>> >>> >>> >>> >>> On Mon, Aug 29, 2016 at 4:29 PM, Stian Thorgersen >>> wrote: >>> >>>> I'd say your DB is going pretty slow then. It takes me ~60 second to >>>> boot Keycloak here, which is well within the 300 second limit. Can't really >>>> answer why it's that slow as it's most likely your DB not behaving very >>>> well. 
>>>> >>>> On 29 August 2016 at 12:53, Aman Jaiswal >>> om> wrote: >>>> >>>>> hi >>>>> I am talking about the time limit which is mention in the following >>>>> error. >>>>> >>>>> ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) >>>>> >>>>> WFLYCTL0348: Timeout after [300] seconds waiting for service container stability. >>>>> >>>>> Operation will roll back. Step that first updated the service container was 'add' at address '[ >>>>> ("core-service" => "management"), >>>>> ("management-interface" => "http-interface") >>>>> ]' >>>>> >>>>> >>>>> On Mon, Aug 29, 2016 at 4:19 PM, Aman Jaiswal < >>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>> >>>>>> hi >>>>>> >>>>>> time when keycloak is trying to connect the database which is on the >>>>>> server. >>>>>> >>>>>> On Mon, Aug 29, 2016 at 4:16 PM, Stian Thorgersen < >>>>>> sthorger at redhat.com> wrote: >>>>>> >>>>>>> What time limit? >>>>>>> >>>>>>> On 26 August 2016 at 11:15, Aman Jaiswal < >>>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>>> >>>>>>>> Hi Stian >>>>>>>> >>>>>>>> Hi I changed the time limit from 300 to 600 and it's work but I >>>>>>>> want to know that why it is not working on 300 sec of default time ? >>>>>>>> >>>>>>>> On Fri, Aug 26, 2016 at 2:43 PM, Stian Thorgersen < >>>>>>>> sthorger at redhat.com> wrote: >>>>>>>> >>>>>>>>> Looks like maybe you haven't setup the datasource correctly or >>>>>>>>> there's some other configuration issue. Maybe try Googling for it? >>>>>>>>> >>>>>>>>> On 23 August 2016 at 12:33, Aman Jaiswal < >>>>>>>>> aman.jaiswal at arvindinternet.com> wrote: >>>>>>>>> >>>>>>>>>> Hi Team >>>>>>>>>> >>>>>>>>>> I am getting an error while connecting my local keycloak to DB >>>>>>>>>> which is on server. >>>>>>>>>> error is in attached file . please give me solution to resolve >>>>>>>>>> this issue.. 
>>>>>>>>>> -- >>>>>>>>>> Thanks, >>>>>>>>>> Aman Jaiswal >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> keycloak-user mailing list >>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Thanks, >>>>>>>> Aman Jaiswal >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks, >>>>>> Aman Jaiswal >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Thanks, >>>>> Aman Jaiswal >>>>> >>>> >>>> >>> >>> >>> -- >>> Thanks, >>> Aman Jaiswal >>> >> >> > > > -- > Thanks, > Aman Jaiswal > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/ee8871cf/attachment-0001.html From sthorger at redhat.com Wed Aug 31 02:04:45 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Aug 2016 08:04:45 +0200 Subject: [keycloak-user] User cache doesn't get updated In-Reply-To: References: Message-ID: There's been a number of fixes around caching since 1.9.0.Final. We no longer provide support for 1.9.0.Final, please upgrade to 2.1.0.Final and see if your issues are resolved. On 31 August 2016 at 07:43, Padmaka Wijayagoonawardena wrote: > Hi, > > I'm using Keycloak 1.9.0.Final and mysql as the DB. I have written a > custom social identity provider. This social identity provider uses a > custom user attribute mapper that i have written. The user attribute mapper > will map a custom attribute coming from the openId connect userinfo > endpoint to a Keycloak role. I have overridden the updateBrokeredUser > method in the AbstractJsonUserAttributeMapper class to update the > brokered user when the user logs in using the social identity provider. > > The complete flow works well, however it seems like there is a caching > issue. I update the user role via the updateBrokeredMethod but it does not > get reflected in the user roles immediately. 
> However, when I update the cache it works fine. > > Thanks, > Padmaka > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/93ca6433/attachment.html From padmaka.jw at gmail.com Wed Aug 31 02:22:56 2016 From: padmaka.jw at gmail.com (Padmaka Wijayagoonawardena) Date: Wed, 31 Aug 2016 11:52:56 +0530 Subject: [keycloak-user] User cache doesn't get updated In-Reply-To: References: Message-ID: Ok thanks, well do that and revert back On Wed, Aug 31, 2016 at 11:34 AM, Stian Thorgersen wrote: > There's been a number of fixes around caching since 1.9.0.Final. We no > longer provide support for 1.9.0.Final, please upgrade to 2.1.0.Final and > see if your issues are resolved. > > On 31 August 2016 at 07:43, Padmaka Wijayagoonawardena < > padmaka.jw at gmail.com> wrote: > >> Hi, >> >> I'm using Keycloak 1.9.0.Final and mysql as the DB. I have written a >> custom social identity provider. This social identity provider uses a >> custom user attribute mapper that i have written. The user attribute mapper >> will map a custom attribute coming from the openId connect userinfo >> endpoint to a Keycloak role. I have overridden the updateBrokeredUser >> method in the AbstractJsonUserAttributeMapper class to update the >> brokered user when the user logs in using the social identity provider. >> >> The complete flow works well, however it seems like there is a caching >> issue. I update the user role via the updateBrokeredMethod but it does not >> get reflected in the user roles immediately. >> However, when I update the cache it works fine. 
>>
>> Thanks,
>> Padmaka
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/7d143fb0/attachment.html

From zeus.arias at beeva.com  Wed Aug 31 02:52:10 2016
From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA)
Date: Wed, 31 Aug 2016 08:52:10 +0200
Subject: [keycloak-user] Question about social login
Message-ID:

Hi!

I have a question.

With the social login, is it possible to know the origin? In the case of
github, if the user belongs to the organization, is there any way to know?

Greetings!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/b5680e7d/attachment.html

From mposolda at redhat.com  Wed Aug 31 03:02:49 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 31 Aug 2016 09:02:49 +0200
Subject: [keycloak-user] Direct link to register page
In-Reply-To:
References:
Message-ID: <57C68119.4070503@redhat.com>

Yes, as long as you use "registrations" instead of "auth" at the end of the
login (AuthorizationEndpoint) URL. For example
"http://localhost:8081/auth/realms/master/protocol/openid-connect/registrations"
instead of
"http://localhost:8081/auth/realms/master/protocol/openid-connect/auth".

The keycloak.js adapter has some builtin support for it. See the "js-console"
example, which shows it. Other adapters won't have support for it AFAIK, so
you may need to construct/replace the URL snippet at the end by yourself.

Marek

On 26/08/16 13:45, Tom Pearson wrote:
> Hi,
>
> Is there a way to link straight to the register page without going
> through login first? I'm working on a Grails web app that uses a
> slightly modified version of the Keycloak Spring Security Adapter.
> > Best regards, > Tom > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/eac3ad91/attachment.html From mposolda at redhat.com Wed Aug 31 03:11:42 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 31 Aug 2016 09:11:42 +0200 Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login In-Reply-To: References: Message-ID: <57C6832E.6080108@redhat.com> It depends if keycloak-nodejs adapter has some nice support for "inject" the custom value of scope parameter into the initial Keycloak login ( AuthorizationEndpoint ) URL. Our java adapter has support for it, as it "forwards" the value of scope parameter from the secured URL to the Keycloak login URL. For example if you open "http://localhost:/yourapp/secured?scope=offline_access", the adapter forwards the "scope=offline_access" to the Keycloak. Our keycloak.js adapter also has support for adding custom scope. However not really sure about keycloak-nodejs-connect. Maybe either someone more familiar with keycloak nodeJS adapter will reply. Or you can try to dig yourself and eventually create JIRA (or even better send PR) for adding the missing functionality. Marek On 30/08/16 11:51, sheishere b wrote: > Hello, > > From nodejs, I am trying to integrate with keycloak server. > Have followed the steps mentioned in > https://github.com/keycloak/keycloak-nodejs-connect > But I need to use offline access to generate offline token as > mentioned here, > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/sessions/offline.html > > How can this be done from nodejs? 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/40a0e88b/attachment.html From mposolda at redhat.com Wed Aug 31 03:16:29 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 31 Aug 2016 09:16:29 +0200 Subject: [keycloak-user] Question about social login In-Reply-To: References: Message-ID: <57C6844D.4020608@redhat.com> If user was "registered" to Keycloak through Github, then his Keycloak user account will be "linked" with Github. You can see the social links (aka. federated identities) in admin console for any particular user. User himself can see them also in account management. Finally our event SPI has an event, which is triggered after registration through social is finished, so you can write an EventListener to listen to this event and immediately do something once user "john" was registered with usage of github social provider. Marek On 31/08/16 08:52, Zeus Arias Lucero | BEEVA wrote: > Hi! > > I have a question. > > With the social login, is possible to know the origin? In the case of > github, if the user belongs to the organization, is there any way to know? > > Greetings! > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/acc35563/attachment-0001.html From sthorger at redhat.com Wed Aug 31 03:43:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 31 Aug 2016 09:43:16 +0200 Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login In-Reply-To: <57C6832E.6080108@redhat.com> References: <57C6832E.6080108@redhat.com> Message-ID: Do we support offline_access param in Node.js adapter? On 31 August 2016 at 09:11, Marek Posolda wrote: > It depends if keycloak-nodejs adapter has some nice support for "inject" > the custom value of scope parameter into the initial Keycloak login ( > AuthorizationEndpoint ) URL. > > Our java adapter has support for it, as it "forwards" the value of scope > parameter from the secured URL to the Keycloak login URL. For example if > you open "http://localhost:/yourapp/secured?scope=offline_access" > , the adapter > forwards the "scope=offline_access" to the Keycloak. Our keycloak.js > adapter also has support for adding custom scope. However not really sure > about keycloak-nodejs-connect. > > Maybe either someone more familiar with keycloak nodeJS adapter will > reply. Or you can try to dig yourself and eventually create JIRA (or even > better send PR) for adding the missing functionality. > > Marek > > > On 30/08/16 11:51, sheishere b wrote: > > Hello, > > From nodejs, I am trying to integrate with keycloak server. > Have followed the steps mentioned in > > https://github.com/keycloak/keycloak-nodejs-connect > But I need to use offline access to generate offline token as mentioned > here, https://keycloak.gitbooks.io/server-adminstration-guide/ > content/v/2.1/topics/sessions/offline.html > How can this be done from nodejs? 
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/687d1313/attachment.html

From sblanc at redhat.com  Wed Aug 31 04:33:15 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 31 Aug 2016 10:33:15 +0200
Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login
In-Reply-To:
References: <57C6832E.6080108@redhat.com>
Message-ID:

I just made some tests and looked at the nodejs adapter code, it doesn't
look like it supports offline_access since it's hardcoded to "scope=openid"
( https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L304 ).

Fix would be quite simple since we have access to the original url query
parameters through the redirectUrl parameter of the function.

I can create a jira for this.

On Wed, Aug 31, 2016 at 9:43 AM, Stian Thorgersen wrote:

> Do we support offline_access param in Node.js adapter?
>
> On 31 August 2016 at 09:11, Marek Posolda wrote:
>
>> It depends if keycloak-nodejs adapter has some nice support for "inject"
>> the custom value of scope parameter into the initial Keycloak login (
>> AuthorizationEndpoint ) URL.
>>
>> Our java adapter has support for it, as it "forwards" the value of scope
>> parameter from the secured URL to the Keycloak login URL. For example if
>> you open "http://localhost:/yourapp/secured?scope=offline_access"
>> , the adapter
>> forwards the "scope=offline_access" to the Keycloak. Our keycloak.js
>> adapter also has support for adding custom scope. However not really sure
>> about keycloak-nodejs-connect.
>> >> Maybe either someone more familiar with keycloak nodeJS adapter will >> reply. Or you can try to dig yourself and eventually create JIRA (or even >> better send PR) for adding the missing functionality. >> >> Marek >> >> >> On 30/08/16 11:51, sheishere b wrote: >> >> Hello, >> >> From nodejs, I am trying to integrate with keycloak server. >> Have followed the steps mentioned in >> >> https://github.com/keycloak/keycloak-nodejs-connect >> But I need to use offline access to generate offline token as mentioned >> here, https://keycloak.gitbooks.io/server-adminstration-guide/cont >> ent/v/2.1/topics/sessions/offline.html >> How can this be done from nodejs? >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/339d52b6/attachment.html From sheishere48 at gmail.com Wed Aug 31 05:09:21 2016 From: sheishere48 at gmail.com (sheishere b) Date: Wed, 31 Aug 2016 14:39:21 +0530 Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login In-Reply-To: References: <57C6832E.6080108@redhat.com> Message-ID: Ok, thanks. It would be great if you could create jira & share the information. 
On Wed, Aug 31, 2016 at 2:03 PM, Sebastien Blanc wrote: > I just made some tests and looked at the nodejs adapter code, it doesn't > look like it supports offline_access since it's hardcoded to "scope=openid" > ( https://github.com/keycloak/keycloak-nodejs-connect/blob/ > master/index.js#L304 ). > > Fix would be quite simple since we have access to the original url query > parameters through the redirectUrl parameter of the function. > > I can create a jira for this. > > > > On Wed, Aug 31, 2016 at 9:43 AM, Stian Thorgersen > wrote: > >> Do we support offline_access param in Node.js adapter? >> >> On 31 August 2016 at 09:11, Marek Posolda wrote: >> >>> It depends if keycloak-nodejs adapter has some nice support for "inject" >>> the custom value of scope parameter into the initial Keycloak login ( >>> AuthorizationEndpoint ) URL. >>> >>> Our java adapter has support for it, as it "forwards" the value of scope >>> parameter from the secured URL to the Keycloak login URL. For example if >>> you open "http://localhost:/yourapp/secured?scope=offline_access" >>> , the adapter >>> forwards the "scope=offline_access" to the Keycloak. Our keycloak.js >>> adapter also has support for adding custom scope. However not really sure >>> about keycloak-nodejs-connect. >>> >>> Maybe either someone more familiar with keycloak nodeJS adapter will >>> reply. Or you can try to dig yourself and eventually create JIRA (or even >>> better send PR) for adding the missing functionality. >>> >>> Marek >>> >>> >>> On 30/08/16 11:51, sheishere b wrote: >>> >>> Hello, >>> >>> From nodejs, I am trying to integrate with keycloak server. >>> Have followed the steps mentioned in >>> >>> https://github.com/keycloak/keycloak-nodejs-connect >>> But I need to use offline access to generate offline token as mentioned >>> here, https://keycloak.gitbooks.io/server-adminstration-guide/cont >>> ent/v/2.1/topics/sessions/offline.html >>> How can this be done from nodejs? 
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/e804ac8f/attachment-0001.html

From William.Drescher at celum.com  Wed Aug 31 05:49:12 2016
From: William.Drescher at celum.com (William Drescher [CELUM])
Date: Wed, 31 Aug 2016 09:49:12 +0000
Subject: [keycloak-user] Adding user from Java: Password credential not working
Message-ID: <80ececf5710a40b68719ec47d7ca8aac@EMEA-LNZ-EX01.werk3.local>

Hi userlist,

I'm attempting to create a user in Java in the way described here, from a
Java application and using the Keycloak standalone server:
http://www.first8.nl/blog/programmatically-adding-users-in-keycloak/

Specifically:

    import java.util.Arrays;

    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    // password credential to attach to the new user
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");

    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setCredentials(Arrays.asList(credential));

    // kc is the org.keycloak.admin.client.Keycloak admin client instance
    kc.realm("master").users().create(user);

The user is created correctly, no errors either Java side or in the output
from the standalone server, and all data seems to be correct; however when
attempting to login with the user the credentials are incorrect.

I've tried changing the password manually on the Keycloak server and the
login is then possible.

Am I missing something or is this a bug?

Thanks,
Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/f9318e4a/attachment.html

From nizar2yas at gmail.com  Wed Aug 31 06:25:46 2016
From: nizar2yas at gmail.com (yassine yas)
Date: Wed, 31 Aug 2016 11:25:46 +0100
Subject: [keycloak-user] user logout
Message-ID:

Hi,

When an authenticated user tries to log out (using the sign out from
auth/realms/{realName}/account/) I get this error:

    Invalid redirect uri

Here is the URI of the page that shows the problem:

    http://10.129.3.27/auth/realms/{realName}/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F10.129.3.27%2Fauth%2Frealms%2F{realName}%2Faccount%2F

(the {realName} is the same)

How can I change the logout redirect URI?

Cordially
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/f686efda/attachment.html

From sheishere48 at gmail.com  Wed Aug 31 06:39:04 2016
From: sheishere48 at gmail.com (sheishere b)
Date: Wed, 31 Aug 2016 16:09:04 +0530
Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login
In-Reply-To:
References: <57C6832E.6080108@redhat.com>
Message-ID:

Is there some workaround? Is it possible to override the login URL and
replace "scope=openid" with "scope=offline"?

On Wed, Aug 31, 2016 at 2:39 PM, sheishere b wrote:

> Ok, thanks.
> It would be great if you could create jira & share the information.
> > On Wed, Aug 31, 2016 at 2:03 PM, Sebastien Blanc > wrote: > >> I just made some tests and looked at the nodejs adapter code, it doesn't >> look like it supports offline_access since it's hardcoded to "scope=openid" >> ( https://github.com/keycloak/keycloak-nodejs-connect/blob/mas >> ter/index.js#L304 ). >> >> Fix would be quite simple since we have access to the original url query >> parameters through the redirectUrl parameter of the function. >> >> I can create a jira for this. >> >> >> >> On Wed, Aug 31, 2016 at 9:43 AM, Stian Thorgersen >> wrote: >> >>> Do we support offline_access param in Node.js adapter? >>> >>> On 31 August 2016 at 09:11, Marek Posolda wrote: >>> >>>> It depends if keycloak-nodejs adapter has some nice support for >>>> "inject" the custom value of scope parameter into the initial Keycloak >>>> login ( AuthorizationEndpoint ) URL. >>>> >>>> Our java adapter has support for it, as it "forwards" the value of >>>> scope parameter from the secured URL to the Keycloak login URL. For example >>>> if you open "http://localhost:/yourapp/secured?scope=offline_access" >>>> , the adapter >>>> forwards the "scope=offline_access" to the Keycloak. Our keycloak.js >>>> adapter also has support for adding custom scope. However not really sure >>>> about keycloak-nodejs-connect. >>>> >>>> Maybe either someone more familiar with keycloak nodeJS adapter will >>>> reply. Or you can try to dig yourself and eventually create JIRA (or even >>>> better send PR) for adding the missing functionality. >>>> >>>> Marek >>>> >>>> >>>> On 30/08/16 11:51, sheishere b wrote: >>>> >>>> Hello, >>>> >>>> From nodejs, I am trying to integrate with keycloak server. 
>>>> Have followed the steps mentioned in >>>> >>>> https://github.com/keycloak/keycloak-nodejs-connect >>>> But I need to use offline access to generate offline token as mentioned >>>> here, https://keycloak.gitbooks.io/server-adminstration-guide/cont >>>> ent/v/2.1/topics/sessions/offline.html >>>> How can this be done from nodejs? >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160831/22a8f6c9/attachment-0001.html From sblanc at redhat.com Wed Aug 31 06:43:29 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 31 Aug 2016 12:43:29 +0200 Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login In-Reply-To: References: <57C6832E.6080108@redhat.com> Message-ID: Well yes there is an ugly workaround :) , in your node_modules/keycloak-connnect/index.js at line 304 , you can replace openid with offline_access On Wed, Aug 31, 2016 at 12:39 PM, sheishere b wrote: > Is there some workaround ? Is it possible to override the login url & > replace "scope=openid" to "scope=offline" ? > > On Wed, Aug 31, 2016 at 2:39 PM, sheishere b > wrote: > >> Ok, thanks. 
>> It would be great if you could create jira & share the information. >> >> On Wed, Aug 31, 2016 at 2:03 PM, Sebastien Blanc >> wrote: >> >>> I just made some tests and looked at the nodejs adapter code, it doesn't >>> look like it supports offline_access since it's hardcoded to "scope=openid" >>> ( https://github.com/keycloak/keycloak-nodejs-connect/blob/mas >>> ter/index.js#L304 ). >>> >>> Fix would be quite simple since we have access to the original url query >>> parameters through the redirectUrl parameter of the function. >>> >>> I can create a jira for this. >>> >>> >>> >>> On Wed, Aug 31, 2016 at 9:43 AM, Stian Thorgersen >>> wrote: >>> >>>> Do we support offline_access param in Node.js adapter? >>>> >>>> On 31 August 2016 at 09:11, Marek Posolda wrote: >>>> >>>>> It depends if keycloak-nodejs adapter has some nice support for >>>>> "inject" the custom value of scope parameter into the initial Keycloak >>>>> login ( AuthorizationEndpoint ) URL. >>>>> >>>>> Our java adapter has support for it, as it "forwards" the value of >>>>> scope parameter from the secured URL to the Keycloak login URL. For example >>>>> if you open "http://localhost:/yourapp/secured?scope=offline_access" >>>>> , the adapter >>>>> forwards the "scope=offline_access" to the Keycloak. Our keycloak.js >>>>> adapter also has support for adding custom scope. However not really sure >>>>> about keycloak-nodejs-connect. >>>>> >>>>> Maybe either someone more familiar with keycloak nodeJS adapter will >>>>> reply. Or you can try to dig yourself and eventually create JIRA (or even >>>>> better send PR) for adding the missing functionality. >>>>> >>>>> Marek >>>>> >>>>> >>>>> On 30/08/16 11:51, sheishere b wrote: >>>>> >>>>> Hello, >>>>> >>>>> From nodejs, I am trying to integrate with keycloak server. 
>>>>> Have followed the steps mentioned in
>>>>> https://github.com/keycloak/keycloak-nodejs-connect
>>>>> But I need to use offline access to generate offline token as
>>>>> mentioned here, https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/sessions/offline.html
>>>>> How can this be done from nodejs?

From sascha.brose at adesso.ch Wed Aug 31 07:09:36 2016
From: sascha.brose at adesso.ch (Brose, Sascha)
Date: Wed, 31 Aug 2016 11:09:36 +0000
Subject: [keycloak-user] Adding user from Java: Password credential not working
Message-ID: <1b713271c9b1465e91383fbeec76e2d7@EX2013-DB02.adesso.local>

Hi Will

As far as I remember I had problems with that too. Therefore, I create users in two steps at the moment. First I create the user and afterwards I set the password. This works for me to set the password after the user was created:

...
    UserResource userRes = getUserResById(client, realm, keycloakUserId); // load created user
    CredentialRepresentation credentialRep = new CredentialRepresentation();
    credentialRep.setType(CredentialRepresentation.PASSWORD);
    credentialRep.setValue(password);
    credentialRep.setTemporary(temporary);
    userRes.resetPassword(credentialRep);
...

Best,
Sascha

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of keycloak-user-request at lists.jboss.org
Sent: Wednesday, 31 August 2016 12:39
To: keycloak-user at lists.jboss.org
Subject: keycloak-user Digest, Vol 32, Issue 148

Send keycloak-user mailing list submissions to
    keycloak-user at lists.jboss.org

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.jboss.org/mailman/listinfo/keycloak-user
or, via email, send a message with subject or body 'help' to
    keycloak-user-request at lists.jboss.org

You can reach the person managing the list at
    keycloak-user-owner at lists.jboss.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of keycloak-user digest..."

Today's Topics:

   1. Adding user from Java: Password credential not working (William Drescher [CELUM])
   2. user logout (yassine yas)
   3.
      Re: how to set 'scope=offline_access' in keycloak-nodejs-connect during login (sheishere b)

----------------------------------------------------------------------

Message: 1
Date: Wed, 31 Aug 2016 09:49:12 +0000
From: "William Drescher [CELUM]"
Subject: [keycloak-user] Adding user from Java: Password credential not working
To: "keycloak-user at lists.jboss.org"
Message-ID: <80ececf5710a40b68719ec47d7ca8aac at EMEA-LNZ-EX01.werk3.local>
Content-Type: text/plain; charset="us-ascii"

Hi userlist,

I'm attempting to create a user in java in the way described here, from a java application and using the keycloak standalone server:
http://www.first8.nl/blog/programmatically-adding-users-in-keycloak/

Specifically:

    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");

    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setCredentials(Arrays.asList(credential));

    kc.realm("master").users().create(user);

The user is created correctly, no errors either java side or in the output from the standalone server, and all data seems to be correct; however, when attempting to login with the user the credentials are incorrect. I've tried changing the password manually on the keycloak server and the login is then possible.

Am I missing something or is this a bug?

Thanks,
Will
------------------------------

Message: 2
Date: Wed, 31 Aug 2016 11:25:46 +0100
From: yassine yas
Subject: [keycloak-user] user logout
To: keycloak-user at lists.jboss.org
Message-ID:
Content-Type: text/plain; charset="utf-8"

Hi,

when an authenticated user tries to logout (using the sign out from auth/realms/{realName}/account/) I get this error: Invalid redirect uri

here is the uri of the page that shows the pb:
http://10.129.3.27/auth/realms/{realName}/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F10.129.3.27%2Fauth%2Frealms%2F{realName}%2Faccount%2F
(the {realName} is the same)

how can I change the log out redirect uri

cordially

------------------------------

Message: 3
Date: Wed, 31 Aug 2016 16:09:04 +0530
From: sheishere b
Subject: Re: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login
To: Sebastien Blanc
Cc: Bruno Oliveira da Silva , keycloak-user
Message-ID:
Content-Type: text/plain; charset="utf-8"

Is there some workaround ? Is it possible to override the login url & replace "scope=openid" to "scope=offline" ?

On Wed, Aug 31, 2016 at 2:39 PM, sheishere b wrote:
> Ok, thanks.
> It would be great if you could create jira & share the information.
>
> On Wed, Aug 31, 2016 at 2:03 PM, Sebastien Blanc wrote:
>
>> I just made some tests and looked at the nodejs adapter code, it
>> doesn't look like it supports offline_access since it's hardcoded to "scope=openid"
>> ( https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L304 ).
>>
>> Fix would be quite simple since we have access to the original url
>> query parameters through the redirectUrl parameter of the function.
>>
>> I can create a jira for this.
>>
>> On Wed, Aug 31, 2016 at 9:43 AM, Stian Thorgersen wrote:
>>
>>> Do we support offline_access param in Node.js adapter?
>>>
>>> On 31 August 2016 at 09:11, Marek Posolda wrote:
>>>
>>>> It depends if keycloak-nodejs adapter has some nice support for
>>>> "inject" the custom value of scope parameter into the initial
>>>> Keycloak login ( AuthorizationEndpoint ) URL.
>>>>
>>>> Our java adapter has support for it, as it "forwards" the value of
>>>> scope parameter from the secured URL to the Keycloak login URL. For
>>>> example if you open "http://localhost:/yourapp/secured?scope=offline_access",
>>>> the adapter forwards the "scope=offline_access" to the Keycloak. Our
>>>> keycloak.js adapter also has support for adding custom scope.
>>>> However not really sure about keycloak-nodejs-connect.
>>>>
>>>> Maybe either someone more familiar with keycloak nodeJS adapter
>>>> will reply. Or you can try to dig yourself and eventually create
>>>> JIRA (or even better send PR) for adding the missing functionality.
>>>>
>>>> Marek
>>>>
>>>> On 30/08/16 11:51, sheishere b wrote:
>>>>
>>>> Hello,
>>>>
>>>> From nodejs, I am trying to integrate with keycloak server.
>>>> Have followed the steps mentioned in
>>>> https://github.com/keycloak/keycloak-nodejs-connect
>>>> But I need to use offline access to generate offline token as
>>>> mentioned here,
>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/sessions/offline.html
>>>> How can this be done from nodejs?
------------------------------

End of keycloak-user Digest, Vol 32, Issue 148
**********************************************

From mposolda at redhat.com Wed Aug 31 08:18:59 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 31 Aug 2016 14:18:59 +0200
Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login
In-Reply-To:
References: <57C6832E.6080108@redhat.com>
Message-ID: <57C6CB33.2000601@redhat.com>

Just one small thing to clarify. Maybe you're already aware of it (Sorry for spamming then) :-)

The "scope=openid" should always be there per the OIDC specification. So if you want to add "offline_access" or another scope value, the parameter should be like "scope=openid offline_access" (the encoded value is "openid%20offline_access").
Marek

On 31/08/16 12:43, Sebastien Blanc wrote:
> Well yes there is an ugly workaround :) , in your
> node_modules/keycloak-connect/index.js at line 304 , you can replace
> openid with offline_access
>
> On Wed, Aug 31, 2016 at 12:39 PM, sheishere b wrote:
>
> Is there some workaround ? Is it possible to override the login
> url & replace "scope=openid" to "scope=offline" ?
>
> On Wed, Aug 31, 2016 at 2:39 PM, sheishere b wrote:
>
> Ok, thanks.
> It would be great if you could create jira & share the information.
>
> On Wed, Aug 31, 2016 at 2:03 PM, Sebastien Blanc wrote:
>
> I just made some tests and looked at the nodejs adapter
> code, it doesn't look like it supports offline_access
> since it's hardcoded to "scope=openid" (
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L304 ).
>
> Fix would be quite simple since we have access to the
> original url query parameters through the redirectUrl
> parameter of the function.
>
> I can create a jira for this.
>
> On Wed, Aug 31, 2016 at 9:43 AM, Stian Thorgersen wrote:
>
> Do we support offline_access param in Node.js adapter?
>
> On 31 August 2016 at 09:11, Marek Posolda wrote:
>
> It depends if keycloak-nodejs adapter has some
> nice support for "inject" the custom value of
> scope parameter into the initial Keycloak login (
> AuthorizationEndpoint ) URL.
>
> Our java adapter has support for it, as it
> "forwards" the value of scope parameter from the
> secured URL to the Keycloak login URL. For example
> if you open
> "http://localhost:/yourapp/secured?scope=offline_access",
> the adapter forwards the "scope=offline_access" to
> the Keycloak. Our keycloak.js adapter also has
> support for adding custom scope. However not
> really sure about keycloak-nodejs-connect.
>
> Maybe either someone more familiar with keycloak
> nodeJS adapter will reply.
> Or you can try to dig yourself and eventually create JIRA (or even
> better send PR) for adding the missing functionality.
>
> Marek
>
> On 30/08/16 11:51, sheishere b wrote:
>> Hello,
>>
>> From nodejs, I am trying to integrate with keycloak server.
>> Have followed the steps mentioned in
>> https://github.com/keycloak/keycloak-nodejs-connect
>>
>> But I need to use offline access to generate offline token as mentioned here,
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/sessions/offline.html
>>
>> How can this be done from nodejs?
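Marek's point about the scope parameter, and Sebastien's suggested fix of forwarding the query parameters of the original URL (the adapter's redirectUrl), carried into code as an added example. This is not code from keycloak-nodejs-connect; the function names, the realm URL, client id, redirect URL and state value are all constructed for illustration. The space between scope values is encoded as %20, exactly the "openid%20offline_access" form Marek gives, and "openid" is never replaced, only extended.

```javascript
// Added example (not keycloak-nodejs-connect code): build the Keycloak
// authorization-endpoint URL so that "openid" is always present and any
// scope values carried on the protected resource's own query string
// (e.g. ?scope=offline_access) are forwarded into the login request,
// which is what the thread describes the Java adapter doing.
// All function names and sample values below are assumptions.

// Scope values requested on the originally visited URL, as a list.
// An absent or empty scope parameter yields [].
function requestedScopes(redirectUrl) {
  const raw = new URL(redirectUrl).searchParams.get('scope');
  return raw ? raw.split(/\s+/).filter(Boolean) : [];
}

// Merge the mandatory "openid" with extra values. Order is kept and
// duplicates are dropped, so the result is a clean space-separated list.
function mergeScopes(extra) {
  const scopes = ['openid'];
  for (const s of extra) {
    if (!scopes.includes(s)) scopes.push(s);
  }
  return scopes;
}

// Compose the authorization URL for a realm. realmUrl is the realm base
// (e.g. http://localhost:8080/auth/realms/Test, a constructed value).
// encodeURIComponent turns the space in the scope list into %20.
function loginUrl(realmUrl, clientId, redirectUrl, state) {
  const scope = mergeScopes(requestedScopes(redirectUrl)).join(' ');
  return realmUrl + '/protocol/openid-connect/auth' +
    '?client_id=' + encodeURIComponent(clientId) +
    '&state=' + encodeURIComponent(state) +
    '&redirect_uri=' + encodeURIComponent(redirectUrl) +
    '&scope=' + encodeURIComponent(scope) +
    '&response_type=code';
}

// Stand-alone demonstration with constructed values.
console.log(loginUrl('http://localhost:8080/auth/realms/Test', 'nodejs-app',
  'http://localhost:3000/secured?scope=offline_access', 'state123'));
```

Two things the example makes visible: the value the asker proposed, "scope=offline", is not the scope name the documentation uses (it is offline_access), and editing index.js to swap "openid" for "offline_access" drops the value the OIDC specification requires, which is the objection Bruno raises to the workaround.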
From William.Drescher at celum.com Wed Aug 31 08:42:19 2016
From: William.Drescher at celum.com (William Drescher [CELUM])
Date: Wed, 31 Aug 2016 12:42:19 +0000
Subject: [keycloak-user] Workaround works
Message-ID:

Thanks Sascha, works like a charm.

In case it helps someone else, this is a simple version of working code (using this as temporary code to set up an initial user; normally I would suggest a cleaner way to get the userId from keycloak, but search works fine for now):

    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser");
    user.setFirstName("Test");
    user.setLastName("User");
    kc.realm("master").users().create(user);

    // the local 'user' object never receives the server-assigned id, so look the
    // created user up by username and take the id from the returned representation
    kc.realm("master").users().search("testUser", 0, 1).forEach(found -> {
        UserResource userResource = kc.realm("master").users().get(found.getId());
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue("test123");
        credential.setTemporary(true);
        userResource.resetPassword(credential);
    });

Will

From bruno at abstractj.org Wed Aug 31 08:43:44 2016
From: bruno at abstractj.org (Bruno Oliveira da Silva)
Date: Wed, 31 Aug 2016 09:43:44 -0300
Subject: [keycloak-user] how to set 'scope=offline_access' in keycloak-nodejs-connect during login
In-Reply-To:
References: <57C6832E.6080108@redhat.com>
Message-ID: <20160831124344.GA11489@abstractj.org>

The best thing to do is to fix it, any workaround will just mess with OIDC certification.
On 2016-08-31, Sebastien Blanc wrote:
> Well yes there is an ugly workaround :) , in your
> node_modules/keycloak-connect/index.js at line 304 , you can replace
> openid with offline_access
>
> On Wed, Aug 31, 2016 at 12:39 PM, sheishere b wrote:
>
> > Is there some workaround ? Is it possible to override the login url &
> > replace "scope=openid" to "scope=offline" ?
> >
> > On Wed, Aug 31, 2016 at 2:39 PM, sheishere b wrote:
> >
> >> Ok, thanks.
> >> It would be great if you could create jira & share the information.
> >>
> >> On Wed, Aug 31, 2016 at 2:03 PM, Sebastien Blanc wrote:
> >>
> >>> I just made some tests and looked at the nodejs adapter code, it doesn't
> >>> look like it supports offline_access since it's hardcoded to "scope=openid"
> >>> ( https://github.com/keycloak/keycloak-nodejs-connect/blob/master/index.js#L304 ).
> >>>
> >>> Fix would be quite simple since we have access to the original url query
> >>> parameters through the redirectUrl parameter of the function.
> >>>
> >>> I can create a jira for this.
> >>>
> >>> On Wed, Aug 31, 2016 at 9:43 AM, Stian Thorgersen wrote:
> >>>
> >>>> Do we support offline_access param in Node.js adapter?
> >>>>
> >>>> On 31 August 2016 at 09:11, Marek Posolda wrote:
> >>>>
> >>>>> It depends if keycloak-nodejs adapter has some nice support for
> >>>>> "inject" the custom value of scope parameter into the initial Keycloak
> >>>>> login ( AuthorizationEndpoint ) URL.
> >>>>>
> >>>>> Our java adapter has support for it, as it "forwards" the value of
> >>>>> scope parameter from the secured URL to the Keycloak login URL. For example
> >>>>> if you open "http://localhost:/yourapp/secured?scope=offline_access",
> >>>>> the adapter forwards the "scope=offline_access" to the Keycloak. Our keycloak.js
> >>>>> adapter also has support for adding custom scope. However not really sure
> >>>>> about keycloak-nodejs-connect.
> >>>>>
> >>>>> Maybe either someone more familiar with keycloak nodeJS adapter will
> >>>>> reply. Or you can try to dig yourself and eventually create JIRA (or even
> >>>>> better send PR) for adding the missing functionality.
> >>>>>
> >>>>> Marek
> >>>>>
> >>>>> On 30/08/16 11:51, sheishere b wrote:
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> From nodejs, I am trying to integrate with keycloak server.
> >>>>> Have followed the steps mentioned in
> >>>>> https://github.com/keycloak/keycloak-nodejs-connect
> >>>>> But I need to use offline access to generate offline token as
> >>>>> mentioned here, https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/sessions/offline.html
> >>>>> How can this be done from nodejs?

--
abstractj
PGP: 0x84DC9914

From nizar2yas at gmail.com Wed Aug 31 09:26:30 2016
From: nizar2yas at gmail.com (yassine yas)
Date: Wed, 31 Aug 2016 14:26:30 +0100
Subject: [keycloak-user] user credential and role programmatically
Message-ID:

Hi,

I'm creating users programmatically from my java code, but the user's credentials and roles are not "persisted" (I think); when the
user tries to authenticate he gets "Invalid username or password" (even if he is visible in the admin console). If I define (from the admin console) a password for the user and use it he can access his account, but here comes the 2nd problem: even if I give him the right (role) to use a resource he gets forbidden.

here is the code that I use to define the user's credential and role:

    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("123");
    user.setCredentials(Arrays.asList(credential));
    user.setRealmRoles(Arrays.asList("guest"));

Cordially

From lingvisa at gmail.com Wed Aug 31 13:53:20 2016
From: lingvisa at gmail.com (Ling)
Date: Wed, 31 Aug 2016 10:53:20 -0700
Subject: [keycloak-user] How to integrate or make use of KeyCloak user database in my own application?
Message-ID:

Hi, All:

So far I have been playing with KeyCloak and have been able to set it up and run the customer-portal example successfully. Now I need to actually use it in my application, and I am not totally sure whether KeyCloak is the thing that I am looking for, but I believe my need is just a common use case and hopefully KeyCloak is the right software that I am looking for.

When a user comes to my website, he registers and makes a post. Both the post and the user information are stored in databases, along with the link between the user and the post, i.e. who made which post. So I have two tables in my database: Post(id, post) and User(id, name), and another table UserPost(PostID, UserID) to store the linking information. This is all fine in my own database.
But now when KeyCloak comes into play, the user first registers in the KeyCloak server and the user information is stored in its own database there, which seems unrelated to the database (Post and User) in my application. I don't want to duplicate two User databases in two servers, right? Even if I can tolerate the duplication, how do I make the connection between the KeyCloak database and my application database? I am using JBoss and Hibernate/JPA in my application.

Maybe I am missing something in the way to connect KeyCloak with my own application. Is there any tutorial or documentation that I can read?

Thank you.

From chairfield at gmail.com Wed Aug 31 19:04:06 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Wed, 31 Aug 2016 23:04:06 +0000
Subject: [keycloak-user] Why is email required when joining via Google?
Message-ID:

Hello,

I'm attempting to register via the Google OAuth link. Keycloak routes me to Google where I authorize my app. Then I'm returned to Keycloak. Why am I asked to input my email (below)? Keycloak requests the email scope and Google is an email provider. Why is my Google email not automatically stored as the email of this new account? I even have Trust Email on for Google.

Chris

[image: keycloak-q.png]