From amaeztu at tesicnor.com Thu Dec 1 01:08:25 2016
From: amaeztu at tesicnor.com (Amaeztu)
Date: Thu, 01 Dec 2016 07:08:25 +0100
Subject: [keycloak-user] How to set account management as welcome page
In-Reply-To:
References:
Message-ID: <7sggflj5afed49138dvrjpt5.1480572387240@email.android.com>

Hello byte,

I think an application end user is not meant to visit the keycloak root page, so this step makes sense only for sys admins, IMO.

While being a sys admin, you could load the account management page directly by its URL, without the need of going to the root page first, so I don't see very much inconvenience in that, actually.

Regards

Sent from my Sony Xperia™ phone

---- Byte Flinger wrote ----

> It seems one is expected to put in place some sort of welcome page in keycloak, the one that is under /auth (which by default has an admin page link and a few others to the keycloak website).
>
> I'd be pretty happy just setting the account management page as the default landing welcome page and letting admins go to the admin page directly if they want to. Is there any way of doing that, making the app redirect to the account management page if you go to the keycloak app root address without having a 2 step process where the user first goes to a welcome page and then clicks a link from there to the account management page?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From michael_furman at hotmail.com Thu Dec 1 02:26:54 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 1 Dec 2016 07:26:54 +0000
Subject: [keycloak-user] Clarification regarding authentication flows
Message-ID:

Hi,

What type of authentication flow is used for the realm REST API authentication? The browser flow?

What type of authentication flow is used to obtain the access token?
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/admin-rest-api.html
The Direct Grant Flow?

Regards,
Michael

From byteflinger at gmail.com Thu Dec 1 02:30:55 2016
From: byteflinger at gmail.com (Byte Flinger)
Date: Thu, 01 Dec 2016 07:30:55 +0000
Subject: [keycloak-user] How to set account management as welcome page
In-Reply-To: <7sggflj5afed49138dvrjpt5.1480572387240@email.android.com>
References: <7sggflj5afed49138dvrjpt5.1480572387240@email.android.com>
Message-ID:

Hi

Maybe that's the way it is meant to work. Since most users going to keycloak won't be admins I was hoping to have it take you to the account management directly so the user can simply type "keycloak.mydomain.com".

Maybe I should map some other dns like user.mydomain.com to the account management page instead.

Thanks for the input. If it is at all possible to do what I wrote in the original email I'd still like to know how, but I think I have a better understanding of the issue.

On Thu, 1 Dec 2016, 07:08 Amaeztu, wrote:

> Hello byte,
>
> I think an application end user is not meant to visit the keycloak root page, so this step makes sense only for sys admins, IMO.
>
> While being a sys admin, you could load the account management page directly by its URL, without the need of going to the root page first, so I don't see very much inconvenience in that, actually.
>
> Regards
>
> Sent from my Sony Xperia™ phone
>
> ---- Byte Flinger wrote ----
>
> It seems one is expected to put in place some sort of welcome page in keycloak, the one that is under /auth (which by default has an admin page link and a few others to the keycloak website).
>
> I'd be pretty happy just setting the account management page as the default landing welcome page and letting admins go to the admin page directly if they want to. Is there any way of doing that, making the app redirect to the account management page if you go to the keycloak app root address without having a 2 step process where the user first goes to a welcome page and then clicks a link from there to the account management page?

From amaeztu at tesicnor.com Thu Dec 1 02:34:02 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Thu, 1 Dec 2016 08:34:02 +0100
Subject: [keycloak-user] How to set account management as welcome page
In-Reply-To:
References: <7sggflj5afed49138dvrjpt5.1480572387240@email.android.com>
Message-ID: <60156289-8c82-f8d6-9a51-fc053b0c5493@tesicnor.com>

Hello,

Don't know if it's possible, though I don't think so, but that could be answered by some member of the development team. As you said, if you specifically want to have some other url showing the account management page, just put a proxy in front of keycloak and make it proxy-pass to the destination page.

Regards

On 01/12/2016 8:30, Byte Flinger wrote:

> Hi
>
> Maybe that's the way it is meant to work. Since most users going to keycloak won't be admins I was hoping to have it take you to the account management directly so the user can simply type "keycloak.mydomain.com".
>
> Maybe I should map some other dns like user.mydomain.com to the account management page instead.
>
> Thanks for the input. If it is at all possible to do what I wrote in the original email I'd still like to know how, but I think I have a better understanding of the issue.
>
> On Thu, 1 Dec 2016, 07:08 Amaeztu, wrote:
>
> Hello byte,
>
> I think an application end user is not meant to visit the keycloak root page, so this step makes sense only for sys admins, IMO.
>
> While being a sys admin, you could load the account management page directly by its URL, without the need of going to the root page first, so I don't see very much inconvenience in that, actually.
>
> Regards
>
> Sent from my Sony Xperia™ phone
>
> ---- Byte Flinger wrote ----
>
> It seems one is expected to put in place some sort of welcome page in keycloak, the one that is under /auth (which by default has an admin page link and a few others to the keycloak website).
>
> I'd be pretty happy just setting the account management page as the default landing welcome page and letting admins go to the admin page directly if they want to. Is there any way of doing that, making the app redirect to the account management page if you go to the keycloak app root address without having a 2 step process where the user first goes to a welcome page and then clicks a link from there to the account management page?

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E
31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's responsibility.

From byteflinger at gmail.com Thu Dec 1 02:41:52 2016
From: byteflinger at gmail.com (Byte Flinger)
Date: Thu, 01 Dec 2016 07:41:52 +0000
Subject: [keycloak-user] Not able to create user if firstName is read-only
Message-ID:

I have set up a keycloak with a PostgreSQL db and also included ldap as user federation. I tried setting the firstName (mapped to the cn attribute) to read-only, but I realised that if one does that, you cannot create a user; trying to add a new user fails.

I expected that setting the attribute read-only meant the user is not able to change it on the account management page; however, an admin should be able to do so (at least when creating the user, since otherwise that makes for a broken flow, as you have to make it writable before creating a new user and then back to read-only again every time).

Is this a bug? I have not tested registration but suspect that it won't work either.

From Dimitrios.Gkazgkas at tangoservices.lu Thu Dec 1 03:50:31 2016
From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST))
Date: Thu, 1 Dec 2016 08:50:31 +0000
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To:
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com> <6308da08-9f12-d162-3ede-05908b6f1fad@merit.unu.edu> <1480365935048-1668.post@n6.nabble.com>
Message-ID:

Thank you. We will try to use the same workaround.

Br
Dimitrios Gkazgkas
IT Solutions Architect

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of lists
Sent: 28 November 2016 21:53
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] multiple ldap servers (failover)

Hi,

I did not file an issue, but instead worked around it by using HAproxy on the keycloak server:

- make keycloak talk to haproxy on ldaps://localhost:636
- make haproxy connect to our three ldap backend servers.

As I am using this on most of our other servers as well, it actually makes our config more standard, plus: haproxy keeps a log of backend servers coming up and going down, so you know at all times what is going on.

Perhaps this solution works for you too.

Best,
MJ

On 28-11-2016 21:45, dimitrios.gkazgkas wrote:
> Hello, what is the status of this issue?
>
> Because I can confirm that during a network outage, when one LDAP went down (the first one configured in the connection URL), the Keycloak server hung.
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-multiple-ldap-servers-failover-tp1567p1668.html
> Sent from the keycloak-user mailing list archive at Nabble.com.

From mstrukel at redhat.com Thu Dec 1 06:18:34 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 1 Dec 2016 12:18:34 +0100
Subject: [keycloak-user] Creating a user by rest api
In-Reply-To:
References:
Message-ID:

Your URL doesn't look right. It should be more like:

http://localhost:8080/auth/admin/realms/servlet-authz/users

But then if you want to do this from shell via curl you need to first obtain an authentication token. For example, take a look at:

http://lists.jboss.org/pipermail/keycloak-user/2016-July/006793.html

There is an Admin CLI coming soon that will simplify this a lot.

On Wed, Nov 30, 2016 at 5:28 PM, Celso Agra wrote:

> Hi all,
>
> I'm configuring keycloak to perform some actions with the rest api. I'm trying to create a user using the register action (like the register page), but when I call the rest api:
>
> curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
>   -d '{"username": "bburke", "enabled": true, "email": "bburke@redhat.com", "firstName": "Bill", "lastName": "Burke", "credentials": [{"type": "password", "value": "password"}], "realmRoles": ["user", "offline_access"], "clientRoles": {"account": ["manage-account"]}}' \
>   http://localhost:8080/admin/realms/servlet-authz/users
>
> I got a 404 error. Would it be possible to create a user just using the rest API?
>
> Thank you.
>
> best regards,
>
> Celso Agra.

From celso.agra at gmail.com Thu Dec 1 07:09:21 2016
From: celso.agra at gmail.com (Celso Agra)
Date: Thu, 1 Dec 2016 09:09:21 -0300
Subject: [keycloak-user] Creating a user by rest api
In-Reply-To:
References:
Message-ID:

I understand. I was looking for something to simulate the register page action, so users can register themselves without being authenticated.

An Admin CLI will be useful for me. That's great news!

Thanks for your help!

2016-12-01 8:18 GMT-03:00 Marko Strukelj:

> Your URL doesn't look right. It should be more like:
> http://localhost:8080/auth/admin/realms/servlet-authz/users
>
> But then if you want to do this from shell via curl you need to first obtain an authentication token. For example, take a look at:
> http://lists.jboss.org/pipermail/keycloak-user/2016-July/006793.html
>
> There is an Admin CLI coming soon that will simplify this a lot.
>
> On Wed, Nov 30, 2016 at 5:28 PM, Celso Agra wrote:
>
>> Hi all,
>>
>> I'm configuring keycloak to perform some actions with the rest api. I'm trying to create a user using the register action (like the register page), but when I call the rest api:
>>
>> curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
>>   -d '{"username": "bburke", "enabled": true, "email": "bburke@redhat.com", "firstName": "Bill", "lastName": "Burke", "credentials": [{"type": "password", "value": "password"}], "realmRoles": ["user", "offline_access"], "clientRoles": {"account": ["manage-account"]}}' \
>>   http://localhost:8080/admin/realms/servlet-authz/users
>>
>> I got a 404 error. Would it be possible to create a user just using the rest API?
>>
>> Thank you.
>>
>> best regards,
>>
>> Celso Agra.

--
Celso Agra

From ushanas at gmail.com Thu Dec 1 07:48:01 2016
From: ushanas at gmail.com (Ushanas Shastri)
Date: Thu, 1 Dec 2016 18:18:01 +0530
Subject: [keycloak-user] Authorization services are inefficient in Evaluation UI and in Evaluation API.
In-Reply-To:
References:
Message-ID:

Hello,

We have an instance of KeyCloak, set up with SQL Server as the database. For authorization, we have about 58 resources, 450 scopes and around 500 scope based permissions.

We face the following issues:

a. In the Evaluation UI in the administration console, all drop downs for resources, scopes etc. are populated on page load. In each drop down, on inspecting the network tab, it appears that for populating drop downs, the amount of data returned is much more than what the drop downs need. For e.g. the Scopes drop down should contain data only for the 9 scopes, but the service returns all resources and permissions as well, I think. This makes the page load extremely slow.

b. When we evaluate a permission via the API or via the evaluation UI, it takes several minutes to check permissions for one resource and scope, which is pretty slow.

c. All Administrative UI pages, such as the lists of resources, scopes and permissions, get slower as we add more. There isn't any paging on any of them, and they load all content on page load.

We have tried to replace SQL Server with MongoDB but have not seen any major improvements.

Is there a way to make the evaluation API faster? I believe the administration UI issues will require code changes. Should I file a JIRA?

Regards, Ushanas.

From ushanas at gmail.com Thu Dec 1 09:01:26 2016
From: ushanas at gmail.com (Ushanas Shastri)
Date: Thu, 1 Dec 2016 19:31:26 +0530
Subject: [keycloak-user] KeyCloak requires a restart when it loses SQL connection.
In-Reply-To:
References:
Message-ID:

Hello,

We have KeyCloak set up with SQL Server.

Whenever we restart the SQL Server service, KeyCloak does not work anymore until it is restarted too. Is this expected behavior?

Ideally, KeyCloak should automatically connect once the server is up?

Regards, Ushanas.

From bburke at redhat.com Thu Dec 1 09:08:21 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 1 Dec 2016 09:08:21 -0500
Subject: [keycloak-user] Not able to create user if firstName is read-only
In-Reply-To:
References:
Message-ID:

On 12/1/16 2:41 AM, Byte Flinger wrote:
> I have set up a keycloak with a PostgreSQL db and also included ldap as user federation. I tried setting the firstName (mapped to the cn attribute) to read-only, but I realised that if one does that, you cannot create a user; trying to add a new user fails.

Fails where? In the registration screen? Or the admin console?

> I expected that setting the attribute read-only meant the user is not able to change it on the account management page; however, an admin should be able to do so (at least when creating the user, since otherwise that makes for a broken flow, as you have to make it writable before creating a new user and then back to read-only again every time).

Read only means that you can't edit ldap. It will instead update the local import.

> Is this a bug? I have not tested registration but suspect that it won't work either.

Looks like a "feature" to me.

Bill

From Tomas.GRMAN at orange.com Thu Dec 1 09:12:19 2016
From: Tomas.GRMAN at orange.com (GRMAN, Tomas)
Date: Thu, 1 Dec 2016 14:12:19 +0000
Subject: [keycloak-user] Keycloak impersonate
Message-ID:

Hi Marek,

is it possible to disable (or completely remove) the Keycloak impersonate function? I understand that it is a nice feature for troubleshooting, but in our case (for one security sensitive app) it represents a big issue, because an admin can access sensitive data as the impersonated user.

I found that it is possible to manage that using a dedicated role (impersonation), but in our case it is not sufficient (it could be added directly in the database, I guess).

Thanks for any advice.

Tomas

From chris.savory at edlogics.com Thu Dec 1 10:08:12 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Thu, 1 Dec 2016 15:08:12 +0000
Subject: [keycloak-user] Does refreshing the token extend the session?
In-Reply-To:
References: <2D96A84A-E0D9-4945-A098-5D56D3D1CDFD@edlogics.com>
Message-ID:

Bill,

When a token refresh is performed or a new token is generated via a "check-sso", is the SSO Session extended? If not, how can we extend the SSO Session from an Angular client using the JS adapter?

--
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

On 11/29/16, 7:12 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke" wrote:

    There is an idle timeout and a max session lifespan and an access token timeout. I don't think we check the max session lifespan when generating a token, so an access token might be active for access token timeout + max session lifespan.

    On 11/29/16 6:36 PM, Chris Stephens wrote:
    > We have an angular app and are using the keycloak js adapter. We refresh the token if it expires within 5 seconds. We also refresh the token every 15 minutes. Our users can jump in and out of our angular app. When they come back in, the initialization logic goes to the keycloak server to make sure they are logged in. What our QA team is telling us is that after 2-3 hours of clicking on the site the user is no longer logged in, but some of the calls with bearer tokens still go through. We need to know if refreshing the token or doing the 'check-sso' extends the session.
    >
    > Christopher Stephens

From bburke at redhat.com Thu Dec 1 10:16:57 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 1 Dec 2016 10:16:57 -0500
Subject: [keycloak-user] Does refreshing the token extend the session?
In-Reply-To:
References: <2D96A84A-E0D9-4945-A098-5D56D3D1CDFD@edlogics.com>
Message-ID:

The idle timeout is refreshed whenever a token refresh is executed (or whenever a successful SAML or OIDC login request happens). The max timeout of the session is static though and never changing.

On 12/1/16 10:08 AM, Chris Savory wrote:
> Bill,
>
> When a token refresh is performed or a new token is generated via a "check-sso", is the SSO Session extended? If not, how can we extend the SSO Session from an Angular client using the JS adapter?
>
> --
> Christopher Savory
> Software Engineer | EdLogics
> www.edlogics.com
>
> On 11/29/16, 7:12 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke" wrote:
>
>     There is an idle timeout and a max session lifespan and an access token timeout. I don't think we check the max session lifespan when generating a token, so an access token might be active for access token timeout + max session lifespan.
>
>     On 11/29/16 6:36 PM, Chris Stephens wrote:
>     > We have an angular app and are using the keycloak js adapter. We refresh the token if it expires within 5 seconds. We also refresh the token every 15 minutes. Our users can jump in and out of our angular app. When they come back in, the initialization logic goes to the keycloak server to make sure they are logged in. What our QA team is telling us is that after 2-3 hours of clicking on the site the user is no longer logged in, but some of the calls with bearer tokens still go through. We need to know if refreshing the token or doing the 'check-sso' extends the session.
>     >
>     > Christopher Stephens

From bburke at redhat.com Thu Dec 1 10:19:33 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 1 Dec 2016 10:19:33 -0500
Subject: [keycloak-user] KeyCloak requires a restart when it loses SQL connection.
In-Reply-To:
References:
Message-ID: <9fdd0c19-20ae-893e-b1da-af8792028204@redhat.com>

This is a Wildfly/JBoss issue, so check the Wildfly/JBoss manual. There should be settings on the datasource configuration to handle this scenario.

On 12/1/16 9:01 AM, Ushanas Shastri wrote:
> Hello,
>
> We have KeyCloak set up with SQL Server.
>
> Whenever we restart the SQL Server service, KeyCloak does not work anymore until it is restarted too. Is this expected behavior?
>
> Ideally, KeyCloak should automatically connect once the server is up?
>
> Regards, Ushanas.

From RLaghuvaram at contractor.lb.com Thu Dec 1 10:38:54 2016
From: RLaghuvaram at contractor.lb.com (Laghuvaram, Raghu)
Date: Thu, 1 Dec 2016 15:38:54 +0000
Subject: [keycloak-user] Validate Token on IDP
Message-ID:

I am trying to validate the token (Access Token) using the URL /auth/realms//protocol/openid-connect/validate?access_token= but I am getting 404 all the time. I am using 2.3.0 Final; is the token validate URL still valid?

Thanks,
Raghu.

From tecnologia at growingup.com.co Thu Dec 1 10:47:29 2016
From: tecnologia at growingup.com.co (tecnologia at growingup.com.co)
Date: Thu, 1 Dec 2016 10:47:29 -0500
Subject: [keycloak-user] How can I use keycloak-admin-client in Apache Tomcat
Message-ID: <001d01d24bea$3a35f1d0$aea1d570$@growingup.com.co>

Hello,

How can I use keycloak-admin-client in Apache TomEE 7.0.2? Below are the specifications:

Apache TomEE 7.0.2 -> Apache Tomcat 8.5.6
JAX-RS - Apache CXF (I understand that resteasy is needed)
JAX-WS - Apache CXF
keycloak-admin-client

Does it only work on a wildfly server?
From thomas.darimont at googlemail.com Thu Dec 1 11:22:29 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Thu, 1 Dec 2016 17:22:29 +0100 Subject: [keycloak-user] KeyCloak requires a restart when it loses SQL connection. In-Reply-To: <9fdd0c19-20ae-893e-b1da-af8792028204@redhat.com> References: <9fdd0c19-20ae-893e-b1da-af8792028204@redhat.com> Message-ID: Hello, the following jboss-cli script fragment works for me (for postgres): echo SETUP: Configure Keycloak Datasource KeycloakDS /subsystem=datasources/data-source=KeycloakDS/:remove data-source add --jndi-name=java:jboss/datasources/KeycloakDS --name=KeycloakDS --connection-url=${env.JDBC_URL} --driver-name=${env.JDBC_DRIVERNAME:postgres} --user-name=${env.JDBC_USER:keycloak} --password=${env.JDBC_PASSWORD:keycloak} /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=min-pool-size,value=5) /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=20) /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=background-validation,value=true) /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=check-valid-connection-sql,value="select 1") /subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=background-validation-millis,value=120000) Cheers, Thomas 2016-12-01 16:19 GMT+01:00 Bill Burke : > This is a Wildfly/JBoss issue so check Wildfly/JBoss manual. There > should be settings on datasource configuration to handle this scenario. > > > On 12/1/16 9:01 AM, Ushanas Shastri wrote: > > Hello, > > > > We have KeyCloak setup with SQL Server. > > > > Whenever we restart SQL Server service, KeyCloak does not work anymore > > until it is restarted too. Is this expected behavior? > > > > Ideally, KeyCloak should automatically connect once the server is up? > > > > Regards, Ushanas. 
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From tecnologia at growingup.com.co Thu Dec 1 11:03:46 2016 From: tecnologia at growingup.com.co (tecnologia at growingup.com.co) Date: Thu, 1 Dec 2016 11:03:46 -0500 Subject: [keycloak-user] How i can use keycloak-admin-client in Apache Tomcat In-Reply-To: <001d01d24bea$3a35f1d0$aea1d570$@growingup.com.co> References: <001d01d24bea$3a35f1d0$aea1d570$@growingup.com.co> Message-ID: <002901d24bec$80091690$801b43b0$@growingup.com.co> Additional info: Dependencies added to my project: org.keycloak keycloak-admin-client 2.4.0.Final org.jboss.resteasy resteasy-jaxrs 3.0.19.Final org.jboss.resteasy resteasy-client 3.0.19.Final org.jboss.resteasy resteasy-jackson2-provider 3.0.19.Final When i test Keycloak connection: String authServer = UriUtils.getOrigin("http://localhost:8080") + "/auth"; Keycloak keycloak = Keycloak.getInstance(authServer, "example", "examples-admin-client", "password", "examples-admin-client", "password"); ClientsResource clients = keycloak.realm("example").clients(); An exception is thrown: Dec 01, 2016 10:50:32 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [Faces Servlet] in context with path [/sis] threw exception [Error processing webservice request] with root cause java.lang.NullPointerException at org.apache.openejb.server.cxf.rs.CxfRsHttpListener.doInvoke(CxfRsHttpListener.java:251) at org.apache.tomee.webservices.CXFJAXRSFilter.doFilter(CXFJAXRSFilter.java:94) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) -----Mensaje original----- De: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] En nombre de tecnologia at growingup.com.co Enviado el: jueves, 01 de diciembre de 2016 10:47 Para: 'keycloak-user' Asunto: [keycloak-user] How i can use keycloak-admin-client in Apache Tomcat Hello, How i can use keycloak-admin-client in Apache TomEE 7.0.2? Below the specifications: Apache TomEE 7.0.2 -> Apache Tomcat 8.5.6 JAX-RS - Apache CXF (I understand that resteasy is needed) JAX-WS - Apache CXF keycloak-admin-client ?Does it only work on a wildfly server? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From nsrikar at yahoo.com Thu Dec 1 13:23:06 2016 From: nsrikar at yahoo.com (Srikar Nuvvula) Date: Thu, 1 Dec 2016 18:23:06 +0000 (UTC) Subject: [keycloak-user] Social Login Fails References: <541291552.4545132.1480616586095.ref@mail.yahoo.com> Message-ID: <541291552.4545132.1480616586095@mail.yahoo.com> Hi, I am new to using keycloak. ?I am trying to get social login work with my angularjs app but I am having issues that I can't see to get over. Here are steps I followed but login failed. 1. Setup facebook auth provider in keycloak2. Created client id with public type in keyclock3. Setup an app in facebook and populated redirect url which is (http://localhost:8080/auth/realms/faceauth/broker/facebook/endpoint)4. Extracted clientid and secrect from facebook app and populated it on facebook id provider in keycloak?5. 
Using keycloack js adapter I invoked the login call (uses the following code) ***************************************************************************// on every request, authenticate user firstangular.element(document).ready(() => { window._keycloak = window._keycloak = Keycloak('keycloak/keycloak.json');//new Keycloak({ url: 'http://localhost:8080/auth', realm: 'faceauth', clientId: 'facedemo' }); window._keycloak.init({ onLoad: 'login-required' }) .success((authenticated) => { if(authenticated) { window._keycloak.loadUserProfile().success(function(profile){ angular.bootstrap(document, ['keycloak-tutorial']); // manually bootstrap Angular }); } else { window.location.reload(); } }) .error(function () { alert("auth failed") //window.location.reload(); });});********************************************************************************6. I am presented facebook login when I key in the details and login the control comes back to my app on localhost but goes into error block and displays "auth failed" message.? I don't know what's happening. ?I don't have any more error information to debug. ?What's the best way to understand what's going on? ?Please help. Thanks much From tsdgcc2087 at outlook.com Thu Dec 1 14:31:32 2016 From: tsdgcc2087 at outlook.com (Matt H) Date: Thu, 1 Dec 2016 19:31:32 +0000 Subject: [keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter Message-ID: I have a suite of spring applications that are using keycloak for authentication. I'm using the Keycloak spring security adapter and have my successfully secured the endpoints that I want to. I have situations where I need Application A to make a call to a secured endpoint on Application B. I am able to do this client to client communication by using the KeycloakRestTemplate but only when a user calls Application A with a valid token. Application A also has a process that will call Application B without user interaction. 
When this is done I get an error "java.lang.IllegalStateException: Cannot set authorization header because there is no authenticated principal". This makes sense since I don't have a valid user token. Application A and Application B use the same client in keycloak and it is set to be a confidential client. I have tried it with and without having service accounts enabled. Some questions I have are: 1. How do I have applications (not users) call a secured REST endpoint? 2. Do the provided keycloak adapters (like the spring security adapter) provide this functionality? 3. Do I need an additional client account to do this? 4. Are there any libraries that handle refreshing these tokens or automatically obtaining one if it doesn't exist? I see lots of examples on how a user can access a secured service, but not much on an application accessing a secured service. From mariopeck41 at gmail.com Thu Dec 1 15:44:49 2016 From: mariopeck41 at gmail.com (Mario Peck) Date: Thu, 1 Dec 2016 15:44:49 -0500 Subject: [keycloak-user] Keycloak Even when user is authenticated Message-ID: I am working on a web application (war) that uses keycloak for authentication/roles. The application is running on Wildfly 10. Using the wildfly keycloak adapter. I need to listen/detect when a user is authenticated by keycloak. There is some work the application must perform when a user is logged in for the first time. Is there some event (Observable message) , or some type of listener that I can register to get notified of this? (when a user is authenticated). Thanks to any tips/help Mario From michael.anthon at infoview.com.au Thu Dec 1 16:08:27 2016 From: michael.anthon at infoview.com.au (Michael Anthon) Date: Thu, 1 Dec 2016 21:08:27 +0000 Subject: [keycloak-user] 2.4.0 Unable to register new user when LDAP is enabled Message-ID: We have recently upgraded to 2.4.0 and are currently unable to create new users while LDAP is enabled. Stack trace below. 
The LDAP provider is configured with "Sync Registrations" turned off but this option seems to be ignored? Any advice on this would be appreciated.

Thanks,
Michael

20:30:20,205 ERROR [io.undertow.request] (default task-6) UT005023: Exception handling request to /auth/admin/realms/identify/users: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalStateException: Registration is not supported by this ldap server
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Registration is not supported by thi
    at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProv
    at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.ja
    at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCac
    at org.keycloak.models.UserFederationManager.addUser(UserFederationManag
    at org.keycloak.services.resources.admin.UsersResource.createUser(UsersR
    at sun.reflect.GeneratedMethodAccessor795.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resource
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodIn
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispa
    ... 37 more

From spoore at redhat.com Thu Dec 1 16:21:23 2016
From: spoore at redhat.com (Scott Poore)
Date: Thu, 1 Dec 2016 16:21:23 -0500 (EST)
Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
In-Reply-To: <800519605.1431576.1480623977232.JavaMail.zimbra@redhat.com>
Message-ID: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com>

Hi,

I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using the SSSD Provider. I am following the Server Administration Guide but I'm hitting some error. I'm not sure if it's a bug or a configuration issue on my part.

This is the link I was following:

https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html

The difference in setup though is that I'm not using the docker image. Instead I'm using a separate FreeIPA Master server that I have setup as a separate VM.
I have confirmed that SSSD-DBUS is working:

[root at idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17 reply_serial=2
   array [
      string "ipausers"
   ]

For the SP, I setup a basic Apache setup with mod_auth_mellon using

keycloak-httpd-client-install \
  --client-originate-method registration \
  --keycloak-server-url https://idp.keycloak.test:8443 \
  --keycloak-admin-username admin \
  --keycloak-admin-password PASSWORD \
  --app-name testapp \
  --keycloak-realm test_realm \
  --mellon-root mroot \
  --mellon-protected-locations "/mroot/private" \
  --force

When I try to login to the SP, it redirects as expected to the Keycloak server and waits for a while before returning:

Internal Server Error

From the httpd access log I can see:

192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"

From the admin console, I can see what appears to be an active session for the client.

From the Keycloak server.log I can see:

2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
2016-12-01 14:14:31,578 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e

Leaving out the traceback for brevity. I can send that if needed/wanted.

When I logout the session and set SSSD debug_level to 9 and restart sssd, keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can provide the SSSD logs if it helps.

So, how do I go about troubleshooting this issue? Are there any steps missing from the SSSD Provider doc?

Thanks,
Scott

--
Scott Poore
Principal Quality Assurance Engineer
Red Hat, Inc.

From bburke at redhat.com Thu Dec 1 16:35:31 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 1 Dec 2016 16:35:31 -0500
Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
In-Reply-To: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com>
References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com>
Message-ID:

Can you run your example without SSSD?
Isolate the problem to make sure that it's not an SP configuration issue first. As far as SSSD setup goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in.

On 12/1/16 4:21 PM, Scott Poore wrote:
> Hi,
>
> I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using the SSSD Provider. I am following the Server Administration Guide but, I'm hitting some error. I'm not sure if it's a bug or a configuration issue on my part.
>
> This is the link I was following:
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
>
> The difference in setup though is that I'm not using the docker image. Instead I'm using a separate FreeIPA Master server that I have setup as a separate VM. I have confirmed that SSSD-DBUS is working:
>
> [root at idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17 reply_serial=2
>    array [
>       string "ipausers"
>    ]
>
> For the SP, I setup a basic Apache setup with mod_auth_mellon using
>
> keycloak-httpd-client-install \
>   --client-originate-method registration \
>   --keycloak-server-url https://idp.keycloak.test:8443 \
>   --keycloak-admin-username admin \
>   --keycloak-admin-password PASSWORD \
>   --app-name testapp \
>   --keycloak-realm test_realm \
>   --mellon-root mroot \
>   --mellon-protected-locations "/mroot/private" \
>   --force
>
> When I try to login to the SP, it redirects as expected to the Keycloak server and waits for a while before returning:
>
> Internal Server Error
>
> From the httpd access log I can see:
>
> 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
>
> From the admin console, I can see what appears to be an active session for the client.
>
> From the Keycloak server.log I can see:
>
> 2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> 2016-12-01 14:14:31,578 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
> 2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
> 2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
> 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
>
> Leaving out the traceback for brevity. I can send that if needed/wanted.
>
> When I logout the session and set SSSD debug_level to 9 and restart sssd, keycloak, and httpd (on the SP), I do see SSSD looking up the user.
> I can provide the SSSD logs if it helps.
>
> So, how do I go about troubleshooting this issue? Are there any steps missing from the SSSD Provider doc?
>
> Thanks,
> Scott

From sblanc at redhat.com Thu Dec 1 16:45:16 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 1 Dec 2016 22:45:16 +0100
Subject: [keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter
In-Reply-To:
References:
Message-ID:

(including mailing list)

On Thu, Dec 1, 2016 at 8:31 PM, Matt H wrote:
> I have a suite of spring applications that are using keycloak for authentication. I'm using the Keycloak spring security adapter and have my successfully secured the endpoints that I want to. I have situations where I need Application A to make a call to a secured endpoint on Application B. I am able to do this client to client communication by using the KeycloakRestTemplate but only when a user calls Application A with a valid token.
>
> Application A also has a process that will call Application B without user interaction. When this is done I get an error "java.lang.IllegalStateException: Cannot set authorization header because there is no authenticated principal". This makes sense since I don't have a valid user token.
>
> Application A and Application B use the same client in keycloak and it is set to be a confidential client. I have tried it with and without having service accounts enabled.

When you say "with service accounts enabled", have you followed all the instructions from here https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html , meaning also calling the /{server-root-usualy-auth}/realms/{realm-name}/protocol/openid-connect/token endpoint in order to retrieve a valid token ?

> Some questions I have are:
>
> 1. How do I have applications (not users) call a secured REST endpoint?
>
> 2. Do the provided keycloak adapters (like the spring security adapter) provide this functionality?
>
> 3. Do I need an additional client account to do this?
>
> 4. Are there any libraries that handle refreshing these tokens or automatically obtaining one if it doesn't exist?
>
> I see lots of examples on how a user can access a secured service, but not much on an application accessing a secured service.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From tsdgcc2087 at outlook.com Thu Dec 1 16:58:42 2016
From: tsdgcc2087 at outlook.com (Matt H)
Date: Thu, 1 Dec 2016 21:58:42 +0000
Subject: [keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter
In-Reply-To:
References:
Message-ID:

Yes, I was looking at that guide. I knew how to go to the keycloak token endpoint and get a token. I wasn't sure if this is the way it needed to be done, or if it could be done through the provided adapters. When the adapters are already being used, and it knows of your client and secret already, it seemed like a lot of overhead to go out to keycloak some other way and make sure that token is not expired (along with re-issuing a token logic), then make the call. If this is the required way, that's fine.

________________________________
From: Sebastien Blanc
Sent: Thursday, December 1, 2016 3:45 PM
To: Matt H
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter

(including mailing list)

On Thu, Dec 1, 2016 at 8:31 PM, Matt H wrote:

I have a suite of spring applications that are using keycloak for authentication. I'm using the Keycloak spring security adapter and have my successfully secured the endpoints that I want to. I have situations where I need Application A to make a call to a secured endpoint on Application B.
I am able to do this client to client communication by using the KeycloakRestTemplate but only when a user calls Application A with a valid token.

Application A also has a process that will call Application B without user interaction. When this is done I get an error "java.lang.IllegalStateException: Cannot set authorization header because there is no authenticated principal". This makes sense since I don't have a valid user token.

Application A and Application B use the same client in keycloak and it is set to be a confidential client. I have tried it with and without having service accounts enabled.

When you say "with service accounts enabled", have you followed all the instructions from here https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html , meaning also calling the /{server-root-usualy-auth}/realms/{realm-name}/protocol/openid-connect/token endpoint in order to retrieve a valid token ?

Some questions I have are:

1. How do I have applications (not users) call a secured REST endpoint?

2. Do the provided keycloak adapters (like the spring security adapter) provide this functionality?

3. Do I need an additional client account to do this?

4. Are there any libraries that handle refreshing these tokens or automatically obtaining one if it doesn't exist?

I see lots of examples on how a user can access a secured service, but not much on an application accessing a secured service.
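The flow Sebastien points to, as an added example (it is neither a post from this thread nor Keycloak project code): a confidential client authenticates itself to /realms/{realm}/protocol/openid-connect/token with HTTP Basic (client id and secret) and grant_type=client_credentials, caches the returned access_token until shortly before expires_in runs out, and sends it as a Bearer header to Application B. That covers Matt's questions 1 and 4. The same client-authenticated form POST also serves the token-introspection thread further down in this digest (Stian: the introspecting client must be confidential), so the example includes an introspect() call against /token/introspect rather than repeating the helper there. Everything concrete is assumed for illustration: the server https://sso.example.test/auth, realm "demo", client "app-a" with secret "s3cr3t", and FakeKeycloak, a constructed stand-in for the two endpoints so the script runs offline.

```python
"""Service-to-service calls against Keycloak without a logged-in user.

Added example for the thread above; not the thread's or Keycloak's own code.
Assumed values: server https://sso.example.test/auth, realm "demo",
confidential client "app-a" with secret "s3cr3t". Endpoint paths are
Keycloak's standard OpenID Connect ones.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


def urllib_transport(url, headers, form):
    """Real transport: form-encoded POST, JSON reply. Swap in FakeKeycloak to run offline."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class KeycloakServiceClient:
    """Fetches and caches a client_credentials token; can also introspect tokens.

    Both calls authenticate the *client* with HTTP Basic (client_secret_basic),
    which is why the client has to be confidential: a public client has no secret.
    """

    def __init__(self, base_url, realm, client_id, client_secret,
                 transport=urllib_transport, clock=time.monotonic, skew=30):
        oidc = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
        self.token_url = oidc + "/token"
        self.introspect_url = oidc + "/token/introspect"
        creds = f"{client_id}:{client_secret}".encode()
        self._basic = "Basic " + base64.b64encode(creds).decode()
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def _post(self, url, form):
        headers = {"Authorization": self._basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        return self._transport(url, headers, form)

    def access_token(self):
        """Return the cached token, fetching a fresh one `skew` seconds before expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            resp = self._post(self.token_url, {"grant_type": "client_credentials"})
            if "access_token" not in resp:
                raise RuntimeError(f"token request failed: {resp.get('error')}")
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp["expires_in"])
        return self._token

    def auth_header(self):
        """Header to send to Application B (any Keycloak-secured resource)."""
        return {"Authorization": "Bearer " + self.access_token()}

    def introspect(self, token):
        """RFC 7662 introspection; what the router in the later thread would call."""
        return self._post(self.introspect_url, {"token": token})


class FakeKeycloak:
    """Constructed stand-in for the two endpoints so the example runs offline."""

    def __init__(self):
        self.issued = 0

    def __call__(self, url, headers, form):
        if not headers.get("Authorization", "").startswith("Basic "):
            return {"error": "invalid_client"}        # no client auth: rejected
        if url.endswith("/token") and form.get("grant_type") == "client_credentials":
            self.issued += 1
            return {"access_token": f"tok-{self.issued}", "expires_in": 300,
                    "token_type": "bearer"}
        if url.endswith("/token/introspect"):
            return {"active": form.get("token", "").startswith("tok-")}
        return {"error": "unsupported_grant_type"}


def demo():
    """Exercise caching, early refresh and introspection; returns what happened."""
    clock = [1000.0]                                  # controllable monotonic clock
    fake = FakeKeycloak()
    client = KeycloakServiceClient("https://sso.example.test/auth", "demo",
                                   "app-a", "s3cr3t", transport=fake,
                                   clock=lambda: clock[0], skew=30)
    first = client.access_token()
    second = client.access_token()                    # still valid: served from cache
    clock[0] += 280                                   # inside the 30 s skew window
    third = client.access_token()                     # refreshed before real expiry
    return {
        "first": first, "second": second, "third": third, "issued": fake.issued,
        "header": client.auth_header(),
        "valid": client.introspect(third)["active"],
        "forged": client.introspect("not-a-token")["active"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To talk to a real server, construct KeycloakServiceClient without the transport argument; the secret then travels in the Authorization header of every token and introspection request, so it belongs in the process environment rather than in the code or the repository. The early refresh is deliberate: a token that is valid when fetched but expires in transit produces a 401 on Application B that is hard to tell apart from a misconfiguration.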
From spoore at redhat.com Thu Dec 1 20:29:16 2016
From: spoore at redhat.com (Scott Poore)
Date: Thu, 1 Dec 2016 20:29:16 -0500 (EST)
Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
In-Reply-To:
References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com>
Message-ID: <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Bill Burke"
> To: keycloak-user at lists.jboss.org
> Sent: Thursday, December 1, 2016 3:35:31 PM
> Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
>
> Can you run your example without SSSD? Isolate the problem to make sure that its not an SP configuration issue first. As far as SSSD setup goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in.

I tried adding a user to the existing setup from the admin console and I see an error and then I see this in the server.log:

Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's attributes. Check if SSSD service is active.

I can't delete the sssd provider though because of this bug:

https://issues.jboss.org/browse/KEYCLOAK-3902

I started over fresh without the SSSD Provider setup. It does appear that I'm not able to even authenticate as a user created from the admin console. I've bumped logging up to info on both Keycloak and httpd on the SP but, I still don't see much there.

Any suggestion on where to go from here?

Thanks,
Scott

>
> On 12/1/16 4:21 PM, Scott Poore wrote:
> > Hi,
> >
> > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using the SSSD Provider. I am following the Server Administration Guide but, I'm hitting some error. I'm not sure if it's a bug or a configuration issue on my part.
> >
> > This is the link I was following:
> >
> > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
> >
> > The difference in setup though is that I'm not using the docker image. Instead I'm using a separate FreeIPA Master server that I have setup as a separate VM. I have confirmed that SSSD-DBUS is working:
> >
> > [root at idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17 reply_serial=2
> >    array [
> >       string "ipausers"
> >    ]
> >
> > For the SP, I setup a basic Apache setup with mod_auth_mellon using
> >
> > keycloak-httpd-client-install \
> >   --client-originate-method registration \
> >   --keycloak-server-url https://idp.keycloak.test:8443 \
> >   --keycloak-admin-username admin \
> >   --keycloak-admin-password PASSWORD \
> >   --app-name testapp \
> >   --keycloak-realm test_realm \
> >   --mellon-root mroot \
> >   --mellon-protected-locations "/mroot/private" \
> >   --force
> >
> > When I try to login to the SP, it redirects as expected to the Keycloak server and waits for a while before returning:
> >
> > Internal Server Error
> >
> > From the httpd access log I can see:
> >
> > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> >
> > From the admin console, I can see what appears to be an active session for the client.
> >
> > From the Keycloak server.log I can see:
> >
> > 2016-12-01 14:14:31,576 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > 2016-12-01 14:14:31,578 WARN  [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
> > 2016-12-01 14:14:31,579 WARN  [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > 2016-12-01 14:15:50,617 WARN  [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> >
> > Leaving out the traceback for brevity. I can send that if needed/wanted.
> >
> > When I logout the session and set SSSD debug_level to 9 and restart sssd, keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can provide the SSSD logs if it helps.
> >
> > So, how do I go about troubleshooting this issue? Are there any steps missing from the SSSD Provider doc?
> >
> > Thanks,
> > Scott
>

From sthorger at redhat.com Fri Dec 2 00:13:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 06:13:45 +0100
Subject: [keycloak-user] Issue Configuring HTTP Reverse Proxy to Keycloak
In-Reply-To:
References:
Message-ID:

Do you preserve the original Host header or does your proxy replace it?

On 9 November 2016 at 20:58, Colin Ritchie wrote:
> Hello,
>
> I am having trouble getting keycloak to work behind a reverse proxy.
>
> I have installed Keycloak on the same server as our existing web application running in Tomcat, with keycloak listening on 8081 and Tomcat listening on 8080. I have configured an HTTP reverse proxy in Tomcat using https://github.com/mitre/HTTP-Proxy-Servlet. I am forwarding /auth to the reverse proxy, which in turns connects to keycloak (http://localhost:8081/auth).
>
> When I visit "http://localhost:8080/auth", the first page in this scenario works: the "Welcome to Keycloak" page appears. But when I click on the "Administration Console" link, the first redirect works, to "/auth/admin/master/console". But it then quickly redirects the browser directly to the keycloak port:
>
> http://localhost:*8081*/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a36dd30e-6268-4545-9a4f-a397169917b6&nonce=79d7099d-10df-471f-96e9-b13a8da17b55&response_mode=fragment&response_type=code&scope=openid
>
> The reverse proxy sets the X-Forwarded-For and X-Forwarded-Proto headers. And I have configured keycloak according to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html, setting the proxy-address-forwarding attribute.
>
> I am also seeing, on the final redirected page, the error "Invalid parameter: redirect_uri".
>
> Any help would be very appreciated.
>
> --
> *Colin Ritchie **|* *Engineering Manager* *|* *Tasktop Technologies*

From sthorger at redhat.com Fri Dec 2 01:07:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 07:07:47 +0100
Subject: [keycloak-user] Token introspection
In-Reply-To:
References:
Message-ID:

Yes, but the client to do token introspection needs to be a confidential client

On 22 November 2016 at 14:11, venito camelas wrote:
> Is it possible to have an app making token introspection requests for tokens not issued for it? I'll try to explain:
>
> Keycloak issues tokens to be used in a specific Resource server, the RS then validates the token (self contained info or token introspection endpoint). The situation is something like this:
>
>               1               3
>        ------------ KK -------------
>        |                           |
>        |             2             |
> Client ----------------------------- RS
>
> 1 - Client gets token to use with RS
> 2 - Client uses token to make a request to RS
> 3 - RS makes a token introspection request
>
>
> Now, I want to add a router in the middle, I'd like the router to make the token introspection request (with the token issued for the RS) and then allow to go to the RS if everything is ok:
>
>                    1
>        ------------ KK ----------
>        |           |           |
>        |          3|           |
>        |     2     |     4     |
> Client ---------Router---------- RS
>
> 1 - Client gets token to use with RS
> 2 - Client uses token to make a request to RS
> 3 - Router intercepts the request and validates token (expiration and stuff like that)
> 4 - If validation is ok, the router allows the request to go to the RS, the RS then validates scopes and specific stuff.
>
>
> Thank you

From sthorger at redhat.com Fri Dec 2 01:09:08 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 07:09:08 +0100
Subject: [keycloak-user] Keycloak - force session revalidation (update?)
In-Reply-To:
References:
Message-ID:

As the user is already logged-in just do a redirect to login screen to obtain a new token. This will be more or less invisible to the user.

On 25 November 2016 at 08:42, Mariusz Chruscielewski - Info.nl <mariusz at info.nl> wrote:
> Hi,
>
> In our case, when customer pays for subscription, we add subscription number and additional role to his account in KC. During this process customer is logged in, is there a way to smoothly update his session details, to include new role (without logout/login)?
>
> We use Java adapter to secure our webapp. Is there a way to update Keycloak Context from java (API call?)
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl | LinkedIn com/in/mariusz-chruscielewski> | +31 (0)20 530 9113
>
> info.nl
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
>

From sthorger at redhat.com Fri Dec 2 01:10:20 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 07:10:20 +0100
Subject: [keycloak-user] Keycloak user registration
In-Reply-To: <58382dbf.01a8630a.a5994.2025@mx.google.com>
References: <5836bfea.c241620a.c2fa9.c175@mx.google.com> <58382dbf.01a8630a.a5994.2025@mx.google.com>
Message-ID:

The user can just visit the login screen again to have the verify email re-sent

On 25 November 2016 at 13:25, JAYAPRIYA ATHEESAN <jayapriya.atheesan at gmail.com> wrote:
> Keeping the list in loop.
>
> So how can we proceed with this?
>
> Won't we be able to verify or use that user id again?
>
> Will the user who we created and missed to verify within 60mins will be invalid always.. Isn't there anyways by which we can re verify the user?
>
> Thanks,
> Jayapriya Atheesan
>
> From: JAYAPRIYA ATHEESAN [mailto:jayapriya.atheesan at gmail.com]
> Sent: Friday, November 25, 2016 5:48 PM
> To: 'abhishek raghav'
> Subject: RE: [keycloak-user] Keycloak user registration
>
> So how can we proceed with this?
>
> Won't we be able to verify or use that user id again?
>
> Thanks,
>
> Jayapriya Atheesan
>
> From: abhishek raghav [mailto:abhi.raghav007 at gmail.com]
> Sent: Friday, November 25, 2016 2:09 AM
> To: JAYAPRIYA ATHEESAN
> Subject: Re: [keycloak-user] Keycloak user registration
>
> In your use case you are trying to verify the email of the registered user
> through a link. Since a link is already generated by keycloak as a required
> user action and sent to the user's email id that means the user is already
> created in keycloak.
>
> So you can not create that user again with the same email id.
>
> On Thu, Nov 24, 2016 at 3:54 PM, JAYAPRIYA ATHEESAN
> wrote:
>
> Hi Team,
>
> If I don't verify the email id which I signed up with keycloak and if the
> email verification link is expired, how to proceed about it.
>
> If I try to signup using the same email Id, I get an error saying mail id
> already exists.
>
> Do we have any solution for this issue?
>
> Thanks,
>
> Jayapriya Atheesan
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Fri Dec 2 01:11:12 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 07:11:12 +0100
Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend
In-Reply-To:
References:
Message-ID:

It's impossible with the SSSD integration as SSSD is currently read-only.
You can however use FreeIPA as a backend with a LDAP user federation provider instead.

On 27 November 2016 at 17:56, James James wrote:
> Hello,
>
> I want to be able to create user in the FreeIPA backend from keycloak
> registration portal .. is it possible ? For me it's impossible but I just
> want to be sure.
>
> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/sssd.html
>
> Regards.
>
> James Regis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Fri Dec 2 01:12:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 07:12:15 +0100
Subject: [keycloak-user] How to configure Keycloak in case of Reverse Proxy with NAT?
In-Reply-To:
References:
Message-ID:

See https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html

On 28 November 2016 at 05:34, Michael Furman wrote:
> Hi all,
> I need to configure Keycloak to work behind Reverse Proxy with Network
> Address Translation
> I have servers that have the external IP to access from a browser and
> internal IP for inter process access.
> Also, it is not possible to access from internal IPs to external IPs.
>
> Therefore, the following configuration should be returned upon the call of
> http://<external IP>/auth/realms/master/.well-known/openid-configuration:
>
> "issuer":"http://<external IP>/auth/realms/master",
> "authorization_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/auth",
> "token_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/token",
> "userinfo_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/userinfo",
> "jwks_uri":"http://<external IP>/auth/realms/master/protocol/openid-connect/certs",
> "end_session_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/logout",
> "check_session_iframe":"http://<external IP>/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
> "token_introspection_endpoint":"http://<external IP>/auth/realms/master/protocol/openid-connect/token/introspect",
>
> Will be happy for any insights.
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Fri Dec 2 01:13:33 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 07:13:33 +0100
Subject: [keycloak-user] Session timeouts for SPA + bearer backend
In-Reply-To:
References:
Message-ID:

Sounds like your access token is expired. You need to refresh it. See the docs for the JavaScript adapter and examples, specifically updateToken function.
On 28 November 2016 at 10:33, Andy Yar wrote:
> Hello,
> I'm having a problem with my SPA Angular based application.
>
> TL;DR
>
> The app's session seems to be valid (cookies) although requests to backend
> fail since its token has expired - openid-connect/token = HTTP 400
> (Refreshing token: token expired).
>
> =========================
>
> The app itself is protected with keycloak.js (Access Type: public +
> Standard Flow: ON + login_required) and the backend is built with Spring
> Security adapter (Access Type: bearer-only).
>
> Everything works fine until I leave the app idle for some time and then
> resume using it (requesting from backend). When I do so, the backend starts
> to respond with an error as its session had timed out - openid-connect/token
> returns 400. Although, obviously, the session for the app itself hadn't
> expired yet.
>
> As far as I know, there is for instance a KEYCLOAK_SESSION cookie which is
> checked periodically by keycloak.js. When I remove the cookie manually, it
> gets checked and the app gets redirected to its login screen.
>
> KC version used is 2.2.1.Final. My realm token settings:
> * Revoke Refresh Token: OFF
> * SSO Session Idle: 30mins
> * SSO Session Max: 6days
> * Offline Session Idle: 30days
> * Access Token Lifespan: 15mins
> * ditto for Implicit Flow: 18mins
>
> How should I set my app/token settings up to solve this? Should I just
> force my client to relog as soon as Refreshing token: token expired? Don't
> know what is the proper way to handle this...
>
> Thanks in advance.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Dec 2 01:15:37 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 2 Dec 2016 07:15:37 +0100 Subject: [keycloak-user] Access Token and email address In-Reply-To: References: Message-ID: You can remove it on a per-client basis by changing protocol mappers for the client. I think you can use a setting on the protocol mapper to make it require a scope param to view it, but not 100% sure. At the very least you'd be able to write a custom protocol mapper to do it. In the future we plan better support for scope including the ability to define custom scopes. On 28 November 2016 at 12:59, Guus der Kinderen wrote: > Hello, > > Is it possible to withhold the email address of a user from a token (unless > a specific claim/role is granted)? > > Regards, > > Guus > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Dec 2 01:24:11 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 2 Dec 2016 07:24:11 +0100 Subject: [keycloak-user] Resource server implementation best practices? In-Reply-To: References: Message-ID: Simplest would be to use roles, not scope, as Keycloak supports roles well, but has less support for scope. On the endpoint side it depends on what you are implementing it in. If it's JEE it's probably easiest to do one endpoint per-role. In general it's probably easier to have that pattern in any case. Devil is in the details though and I imagine any approach has pros/cons and you'll need to decide what works best for your case. 
On 28 November 2016 at 13:12, Guus der Kinderen wrote:
> Hello,
>
> When implementing one or more services that, based on an access token,
> expose data related to the user that's identified in the access token, is
> there a "best practice" in regards to handling the available scopes?
>
> I'm debating between having one resource server that exposes all data to
> which the token grants access, versus having a resource server "per
> claim", that either returns data, or an error code, based on the presence
> of a particular scope within the access token.
>
> Is there a common approach / best practice that covers this?
>
> Regards,
>
> Guus
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Fri Dec 2 01:26:30 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 2 Dec 2016 07:26:30 +0100
Subject: [keycloak-user] Is there a way to include a link within an error message resource?
In-Reply-To: <76d1b01d24981$18c30ad0$4a492070$@edlogics.com>
References: <76d1b01d24981$18c30ad0$4a492070$@edlogics.com>
Message-ID:

When the invalidCodeMessage is displayed we don't have the details about what the user wants to do. This should improve in the future (in 3.x at some point hopefully).

On 28 November 2016 at 15:09, Ben Quirk wrote:
> My scenario: A user requests a password reset but their link expires. When
> they click the link, they're shown an error message that comes from the
> message property: "invalidCodeMessage".
>
> Is it possible to include a new password reset link here so they can easily
> request a new one?
>
> I figured I could do this in the template, however it looks like error.tpl is
> used for all errors and the message is being rendered with
> "${message.summary}" so I can't easily pass a message parameter through via
> the template.
> > Thanks in advance, > > Ben Quirk > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Dec 2 01:27:34 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 2 Dec 2016 07:27:34 +0100 Subject: [keycloak-user] Accessing JGroups ports in Docker keycloak-ha-postgres In-Reply-To: References: Message-ID: Nice work, but I'm not sure I want to merge this. It's hard to test and maintain so we need to limit the amount of variations of the Docker images. On 29 November 2016 at 10:31, Staffan wrote: > After lots of experimentation, I found keycloak-mysql to be more useful > than keycloak-ha-postgres for HA in Kubernetes. See > https://github.com/jboss-dockerfiles/keycloak/pull/62 > > There is some more background in the JGroups mailing list thread "Expose > JGroups ports in Docker keycloak-ha-postgres". > > /Staffan > > On Tue, Nov 8, 2016 at 11:29 AM, Staffan wrote: > > > Hi, > > > > I've tried in different docker environments (compose, kubernetes, > > standalone) to get a HA setup running using https://hub.docker.com/r/ > > jboss/keycloak-ha-postgres/. > > > > Keycloak nodes start all right, but are unaware of each other. Curiously > I > > fail to reach the JGroups ports from any other container or host system. 
> > > > When I try -Djboss.bind.address.private=0.0.0.0 there's an error during > > startup: > > > > MSC000001: Failed to start service jboss.jgroups.channel.ee: > > org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee > : > > java.security.PrivilegedActionException: java.net.BindException: [UDP] / > > 0.0.0.0 is not a valid address on any local network interface > > at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start( > > ChannelBuilder.java:80) > > Caused by: java.security.PrivilegedActionException: > > java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any > > local network interface > > at org.wildfly.security.manager.WildFlySecurityManager.doChecked( > > WildFlySecurityManager.java:640) > > Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address > > on any local network interface > > at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522) > > > > ... or if I switch to stack="tcp" in the jgroups subsystem: > > > > MSC000001: Failed to start service jboss.jgroups.channel.ee: > > org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee > : > > java.security.PrivilegedActionException: java.net.BindException: [TCP] / > > 0.0.0.0 is not a valid address on any local network interface > > > > I guess this is a generic Wildfly topic, but I'm curious how the official > > Keycloak docker containers are tested. In a docker context, the only two > > interfaces I can bind to are 0.0.0.0 and 127.0.0.1. 
> >
> > regards
> > Staffan Olsson
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sblanc at redhat.com Fri Dec 2 02:04:16 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 2 Dec 2016 08:04:16 +0100
Subject: [keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter
In-Reply-To:
References:
Message-ID:

There is one way you can leverage the adapter for this, using this method:

ClientCredentialsProviderUtils.setClientCredentials(deployment, reqHeaders, reqParams);

This way, you don't have to worry about passing your credentials. But it's worth thinking on how we can enhance the developer experience in this area, if you have some ideas feel free to share them and I will also open a ticket to track this.

On Thu, Dec 1, 2016 at 10:58 PM, Matt H wrote:
> Yes, I was looking at that guide. I knew how to go to the keycloak token
> endpoint and get a token. I wasn't sure if this is the way it needed to be
> done, or if it could be done through the provided adapters.
>
> When the adapters are already being used, and it knows of your client and
> secret already, it seemed like a lot of overhead to go out to keycloak some
> other way and make sure that token is not expired (along with re-issuing a
> token logic), then make the call. If this is the required way, that's fine.
>
> ------------------------------
> *From:* Sebastien Blanc
> *Sent:* Thursday, December 1, 2016 3:45 PM
> *To:* Matt H
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] How to access secured REST endpoint from
> keycloak-spring-security-adapter
>
> (including mailing list)
>
> On Thu, Dec 1, 2016 at 8:31 PM, Matt H wrote:
>
>> I have a suite of spring applications that are using keycloak for
>> authentication.
I'm using the Keycloak spring security adapter and have
>> successfully secured the endpoints that I want to. I have situations where
>> I need Application A to make a call to a secured endpoint on Application
>> B. I am able to do this client to client communication by using the
>> KeycloakRestTemplate but only when a user calls Application A with a valid
>> token.
>>
>> Application A also has a process that will call Application B without
>> user interaction. When this is done I get an error
>> "java.lang.IllegalStateException: Cannot set authorization header
>> because there is no authenticated principal". This makes sense since I
>> don't have a valid user token.
>>
>> Application A and Application B use the same client in keycloak and it is
>> set to be a confidential client. I have tried it with and without having
>> service accounts enabled.
>>
> When you say "with service accounts enabled", have you followed all the
> instructions from here https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html ,
> meaning also calling the /{server-root-usually-auth}/realms/{realm-name}/protocol/openid-connect/token
> endpoint in order to retrieve a valid token ?
>
>> Some questions I have are:
>>
>> 1. How do I have applications (not users) call a secured REST endpoint?
>>
>> 2. Do the provided keycloak adapters (like the spring security adapter)
>> provide this functionality?
>>
>> 3. Do I need an additional client account to do this?
>>
>> 4. Are there any libraries that handle refreshing these tokens or
>> automatically obtaining one if it doesn't exist?
>>
>> I see lots of examples on how a user can access a secured service, but
>> not much on an application accessing a secured service.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From sblanc at redhat.com Fri Dec 2 02:09:00 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 2 Dec 2016 08:09:00 +0100
Subject: [keycloak-user] Social Login Fails
In-Reply-To: <541291552.4545132.1480616586095@mail.yahoo.com>
References: <541291552.4545132.1480616586095.ref@mail.yahoo.com> <541291552.4545132.1480616586095@mail.yahoo.com>
Message-ID:

Is there any stacktrace in the server log ? You could also switch on the events in the admin console, they might give you more info about the failure.

On Thu, Dec 1, 2016 at 7:23 PM, Srikar Nuvvula wrote:
> Hi,
> I am new to using keycloak. I am trying to get social login work with my
> angularjs app but I am having issues that I can't seem to get over. Here are
> steps I followed but login failed.
> 1. Setup facebook auth provider in keycloak
> 2. Created client id with public type in keycloak
> 3. Setup an app in facebook and populated redirect url which is
> (http://localhost:8080/auth/realms/faceauth/broker/facebook/endpoint)
> 4. Extracted clientid and secret from facebook app and populated it on
> facebook id provider in keycloak
> 5. Using keycloak js adapter I invoked the login call (uses the following code)
> ***************************************************************************
> // on every request, authenticate user first
> angular.element(document).ready(() => {
>   window._keycloak = Keycloak('keycloak/keycloak.json');
>   // new Keycloak({ url: 'http://localhost:8080/auth', realm: 'faceauth', clientId: 'facedemo' });
>   window._keycloak.init({ onLoad: 'login-required' })
>     .success((authenticated) => {
>       if (authenticated) {
>         window._keycloak.loadUserProfile().success(function (profile) {
>           angular.bootstrap(document, ['keycloak-tutorial']); // manually bootstrap Angular
>         });
>       } else {
>         window.location.reload();
>       }
>     })
>     .error(function () {
>       alert("auth failed");
>       // window.location.reload();
>     });
> });
> ********************************************************************************
> 6. I am presented the facebook login; when I key in the details and login, the
> control comes back to my app on localhost but goes into the error block and
> displays the "auth failed" message.
> I don't know what's happening. I don't have any more error information to
> debug. What's the best way to understand what's going on? Please help.
> Thanks much
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Fri Dec 2 02:41:48 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 2 Dec 2016 05:41:48 -0200
Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
In-Reply-To: <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com>
References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com> <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com>
Message-ID: <20161202074148.GA27820@abstractj.org>

Hi Scott, sorry for the late response.

From what I noticed, dbus-send works for you right? But I feel like the user running Keycloak process does not have access to /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true? If yes, check if user running Keycloak is listed into sssd.conf 'allowed_uids' section.

I saw that you managed to run dbus-send, but worth to ask. Is the user running dbus-send, the same starting Keycloak server process?

I included a very simple check to make sure that Windows users don't see the SSSD Federation provider listed - if the user running Keycloak does not have reading rights over /etc/sssd.
For troubleshooting some of these issues (because from time to time, I mess up with my environment), I have this docker image[1]. Speaking about KEYCLOAK-3902, I already fixed it. I will just include the integration tests to reproduce this scenario. [1] - https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycloak-sssd-integration-tests On 2016-12-01, Scott Poore wrote: > > > ----- Original Message ----- > > From: "Bill Burke" > > To: keycloak-user at lists.jboss.org > > Sent: Thursday, December 1, 2016 3:35:31 PM > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA > > > > Can you run your example without SSSD? Isolate the problem to make sure > > that its not an SP configuration issue first. As far as SSSD setup > > goes, you're gonna have to talk to Bruno about that. Hopefully he chimes in. > > I tried adding a user to the existing setup from the admin console and I see an error and then I see this in the server.log: > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to retrieve user's attributes. Check if SSSD service is active. > > I can't delete the sssd provider though because of this bug: > > https://issues.jboss.org/browse/KEYCLOAK-3902 > > I started over fresh without the SSSD Provider setup. It does appear that I'm not able to even authenticate as a user created from the admin console. > > I've bumped logging up to info on both Keycloak and httpd on the SP but, I still don't see much there. Any suggestion on where to go from here? > > Thanks, > Scott > > > > > > > > On 12/1/16 4:21 PM, Scott Poore wrote: > > > Hi, > > > > > > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration using > > > the SSSD Provider. I am following the Server Administration Guide but, > > > I'm hitting some error. I'm not sure if it's a bug or a configuration > > > issue on my part. 
> > >
> > > This is the link I was following:
> > >
> > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
> > >
> > > The difference in setup though is that I'm not using the docker image.
> > > Instead I'm using a separate FreeIPA Master server that I have setup as a
> > > separate VM. I have confirmed that SSSD-DBUS is working:
> > >
> > > [root at idp ~]# dbus-send --print-reply --system
> > > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> > > serial=17 reply_serial=2
> > > array [
> > > string "ipausers"
> > > ]
> > >
> > > For the SP, I setup a basic Apache setup with mod_auth_mellon using
> > >
> > > keycloak-httpd-client-install \
> > > --client-originate-method registration \
> > > --keycloak-server-url https://idp.keycloak.test:8443 \
> > > --keycloak-admin-username admin \
> > > --keycloak-admin-password PASSWORD \
> > > --app-name testapp \
> > > --keycloak-realm test_realm \
> > > --mellon-root mroot \
> > > --mellon-protected-locations "/mroot/private" \
> > > --force
> > >
> > > When I try to login to the SP, it redirects as expected to the Keycloak
> > > server and waits for a while before returning:
> > >
> > > Internal Server Error
> > >
> > > From the httpd access log I can see:
> > >
> > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > > /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > > (KHTML, like Gecko)
Chrome/50.0.2661.86 Safari/537.36"
> > >
> > > From the admin console, I can see what appears to be an active session for
> > > the client.
> > >
> > > From the Keycloak server.log I can see:
> > >
> > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > 2016-12-01 14:14:31,578 WARN
> > > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion
> > > called by a background thread; delaying afterCompletion processing
> > > until the original thread can handle it. [status=4]
> > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX
> > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25)
> > > ARJUNA012077: Abort called on already aborted atomic action
> > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > (default task-25) RESTEASY002025: Unknown exception while executing POST
> > > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException:
> > > javax.transaction.RollbackException: ARJUNA016102: The transaction
> > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > >
> > > Leaving out the traceback for brevity. I can send that if needed/wanted.
> > >
> > > When I logout the session and set SSSD debug_level to 9 and restart sssd,
> > > keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can
> > > provide the SSSD logs if it helps.
> > >
> > > So, how do I go about troubleshooting this issue?
Are there any steps
> > > missing from the SSSD Provider doc?
> > >
> > > Thanks,
> > > Scott
> > >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

--
abstractj
PGP: 0x84DC9914

From sblanc at redhat.com Fri Dec 2 02:57:10 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 2 Dec 2016 08:57:10 +0100
Subject: [keycloak-user] Keycloak Even when user is authenticated
In-Reply-To:
References:
Message-ID:

AFAIK there is nothing out of the box in the adapter for that but here are some ideas:

- You could write your custom Event Listener on the KC side that sends:
  * a rest request to your application, (like a github hook)
  * publish on a JMS queue

You can take a look at the documentation/examples on how to implement the event SPI.

For the WF Adapter, I think it would be nice if it could publish some CDI events, I will open a ticket for that.

On Thu, Dec 1, 2016 at 9:44 PM, Mario Peck wrote:
> I am working on a web application (war) that uses keycloak for
> authentication/roles.
> The application is running on Wildfly 10. Using the wildfly keycloak
> adapter.
> I need to listen/detect when a user is authenticated by keycloak. There is
> some work the application must perform when a user is logged in for the
> first time.
> Is there some event (Observable message) , or some type of listener that I
> can register to get notified of this? (when a user is authenticated).
> Thanks to any tips/help
> Mario
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Edgar at info.nl Fri Dec 2 03:04:36 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Fri, 2 Dec 2016 08:04:36 +0000
Subject: [keycloak-user] Setting the 'Credentials - Temporary' flag on when creating a new user causes the user to be disabled in MSAD/LDAP(?)
Message-ID: <69CC0F70-911C-41A9-B4F0-EF1A61D91D6A@info.nl>

hi,

Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the following behaviour:

1/ create a new user in Keycloak from the Keycloak admin UI
2/ set a password in the Credentials tab and leave the 'Temporary' flag set to on
3/ if you look in Active Directory (we use an LDAP provider with MSAD account controls) the user's userAccountControl attribute is now set to 546. This means: 'Disabled, Password Not Required'
4/ when the user attempts to log in she gets an error message saying that the account is inactive; also the 'User Enabled' flag in Keycloak now suddenly changes from enabled to disabled

This is the process we used to follow in Keycloak 2.0.0.Final to create users but it stopped working in 2.3.0.Final. After having spent quite some time tracking the issue down we found out that it was the 'Temporary' flag in the Credentials tab that causes this issue. When we set this flag to false (i.e. not a temporary password) we see that in AD the userAccountControl attribute is set to its normal value 512 as we would expect. Now the user can log in normally.

Is this a bug introduced after 2.0.0.Final or a desired change in behaviour? I could not find a JIRA issue regarding this change.

PS: we are confused about the 'Temporary' flag in any case. Exactly what is it meant for?
The fact that a user needs to change her password on first login does not seem to be controlled by this flag in any case but rather by the Required User Action with value 'Change password'?

cheers,
Edgar

From sblanc at redhat.com Fri Dec 2 03:12:03 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 2 Dec 2016 09:12:03 +0100
Subject: [keycloak-user] How i can use keycloak-admin-client in Apache Tomcat
In-Reply-To: <002901d24bec$80091690$801b43b0$@growingup.com.co>
References: <001d01d24bea$3a35f1d0$aea1d570$@growingup.com.co> <002901d24bec$80091690$801b43b0$@growingup.com.co>
Message-ID:

The admin client is just a wrapper around Resteasy client so it should be pretty agnostic of the application server. Is that the complete stacktrace ? Do you have maybe simple app on github to share ?

On Thu, Dec 1, 2016 at 5:03 PM, wrote:
> Additional info:
>
> Dependencies added to my project:
>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-admin-client</artifactId>
>     <version>2.4.0.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.jboss.resteasy</groupId>
>     <artifactId>resteasy-jaxrs</artifactId>
>     <version>3.0.19.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.jboss.resteasy</groupId>
>     <artifactId>resteasy-client</artifactId>
>     <version>3.0.19.Final</version>
> </dependency>
> <dependency>
>     <groupId>org.jboss.resteasy</groupId>
>     <artifactId>resteasy-jackson2-provider</artifactId>
>     <version>3.0.19.Final</version>
> </dependency>
>
> When I test Keycloak connection:
>
> String authServer = UriUtils.getOrigin("http://localhost:8080") + "/auth";
>
> Keycloak keycloak = Keycloak.getInstance(authServer, "example",
> "examples-admin-client", "password", "examples-admin-client", "password");
> ClientsResource clients = keycloak.realm("example").clients();
>
> An exception is thrown:
>
> Dec 01, 2016 10:50:32 AM org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [Faces Servlet] in context with path
> [/sis] threw exception [Error processing webservice request] with root cause
> java.lang.NullPointerException
>     at org.apache.openejb.server.cxf.rs.CxfRsHttpListener.doInvoke(CxfRsHttpListener.java:251)
>     at org.apache.tomee.webservices.CXFJAXRSFilter.doFilter(CXFJAXRSFilter.java:94)
>     at
org.apache.catalina.core.ApplicationFilterChain. > internalDoFilter(ApplicationFilterChain.java:192) > at org.apache.catalina.core.ApplicationFilterChain.doFilter( > ApplicationFilterChain.java:165) > at org.apache.tomcat.websocket.server.WsFilter.doFilter( > WsFilter.java:52) > > > > -----Mensaje original----- > De: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@ > lists.jboss.org] En nombre de tecnologia at growingup.com.co > Enviado el: jueves, 01 de diciembre de 2016 10:47 > Para: 'keycloak-user' > Asunto: [keycloak-user] How i can use keycloak-admin-client in Apache > Tomcat > > Hello, > > How i can use keycloak-admin-client in Apache TomEE 7.0.2? > > Below the specifications: > > > Apache TomEE 7.0.2 -> Apache Tomcat 8.5.6 > > JAX-RS - Apache CXF (I understand that resteasy is needed) > > JAX-WS - Apache CXF > > > > keycloak-admin-client ?Does it only work on a wildfly server? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mposolda at redhat.com Fri Dec 2 05:03:13 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 2 Dec 2016 11:03:13 +0100 Subject: [keycloak-user] Keycloak impersonate In-Reply-To: References: Message-ID: Hi Tomas, you're right. It is currently managed just by the impersonation role. So you can just remove this role entirely. Also you need to make sure that local admin (who is not supposed to be able to impersonate) doesn't have permission to re-create the role back and assign himself to this role. We don't have anything other like "Disable impersonation" switch. Btv. if your local-admin has access to the database, then he has access to everything anyway. 
He can just update the "disable-impersonation" switch and re-enable it (in case we ever have such a switch). He can also read the private key of a particular realm, manually create an access token from it and impersonate the user with that token. Marek On 01/12/16 15:12, GRMAN, Tomas wrote: > > Hi Marek, is it possible to disable (or completely remove) the Keycloak > impersonate function? > > I understand that it is a nice feature for troubleshooting, but in > our case (for one security sensitive app) it represents a big issue, > because the admin can access sensitive data as the impersonated user. > > I found that it is possible to manage that using a dedicated role > (impersonation), but in our case it is not sufficient (it could be > added directly in the database I guess). > > Thanks for any advice. > > Tomas > From zeus.arias at beeva.com Fri Dec 2 05:20:09 2016 From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA) Date: Fri, 2 Dec 2016 11:20:09 +0100 Subject: [keycloak-user] CORS setup Message-ID: Hi, Is it possible to configure CORS? What are the steps? My client config is (json):
{
  "realm": "name",
  "realm-public-key": "...",
  "auth-server-url": "https://example:8443/auth",
  "ssl-required": "all",
  "resource": "name",
  "enable-cors": true,
  "cors-allowed-methods": "GET, HEAD, OPTIONS",
  "cors-allowed-headers": "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers",
  "credentials": {
    "secret": "...."
  },
  "principal-attribute": "preferred_username"
}
And the error in the application is: XMLHttpRequest cannot load https://keycloak_url:8443/auth/realms/name/protocol/open?gin&state=1%2token&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://url_app' is therefore not allowed access.
The Keycloak Response Header is:
Cache-Control:no-store, must-revalidate, max-age=0
Connection:keep-alive
Content-Length:5257
Content-Security-Policy:frame-src 'self'
Content-Type:text/html;charset=utf-8
Date:Fri, 02 Dec 2016 09:37:15 GMT
Server:WildFly/10
Set-Cookie:KC_RESTART=COOKIE; Version=1; Path=/auth/realms/name; Secure; HttpOnly
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Undertow/1
Do I have to modify the file standalone.xml? From bruno at abstractj.org Fri Dec 2 05:25:11 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 02 Dec 2016 10:25:11 +0000 Subject: [keycloak-user] CORS setup In-Reply-To: References: Message-ID: Yes, take a look at the examples https://github.com/keycloak/keycloak/tree/master/examples/cors. On Fri, Dec 2, 2016 at 8:20 AM Zeus Arias Lucero | BEEVA < zeus.arias at beeva.com> wrote:
> Hi,
>
> Is it possible to configure CORS? What are the steps?
>
> My client config is (json):
>
> {
>   "realm": "name",
>   "realm-public-key": "...",
>   "auth-server-url": "https://example:8443/auth",
>   "ssl-required": "all",
>   "resource": "name",
>   "enable-cors": true,
>   "cors-allowed-methods": "GET, HEAD, OPTIONS",
>   "cors-allowed-headers": "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers",
>   "credentials": {
>     "secret": "...."
>   },
>   "principal-attribute": "preferred_username"
> }
>
> And the error in the application is:
>
> XMLHttpRequest cannot load
> https://keycloak_url:8443/auth/realms/name/protocol/open?gin&state=1%2token&login=true&scope=openid.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'https://url_app' is therefore not allowed access.
>
> The Keycloak Response Header is:
>
> Cache-Control:no-store, must-revalidate, max-age=0
> Connection:keep-alive
> Content-Length:5257
> Content-Security-Policy:frame-src 'self'
> Content-Type:text/html;charset=utf-8
> Date:Fri, 02 Dec 2016 09:37:15 GMT
> Server:WildFly/10
> Set-Cookie:KC_RESTART=COOKIE; Version=1; Path=/auth/realms/name; Secure; HttpOnly
> X-Content-Type-Options:nosniff
> X-Frame-Options:SAMEORIGIN
> X-Powered-By:Undertow/1
>
> Do I have to modify the file standalone.xml?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From sthorger at redhat.com Fri Dec 2 05:28:04 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 2 Dec 2016 11:28:04 +0100 Subject: [keycloak-user] Considering removing Mongo support Message-ID: All, We are considering removing Mongo support from Keycloak in 3.x. The reason behind it is that there are a fair few issues in the current implementation, especially around consistency due to the lack of transaction support in Mongo, and we often update multiple documents. In many cases we rely on transactions to roll back to prevent partial updates, but this obviously doesn't work in Mongo. With the fact that Mongo is already partially broken and the constant maintenance involved we're considering removing it and rather focusing purely on the relational database back-end. Another point to make is that we are not considering supporting Mongo in the supported version of Keycloak (Red Hat Single Sign-On). So we are never able to provide the same level of care and attention to it as we can for relational databases. If we do decide to remove it we would make sure we provide a seamless and easy option to migrate from Mongo to a relational database! I would like to gather some feedback from the community before doing anything.
So please vote on the following Doodle: http://doodle.com/poll/nnimebpkx774ppus Also, comments to this thread are more than welcome! I'll end with a comment - Time spent by core developers on maintaining Mongo could be better spent on awesome new features, testing and bug fixing! From thomas.darimont at googlemail.com Fri Dec 2 05:45:36 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 2 Dec 2016 11:45:36 +0100 Subject: [keycloak-user] Keycloak Event when user is authenticated In-Reply-To: References: Message-ID: Hello, I wrote a Keycloak JMS event forwarder extension a while ago that does this. It sends JMS text messages for various Keycloak events in json format that look like this:
{
  "eventId" : "0f97dcaf-f682-44c4-9165-3ba79f05b0e2",
  "instanceName" : "23496 at tom:192.168.99.1",
  "realmId" : "acme-dev-local",
  "userId" : "a9c18800-1289-4ffb-9621-35af0eb7cd8a",
  "type" : "USER",
  "timestamp" : 1480675080396,
  "contextId" : "USER",
  "contextAction" : "LOGIN",
  "contextData" : { },
  "auditInfo" : { // who did the action? (if the user did it himself, same as userInfo)
    "realmId" : "acme-dev-local",
    "clientId" : "account",
    "ipAddress" : "192.168.99.1",
    "userId" : "a9c18800-1289-4ffb-9621-35af0eb7cd8a",
    "username" : "tom"
  },
  "userInfo" : { // info of the user involved
    "userId" : "a9c18800-1289-4ffb-9621-35af0eb7cd8a",
    "realmId" : "acme-dev-local",
    "emailVerified" : false,
    "enabled" : true,
    "username" : "tom",
    "email" : "tom at localhost",
    "firstname" : "Thomas Richard",
    "lastname" : "Darimont",
    "creationDateTime" : 1470147844598,
    "attributes" : { "locale" : [ "de" ] }
  }
}
One can enable it in the events configuration in the admin console once the extension is configured in Keycloak.
You can find an older version of the extension here: https://github.com/jugsaar/visit-yajug-20161023-keycloak You can find more information about how to configure custom SPI extensions here: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.4/topics/providers.html Cheers, Thomas 2016-12-02 8:57 GMT+01:00 Sebastien Blanc : > AFAIK there is nothing out of the box in the adapter for that but here are some > ideas: > > - You could write your custom Event Listener on the KC side that sends: > * a REST request to your application (like a github hook) > * a message on a JMS queue > You can take a look at the documentation/examples on how to implement the > event SPI. > > For the WF Adapter, I think it would be nice if it could publish some CDI > events, I will open a ticket for that. > > > > On Thu, Dec 1, 2016 at 9:44 PM, Mario Peck wrote: > > > I am working on a web application (war) that uses keycloak for > > authentication/roles. > > The application is running on Wildfly 10. Using the wildfly keycloak > > adapter. > > I need to listen/detect when a user is authenticated by keycloak. There > is > > some work the application must perform when a user is logged in for the > > first time. > > Is there some event (Observable message), or some type of listener that > I > > can register to get notified of this? (when a user is authenticated). > > Thanks to any tips/help > > Mario > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From josepharowe at gmail.com Fri Dec 2 06:08:38 2016 From: josepharowe at gmail.com (Joe Rowe) Date: Fri, 02 Dec 2016 11:08:38 +0000 Subject: [keycloak-user] Hard code redirect_uri on timeout?
Message-ID: Hi, I am working on a jsf application which uses Keycloak for authorisation and am having an issue regarding session timeouts. Specifically, when a user's session times out Keycloak captures the uri they were visiting at timeout and redirects back to it upon the user logging back in from the timeout. This causes an issue in which session scoped backing beans holding view data are empty, and on some pages this can cause exceptions. Is it possible to modify the redirect uri configuration to disregard the page the user was on and instead always redirect to the index of the application any time the user's session is interrupted? I have tried various options in the realm and client settings but without luck, and have not found a similar question in the archives. Many thanks, Joe From bruno at abstractj.org Fri Dec 2 07:32:57 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 2 Dec 2016 10:32:57 -0200 Subject: [keycloak-user] 2.4.0 Unable to register new user when LDAP is enabled In-Reply-To: References: Message-ID: <20161202123257.GA19799@abstractj.org> Hi Michael, I tried to reproduce your issue with our LDAP example[1]. But couldn't see any exception. Do you have the steps to reproduce? Do you have the logs from your LDAP server? [1] - https://github.com/keycloak/keycloak/tree/master/examples/ldap On 2016-12-01, Michael Anthon wrote: > We have recently upgraded to 2.4.0 and are currently unable to create new users while LDAP is enabled. Stack trace below. > > The LDAP provider is configured with "Sync Registrations" turned off but this option seems to be ignored? > > Any advice on this would be appreciated. 
> > Thanks, > Michael > > > 20:30:20,205 ERROR [io.undertow.request] (default task-6) UT005023: Exception handling request to /auth/admin/realms/identify/users: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalStateException: Registration is not supported by this ldap server > at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.lang.IllegalStateException: Registration is not supported by thi > at org.keycloak.storage.ldap.LDAPStorageProvider.addUser(LDAPStorageProv > at org.keycloak.storage.UserStorageManager.addUser(UserStorageManager.ja > at org.keycloak.models.cache.infinispan.UserCacheSession.addUser(UserCac > at org.keycloak.models.UserFederationManager.addUser(UserFederationManag > at org.keycloak.services.resources.admin.UsersResource.createUser(UsersR > at sun.reflect.GeneratedMethodAccessor795.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces > at java.lang.reflect.Method.invoke(Method.java:497) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl. > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(Resource > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodIn > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(R > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocator > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispa > ... 
37 more > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From lists at merit.unu.edu Fri Dec 2 07:42:44 2016 From: lists at merit.unu.edu (mj) Date: Fri, 2 Dec 2016 13:42:44 +0100 Subject: [keycloak-user] "convert OID to names" Message-ID: <0b8c8c76-b00a-262e-3fed-9039945a6371@merit.unu.edu> Hi, Trying to use keycloak as an IdP, saml2, and my application tells me: "When using SimpleSAMLphp, make sure to convert OID to names by modifying your metadata/saml20-idp-hosted.php to contain something like this:
> 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
> 'authproc' => array(
>   100 => array('class' => 'core:AttributeMap', 'oid2name'),
> ),
Could anyone give a pointer on how to make keycloak use names instead of OIDs? MJ From michael_furman at hotmail.com Fri Dec 2 10:13:35 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Fri, 2 Dec 2016 15:13:35 +0000 Subject: [keycloak-user] Clarification regarding authentication flows In-Reply-To: References: Message-ID: Can anybody help? Regards, Michael ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman Sent: Thursday, December 1, 2016 9:26 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Clarification regarding authentication flows Hi, What type of the authentication flow used for the realm REST API authentication? The browser flow? What type of the authentication flow used to obtain the access token? https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/admin-rest-api.html The Direct Grant Flow?
Regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer lists.jboss.org To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... From tsdgcc2087 at outlook.com Fri Dec 2 11:58:20 2016 From: tsdgcc2087 at outlook.com (Matt H) Date: Fri, 2 Dec 2016 16:58:20 +0000 Subject: [keycloak-user] Clarification regarding authentication flows In-Reply-To: References: , Message-ID: I'm not following exactly. Where are you setting/changing the flows? This REST API is to make changes in Keycloak like you would do through the UI. If that is what you want to do, you would make a POST like the example shows with the required entries in the form. By default, the realm Master is there and so is the client_id admin-cli. The only thing that should change in their example is the username and password. For this you use the same username and password you would access the Admin UI with. If that all worked, you would receive an access token back to make those admin calls. ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman Sent: Friday, December 2, 2016 9:13 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Clarification regarding authentication flows Can anybody help? Regards, Michael ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman Sent: Thursday, December 1, 2016 9:26 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Clarification regarding authentication flows Hi, What type of the authentication flow used for the realm REST API authentication? The browser flow? What type of the authentication flow used to obtain the access token? 
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/admin-rest-api.html The Direct Grant Flow? Regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From michael_furman at hotmail.com Fri Dec 2 13:01:28 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Fri, 2 Dec 2016 18:01:28 +0000 Subject: [keycloak-user] Clarification regarding authentication flows In-Reply-To: References: , , Message-ID: Hi Matt, The authentication flows are configured here: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html I guess that when I access the REST API the request uses the Browser flow but I would be happy for confirmation. In addition, when I access this API http://localhost:8080/auth/realms/master/protocol/openid-connect/token what flow is used? The browser flow? The Direct Grant Flow? Regards, Michael ________________________________ From: Matt H Sent: Friday, December 2, 2016 6:16 PM To: Michael Furman; keycloak-user at lists.jboss.org Subject: Re: Clarification regarding authentication flows I'm not following exactly. Where are you setting/changing the flows? This REST API is to make changes in Keycloak like you would do through the UI.
If that is what you want to do, you would make a POST like the example shows with the required entries in the form. By default, the realm Master is there and so is the client_id admin-cli. The only thing that should change in their example is the username and password. For this you use the same username and password you would access the Admin UI with. If that all worked, you would receive an access token back to make those admin calls. ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman Sent: Friday, December 2, 2016 9:13 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Clarification regarding authentication flows Can anybody help? Regards, Michael ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman Sent: Thursday, December 1, 2016 9:26 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Clarification regarding authentication flows Hi, What type of the authentication flow used for the realm REST API authentication? The browser flow? What type of the authentication flow used to obtain the access token? https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/admin-rest-api.html The Direct Grant Flow? Regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From spoore at redhat.com Fri Dec 2 13:11:21 2016 From: spoore at redhat.com (Scott Poore) Date: Fri, 2 Dec 2016 13:11:21 -0500 (EST) Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA In-Reply-To: <20161202074148.GA27820@abstractj.org> References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com> <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com> <20161202074148.GA27820@abstractj.org> Message-ID: <665165290.1639602.1480702281468.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bruno Oliveira" > To: "Scott Poore" > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > Sent: Friday, December 2, 2016 1:41:48 AM > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA > > Hi Scott, sorry for the late response. > > From what I noticed, dbus-send works for you, right? But I feel like the > user running the Keycloak process does not have access to > /etc/sssd/sssd.conf, or is not the same one running dbus-send. Is that true? Yes, that's one problem. I was running keycloak as the keycloak user but dbus-send as root. I also found where I had the wrong ownership on a java keystore file for running https. > > If yes, check if the user running Keycloak is listed in the sssd.conf > 'allowed_uids' > section. I saw that you managed to run dbus-send, but worth asking. > Is the user running dbus-send the same one starting the Keycloak server process? That I was fixing.
I just wasn't testing dbus-send as the keycloak user. > > I included a very simple check to make sure that Windows users don't see the > SSSD > Federation provider listed: if the user running Keycloak does not have > read rights over /etc/sssd. By default /etc/sssd is 700 so no one but root can read that. Should I just be running keycloak as root? (FYI, that's what I'm trying now). > > For troubleshooting some of these issues (because from time to time, I > mess up with my environment), I have this docker image[1]. > > Speaking about KEYCLOAK-3902, I already fixed it. I will just include > the integration tests to reproduce this scenario. I saw that it was at least scheduled to be fixed. Wasn't sure if the fix was complete. So, what about my last issue where I cannot seem to authenticate as a normal user I created in the realm from the Keycloak admin console? FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
[root at idp ~]# rpm -q java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
[root at sp1 ~]# rpm -q httpd mod_auth_mellon
httpd-2.4.23-4.fc24.x86_64
mod_auth_mellon-0.12.0-2.fc24.x86_64
I also re-installed the client manually using mellon_create_metadata.sh and importing the metadata file from the admin console. I see the same thing so I don't think keycloak-httpd-client-install set up anything in a way to cause this. It looks like it takes almost 12 minutes for something to time out when I try accessing the SP from my browser. started: 11:53:55 by the clock on my desktop ended: ~12:05:42 by the clock on my desktop Not sure if that helps at all but, thought I'd actually document it in case it does help. When it does finally time out is when I see the "Internal Server Error". And the location bar is pointing to the keycloak and does not seem to have been redirected back to the SP. Does any of that sound familiar?
Thanks, Scott > > [1] - > https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycloak-sssd-integration-tests > > On 2016-12-01, Scott Poore wrote: > > > > > > ----- Original Message ----- > > > From: "Bill Burke" > > > To: keycloak-user at lists.jboss.org > > > Sent: Thursday, December 1, 2016 3:35:31 PM > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA > > > > > > Can you run your example without SSSD? Isolate the problem to make sure > > > that its not an SP configuration issue first. As far as SSSD setup > > > goes, you're gonna have to talk to Bruno about that. Hopefully he chimes > > > in. > > > > I tried adding a user to the existing setup from the admin console and I > > see an error and then I see this in the server.log: > > > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to > > retrieve user's attributes. Check if SSSD service is active. > > > > I can't delete the sssd provider though because of this bug: > > > > https://issues.jboss.org/browse/KEYCLOAK-3902 > > > > I started over fresh without the SSSD Provider setup. It does appear that > > I'm not able to even authenticate as a user created from the admin > > console. > > > > I've bumped logging up to info on both Keycloak and httpd on the SP but, I > > still don't see much there. Any suggestion on where to go from here? > > > > Thanks, > > Scott > > > > > > > > > > > > > On 12/1/16 4:21 PM, Scott Poore wrote: > > > > Hi, > > > > > > > > I am trying to setup Keycloak version 2.4.0 with FreeIPA integration > > > > using > > > > the SSSD Provider. I am following the Server Administration Guide but, > > > > I'm hitting some error. I'm not sure if it's a bug or a configuration > > > > issue on my part. 
> > > > > > > > This is the link I was following: > > > > > > > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html > > > > > > > > The difference in setup though is that I'm not using the docker image. > > > > Instead I'm using a separate FreeIPA Master server that I have setup as > > > > a > > > > separate VM. I have confirmed that SSSD-DBUS is working: > > > > > > > > [root at idp ~]# dbus-send --print-reply --system > > > > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe > > > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser > > > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 > > > > serial=17 reply_serial=2 > > > > array [ > > > > string "ipausers" > > > > ] > > > > > > > > For the SP, I setup a basic Apache setup with mod_auth_mellon using > > > > > > > > keycloak-httpd-client-install \ > > > > --client-originate-method registration \ > > > > --keycloak-server-url https://idp.keycloak.test:8443 \ > > > > --keycloak-admin-username admin \ > > > > --keycloak-admin-password PASSWORD \ > > > > --app-name testapp \ > > > > --keycloak-realm test_realm \ > > > > --mellon-root mroot \ > > > > --mellon-protected-locations "/mroot/private" \ > > > > --force > > > > > > > > When I try to login to the SP, it redirects as expected to the Keycloak > > > > server and waits for a while before returning: > > > > > > > > Internal Server Error > > > > > > > > >From the httpd access log I can see: > > > > > > > > > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private > > > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) > > > > AppleWebKit/537.36 > > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36" > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET > > > > /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm > > > > HTTP/1.1" 
> > > > 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > >
> > > > From the admin console, I can see what appears to be an active session
> > > > for the client.
> > > >
> > > > From the Keycloak server.log I can see:
> > > >
> > > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > > > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > > 2016-12-01 14:14:31,578 WARN
> > > > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion
> > > > called by a background thread; delaying afterCompletion processing
> > > > until the original thread can handle it. [status=4]
> > > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX
> > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25)
> > > > ARJUNA012077: Abort called on already aborted atomic action
> > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > > (default task-25) RESTEASY002025: Unknown exception while executing POST
> > > > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException:
> > > > javax.transaction.RollbackException: ARJUNA016102: The transaction
> > > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > >
> > > > Leaving out the traceback for brevity. I can send that if
> > > > needed/wanted.
> > > >
> > > > When I log out the session and set SSSD debug_level to 9 and restart sssd,
> > > > keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can
> > > > provide the SSSD logs if it helps.
> > > >
> > > > So, how do I go about troubleshooting this issue? Are there any steps
> > > > missing from the SSSD Provider doc?
> > > >
> > > > Thanks,
> > > > Scott
> > > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
>

From sblanc at redhat.com Fri Dec 2 13:28:30 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 2 Dec 2016 19:28:30 +0100
Subject: [keycloak-user] How to access secured REST endpoint from keycloak-spring-security-adapter
In-Reply-To:
References:
Message-ID:

On Fri, Dec 2, 2016 at 3:31 PM, Matt H wrote:

> Where does the KeycloakDeployment come from? I looked through the service
> account example that uses the method below, but it only shows how to get it
> from an HttpServlet which still comes from a user interaction.
>

I haven't tried it but in KeycloakWebSecurityConfigurerAdapter that you
probably subclass in your app to configure the security there is an
adapterDeploymentContext() method and from the returned context you can get
the KeycloakDeployment object.

>
> One idea could be to extend the KeycloakRestTemplate to allow for a flag
> to use service accounts then obtain a token for it.
>
> Another idea would be to have another class that could be autowired (I'm
> using Spring) that takes care of getting a service account access token,
> storing it, and refreshing it if it expires.
> It would need to read the
> keycloak.json (or the same properties that are set for it) to get the
> client and secret.
>

These are really great suggestions and I will make sure to add them in the
ticket, thx.

>
> ------------------------------
> *From:* Sebastien Blanc
> *Sent:* Friday, December 2, 2016 1:04 AM
> *To:* Matt H
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] How to access secured REST endpoint from
> keycloak-spring-security-adapter
>
> There is one way you can leverage the adapter for this, which is using this
> method:
>
> ClientCredentialsProviderUtils.setClientCredentials(deployment,
> reqHeaders, reqParams);
>
> This way, you don't have to worry about passing your credentials. But it's
> worth thinking on how we can enhance the developer experience in this area;
> if you have some ideas feel free to share them and I will also open a
> ticket to track this.
>
> On Thu, Dec 1, 2016 at 10:58 PM, Matt H wrote:
>
>> Yes, I was looking at that guide. I knew how to go to the keycloak token
>> endpoint and get a token. I wasn't sure if this is the way it needed to be
>> done, or if it could be done through the provided adapters.
>>
>> When the adapters are already being used, and it knows of your client and
>> secret already, it seemed like a lot of overhead to go out to keycloak some
>> other way and make sure that token is not expired (along with re-issuing a
>> token logic), then make the call. If this is the required way, that's fine.
>>
>> ------------------------------
>> *From:* Sebastien Blanc
>> *Sent:* Thursday, December 1, 2016 3:45 PM
>> *To:* Matt H
>> *Cc:* keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] How to access secured REST endpoint from
>> keycloak-spring-security-adapter
>>
>> (including mailing list)
>>
>> On Thu, Dec 1, 2016 at 8:31 PM, Matt H wrote:
>>
>>> I have a suite of spring applications that are using keycloak for
>>> authentication.
>>> I'm using the Keycloak spring security adapter and have
>>> successfully secured the endpoints that I want to. I have situations where
>>> I need Application A to make a call to a secured endpoint on Application
>>> B. I am able to do this client to client communication by using the
>>> KeycloakRestTemplate but only when a user calls Application A with a valid
>>> token.
>>>
>>> Application A also has a process that will call Application B without
>>> user interaction. When this is done I get an error
>>> "java.lang.IllegalStateException: Cannot set authorization header
>>> because there is no authenticated principal". This makes sense since I
>>> don't have a valid user token.
>>>
>>> Application A and Application B use the same client in keycloak and it
>>> is set to be a confidential client. I have tried it with and without
>>> having service accounts enabled.
>>>
>> When you say "with service accounts enabled", have you followed all the
>> instructions from here
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html
>> , meaning also calling the
>> /{server-root-usualy-auth}/realms/{realm-name}/protocol/openid-connect/token
>> endpoint in order to retrieve a valid token?
>>
>>> Some questions I have are:
>>>
>>> 1. How do I have applications (not users) call a secured REST endpoint?
>>>
>>> 2. Do the provided keycloak adapters (like the spring security adapter)
>>> provide this functionality?
>>>
>>> 3. Do I need an additional client account to do this?
>>>
>>> 4. Are there any libraries that handle refreshing these tokens or
>>> automatically obtaining one if it doesn't exist?
>>>
>>> I see lots of examples on how a user can access a secured service, but
>>> not much on an application accessing a secured service.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From bruno at abstractj.org Fri Dec 2 13:37:32 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 2 Dec 2016 16:37:32 -0200
Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
In-Reply-To: <665165290.1639602.1480702281468.JavaMail.zimbra@redhat.com>
References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com>
 <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com>
 <20161202074148.GA27820@abstractj.org>
 <665165290.1639602.1480702281468.JavaMail.zimbra@redhat.com>
Message-ID: <20161202183732.GA10860@abstractj.org>

On 2016-12-02, Scott Poore wrote:
>
> ----- Original Message -----
> > From: "Bruno Oliveira"
> > To: "Scott Poore"
> > Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > Sent: Friday, December 2, 2016 1:41:48 AM
> > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> >
> > Hi Scott, sorry for the late response.
> >
> > From what I noticed, dbus-send works for you right? But I feel like the
> > user running Keycloak process does not have access to
> > /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?
>
> Yes, that's one problem. I was running keycloak as keycloak user but
> dbus-send as root. I also found where I had the wrong ownership on a java
> keystore file for running https.
>
> >
> > If yes, check if user running Keycloak is listed into sssd.conf
> > 'allowed_uids' section. I saw that you managed to run dbus-send, but
> > worth to ask. Is the user running dbus-send, the same starting Keycloak
> > server process?
>
> That I was fixing. I just wasn't testing dbus-send as keycloak user.
>
> >
> > I included a very simple check to make sure that Windows users don't see
> > the SSSD Federation provider listed -
> > If the user running Keycloak does not have
> > reading rights over /etc/sssd.
>
> By default /etc/sssd is 700 so no one but root can read that. Should I
> just be running keycloak as root? (FYI, that's what I'm trying now).

Do that for now, or add reading permissions to this folder to isolate
the problem.

>
> >
> > For troubleshooting some of these issues (because from time to time, I
> > mess up with my environment), I have this docker image[1].
> >
> > Speaking about KEYCLOAK-3902, I already fixed it. I will just include
> > the integration tests to reproduce this scenario.
>
> I saw that it was at least scheduled to be fixed. Wasn't sure if the fix
> was complete.
>
> So, what about my last issue where I cannot seem to authenticate as a
> normal user I created in the realm from the Keycloak admin console?

What do you have in your logs? Have you installed the jna and libunix RPMs?

>
> FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
>
> [root at idp ~]# rpm -q java-1.8.0-openjdk
> java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
>
> [root at sp1 ~]# rpm -q httpd mod_auth_mellon
> httpd-2.4.23-4.fc24.x86_64
> mod_auth_mellon-0.12.0-2.fc24.x86_64
>
> I also re-installed the client manually using mellon_create_metadata.sh and
> importing the metadata file from the admin console. I see the same thing
> so I don't think keycloak-httpd-client-install set up anything in a way to
> cause this.
>
> It looks like it takes almost 12 minutes for something to time out when I
> try accessing the SP from my browser.
>
> started: 11:53:55 by the clock on my desktop
> ended: ~12:05:42 by the clock on my desktop
>
> Not sure if that helps at all but, thought I'd actually document it in case
> it does help.
>
> When it does finally time out is when I see the "Internal Server Error".
> And the location bar is pointing to the keycloak and does not seem to
> have been redirected back to the SP.
>
> Does any of that sound familiar?
>
> Thanks,
> Scott
>
> >
> > [1] -
> > https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycloak-sssd-integration-tests
> >
> > On 2016-12-01, Scott Poore wrote:
> > >
> > > ----- Original Message -----
> > > > From: "Bill Burke"
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Thursday, December 1, 2016 3:35:31 PM
> > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> > > >
> > > > Can you run your example without SSSD? Isolate the problem to make sure
> > > > that it's not an SP configuration issue first. As far as SSSD setup
> > > > goes, you're gonna have to talk to Bruno about that. Hopefully he chimes
> > > > in.
> > >
> > > I tried adding a user to the existing setup from the admin console and I
> > > see an error and then I see this in the server.log:
> > >
> > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to
> > > retrieve user's attributes. Check if SSSD service is active.
> > >
> > > I can't delete the sssd provider though because of this bug:
> > >
> > > https://issues.jboss.org/browse/KEYCLOAK-3902
> > >
> > > I started over fresh without the SSSD Provider setup. It does appear that
> > > I'm not able to even authenticate as a user created from the admin
> > > console.
> > >
> > > I've bumped logging up to info on both Keycloak and httpd on the SP but I
> > > still don't see much there. Any suggestion on where to go from here?
> > >
> > > Thanks,
> > > Scott
> > >
> > > > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > > > Hi,
> > > > >
> > > > > I am trying to set up Keycloak version 2.4.0 with FreeIPA integration
> > > > > using the SSSD Provider. I am following the Server Administration Guide
> > > > > but I'm hitting some error. I'm not sure if it's a bug or a configuration
> > > > > issue on my part.
> > > > >
> > > > > This is the link I was following:
> > > > >
> > > > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
> > > > >
> > > > > The difference in setup though is that I'm not using the docker image.
> > > > > Instead I'm using a separate FreeIPA Master server that I have set up as
> > > > > a separate VM. I have confirmed that SSSD-DBUS is working:
> > > > >
> > > > > [root at idp ~]# dbus-send --print-reply --system
> > > > > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > > > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> > > > > serial=17 reply_serial=2
> > > > > array [
> > > > > string "ipausers"
> > > > > ]
> > > > >
> > > > > For the SP, I set up a basic Apache setup with mod_auth_mellon using
> > > > >
> > > > > keycloak-httpd-client-install \
> > > > > --client-originate-method registration \
> > > > > --keycloak-server-url https://idp.keycloak.test:8443 \
> > > > > --keycloak-admin-username admin \
> > > > > --keycloak-admin-password PASSWORD \
> > > > > --app-name testapp \
> > > > > --keycloak-realm test_realm \
> > > > > --mellon-root mroot \
> > > > > --mellon-protected-locations "/mroot/private" \
> > > > > --force
> > > > >
> > > > > When I try to log in to the SP, it redirects as expected to the Keycloak
> > > > > server and waits for a while before returning:
> > > > >
> > > > > Internal Server Error
> > > > >
> > > > > From the httpd access log I can see:
> > > > >
> > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> > > > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > > > > /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > >
> > > > > From the admin console, I can see what appears to be an active session
> > > > > for the client.
> > > > >
> > > > > From the Keycloak server.log I can see:
> > > > >
> > > > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > > > > Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > > > 2016-12-01 14:14:31,578 WARN
> > > > > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion
> > > > > called by a background thread; delaying afterCompletion processing
> > > > > until the original thread can handle it.
> > > > > [status=4]
> > > > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper
> > > > > Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > > > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX
> > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25)
> > > > > ARJUNA012077: Abort called on already aborted atomic action
> > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > > > (default task-25) RESTEASY002025: Unknown exception while executing POST
> > > > > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException:
> > > > > javax.transaction.RollbackException: ARJUNA016102: The transaction
> > > > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > >
> > > > > Leaving out the traceback for brevity. I can send that if
> > > > > needed/wanted.
> > > > >
> > > > > When I log out the session and set SSSD debug_level to 9 and restart sssd,
> > > > > keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can
> > > > > provide the SSSD logs if it helps.
> > > > >
> > > > > So, how do I go about troubleshooting this issue? Are there any steps
> > > > > missing from the SSSD Provider doc?
> > > > >
> > > > > Thanks,
> > > > > Scott
> > > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
>

--

abstractj
PGP: 0x84DC9914

From spoore at redhat.com Fri Dec 2 14:37:52 2016
From: spoore at redhat.com (Scott Poore)
Date: Fri, 2 Dec 2016 14:37:52 -0500 (EST)
Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
In-Reply-To: <20161202183732.GA10860@abstractj.org>
References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com>
 <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com>
 <20161202074148.GA27820@abstractj.org>
 <665165290.1639602.1480702281468.JavaMail.zimbra@redhat.com>
 <20161202183732.GA10860@abstractj.org>
Message-ID: <613488450.1715844.1480707472611.JavaMail.zimbra@redhat.com>

----- Original Message -----
> From: "Bruno Oliveira"
> To: "Scott Poore"
> Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> Sent: Friday, December 2, 2016 12:37:32 PM
> Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
>
> On 2016-12-02, Scott Poore wrote:
> >
> > ----- Original Message -----
> > > From: "Bruno Oliveira"
> > > To: "Scott Poore"
> > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org
> > > Sent: Friday, December 2, 2016 1:41:48 AM
> > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA
> > >
> > > Hi Scott, sorry for the late response.
> > >
> > > From what I noticed, dbus-send works for you right?
> > > But I feel like the
> > > user running Keycloak process does not have access to
> > > /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true?
> >
> > Yes, that's one problem. I was running keycloak as keycloak user but
> > dbus-send as root. I also found where I had the wrong ownership on a java
> > keystore file for running https.
> >
> > >
> > > If yes, check if user running Keycloak is listed into sssd.conf
> > > 'allowed_uids' section. I saw that you managed to run dbus-send, but
> > > worth to ask. Is the user running dbus-send, the same starting Keycloak
> > > server process?
> >
> > That I was fixing. I just wasn't testing dbus-send as keycloak user.
> >
> > >
> > > I included a very simple check to make sure that Windows users don't see
> > > the SSSD Federation provider listed - If the user running Keycloak does
> > > not have reading rights over /etc/sssd.
> >
> > By default /etc/sssd is 700 so no one but root can read that. Should I
> > just be running keycloak as root? (FYI, that's what I'm trying now).
>
> Do that for now, or add reading permissions to this folder to isolate
> the problem.
>
> >
> > >
> > > For troubleshooting some of these issues (because from time to time, I
> > > mess up with my environment), I have this docker image[1].
> > >
> > > Speaking about KEYCLOAK-3902, I already fixed it. I will just include
> > > the integration tests to reproduce this scenario.
> >
> > I saw that it was at least scheduled to be fixed. Wasn't sure if the fix
> > was complete.
> >
> > So, what about my last issue where I cannot seem to authenticate as a
> > normal user I created in the realm from the Keycloak admin console?
>
> What do you have in your logs? Have you installed the jna and libunix RPMs?

I opened a ticket to post logs too. I wasn't sure if you wanted those
posted to the mailing list.
https://issues.jboss.org/browse/KEYCLOAK-4019

In the ticket I also tried to post a detailed description of my setup in
the "Steps to Reproduce". Maybe that will show what I was doing wrong.

I have not yet installed the jna or libunix RPMs in my current setup. My
previous setup had them before I tried starting over to try to cut out all
SSSD Provider related possible issues. So, I'm trying now with a clean
install without using the SSSD Provider. But, it is still an ipa client so
sssd was running. Do I still need jna and libunix installed if I'm not
using SSSD?

Should I also change the subject of the email to better reflect my current
issue? Or we'll get back to the SSSD in this thread when my other issue is
resolved?

Thanks for all the help.

Scott

>
> >
> > FYI, I'm trying to set this up on Fedora 24 if that makes any difference.
> >
> > [root at idp ~]# rpm -q java-1.8.0-openjdk
> > java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64
> >
> > [root at sp1 ~]# rpm -q httpd mod_auth_mellon
> > httpd-2.4.23-4.fc24.x86_64
> > mod_auth_mellon-0.12.0-2.fc24.x86_64
> >
> > I also re-installed the client manually using mellon_create_metadata.sh and
> > importing the metadata file from the admin console. I see the same thing
> > so I don't think keycloak-httpd-client-install set up anything in a way to
> > cause this.
> >
> > It looks like it takes almost 12 minutes for something to time out when I
> > try accessing the SP from my browser.
> >
> > started: 11:53:55 by the clock on my desktop
> > ended: ~12:05:42 by the clock on my desktop
> >
> > Not sure if that helps at all but, thought I'd actually document it in case
> > it does help.
> >
> > When it does finally time out is when I see the "Internal Server Error".
> > And the location bar is pointing to the keycloak and does not seem to
> > have been redirected back to the SP.
> >
> > Does any of that sound familiar?
> >
> > Thanks,
> > Scott
> >
> > >
> > > [1] -
> > > https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycloak-sssd-integration-tests
> > >
> > > On 2016-12-01, Scott Poore wrote:
> > > >
> > > > ----- Original Message -----
> > > > > From: "Bill Burke"
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Sent: Thursday, December 1, 2016 3:35:31 PM
> > > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for
> > > > > FreeIPA
> > > > >
> > > > > Can you run your example without SSSD? Isolate the problem to make
> > > > > sure that it's not an SP configuration issue first. As far as SSSD
> > > > > setup goes, you're gonna have to talk to Bruno about that. Hopefully
> > > > > he chimes in.
> > > >
> > > > I tried adding a user to the existing setup from the admin console and
> > > > I see an error and then I see this in the server.log:
> > > >
> > > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to
> > > > retrieve user's attributes. Check if SSSD service is active.
> > > >
> > > > I can't delete the sssd provider though because of this bug:
> > > >
> > > > https://issues.jboss.org/browse/KEYCLOAK-3902
> > > >
> > > > I started over fresh without the SSSD Provider setup. It does appear
> > > > that I'm not able to even authenticate as a user created from the admin
> > > > console.
> > > >
> > > > I've bumped logging up to info on both Keycloak and httpd on the SP
> > > > but I still don't see much there. Any suggestion on where to go from
> > > > here?
> > > >
> > > > Thanks,
> > > > Scott
> > > >
> > > > > On 12/1/16 4:21 PM, Scott Poore wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I am trying to set up Keycloak version 2.4.0 with FreeIPA
> > > > > > integration using the SSSD Provider. I am following the Server
> > > > > > Administration Guide but I'm hitting some error.
> > > > > > I'm not sure if it's a bug or a configuration issue on my part.
> > > > > >
> > > > > > This is the link I was following:
> > > > > >
> > > > > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html
> > > > > >
> > > > > > The difference in setup though is that I'm not using the docker
> > > > > > image. Instead I'm using a separate FreeIPA Master server that I
> > > > > > have set up as a separate VM. I have confirmed that SSSD-DBUS is
> > > > > > working:
> > > > > >
> > > > > > [root at idp ~]# dbus-send --print-reply --system
> > > > > > --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
> > > > > > org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > > > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29
> > > > > > serial=17 reply_serial=2
> > > > > > array [
> > > > > > string "ipausers"
> > > > > > ]
> > > > > >
> > > > > > For the SP, I set up a basic Apache setup with mod_auth_mellon using
> > > > > >
> > > > > > keycloak-httpd-client-install \
> > > > > > --client-originate-method registration \
> > > > > > --keycloak-server-url https://idp.keycloak.test:8443 \
> > > > > > --keycloak-admin-username admin \
> > > > > > --keycloak-admin-password PASSWORD \
> > > > > > --app-name testapp \
> > > > > > --keycloak-realm test_realm \
> > > > > > --mellon-root mroot \
> > > > > > --mellon-protected-locations "/mroot/private" \
> > > > > > --force
> > > > > >
> > > > > > When I try to log in to the SP, it redirects as expected to the
> > > > > > Keycloak server and waits for a while before returning:
> > > > > >
> > > > > > Internal Server Error
> > > > > >
> > > > > > From the httpd access log I can see:
> > > > > >
> > > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private
> > > > > > HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64)
> > > > > > AppleWebKit/537.36
> > > > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET
> > > > > > /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm
> > > > > > HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
> > > > > > (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > > >
> > > > > > From the admin console, I can see what appears to be an active
> > > > > > session for the client.
> > > > > >
> > > > > > From the Keycloak server.log I can see:
> > > > > >
> > > > > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction
> > > > > > Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action
> > > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > > > > 2016-12-01 14:14:31,578 WARN
> > > > > > [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
> > > > > > (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion
> > > > > > called by a background thread; delaying afterCompletion processing
> > > > > > until the original thread can handle it.
> > > > > > [status=4]
> > > > > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction
> > > > > > Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker
> > > > > > Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX
> > > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25)
> > > > > > ARJUNA012077: Abort called on already aborted atomic action
> > > > > > 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n]
> > > > > > (default task-25) RESTEASY002025: Unknown exception while executing POST
> > > > > > /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException:
> > > > > > javax.transaction.RollbackException: ARJUNA016102: The transaction
> > > > > > is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > >
> > > > > > Leaving out the traceback for brevity. I can send that if
> > > > > > needed/wanted.
> > > > > >
> > > > > > When I log out the session and set SSSD debug_level to 9 and restart
> > > > > > sssd, keycloak, and httpd (on the SP), I do see SSSD looking up the
> > > > > > user. I can provide the SSSD logs if it helps.
> > > > > >
> > > > > > So, how do I go about troubleshooting this issue? Are there any
> > > > > > steps missing from the SSSD Provider doc?
> > > > > >
> > > > > > Thanks,
> > > > > > Scott
> > > > > >
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > > --
> > >
> > > abstractj
> > > PGP: 0x84DC9914
> >
>
> --
>
> abstractj
> PGP: 0x84DC9914
>

From schwartzbj17 at gmail.com Fri Dec 2 15:09:03 2016
From: schwartzbj17 at gmail.com (Brian Schwartz)
Date: Fri, 2 Dec 2016 14:09:03 -0600
Subject: [keycloak-user] Spring boot and spring security adapters
In-Reply-To:
References:
Message-ID:

I'm using keycloak 2.3.0.final spring boot and spring security adapters.
The spring security adapter requires a keycloak.json file to be in web-inf
but I don't have that or web.xml. How do I change where the keycloak
adapter looks for keycloak.json?

From tsdgcc2087 at outlook.com Fri Dec 2 15:29:33 2016
From: tsdgcc2087 at outlook.com (Matt H)
Date: Fri, 2 Dec 2016 20:29:33 +0000
Subject: [keycloak-user] Spring boot and spring security adapters
In-Reply-To:
References:
Message-ID:

Since you are using Spring Boot, I'm going to assume you have a properties
file. Just have the file in your classpath and you can set the following
property.
keycloak.configurationFile: classpath:keycloak.json

If you don't have a properties file, you can just set it manually:

System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Brian Schwartz
Sent: Friday, December 2, 2016 2:09 PM
To: keycloak-user
Subject: [keycloak-user] Spring boot and spring security adapters

I'm using keycloak 2.3.0.final spring boot and spring security adapters.
The spring security adapter requires a keycloak.json file to be in web-inf
but I don't have that or web.xml. How do I change where the keycloak
adapter looks for keycloak.json?
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From schwartzbj17 at gmail.com Fri Dec 2 15:49:46 2016
From: schwartzbj17 at gmail.com (Brian Schwartz)
Date: Fri, 2 Dec 2016 14:49:46 -0600
Subject: [keycloak-user] Spring boot and spring security adapters
In-Reply-To:
References:
Message-ID:

When I do that I get the error:

org.springframework.boot.bind.RelaxedBindingNotWritablePropertyException:
Failed to bind 'keycloak.configurationFile' from 'applicationConfig:
[classpath:/application.properties]' to 'configurationFile' property on
'org.keycloak.adapters.springboot.KeycloakSpringBootProperties'

On Dec 2, 2016 2:30 PM, "Matt H" wrote:

Since you are using Spring Boot, I'm going to assume you have a properties
file. Just have the file in your classpath and you can set the following
property.
keycloak.configurationFile: classpath:keycloak.json If you don't have a properties file, you can just set it manually: System.setProperty("keycloak.configurationFile", "classpath:keycloak.json"); ------------------------------ *From:* keycloak-user-bounces at lists.jboss.org on behalf of Brian Schwartz *Sent:* Friday, December 2, 2016 2:09 PM *To:* keycloak-user *Subject:* [keycloak-user] Spring boot and spring security adapters I'm using keycloak 2.3.0.final spring boot and spring security adapters. The spring security adapter requires a keycloak.json file to be in web-inf but i don't have that or web.xml. How do I change where the keycloak adapter looks for keycloak.json? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer lists.jboss.org To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... From bburke at redhat.com Fri Dec 2 20:09:48 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 2 Dec 2016 20:09:48 -0500 Subject: [keycloak-user] User Storage SPI docs Message-ID: <28559c87-0712-badd-f4fc-f85f82ffa15d@redhat.com> see here: https://keycloak.gitbooks.io/server-developer-guide/content/v/master/topics/user-storage.html 1st iteration complete. From byteflinger at gmail.com Sat Dec 3 04:09:15 2016 From: byteflinger at gmail.com (Byte Flinger) Date: Sat, 03 Dec 2016 09:09:15 +0000 Subject: [keycloak-user] Considering removing Mongo support In-Reply-To: References: Message-ID: Does that mean that the only supported backends would be SQL databases? I have recently started to look into Keycloak and I was thinking that Mongodb support was nice for scalability as it can be sharded, something SQL dbs cannot. Wouldn't that mean giving up on scalability for large deployments? 
Are there plans to support any other more scalable type of database such as Cassandra? On Fri, 2 Dec 2016, 11:30 Stian Thorgersen, wrote: > All, > > We are considering removing Mongo support from Keycloak in 3.x. The reasons > behind it is that there are a fair few issues in the current > implementation, especially around consistency due to lack of transaction > support in Mongo and often we update multiple documents. In many cases we > rely on transactions to rollback to prevent partial updates, but this > obviously doesn't work in Mongo. > > With the fact that Mongo is already partially broken and the constant > maintenance involved we're considering removing it and rather focus purely > on the relational database back-end. > > Another point to make is that we are not considering supporting Mongo in > the supported version of Keycloak (Red Hat Single Sign-On). So we are never > able to provide the same level of care and attention to it as we can for > relational databases. > > If we do decide to remove it we would make sure we provide a seamless and > easy option to migrate from Mongo to a relational database! > > I would like to gather some feedback from the community before doing > anything. So please vote on the following Doodle: > > http://doodle.com/poll/nnimebpkx774ppus > > Also, comments to this thread is more than welcome! > > I'll end with a comment - Time spent by core developer on maintaining Mongo > could be better spent on awesome new features, testing and bug fixing! > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jreg2k at gmail.com Sun Dec 4 08:46:20 2016 From: jreg2k at gmail.com (James James) Date: Sun, 4 Dec 2016 14:46:20 +0100 Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend In-Reply-To: References: Message-ID: Thank for your answer. 
If i use freeipa as LDAP backend for keycloak, users who will register from the keycloak UI will be created in Freeipa to ? In my previous tests, every user I have created from the keycloak UI wasn't created in the FreeIPA. I was using FreeIPA as LDAP backend. Maybe my settings were bad. I can send some logs to help me troubleshooting. Regards. 2016-12-02 7:11 GMT+01:00 Stian Thorgersen : > It's impossible with the SSSD integration as SSSD is currently read-only. > You can however use FreeIPA as a backend with a LDAP user federation > provider instead. > > On 27 November 2016 at 17:56, James James wrote: > >> Hello, >> >> >> I want to be able to create user in the FreeIPA backend from keycloak >> registration portal .. is it possible ? For me it' impossible but I just >> want to be sure. >> >> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html >> >> https://keycloak.gitbooks.io/server-adminstration-guide/cont >> ent/topics/user-federation/sssd.html >> >> Regards. >> >> James Regis >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From marc.boorshtein at tremolosecurity.com Sun Dec 4 10:55:20 2016 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Sun, 04 Dec 2016 15:55:20 +0000 Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend In-Reply-To: References: Message-ID: The only way to create users in freeipa is to use their web API. The only provisioning system I know of that does this is our own project openunison. Here's the code for working g with the freeipa web services if you are interested : https://github.com/TremoloSecurity/OpenUnison/blob/master/unison/unison-services-freeipa/src/main/java/com/tremolosecurity/unison/freeipa/FreeIPATarget.java On Sun, Dec 4, 2016, 8:48 AM James James wrote: > Thank for your answer. 
> > If i use freeipa as LDAP backend for keycloak, users who will register from > the keycloak UI will be created in Freeipa to ? > > In my previous tests, every user I have created from the keycloak UI wasn't > created in the FreeIPA. I was using FreeIPA as LDAP backend. Maybe my > settings were bad. > > I can send some logs to help me troubleshooting. > > Regards. > > 2016-12-02 7:11 GMT+01:00 Stian Thorgersen : > > > It's impossible with the SSSD integration as SSSD is currently read-only. > > You can however use FreeIPA as a backend with a LDAP user federation > > provider instead. > > > > On 27 November 2016 at 17:56, James James wrote: > > > >> Hello, > >> > >> > >> I want to be able to create user in the FreeIPA backend from keycloak > >> registration portal .. is it possible ? For me it' impossible but I > just > >> want to be sure. > >> > >> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html > >> > >> https://keycloak.gitbooks.io/server-adminstration-guide/cont > >> ent/topics/user-federation/sssd.html > >> > >> Regards. > >> > >> James Regis > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Marc Boorshtein CTO Tremolo Security marc.boorshtein at tremolosecurity.com (703) 828-4902 Twitter - @mlbiam / @tremolosecurity From bburke at redhat.com Sun Dec 4 12:04:48 2016 From: bburke at redhat.com (Bill Burke) Date: Sun, 4 Dec 2016 12:04:48 -0500 Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend In-Reply-To: References: Message-ID: <402a244e-5503-f9c9-41e0-f95ec2f303d6@redhat.com> Their LDAP front-end doesn't support writes? 
On 12/4/16 10:55 AM, Marc Boorshtein wrote: > The only way to create users in freeipa is to use their web API. The only > provisioning system I know of that does this is our own project openunison. > Here's the code for working g with the freeipa web services if you are > interested : > > https://github.com/TremoloSecurity/OpenUnison/blob/master/unison/unison-services-freeipa/src/main/java/com/tremolosecurity/unison/freeipa/FreeIPATarget.java > > On Sun, Dec 4, 2016, 8:48 AM James James wrote: > >> Thank for your answer. >> >> If i use freeipa as LDAP backend for keycloak, users who will register from >> the keycloak UI will be created in Freeipa to ? >> >> In my previous tests, every user I have created from the keycloak UI wasn't >> created in the FreeIPA. I was using FreeIPA as LDAP backend. Maybe my >> settings were bad. >> >> I can send some logs to help me troubleshooting. >> >> Regards. >> >> 2016-12-02 7:11 GMT+01:00 Stian Thorgersen : >> >>> It's impossible with the SSSD integration as SSSD is currently read-only. >>> You can however use FreeIPA as a backend with a LDAP user federation >>> provider instead. >>> >>> On 27 November 2016 at 17:56, James James wrote: >>> >>>> Hello, >>>> >>>> >>>> I want to be able to create user in the FreeIPA backend from keycloak >>>> registration portal .. is it possible ? For me it' impossible but I >> just >>>> want to be sure. >>>> >>>> http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html >>>> >>>> https://keycloak.gitbooks.io/server-adminstration-guide/cont >>>> ent/topics/user-federation/sssd.html >>>> >>>> Regards. 
>>>> >>>> James Regis >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From marc.boorshtein at tremolosecurity.com Sun Dec 4 13:58:38 2016 From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein) Date: Sun, 04 Dec 2016 18:58:38 +0000 Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend In-Reply-To: <402a244e-5503-f9c9-41e0-f95ec2f303d6@redhat.com> References: <402a244e-5503-f9c9-41e0-f95ec2f303d6@redhat.com> Message-ID: > > Their LDAP front-end doesn't support writes? FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to store its objects. For the most part you can use the LDAP interface for reads but for writes different rules apply because a single "user" can be comprised of multiple objects across the DIT. As an example, if you create a user via LDAP you can probably authenticate via LDAP but you won't be able to via kerberose. Also, if you provision an sshkey via LDAP it won't work. The only way to reliably create users and add users to groups is through the FreeIPA web services, for supported attributes. Not all attributes can be provisioned via the webservices. Only if its visible in the webui. Otherwise you need to provision via LDAP. So as an example, carLicense can be provisioned via the web services but I think roomNumber or departmentNumber (I'd need to double check) are NOT supported unless you extend the webui (there's a way to do it if you google it). 
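The provisioning path Marc describes above (create the user through FreeIPA's web services so the server builds the Kerberos principal and the other objects that make up one IPA user, rather than writing a bare entry into 389-ds over LDAP), shown as an added example. This is not OpenUnison's FreeIPATarget code and not part of FreeIPA or Keycloak; the session endpoints (/ipa/session/login_password and /ipa/session/json) and the {"method", "params": [args, options]} envelope are FreeIPA's JSON-RPC web API, which the ipa CLI itself uses. The server name, service account and the sample user are constructed placeholders.

```python
"""Create a FreeIPA user through the JSON-RPC web API instead of LDAP.

Added example; not OpenUnison's, FreeIPA's or Keycloak's code.  Host name,
credentials and the sample user below are constructed placeholders.
"""
import json
import urllib.parse
import urllib.request


def build_rpc_request(method, args, options, request_id=0):
    """FreeIPA JSON-RPC body: a positional args list plus an options dict."""
    return {"method": method, "params": [list(args), dict(options)], "id": request_id}


def user_add_request(uid, givenname, sn, **attrs):
    """`user_add` is the command `ipa user-add` runs.  Going through it lets the
    server create the Kerberos principal and the related objects; only
    attributes the IPA API knows about can be passed as options."""
    options = {"givenname": givenname, "sn": sn}
    options.update(attrs)
    return build_rpc_request("user_add", [uid], options)


def is_ipa_error(body):
    """True when a JSON-RPC reply carries an error object instead of a result."""
    return bool(body.get("error"))


def check_response(body):
    """Return the `result` of a JSON-RPC reply, or raise on an IPA error
    (e.g. {"code": 4002, "name": "DuplicateEntry", "message": ...})."""
    if is_ipa_error(body):
        err = body["error"]
        raise RuntimeError(f"{err.get('name')}: {err.get('message')}")
    return body["result"]


class IpaSession:
    """Cookie-based session against https://<server>/ipa.  TLS is verified
    with the system trust store, so the IPA CA certificate must be installed."""

    def __init__(self, server):
        self.base = f"https://{server}/ipa"
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

    def _headers(self, content_type, accept):
        # IPA refuses requests without a Referer under /ipa (its CSRF guard).
        return {"Content-Type": content_type, "Accept": accept, "Referer": self.base}

    def login(self, user, password):
        """Password login; a 200 reply sets the ipa_session cookie in the jar."""
        data = urllib.parse.urlencode({"user": user, "password": password}).encode()
        req = urllib.request.Request(
            self.base + "/session/login_password", data=data,
            headers=self._headers("application/x-www-form-urlencoded", "text/plain"))
        with self.opener.open(req) as resp:
            return resp.status == 200

    def call(self, rpc):
        """POST one JSON-RPC request on the authenticated session."""
        req = urllib.request.Request(
            self.base + "/session/json", data=json.dumps(rpc).encode(),
            headers=self._headers("application/json", "application/json"))
        with self.opener.open(req) as resp:
            return check_response(json.load(resp))


if __name__ == "__main__":
    # Placeholder host and credentials: use a dedicated service account that
    # holds IPA's "User Administrators" privilege, not the admin account.
    session = IpaSession("ipa.example.test")
    session.login("svc-provisioner", "CHANGE-ME")
    result = session.call(user_add_request("jdoe", "John", "Doe",
                                           mail="jdoe@example.test"))
    print(result["summary"])
```

A registration hook in Keycloak (a user storage provider, for instance) would call user_add_request from its create path and let the LDAP federation provider keep doing reads; attributes that the IPA web UI does not expose still have to go through LDAP, as Marc notes.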
From Tomas.GRMAN at orange.com Mon Dec 5 03:45:40 2016
From: Tomas.GRMAN at orange.com (GRMAN, Tomas)
Date: Mon, 5 Dec 2016 08:45:40 +0000
Subject: [keycloak-user] Keycloak impersonate

Hi Marek,

Thanks for the info.

Tomas

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: 2 December 2016 11:03
To: GRMAN, Tomas ; keycloak-user at lists.jboss.org
Cc: STEFKA, Peter (ext.)
Subject: Re: Keycloak impersonate

Hi Tomas,

you're right. It is currently managed just by the impersonation role. So you can just remove this role entirely. Also you need to make sure that the local admin (who is not supposed to be able to impersonate) doesn't have permission to re-create the role and assign himself to this role. We don't have anything else like a "Disable impersonation" switch.

Btw. if your local admin has access to the database, then he has access to everything anyway. He can just update the "disable-impersonation" switch and re-enable it (in case we will have such a switch). He can also read the privateKey of the particular realm and manually create an accessToken from it and impersonate the user with the token.

Marek

On 01/12/16 15:12, GRMAN, Tomas wrote:
Hi Marek,

is it possible to disable (or completely remove) the Keycloak impersonate function? I understand that it is a nice feature for troubleshooting, but in our case (for one security-sensitive app) it represents a big issue, because an admin can access sensitive data as the impersonated user. I found that it is possible to manage that using a dedicated role (impersonation), but in our case it is not sufficient (it could be added directly in the database I guess).

Thanks for any advice.
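Marek's advice above is to remove the impersonation role and then make sure no local admin can re-create or re-assign it. The following added example (not Keycloak's own code) is an audit over a realm export file that checks both points: whether the `impersonation` client role of the `realm-management` client still exists, and which users can reach it effectively, whether by direct assignment, through a composite role such as `realm-admin`, through a group (sub-groups inherit their parents' mappings) or through the realm's default roles. The export layout used (roles.realm, roles.client, groups, users, defaultRoles) mirrors Keycloak's realm export JSON; SAMPLE_REALM itself is constructed for the demo, including which roles it makes composite.

```python
"""Audit a Keycloak realm export for who can effectively impersonate users.

Added example, not Keycloak's code.  SAMPLE_REALM is constructed; run the
functions on a real realm export (json.load of the export file) instead.
"""

TARGET = ("realm-management", "impersonation")   # (client, role) being audited


def _composites_of(role):
    """Roles contained in a composite role, as (client_or_None, name) pairs."""
    comps = role.get("composites", {}) if role.get("composite") else {}
    out = {(None, n) for n in comps.get("realm", [])}
    for client, names in comps.get("client", {}).items():
        out.update((client, n) for n in names)
    return out


def index_roles(realm):
    """Map every (client_or_None, role) defined in the export to its composites."""
    idx = {}
    for r in realm.get("roles", {}).get("realm", []):
        idx[(None, r["name"])] = _composites_of(r)
    for client, roles in realm.get("roles", {}).get("client", {}).items():
        for r in roles:
            idx[(client, r["name"])] = _composites_of(r)
    return idx


def expand(roles, idx):
    """Transitive closure over composite roles; safe on cyclic composites."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(idx.get(r, ()))
    return seen


def _mapped_roles(obj):
    """Direct realm and client role mappings of a user or group object."""
    roles = {(None, n) for n in obj.get("realmRoles", [])}
    for client, names in obj.get("clientRoles", {}).items():
        roles.update((client, n) for n in names)
    return roles


def group_roles(groups, inherited=frozenset()):
    """Map group path -> roles; sub-groups inherit their parents' mappings."""
    out = {}
    for g in groups:
        roles = frozenset(inherited | _mapped_roles(g))
        out[g["path"]] = roles
        out.update(group_roles(g.get("subGroups", []), roles))
    return out


def impersonation_role_present(realm):
    """Marek's first step is to remove the role; report whether it still exists."""
    client, name = TARGET
    return any(r["name"] == name
               for r in realm.get("roles", {}).get("client", {}).get(client, []))


def impersonators(realm):
    """username -> sorted direct grants (role or group mapping) that lead to TARGET."""
    idx = index_roles(realm)
    by_group = group_roles(realm.get("groups", []))
    defaults = {(None, n) for n in realm.get("defaultRoles", [])}
    hits = {}
    for u in realm.get("users", []):
        direct = _mapped_roles(u) | defaults
        for path in u.get("groups", []):
            direct |= by_group.get(path, frozenset())
        if TARGET in expand(direct, idx):
            hits[u["username"]] = sorted(
                f"{c or 'realm'}:{n}" for c, n in direct
                if TARGET in expand({(c, n)}, idx))
    return hits


SAMPLE_REALM = {                      # constructed sample, not a real export
    "realm": "example",
    "defaultRoles": ["offline_access"],
    "roles": {
        "realm": [
            {"name": "offline_access", "composite": False},
            {"name": "helpdesk", "composite": True,
             "composites": {"client": {"realm-management": ["view-users", "impersonation"]}}},
        ],
        "client": {"realm-management": [
            {"name": "impersonation", "composite": False},
            {"name": "view-users", "composite": False},
            {"name": "manage-users", "composite": False},
            {"name": "realm-admin", "composite": True,
             "composites": {"client": {"realm-management":
                                       ["impersonation", "view-users", "manage-users"]}}},
        ]},
    },
    "groups": [{"name": "ops", "path": "/ops",
                "clientRoles": {"realm-management": ["realm-admin"]},
                "subGroups": [{"name": "oncall", "path": "/ops/oncall", "subGroups": []}]}],
    "users": [
        {"username": "alice", "clientRoles": {"realm-management": ["impersonation"]}},
        {"username": "bob", "realmRoles": ["helpdesk"]},
        {"username": "carol", "groups": ["/ops/oncall"]},
        {"username": "dave", "clientRoles": {"realm-management": ["manage-users"]}},
    ],
}

if __name__ == "__main__":
    print("impersonation role still present:", impersonation_role_present(SAMPLE_REALM))
    for user, via in impersonators(SAMPLE_REALM).items():
        print(f"{user}: can impersonate via {', '.join(via)}")
```

On the sample, alice (direct role), bob (realm composite) and carol (inherited from the /ops group) are reported while dave is not. The export only reflects what is in the database, which is exactly Marek's caveat: an admin with database access can change any of it, so the audit is a control on realm administrators, not on database administrators.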
From michael_furman at hotmail.com Mon Dec 5 03:57:33 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Mon, 5 Dec 2016 08:57:33 +0000
Subject: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)

Dear Keycloak people,

Please find below a suggestion that will allow the easiest integration of Keycloak behind an HTTPS reverse proxy.

I suggest adding to the Keycloak configuration a new property - the client URL. Then Keycloak will use the property when generating tokens or metadata (instead of relying on the incoming HTTP request). This will allow using Keycloak over HTTP and using SSL only in the reverse proxy.

An additional suggestion will allow configuring Keycloak to work behind a reverse proxy with Network Address Translation (NAT) (I have asked the question here: http://lists.jboss.org/pipermail/keycloak-user/2016-November/008454.html). I suggest adding to the Keycloak configuration an additional new property - the internal client URL. Then Keycloak will use the property in org.keycloak.protocol.oidc.OIDCWellKnownProvider and will create the well-known configuration with internal and external IPs. Clients will use the well-known configuration and will be able to connect to Keycloak without any problems.

What do you say about the suggestions? If you think it is good I will be happy to implement and test it during our integration with Keycloak.

Best regards,
Michael

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Gabriel Lavoie
Sent: Wednesday, November 30, 2016 6:33 PM
To: Andrey Saroul
Cc: keycloak-user
Subject: Re: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)

Hi Andrey,

The answer is "it depends". When generating tokens or metadata, Keycloak uses the scheme://hostname:port/ that was used to access it to fill the different issuers/URLs. The same values must match in the client JSON file so the client can validate the source of the token.

At the client level, this could be handled by having a custom translation step over the configuration that accepts both schemes and matches it to the issuer, not something that Keycloak seems to support natively last time I checked.

Doing SSO through multiple aliases always has this sort of issue. This is usually something that should be avoided. Can you keep Keycloak HTTPS and your application HTTP in your internal network?

Gabriel

2016-11-25 8:08 GMT-05:00 Andrey Saroul :
> We have an idea to isolate our application in our internal network so that all communication in that network can go by HTTP.
> So we've set up a public nginx server, which is responsible for establishing HTTPS connections.
> The public nginx server forwards requests to another nginx server in the secured internal network, which in turn accesses Keycloak and WildFly by HTTP.
> But this configuration is not working because of an invalid redirect issue.
> In our client's JSON file we have to define auth-server-url with the HTTPS scheme. When we try to specify HTTP, Keycloak no longer works.
> So my question: is it possible to make things work by HTTP in the internal private network and have HTTPS only remain for public access?
> Any guidance will be appreciated.
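Gabriel's point above (Keycloak fills the token issuer from the scheme://host:port it was reached on, and the adapter's keycloak.json must agree) is what makes Andrey's HTTPS-outside, HTTP-inside setup fail and what Michael's proposed "client URL" property would fix. The following added example (not Keycloak's or any adapter's code) reproduces the adapter-side check offline: it mints a token whose `iss` is derived the way Keycloak derives it, then validates it once against an adapter configured with the public HTTPS auth-server-url and once against the internal URL Keycloak was actually reached on. Keycloak signs with RS256; the demo uses HS256 with a constructed secret so it needs no key material, and hostnames, realm and the clock value are placeholders.

```python
"""Issuer check an OIDC adapter performs, as an added example for the
reverse-proxy thread (not Keycloak's or an adapter's code).  HS256 with a
constructed secret stands in for Keycloak's RS256 signing; the hosts, realm
and fixed clock are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # demo only, not a real key
NOW = 1_480_936_000                   # fixed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issuer_for_request(scheme: str, host: str, port: int, realm: str) -> str:
    """What Keycloak writes into `iss`: the URL the request arrived on.  Behind
    an HTTPS->HTTP proxy that is the internal plain-HTTP URL unless Keycloak
    is told to trust the proxy's forwarded headers."""
    default = (scheme == "https" and port == 443) or (scheme == "http" and port == 80)
    netloc = host if default else f"{host}:{port}"
    return f"{scheme}://{netloc}/auth/realms/{realm}"


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Adapter side: auth-server-url + /realms/ + realm from keycloak.json."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Stand-in for Keycloak issuing a signed token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check(token: str, secret: bytes, auth_server_url: str, realm: str, now=None):
    """Signature, then expiry, then issuer.  Returns (claims, None) when the
    token is accepted or (None, reason) naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header, payload, sig = parts
    expect = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _b64url_decode(sig)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None, "token expired"
    want = expected_issuer(auth_server_url, realm)
    if claims.get("iss") != want:
        return None, f"issuer mismatch: token {claims.get('iss')!r} != adapter {want!r}"
    return claims, None


def demo():
    """Returns (reason the public-URL adapter rejects the token,
    claims the internal-URL adapter accepts)."""
    # nginx reaches Keycloak over plain HTTP, so `iss` carries the internal URL.
    iss = issuer_for_request("http", "keycloak.internal", 8080, "demo")
    token = mint_hs256({"iss": iss, "sub": "alice", "exp": NOW + 300}, SECRET)
    # Adapter configured with the public HTTPS auth-server-url: mismatch.
    _, error = check(token, SECRET, "https://sso.example.com/auth", "demo", now=NOW)
    # Adapter configured with the URL Keycloak was actually reached on: accepted.
    claims, _ = check(token, SECRET, "http://keycloak.internal:8080/auth", "demo", now=NOW)
    return error, claims


if __name__ == "__main__":
    err, claims = demo()
    print("public auth-server-url:", err)
    print("internal auth-server-url: accepted subject", claims["sub"])
```

The issuer check is not optional on the adapter side: accepting any `iss` would let a token from a different realm or server pass signature validation against the wrong keys, so the fix belongs in the URL Keycloak uses, not in relaxing the client. Keycloak's documented way to get the public URL into `iss` without a new property is to enable `proxy-address-forwarding` on the Undertow HTTP listener and have nginx forward the X-Forwarded-Proto and Host headers; Michael's proposal would make the same outcome explicit configuration.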
From andrey.saroul at gmail.com Mon Dec 5 04:14:02 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Mon, 5 Dec 2016 12:14:02 +0300
Subject: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)

That's exactly the feature I've been looking for. That will solve our problem with the reverse proxy. I definitely vote for this feature to be implemented!

2016-12-05 11:57 GMT+03:00 Michael Furman :

From fabian.eriksson at gi-de.com Mon Dec 5 04:28:11 2016
From: fabian.eriksson at gi-de.com (Eriksson Fabian)
Date: Mon, 5 Dec 2016 09:28:11 +0000
Subject: [keycloak-user] Custom entity mapping to User entity

Hello!

We are currently looking for an authentication/authorization/access management provider to use for our applications and we happily stumbled upon Keycloak. As of this moment we are looking into whether Keycloak fits all of our requirements and, if it doesn't, how we can modify it to fit our needs.

So: we need to add our own entities to Keycloak (which we've seen is possible), but we also have to map some of these entities to the already existing User entity and, in the end, have it included inside the ID token.

If this is possible, could you maybe give us a short description of how to do this? That would be much appreciated.

Best Regards
Fabian Eriksson

From eduard.matuszak at worldline.com Mon Dec 5 05:48:02 2016
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Mon, 5 Dec 2016 10:48:02 +0000
Subject: [keycloak-user] Limit amount of active sessions
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E87995@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

Is it possible to limit the amount of active sessions a user can have? It would be appropriate for some of our use cases to restrict the maximum amount of sessions to 1, where in case of a repeated direct access login the token of the (still) active session should be returned, or alternatively additional logins should be rejected if an active token is on hand.

Best regards,
Eduard Matuszak

From celso.agra at gmail.com Mon Dec 5 05:48:15 2016
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 5 Dec 2016 07:48:15 -0300
Subject: [keycloak-user] synchronize Users in old database with keycloak Database

Hi all,

My question is about how I can synchronize my old database that contains users from another system with Keycloak (KC). I'm trying to migrate my authentication software (legacy) to Keycloak, but I'd like to keep the old users synchronized with the KC database.

If I use Service Provider Interfaces (SPI), I'll keep all users updated from Keycloak info. But what about the reverse path? Is there a way to update Keycloak with users from another database?

Thank you.
Best regards, Celso Agra From ruiwp_93 at hotmail.com Mon Dec 5 06:08:18 2016 From: ruiwp_93 at hotmail.com (ruiwp13) Date: Mon, 5 Dec 2016 04:08:18 -0700 (MST) Subject: [keycloak-user] Still active token after logout Message-ID: <1480936098431-1766.post@n6.nabble.com> Hello, I am trying to log out of my application through keycloak but when I call the logout function for a certain user it does delete the user session in keycloak but somehow the token is still active and I can access the information. I have set a base and admin url as the absolute path to my application which is hosted in a server. Did I set this the right way? If so, what is the problem? By the way, if I set a root and base URL I get the path duplicated in the clients page. Best Regards, Rui Neves -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766.html Sent from the keycloak-user mailing list archive at Nabble.com. From bruno at abstractj.org Mon Dec 5 06:08:14 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 5 Dec 2016 09:08:14 -0200 Subject: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA In-Reply-To: <613488450.1715844.1480707472611.JavaMail.zimbra@redhat.com> References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com> <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com> <20161202074148.GA27820@abstractj.org> <665165290.1639602.1480702281468.JavaMail.zimbra@redhat.com> <20161202183732.GA10860@abstractj.org> <613488450.1715844.1480707472611.JavaMail.zimbra@redhat.com> Message-ID: <20161205110814.GB10860@abstractj.org> On 2016-12-02, Scott Poore wrote: > > > ----- Original Message ----- > > From: "Bruno Oliveira" > > To: "Scott Poore" > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > Sent: Friday, December 2, 2016 12:37:32 PM > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA > > > > On 2016-12-02, Scott Poore wrote: > > > > > > > > > ----- Original 
Message ----- > > > > From: "Bruno Oliveira" > > > > To: "Scott Poore" > > > > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > > > > Sent: Friday, December 2, 2016 1:41:48 AM > > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA > > > > > > > > Hi Scott, sorry for the late response. > > > > > > > > From what I noticed, dbus-send works for you right? But I feel like the > > > > user running Keycloak process does not have access to > > > > /etc/sssd/sssd.conf, or is not the same running dbus-send. Is that true? > > > > > > Yes, that's one problem. I was running keycloak as keycloak user but > > > dbus-send as root. I also found where I had the wrong ownership on a java > > > keystore file for running https. > > > > > > > > > > > If yes, check if user running Keycloak is listed into sssd.conf > > > > 'allowed_uids' > > > > section. I saw that you managed to run dbus-send, but worth to ask. > > > > Is the user running dbus-send, the same starting Keycloak server process? > > > > > > That I was fixing. I just wasn't testing dbus-send as keycloak user. > > > > > > > > > > > I included a very simple check to make sure that Windows users don't see > > > > the > > > > SSSD > > > > Federation provider listed ? If the user running Keycloak does not have > > > > reading rights over /etc/sssd. > > > > > > By default /etc/sssd is 700 so no one but root can read that. Should I > > > just be running keycloak as root? (FYI, that's what I'm trying now). > > > > Do what for now, or add reading permissions to this folder to isolate > > the problem. > > > > > > > > > > > > > For troubleshooting some of these issues (because from time to time, I > > > > mess up with my environment), I have this docker image[1]. > > > > > > > > Speaking about KEYCLOAK-3902, I already fixed it. I will just include > > > > the integration tests to reproduce this scenario. > > > > > > I saw that it was at least scheduled to be fixed. 
Wasn't sure if the fix > > > was complete. > > > > > > So, what about my last issue where I cannot seem to authenticate as a > > > normal user I created in the realm from the Keycloak admin console? > > > > What you have at your logs? Have you installed jna and libunix RPMs? > > I opened a ticket to post logs too. I wasn't sure if you wanted those posted to the mailing list. > > https://issues.jboss.org/browse/KEYCLOAK-4019 > > In the ticket I also tried to post detailed description of my setup in the "Steps to Reproduce". Maybe that will show what I was doing wrong. > > I have not yet installed the jna or libunix RPMs in my current setup. My previous setup had them before I tried starting over to try to cut out all SSSD Provider related possible issues. So, I'm trying now with a clean install without using the SSSD Provider. But, it is still an ipa client so sssd was running. Do I still need jna and libunix installed if I'm not using SSSD? You only need JNA and libunix if you would like to enable SSSD Federation provider, other than that, ignore it. > > Should I also change the subject of the email to better reflect my current issue? Or we'll get back the SSSD in this thread when my other issue is resolved? I can be wrong. But looking at the description of your issue, it seems like more related with SAML2 setup, than SSSD federation provider setup. > > Thanks for all the help. > Scott > > > > > > > > > FYI, I'm trying to set this up on Fedora 24 if that makes any difference. > > > > > > [root at idp ~]# rpm -q java-1.8.0-openjdk > > > java-1.8.0-openjdk-1.8.0.111-3.b16.fc24.x86_64 > > > > > > [root at sp1 ~]# rpm -q httpd mod_auth_mellon > > > httpd-2.4.23-4.fc24.x86_64 > > > mod_auth_mellon-0.12.0-2.fc24.x86_64 > > > > > > > > > I also re-installed the client manually using mellon_create_metadata.sh and > > > importing the metadata file from the admin console. 
I see the same thing > > > so I don't think keycloak-httpd-client-install set up anything in a way to > > > cause this. > > > > > > It looks like it takes almost 12 minutes for something to time out when I > > > try accessing the SP from my browser. > > > > > > started: 11:53:55 by the clock on my desktop > > > ended: ~12:05:42 by the clock on my desktop > > > > > > Not sure if that helps at all but, thought I'd actually document it in case > > > it does help. > > > > > > When it does finally time out is when I see the "Internal Server Error". > > > And the location bar is pointing to the keycloak and does not seem to > > > have been redirected back to the SP. > > > > > > Does any of that sound familar? > > > > > > Thanks, > > > Scott > > > > > > > > > > > [1] - > > > > https://github.com/keycloak/keycloak-test-docker-images/tree/master/keycloak-sssd-integration-tests > > > > > > > > On 2016-12-01, Scott Poore wrote: > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Bill Burke" > > > > > > To: keycloak-user at lists.jboss.org > > > > > > Sent: Thursday, December 1, 2016 3:35:31 PM > > > > > > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for > > > > > > FreeIPA > > > > > > > > > > > > Can you run your example without SSSD? Isolate the problem to make > > > > > > sure > > > > > > that its not an SP configuration issue first. As far as SSSD setup > > > > > > goes, you're gonna have to talk to Bruno about that. Hopefully he > > > > > > chimes > > > > > > in. > > > > > > > > > > I tried adding a user to the existing setup from the admin console and > > > > > I > > > > > see an error and then I see this in the server.log: > > > > > > > > > > Caused by: org.keycloak.federation.sssd.api.SSSDException: Failed to > > > > > retrieve user's attributes. Check if SSSD service is active. 
> > > > > > > > > > I can't delete the sssd provider though because of this bug: > > > > > > > > > > https://issues.jboss.org/browse/KEYCLOAK-3902 > > > > > > > > > > I started over fresh without the SSSD Provider setup. It does appear > > > > > that > > > > > I'm not able to even authenticate as a user created from the admin > > > > > console. > > > > > > > > > > I've bumped logging up to info on both Keycloak and httpd on the SP > > > > > but, I > > > > > still don't see much there. Any suggestion on where to go from here? > > > > > > > > > > Thanks, > > > > > Scott > > > > > > > > > > > > > > > > > > > > > > > > > > > > On 12/1/16 4:21 PM, Scott Poore wrote: > > > > > > > Hi, > > > > > > > > > > > > > > I am trying to setup Keycloak version 2.4.0 with FreeIPA > > > > > > > integration > > > > > > > using > > > > > > > the SSSD Provider. I am following the Server Administration Guide > > > > > > > but, > > > > > > > I'm hitting some error. I'm not sure if it's a bug or a > > > > > > > configuration > > > > > > > issue on my part. > > > > > > > > > > > > > > This is the link I was following: > > > > > > > > > > > > > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/user-federation/sssd.html > > > > > > > > > > > > > > The difference in setup though is that I'm not using the docker > > > > > > > image. > > > > > > > Instead I'm using a separate FreeIPA Master server that I have > > > > > > > setup as > > > > > > > a > > > > > > > separate VM. 
I have confirmed that SSSD-DBUS is working:
> > > > > > >
> > > > > > > [root at idp ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:testuser
> > > > > > > method return time=1480625438.634684 sender=:1.26 -> destination=:1.29 serial=17 reply_serial=2
> > > > > > > array [
> > > > > > > string "ipausers"
> > > > > > > ]
> > > > > > >
> > > > > > > For the SP, I set up a basic Apache setup with mod_auth_mellon using
> > > > > > >
> > > > > > > keycloak-httpd-client-install \
> > > > > > > --client-originate-method registration \
> > > > > > > --keycloak-server-url https://idp.keycloak.test:8443 \
> > > > > > > --keycloak-admin-username admin \
> > > > > > > --keycloak-admin-password PASSWORD \
> > > > > > > --app-name testapp \
> > > > > > > --keycloak-realm test_realm \
> > > > > > > --mellon-root mroot \
> > > > > > > --mellon-protected-locations "/mroot/private" \
> > > > > > > --force
> > > > > > >
> > > > > > > When I try to log in to the SP, it redirects as expected to the Keycloak
> > > > > > > server and waits for a while before returning:
> > > > > > >
> > > > > > > Internal Server Error
> > > > > > >
> > > > > > > From the httpd access log I can see:
> > > > > > >
> > > > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/private HTTP/1.1" 303 384 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > > > > 192.168.122.1 - - [01/Dec/2016:14:07:04 -0600] "GET /mroot/mellon/login?ReturnTo=http%3A%2F%2Fsp1.keycloak.test%2Fmroot%2Fprivate&IdP=https%3A%2F%2Fidp.keycloak.test%3A8443%2Fauth%2Frealms%2Ftest_realm HTTP/1.1" 303 1320 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36"
> > > > > > >
> > > > > > > From the admin console, I can see what appears to be an active session for the client.
> > > > > > >
> > > > > > > From the Keycloak server.log I can see:
> > > > > > >
> > > > > > > 2016-12-01 14:14:31,576 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e aborting with 1 threads active!
> > > > > > > 2016-12-01 14:14:31,578 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
> > > > > > > 2016-12-01 14:14:31,579 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > > > 2016-12-01 14:15:50,617 WARN [com.arjuna.ats.arjuna] (default task-25) ARJUNA012077: Abort called on already aborted atomic action 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > > > 2016-12-01 14:15:50,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002025: Unknown exception while executing POST /realms/test_realm/login-actions/authenticate: java.lang.RuntimeException: javax.transaction.RollbackException: ARJUNA016102: The transaction is not active! Uid is 0:ffffc0a87abf:7c36d3eb:58406454:81e
> > > > > > >
> > > > > > > Leaving out the traceback for brevity. I can send that if needed/wanted.
> > > > > > >
> > > > > > > When I log out the session and set SSSD debug_level to 9 and restart sssd,
> > > > > > > keycloak, and httpd (on the SP), I do see SSSD looking up the user. I can
> > > > > > > provide the SSSD logs if it helps.
> > > > > > >
> > > > > > > So, how do I go about troubleshooting this issue? Are there any steps
> > > > > > > missing from the SSSD Provider doc?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Scott
> > > > > > >

--
abstractj
PGP: 0x84DC9914

From mposolda at redhat.com Mon Dec 5 06:25:53 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Dec 2016 12:25:53 +0100
Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend
In-Reply-To:
References: <402a244e-5503-f9c9-41e0-f95ec2f303d6@redhat.com>
Message-ID:

Yeah, that's my experience too. I did the Keycloak integration with FreeIPA through LDAP FederationProvider a long time ago with the docker image [1].

The update of simple attributes of existing users worked (eg. If I updated firstName of the user "john" in Keycloak, it was propagated through the LDAP FederationProvider to the FreeIPA LDAP and was updated correctly).

However registration of new users from Keycloak doesn't work. I assumed the SSSD interface will be able to register new users from Keycloak as well?

Marek

[1] https://github.com/mposolda/keycloak-freeipa-docker

On 04/12/16 19:58, Marc Boorshtein wrote:
>> Their LDAP front-end doesn't support writes?
>
> FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to
> store its objects. For the most part you can use the LDAP interface for
> reads but for writes different rules apply because a single "user" can be
> comprised of multiple objects across the DIT. As an example, if you create
> a user via LDAP you can probably authenticate via LDAP but you won't be
> able to via Kerberos. Also, if you provision an sshkey via LDAP it won't
> work.
>
> The only way to reliably create users and add users to groups is through
> the FreeIPA web services, for supported attributes. Not all attributes can
> be provisioned via the webservices. Only if it's visible in the webui.
> Otherwise you need to provision via LDAP. So as an example, carLicense can
> be provisioned via the web services but I think roomNumber or
> departmentNumber (I'd need to double check) are NOT supported unless you
> extend the webui (there's a way to do it if you google it).

From mposolda at redhat.com Mon Dec 5 06:27:45 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Dec 2016 12:27:45 +0100
Subject: [keycloak-user] Limit amount of active sessions
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723E87995@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723E87995@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID:

Not yet. You can create a custom Authenticator implementation to handle this. See docs and examples for Authentication SPI for more details.
Marek On 05/12/16 11:48, Matuszak, Eduard wrote: > Hello > > Is it possible to limit the amount of active sessions a user can have? It would be appropriate for some of our use cases to restrict the maximum amount of sessions to 1 where in case of a repeated direct access login the token of the (still) active session should be returned or alternatively additional logins should be rejected if an active token is on-hand. > > Best regards, Eduard Matuszak > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Dec 5 06:30:31 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 5 Dec 2016 12:30:31 +0100 Subject: [keycloak-user] Still active token after logout In-Reply-To: <1480936098431-1766.post@n6.nabble.com> References: <1480936098431-1766.post@n6.nabble.com> Message-ID: <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com> If you set the "root URL" then all the other URLs must be relative to that URL. So if you rather prefer to set absolute paths in your other URLs, then don't set any "Root URL" at all. See the tooltip in admin console. Marek On 05/12/16 12:08, ruiwp13 wrote: > Hello, > > I am trying to log out of my application through keycloak but when I call > the logout function for a certain user it does delete the user session in > keycloak but somehow the token is still active and I can access the > information. I have set a base and admin url as the absolute path to my > application which is hosted in a server. Did I set this the right way? If > so, what is the problem? > By the way, if I set a root and base URL I get the path duplicated in the > clients page. > > Best Regards, > Rui Neves > > > > -- > View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766.html > Sent from the keycloak-user mailing list archive at Nabble.com. 
From mposolda at redhat.com Mon Dec 5 06:32:59 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Dec 2016 12:32:59 +0100
Subject: [keycloak-user] synchronize Users in old database with keycloak Database
In-Reply-To:
References:
Message-ID:

On 05/12/16 11:48, Celso Agra wrote:
> Hi all,
>
> My question is about how I can synchronize my old database that contains
> users from another system with keycloak (kc).
>
> I'm trying to migrate my authentication software (legacy) to keycloak, but
> I'd like to keep the old users synchronized with the kc database.
>
> If I use Service Provider Interfaces (spi), I'll keep all users updated
> from keycloak info. But what about the reverse path? Is there a way to
> update keycloak with users from another database?
Yes. For example if you have Keycloak configured with the LDAP userStorage provider and you add some user directly to your LDAP server, Keycloak will see this new user automatically. See docs and examples for userStorage/userFederation for more details. (The docs are work in progress though).

Marek
>
> Thank you.
>
> Best regards,
>
> Celso Agra

From mposolda at redhat.com Mon Dec 5 06:35:31 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Dec 2016 12:35:31 +0100
Subject: [keycloak-user] Custom entity mapping to User entity
In-Reply-To:
References:
Message-ID: <97dcfb99-b66c-4c96-7212-5e2b059e600d@redhat.com>

If you already have some existing entity (which means that you have some existing DB with your entities), then it's probably best to write your own userStorage provider.
See docs and examples for more details (The docs are work in progress though)

Marek

On 05/12/16 10:28, Eriksson Fabian wrote:
> Hello!
>
> We are currently looking for an authentication/authorization/access management provider to use for our applications and we happily stumbled upon Keycloak. As of this moment we are looking into whether Keycloak fits all of our requirements and, if it doesn't, how we can modify it to fit our needs.
>
> So; we need to add our own entities to Keycloak (which we've seen is possible) but we also have to map some of these entities to the already existing User entity and in the end, have it included inside the ID token.
>
> If this is possible, could you maybe give us a short description of how to do this, that would be much appreciated
>
> Best Regards
> Fabian Eriksson

From ruiwp_93 at hotmail.com Mon Dec 5 07:31:42 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Mon, 5 Dec 2016 05:31:42 -0700 (MST)
Subject: [keycloak-user] Still active token after logout
In-Reply-To: <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com>
References: <1480936098431-1766.post@n6.nabble.com> <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com>
Message-ID: <1480941102558-1773.post@n6.nabble.com>

Thank you very much for your answer Marek.
Yes, I have set all to absolute paths.
I only have the admin and base URLs defined. Basically what happens is that, if I push a not-before revocation for all tokens it communicates with my jersey server and it invalidates all tokens immediately and I get 401 when I make a new request. But, when I make a logout through the admin-client library, it ends the session in keycloak but the token is still active in jersey.
So, I think it is communicating with the server as the revocation works properly and when I change the admin URL and try the revocation again the tokens remain active. Is there any chance that this is a problem in the logout function? I am using the version 2.1.0 Final and I am logging out like this: kc.realm({realm}).users().get({user_id}).logout(); Best Regards, Rui Neves Marek Posolda wrote > If you set the "root URL" then all the other URLs must be relative to > that URL. So if you rather prefer to set absolute paths in your other > URLs, then don't set any "Root URL" at all. See the tooltip in admin > console. > > Marek > > On 05/12/16 12:08, ruiwp13 wrote: >> Hello, >> >> I am trying to log out of my application through keycloak but when I call >> the logout function for a certain user it does delete the user session in >> keycloak but somehow the token is still active and I can access the >> information. I have set a base and admin url as the absolute path to my >> application which is hosted in a server. Did I set this the right way? If >> so, what is the problem? >> By the way, if I set a root and base URL I get the path duplicated in the >> clients page. >> >> Best Regards, >> Rui Neves >> >> >> >> -- >> View this message in context: >> http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766.html >> Sent from the keycloak-user mailing list archive at Nabble.com. >> _______________________________________________ >> keycloak-user mailing list >> > keycloak-user at .jboss >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at .jboss > https://lists.jboss.org/mailman/listinfo/keycloak-user -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1773.html Sent from the keycloak-user mailing list archive at Nabble.com. 
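To make the distinction in Rui's report concrete, here is a constructed model, added as an example and not code from this thread or from Keycloak, of what a token-validating service can and cannot know after each kind of revocation: a pushed not-before timestamp rejects every token issued before it, while a server-side session logout only reaches the service through a backchannel message that names the session ids. The HMAC key, claim values and session ids are constructed for the example (Keycloak itself signs tokens with the realm's RSA key).

```python
"""Constructed model of adapter-side token acceptance (example only, not
Keycloak's adapter code). Two revocation signals are modelled: a pushed
not-before timestamp and a backchannel logout naming session ids."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the realm signing key; a real realm uses RSA.
REALM_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=REALM_KEY):
    """Build header.payload.signature with an HS256-style HMAC (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url(sig)


def parse_token(token, key=REALM_KEY):
    """Verify the HMAC and return the claims; raise ValueError otherwise."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    signing_input = (header + "." + payload).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class AdapterState:
    """What a resource server remembers between requests (constructed model)."""

    def __init__(self):
        self.not_before = 0               # set by a pushed not-before policy
        self.logged_out_sessions = set()  # ids named in a backchannel logout

    def push_not_before(self, timestamp):
        # Every token with iat earlier than the timestamp is rejected at once.
        self.not_before = max(self.not_before, timestamp)

    def backchannel_logout(self, session_ids):
        # Only the named sessions are affected; other tokens stay valid.
        self.logged_out_sessions.update(session_ids)

    def check(self, token, now):
        """Return (accepted, reason) for a bearer token presented at time now."""
        try:
            claims = parse_token(token)
        except ValueError as exc:
            return False, str(exc)
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if claims.get("iat", 0) < self.not_before:
            return False, "issued before not-before"
        if claims.get("session_state") in self.logged_out_sessions:
            return False, "session logged out"
        return True, "ok"


def walkthrough():
    """Replay the sequence from the thread and return each step's verdict."""
    adapter = AdapterState()
    token = mint_token({"sub": "constructed-user", "iat": 1000, "exp": 1300,
                        "session_state": "sess-1"})  # constructed claims
    steps = [("fresh token", adapter.check(token, now=1100)[0])]
    # The session is removed server-side, but no backchannel message reaches
    # the adapter: it has nothing to go on, so the token is still accepted.
    steps.append(("after server-only logout", adapter.check(token, now=1100)[0]))
    adapter.backchannel_logout({"sess-1"})
    steps.append(("after backchannel logout", adapter.check(token, now=1100)[0]))
    # A pushed not-before, as observed in the thread, invalidates every
    # token issued before it regardless of session.
    adapter2 = AdapterState()
    adapter2.push_not_before(1001)
    steps.append(("after not-before push", adapter2.check(token, now=1100)[0]))
    return steps


if __name__ == "__main__":
    for name, accepted in walkthrough():
        print("%-26s -> %s" % (name, "accepted" if accepted else "rejected"))
```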
From fabian.eriksson at gi-de.com Mon Dec 5 08:04:34 2016 From: fabian.eriksson at gi-de.com (Eriksson Fabian) Date: Mon, 5 Dec 2016 13:04:34 +0000 Subject: [keycloak-user] Custom entity mapping to User entity In-Reply-To: <97dcfb99-b66c-4c96-7212-5e2b059e600d@redhat.com> References: <97dcfb99-b66c-4c96-7212-5e2b059e600d@redhat.com> Message-ID: Thank you for replying Marek! We don't have an existing DB with our entities, but in order to fill the requirements for older applications we have we need to add custom entities to Keycloak which have to be linked to the User entity (just like the Group entities). Are these custom mappings something you support or would you still recommend creating our own User Provider? Best Regards Fabian Eriksson -----Original Message----- From: Marek Posolda [mailto:mposolda at redhat.com] Sent: den 5 december 2016 12:36 To: Eriksson Fabian; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Custom entity mapping to User entity If you already have some existing entity (which means that you have some existing DB with your entities), then it's probably best to write your own userStorage provider. See docs and examples for more details (The docs is work in progress though) Marek On 05/12/16 10:28, Eriksson Fabian wrote: > Hello! > > We are currently looking for an authentication/authorization/access management provider to use for our applications and we happily stumbled upon Keycloak. As of this moment we are looking into if Keycloak fits all of our requirements and if it doesn't how we can modify it to fit our needs. > > So; we need to add our own entities to Keycloak (which we've seen is possible) but we also have to map some of these entities to the already existing User entity and in the end, have it included inside the ID token. 
>
> If this is possible, could you maybe give us a short description of
> how to do this, that would be much appreciated
>
> Best Regards
> Fabian Eriksson

From sblanc at redhat.com Mon Dec 5 08:25:13 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 5 Dec 2016 14:25:13 +0100
Subject: [keycloak-user] Spring boot and spring security adapters
In-Reply-To:
References:
Message-ID:

For Spring Boot you can directly write the keycloak config in the application.properties file, look at the documentation: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-boot-adapter.html

On Fri, Dec 2, 2016 at 9:09 PM, Brian Schwartz wrote:
> I'm using keycloak 2.3.0.final spring boot and spring security adapters.
> The spring security adapter requires a keycloak.json file to be in web-inf
> but I don't have that or web.xml. How do I change where the keycloak
> adapter looks for keycloak.json?

From schwartzbj17 at gmail.com Mon Dec 5 08:37:43 2016
From: schwartzbj17 at gmail.com (Brian Schwartz)
Date: Mon, 5 Dec 2016 07:37:43 -0600
Subject: [keycloak-user] Spring boot and spring security adapters
In-Reply-To:
References:
Message-ID:

Not if you're also using the spring security adapter. I figured out my issue. Can't use the spring boot adapter and spring security adapter together. Removed the spring boot adapter and added the keycloak.json file location property to the application.properties file. Now it works. Thanks all.
On Dec 5, 2016 7:25 AM, "Sebastien Blanc" wrote:
> For Spring Boot you can directly write the keycloak config in the
> application.properties file, look at the documentation:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-boot-adapter.html
>
> On Fri, Dec 2, 2016 at 9:09 PM, Brian Schwartz wrote:
>
>> I'm using keycloak 2.3.0.final spring boot and spring security adapters.
>> The spring security adapter requires a keycloak.json file to be in web-inf
>> but I don't have that or web.xml. How do I change where the keycloak
>> adapter looks for keycloak.json?

From bruno at abstractj.org Mon Dec 5 08:39:14 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 5 Dec 2016 11:39:14 -0200
Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend
In-Reply-To:
References: <402a244e-5503-f9c9-41e0-f95ec2f303d6@redhat.com>
Message-ID: <20161205133913.GA18150@abstractj.org>

On 2016-12-05, Marek Posolda wrote:
> Yeah, that's my experience too. I did the Keycloak integration with
> FreeIPA through LDAP FederationProvider a long time ago with the docker
> image [1].
>
> The update of simple attributes of existing users worked (eg. If I
> updated firstName of the user "john" in Keycloak, it was propagated
> through the LDAP FederationProvider to the FreeIPA LDAP and was updated
> correctly).
>
> However registration of new users from Keycloak doesn't work. I assumed
> the SSSD interface will be able to register new users from Keycloak as well?

I don't think so. The SSSD interface is read-only and the addition of a registration interface is unlikely to happen on SSSD. Today, to manage or change users, unfortunately all you can do is go through the IPA interface. There's a mention of ipa help permission, but I haven't tried it yet.

>
> Marek
>
> [1] https://github.com/mposolda/keycloak-freeipa-docker
>
> On 04/12/16 19:58, Marc Boorshtein wrote:
> >> Their LDAP front-end doesn't support writes?
> >
> > FreeIPA doesn't have an "LDAP front-end", it relies on the 389 directory to
> > store its objects. For the most part you can use the LDAP interface for
> > reads but for writes different rules apply because a single "user" can be
> > comprised of multiple objects across the DIT. As an example, if you create
> > a user via LDAP you can probably authenticate via LDAP but you won't be
> > able to via Kerberos. Also, if you provision an sshkey via LDAP it won't
> > work.
> >
> > The only way to reliably create users and add users to groups is through
> > the FreeIPA web services, for supported attributes. Not all attributes can
> > be provisioned via the webservices. Only if it's visible in the webui.
> > Otherwise you need to provision via LDAP. So as an example, carLicense can
> > be provisioned via the web services but I think roomNumber or
> > departmentNumber (I'd need to double check) are NOT supported unless you
> > extend the webui (there's a way to do it if you google it).
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From spoore at redhat.com Mon Dec 5 08:42:32 2016 From: spoore at redhat.com (Scott Poore) Date: Mon, 5 Dec 2016 08:42:32 -0500 (EST) Subject: [keycloak-user] Keycloak 2.4 SAML2 login issue In-Reply-To: <20161205110814.GB10860@abstractj.org> References: <1277361515.1442339.1480627283517.JavaMail.zimbra@redhat.com> <1232646860.1512196.1480642156076.JavaMail.zimbra@redhat.com> <20161202074148.GA27820@abstractj.org> <665165290.1639602.1480702281468.JavaMail.zimbra@redhat.com> <20161202183732.GA10860@abstractj.org> <613488450.1715844.1480707472611.JavaMail.zimbra@redhat.com> <20161205110814.GB10860@abstractj.org> Message-ID: <1826965361.2017490.1480945352396.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bruno Oliveira" > To: "Scott Poore" > Cc: "Bill Burke" , keycloak-user at lists.jboss.org > Sent: Monday, December 5, 2016 5:08:14 AM > Subject: Re: [keycloak-user] Keycloak 2.4 SSSD Provider setup for FreeIPA > > On 2016-12-02, Scott Poore wrote: ... > > > From: "Bruno Oliveira" ... > > > On 2016-12-02, Scott Poore wrote: ... > > > > So, what about my last issue where I cannot seem to authenticate as a > > > > normal user I created in the realm from the Keycloak admin console? > > > > > > What you have at your logs? Have you installed jna and libunix RPMs? > > > > I opened a ticket to post logs too. I wasn't sure if you wanted those > > posted to the mailing list. > > > > https://issues.jboss.org/browse/KEYCLOAK-4019 > > > > In the ticket I also tried to post detailed description of my setup in the > > "Steps to Reproduce". Maybe that will show what I was doing wrong. > > > > I have not yet installed the jna or libunix RPMs in my current setup. 
My
> > previous setup had them before I tried starting over to try to cut out all
> > SSSD Provider related possible issues. So, I'm trying now with a clean
> > install without using the SSSD Provider. But, it is still an ipa client
> > so sssd was running. Do I still need jna and libunix installed if I'm not
> > using SSSD?
>
> You only need JNA and libunix if you would like to enable the SSSD
> Federation provider, other than that, ignore it.
>
> >
> > Should I also change the subject of the email to better reflect my current
> > issue? Or we'll get back to the SSSD in this thread when my other issue is
> > resolved?
>
> I can be wrong. But looking at the description of your issue, it seems
> more related to the SAML2 setup than to the SSSD federation provider setup.
>

Ok, I changed the subject to try to better match the issue.

Are you able to tell from the logs I posted to the ticket why the login is timing out?

Thanks,
Scott

From mposolda at redhat.com Mon Dec 5 09:57:15 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Dec 2016 15:57:15 +0100
Subject: [keycloak-user] Still active token after logout
In-Reply-To: <1480941102558-1773.post@n6.nabble.com>
References: <1480936098431-1766.post@n6.nabble.com> <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com> <1480941102558-1773.post@n6.nabble.com>
Message-ID: <4dc91cdf-e27e-69c1-c03d-926790b29824@redhat.com>

Could you see something in the log if you enable logging for category "org.keycloak.services.managers.ResourceAdminManager"?

On 05/12/16 13:31, ruiwp13 wrote:
> Thank you very much for your answer Marek.
> Yes, I have set all to absolute paths.
> I only have the admin and base URLs defined. Basically what happens is
> that, if I push a not-before revocation for all tokens it communicates with
> my jersey server and it invalidates all tokens immediately and I get 401 when
> I make a new request.
But, when I make a logout through the admin-client > library, it ends the session in keycloak but the token is still active in > jersey. So, I think it is communicating with the server as the revocation > works properly and when I change the admin URL and try the revocation again > the tokens remain active. Is there any chance that this is a problem in the > logout function? I am using the version 2.1.0 Final and I am logging out > like this: > > kc.realm({realm}).users().get({user_id}).logout(); > > Best Regards, > Rui Neves > > > Marek Posolda wrote >> If you set the "root URL" then all the other URLs must be relative to >> that URL. So if you rather prefer to set absolute paths in your other >> URLs, then don't set any "Root URL" at all. See the tooltip in admin >> console. >> >> Marek >> >> On 05/12/16 12:08, ruiwp13 wrote: >>> Hello, >>> >>> I am trying to log out of my application through keycloak but when I call >>> the logout function for a certain user it does delete the user session in >>> keycloak but somehow the token is still active and I can access the >>> information. I have set a base and admin url as the absolute path to my >>> application which is hosted in a server. Did I set this the right way? If >>> so, what is the problem? >>> By the way, if I set a root and base URL I get the path duplicated in the >>> clients page. >>> >>> Best Regards, >>> Rui Neves >>> >>> >>> >>> -- >>> View this message in context: >>> http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766.html >>> Sent from the keycloak-user mailing list archive at Nabble.com. 
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1773.html
> Sent from the keycloak-user mailing list archive at Nabble.com.

From mposolda at redhat.com Mon Dec 5 09:59:35 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Dec 2016 15:59:35 +0100
Subject: [keycloak-user] Custom entity mapping to User entity
In-Reply-To:
References: <97dcfb99-b66c-4c96-7212-5e2b059e600d@redhat.com>
Message-ID: <5d8735fd-16ff-7d41-0057-b79d833ac5a2@redhat.com>

Ah, so it's the "User" entity from the Keycloak DB, not your own? Yes, that is supported. See docs [1] and example [2].

[1] https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/extensions.html
[2] https://github.com/keycloak/keycloak/tree/master/examples/providers/domain-extension

Marek

On 05/12/16 14:04, Eriksson Fabian wrote:
> Thank you for replying Marek!
>
> We don't have an existing DB with our entities, but in order to fill the requirements for older applications we have, we need to add custom entities to Keycloak which have to be linked to the User entity (just like the Group entities). Are these custom mappings something you support or would you still recommend creating our own User Provider?
> > Best Regards > Fabian Eriksson > > -----Original Message----- > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: den 5 december 2016 12:36 > To: Eriksson Fabian; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Custom entity mapping to User entity > > If you already have some existing entity (which means that you have some existing DB with your entities), then it's probably best to write your own userStorage provider. See docs and examples for more details (The docs is work in progress though) > > Marek > > On 05/12/16 10:28, Eriksson Fabian wrote: >> Hello! >> >> We are currently looking for an authentication/authorization/access management provider to use for our applications and we happily stumbled upon Keycloak. As of this moment we are looking into if Keycloak fits all of our requirements and if it doesn't how we can modify it to fit our needs. >> >> So; we need to add our own entities to Keycloak (which we've seen is possible) but we also have to map some of these entities to the already existing User entity and in the end, have it included inside the ID token. 
>>
>> If this is possible, could you maybe give us a short description of
>> how to do this, that would be much appreciated
>>
>> Best Regards
>> Fabian Eriksson

From ruiwp_93 at hotmail.com Mon Dec 5 10:09:02 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Mon, 5 Dec 2016 08:09:02 -0700 (MST)
Subject: [keycloak-user] Still active token after logout
In-Reply-To: <4dc91cdf-e27e-69c1-c03d-926790b29824@redhat.com>
References: <1480936098431-1766.post@n6.nabble.com> <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com> <1480941102558-1773.post@n6.nabble.com> <4dc91cdf-e27e-69c1-c03d-926790b29824@redhat.com>
Message-ID: <1480950542695-1781.post@n6.nabble.com>

How can I do it? I don't have the package org.keycloak.services

Marek Posolda wrote
> Could you see something in the log if you enable logging for category
> "org.keycloak.services.managers.ResourceAdminManager"?
>
> On 05/12/16 13:31, ruiwp13 wrote:
>> Thank you very much for your answer Marek.
>> Yes, I have set all to absolute paths.
>> I only have the admin and base URLs defined. Basically what happens is
>> that, if I push a not-before revocation for all tokens it communicates with
>> my jersey server and it invalidates all tokens immediately and I get 401 when
>> I make a new request. But, when I make a logout through the admin-client
>> library, it ends the session in keycloak but the token is still active in
>> jersey. So, I think it is communicating with the server as the revocation
>> works properly and when I change the admin URL and try the revocation again
>> the tokens remain active.
Is there any chance that this is a problem in >> the >> logout function? I am using the version 2.1.0 Final and I am logging out >> like this: >> >> kc.realm({realm}).users().get({user_id}).logout(); >> >> Best Regards, >> Rui Neves >> >> >> Marek Posolda wrote >>> If you set the "root URL" then all the other URLs must be relative to >>> that URL. So if you rather prefer to set absolute paths in your other >>> URLs, then don't set any "Root URL" at all. See the tooltip in admin >>> console. >>> >>> Marek >>> >>> On 05/12/16 12:08, ruiwp13 wrote: >>>> Hello, >>>> >>>> I am trying to log out of my application through keycloak but when I >>>> call >>>> the logout function for a certain user it does delete the user session >>>> in >>>> keycloak but somehow the token is still active and I can access the >>>> information. I have set a base and admin url as the absolute path to my >>>> application which is hosted in a server. Did I set this the right way? >>>> If >>>> so, what is the problem? >>>> By the way, if I set a root and base URL I get the path duplicated in >>>> the >>>> clients page. >>>> >>>> Best Regards, >>>> Rui Neves >>>> >>>> >>>> >>>> -- >>>> View this message in context: >>>> http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766.html >>>> Sent from the keycloak-user mailing list archive at Nabble.com. >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> >>> keycloak-user at .jboss >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at .jboss >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> -- >> View this message in context: >> http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1773.html >> Sent from the keycloak-user mailing list archive at Nabble.com. 
>> _______________________________________________ >> keycloak-user mailing list >> > keycloak-user at .jboss >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at .jboss > https://lists.jboss.org/mailman/listinfo/keycloak-user -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1781.html Sent from the keycloak-user mailing list archive at Nabble.com. From bburke at redhat.com Mon Dec 5 10:28:08 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 5 Dec 2016 10:28:08 -0500 Subject: [keycloak-user] Custom entity mapping to User entity In-Reply-To: References: Message-ID: <4c270b3b-82f1-5811-6db4-d02ae4754daa@redhat.com> https://keycloak.gitbooks.io/server-developer-guide/content/v/master/topics/user-storage.html should be usable in 2.4.0. 2.5.0 has a few minor changes. On 12/5/16 4:28 AM, Eriksson Fabian wrote: > Hello! > > We are currently looking for an authentication/authorization/access management provider to use for our applications and we happily stumbled upon Keycloak. As of this moment we are looking into if Keycloak fits all of our requirements and if it doesn't how we can modify it to fit our needs. > > So; we need to add our own entities to Keycloak (which we've seen is possible) but we also have to map some of these entities to the already existing User entity and in the end, have it included inside the ID token. 
> > If this is possible, could you maybe give us a short description of how to do this, that would be much appreciated > > Best Regards > Fabian Eriksson > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Mon Dec 5 10:30:19 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 5 Dec 2016 10:30:19 -0500 Subject: [keycloak-user] synchronize Users in old database with keycloak Database In-Reply-To: References: Message-ID: https://keycloak.gitbooks.io/server-developer-guide/content/v/master/topics/user-storage.html see ImportSynchronization interface On 12/5/16 5:48 AM, Celso Agra wrote: > Hi all, > > My question is about, how can I synchronize my old database that contains > users from another system with keycloak (kc). > > I'm trying to migrate my authentication software (legacy) to keycloak, but > I'd like to keep the old users synchronized with the kc database. > > If I use Service Provider Interfaces (spi), I'll keep all users updated > from keycloak info. But what about the reverse path? Is there a way to > update keycloak with users from another database? > > Thank you. > > Best regards, > > Celso Agra > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Mon Dec 5 11:04:38 2016 From: lists at merit.unu.edu (lists) Date: Mon, 5 Dec 2016 17:04:38 +0100 Subject: [keycloak-user] active directory | change password after first login and account expiration Message-ID: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> Hi, We have connected keycloak to our active directory (samba4-based) and selected the "MSAD account controls" under mappings. I thought this would give us access to dialogues like "Your password is about to expire in X days. Would you like to change it now?"
or "You need to change your password after your first logon", etc. This does not seem to happen here. Is there anything else we need to do to get this functionality? MJ From georgijsr at scandiweb.com Mon Dec 5 11:11:46 2016 From: georgijsr at scandiweb.com (Georgijs Radovs) Date: Mon, 5 Dec 2016 18:11:46 +0200 Subject: [keycloak-user] Keycloak - Managing multiple values from a single attribute from FreeIPA. Message-ID: Hello everyone! Is it possible to display multiple values from "ipaSshPubKey" attribute from FreeIPA in Keycloak user account portal? For example: User account in FreeIPA has 3 SSH public keys stored as values in "ipaSshPubKey" attribute. Is it possible to fetch these 3 SSH public keys and display them in user account portal? The main goal I want to achieve, is for users, who have multiple SSH public keys in FreeIPA user accounts, to be able to manage them from Keycloak user portal. -- From lists at merit.unu.edu Mon Dec 5 12:13:36 2016 From: lists at merit.unu.edu (lists) Date: Mon, 5 Dec 2016 18:13:36 +0100 Subject: [keycloak-user] active directory | change password after first login and account expiration In-Reply-To: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> References: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> Message-ID: <42c372a8-07dc-47cc-e27a-c108ac74c80f@merit.unu.edu> More specific info, and some examples. This is on keycloak 2.3.0.Final, and I have configured the AD as a WRITABLE source. On 5-12-2016 17:04, lists wrote: > This does not seem to happen here. Is there anything else we need to do > to get this functionality? Setting the accountflag "user must change password at next logon" in ADUC gets imported into the keycloak's "Update-Password" flag. Good. However, when the "Update-Password"-flag is set, that user can no longer authenticate in keycloak at all, because of "Invalid Username or Password". Not expected..? Also my test account will expire in 5 days. 
But keycloak does not generate a warning like "You need to change your password in X days". I'm simply granted access. So, then for some more testing: Removing the "User must change password at next logon" in ADUC, sync AD into keycloak, and logging directly into the 'account' client on https://keycloak.company.com/auth/realms/domain/account: Access granted, now let's do some editing: - I can edit my first and lastname & changes are synced back to AD - I can edit email address, save, but the change is NOT synced back to AD (and afterwards I can no longer edit my email back, because "User with username 'test' already exists in Keycloak. It conflicts with LDAP user with email 'test at company.com') Keycloak still only lists ONE user, searching for 'test'. Then finally, trying to change a password gives an error: > Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com] Are the above things working for others, or am I hitting some keycloak bugs here? MJ From bruno at abstractj.org Mon Dec 5 12:40:39 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 5 Dec 2016 15:40:39 -0200 Subject: [keycloak-user] Keycloak - Managing multiple values from a single attribute from FreeIPA. In-Reply-To: References: Message-ID: <20161205174039.GA8204@abstractj.org> Hi, at the moment we do not support such thing. From my pov, managing SSH keys seems a bit out of context for Keycloak and also an overlapping with IPA Web UI. On 2016-12-05, Georgijs Radovs wrote: > Hello everyone! > > Is it possible to display multiple values from "ipaSshPubKey" attribute > from FreeIPA in Keycloak user account portal? > > For example: > > User account in FreeIPA has 3 SSH public keys stored as values in > "ipaSshPubKey" attribute. > > Is it possible to fetch these 3 SSH public keys and display them in user > account portal? 
> > The main goal I want to achieve, is for users, who have multiple SSH > public keys in FreeIPA user accounts, to be able to manage them from > Keycloak user portal. > > > -- > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914

From abhi.raghav007 at gmail.com Mon Dec 5 14:49:00 2016 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Tue, 6 Dec 2016 01:19:00 +0530 Subject: [keycloak-user] Considering removing Mongo support In-Reply-To: References: Message-ID: Hey Stian, As MongoDB may not be supported by keycloak from 3.x onwards, which RDBMS would you suggest/recommend going forward so that we can proactively start looking into it. Those who are already using relational databases, please share your experiences with different DBs on keycloak. Thanks Abhishek *- Best Regards* Abhishek Raghav On Fri, Dec 2, 2016 at 3:58 PM, Stian Thorgersen wrote: > All, > > We are considering removing Mongo support from Keycloak in 3.x. The reasons > behind it is that there are a fair few issues in the current > implementation, especially around consistency due to lack of transaction > support in Mongo and often we update multiple documents. In many cases we > rely on transactions to rollback to prevent partial updates, but this > obviously doesn't work in Mongo. > > With the fact that Mongo is already partially broken and the constant > maintenance involved we're considering removing it and rather focus purely > on the relational database back-end. > > Another point to make is that we are not considering supporting Mongo in > the supported version of Keycloak (Red Hat Single Sign-On). So we are never > able to provide the same level of care and attention to it as we can for > relational databases.
> > If we do decide to remove it we would make sure we provide a seamless and > easy option to migrate from Mongo to a relational database! > > I would like to gather some feedback from the community before doing > anything. So please vote on the following Doodle: > > http://doodle.com/poll/nnimebpkx774ppus > > Also, comments to this thread is more than welcome! > > I'll end with a comment - Time spent by core developer on maintaining Mongo > could be better spent on awesome new features, testing and bug fixing! > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From thomas.darimont at googlemail.com Mon Dec 5 15:02:21 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 5 Dec 2016 21:02:21 +0100 Subject: [keycloak-user] Keycloak VS Gluu Message-ID: Hello group, I just stumbled upon the gluu IdM solution and wondered whether someone on this mailing-list has already compared gluu with Keycloak. https://www.gluu.org/gluu-server/overview/ Cheers, Thomas

From roger.turnau at pwc.com Mon Dec 5 15:37:46 2016 From: roger.turnau at pwc.com (Roger Turnau (US - Advisory)) Date: Mon, 5 Dec 2016 15:37:46 -0500 Subject: [keycloak-user] Considering removing Mongo support In-Reply-To: References: Message-ID: I'd like to second Abhishek's question. Long-term, I'd like to see support for some scalable NoSQL solution -- with a slight preference for Cassandra. Right now, I'm setting up database support for a client who prefers MS SQL Server. Would love to know if there are any major headaches or issues with any of the more popular relational databases. Thanks, Roger Turnau On Mon, Dec 5, 2016 at 2:49 PM, abhishek raghav wrote: > Hey Stian, > > As mongoDB may not be supported by keycloak from 3.x onwards, which RDBMS > you would suggest/recommend going further so that we can pro actively start > looking into it.
> > Those who are alreaady using relational databases, please share your > experiences with different DBs on keycloak. > > > Thanks > Abhishek > > > > > > *- Best Regards* > Abhishek Raghav > > > > > > > > On Fri, Dec 2, 2016 at 3:58 PM, Stian Thorgersen > wrote: > > > All, > > > > We are considering removing Mongo support from Keycloak in 3.x. The > reasons > > behind it is that there are a fair few issues in the current > > implementation, especially around consistency due to lack of transaction > > support in Mongo and often we update multiple documents. In many cases we > > rely on transactions to rollback to prevent partial updates, but this > > obviously doesn't work in Mongo. > > > > With the fact that Mongo is already partially broken and the constant > > maintenance involved we're considering removing it and rather focus > purely > > on the relational database back-end. > > > > Another point to make is that we are not considering supporting Mongo in > > the supported version of Keycloak (Red Hat Single Sign-On). So we are > never > > able to provide the same level of care and attention to it as we can for > > relational databases. > > > > If we do decide to remove it we would make sure we provide a seamless and > > easy option to migrate from Mongo to a relational database! > > > > I would like to gather some feedback from the community before doing > > anything. So please vote on the following Doodle: > > > > http://doodle.com/poll/nnimebpkx774ppus > > > > Also, comments to this thread is more than welcome! > > > > I'll end with a comment - Time spent by core developer on maintaining > Mongo > > could be better spent on awesome new features, testing and bug fixing! 
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- *Roger Turnau* PwC | Manager - Advisory Financial Services Mobile: 850-228-2006 Email: roger.turnau at pwc.com PricewaterhouseCoopers LLP 50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us Save energy. Save a tree. Save the printing for something really important. ______________________________________________________________________ The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer. PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries. From roger.turnau at pwc.com Mon Dec 5 21:42:50 2016 From: roger.turnau at pwc.com (Roger Turnau (US - Advisory)) Date: Mon, 5 Dec 2016 21:42:50 -0500 Subject: [keycloak-user] Weird Behavior When Importing from UI Message-ID: Hi, I just noticed some weird behavior when attempting to import from the UI. I exported my current H2 database using the following command: standalone.bat -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=c:\opt\keycloak\keycloak-data.json There are two realms in the resulting file -- master and one I have created. 
From the command line, I can import and export just fine. When I try to import the second realm from the Keycloak UI, however, I can't see that realm in the upper left side drop-down. I confirmed in the database that the realm was imported, but there doesn't appear to be any way to navigate to it. Is this a known issue? I wasn't able to find anything in JIRA. Thanks, -- *Roger Turnau* PwC | Manager - Advisory Financial Services

From mposolda at redhat.com Tue Dec 6 03:22:40 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Dec 2016 09:22:40 +0100 Subject: [keycloak-user] active directory | change password after first login and account expiration In-Reply-To: <42c372a8-07dc-47cc-e27a-c108ac74c80f@merit.unu.edu> References: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> <42c372a8-07dc-47cc-e27a-c108ac74c80f@merit.unu.edu> Message-ID: <7796540e-ebfd-323f-da85-7ceef4910dd7@redhat.com> We are testing with MSAD and that should work. We don't test with ADUC. Marek On 05/12/16 18:13, lists wrote: > More specific info, and some examples. This is on keycloak 2.3.0.Final, > and I have configured the AD as a WRITABLE source. > > On 5-12-2016 17:04, lists wrote: >> This does not seem to happen here.
Is there anything else we need to do >> to get this functionality? > Setting the accountflag "user must change password at next logon" in > ADUC gets imported into the keycloak's "Update-Password" flag. Good. > > However, when the "Update-Password"-flag is set, that user can no longer > authenticate in keycloak at all, because of "Invalid Username or > Password". Not expected..? > > Also my test account will expire in 5 days. But keycloak does not > generate a warning like "You need to change your password in X days". > I'm simply granted access. > > So, then for some more testing: > Removing the "User must change password at next logon" in ADUC, sync AD > into keycloak, and logging directly into the 'account' client on > https://keycloak.company.com/auth/realms/domain/account: > > Access granted, now let's do some editing: > > - I can edit my first and lastname & changes are synced back to AD > > - I can edit email address, save, but the change is NOT synced back to > AD (and afterwards I can no longer edit my email back, because "User > with username 'test' already exists in Keycloak. It conflicts with LDAP > user with email 'test at company.com') > Keycloak still only lists ONE user, searching for 'test'. > > Then finally, trying to change a password gives an error: >> Could not modify attribute for DN [CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com] > Are the above things working for others, or am I hitting some keycloak > bugs here? > > MJ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Dec 6 03:24:46 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Dec 2016 09:24:46 +0100 Subject: [keycloak-user] Weird Behavior When Importing from UI In-Reply-To: References: Message-ID: <273263ca-0fd6-9ebe-8d2c-0f9c40b8d9ce@redhat.com> Import from the UI works just for the file containing single realm. 
In other words, if you exported all the realms through the command line, then you should also import it back through the command line as stated in the docs. Marek On 06/12/16 03:42, Roger Turnau (US - Advisory) wrote: > Hi, > > I just noticed some weird behavior when attempting to import from the UI. I > exported my current H2 database using the following command: > > standalone.bat -Dkeycloak.migration.action=export > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=c:\opt\keycloak\keycloak-data.json > > There are two realms in the resulting file -- master and one I have created. > > From the command line, I can import and export just fine. When I try to > import the second realm from the Keycloak UI, however, I can't see that > realm in the upper left side drop-down. I confirmed in the database that > the realm was imported, but there doesn't appear to be any way to navigate > to it. > > Is this a known issue? I wasn't able to find anything in JIRA. > > Thanks, >

From mposolda at redhat.com Tue Dec 6 03:26:01 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Dec 2016 09:26:01 +0100 Subject: [keycloak-user] Still active token after logout In-Reply-To: <1480950542695-1781.post@n6.nabble.com> References: <1480936098431-1766.post@n6.nabble.com> <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com> <1480941102558-1773.post@n6.nabble.com> <4dc91cdf-e27e-69c1-c03d-926790b29824@redhat.com> <1480950542695-1781.post@n6.nabble.com> Message-ID: On 05/12/16 16:09, ruiwp13 wrote: > How can I do it? > I don't have the package org.keycloak.services This is configured in logging subsystem in standalone.xml. You can try to Google for "Wildfly logging" for more details. Marek > > > Marek Posolda wrote >> Could you see something in the log if you enable logging for category >> "org.keycloak.services.managers.ResourceAdminManager" ? >> >> On 05/12/16 13:31, ruiwp13 wrote: >>> Thank you very much for your answer Marek.
>>> Yes, I have set all to absolute paths. >>> I only have the admin and base URLs defined. Basically what it happens is >>> that, if I push a not before revocation for all tokens it communicates >>> with >>> my jersey server and it invalidates all tokens immediatly and I get 401 >>> when >>> I make a new request. But, when I make a logout through the admin-client >>> library, it ends the session in keycloak but the token is still active in >>> jersey. So, I think it is communicating with the server as the revocation >>> works properly and when I change the admin URL and try the revocation >>> again >>> the tokens remain active. Is there any chance that this is a problem in >>> the >>> logout function? I am using the version 2.1.0 Final and I am logging out >>> like this: >>> >>> kc.realm({realm}).users().get({user_id}).logout(); >>> >>> Best Regards, >>> Rui Neves >>> >>> >>> Marek Posolda wrote >>>> If you set the "root URL" then all the other URLs must be relative to >>>> that URL. So if you rather prefer to set absolute paths in your other >>>> URLs, then don't set any "Root URL" at all. See the tooltip in admin >>>> console. >>>> >>>> Marek >>>> >>>> On 05/12/16 12:08, ruiwp13 wrote: >>>>> Hello, >>>>> >>>>> I am trying to log out of my application through keycloak but when I >>>>> call >>>>> the logout function for a certain user it does delete the user session >>>>> in >>>>> keycloak but somehow the token is still active and I can access the >>>>> information. I have set a base and admin url as the absolute path to my >>>>> application which is hosted in a server. Did I set this the right way? >>>>> If >>>>> so, what is the problem? >>>>> By the way, if I set a root and base URL I get the path duplicated in >>>>> the >>>>> clients page. 
>>>>> >>>>> Best Regards, >>>>> Rui Neves >>>>> >>>>> >>>>> >>>>> -- >>>>> View this message in context: >>>>> http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766.html >>>>> Sent from the keycloak-user mailing list archive at Nabble.com. >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> >>>> keycloak-user at .jboss >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at .jboss >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> -- >>> View this message in context: >>> http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1773.html >>> Sent from the keycloak-user mailing list archive at Nabble.com. >>> _______________________________________________ >>> keycloak-user mailing list >>> >> keycloak-user at .jboss >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at .jboss >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1781.html > Sent from the keycloak-user mailing list archive at Nabble.com. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Tue Dec 6 04:23:29 2016 From: lists at merit.unu.edu (lists) Date: Tue, 6 Dec 2016 10:23:29 +0100 Subject: [keycloak-user] active directory | change password after first login and account expiration In-Reply-To: <7796540e-ebfd-323f-da85-7ceef4910dd7@redhat.com> References: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> <42c372a8-07dc-47cc-e27a-c108ac74c80f@merit.unu.edu> <7796540e-ebfd-323f-da85-7ceef4910dd7@redhat.com> Message-ID: <7f7418b3-5206-2224-986f-10a6668b0446@merit.unu.edu> Hi, On 6-12-2016 9:22, Marek Posolda wrote: > We are testing with MSAD and that should work. We don't test with ADUC. I'm not sure I understand... You're testing with MSAD (="Microsoft Active Directory"?) and not ADUC ("Active Directory Users and Computers") the default Microsoft tool to add/edit users in an active directory environment? MJ

From mposolda at redhat.com Tue Dec 6 04:41:08 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 6 Dec 2016 10:41:08 +0100 Subject: [keycloak-user] active directory | change password after first login and account expiration In-Reply-To: <7f7418b3-5206-2224-986f-10a6668b0446@merit.unu.edu> References: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> <42c372a8-07dc-47cc-e27a-c108ac74c80f@merit.unu.edu> <7796540e-ebfd-323f-da85-7ceef4910dd7@redhat.com> <7f7418b3-5206-2224-986f-10a6668b0446@merit.unu.edu> Message-ID: We are testing with MSAD as an LDAP server and we use just the LDAP connection from Keycloak to CRUD users (and other data). I personally never saw the ADUC tool. It seems it is just something like user-friendly frontend editor, but the actual user data are saved in MSAD server, right? So is it using MSAD under the hood? Few other comments: - The bug you reported related to email might be already fixed in latest master.
See https://issues.jboss.org/browse/KEYCLOAK-4028. You can either re-test with latest master and/or wait for the 2.5.0.CR1 - The dialog like "You need to change your password in X days" - we don't have any support for it and we don't plan it ATM. However in case that user authenticates into Keycloak with his MSAD password, which is already expired, we allow the authentication, but user must immediately change his password (Required action "Update Password" is added to him and he is then required by Keycloak to update his password. Updated password is then propagated to MSAD). Marek On 06/12/16 10:23, lists wrote: > Hi, > > On 6-12-2016 9:22, Marek Posolda wrote: >> We are testing with MSAD and that should work. We don't test with ADUC. > > I'm not sure I understand... You're testing with MSAD (="Micro Soft > Active Directory"?) and not ADUC ("Active Directory Users and > Computers") the default microsoft tool to add/edit users in an active > directory environment? > > MJ

From lists at merit.unu.edu Tue Dec 6 05:07:50 2016 From: lists at merit.unu.edu (lists) Date: Tue, 6 Dec 2016 11:07:50 +0100 Subject: [keycloak-user] active directory | change password after first login and account expiration In-Reply-To: References: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> <42c372a8-07dc-47cc-e27a-c108ac74c80f@merit.unu.edu> <7796540e-ebfd-323f-da85-7ceef4910dd7@redhat.com> <7f7418b3-5206-2224-986f-10a6668b0446@merit.unu.edu> Message-ID: <1c00e538-0499-811c-db25-8b798ab11ada@merit.unu.edu> Hi Marek, Thanks for the info. On 6-12-2016 10:41, Marek Posolda wrote: > We are testing with MSAD as an LDAP server and we use just the LDAP > connection from Keycloak to CRUD users (and other data). I personally > never saw the ADUC tool. It seems it is just something like > user-friendly frontend editor, but the actual user data are saved in > MSAD server, right? So is it using MSAD under the hood? Exactly.
It's the most regular, standard way to access MSAD to edit the accounts it contains. :-) We are running a samba4 AD, but we're still using the default MS tools to maintain the AD. > - The bug you reported related to email might be already fixed in latest > master. See https://issues.jboss.org/browse/KEYCLOAK-4028 . You can > either re-test with latest master and/or wait for the 2.5.0.CR1 Yep, will do. > - The dialog like "You need to change your password in X days" - we > don't have any support for it and we don't plan it ATM. However in case > that user authenticates into Keycloak with his MSAD password, which is > already expired, we allow the authentication, but user must immediately > change his password (Required action "Update Password" is added to him > and he is then required by Keycloak to update his password. Updated > password is then propagated to MSAD). Right. I'll try that. Is there also support for password age? Like: every half year a user should change his password? Could be done using the Pwd-Last-Set attribute in MSAD. (https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx) Reason we ask: In a regular MSAD domain, with Windows workstations logging on, you can set those policies, and a workstation will prompt the user that his password will expire in X days, and he needs to change it. However, we have many remote users, who only use various web logons, and who never log on locally on a domain-joined Windows workstation. For these users, we currently have no way to make them change their passwords regularly. If keycloak could check Pwd-Last-Set, and start prompting the user to change it when it's older than X months/weeks, we would have a unified password policy for *all* users, local and remote. It's a gap in functionality in MSAD, that no tool offers in the case of LDAP-based web access.
MJ From ruiwp_93 at hotmail.com Tue Dec 6 05:20:00 2016 From: ruiwp_93 at hotmail.com (ruiwp13) Date: Tue, 6 Dec 2016 03:20:00 -0700 (MST) Subject: [keycloak-user] Still active token after logout In-Reply-To: References: <1480936098431-1766.post@n6.nabble.com> <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com> <1480941102558-1773.post@n6.nabble.com> <4dc91cdf-e27e-69c1-c03d-926790b29824@redhat.com> <1480950542695-1781.post@n6.nabble.com> Message-ID: <1481019600541-1798.post@n6.nabble.com> Hey Marek, I get this on the log: "[org.keycloak.services.managers.ResourceAdminManager] (default task-7) Cant logout {0}: no logged adapter sessions" the first time I call the logout function. If I call the logout function again (the session in keycloak has ended the first time) I get: "[org.keycloak.events] (default task-10) type=LOGOUT_ERROR, realmId={realm}, clientId={clientname}, userId=null, ... " Best Regards Marek Posolda wrote > On 05/12/16 16:09, ruiwp13 wrote: >> How can I do it? >> I don't have the package org.keycloak.services > This is configured in logging subsystem in standalone.xml . You can try > to Google for "Wildfly logging" for more details. > > Marek >> >> >> Marek Posolda wrote >>> Could you see something in the log if you enable logging for category >>> "org.keycloak.services.managers.ResourceAdminManager" ? >>> >>> On 05/12/16 13:31, ruiwp13 wrote: >>>> Thank you very much for your answer Marek. >>>> Yes, I have set all to absolute paths. >>>> I only have the admin and base URLs defined. Basically what it happens >>>> is >>>> that, if I push a not before revocation for all tokens it communicates >>>> with >>>> my jersey server and it invalidates all tokens immediatly and I get 401 >>>> when >>>> I make a new request. But, when I make a logout through the >>>> admin-client >>>> library, it ends the session in keycloak but the token is still active >>>> in >>>> jersey. 
So, I think it is communicating with the server as the >>>> revocation >>>> works properly and when I change the admin URL and try the revocation >>>> again >>>> the tokens remain active. Is there any chance that this is a problem in >>>> the >>>> logout function? I am using the version 2.1.0 Final and I am logging >>>> out >>>> like this: >>>> >>>> kc.realm({realm}).users().get({user_id}).logout(); >>>> >>>> Best Regards, >>>> Rui Neves >>>> >>>> >>>> Marek Posolda wrote >>>>> If you set the "root URL" then all the other URLs must be relative to >>>>> that URL. So if you rather prefer to set absolute paths in your other >>>>> URLs, then don't set any "Root URL" at all. See the tooltip in admin >>>>> console. >>>>> >>>>> Marek >>>>> >>>>> On 05/12/16 12:08, ruiwp13 wrote: >>>>>> Hello, >>>>>> >>>>>> I am trying to log out of my application through keycloak but when I >>>>>> call >>>>>> the logout function for a certain user it does delete the user >>>>>> session >>>>>> in >>>>>> keycloak but somehow the token is still active and I can access the >>>>>> information. I have set a base and admin url as the absolute path to >>>>>> my >>>>>> application which is hosted in a server. Did I set this the right >>>>>> way? >>>>>> If >>>>>> so, what is the problem? >>>>>> By the way, if I set a root and base URL I get the path duplicated in >>>>>> the >>>>>> clients page. >>>>>> >>>>>> Best Regards, >>>>>> Rui Neves >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> View this message in context: >>>>>> http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766.html >>>>>> Sent from the keycloak-user mailing list archive at Nabble.com. 
-- View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1798.html Sent from the keycloak-user mailing list archive at Nabble.com.
From lists at merit.unu.edu Tue Dec 6 05:21:07 2016 From: lists at merit.unu.edu (lists) Date: Tue, 6 Dec 2016 11:21:07 +0100 Subject: [keycloak-user] active directory | change password after first login and account expiration In-Reply-To: <1c00e538-0499-811c-db25-8b798ab11ada@merit.unu.edu> References: <62409975-8000-cbcb-88ea-68ccba0237b4@merit.unu.edu> <42c372a8-07dc-47cc-e27a-c108ac74c80f@merit.unu.edu> <7796540e-ebfd-323f-da85-7ceef4910dd7@redhat.com> <7f7418b3-5206-2224-986f-10a6668b0446@merit.unu.edu> <1c00e538-0499-811c-db25-8b798ab11ada@merit.unu.edu> Message-ID: <7ae5f14c-96d0-7e2c-63bd-8e013882c291@merit.unu.edu>

Hi,

> Is there also support for password age? Like: every half year a user
> should change his password? Could be done using the Pwd-Last-Set
> attribute in MSAD.
> (https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx)

Correct link: https://msdn.microsoft.com/en-us/library/ms679430.aspx

Searching Jira, I found some more MSAD related issues. Seems we're also hitting this bug, in the case of users changing their own password: https://issues.jboss.org/browse/KEYCLOAK-2333 Last update on that bug: "Provisionally set to 2.5.0.CR1 to investigate effort required." Is it already decided/clear if end-users changing their own MSAD passwords will work in keycloak 2.5.0?

MJ

From dan at ren.no Tue Dec 6 05:35:33 2016 From: dan at ren.no (Dan Østerberg) Date: Tue, 6 Dec 2016 10:35:33 +0000 Subject: [keycloak-user] Login multiple times Message-ID:

Hi, It's possible (and sometimes likely) to have multiple browser tabs or windows showing the login screen for the same realm. This could for example happen after working with different systems in different tabs, and then timing out the whole SSO session. If the user then logs in from both / all tabs, then the last login will seemingly win and destroy all the other sessions (rather than all of them contributing to the same session).
This implies that the other tabs will not have a valid session, and e.g. fetching a new access token will fail. Is this a bug, a limitation, or is it intentional? And what's the recommended approach for dealing with this issue?

~Dan

From tsdgcc2087 at outlook.com Tue Dec 6 09:05:37 2016 From: tsdgcc2087 at outlook.com (Matt H) Date: Tue, 6 Dec 2016 14:05:37 +0000 Subject: [keycloak-user] Spring Security Adapter - setting properties vs keycloak.json Message-ID:

When using the Spring Security Adapter, is it possible to set properties for the values and not use the keycloak.json file? Having the credentials.secret value stored in clear text is not an option for me. I already have a way to encrypt values and read them in my application, I just need to decrypt this value and set it. The only alternative I have is to dynamically generate the keycloak.json file at the start of my app, then set the property keycloak.configurationFile with this location.

Also, when reading the Securing Applications and Services guide, it states that the value for realm-public-key is OPTIONAL and should not be set since Keycloak rotates keys. However if the value is set, the adapter will not download the key. This seems like a good idea, but having keycloak generate the json file with this value seems bad. Most clients would just take the file that is generated by the keycloak UI then add it to their application without knowing this.

Matt

From chris.savory at edlogics.com Tue Dec 6 09:23:17 2016 From: chris.savory at edlogics.com (Chris Savory) Date: Tue, 6 Dec 2016 14:23:17 +0000 Subject: [keycloak-user] Spring Security Adapter - setting properties vs keycloak.json In-Reply-To: References: Message-ID:

You could use the KeycloakConfigResolver. It's meant for multi-tenant scenarios, but you could just configure one (or many) Keycloak realms via that java object.
-- Christopher Savory Software Engineer | EdLogics www.edlogics.com On 12/6/16, 8:05 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Matt H" wrote: When using the Spring Security Adapter, is it possible to set properties for the values and not use the keycloak.json file? Having the credentials.secret value stored in clear text is not an option for me. I already have a way to encrypt values and read them in my application, I just need to decrypt this value and set it. The only alternative I have is to dynamically generate the keycloak.json file at the start of my app, then set the property keycloak.configurationFile with this location. Also, when reading the Securing Applications and Services guide, it states that the value for realm-public-key is OPTIONAL and should not be set since Keycloak rotates keys. However if the value is set, the adapter will not download the key. This seems like a good idea, but having keycloak generate the json file with this value seems bad. Most clients would just take the file that is generated by the keycloak UI then add it to their application without knowing this. Matt _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From tsdgcc2087 at outlook.com Tue Dec 6 09:31:04 2016 From: tsdgcc2087 at outlook.com (Matt H) Date: Tue, 6 Dec 2016 14:31:04 +0000 Subject: [keycloak-user] Spring Security Adapter - setting properties vs keycloak.json In-Reply-To: References: , Message-ID: I saw that, but that looked like a way to specify different json configs depending on paths. Was there a way in there to actually build the json? ________________________________ From: Chris Savory Sent: Tuesday, December 6, 2016 8:23 AM To: Matt H; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Spring Security Adapter - setting properties vs keycloak.json You could use the KeycloakConfigResolver. 
It's meant for multi-tenant scenarios, but you could just configure one (or many) Keycloak realms via that java object.

-- Christopher Savory Software Engineer | EdLogics www.edlogics.com

On 12/6/16, 8:05 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Matt H" wrote:

When using the Spring Security Adapter, is it possible to set properties for the values and not use the keycloak.json file? Having the credentials.secret value stored in clear text is not an option for me. I already have a way to encrypt values and read them in my application, I just need to decrypt this value and set it. The only alternative I have is to dynamically generate the keycloak.json file at the start of my app, then set the property keycloak.configurationFile with this location.
Also, when reading the Securing Applications and Services guide, it states that the value for realm-public-key is OPTIONAL and should not be set since Keycloak rotates keys. However if the value is set, the adapter will not download the key. This seems like a good idea, but having keycloak generate the json file with this value seems bad. Most clients would just take the file that is generated by the keycloak UI then add it to their application without knowing this.

Matt

From rjvduijn at gmail.com Tue Dec 6 09:40:24 2016 From: rjvduijn at gmail.com (Richard van Duijn) Date: Tue, 06 Dec 2016 14:40:24 +0000 Subject: [keycloak-user] Keycloak adapter with policies returns bad request Message-ID:

I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application.

Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies on for the rest services by adding "policy-enforcer": { }, I get a 400 Bad Request response from the Keycloak server during initialization. After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following server keycloak endpoint: http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token

Below you will find the stacktrace and request and response objects. Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is. Many many thanks!
/Richard *Stacktrace*: at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92) at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48) at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112) at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91) at org.keycloak.adapters.authorization.PolicyEnforcer.(PolicyEnforcer.java:57) at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126) at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135) at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53) at com.google.inject.AbstractModule.configure(AbstractModule.java:62) ... many google guice calls ... at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129) at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121) *Request object*: builder = {RequestBuilder at 12557} method = "POST" charset = {UTF_8 at 12563} "UTF-8" version = null uri = {URI at 12564} " http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token " headergroup = {HeaderGroup at 12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]" entity = null parameters = {LinkedList at 12566} size = 1 0 = {BasicNameValuePair at 12576} "grant_type=client_credentials" config = null *Response object*: HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780 response = {$Proxy16 at 12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 
12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780" h = {CloseableHttpResponseProxy at 12583} original = {BasicHttpResponse at 12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780" statusline = {BasicStatusLine at 12556} "HTTP/1.1 400 Bad Request" ver = {HttpVersion at 12586} "HTTP/1.1" code = 400 reasonPhrase = "Bad Request" entity = {BasicManagedEntity at 12555} reasonCatalog = {EnglishReasonPhraseCatalog at 12588} locale = {Locale at 12589} "en_US" headergroup = {HeaderGroup at 12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]" params = {ClientParamsStack at 12591}

From chris.savory at edlogics.com Tue Dec 6 09:51:28 2016 From: chris.savory at edlogics.com (Chris Savory) Date: Tue, 6 Dec 2016 14:51:28 +0000 Subject: [keycloak-user] Spring Security Adapter - setting properties vs keycloak.json In-Reply-To: References: Message-ID: <501CAB14-3789-4BB1-843E-E420BA5D1875@edlogics.com>

You just need to supply an input stream to KeycloakDeploymentBuilder.build, which will provide you a KeycloakDeployment object. The source of that input stream can be anything you want. I'm not aware of any way to generate the JSON file that is supplied by Keycloak. If you look at KeycloakDeploymentBuilder they are just using a simple Jackson ObjectMapper readValue. So, if you wanted to generate the JSON yourself, you could just reverse that and do a writeValue on an AdapterConfig object.
-- Christopher Savory Software Engineer | EdLogics

From: Matt H Date: Tuesday, December 6, 2016 at 8:31 AM To: Chris Savory , "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] Spring Security Adapter - setting properties vs keycloak.json

I saw that, but that looked like a way to specify different json configs depending on paths. Was there a way in there to actually build the json?

________________________________________
From: Chris Savory Sent: Tuesday, December 6, 2016 8:23 AM To: Matt H; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Spring Security Adapter - setting properties vs keycloak.json

You could use the KeycloakConfigResolver. It's meant for multi-tenant scenarios, but you could just configure one (or many) Keycloak realms via that java object.

-- Christopher Savory Software Engineer | EdLogics www.edlogics.com
On 12/6/16, 8:05 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Matt H" wrote:

When using the Spring Security Adapter, is it possible to set properties for the values and not use the keycloak.json file? Having the credentials.secret value stored in clear text is not an option for me. I already have a way to encrypt values and read them in my application, I just need to decrypt this value and set it. The only alternative I have is to dynamically generate the keycloak.json file at the start of my app, then set the property keycloak.configurationFile with this location.

Also, when reading the Securing Applications and Services guide, it states that the value for realm-public-key is OPTIONAL and should not be set since Keycloak rotates keys. However if the value is set, the adapter will not download the key. This seems like a good idea, but having keycloak generate the json file with this value seems bad. Most clients would just take the file that is generated by the keycloak UI then add it to their application without knowing this.

Matt

From RLaghuvaram at contractor.lb.com Tue Dec 6 11:11:19 2016 From: RLaghuvaram at contractor.lb.com (Laghuvaram, Raghu) Date: Tue, 6 Dec 2016 16:11:19 +0000 Subject: [keycloak-user] ServletFilter Adapter Cookie Token Store Message-ID:

I see that cookie token-store would not be supported until 2.x as per the comments in https://issues.jboss.org/browse/KEYCLOAK-2662. Is it fixed in any of the recent versions? It seems like it's not working in 2.3.0 Final.

Thanks, Raghu
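Putting Chris Savory's suggestion from the Spring Security Adapter thread above into code, as an added example that is neither from the thread nor from the Keycloak project: an AdapterConfig is filled from already-decrypted values and passed to KeycloakDeploymentBuilder.build(AdapterConfig), the same path the adapter takes after Jackson has parsed keycloak.json, and the resulting deployment is handed out by a single-tenant KeycloakConfigResolver. It assumes the decrypted secret arrives as a constructor argument from whatever secret handling the application already has (not shown), and it deliberately leaves realm-public-key unset so that keys are downloaded from the server and rotation keeps working.

```java
import java.util.HashMap;
import java.util.Map;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

/**
 * Added example (not part of the mailing-list thread or the Keycloak code base):
 * builds the adapter deployment from in-memory values instead of a keycloak.json
 * on disk, so the client secret never has to sit in clear text in a file.
 */
public class PropertiesKeycloakConfigResolver implements KeycloakConfigResolver {

    private final KeycloakDeployment deployment;

    /**
     * @param realm           realm name, e.g. read from application properties
     * @param authServerUrl   Keycloak base URL, e.g. https://sso.example.com/auth
     * @param clientId        the client ("resource") registered in that realm
     * @param decryptedSecret client secret, already decrypted by the application's
     *                        own secret handling (assumed to exist; not shown here)
     */
    public PropertiesKeycloakConfigResolver(String realm, String authServerUrl,
                                            String clientId, String decryptedSecret) {
        AdapterConfig config = new AdapterConfig();
        config.setRealm(realm);
        config.setAuthServerUrl(authServerUrl);
        config.setResource(clientId);
        config.setSslRequired("external");
        config.setUseResourceRoleMappings(true);

        // Equivalent of the "credentials": { "secret": "..." } block in keycloak.json.
        Map<String, Object> credentials = new HashMap<>();
        credentials.put("secret", decryptedSecret);
        config.setCredentials(credentials);

        // realm-public-key is intentionally NOT set: left empty, the adapter
        // downloads the realm keys from the server and follows key rotation
        // instead of pinning whatever key was in the generated JSON.

        // Same code path the adapter takes after Jackson has parsed keycloak.json.
        this.deployment = KeycloakDeploymentBuilder.build(config);
    }

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // Single-tenant: every request maps to the one deployment built above.
        return deployment;
    }
}
```

How the resolver is wired into the Spring Security adapter (typically as a KeycloakConfigResolver bean) depends on the adapter version, so that part is left out.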
From keycloaklist at ulise.de Tue Dec 6 14:41:46 2016 From: keycloaklist at ulise.de (Uli SE) Date: Tue, 6 Dec 2016 20:41:46 +0100 Subject: [keycloak-user] login form action wrong protocol Message-ID: <94c3dc2b-f607-864c-8589-bfef101f9baf@ulise.de>

Hi, I'm setting up a new keycloak 2.3.0. It's behind an apache proxy which terminates ssl. My only problem is, that in the login-form the action has the wrong protocol (http instead of https). It has the correct hostname, and my apache is forwarding all necessary headers correctly (I think). In
url.loginAction is perfectly built, but has the wrong protocol. If I overwrite this in the browser, everything works perfectly. Could you please tell me which option will set up this uri correctly?

Many thanks, Uli

From byteflinger at gmail.com Tue Dec 6 18:05:41 2016 From: byteflinger at gmail.com (Byte Flinger) Date: Tue, 06 Dec 2016 23:05:41 +0000 Subject: [keycloak-user] Password policy not enforced? Message-ID:

I have set up keycloak with the default realm and an openldap server. I have then set a certain password policy and set an action on the users that they need to change password when they login the next time; however when they login and change their passwords they are able to set a password which does not comply with the password policy. Anybody ran into this issue? Is this a known bug maybe?

From sumitdas66 at gmail.com Wed Dec 7 02:36:23 2016 From: sumitdas66 at gmail.com (Sumit Das) Date: Wed, 7 Dec 2016 13:06:23 +0530 Subject: [keycloak-user] Issue with Client Role Mapping on Keycloak 2.4.0 when integrating with ApacheDS Message-ID:

Hi

I am trying to create a mapper named *"Client-Role-Mapper"* of type *"role-ldap-mapper"* for a specified client *"Test Application"* that is present in my Realm. The Client role *(cn=Test_User)* is already present on my ApacheDS ldap server on a *DN: ou=TestRoles,dc=keycloak,dc=org*. But on the *"Client ID" dropdown list, none of my clients are being shown*. The *only option* that is displayed is *"Select one"*. I am not able to solve this issue. Your earliest response is appreciated.

Regards -- *Sumit Das* *Mobile No.- +91-9986872466 *

From psilva at redhat.com Wed Dec 7 06:47:18 2016 From: psilva at redhat.com (Pedro Igor) Date: Wed, 07 Dec 2016 09:47:18 -0200 Subject: [keycloak-user] Keycloak adapter with policies returns bad request In-Reply-To: References: Message-ID:

Do you get anything in server logs? It may be related to invalid client credentials.
From rjvduijn at gmail.com Wed Dec 7 09:00:56 2016 From: rjvduijn at gmail.com (Richard van Duijn) Date: Wed, 07 Dec 2016 14:00:56 +0000 Subject: [keycloak-user] Keycloak adapter with policies returns bad request In-Reply-To: References: Message-ID:

Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up.

Besides that I've done some debugging using Postman as well. Using the following request I get the message:

{ "error": "invalid_client", "error_description": "Bearer-only not allowed" }

This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client.

Hope this helps to clarify it for you. My keycloak.json configuration file looks like this:

{ "realm": "development", "bearer-only": true, "auth-server-url": "http://127.0.0.1:8080/auth", "ssl-required": "external", "resource": "backend-client", "use-resource-role-mappings": true, "credentials": { "secret": "SECRETHERE" }, "policy-enforcer": {} }

Hope this helps to clarify some of your questions.

/Richard
X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: > application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 > GMT]" > params = {ClientParamsStack at 12591} > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From rjvduijn at gmail.com Wed Dec 7 09:04:55 2016 From: rjvduijn at gmail.com (Richard van Duijn) Date: Wed, 07 Dec 2016 14:04:55 +0000 Subject: [keycloak-user] Keycloak adapter with policies returns bad request In-Reply-To: References: Message-ID: Forgot to include the postman request.. here it is: POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1 Host: 127.0.0.1:8080 Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded grant_type=client_credentials /Richard Op wo 7 dec. 2016 om 15:00 schreef Richard van Duijn : > Somehow I do not get any logs in keycloak server.log. I've attempted to > change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you > can give me a pointer to which logger I should change to see the correct > logs show up. > > Besides that I've done some debugging using Postman as well. Using the > following request I get the message: > { > "error": "invalid_client", > "error_description": "Bearer-only not allowed" > } > > This is weird to me as the keycloak.json file states that I am connecting > to a bearer-only client. > > Hope this helps to clarify it for you. > My keycloak.json configuration file looks like this: > > { > "realm": "development", > "bearer-only": true, > "auth-server-url": "http://127.0.0.1:8080/auth", > "ssl-required": "external", > "resource": "backend-client", > "use-resource-role-mappings": true, > "credentials": { > "secret": "SECRETHERE" > }, > "policy-enforcer": {} > } > > Hope this helps to clarify some of your questions. 
> /Richard
>
> On Wed, 7 Dec 2016 at 12:47, Pedro Igor wrote:
>
> Do you get anything in server logs? It may be related with invalid client credentials.
>
> On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:
> I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application.
>
> Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies on by adding "policy-enforcer": { } for the rest services, I get a 400 Bad Request response from the Keycloak server during initialization.
> After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following keycloak server endpoint:
>
> http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token
>
> Below you will find the stacktrace and request and response objects.
> Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is.
> Many many thanks!
> /Richard
>
> *Stacktrace*:
>
> at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
> at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
> at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
> at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
> at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
> at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
> at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
> at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
> at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
> ... many google guice calls ...
> at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
> at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)
>
> *Request object*:
>
> builder = {RequestBuilder@12557}
> method = "POST"
> charset = {UTF_8@12563} "UTF-8"
> version = null
> uri = {URI@12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"
> headergroup = {HeaderGroup@12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
> entity = null
> parameters = {LinkedList@12566} size = 1
> 0 = {BasicNameValuePair@12576} "grant_type=client_credentials"
> config = null
>
> *Response object*:
>
> HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780
> response = {$Proxy16@12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780"
> h = {CloseableHttpResponseProxy@12583}
> original = {BasicHttpResponse@12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780"
> statusline = {BasicStatusLine@12556} "HTTP/1.1 400 Bad Request"
> ver = {HttpVersion@12586} "HTTP/1.1"
> code = 400
> reasonPhrase = "Bad Request"
> entity = {BasicManagedEntity@12555}
> reasonCatalog = {EnglishReasonPhraseCatalog@12588}
> locale = {Locale@12589} "en_US"
> headergroup = {HeaderGroup@12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"
> params = {ClientParamsStack@12591}
>

From bburke at redhat.com Wed Dec 7 09:25:11 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 7 Dec 2016 09:25:11 -0500
Subject: [keycloak-user] Password policy not enforced?
In-Reply-To:
References:
Message-ID: <6a7482d4-7097-f68d-6b54-f4d3c57077f2@redhat.com>

Our password policy currently only works with keycloak stored passwords.

On 12/6/16 6:05 PM, Byte Flinger wrote:
> I have setup keycloak with the default realm and an openldap server.
>
> I have then set a certain password policy and set an action on the users that they need to change password when they login the next time; however, when they login and change their passwords they are able to set a password which does not comply with the password policy.
>
> Anybody ran into this issue? Is this a known bug maybe?

From known.michael at gmail.com Wed Dec 7 09:39:20 2016
From: known.michael at gmail.com (Known Michael)
Date: Wed, 7 Dec 2016 16:39:20 +0200
Subject: [keycloak-user] Questions about realms
Message-ID:

Hey,

Questions about realms:

Should we use the default master realm or create our own realm?
What is better?

From bburke at redhat.com Wed Dec 7 09:52:13 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 7 Dec 2016 09:52:13 -0500
Subject: [keycloak-user] Password policy not enforced?
In-Reply-To: <6a7482d4-7097-f68d-6b54-f4d3c57077f2@redhat.com>
References: <6a7482d4-7097-f68d-6b54-f4d3c57077f2@redhat.com>
Message-ID: <043a2447-35a8-558c-5bc8-4915c3cf8d9f@redhat.com>

https://issues.jboss.org/browse/KEYCLOAK-4052

On 12/7/16 9:25 AM, Bill Burke wrote:
> Our password policy currently only works with keycloak stored passwords.
>
>
> On 12/6/16 6:05 PM, Byte Flinger wrote:
>> I have setup keycloak with the default realm and an openldap server.
>>
>> I have then set a certain password policy and set an action on the users that they need to change password when they login the next time; however, when they login and change their passwords they are able to set a password which does not comply with the password policy.
>>
>> Anybody ran into this issue? Is this a known bug maybe?

From sblanc at redhat.com Wed Dec 7 09:53:29 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 7 Dec 2016 15:53:29 +0100
Subject: [keycloak-user] Questions about realms
In-Reply-To:
References:
Message-ID:

Hi!

Create your own, look at the doc: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/realms/master.html

"It is recommended that you do not use the *master* realm to manage the users and applications in your organization. Keep the *master* realm as a place for *super* admins to create and manage the realms in your system. This keeps things clean and organized."

On Wed, Dec 7, 2016 at 3:39 PM, Known Michael wrote:
> Hey,
>
> Questions about realms:
>
> Should we use the default master realm or create our own realm?
> What is better?
>

From sblanc at redhat.com Wed Dec 7 09:58:18 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 7 Dec 2016 15:58:18 +0100
Subject: [keycloak-user] Spring boot and spring security adapters
In-Reply-To:
References:
Message-ID:

If you add this in your SecurityConfig:

    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

You should be able to use the springboot adapter and spring security adapters at the same time and use application.properties to define your keycloak configuration properties (and you don't need a keycloak.json anymore).
On Mon, Dec 5, 2016 at 2:37 PM, Brian Schwartz wrote:
> Not if you're also using spring security adapter. I figured out my issue. Can't use spring boot adapter and spring security adapter together. Removed spring boot adapter and added keycloak.json file location property to the application.properties file. Now it works.
>
> Thanks all.
>
> On Dec 5, 2016 7:25 AM, "Sebastien Blanc" wrote:
>
>> For Spring Boot you can directly write the keycloak config in the application.properties file, look at the documentation:
>> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-boot-adapter.html
>>
>> On Fri, Dec 2, 2016 at 9:09 PM, Brian Schwartz wrote:
>>
>>> I'm using keycloak 2.3.0.final spring boot and spring security adapters. The spring security adapter requires a keycloak.json file to be in web-inf but I don't have that or web.xml. How do I change where the keycloak adapter looks for keycloak.json?
>>>
>>
>>

From i.pop at centurylink.net Wed Dec 7 11:03:18 2016
From: i.pop at centurylink.net (i.pop at centurylink.net)
Date: Wed, 7 Dec 2016 11:03:18 -0500 (EST)
Subject: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables
In-Reply-To: <82f34357-86a0-2703-5496-a2dad5c4fcec@redhat.com>
Message-ID: <173158186.42294417.1481126598876.JavaMail.root@centurylink.net>

Thank you for your message.
However, if I set parameter "Offline Session Idle" to 30 min, I am getting a replication timeout exception associated with the periodic cleaner scheduler service:

[Server:server-one] 09:24:54,979 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for slaveServer:server-two
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765)
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599)
[Server:server-one]     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
[Server:server-one]     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
[Server:server-one]     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
[Server:server-one]     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
[Server:server-one]     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
[Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
[Server:server-one]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[Server:server-one]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[Server:server-one]     at java.lang.Thread.run(Thread.java:745)

This exception is thrown with a periodicity of 15 min.
I have found a previous reference to such an exception in your "keycloak-user" customer inquiries: http://lists.jboss.org/pipermail/keycloak-user/2016-July/006892.html

It looks like there was a bug in your KC software. Have you fixed this bug in your later KC releases since July 2016? Or, it may be a misconfiguration in my domain clustered configuration (I use your KC-2.1.0.Final release)?

Thanks,
Ioan

----- Original Message -----
From: "Marek Posolda"
To: "i pop", "keycloak-user"
Sent: Friday, November 25, 2016 3:20:18 AM
Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables

It seems you are using offline tokens for some of your applications, right? There is a periodic cleaner, which will remove the records from the expired offline sessions. But the timeout for the offline sessions is 30 days by default. Also the time of "last refresh" is currently updated in DB every time you restart the server (in case you have a single server without cluster). In other words, if you restart the server at least once every 30 days, the table will keep growing. It is probably something we can improve... Feel free to create a JIRA.

Until then, your possibilities are:
- Decrease the timeout to a shorter value than 30 days (can be done in admin console)
- Ensure the server is not restarted within 30 days, so the outdated sessions can be cleared.
- Use a cluster with 2 nodes or more and ensure that at least 1 node is always online.

Marek

On 24/11/16 20:11, i.pop at centurylink.net wrote:
> Hi,
> Working with a domain clustered mode and shared ORACLE db, I am noticing {OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION} tables keep growing in size. How do these tables get cleaned up?
>
>
> Thanks,
> Ioan

From mariusz at info.nl Wed Dec 7 11:32:56 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Wed, 7 Dec 2016 16:32:56 +0000
Subject: [keycloak-user] Facebook login + Remember me
Message-ID:

Hi,

is it possible to set remember me cookie and identity cookie from Keycloak when we use Facebook Login Provider?

I did debug, and I found that in AuthenticationManager.java#createLoginCookie the check if(session.isRememberMe()) returns false. Is there a way to set this up somewhere (remember all facebook logins?)

I tried to create my own custom Authenticator but I can't set remember me from there. Is there any way to build that?

Thanks in advance

Mariusz Chruścielewski

From Raanan.Gonen at nice.com Wed Dec 7 14:19:10 2016
From: Raanan.Gonen at nice.com (Raanan Gonen)
Date: Wed, 7 Dec 2016 19:19:10 +0000
Subject: [keycloak-user] Multi Tenant Keycloak Scale
Message-ID:

Hi,

We are using Keycloak 1.7 for a multi tenant environment where each tenant is a realm.
We have a cluster of 4 Keycloak servers and we see severe performance degradation when we are using about 200 Realms with 200 users each.
Is that the expected behavior of Keycloak?
Are there known issues with such an amount of realms in Keycloak 1.7?
What should we do to be able to work with many more realms (we need about 2000)?

Thanks,
Raanan

From schwartzbj17 at gmail.com Wed Dec 7 15:09:15 2016
From: schwartzbj17 at gmail.com (Brian Schwartz)
Date: Wed, 7 Dec 2016 14:09:15 -0600
Subject: [keycloak-user] Export
In-Reply-To:
References:
Message-ID:

Is the keycloak export functionality broken since the last couple of versions?
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/export-import.html

I run this command:

./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=demokeycloak.json

I get this error:

14:00:33,664 INFO  [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 48) Exporting model into file /Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
14:00:34,163 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
14:00:34,222 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.NullPointerException
    at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:431)
    at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:428)
    at java.util.TimSort.countRunAndMakeAscending(TimSort.java:356)
    at java.util.TimSort.sort(TimSort.java:220)
    at java.util.Arrays.sort(Arrays.java:1512)
    at java.util.ArrayList.sort(ArrayList.java:1454)
    at java.util.Collections.sort(Collections.java:175)
    at org.keycloak.models.utils.ModelToRepresentation.exportAuthenticationFlows(ModelToRepresentation.java:428)
    at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:372)
    at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:87)
    at org.keycloak.exportimport.singlefile.SingleFileExportProvider$1.runExportImportTask(SingleFileExportProvider.java:65)
    at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:236)
    at org.keycloak.exportimport.singlefile.SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
    at org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:102)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:149)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more

This has not worked for me since version 2.1.0. I'm currently using version 2.4.0.Final.

Thanks

From patrickruhkopf at gmail.com Wed Dec 7 15:10:18 2016
From: patrickruhkopf at gmail.com (Patrick Ruhkopf)
Date: Wed, 7 Dec 2016 15:10:18 -0500
Subject: [keycloak-user] SSO to the AWS Management Console via SAML
Message-ID:

Hi,

Is it possible to use Keycloak SAML for SSO to AWS, as described here: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

If so, is there documentation regarding how to set this up? Perhaps similar to the following guide which uses Shibboleth?
https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/

Thanks,

--
Patrick

From glavoie at gmail.com Wed Dec 7 18:47:44 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Wed, 7 Dec 2016 18:47:44 -0500
Subject: [keycloak-user] Multi Tenant Keycloak Scale
In-Reply-To:
References:
Message-ID:

Hi Raanan,

we've hit many issues on our side with a large number of realms and took some time to study and fix them. I suggest you have a look at this thread in the dev ML: http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008439.html

I have 5 pull requests that were submitted, 2 merged and 3 still pending for the 3.x release. For now, we're running an in-house Keycloak build with those fixes. There could still be some areas that are not covered by my pull requests that we haven't hit yet.

Gabriel

2016-12-07 14:19 GMT-05:00 Raanan Gonen :
> Hi,
>
> We are using Keycloak 1.7 for a multi tenant environment where each tenant is a realm.
> We have a cluster of 4 Keycloak servers and we see severe performance degradation when we are using about 200 Realms with 200 users each.
> Is that the expected behavior of Keycloak?
> Are there known issues with such an amount of realms in Keycloak 1.7?
> What should we do to be able to work with many more realms (we need about 2000)?
>
> Thanks,
> Raanan
>

--
Gabriel Lavoie
glavoie at gmail.com

From psilva at redhat.com Wed Dec 7 19:11:59 2016
From: psilva at redhat.com (Pedro Igor)
Date: Wed, 07 Dec 2016 22:11:59 -0200
Subject: [keycloak-user] Keycloak adapter with policies returns bad request
In-Reply-To:
References:
Message-ID:

Hi Richard,

In your first message, it seems the token endpoint is http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here you are using a realm "local.development". In your last message with the postman request, you are using a token endpoint like this: /auth/realms/development/protocol/openid-connect/token, where the realm is "development", the same you have used in keycloak.json. Would that be a misconfiguration or just a typo?

Besides, what happens when you send that postman request to the server? Are you able to get an AT? This is pretty much what the enforcer does during initialization: obtain an AT before querying the Protection API for protected resources. And it is what your stack trace shows. If you are not able to obtain a token using the postman request, it probably means you have something wrong with your realm/client configuration on the server.

Last question, are you able to run any of our authorization examples? Or even successfully follow our Getting Started guide?

Thanks.
Pedro Igor

On 12/7/2016 12:05:10 PM, Richard van Duijn wrote:
Forgot to include the postman request.. here it is:

POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
Host: 127.0.0.1:8080
Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

/Richard

On Wed, 7 Dec 2016 at 15:00, Richard van Duijn wrote:
Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up.

Besides that I've done some debugging using Postman as well. Using the following request I get the message:
{
  "error": "invalid_client",
  "error_description": "Bearer-only not allowed"
}

This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client.

Hope this helps to clarify it for you.
My keycloak.json configuration file looks like this:

{
  "realm": "development",
  "bearer-only": true,
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "ssl-required": "external",
  "resource": "backend-client",
  "use-resource-role-mappings": true,
  "credentials": {
    "secret": "SECRETHERE"
  },
  "policy-enforcer": {}
}

Hope this helps to clarify some of your questions.

/Richard

On Wed, 7 Dec 2016 at 12:47, Pedro Igor wrote:
Do you get anything in server logs? It may be related with invalid client credentials.

On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:
I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application.

Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies on by adding "policy-enforcer": { } for the rest services, I get a 400 Bad Request response from the Keycloak server during initialization.
After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following keycloak server endpoint:

http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token

Below you will find the stacktrace and request and response objects.
Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is.
Many many thanks!

/Richard

From bruno at abstractj.org Wed Dec 7 20:47:03 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 7 Dec 2016 23:47:03 -0200
Subject: [keycloak-user] Multi Tenant Keycloak Scale
In-Reply-To:
References:
Message-ID:

Does the same happen with the latest release 2.4.0?

On Wed, Dec 7, 2016 at 5:19 PM, Raanan Gonen wrote:
> Hi,
>
> We are using Keycloak 1.7 for a multi tenant environment where each tenant is a realm.
> We have a cluster of 4 Keycloak servers and we see severe performance degradation when we are using about 200 Realms with 200 users each.
> Is that the expected behavior of Keycloak?
> Are there known issues with such an amount of realms in Keycloak 1.7?
> What should we do to be able to work with many more realms (we need about 2000)?
>
> Thanks,
> Raanan

--
- abstractj

From teknodjs at gmail.com Thu Dec 8 01:31:00 2016
From: teknodjs at gmail.com (Padmaka Wijaygoonawardena)
Date: Thu, 8 Dec 2016 12:01:00 +0530
Subject: [keycloak-user] Performance lag in client role creation and retrieval
In-Reply-To:
References:
Message-ID:

Hi,

I've tried Keycloak 2.4.0.Final with the same setup as above regarding the performance issue. For creating a role and assigning a role there is a good performance improvement. However, after the 2.4.0 upgrade, the 'get client role by role name' endpoint is taking around 15s on average. Earlier there wasn't this much of a performance lag.
In the database I have around 30000 client roles and around 10000 roles per client. Please note that I have a MySQL DB and a two-node cluster.

Any advice or fix would be highly appreciated. Thanks in advance.

I have commented on the related ticket as well [1].

[1] - https://issues.jboss.org/browse/KEYCLOAK-3863

On Fri, Nov 4, 2016 at 3:48 PM, Padmaka Wijaygoonawardena <teknodjs at gmail.com> wrote:
> Hi,
>
> Thanks for replying. I created a ticket here [1].
>
> Cheers,
> Padmaka
>
> [1] - https://issues.jboss.org/browse/KEYCLOAK-3863
>
> On Fri, Nov 4, 2016 at 11:01 AM, Stian Thorgersen wrote:
>
>> We're actually currently looking at some issues around this. Please
>> create a JIRA and we'll make sure your case is checked as well.
>>
>> Hopefully this will be solved in the upcoming 2.4 release.
>>
>> On 3 November 2016 at 12:16, Padmaka Wijaygoonawardena <teknodjs at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm
>>> using has 2 Keycloak nodes and around 4000 client roles for one client.
>>> The process I go through for adding is as follows:
>>>
>>> 1. GET call to check whether the role already exists. (takes around 2000ms)
>>> 2. POST call to create the new client role. (takes around 10000ms)
>>> 3. GET call to get the newly created client role (since the create role
>>>    call doesn't send the full client role in the response body). (takes around 10000ms)
>>>
>>> The Keycloak version I used earlier was 1.9.0; with that version this
>>> process worked fine, with one call taking around 700ms on average.
>>>
>>> So as shown above this is a huge performance lag. With further
>>> investigation I found the following points:
>>>
>>> 1. When using only one Keycloak node this problem doesn't appear.
>>>    Therefore it should be some issue with the Infinispan cache.
>>> 2. When I remove the GET calls and only send the create calls then the
>>>    calls return in 2000ms on average.
>>> 3. This lag only appears when executing a get role call soon after
>>>    creating a client role.
>>>
>>> I double checked the changes for 2.3.0 [1]; since there is nothing said
>>> about cache or related issues I raised this issue.
>>>
>>> Any advice or fix would be highly appreciated. Thanks in advance.
>>>
>>> [1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html
>>>
>>> Cheers,
>>> Padmaka.

From georgijsr at scandiweb.com Thu Dec 8 03:43:12 2016
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Thu, 8 Dec 2016 10:43:12 +0200
Subject: [keycloak-user] SSO to the AWS Management Console via SAML
Message-ID: <8e6d8df8-a35f-adfa-6429-92dea41e845e@scandiweb.com>

Hi!

Yes it is possible.

Here are the steps you need to do:

1. Get saml-metadata.xml from Amazon AWS - https://signin.aws.amazon.com/static/saml-metadata.xml
2. Go to Keycloak realm, go to "Clients"
3. Create new SAML client, import Amazon AWS saml-metadata.xml
4. In Client settings, set "Base URL" to "/auth/realms/*your realm name*/protocol/saml/clients/amazon-aws"
5. In Client settings, set "IDP Initiated SSO URL Name" to amazon-aws
6. Save
7. Go to "Installation" tab in Client settings
8. Select "SAML Metadata IDPSSO Descriptor" format
9. Create SAML Identity provider in Amazon AWS IAM, import "SAML Metadata IDPSSO Descriptor" xml file in Amazon AWS
10. Create SAML IAM roles in Amazon AWS, to be used by users logging in from Keycloak.
11. Recreate these IAM roles in Keycloak, in this format "arn:aws:iam::*AWS account name*:role/*IAM role*,arn:aws:iam::*AWS account name*:saml-provider/*Keycloak server FQDN*", and assign them to users or groups
12. Also, set Mappers for "Session Name", "Session Duration" and "Session Role" in Keycloak Amazon AWS client settings.

On 2016.12.07. 22:10, Patrick Ruhkopf wrote:
> Hi,
>
> Is it possible to use Keycloak SAML for SSO to AWS, as described here:
> http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
>
> If so, is there documentation regarding how to set this up? Perhaps similar
> to the following guide which uses Shibboleth?
> https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
>
> Thanks,
> --

From sblanc at redhat.com Thu Dec 8 04:00:04 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 8 Dec 2016 10:00:04 +0100
Subject: [keycloak-user] SSO to the AWS Management Console via SAML
In-Reply-To: <8e6d8df8-a35f-adfa-6429-92dea41e845e@scandiweb.com>
References: <8e6d8df8-a35f-adfa-6429-92dea41e845e@scandiweb.com>

Thanks for these instructions, I think we could add that to our docs.

On Thu, Dec 8, 2016 at 9:43 AM, Georgijs Radovs wrote:
> [...]

From rjvduijn at gmail.com Thu Dec 8 04:06:27 2016
From: rjvduijn at gmail.com (Richard van Duijn)
Date: Thu, 08 Dec 2016 09:06:27 +0000
Subject: [keycloak-user] Keycloak adapter with policies returns bad request

Hi Pedro,

Thank you for the reply. First I'll answer your questions, then I'll clarify my setup a bit more. Please find attached my realm config file as well.

- The realm name was a typo. In the meantime I've reconfigured my realm to ensure the '.' char was not messing up. Turned out not to be the case.
- I'm not able to retrieve an AT from keycloak for the backend-client (which is set to bearer-only). With the given Postman request I just get the 400 bad request error and accompanying message.
- I've followed the getting started guide up to securing the jboss servlet. I've stopped there as I wanted to use a keycloak distribution in combination with a PlayFramework application (for which there is no adapter available yet). I've followed the steps from this post to get the bearerToken approach working. Using the AdapterRSATokenVerifier class I was able to verify the bearerToken received from the javascript frontend.
What I basically have is a filter that intercepts the frontend requests, picks up the bearerToken and checks its validity. If valid the resource is accessible, otherwise the user receives an error.

The next step was to include policies in the setup. Setting up the adapter for the playFramework was a bit difficult as there is no real documentation on that subject, only example implementations like the ones for spring security and jetty. But before getting to the complex logic I've added the policy-enforcer: {} line in the keycloak.json config file for the backend-client. This json is then loaded and used in KeycloakDeploymentBuilder.build(keycloakConfig). This is the point where it fails: as the config contains the policy-enforcer line, the PolicyEnforcer class is initialized, which in turn attempts to retrieve the AT from keycloak.

Is there some flaw in my reasoning?

1. The javascript frontend authenticates itself using the keycloak.js adapter. It adds the accessToken to the Authorization header for the rest-client to pick up
2. The rest client (my backend-client) verifies the bearerToken using the AdapterRSATokenVerifier
3. Then the rest client checks the authorization using the following lines of code:

    final PolicyEnforcer policyEnforcer = keycloakDeployment.getPolicyEnforcer();
    BearerTokenPolicyEnforcer bearerTokenPolicyEnforcer = new BearerTokenPolicyEnforcer(policyEnforcer);
    final AuthorizationContext authorizationContext = bearerTokenPolicyEnforcer.authorize(facade);

Hope this clarifies it a bit. I've attached my realm configuration json file. By the way I'm using keycloak 2.4.0-Final.

Many many thanks for your help! If this approach is valid I'm happy to contribute my code to the community for others to work with.

/Richard

On Thu 8 Dec 2016 at 01:13, Pedro Igor wrote:
> Hi Richard,
>
> In your first message, it seems the token endpoint is
> http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here
> you are using a realm "local.development".
>
> In your last message with the postman request, you are using a token
> endpoint like this /auth/realms/development/protocol/openid-connect/token.
> Where the realm is "development", the same you have used in keycloak.json.
>
> Would that be a misconfiguration or just a typo?
>
> Besides, what happens when you send that postman request to the server?
> Are you able to get an AT?
>
> This is pretty much what the enforcer does during initialization, obtain an
> AT before querying the Protection API for protected resources. And that is what
> your stack trace shows.
>
> If you are not able to obtain a token using the postman request, it
> probably means you have something wrong with your realm/client
> configuration on the server.
>
> Last question, are you able to run any of our authorization examples? Or
> even successfully follow our Getting Started guide?
>
> Thanks.
> Pedro Igor
>
> On 12/7/2016 12:05:10 PM, Richard van Duijn wrote:
> Forgot to include the postman request.. here it is:
>
> POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
> Host: 127.0.0.1:8080
> Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
> Cache-Control: no-cache
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=client_credentials
>
> /Richard
>
> On Wed 7 Dec 2016 at 15:00, Richard van Duijn wrote:
>
> Somehow I do not get any logs in keycloak server.log. I've attempted to
> change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you
> can give me a pointer to which logger I should change to see the correct
> logs show up.
>
> Besides that I've done some debugging using Postman as well. Using the
> following request I get the message:
>
> {
>   "error": "invalid_client",
>   "error_description": "Bearer-only not allowed"
> }
>
> This is weird to me as the keycloak.json file states that I am connecting
> to a bearer-only client.
>
> Hope this helps to clarify it for you.
> My keycloak.json configuration file looks like this:
>
> {
>   "realm": "development",
>   "bearer-only": true,
>   "auth-server-url": "http://127.0.0.1:8080/auth",
>   "ssl-required": "external",
>   "resource": "backend-client",
>   "use-resource-role-mappings": true,
>   "credentials": {
>     "secret": "SECRETHERE"
>   },
>   "policy-enforcer": {}
> }
>
> Hope this helps to clarify some of your questions.
> /Richard
>
> On Wed 7 Dec 2016 at 12:47, Pedro Igor wrote:
>
> Do you get anything in server logs? It may be related with invalid client
> credentials.
>
> On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:
> I'm creating a POC application using playframework and angular. The
> frontend will be protected using the keycloak javascript adapter and the
> backend rest services will be a bearer-only application.
>
> Without the policies turned on in the keycloak.json everything goes well.
> But when I turn the policies on by adding "policy-enforcer": { } for the
> rest services, I get a 400 Bad Request response from the Keycloak server
> during initialization.
> After some debugging I noticed it had to do with the initialization of the
> PolicyEnforcer which attempts to call the following keycloak server
> endpoint:
>
> http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token
>
> Below you will find the stacktrace and request and response objects.
> Hope someone can point me in the right direction. For instance how to
> configure keycloak logging to get some more details on what the reason for
> the 400 bad request is.
> Many many thanks!
> /Richard
>
> Stacktrace:
>
>     at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
>     at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
>     at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
>     at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
>     at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
>     at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
>     at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
>     at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
>     ... many google guice calls ...
>     at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
>     at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)
>
> Request object:
>
> builder = {RequestBuilder at 12557}
>   method = "POST"
>   charset = {UTF_8 at 12563} "UTF-8"
>   version = null
>   uri = {URI at 12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"
>   headergroup = {HeaderGroup at 12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
>   entity = null
>   parameters = {LinkedList at 12566} size = 1
>     0 = {BasicNameValuePair at 12576} "grant_type=client_credentials"
>   config = null
>
> Response object:
>
> HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780
>   statusline = {BasicStatusLine at 12556} "HTTP/1.1 400 Bad Request"
>     ver = {HttpVersion at 12586} "HTTP/1.1"
>     code = 400
>     reasonPhrase = "Bad Request"
>   entity = {BasicManagedEntity at 12555}
>   headergroup = {HeaderGroup at 12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"

From rjvduijn at gmail.com Thu Dec 8 04:36:35 2016
From: rjvduijn at gmail.com (Richard van Duijn)
Date: Thu, 08 Dec 2016 09:36:35 +0000
Subject: [keycloak-user] Check ownership of resource with keycloak Authorization

I'm investigating the possibility of securing my application with keycloak using both Authentication and Authorization. I was wondering if I can check ownership of a resource (i.e. a picture in a database) with keycloak policies. I see there is an example in the documentation using a Drools Policy which checks the ownership of the resource, but that is limited to the client being the owner of the resource. What I'd like to accomplish is to see if userA has access to documentA.
Can the drools engine query a database to fetch the required dataField, or is there another approach for this to be done?

Thanks for any pointers...

/Richard

From mposolda at redhat.com Thu Dec 8 06:03:39 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 8 Dec 2016 12:03:39 +0100
Subject: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables
In-Reply-To: <173158186.42294417.1481126598876.JavaMail.root@centurylink.net>
References: <173158186.42294417.1481126598876.JavaMail.root@centurylink.net>

Yes, there were some related fixes though. Can you try to upgrade to the latest 2.4.0.Final and see if it helps?

Thanks,
Marek

On 07/12/16 17:03, i.pop at centurylink.net wrote:
> Thank you for your message. However, if I set the parameter "Offline Session Idle" to 30 min, I am getting a replication timeout exception associated with the periodic cleaner scheduler service:
>
> [Server:server-one] 09:24:54,979 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for slaveServer:server-two
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765)
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599)
> [Server:server-one]     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> [Server:server-one]     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> [Server:server-one]     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> [Server:server-one]     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> [Server:server-one]     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> [Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> [Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> [Server:server-one]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [Server:server-one]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [Server:server-one]     at java.lang.Thread.run(Thread.java:745)
>
> This exception is thrown with a periodicity of 15 min.
> I have found a previous reference to such an exception in your "keycloak-user" customer inquiries:
> http://lists.jboss.org/pipermail/keycloak-user/2016-July/006892.html
>
> It looks like there was a bug in your KC software. Have you fixed this bug in your later KC releases since July 2016? Or may it be a misconfiguration in my domain clustered configuration (I use your KC-2.1.0.Final release)?
> Thanks,
> Ioan
>
> ----- Original Message -----
> From: "Marek Posolda"
> To: "i pop", "keycloak-user"
> Sent: Friday, November 25, 2016 3:20:18 AM
> Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables
>
> It seems you are using offline tokens for some of your applications,
> right? There is a periodic cleaner, which will remove the records from the
> expired offline sessions. But the timeout for the offline sessions is 30
> days by default. Also the time of "last refresh" is currently updated in
> the DB every time you restart the server (in case you have a
> single server without cluster).
>
> In other words, if you restart the server at least once every 30 days,
> the table will keep growing. It is probably something we can improve...
> Feel free to create a JIRA.
>
> Until then, your possibilities are:
> - Decrease the timeout to a shorter value than 30 days (can be done in the
>   admin console)
> - Ensure the server is not restarted within 30 days, so the outdated
>   sessions can be cleared.
> - Use a cluster with 2 nodes or more and ensure that at least 1 node is
>   always online.
>
> Marek
>
> On 24/11/16 20:11, i.pop at centurylink.net wrote:
>> Hi,
>> Working with a domain clustered mode and a shared ORACLE db, I am noticing the {OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION} tables keep growing in size. How do these tables get cleaned up?
>>
>> Thanks,
>> Ioan

From bruno at abstractj.org Thu Dec 8 06:35:04 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 8 Dec 2016 09:35:04 -0200
Subject: [keycloak-user] Export
Message-ID: <20161208113504.GE17975@abstractj.org>

Hi Brian, do you have the steps to reproduce the issue? I never had such a problem.

On 2016-12-07, Brian Schwartz wrote:
> Is the keycloak export functionality broken since the last couple of
> versions?
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/export-import.html
>
> I run this command:
>
> ./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=demokeycloak.json
>
> I get this error:
>
> 14:00:33,664 INFO  [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 48) Exporting model into file /Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
> 14:00:34,163 INFO  [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
> 14:00:34,222 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
> 14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
>     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>     at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>     at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>     at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>     at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>     at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>     at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>     ... 6 more
> Caused by: java.lang.NullPointerException
>     at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:431)
>     at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:428)
>     at java.util.TimSort.countRunAndMakeAscending(TimSort.java:356)
>     at java.util.TimSort.sort(TimSort.java:220)
>     at java.util.Arrays.sort(Arrays.java:1512)
>     at java.util.ArrayList.sort(ArrayList.java:1454)
>     at java.util.Collections.sort(Collections.java:175)
>     at org.keycloak.models.utils.ModelToRepresentation.exportAuthenticationFlows(ModelToRepresentation.java:428)
>     at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:372)
>     at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:87)
>     at org.keycloak.exportimport.singlefile.SingleFileExportProvider$1.runExportImportTask(SingleFileExportProvider.java:65)
>     at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:236)
>     at org.keycloak.exportimport.singlefile.SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
>     at org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:102)
>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:149)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>     ... 19 more
>
> This has not worked for me since version 2.1.0.
> I'm currently using version 2.4.0.Final.
>
> Thanks

--
abstractj
PGP: 0x84DC9914

From psilva at redhat.com Thu Dec 8 06:36:37 2016
From: psilva at redhat.com (Pedro Igor)
Date: Thu, 08 Dec 2016 09:36:37 -0200
Subject: [keycloak-user] Check ownership of resource with keycloak Authorization
Message-ID: <10ec5f71-0f79-4cc5-bd54-31ad0478268e@getmailbird.com>

Hi Richard,

Resources always have an owner set. By default, the owner is the resource server itself. When creating a resource via the Protection API (only the RS can do that) you are free to set the owner. That is exactly what we do in that Photoz example, where the owner is actually the user who created an album from the application.
Once you set the owner as your user (you can use the user id or something else that you need to match the user later) you can use not only Drools policy, but also JavaScript policies. Take a look on our Evaluation API [1]. From there you can obtain a Resource instance from Evaluation.getPermission, which returns an object holding both the resource and the permission being evaluated. Once you obtain the resource, you can obtain the owner from the resource and do your check. Note that the policy will probably match the subject of the access token (represented in the Evaluation API as an Identity) with the owner field of a resource. The Identity usually represents the user that the client is acting on behalf and that previously authenticated in Keycloak. [1]?https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html Regards. Pedro Igor On 12/8/2016 7:37:29 AM, Richard van Duijn wrote: I'm investigating the possibility of securing my application with keycloak using both Authentication and Authorization. I was wondering if I can check ownership of a resource (i.e. a picture in a database) with keycloak policies. I see there is an example in the documentation using a Drools Policy which checks the ownership of the resource, but that is limited to the client being the owner of the resource. What i'd like to accomplish is to see if userA has access to documentA. Can the drools engine query a database to fetch the required dataField or is there another approach for this to be done? Thanks for any pointers... /Richard _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From Raanan.Gonen at nice.com Thu Dec 8 06:42:57 2016 From: Raanan.Gonen at nice.com (Raanan Gonen) Date: Thu, 8 Dec 2016 11:42:57 +0000 Subject: [keycloak-user] Multi Tenant Keycloak Scale In-Reply-To: References: Message-ID: We will have to check this. 
Unfortunately, our performance system has KC 1.7 -----Original Message----- From: Bruno Oliveira [mailto:bruno at abstractj.org] Sent: ?????, 08 ????? 2016 03:47 To: Raanan Gonen Cc: keycloak-user at lists.jboss.org; Vadim Ilyasov ; Itay Even-Hen ; Yuvraj Sawant Subject: Re: [keycloak-user] Multi Tenant Keycloak Scale Does the same happens with the latest release 2.4.0? On Wed, Dec 7, 2016 at 5:19 PM, Raanan Gonen wrote: > Hi, > > We are using Keycloak 1.7 for multi tenant environment where each tenant is a realm. > We have a cluster of 4 Keycloak servers and we see severe performance degradation when we are using about 200 Realms with 200 users each. > Is that the expected behavior of Keycloak? > Are there known issues with such an amount of realms in Keycloak 1.7? > What should we do to be able to work with much more realms (we need about 2000)? > > Thanks, > Raanan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From Raanan.Gonen at nice.com Thu Dec 8 06:45:17 2016 From: Raanan.Gonen at nice.com (Raanan Gonen) Date: Thu, 8 Dec 2016 11:45:17 +0000 Subject: [keycloak-user] Multi Tenant Keycloak Scale In-Reply-To: References: Message-ID: Thank you Gabriel for the detailed response! May I ask how many KC servers are using for the 500-600 tenants setup? Regards, Raanan From: Gabriel Lavoie [mailto:glavoie at gmail.com] Sent: ??? ?, 08 ????? 2016 01:48 To: Raanan Gonen Cc: keycloak-user at lists.jboss.org; Vadim Ilyasov ; Itay Even-Hen ; Yuvraj Sawant Subject: Re: [keycloak-user] Multi Tenant Keycloak Scale Hi Raanan, we've hit many issues on our side with a large number of realms and took some time to study and fix them. 
I suggest you have a look at this thread in the dev ML:

http://lists.jboss.org/pipermail/keycloak-dev/2016-November/008439.html

I have 5 pull requests that were submitted, 2 merged and 3 still pending for the 3.x release. For now, we're running an in-house Keycloak build with those fixes.

There could still be some areas that are not covered by my pull requests that we haven't hit yet.

Gabriel

--
Gabriel Lavoie
glavoie at gmail.com

From psilva at redhat.com Thu Dec 8 07:05:23 2016
From: psilva at redhat.com (Pedro Igor)
Date: Thu, 08 Dec 2016 10:05:23 -0200
Subject: [keycloak-user] Keycloak adapter with policies returns bad request
Message-ID: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com>

On 12/8/2016 7:06:44 AM, Richard van Duijn wrote:
Hi Pedro,
Thank you for the reply.

First I'll answer your questions, then I'll clarify my setup a bit more. Please find attached my realm config file as well.

* The realm name was a typo. In the meantime I've reconfigured my realm to ensure the '.' char was not messing up. Turned out not to be the case.
* I'm not able to retrieve an AT from keycloak for the backend-client (which is set to bearer-only). With the given Postman request I just get the 400 bad request error and accompanying message.
Pedro Igor: I was able to get an AT after importing your realm and sending the same postman request. Now I'm confused :) The client is backend-client, correct ?

* I've followed the getting started guide up to securing the jboss servlet. I've stopped there as I wanted to use a keycloak distribution in combination with a PlayFramework application (for which there is no adapter available yet).

I've followed the steps from this post [http://bandrzejczak.com/blog/2015/11/22/single-sign-on-with-keycloak-in-a-sigle-page-application-part-1-slash-2-angular-dot-js/] to get the bearerToken approach working. Using the AdapterRSATokenVerifier class I was able to verify the bearerToken received from the javascript frontend. What I basically have is a filter that intercepts the frontend requests, picks up the bearerToken and checks its validity. If valid the resource is accessible, otherwise the user receives an error.

The next step was to include policies in the setup. Setting up the adapter for the playFramework was a bit difficult as there is no real documentation on that subject, only example implementations like the ones for spring security and jetty. But before getting to the complex logic I've added the policy-enforcer: {} line in the keycloak.json config file for the backend-client. This json is then loaded and used in KeycloakDeploymentBuilder.build(keycloakConfig). This is the point where it fails: as the config contains the policy-enforcer line, the PolicyEnforcer class is initialized, which in turn attempts to retrieve the AT from keycloak.

Is there some flaw in my reasoning?

1. The javascript frontend authenticates itself using the keycloak.js adapter. It adds the accessToken to the Authorization header for the rest-client to pick up
2. The rest client (my backend-client) verifies the bearerToken using the AdapterRSATokenVerifier
3. Then the rest client checks the authorization using the following lines of code:

final PolicyEnforcer policyEnforcer = keycloakDeployment.getPolicyEnforcer();
BearerTokenPolicyEnforcer bearerTokenPolicyEnforcer = new BearerTokenPolicyEnforcer(policyEnforcer);
final AuthorizationContext authorizationContext = bearerTokenPolicyEnforcer.authorize(facade);

Pedro Igor: It looks correct. Although it seems you are not even reaching the line above where permissions are actually enforced. Besides, make sure you have all bearer token validations in place based on other adapters we have.

You are almost there. You just need to figure out why you can't obtain an AT from the server even if using postman, curl, etc. I think that if you solve this, you will get everything working (or hit some new issue after this one :)).

Hope this clarifies it a bit. I've attached my realm configuration json file. By the way I'm using keycloak 2.4.0-Final.
Many many thanks for your help!

If this approach is valid I'm happy to contribute my code to the community for others to work with.
/Richard

Op do 8 dec. 2016 om 01:13 schreef Pedro Igor :
Hi Richard,

In your first message, it seems the token endpoint is http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here you are using a realm "local.development".

In your last message with the postman request, you are using a token endpoint like this /auth/realms/development/protocol/openid-connect/token. Where the realm is "development", the same you have used in keycloak.json.

Would that be a misconfiguration or just a typo ?

Besides, what happens when you send that postman request to the server ? Are you able to get an AT ?

This is pretty much what the enforcer does during initialization, obtain an AT before querying the Protection API for protected resources. And is what your stack trace shows.

If you are not able to obtain a token using the postman request, it probably means you have something wrong with your realm/client configuration on the server.

Last question, are you able to run any of our authorization examples ? Or even successfully follow our Getting Started guide ?

Thanks.
Pedro Igor

On 12/7/2016 12:05:10 PM, Richard van Duijn wrote:
Forgot to include the postman request.. here it is:

POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
Host: 127.0.0.1:8080
Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

/Richard

Op wo 7 dec. 2016 om 15:00 schreef Richard van Duijn :
Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up.

Besides that I've done some debugging using Postman as well. Using the following request I get the message:

{
    "error": "invalid_client",
    "error_description": "Bearer-only not allowed"
}

This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client.

Hope this helps to clarify it for you.
My keycloak.json configuration file looks like this:

{
  "realm": "development",
  "bearer-only": true,
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "ssl-required": "external",
  "resource": "backend-client",
  "use-resource-role-mappings": true,
  "credentials": {
    "secret": "SECRETHERE"
  },
  "policy-enforcer": {}
}

Hope this helps to clarify some of your questions.
/Richard

Op wo 7 dec.
2016 om 12:47 schreef Pedro Igor :
Do you get anything in server logs ? It may be related with invalid client credentials.

On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:
I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application.

Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies on by adding "policy-enforcer": { } for the rest services, I get a 400 Bad Request response from the Keycloak server during initialization.
After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following keycloak server endpoint:

http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token

Below you will find the stacktrace and request and response objects.
Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is.
Many many thanks!
/Richard

*Stacktrace*:

at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
... many google guice calls ...
at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)

*Request object*:

builder = {RequestBuilder at 12557}
  method = "POST"
  charset = {UTF_8 at 12563} "UTF-8"
  version = null
  uri = {URI at 12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"
  headergroup = {HeaderGroup at 12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
  entity = null
  parameters = {LinkedList at 12566} size = 1
    0 = {BasicNameValuePair at 12576} "grant_type=client_credentials"
  config = null

*Response object*:

HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780
response = {$Proxy16 at 12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780"
  h = {CloseableHttpResponseProxy at 12583}
    original = {BasicHttpResponse at 12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780"
      statusline = {BasicStatusLine at 12556} "HTTP/1.1 400 Bad Request"
        ver = {HttpVersion at 12586} "HTTP/1.1"
        code = 400
        reasonPhrase = "Bad Request"
      entity = {BasicManagedEntity at 12555}
      reasonCatalog = {EnglishReasonPhraseCatalog at 12588}
      locale = {Locale at 12589} "en_US"
      headergroup = {HeaderGroup at 12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"
      params = {ClientParamsStack at 12591}

From georgijsr at scandiweb.com Thu Dec 8 07:22:23 2016
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Thu, 8 Dec 2016 14:22:23 +0200
Subject: [keycloak-user] SSO to the AWS Management Console via SAML
References: <8e6d8df8-a35f-adfa-6429-92dea41e845e@scandiweb.com>
Message-ID: <916b6a21-e710-a3aa-8e44-a9f50e08369a@scandiweb.com>

Glad to be of some help )

Also, I've written a more detailed tutorial on this:
https://medium.com/@georgijsr/sign-in-to-amazon-aws-using-saml-protocol-and-keycloak-as-identity-provider-e3798387de99#.qph0zd3hb

On 2016.12.08. 11:00, Sebastien Blanc wrote:
> Thanks for these instructions, I think we could add that to our docs.
>
> On Thu, Dec 8, 2016 at 9:43 AM, Georgijs Radovs wrote:
>
> Hi!
>
> Yes it is possible.
>
> Here are the steps you need to do:
>
> 1. Get saml-metadata.xml from Amazon AWS - https://signin.aws.amazon.com/static/saml-metadata.xml
>
> 2. Go to Keycloak realm, go to "Clients"
>
> 3. Create new SAML client, import Amazon AWS saml-metadata.xml
>
> 4. In Client settings, set "Base URL" to "/auth/realms/*your realm name*/protocol/saml/clients/amazon-aws"
>
> 5. In Client settings, set "IDP Initiated SSO URL Name" to amazon-aws
>
> 6. Save
>
> 7. Go to "Installation" tab in Client settings
>
> 8. Select "SAML Metadata IDPSSO Descriptor" format
>
> 9. Create SAML Identity provider in Amazon AWS IAM, import "SAML Metadata IDPSSO Descriptor" xml file in Amazon AWS
>
> 10. Create SAML IAM roles in Amazon AWS, to be used by users logging in from Keycloak.
> 11. Recreate these IAM roles in Keycloak, in this format "arn:aws:iam::*AWS account name*:role/*IAM role*,arn:aws:iam::*AWS account name*:saml-provider/*Keycloak server FQDN*", and assign them to users or groups
>
> 12. Also, set Mappers for "Session Name", "Session Duration" and "Session Role" in Keycloak Amazon AWS client settings.
>
> On 2016.12.07. 22:10, Patrick Ruhkopf wrote:
> > Hi,
> >
> > Is it possible to use Keycloak SAML for SSO to AWS, as described here:
> > http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
> >
> > If so, is there documentation regarding how to set this up? Perhaps similar to the following guide which uses Shibboleth?
> > https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
> >
> > Thanks,
>
> --

From mposolda at redhat.com Thu Dec 8 07:28:32 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 8 Dec 2016 13:28:32 +0100
Subject: [keycloak-user] Facebook login + Remember me

RememberMe is used just for the Keycloak own login form. I can see the possibility that:

- You will create an authenticator implementation, which will set up some cookie once you successfully login with Facebook. You will need to use this authenticator in the post-broker login flow, which will be set up for Facebook.
- Then you will create another authenticator implementation, which will be used in the "browser" flow instead, before the login form is shown. This authenticator will check for the existence of the cookie above and automatically redirect to Facebook if present.
Marek

On 07/12/16 17:32, Mariusz Chruscielewski - Info.nl wrote:
> Hi, is it possible to set remember me cookie and identity cookie from Keycloak when we use Facebook Login Provider?
>
> I did debug, and I found that in AuthenticationManager.java#createLoginCookie check:
>
> if(session.isRememberMe()) returns false.
>
> Is there a way to set this up somewhere (remember all facebook logins?)
>
> I tried to create my own custom Authenticator but I can't set remember me from there. Is there any way to build that?
>
> Thanks in advance
> Mariusz Chruścielewski

From mariusz at info.nl Thu Dec 8 07:32:22 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Thu, 8 Dec 2016 12:32:22 +0000
Subject: [keycloak-user] Facebook login + Remember me

Thanks for your answer, I will try to implement that.

Regards
Mariusz

From rjvduijn at gmail.com Thu Dec 8 07:49:22 2016
From: rjvduijn at gmail.com (Richard van Duijn)
Date: Thu, 08 Dec 2016 12:49:22 +0000
Subject: [keycloak-user] Keycloak adapter with policies returns bad request
In-Reply-To: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com>
References: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com>

You've got me confused as well.. haha

No I'm not reaching the lines using the policyEnforcer. The error occurs earlier in the process.

Could you perhaps explain what you send in the postman request. What is put in the request is the following:

*requestHeaders.put("Authorization", BasicAuthHelper.createHeader(Configuration.this.clientId, secret));*

with the clientId being: *backend-client*
and the secret being: *6ce718ad-2ab1-42ff-bf01-35a03eab3aee*
resulting in the header: *Authorization : Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl*

Other than that I do not have any clues what is wrong. The AT request is generated during startup of my backend server. So I do not yet have any frontend rest calls containing a bearerToken coming in. My assumption is that I can initialize the keycloakDeployment once for my entire application and then use it for each call coming in. Am I correct? My guess now is that this assumption is wrong.

/Richard

From glavoie at gmail.com Thu Dec 8 08:06:21 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Thu, 8 Dec 2016 08:06:21 -0500
Subject: [keycloak-user] Multi Tenant Keycloak Scale

Hi Raanan,

we only have two nodes, but our authentication scenarios are currently limited. Most of our issues were with admin login (large number of sub-roles in the composite admin role), administration (slow realm creation) and node restart with that number of realms. In what cases are you experiencing the issues? Do you have a lot of roles/composite roles in your realms?

Also, regarding an upgrade to 2.4.0. Some of the upgrade code is not Liquibase, but Java code working with the model to migrate data. With 500 realms I had a very difficult time to upgrade to 2.4.0 without hacking the code (performance fixes I've submitted) and configuration. Other than the code fixes, Keycloak recently started to use JTA to manage the transactions, which added a transaction timeout variable which is at 4 or 5 minutes by default I think. There is also the WildFly startup timeout that I've hit. I had to increase both to 2 hours to be able to upgrade without the code fixes. Much lower with the code fixes, but I don't have a specific time in mind as I haven't re-tested this recently.

Gabriel

--
Gabriel Lavoie
glavoie at gmail.com

From mposolda at redhat.com Thu Dec 8 09:03:24 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 8 Dec 2016 15:03:24 +0100
Subject: [keycloak-user] Issue with Client Role Mapping on Keycloak 2.4.0 when integrating with ApacheDS
Message-ID: <9afe8c72-c0ff-ded3-dcb2-2c03640e62d7@redhat.com>

Just fixed in latest master and will be in 2.5.0.CR1. Thanks for reporting this.

Marek

On 07/12/16 08:36, Sumit Das wrote:
> Hi
>
> I am trying to create a mapper named *"Client-Role-Mapper"* of type *"role-ldap-mapper"* for a specified client *"Test Application"* that is present in my Realm. The Client role *(cn=Test_User)* is already present on my ApacheDS ldap server on a *DN: ou=TestRoles,dc=keycloak,dc=org*. But on the *"Client ID" dropdown list, none of my clients are being shown*. The *only option* that is displayed is *"Select one"*.
>
> I am not able to solve this issue. Your earliest response is appreciated.
>
> Regards

From schwartzbj17 at gmail.com Thu Dec 8 10:12:37 2016
From: schwartzbj17 at gmail.com (Brian Schwartz)
Date: Thu, 8 Dec 2016 09:12:37 -0600
Subject: [keycloak-user] Export
In-Reply-To: <20161208113504.GE17975@abstractj.org>
References: <20161208113504.GE17975@abstractj.org>

The command I ran to get the error is below. Before that, I downloaded a fresh copy of keycloak 2.4.0.final standalone, started it up, and entered my configuration. I have one realm other than the master. It used identity brokering oidc 1.0. I have one simple public oidc client.
On Dec 8, 2016 5:35 AM, "Bruno Oliveira" wrote:
> Hi Brian, do you have the steps to reproduce the issue? I never had such problem.
>
> On 2016-12-07, Brian Schwartz wrote:
> > Is the keycloak export functionality broken since the last couple of versions?
> >
> > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/export-import.html
> >
> > I run this command:
> >
> > ./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=demokeycloak.json
> >
> > I get this error:
> >
> > 14:00:33,664 INFO [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 48) Exporting model into file /Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
> > 14:00:34,163 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
> > 14:00:34,222 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
> > 14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > at java.lang.Thread.run(Thread.java:745)
> > at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
> > at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
> > at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
> > at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
> > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
> > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> > at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> > at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
> > at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
> > at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> > ... 6 more
> > Caused by: java.lang.NullPointerException
> > at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:431)
> > at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:428)
> > at java.util.TimSort.countRunAndMakeAscending(TimSort.java:356)
> > at java.util.TimSort.sort(TimSort.java:220)
> > at java.util.Arrays.sort(Arrays.java:1512)
> > at java.util.ArrayList.sort(ArrayList.java:1454)
> > at java.util.Collections.sort(Collections.java:175)
> > at org.keycloak.models.utils.ModelToRepresentation.exportAuthenticationFlows(ModelToRepresentation.java:428)
> > at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:372)
> > at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:87)
> > at org.keycloak.exportimport.singlefile.SingleFileExportProvider$1.runExportImportTask(SingleFileExportProvider.java:65)
> > at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
> > at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:236)
> > at org.keycloak.exportimport.singlefile.SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
> > at org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:102)
> > at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:149)
> > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> > at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> > at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
> > ... 19 more
> >
> > This has not worked for me since version 2.1.0.
> > I'm currently using version 2.4.0.Final.
> >
> > Thanks
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> abstractj
> PGP: 0x84DC9914

From gerbermichi at me.com Thu Dec 8 12:54:09 2016
From: gerbermichi at me.com (Michael Gerber)
Date: Thu, 08 Dec 2016 18:54:09 +0100
Subject: [keycloak-user] Hi, I've got the following error: Bearer realm="app", error="invalid_token", error_description="Token audience doesn't match domain. Token issuer is http://192.168.2.3:30306/auth/realms/app, but URL from configuration is http://keycloak-service:8080/auth/realms/app" Is there a way to disable domain verification? kind regards Michael
Message-ID: <0C1D87E6-D6F2-47C4-B0A7-A5438BCD2C57@me.com>

Hi,

I've got the following error:

Bearer realm="app", error="invalid_token", error_description="Token audience doesn't match domain. Token issuer is http://192.168.2.3:30306/auth/realms/app, but URL from configuration is http://keycloak-service:8080/auth/realms/app"

Is there a way to disable domain verification?
kind regards
Michael

From rjvduijn at gmail.com Thu Dec 8 14:46:08 2016
From: rjvduijn at gmail.com (Richard van Duijn)
Date: Thu, 08 Dec 2016 19:46:08 +0000
Subject: [keycloak-user] Keycloak adapter with policies returns bad request
In-Reply-To:
References: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com>
Message-ID:

Pedro,

I've imported the json file myself and I was able to fetch the AT with postman and things work now. The only difference I see in the server configuration is that I had configured the backend-client with Access-Type 'Bearer-only', which (after the import) is now 'Confidential'.

In my perception I had to configure the backend-client with a bearer-only access-type as it doesn't do any logins, just as the 'bearer-only:true' flag in the adapter config json. Am I mistaken here? Well, at least I can continue now, but still this seems a bit odd to me.

Thank you again for your great help! It is much appreciated!

/Richard

On Thu 8 Dec 2016 at 13:49, Richard van Duijn wrote:
> You've got me confused as well.. haha
>
> No I'm not reaching the lines using the policyEnforcer. The error occurs earlier in the process.
>
> Could you perhaps explain what you send in the postman request. What is put in the request is the following:
>
> *requestHeaders.put("Authorization", BasicAuthHelper.createHeader(Configuration.this.clientId, secret));*
> with the clientId being: *backend-client* and the secret being: *6ce718ad-2ab1-42ff-bf01-35a03eab3aee*
> resulting in the header: *Authorization : Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl*
>
> Other than that I do not have any clues what is wrong.
>
> The AT request is generated during startup of my backend server. So I do not yet have any frontend rest calls containing a bearerToken coming in. My assumption is that I can initialize the keycloakDeployment once for my entire application and then use it for each call coming in. Am I correct?
> My guess now is that this assumption is wrong.
>
> /Richard
>
> On Thu 8 Dec 2016 at 13:05, Pedro Igor wrote:
>
> On 12/8/2016 7:06:44 AM, Richard van Duijn wrote:
> Hi Pedro,
> Thank you for the reply.
>
> First I'll answer your questions, then I'll clarify my setup a bit more. Please find attached my realm config file as well.
>
> - The realm name was a typo. In the meantime I've reconfigured my realm to ensure the '.' char was not messing up. Turned out not to be the case.
> - I'm not able to retrieve an AT from keycloak for the backend-client (which is set to bearer-only). With the given Postman request I just get the 400 bad request error and accompanying message.
>
> *Pedro Igor:* I was able to get an AT after importing your realm and sending the same postman request. Now I'm confused :) The client is backend-client, correct?
>
> - I've followed the getting started guide up to securing the jboss servlet. I've stopped there as I wanted to use a keycloak distribution in combination with a PlayFramework application (for which there is no adapter available yet).
>
> I've followed the steps from this post (http://bandrzejczak.com/blog/2015/11/22/single-sign-on-with-keycloak-in-a-sigle-page-application-part-1-slash-2-angular-dot-js/) to get the bearerToken approach working. Using the *AdapterRSATokenVerifier* class I was able to verify the bearerToken received from the javascript frontend. What I basically have is a filter that intercepts the frontend requests, picks up the bearerToken and checks its validity. If valid the resource is accessible, otherwise the user receives an error.
>
> The next step was to include policies in the setup. Setting up the adapter for the playFramework was a bit difficult as there is no real documentation on that subject, only example implementations like the ones for spring security and jetty. But before getting to the complex logic I've added the policy-enforcer: {} line in the keycloak.json config file for the backend-client.
> This json is then loaded and used in *KeycloakDeploymentBuilder.build(keycloakConfig)*. This is the point where it fails, as the config contains the policy-enforcer line, the PolicyEnforcer class is initialized, which in turn attempts to retrieve the AT from keycloak.
>
> Is there some flaw in my reasoning?
>
> 1. The javascript frontend authenticates itself using the keycloak.js adapter. It adds the accessToken to the Authorization header for the rest-client to pick up.
> 2. The rest client (my backend-client) verifies the bearerToken using the AdapterRSATokenVerifier.
> 3. Then the rest client checks the authorization using the following lines of code:
>
> *final PolicyEnforcer policyEnforcer = keycloakDeployment.getPolicyEnforcer();*
> *BearerTokenPolicyEnforcer bearerTokenPolicyEnforcer = new BearerTokenPolicyEnforcer(policyEnforcer);*
> *final AuthorizationContext authorizationContext = bearerTokenPolicyEnforcer.authorize(facade);*
>
> *Pedro Igor:* It looks correct. Although it seems you are not even reaching the line above where permissions are actually enforced. Besides, make sure you have all bearer token validations in place based on other adapters we have.
>
> You are almost there. You just need to figure out why you can't obtain an AT from the server even if using postman, curl, etc. I think that if you solve this, you will get everything working (or hit some new issue after this one :)).
>
> Hope this clarifies it a bit. I've attached my realm configuration json file. By the way I'm using keycloak 2.4.0-Final.
> Many many thanks for your help!
>
> If this approach is valid I'm happy to contribute my code to the community for others to work with.
> /Richard
>
> On Thu 8 Dec 2016 at 01:13, Pedro Igor wrote:
>
> Hi Richard,
>
> In your first message, it seems the token endpoint is http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here you are using a realm "local.development".
> In your last message with the postman request, you are using a token endpoint like this /auth/realms/development/protocol/openid-connect/token. Where the realm is "development", the same you have used in keycloak.json.
>
> Would that be a misconfiguration or just a typo?
>
> Besides, what happens when you send that postman request to the server? Are you able to get an AT?
>
> This is pretty much what the enforcer does during initialization, obtain an AT before querying the Protection API for protected resources. And is what your stack trace shows.
>
> If you are not able to obtain a token using the postman request, it probably means you have something wrong with your realm/client configuration on the server.
>
> Last question, are you able to run any of our authorization examples? Or even successfully follow our Getting Started guide?
>
> Thanks.
> Pedro Igor
>
> On 12/7/2016 12:05:10 PM, Richard van Duijn wrote:
> Forgot to include the postman request.. here it is:
>
> POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
> Host: 127.0.0.1:8080
> Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
> Cache-Control: no-cache
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=client_credentials
>
> /Richard
>
> On Wed 7 Dec 2016 at 15:00, Richard van Duijn wrote:
>
> Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up.
>
> Besides that I've done some debugging using Postman as well. Using the following request I get the message:
> {
> "error": "invalid_client",
> "error_description": "Bearer-only not allowed"
> }
>
> This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client.
>
> Hope this helps to clarify it for you.
> My keycloak.json configuration file looks like this:
>
> {
> "realm": "development",
> "bearer-only": true,
> "auth-server-url": "http://127.0.0.1:8080/auth",
> "ssl-required": "external",
> "resource": "backend-client",
> "use-resource-role-mappings": true,
> "credentials": {
> "secret": "SECRETHERE"
> },
> "policy-enforcer": {}
> }
>
> Hope this helps to clarify some of your questions.
> /Richard
>
> On Wed 7 Dec 2016 at 12:47, Pedro Igor wrote:
>
> Do you get anything in server logs? It may be related with invalid client credentials.
>
> On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:
> I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application.
>
> Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies on by adding "policy-enforcer": { } for the rest services, I get a 400 Bad Request response from the Keycloak server during initialization.
> After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following keycloak server endpoint:
>
> http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token
>
> Below you will find the stacktrace and request and response objects.
> Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is.
> Many many thanks!
> /Richard
>
> *Stacktrace*:
>
> at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
> at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
> at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
> at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
> at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
> at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
> at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
> at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
> at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
> ... many google guice calls ...
> at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
> at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)
>
> *Request object*:
>
> builder = {RequestBuilder at 12557}
> method = "POST"
> charset = {UTF_8 at 12563} "UTF-8"
> version = null
> uri = {URI at 12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"
> headergroup = {HeaderGroup at 12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
> entity = null
> parameters = {LinkedList at 12566} size = 1
> 0 = {BasicNameValuePair at 12576} "grant_type=client_credentials"
> config = null
>
> *Response object*:
>
> HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780
> response = {$Proxy16 at 12554} "HTTP/1.1 400 Bad Request [Connection:
keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780"
> h = {CloseableHttpResponseProxy at 12583}
> original = {BasicHttpResponse at 12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780"
> statusline = {BasicStatusLine at 12556} "HTTP/1.1 400 Bad Request"
> ver = {HttpVersion at 12586} "HTTP/1.1"
> code = 400
> reasonPhrase = "Bad Request"
> entity = {BasicManagedEntity at 12555}
> reasonCatalog = {EnglishReasonPhraseCatalog at 12588}
> locale = {Locale at 12589} "en_US"
> headergroup = {HeaderGroup at 12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"
> params = {ClientParamsStack at 12591}
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Thu Dec 8 15:11:44 2016
From: psilva at redhat.com (Pedro Igor)
Date: Thu, 08 Dec 2016 18:11:44 -0200
Subject: [keycloak-user] Keycloak adapter with policies returns bad request
In-Reply-To:
References: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com>
Message-ID: <9d368281-dd22-43a5-a216-254524e8e269@getmailbird.com>

Yeah, I missed that part too :)

Clients marked as bearer-only are not allowed to access the token endpoint. However, you can still use bearer-only in your keycloak.json (adapter config) to indicate that only requests with a bearer token are allowed to access your resource server (backend-client).

Regards.
Pedro Igor

From jarekala at axway.com Thu Dec 8 16:23:30 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Thu, 8 Dec 2016 21:23:30 +0000
Subject: [keycloak-user] Issue with Keycloak startup in AWS as a docker
Message-ID:

Hello,

We are running Keycloak (database: Oracle 12c) on AWS as a docker in an EC2 instance. Keycloak deployment is successful via the cloud formation but the startup failed with Keycloak receiving the TERM signal. We have amazon-agent along with Keycloak's docker to spin a new container of Keycloak. Amazon-agent starts a new Keycloak container within a minute. The second time startup of Keycloak fails as well with a different error (where it is not able to create a new table while the name already exists - ORA-00955). This is happening at random. Sometimes the Keycloak instance at the first time starts well, without any issues.

I have attached the logs of the Keycloak container starting the first time after deployment and the second time the amazon-agent spins up a new container. Keep in mind that the logs are bottom-up, watch from the bottom to the top for a sequence. Ultimately, from the logs we understood that it is trying to create the tables the second time but those tables already exist.

Please let us know if you have encountered this kind of issue or have any pointers to where the issue could be: why the first time the container receives a TERM signal and why the second time it cannot overwrite the tables while the migration strategy is mentioned as update in the standalone.xml.

Any help would be appreciated.
Thanks,
Jagan Rekala

From rysiek at occrp.org Thu Dec 8 18:49:59 2016
From: rysiek at occrp.org (Rashiq)
Date: Fri, 09 Dec 2016 00:49:59 +0100
Subject: [keycloak-user] Roles in OIDC tokens
Message-ID: <4290815.J5LtNdMR65@lapuntu>

Hi all,

I am trying to understand how Keycloak and OpenID Connect work, and the thing that I am stumbling on right now is: are user (realm and client) roles -- assuming "Scope Param Required" on a given role is "off", and "Full Scope Allowed" on a client is "on" -- automagically included in the token, or do we have to explicitly add a (realm/client) role mapper each time we add a new client?

From my reading of the docs it seems that the roles should be automagically included:

"The access token is digitally signed by the realm and contains access information (like user role mappings) that the application can use to determine what resources the user is allowed to access on the application."
-- https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/sso-protocols/oidc.html

...but that does not seem to be the case in our testing set-up. Am I missing something?

--
Pozdravi,
rashiq

From rysiek at occrp.org Thu Dec 8 19:00:59 2016
From: rysiek at occrp.org (Rashiq)
Date: Fri, 09 Dec 2016 01:00:59 +0100
Subject: [keycloak-user] Groups/Roles/Clients best practices
Message-ID: <2622191.438ei8fhVi@lapuntu>

Hi all,

first a little introduction. I am currently tasked with deploying Keycloak as an SSO solution for a middle-sized NGO. Keycloak seems like a perfect solution for us, with capabilities to scale and support more elaborate set-ups as we grow and new needs arise.

We will have a few thousand users in there, with varying access levels to different tools we use. And we need to make our setup as simple as possible (so that it's manageable) -- but not simpler.

We are also going to have several clients -- software that we want to authenticate against our Keycloak instance. Each of these will have certain resources available only to certain groups of users. For example, a discussion forum might have certain topics locked and available only to certain groups; or a data storage solution might have a certain set of data only available to a certain group of users.

Now, most of the time, if a user is a member of a particular group, they get access to all resources locked to this particular group in each of these clients. However, we do have use-cases where a user should have access to a group-locked resource in client A, but not in client B (while keeping access to the more generally available resources in both clients).

This gets complicated fast, and we'd like to ask if there are any best practices we could look into and follow?

Right now my thinking is to have client roles related to each of the sets of locked-down resources; then a realm-wide composite role getting all of the client roles together for easier management of the most common use-case; then a group to easily manage users who get the composite realm role (and thus, all the client roles).

This way we could manage the most common use-case easily, but if there's a user who should have access only to the particular locked-down resources in *some* of the clients, we can also grant these more granularly. The actual software that authenticates/authorizes against Keycloak would only have to look for the client role, and wouldn't have to care about the realm role or the group, or anything else.

Does this make sense? Perhaps we're missing some obvious solution, or perhaps we're making some wrong assumptions somewhere. Any suggestions much appreciated!

--
Pozdravi,
rashiq

From juandiego83 at gmail.com Thu Dec 8 19:48:57 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 8 Dec 2016 19:48:57 -0500
Subject: [keycloak-user] Enabling a public rest service
Message-ID:

Hi,

Maybe I am looking at this the wrong way. I have 2 web pages on separate domains. One page is public, so you don't need to log in, and the other is private and you need a user and a password. Both should connect to my Rest API.

I am using java and wildfly 10 for my back end, and Angularjs for my frontend. In my private web page I don't have any problems connecting to my backend.

In my public page I am getting a CORS error and I kind of know why it happens but I do not know how to solve it.

I created this in my web.xml:

    ramonapublic
    /listaPublica
    /listaPublica/*

    ramona
    /

    usuarios

ramonapublic is the public rest service. If I use curl I get this and I have no problem:

    curl http://ramona.localdomain:8080/ramona-backend/listaPublica -X POST -H 'ramonaclient.localdomain'

I get this:

    [{"codigo":1006,"titulo":"Avengers2.mp4","paths3":"archivos/1006/","nombreArchivo":"Avengers2.mp4","tamano":13977910,"bitrate":null,"duracion":null,"hash":null,"mimeType":"video/mp4","fechaSubida":1480518881829,"tipoArchivo": ..............

If I use firefox or chrome I get this:

    XMLHttpRequest cannot load http://localhost:8080/ramona-backend/listaPublica. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://ramonaclient.localdomain' is therefore not allowed access.

For what I can tell the browsers are blocking the response because there is no Access-Control header. (This only happens with my public page; my private page with keycloak works perfect.)

So for what I can tell, listaPublica is being called in the backend, but because it is a public security constraint that is not using keycloak's tokens it is not getting a proper header.
If I add this to my JaxRsActivator:

    private Set<Object> singletons = new HashSet<Object>();
    private Set<Class<?>> classes = new HashSet<Class<?>>();

    public JaxRsActivator() {
        // no instance is created, just class is listed
        classes.add(PublicPlaylistRest.class);

        CorsFilter corsFilter = new CorsFilter();
        corsFilter.getAllowedOrigins().add("http://ramonaclient.localdomain");
        corsFilter.setAllowedHeaders("Content-Type");
        singletons.add(corsFilter);
    }

    @Override
    public Set<Class<?>> getClasses() {
        return classes;
    }

    @Override
    public Set<Object> getSingletons() {
        return singletons;
    }

It works on the public side but it messes up the headers on the private side so I cannot use this. It interferes with keycloak's own CORS.

From sblanc at redhat.com Fri Dec 9 03:48:38 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 9 Dec 2016 09:48:38 +0100
Subject: [keycloak-user] Enabling a public rest service
In-Reply-To:
References:
Message-ID:

Hi,

Yes, mixing public resources + protected resources + CORS can be painful indeed. We need to enhance the dev experience on this point.

But this should work: you implement a ContainerResponseFilter that only applies to your public resources, so it won't mess with KC's own CORS stuff:

    import javax.ws.rs.container.ContainerRequestContext;
    import javax.ws.rs.container.ContainerResponseContext;
    import javax.ws.rs.container.ContainerResponseFilter;
    import javax.ws.rs.ext.Provider;

    @Provider
    public class NewCrossOriginResourceSharingFilter implements ContainerResponseFilter {

        @Override
        public void filter(ContainerRequestContext request, ContainerResponseContext response) {
            // Only the public resource gets CORS headers from this filter; every other
            // path is left to the Keycloak adapter's own CORS handling.
            // (Use startsWith("/listaPublica") if the /listaPublica/* sub-resources
            // from web.xml must be reachable cross-origin as well.)
            if (request.getUriInfo().getPath().equals("/listaPublica")) {
                response.getHeaders().putSingle("Access-Control-Allow-Origin", "*");
                response.getHeaders().putSingle("Access-Control-Expose-Headers", "Location");
                response.getHeaders().putSingle("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
                response.getHeaders().putSingle("Access-Control-Allow-Headers",
                        "Content-Type, User-Agent, X-Requested-With, X-Requested-By, Cache-Control");
                // Browsers reject a wildcard origin together with Allow-Credentials: true on
                // credentialed requests; a public endpoint needs no credentials, so either
                // drop this header or echo one specific allowed origin instead of "*".
                response.getHeaders().putSingle("Access-Control-Allow-Credentials", "true");
            }
        }
    }

I just did the test myself and it should work.

On Fri, Dec 9, 2016 at 1:48 AM, Juan Diego wrote:

> Hi,
>
> Maybe I am looking at this the wrong way. I have 2 web pages on separate
> domains. One page is public, so you don't need to log and the other is
> private and you need a user and a password.
> Both should connect to my Rest API.
> I am using java and wildfly 10 for my back end, and Angularjs for my
> frontend. In my private web page I dont have any problems connecting to my
> backend.
>
> In my public page I am getting cors error and I kind of know why it happens
> but I do not know how to solve it.
>
> I created this in my web.xml
>
> ramonapublic
> /listaPublica
> /listaPublica/*
>
> ramona
> /
>
> usuarios
>
> ramonapublic is the public rest service. If I use curl I get this and I
> have no problem,
> curl http://ramona.localdomain:8080/ramona-backend/listaPublica -X POST
> -H 'ramonaclient.localdomain',
>
> I get this
>
> [{"codigo":1006,"titulo":"Avengers2.mp4","paths3":"archivos/1006/","nombreArchivo":"Avengers2.mp4","tamano":13977910,"bitrate":null,"duracion":null,"hash":null,"mimeType":"video/mp4","fechaSubida":1480518881829,"tipoArchivo":
> ..............
>
> If I use firefox or chrome I get this
>
> XMLHttpRequest cannot load http://localhost:8080/ramona-backend/listaPublica.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://ramonaclient.localdomain' is therefore not
> allowed access.
>
> For what I can tell the browsers are blocking the response because there
> is no Access-Control. (This only happens with my public page, my private
> page with keycloak works perfect)
>
> So for what I can tell is that listaPublic is being called in the backend
> but because it is a public security constrain that is not using keycloaks
> tokens it is not getting a proper header.
>
> If I add this to my JaxRxActivator
>
> private Set<Object> singletons = new HashSet<Object>();
> private Set<Class<?>> classes = new HashSet<Class<?>>();
>
> public JaxRsActivator() {
> // no instance is created, just class is listed
> classes.add(PublicPlaylistRest.class);
>
> CorsFilter corsFilter = new CorsFilter();
> corsFilter.getAllowedOrigins().add("http://ramonaclient.localdomain");
> corsFilter.setAllowedHeaders("Content-Type");
> singletons.add(corsFilter);
> }
>
> @Override
> public Set<Class<?>> getClasses() {
> return classes;
> }
>
> @Override
> public Set<Object> getSingletons() {
> return singletons;
> }
>
> It works on the public side but it messes up the headers on the private
> side so I cannot use this. It interferes with keycloaks own cors.
From michael_furman at hotmail.com Fri Dec 9 04:06:25 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Fri, 9 Dec 2016 09:06:25 +0000
Subject: [keycloak-user] Is LDAP Bind Credential encrypted in the database?
Message-ID:

Hi all,

Is LDAP Bind Credential encrypted in the database?
What algorithm is used?
How can I encrypt the configuration of the custom authenticator (https://keycloak.gitbooks.io/server-developer-guide/content/v/2.4/topics/auth-spi.html)?

Best regards,
Michael

From sblanc at redhat.com Fri Dec 9 04:55:40 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 9 Dec 2016 10:55:40 +0100
Subject: [keycloak-user] Roles in OIDC tokens
In-Reply-To: <4290815.J5LtNdMR65@lapuntu>
References: <4290815.J5LtNdMR65@lapuntu>
Message-ID:

As you said on IRC you only get those back if you explicitly create the mapping, correct?

So for some reasons "Full Scope Allowed" and "Scope Param Require=off" are ignored ...

Does anyone have an idea of what could happen here? I'm clueless on this one.

Maybe you also elaborate a bit on the setup (the composite role containing client roles etc ...) and the fact you are using a python oauth2 lib?

Sebi

On Fri, Dec 9, 2016 at 12:49 AM, Rashiq wrote:

> Hi all,
>
> I am trying to understand how Keycloak and OpenID Connect work, and the
> thing
> that I am stumbling on right now is: are user (realm and client) roles --
> assuming "Scope Param Required" on a given role is "off", and "Full Scope
> Allowed" on a client is "on" -- automagically included in the token, or do
> we
> have to explicitly add a (realm/client) role mapper each time we add a new
> client?
>
> From my reading of the docs it seems that the roles should be
> automagically
> included:
>
> "The access token is digitally signed by the realm and contains access
> information (like user role mappings) that the application can use to
> determine what resources the user is allowed to access on the
> application."
> -- https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/sso-protocols/oidc.html
>
> ...but that does not seem to be the case in our testing set-up. Am I
> missing
> something?
>
> --
> Pozdravi,
> rashiq

From bruno at abstractj.org Fri Dec 9 05:22:50 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 9 Dec 2016 08:22:50 -0200
Subject: [keycloak-user] Is LDAP Bind Credential encrypted in the database?
In-Reply-To:
References:
Message-ID: <20161209102250.GA26362@abstractj.org>

Hi Michael,

On 2016-12-09, Michael Furman wrote:
> Hi all,
> Is LDAP Bind Credential encrypted in the database?
> What algorithm is used?

Take a look at https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/threat/password-db-compromised.html

> How can I encrypt the configuration of the custom authenticator (https://keycloak.gitbooks.io/server-developer-guide/content/v/2.4/topics/auth-spi.html)?

It might be possible by implementing a custom authenticator SPI. TBH I never tried. Although, I don't see the real motivation behind it.

> Best regards,
> Michael

--
abstractj
PGP: 0x84DC9914

From rysiek at occrp.org Fri Dec 9 05:34:41 2016
From: rysiek at occrp.org (Rashiq)
Date: Fri, 09 Dec 2016 11:34:41 +0100
Subject: [keycloak-user] Is LDAP Bind Credential encrypted in the database?
In-Reply-To: <20161209102250.GA26362@abstractj.org>
References: <20161209102250.GA26362@abstractj.org>
Message-ID: <6867548.e9CkSgQdYf@lapuntu>

Hi,

On Friday, 9 December 2016 08:22:50 CET, Bruno Oliveira wrote:
> On 2016-12-09, Michael Furman wrote:
> > Hi all,
> > Is LDAP Bind Credential encrypted in the database?
> > What algorithm is used?
>
> Take a look at
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/threat/password-db-compromised.html

I think the question was not about hashing Keycloak user passwords, but about encrypting the password used to bind keycloak to the LDAP server configured as an Identity Provider for Keycloak. Is that correct, Michael?

In such case, the password cannot be hashed (as Keycloak has to have access to it to provide it to the LDAP server upon connecting).

My *guess* is that the bind password could be encrypted, but database compromise would nonetheless let a potential attacker get to the password (if in no other way, by setting up their own Keycloak instance and using the db for it).

There's no way around it, I think -- Keycloak has to have access to the clear-text LDAP password, one way or another, to bind to the LDAP server.

--
Pozdravi,
rashiq

From rysiek at occrp.org Fri Dec 9 05:35:55 2016
From: rysiek at occrp.org (Rashiq)
Date: Fri, 09 Dec 2016 11:35:55 +0100
Subject: [keycloak-user] Roles in OIDC tokens
In-Reply-To:
References: <4290815.J5LtNdMR65@lapuntu>
Message-ID: <1560850.XrECaQP5lT@lapuntu>

Hi,

On Friday, 9 December 2016 10:55:40 CET, Sebastien Blanc wrote:
> As you said on IRC you only get those back if you explicitly create the
> mapping, correct ?

Yes, that is correct. If I create a User Client Role Mapping for a client I get the client roles of the user; if I create a User Realm Role Mapping for a client, I get the user's realm roles. Otherwise I do not seem to get any roles, even if in Keycloak I can verify that the user does have them.

> So for some reasons "Full Scope Allowed" and "Scope Param Require=off" are
> ignored ...

I don't know, I tried putting "realm", "realms", and "profile" in the scope (with "openid" always there) when authorizing. Perhaps I should try putting something else there?

> Does anyone have an idea of what could happen here ? I'm clueless on this
> one.
>
> Maybe you also elaborate a bit on the setup (the composite role containing
> client roles etc ...)

Sure. We have certain groups that span across all our clients (like, say, "employees"), but also certain groups (say, "project_x") that we want limited to certain clients. As far as I understand (admittedly, not that well!) Keycloak, the sanest way to do this is to:

1. Have client roles for each of the groups. Each client gets a client role like "employee" or "project_x"; these are verified/looked at by the clients to determine who has access to which resources.

2. Have composite realm roles that "contain" all the related client roles. So we would have a composite realm role "realm_employee", which would be configured to "contain" the "employee" role from each and every client; and a "realm_project_x" role that would "contain" role "project_x" only from those clients that are needed in Project X; or, we could have a very specific composite realm role that would "contain" certain client roles in certain clients, if we have a user that should have a very specific/non-standard mix of privileges on certain resources in certain clients.

3. Have a group (like "Employees" or "ProjectX") used to manage which users get the composite realm roles.

A more in-depth description of our set-up is given in a separate thread on this list, too[1]. I would love feedback on whether or not this set-up makes any sense, if there are ways to improve upon it, or do it in a better way.

[1] http://lists.jboss.org/pipermail/keycloak-user/2016-December/008645.html

> and the fact you are using a python oauth2 lib ?

I am currently testing this with https://openidconnect.net/, authing against our testing realm; if anyone wants to help with testing, I can provide testing credentials.

--
Pozdravi,
rashiq

From mariusz at info.nl Fri Dec 9 05:42:13 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Fri, 9 Dec 2016 10:42:13 +0000
Subject: [keycloak-user] Facebook login + Remember me
In-Reply-To:
References:
Message-ID:

Hi Marek, one additional question.

You mentioned "redirect to Facebook", is there any way to redirect to the facebook keycloak flow? Like when I detect that the cookie exists, to run the facebook authentication flow and let KC do the rest in the standard way?

Thanks
Mariusz

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Mariusz Chruscielewski - Info.nl
Sent: Thursday 8 December 2016 13:32
To: Marek Posolda ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Facebook login + Remember me

Thanks for your answer, I will try to implement that.

Regards
Mariusz

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday 8 December 2016 13:29
To: Mariusz Chruscielewski - Info.nl ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Facebook login + Remember me

RememberMe is used just for the Keycloak own login form.

I can see the possibility that:
- You will create an authenticator implementation, which will set up some cookie once you successfully login with Facebook. You will need to use this authenticator in the post-broker login flow, which will be set up for Facebook.
- Then you will create another authenticator implementation, which will be used in the "browser" flow before the login form is shown.
This authenticator will check for the existence of the cookie above and automatically redirects to Facebook if present.

Marek

On 07/12/16 17:32, Mariusz Chruscielewski - Info.nl wrote:
> Hi, is it possible to set remember me cookie and identity cookie from Keycloak when we use Facebook Login Provider?
>
> I did debug, and I found that in AuthenticationManager.java#createLoginCookie check:
>
> if(session.isRememberMe()) returns false.
>
> Is there a way to setup this somewhere (remember all facebook logins?)
>
> I tried to create my own custom Authenticator but I can't set remember me from there. Is there any way to build that?
>
> Thanks in advance
> Mariusz Chruścielewski

From bruno at abstractj.org Fri Dec 9 06:02:22 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 9 Dec 2016 09:02:22 -0200
Subject: [keycloak-user] Is LDAP Bind Credential encrypted in the database?
In-Reply-To: <6867548.e9CkSgQdYf@lapuntu>
References: <20161209102250.GA26362@abstractj.org> <6867548.e9CkSgQdYf@lapuntu>
Message-ID: <20161209110222.GB26362@abstractj.org>

On 2016-12-09, Rashiq wrote:
> Hi,
>
> On Friday, 9 December 2016 08:22:50 CET, Bruno Oliveira wrote:
> > On 2016-12-09, Michael Furman wrote:
> > > Hi all,
> > > Is LDAP Bind Credential encrypted in the database?
> > > What algorithm is used?
> >
> > Take a look at
> > https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/threat/password-db-compromised.html
>
> I think the question was not about hashing Keycloak user passwords, but about
> encrypting the password used to bind keycloak to the LDAP server configured as
> an Identity Provider for Keycloak. Is that correct, Michael?

My bad.

> In such case, the password cannot be hashed (as Keycloak has to have access to
> it to provide it to the LDAP server upon connecting).

You're totally correct.

> My *guess* is that the bind password could be encrypted, but database
> compromise would nonetheless let a potential attacker get to the password (if
> in no other way, by setting up their own Keycloak instance and using the db
> for it).

Yes, if the database is compromised, the keys will be too. Which makes the encryption of the LDAP credential pointless today. We have a Jira which I believe covers this scenario[1].

[1] - https://issues.jboss.org/browse/KEYCLOAK-3205

> There's no way around it, I think -- Keycloak has to have access to the clear-
> text LDAP password, one way or another, to bind to the LDAP server.
>
> --
> Pozdravi,
> rashiq

--
abstractj
PGP: 0x84DC9914

From abhi.raghav007 at gmail.com Fri Dec 9 06:06:51 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Fri, 9 Dec 2016 16:36:51 +0530
Subject: [keycloak-user] Exception while executing example security question required action
Message-ID:

Hi

I have implemented the example security question authenticator custom authenticator independently. I am able to register it as a required action. But when I am trying to login with the user for whom I set it as a required action, I am facing this exception at run time. My pom.xml is also attached.
    16:16:49,916 ERROR [io.undertow.request] (default task-25) UT005023: Exception handling request to /auth/realms/DCI/login-actions/required-action: org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.keycloak.authentication.RequiredActionContext.form()Lorg/keycloak/login/LoginFormsProvider;
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: java.lang.NoSuchMethodError: org.keycloak.authentication.RequiredActionContext.form()Lorg/keycloak/login/LoginFormsProvider;
        at com.dci.examples.providers.events.SecretQuestionRequiredAction.requiredActionChallenge(SecretQuestionRequiredAction.java:40)
        at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:619)
        at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:542)
        at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:464)
        at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299)
        at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:860)
        at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:853)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

pom.xml:

    Authenticator Example
    4.0.0
    SampleAuthenticator-listener-provider
    org.keycloak
    2.5.0.Final-SNAPSHOT
    jar

    org.keycloak        keycloak-authentication-api   1.0-beta-3
    org.keycloak        keycloak-services             1.8.1.Final
    org.keycloak        keycloak-server-spi           2.4.0.Final
    org.keycloak        keycloak-core                 2.4.0.Final
    org.json            json                          20140107
    org.jboss.resteasy  resteasy-client               3.0.6.Final   provided
    javax               javaee-web-api                6.0           provided

    SampleAuthenticator-listener-provider
    org.apache.maven.plugins  maven-compiler-plugin  1.8  1.8
    org.wildfly.plugins       wildfly-maven-plugin   false

From mposolda at redhat.com Fri Dec 9 06:50:58 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Dec 2016 12:50:58 +0100
Subject: [keycloak-user] Facebook login + Remember me
In-Reply-To:
References:
Message-ID:

Yes, by "redirect to Facebook" I meant the flow like:
- Redirect will be done by your Keycloak authenticator to the Facebook
- Once Facebook authenticates, it returns back to Keycloak and Keycloak will establish userSession based on the identityProvider Facebook login
- Keycloak will redirect back to the application

Basically what will happen, should be the same like when user clicks on the button "Login with Facebook" on Keycloak login form. The only difference is, that user won't need to click, but it will happen automatically.

You can take a look at IdentityProviderAuthenticator.redirect, which is similar and is doing automatic redirect to identityProvider based on the "kc_idp_hint" parameter. Your Authenticator will probably do the same though, it will just use the cookie, not the "kc_idp_hint" parameter.
Marek

On 09/12/16 11:42, Mariusz Chruscielewski - Info.nl wrote:
> Hi Marek, one additional question.
>
> You mentioned "redirect to Facebook", is there any way to redirect to the Facebook Keycloak flow? Like when I detect that the cookie exists, to run the Facebook authentication flow and let KC do the rest in the standard way?
>
> Thanks
> Mariusz
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Mariusz Chruscielewski - Info.nl
> Sent: Thursday 8 December 2016 13:32
> To: Marek Posolda ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Facebook login + Remember me
>
> This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing
>
> Thanks for your answer, I will try to implement that.
>
> Regards
> Mariusz
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Thursday 8 December 2016 13:29
> To: Mariusz Chruscielewski - Info.nl ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Facebook login + Remember me
>
> RememberMe is used just for the Keycloak own login form.
>
> I can see the possibility that:
> - You will create an authenticator implementation, which will set up some cookie once you successfully login with Facebook. You will need to use this authenticator in the post-broker login flow, which will be set up for Facebook.
>
> - Then you will create another authenticator implementation, which will be used in the "browser" flow instead, before the login form is shown. This authenticator will check for the existence of the cookie above and automatically redirect to Facebook if present.
>
> Marek
>
>
> On 07/12/16 17:32, Mariusz Chruscielewski - Info.nl wrote:
>> Hi, is it possible to set the remember me cookie and identity cookie from Keycloak when we use the Facebook Login Provider?
>>
>> I did debug, and I found that in AuthenticationManager.java#createLoginCookie the check:
>>
>> if(session.isRememberMe()) returns false.
>>
>> Is there a way to set this up somewhere (remember all facebook logins?)
>>
>> I tried to create my own custom Authenticator but I can't set remember me from there. Is there any way to build that?
>>
>> Thanks in advance
>> Mariusz Chruścielewski
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From RLewis at carbonite.com Fri Dec 9 08:07:22 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Fri, 9 Dec 2016 13:07:22 +0000
Subject: [keycloak-user] Using Keycloak with Microsoft Azure Active Directory
Message-ID:

I am attempting to use Microsoft Azure Active Directory with Keycloak. It is not working correctly.

Here is how I have it configured:

OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL:
Backchannel Logout: Off
User Info URL:
First Login Flow: First Broker Login

It directs me to the Microsoft page to login correctly, but when it comes back to keycloak, it only has the first and last name, but no email address.

Is there something I have configured incorrectly? I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory.
Thank you,
Reed Lewis

From pulgupta at redhat.com Fri Dec 9 08:11:58 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Fri, 9 Dec 2016 18:41:58 +0530
Subject: [keycloak-user] Error while loading the application
Message-ID:

Hi All,

We are using Keycloak SAML adapters to authenticate our applications with Keycloak. The setup was working fine and the applications were able to authenticate the users. However since today we are getting the below error while loading the application and this is resulting in a blank page for the client. Can you please check in case anyone has seen this issue before. Is this related to java versions, as I have not changed anything in the environments recently.

2016-12-09 08:08:08,875 [ajp-/10.7.24.224:8009-2] ERROR [org.apache.catalina.connector] JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.AbstractMethodError: javax.xml.transform.TransformerFactory.setFeature(Ljava/lang/String;Z)V
        at __redirected.__TransformerFactory.setFeature(__TransformerFactory.java:161)
        at org.keycloak.saml.common.util.TransformerUtil.getTransformerFactory(TransformerUtil.java:113)
        at org.keycloak.saml.common.util.TransformerUtil.getTransformer(TransformerUtil.java:81)
        at org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString(DocumentUtil.java:238)
        at org.keycloak.saml.common.util.DocumentUtil.asString(DocumentUtil.java:454)
        at org.keycloak.saml.processing.core.util.XMLSignatureUtil.sign(XMLSignatureUtil.java:340)
        at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.sign(SAML2Signature.java:143)
        at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.signSAMLDocument(SAML2Signature.java:160)
        at org.keycloak.saml.BaseSAML2BindingBuilder.signDocument(BaseSAML2BindingBuilder.java:266)
        at org.keycloak.saml.BaseSAML2BindingBuilder$BasePostBindingBuilder.<init>(BaseSAML2BindingBuilder.java:145)
        at org.keycloak.saml.BaseSAML2BindingBuilder.postBinding(BaseSAML2BindingBuilder.java:208)
        at org.keycloak.adapters.saml.SamlUtil.sendSaml(SamlUtil.java:38)
        at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler$5.sendAuthnRequest(AbstractSamlAuthenticationHandler.java:463)
        at org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:60)
        at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
        at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
        at org.keycloak.adapters.saml.jbossweb.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:41)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
        at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
        at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:384)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
        at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26)
        at com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
        at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
        at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
        at java.lang.Thread.run(Thread.java:745)

--
Thanks,
Pulkit
AMS

From ruiwp_93 at hotmail.com Fri Dec 9 08:16:14 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Fri, 9 Dec 2016 06:16:14 -0700 (MST)
Subject: [keycloak-user] Still active token after logout
In-Reply-To: <1481019600541-1798.post@n6.nabble.com>
References: <1480936098431-1766.post@n6.nabble.com> <9569cbe3-9242-8ee6-5871-1d5e8275ce5a@redhat.com> <1480941102558-1773.post@n6.nabble.com> <4dc91cdf-e27e-69c1-c03d-926790b29824@redhat.com> <1480950542695-1781.post@n6.nabble.com> <1481019600541-1798.post@n6.nabble.com>
Message-ID: <1481289374333-1863.post@n6.nabble.com>

So, no more help for this?

Best Regards

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Still-active-token-after-logout-tp1766p1863.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From lists at merit.unu.edu Fri Dec 9 08:43:12 2016
From: lists at merit.unu.edu (mj)
Date: Fri, 9 Dec 2016 14:43:12 +0100
Subject: [keycloak-user] have keycloak validate a SAML uid / token combination
Message-ID: <85ab4c86-06f3-e9ff-c78d-419f7eb37d9a@merit.unu.edu>

Hi,

Is it possible to configure keycloak to validate a SAML obtained uid / token?

I have an application authenticate via SAML on keycloak. The result is an authenticated user with a uid and a token (long string of characters).

Can I, in a different process, check with keycloak that this uid/token is still a valid combination? What kind of client (if any) would I have to configure in keycloak to do this?

MJ

From keith.hudson at hudzinga.com Fri Dec 9 11:10:00 2016
From: keith.hudson at hudzinga.com (keith.hudson at hudzinga.com)
Date: Fri, 9 Dec 2016 11:10:00 -0500 (EST)
Subject: [keycloak-user] Enabling a public rest service
In-Reply-To:
References:
Message-ID: <1481299800.289111204@apps.rackspace.com>

I apologize if I'm misunderstanding the question here but we currently handle this with the @SecurityDomain annotation on our services. The private services that have the security managed by Keycloak are annotated with:

@SecurityDomain("keycloak")

Our "public" services do not have a security domain associated with them.
This approach works fine.

Again, if I'm missing something in your scenario/question, disregard.

-----Original Message-----
From: "Sebastien Blanc"
Sent: Friday, December 9, 2016 3:48am
To: "Juan Diego"
Cc: "keycloak-user"
Subject: Re: [keycloak-user] Enabling a public rest service

Hi,

Yes, mixing public resources + protected resources + CORS can be painful indeed. We need to enhance the dev experience on this point. But this should work: you implement a ContainerResponseFilter that only applies to your public resources, so it won't mess with KC's own CORS stuff:

import javax.ws.rs.ext.Provider;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;

@Provider
public class NewCrossOriginResourceSharingFilter implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        // Only the public resource path gets these CORS headers; every other
        // path is left untouched so the Keycloak adapter's own CORS handling applies
        if (request.getUriInfo().getPath().equals("/listaPublica")) {
            response.getHeaders().putSingle("Access-Control-Allow-Origin", "*");
            response.getHeaders().putSingle("Access-Control-Expose-Headers", "Location");
            response.getHeaders().putSingle("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            response.getHeaders().putSingle("Access-Control-Allow-Headers",
                    "Content-Type, User-Agent, X-Requested-With, X-Requested-By, Cache-Control");
            response.getHeaders().putSingle("Access-Control-Allow-Credentials", "true");
        }
    }
}

I just did the test myself and it should work.

On Fri, Dec 9, 2016 at 1:48 AM, Juan Diego wrote:
> Hi,
>
> Maybe I am looking at this the wrong way. I have 2 web pages on separate domains. One page is public, so you don't need to log in, and the other is private and you need a user and a password.
> Both should connect to my Rest API.
> I am using java and wildfly 10 for my back end, and Angularjs for my frontend. In my private web page I don't have any problems connecting to my backend.
>
> In my public page I am getting a cors error and I kind of know why it happens but I do not know how to solve it.
>
> I created this in my web.xml
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>ramonapublic</web-resource-name>
>         <url-pattern>/listaPublica</url-pattern>
>         <url-pattern>/listaPublica/*</url-pattern>
>     </web-resource-collection>
> </security-constraint>
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>ramona</web-resource-name>
>         <url-pattern>/</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>usuarios</role-name>
>     </auth-constraint>
> </security-constraint>
>
> ramonapublic is the public rest service. If I use curl I get this and I have no problem,
> curl http://ramona.localdomain:8080/ramona-backend/listaPublica -X POST -H 'ramonaclient.localdomain',
>
> I get this
>
> [{"codigo":1006,"titulo":"Avengers2.mp4","paths3":"archivos/1006/","nombreArchivo":"Avengers2.mp4","tamano":13977910,"bitrate":null,"duracion":null,"hash":null,"mimeType":"video/mp4","fechaSubida":1480518881829,"tipoArchivo":
> ..............
>
> If I use firefox or chrome I get this
>
> XMLHttpRequest cannot load http://localhost:8080/ramona-backend/listaPublica. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://ramonaclient.localdomain' is therefore not allowed access.
>
> From what I can tell the browsers are blocking the response because there is no Access-Control header. (This only happens with my public page, my private page with keycloak works perfectly)
>
> So from what I can tell, listaPublica is being called in the backend, but because it is a public security constraint that is not using keycloak's tokens it is not getting a proper header.
>
> If I add this to my JaxRsActivator
>
> private Set<Object> singletons = new HashSet<>();
> private Set<Class<?>> classes = new HashSet<>();
>
> public JaxRsActivator() {
>     // no instance is created, just the class is listed
>     classes.add(PublicPlaylistRest.class);
>
>     CorsFilter corsFilter = new CorsFilter();
>     corsFilter.getAllowedOrigins().add("http://ramonaclient.localdomain");
>     corsFilter.setAllowedHeaders("Content-Type");
>     singletons.add(corsFilter);
> }
>
> @Override
> public Set<Class<?>> getClasses() {
>     return classes;
> }
>
> @Override
> public Set<Object> getSingletons() {
>     return singletons;
> }
>
> It works on the public side but it messes up the headers on the private side so I cannot use this. It interferes with keycloak's own cors.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mariusz at info.nl Fri Dec 9 11:17:25 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Fri, 9 Dec 2016 16:17:25 +0000
Subject: [keycloak-user] How to check if keycloak has been restarted since last visit
Message-ID:

Hi,

Is there a way to check if Keycloak has been restarted since the last visit? Some unique ID that is created when keycloak starts and doesn't change until you restart keycloak. I would like to use it to verify if a cookie has been created by "this" keycloak instance, or the keycloak instance before the restart.

Kind Regards,

Mariusz Chruścielewski
software engineer
mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From RLewis at carbonite.com Fri Dec 9 11:17:32 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Fri, 9 Dec 2016 16:17:32 +0000
Subject: [keycloak-user] Keycloak connecting to Microsoft Azure Active Directory?
Message-ID:

I am attempting to use Microsoft Azure Active Directory with Keycloak. It is not working correctly.
Here is how I have it configured:

OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL:
Backchannel Logout: Off
User Info URL:
First Login Flow: First Broker Login

It directs me to the Microsoft page to login correctly, but when it comes back to keycloak, it only has the first and last name, but no email address.

Is there something I have configured incorrectly? I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory.

Thank you,
Reed Lewis

From ssilvert at redhat.com Fri Dec 9 12:14:41 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 09 Dec 2016 12:14:41 -0500
Subject: [keycloak-user] How to check if keycloak has been restarted since last visit
In-Reply-To:
References:
Message-ID: <584AE681.7000606@redhat.com>

You could read the server start time and the unique id of the server.
To get those two values you can issue the following jboss-cli commands:
/:read-attribute(name=uuid)
/core-service=platform-mbean/type=runtime/:read-attribute(name=start-time)

On 12/9/2016 11:17 AM, Mariusz Chruscielewski - Info.nl wrote:
> Hi,
>
> Is there a way to check if Keycloak has been restarted since the last visit? Some unique ID that is created when keycloak starts and doesn't change until you restart keycloak. I would like to use it to verify if a cookie has been created by "this" keycloak instance, or the keycloak instance before the restart.
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
>
> info.nl
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mariusz at info.nl Fri Dec 9 13:30:57 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Fri, 9 Dec 2016 18:30:57 +0000
Subject: [keycloak-user] How to check if keycloak has been restarted since last visit
In-Reply-To: <584AE681.7000606@redhat.com>
References: <584AE681.7000606@redhat.com>
Message-ID:

Thanks for the answer Stan, but I was looking for something I can use in java inside keycloak (authenticator, event, etc).

Regards
Mariusz

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stan Silvert
Sent: Friday 9 December 2016 18:15
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to check if keycloak has been restarted since last visit

You could read the server start time and the unique id of the server.
To get those two values you can issue the following jboss-cli commands:
/:read-attribute(name=uuid)
/core-service=platform-mbean/type=runtime/:read-attribute(name=start-time)

On 12/9/2016 11:17 AM, Mariusz Chruscielewski - Info.nl wrote:
> Hi,
>
> Is there a way to check if Keycloak has been restarted since the last visit? Some unique ID that is created when keycloak starts and doesn't change until you restart keycloak. I would like to use it to verify if a cookie has been created by "this" keycloak instance, or the keycloak instance before the restart.
>
> Kind Regards,
>
> Mariusz Chruścielewski
>
> software engineer
>
> mariusz at info.nl | LinkedIn | +31 (0)20 530 9113
>
> info.nl
>
> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From RLewis at carbonite.com Fri Dec 9 14:14:41 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Fri, 9 Dec 2016 19:14:41 +0000
Subject: [keycloak-user] This is merely a test message to see if my messages are coming through
Message-ID: <148295E2-CCCD-4BD0-96D6-E61540D2ACF6@carbonite.com>

I have sent a couple of messages to the mailing list, but have not gotten them back. Just seeing if this one comes back.

Thank you.
Reed

From i.pop at centurylink.net Fri Dec 9 14:55:53 2016
From: i.pop at centurylink.net (i.pop at centurylink.net)
Date: Fri, 9 Dec 2016 14:55:53 -0500 (EST)
Subject: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables
In-Reply-To:
Message-ID: <633868448.44734085.1481313353596.JavaMail.root@centurylink.net>

Thank you Marek for your response.
Unfortunately, this bug still exists in the KC-2.4.0.Final release as well (I have 1.25 M offline user & client sessions in my 2 tables):

[Server:server-one] 13:48:49,541 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for r720xd-14:server-two
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765)
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599)
[Server:server-one]     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
[Server:server-one]     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
[Server:server-one]     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
[Server:server-one]     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
[Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
[Server:server-one]     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
[Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
[Server:server-one]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[Server:server-one]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[Server:server-one]     at java.lang.Thread.run(Thread.java:745)

Any piece of advice, please?

Thanks,
Ioan

----- Original Message -----
From: "Marek Posolda"
To: "i pop"
Cc: "keycloak-user"
Sent: Thursday, December 8, 2016 5:03:39 AM
Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables

Yes, there were some related fixes though. Can you try to upgrade to the latest 2.4.0.Final and see if it helps?

Thanks,
Marek

On 07/12/16 17:03, i.pop at centurylink.net wrote:
> Thank you for your message. However, if I set the parameter "Offline Session Idle" to 30 min, I am getting a replication timeout exception associated with the periodic cleaner scheduler service
> [Server:server-one] 09:24:54,979 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for slaveServer:server-two
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765)
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599)
> [Server:server-one]     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> [Server:server-one]     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> [Server:server-one]     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> [Server:server-one]     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> [Server:server-one]     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> [Server:server-one]     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> [Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> [Server:server-one]     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> [Server:server-one]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [Server:server-one]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [Server:server-one]     at java.lang.Thread.run(Thread.java:745)
>
> This exception is thrown with a periodicity of 15 min.
> I have found a previous reference to such an exception in your "keycloak-user" customer inquiries
> http://lists.jboss.org/pipermail/keycloak-user/2016-July/006892.html
>
> It looks like there was a bug in your KC software. Have you fixed this bug in your later KC releases since July 2016? Or, it may be a misconfiguration in my domain clustered configuration (I use your KC-2.1.0.Final release)?
> Thanks,
> Ioan
>
> ----- Original Message -----
> From: "Marek Posolda"
> To: "i pop" , "keycloak-user"
> Sent: Friday, November 25, 2016 3:20:18 AM
> Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables
>
> It seems you are using offline tokens for some of your applications, right? There is a periodic cleaner, which will remove the records from the expired offline sessions. But the timeout for the offline sessions is 30 days by default. Also the time of "last refresh" is currently updated in the DB every time you restart the server (in case you have a single server without cluster).
>
> In other words, if you restart the server at least once every 30 days, the table will keep growing. It is probably something we can improve... Feel free to create a JIRA.
>
> Until then, your possibilities are:
> - Decrease the timeout to a shorter value than 30 days (can be done in the admin console)
> - Ensure the server is not restarted within 30 days, so the outdated sessions can be cleared.
> - Use a cluster with 2 nodes or more and ensure that at least 1 node is always online.
>
> Marek
>
> On 24/11/16 20:11, i.pop at centurylink.net wrote:
>> Hi,
>> Working with a domain clustered mode and shared ORACLE db, I am noticing the {OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION} tables keep growing in size. How do these tables get cleaned up?
>>
>> Thanks,
>> Ioan
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From thomas.darimont at googlemail.com Fri Dec 9 16:46:40 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 9 Dec 2016 22:46:40 +0100
Subject: [keycloak-user] How to check if keycloak has been restarted since last visit
In-Reply-To:
References: <584AE681.7000606@redhat.com>
Message-ID:

Hello,

ManagementFactory.getRuntimeMXBean().getStartTime() should do the job.

Cheers,
Thomas

2016-12-09 19:30 GMT+01:00 Mariusz Chruscielewski - Info.nl :
> Thanks for the answer Stan, but I was looking for something I can use in java inside keycloak (authenticator, event, etc).
>
> Regards
> Mariusz
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Stan Silvert
> Sent: Friday 9 December 2016 18:15
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to check if keycloak has been restarted since last visit
>
> You could read the server start time and the unique id of the server.
> To get those two values you can issue the following jboss-cli commands:
> /:read-attribute(name=uuid)
> /core-service=platform-mbean/type=runtime/:read-attribute(name=start-time)
>
>
> On 12/9/2016 11:17 AM, Mariusz Chruscielewski - Info.nl wrote:
> > Hi,
> >
> > Is there a way to check if Keycloak has been restarted since the last visit?
Some unique ID that is created when keycloak starts and doesn't > change until you restart keycloak. I would like to use it to verify if > cookie has been created by "this" keycloak instance, or keycloak instance > before restart. > > > > Kind Regards, > > > > Mariusz Chru?cielewski > > > > software engineer > > > > mariusz at info.nl | LinkedIn< > https://www.linkedin.com/in/mariusz-chruscielewski> | +31 (0)20 530 9113 > > > > > info.nl > > > > Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From haimv at perfectomobile.com Sun Dec 11 10:33:11 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Sun, 11 Dec 2016 15:33:11 +0000 Subject: [keycloak-user] Keycloak admin client API connection timeout Message-ID: Hi, We are using keycloak admin client API for various user management operations - most are create and update user and password. In the Keycloak getInstance method we can't specify the connection pool size or timeout - see below, can you please advise what is the connection default timeout ? And is there any way to change it (pool size or timeout) ? 
public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId) { return new Keycloak(serverUrl, realm, username, password, clientId, (String)null, "password", (ResteasyClient)null); } Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, ResteasyClient resteasyClient) { this.config = new Config(serverUrl, realm, username, password, clientId, clientSecret, grantType); this.client = resteasyClient != null?resteasyClient:(new ResteasyClientBuilder()).connectionPoolSize(10).build(); this.tokenManager = new TokenManager(this.config, this.client); this.target = this.client.target(this.config.getServerUrl()); this.target.register(new BearerAuthFilter(this.tokenManager)); } Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. From bburke at redhat.com Sun Dec 11 11:24:58 2016 From: bburke at redhat.com (Bill Burke) Date: Sun, 11 Dec 2016 11:24:58 -0500 Subject: [keycloak-user] Keycloak admin client API connection timeout In-Reply-To: References: Message-ID: <105dba7f-28a9-1619-0083-60e606650a4b@redhat.com> Read the resteasy docs. You can set the timeout in ResteasyClient. I forget how. On 12/11/16 10:33 AM, Haim Vana wrote: > Hi, > > We are using keycloak admin client API for various user management operations - most are create and update user and password. 
> > In the Keycloak getInstance method we can't specify the connection pool size or timeout - see below, can you please advise what is the connection default timeout ? > > And is there any way to change it (pool size or timeout) ? > > > > public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId) { > return new Keycloak(serverUrl, realm, username, password, clientId, (String)null, "password", (ResteasyClient)null); > } > > > Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, ResteasyClient resteasyClient) { > this.config = new Config(serverUrl, realm, username, password, clientId, clientSecret, grantType); > this.client = resteasyClient != null?resteasyClient:(new ResteasyClientBuilder()).connectionPoolSize(10).build(); > this.tokenManager = new TokenManager(this.config, this.client); > this.target = this.client.target(this.config.getServerUrl()); > this.target.register(new BearerAuthFilter(this.tokenManager)); > } > > > > Thanks, > Haim. > > The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From guus.der.kinderen at gmail.com Sun Dec 11 13:21:06 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Sun, 11 Dec 2016 18:21:06 +0000
Subject: [keycloak-user] Adding role to existing users
Message-ID:

What options are available when one would need to add one or two new roles to every pre-existing user of a realm? The existing user base can be pretty large (many thousands of users), which makes a one-user-at-a-time approach sound inefficient.

- Guus

From mposolda at redhat.com Mon Dec 12 03:15:57 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 12 Dec 2016 09:15:57 +0100
Subject: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables
In-Reply-To: <633868448.44734085.1481313353596.JavaMail.root@centurylink.net>
References: <633868448.44734085.1481313353596.JavaMail.root@centurylink.net>
Message-ID: <31544fa3-6bd0-1bb8-d41f-be2df6e738bf@redhat.com>

Could you create JIRA and set fix version to 3.0 ? We plan to do some refactoring for userSessions in next release and better handling of this usecase can be added as part of it too IMO. I think that each periodic cleaner (ClearExpiredUserSessions task) will just lookup the sessions, which are saved on the particular server and will cleanup just those. Currently cleaner tries to lookup for all sessions within whole cluster, which probably has some communication overhead. Fact is, that we didn't yet try to test with 1.25 M sessions.

The workaround for you can be to add your own implementation of UserSessionProvider.removeExpired and handle it somehow by yourself until we add our solution.

The easier workaround may be to shorten offline tokens timeout in admin console from 30 days to something shorter (eg. 1 day?) as then the count of offline sessions probably won't grow so much.
This is an option just if you have an opportunity to cleanup your DB session tables first and restart cluster. When all 1.25M sessions are already in infinispan cluster, the exceptions will be always thrown. Marek On 09/12/16 20:55, i.pop at centurylink.net wrote: > Thank you Marek for your response. > Unfortunately, this bug still exists in the KC-2.4.0.Final release, as well(I have 1.25 M offline-user&client sessions in my 2-tables): > [Server:server-one] 13:48:49,541 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for r720xd-14:server-two > [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599) > [Server:server-one] at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > [Server:server-one] at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > [Server:server-one] at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > [Server:server-one] at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > [Server:server-one] at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) > [Server:server-one] at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) > [Server:server-one] at java.util.concurrent.FutureTask.run(FutureTask.java:266) > [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > [Server:server-one] at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [Server:server-one] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [Server:server-one] at java.lang.Thread.run(Thread.java:745) > > Any piece of advice, please? > Thanks, > Ioan > ----- Original Message ----- > From: "Marek Posolda" > To: "i pop" > Cc: "keycloak-user" > Sent: Thursday, December 8, 2016 5:03:39 AM > Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables > > Yes, there were some related fixes though. Can you try to upgrade to > latest 2.4.0.Final and see if it helps? > > Thanks, > Marek > > On 07/12/16 17:03, i.pop at centurylink.net wrote: >> Thank you for your message. However, if I set parameter "Offline Session Idle" to 30 min, I am getting a replication timeout exception associated with the periodic cleaner scheduler service >> [Server:server-one] 09:24:54,979 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for slaveServer:server-two >> [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599) >> [Server:server-one] at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> [Server:server-one] at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> [Server:server-one] at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> [Server:server-one] at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> [Server:server-one] at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) >> [Server:server-one] at 
org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) >> [Server:server-one] at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> [Server:server-one] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> [Server:server-one] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> [Server:server-one] at java.lang.Thread.run(Thread.java:745) >> >> This exception is thrown with a periodicity of 15 min. >> I have found a previous reference to such exception in your "keycloak-user" customer inquiries >> http://lists.jboss.org/pipermail/keycloak-user/2016-July/006892.html >> >> It looks like there was a bug in your KC software. Have you fixed this bug in your later KC releases since July 2016? Or, it may be a miss-configuration in my domain clustered configuration( I use your KC-2.1.0.Final release) ? >> Thanks, >> Ioan >> >> ----- Original Message ----- >> From: "Marek Posolda" >> To: "i pop" , "keycloak-user" >> Sent: Friday, November 25, 2016 3:20:18 AM >> Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables >> >> It seems you are using offline tokens for some of your application >> right? There is periodic cleaner, which will remove the records from the >> expired offline sessions. But timeout for the offline sessions is 30 >> days by default. Also the time of "last refresh" is currently updated in >> DB every time when you restart the server (in case that you have >> single-server without cluster). >> >> In other words, if you restart the server at least once every 30 days, >> the table will keep growing. 
It is probably something we can improve... >> Feel free to create JIRA. >> >> Until that, your possibilities are: >> - Decrease the timeout to shorter value than 30 days (can be done in >> admin console) >> - Ensure the server is not restarted within 30 days, so the outdated >> sessions can be cleared. >> - Use cluster with 2 nodes or more and ensure that at least 1 node is >> always online. >> >> Marek >> >> On 24/11/16 20:11, i.pop at centurylink.net wrote: >>> Hi, >>> Working with a domain clustered mode and shared ORACLE db , I am noticing {OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION} tables keep growing in size. How these tables get cleaned up? >>> >>> >>> Thanks, >>> Ioan >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user From pala.ondra at gmail.com Mon Dec 12 04:46:35 2016 From: pala.ondra at gmail.com (Ondra Pala) Date: Mon, 12 Dec 2016 10:46:35 +0100 Subject: [keycloak-user] Spring boot + keycloak Message-ID: Hello We use this example: https://github.com/foo4u/keycloak-spring-demo (for Spring boot and Keycloak) I have keycloak.json(realm in this file exists) file in my WEB-INF folder, but when I run my application, I get exception: java.lang.RuntimeException: Must set 'realm' in config Full stack of this exception: java.lang.RuntimeException: Must set 'realm' in config at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:53) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-2.4.0.Final.jar:2.4.0.Final] at 
org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:183) ~[keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784) [tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802) [tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410) [tomcat-embed-core-8.5.5.jar:8.5.5] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.5.jar:8.5.5] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) 
[tomcat-embed-core-8.5.5.jar:8.5.5] at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]

Our configuration of security looks like:

/**
 * Application security configuration.
 *
 * @author Scott Rossillo
 */
@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Autowired
    public KeycloakClientRequestFactory keycloakClientRequestFactory;

    @Bean
    public CacheControlHandlerInterceptor cacheControlHandlerInterceptor() {
        return new CacheControlHandlerInterceptor();
    }

    // Spring Security already places these two filters in its chain; disabling the
    // registration beans stops Spring Boot from registering them a second time.
    @Bean
    public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
            KeycloakAuthenticationProcessingFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
            KeycloakPreAuthActionsFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    @Bean
    @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
    public KeycloakRestTemplate keycloakRestTemplate() {
        return new KeycloakRestTemplate(keycloakClientRequestFactory);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("config");
        super.configure(http);
        http
            .authorizeRequests()
            .antMatchers("/*").denyAll();
    }
}

Can you please tell me where the mistake could be.

Thanks for your answer and time.
Ondrej Pala

From sblanc at redhat.com Mon Dec 12 04:54:53 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 12 Dec 2016 10:54:53 +0100
Subject: [keycloak-user] Spring boot + keycloak
In-Reply-To:
References:
Message-ID:

Hi,

Did you also add the SpringBoot Keycloak Adapter? In this case it will look for the configuration in application.properties but on the other side the Spring Security won't work, so you have 2 options:
- Remove the SpringBoot adapter
- Or tell the SpringSecurity it has to use the SpringBoot Config resolver. Add this in your SecurityConfig class:

@Bean
public KeycloakConfigResolver keycloakConfigResolver() {
    return new KeycloakSpringBootConfigResolver();
}

FYI We have a ticket to make this integration seamless https://issues.jboss.org/browse/KEYCLOAK-4054?filter=12329075

On Mon, Dec 12, 2016 at 10:46 AM, Ondra Pala wrote:
> Hello We use this example: https://github.com/foo4u/keycloak-spring-demo
> (for Spring boot and Keycloak)
>
> I have keycloak.json(realm in this file exists) file in my WEB-INF folder,
> but when I run my application, I get exception:
>
> java.lang.RuntimeException: Must set 'realm' in config
>
> Full stack of this exception:
>
> java.lang.RuntimeException: Must set 'realm' in config
> at
> org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(
> KeycloakDeploymentBuilder.java:53)
>
> ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
> at
> org.keycloak.adapters.KeycloakDeploymentBuilder.build(
> KeycloakDeploymentBuilder.java:152)
>
> ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
> at
> org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(
> KeycloakSpringBootConfigResolver.java:37)
>
> ~[keycloak-spring-boot-adapter-2.4.0.Final.jar:2.4.0.Final]
> at
> org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(
> AdapterDeploymentContext.java:88)
>
> ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
> at
> org.keycloak.adapters.PreAuthActionsHandler.preflightCors(
> PreAuthActionsHandler.java:107) > > ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] > at > org.keycloak.adapters.PreAuthActionsHandler.handleRequest( > PreAuthActionsHandler.java:79) > > ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] > at > org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke( > AbstractKeycloakAuthenticatorValve.java:183) > > ~[keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] > at > org.apache.catalina.core.StandardHostValve.invoke( > StandardHostValve.java:140) > > ~[tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.catalina.valves.ErrorReportValve.invoke( > ErrorReportValve.java:79) > > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.catalina.core.StandardEngineValve.invoke( > StandardEngineValve.java:87) > > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.catalina.connector.CoyoteAdapter.service( > CoyoteAdapter.java:349) > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784) > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.coyote.AbstractProcessorLight.process( > AbstractProcessorLight.java:66) > > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.coyote.AbstractProtocol$ConnectionHandler.process( > AbstractProtocol.java:802) > > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor. 
> doRun(NioEndpoint.java:1410) > > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > org.apache.tomcat.util.net.SocketProcessorBase.run( > SocketProcessorBase.java:49) > > [tomcat-embed-core-8.5.5.jar:8.5.5] > at > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > > [na:1.8.0_101] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > > [na:1.8.0_101] > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run( > TaskThread.java:61) > > [tomcat-embed-core-8.5.5.jar:8.5.5] > at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101] > > Our configuration of security looks like: > > /** > * Application security configuration. > * > * > * @author Scott Rossillo > */ > @Configuration > @EnableWebSecurity > @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class) > public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter > { > > @Autowired > public void configureGlobal(AuthenticationManagerBuilder auth) > throws Exception { > auth > .authenticationProvider(keycloakAuthenticationProvider()); > } > > @Autowired > public KeycloakClientRequestFactory keycloakClientRequestFactory; > > @Bean > public CacheControlHandlerInterceptor > cacheControlHandlerInterceptor() { > return new CacheControlHandlerInterceptor(); > } > > > @Bean > public FilterRegistrationBean > keycloakAuthenticationProcessingFilterRegistrationBean( > KeycloakAuthenticationProcessingFilter filter) { > FilterRegistrationBean registrationBean = new > FilterRegistrationBean(filter); > registrationBean.setEnabled(false); > return registrationBean; > } > > @Bean > public FilterRegistrationBean > keycloakPreAuthActionsFilterRegistrationBean( > KeycloakPreAuthActionsFilter filter) { > FilterRegistrationBean registrationBean = new > FilterRegistrationBean(filter); > registrationBean.setEnabled(false); > return registrationBean; > } > > > @Bean > @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE) > public 
KeycloakRestTemplate keycloakRestTemplate() { > return new KeycloakRestTemplate(keycloakClientRequestFactory); > } > > @Bean > @Override > protected SessionAuthenticationStrategy > sessionAuthenticationStrategy() { > return new RegisterSessionAuthenticationStrategy(new > SessionRegistryImpl()); > } > > @Override > protected void configure(HttpSecurity http) throws Exception > { > System.out.println("config"); > super.configure(http); > http > .authorizeRequests() > .antMatchers("/*").denyAll(); > } > > } > > > Can you please tell me, where it could by mistake. > > Thanks for your answer and time. > > Ondrej Pala > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From haimv at perfectomobile.com Mon Dec 12 04:57:22 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Mon, 12 Dec 2016 09:57:22 +0000 Subject: [keycloak-user] Keycloak admin client API connection timeout In-Reply-To: <105dba7f-28a9-1619-0083-60e606650a4b@redhat.com> References: <105dba7f-28a9-1619-0083-60e606650a4b@redhat.com> Message-ID: That's the problem - the rest easy client is not exposed in the admin client I can't get it. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke Sent: Sunday, December 11, 2016 6:25 PM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak admin client API connection timeout Read the resteasy docs. You can set the timeout in ResteasyClient. I forget how. On 12/11/16 10:33 AM, Haim Vana wrote: > Hi, > > We are using keycloak admin client API for various user management operations - most are create and update user and password. > > In the Keycloak getInstance method we can't specify the connection pool size or timeout - see below, can you please advise what is the connection default timeout ? 
> > And is there any way to change it (pool size or timeout) ? > > > > public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId) { > return new Keycloak(serverUrl, realm, username, password, clientId, (String)null, "password", (ResteasyClient)null); > } > > > Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, ResteasyClient resteasyClient) { > this.config = new Config(serverUrl, realm, username, password, clientId, clientSecret, grantType); > this.client = resteasyClient != null?resteasyClient:(new ResteasyClientBuilder()).connectionPoolSize(10).build(); > this.tokenManager = new TokenManager(this.config, this.client); > this.target = this.client.target(this.config.getServerUrl()); > this.target.register(new BearerAuthFilter(this.tokenManager)); > } > > > > Thanks, > Haim. > > The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&data=01%7C01%7Chaimv%40perfectomobile.com%7C3c6d0c74cc254992112008d421e26a07%7Cceb4c662d6994e7da0bd272619a46977%7C1&sdata=rcVfAcyVcR2Pz7pw2IboPdmuHh7Pbm1kFixzmni2%2BAc%3D&reserved=0

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-user&data=01%7C01%7Chaimv%40perfectomobile.com%7C3c6d0c74cc254992112008d421e26a07%7Cceb4c662d6994e7da0bd272619a46977%7C1&sdata=rcVfAcyVcR2Pz7pw2IboPdmuHh7Pbm1kFixzmni2%2BAc%3D&reserved=0

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From sblanc at redhat.com Mon Dec 12 08:40:00 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 12 Dec 2016 14:40:00 +0100
Subject: [keycloak-user] Adding role to existing users
In-Reply-To:
References:
Message-ID:

I'm afraid there is no out of the box solution. I see 2 options:
- custom SQL query to add the role to the users,
- creating a group, SQL query to add all users to this group and add the role to the group, so next time you add a new role again, all the users from the group will have it.
On Sun, Dec 11, 2016 at 7:21 PM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
> What options are available when one would need to add one or two new roles
> to every pre-existing user of a realm? The existing user base can be pretty
> large (many thousands of users), which makes a one-user-at-a-time approach
> sound inefficient.
>
> - Guus
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From corinnekrych at gmail.com Mon Dec 12 09:27:05 2016
From: corinnekrych at gmail.com (Corinne Krych)
Date: Mon, 12 Dec 2016 15:27:05 +0100
Subject: [keycloak-user] SAML and nodejs adapter
Message-ID:

Hello Bruno, Sebi & KC team,

I'd like to know how I could configure Keycloak to be a SAML 2.0 provider on a nodejs environment. Looking in the demo folder, I can see a Wildfly java based example [1] using keycloak-saml.xml [2]. I couldn't find a nodejs adapter in the gitbook [3]. How could I do a similar demo but with a nodejs app?

++
Corinne

[1] https://github.com/keycloak/keycloak/tree/master/examples/saml
[2] https://github.com/keycloak/keycloak/blob/master/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
[3] https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/saml/saml-overview.html

From glavoie at gmail.com Mon Dec 12 09:29:52 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Mon, 12 Dec 2016 09:29:52 -0500
Subject: [keycloak-user] Keycloak admin client API connection timeout
In-Reply-To:
References: <105dba7f-28a9-1619-0083-60e606650a4b@redhat.com>
Message-ID:

Haim, have a look at KeycloakBuilder. It can be used to create a Keycloak instance with a custom ResteasyClient.

Gabriel

2016-12-12 4:57 GMT-05:00 Haim Vana :
> That's the problem - the rest easy client is not exposed in the admin
> client I can't get it.
> > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@ > lists.jboss.org] On Behalf Of Bill Burke > Sent: Sunday, December 11, 2016 6:25 PM > To: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Keycloak admin client API connection timeout > > Read the resteasy docs. You can set the timeout in ResteasyClient. I > forget how. > > > On 12/11/16 10:33 AM, Haim Vana wrote: > > Hi, > > > > We are using keycloak admin client API for various user management > operations - most are create and update user and password. > > > > In the Keycloak getInstance method we can't specify the connection pool > size or timeout - see below, can you please advise what is the connection > default timeout ? > > > > And is there any way to change it (pool size or timeout) ? > > > > > > > > public static Keycloak getInstance(String serverUrl, String realm, > String username, String password, String clientId) { > > return new Keycloak(serverUrl, realm, username, password, clientId, > (String)null, "password", (ResteasyClient)null); > > } > > > > > > Keycloak(String serverUrl, String realm, String username, String > password, String clientId, String clientSecret, String grantType, > ResteasyClient resteasyClient) { > > this.config = new Config(serverUrl, realm, username, password, > clientId, clientSecret, grantType); > > this.client = resteasyClient != null?resteasyClient:(new > ResteasyClientBuilder()).connectionPoolSize(10).build(); > > this.tokenManager = new TokenManager(this.config, this.client); > > this.target = this.client.target(this.config.getServerUrl()); > > this.target.register(new BearerAuthFilter(this.tokenManager)); > > } > > > > > > > > Thanks, > > Haim. > > > > The information contained in this message is proprietary to the sender, > protected from disclosure, and may be privileged. The information is > intended to be conveyed only to the designated recipient(s) of the message. 
> If the reader of this message is not the intended recipient, you are hereby > notified that any dissemination, use, distribution or copying of this > communication is strictly prohibited and may be unlawful. If you have > received this communication in error, please notify us immediately by > replying to the message and deleting it from your computer. Thank you. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://emea01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo% > 2Fkeycloak-user&data=01%7C01%7Chaimv%40perfectomobile.com% > 7C3c6d0c74cc254992112008d421e26a07%7Cceb4c662d6994e7da0bd272619a4 > 6977%7C1&sdata=rcVfAcyVcR2Pz7pw2IboPdmuHh7Pbm1kFixzmni2%2BAc%3D&reserved=0 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://emea01.safelinks.protection.outlook.com/?url= > https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo% > 2Fkeycloak-user&data=01%7C01%7Chaimv%40perfectomobile.com% > 7C3c6d0c74cc254992112008d421e26a07%7Cceb4c662d6994e7da0bd272619a4 > 6977%7C1&sdata=rcVfAcyVcR2Pz7pw2IboPdmuHh7Pbm1kFixzmni2%2BAc%3D&reserved=0 > The information contained in this message is proprietary to the sender, > protected from disclosure, and may be privileged. The information is > intended to be conveyed only to the designated recipient(s) of the message. > If the reader of this message is not the intended recipient, you are hereby > notified that any dissemination, use, distribution or copying of this > communication is strictly prohibited and may be unlawful. If you have > received this communication in error, please notify us immediately by > replying to the message and deleting it from your computer. Thank you. 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Gabriel Lavoie glavoie at gmail.com From haimv at perfectomobile.com Mon Dec 12 09:44:52 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Mon, 12 Dec 2016 14:44:52 +0000 Subject: [keycloak-user] Keycloak admin client API connection timeout In-Reply-To: References: <105dba7f-28a9-1619-0083-60e606650a4b@redhat.com> Message-ID: Great - thanks, that exactly what I was looking for ? From: Gabriel Lavoie [mailto:glavoie at gmail.com] Sent: Monday, December 12, 2016 4:30 PM To: Haim Vana Cc: Bill Burke ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak admin client API connection timeout Haim, have a look at KeycloakBuilder. It can be used to create a Keycloak instance with a custom ResteasyClient. Gabriel 2016-12-12 4:57 GMT-05:00 Haim Vana >: That's the problem - the rest easy client is not exposed in the admin client I can't get it. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke Sent: Sunday, December 11, 2016 6:25 PM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak admin client API connection timeout Read the resteasy docs. You can set the timeout in ResteasyClient. I forget how. On 12/11/16 10:33 AM, Haim Vana wrote: > Hi, > > We are using keycloak admin client API for various user management operations - most are create and update user and password. > > In the Keycloak getInstance method we can't specify the connection pool size or timeout - see below, can you please advise what is the connection default timeout ? > > And is there any way to change it (pool size or timeout) ? 
> > public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId) {
>     return new Keycloak(serverUrl, realm, username, password, clientId, (String) null, "password", (ResteasyClient) null);
> }
>
> Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, ResteasyClient resteasyClient) {
>     this.config = new Config(serverUrl, realm, username, password, clientId, clientSecret, grantType);
>     // when no client is passed in, a default one is built: pool of 10, no explicit timeouts
>     this.client = resteasyClient != null ? resteasyClient : new ResteasyClientBuilder().connectionPoolSize(10).build();
>     this.tokenManager = new TokenManager(this.config, this.client);
>     this.target = this.client.target(this.config.getServerUrl());
>     this.target.register(new BearerAuthFilter(this.tokenManager));
> }
>
> Thanks,
> Haim.
-- Gabriel Lavoie glavoie at gmail.com
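As an added illustration of Gabriel's and Bill's pointers above (this is not code from the thread or from the Keycloak project), the admin client is built through KeycloakBuilder with a RESTEasy client that carries an explicit pool size and explicit connect and socket timeouts, so a hung or unreachable Keycloak server fails fast instead of blocking the caller's thread indefinitely. The server URL and credentials are placeholders, and the timeout methods are the RESTEasy 3.0.x ResteasyClientBuilder API of the page's era.

```java
import java.util.concurrent.TimeUnit;

import javax.ws.rs.ProcessingException;

import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

/**
 * Added example: builds the Keycloak admin client with a custom
 * ResteasyClient so that pool size and timeouts are explicit instead of
 * the defaults chosen by Keycloak.getInstance(). Placeholders only.
 */
public class AdminClientWithTimeouts {

    // RESTEasy 3.0.x: establishConnectionTimeout bounds the TCP connect,
    // socketTimeout bounds the wait for each response byte.
    static ResteasyClient buildRestClient() {
        return new ResteasyClientBuilder()
                .connectionPoolSize(20)
                .establishConnectionTimeout(5, TimeUnit.SECONDS)
                .socketTimeout(15, TimeUnit.SECONDS)
                .build();
    }

    // Same settings as getInstance() (password grant against a realm),
    // but with the caller-supplied RESTEasy client.
    static Keycloak buildAdminClient(ResteasyClient restClient) {
        return KeycloakBuilder.builder()
                .serverUrl("https://keycloak.example.org/auth") // placeholder
                .realm("master")
                .clientId("admin-cli")
                .grantType("password")
                .username("admin")                            // placeholder
                .password("admin-password")                   // placeholder
                .resteasyClient(restClient)
                .build();
    }

    public static void main(String[] args) {
        Keycloak keycloak = buildAdminClient(buildRestClient());
        try {
            // The first call also triggers the token request, so both the
            // token endpoint and the admin endpoint are covered by the timeouts.
            RealmRepresentation realm = keycloak.realm("master").toRepresentation();
            System.out.println("Connected; realm enabled = " + realm.isEnabled());
        } catch (ProcessingException e) {
            // Connect and read timeouts surface as ProcessingException whose
            // cause is a SocketTimeoutException / ConnectTimeoutException.
            System.err.println("Keycloak unreachable or too slow: " + e.getMessage());
        } finally {
            keycloak.close(); // releases the pooled connections
        }
    }
}
```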
From i.pop at centurylink.net Mon Dec 12 10:36:16 2016 From: i.pop at centurylink.net (i.pop at centurylink.net) Date: Mon, 12 Dec 2016 10:36:16 -0500 (EST) Subject: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables In-Reply-To: <31544fa3-6bd0-1bb8-d41f-be2df6e738bf@redhat.com> Message-ID: <1747984928.47038476.1481556976406.JavaMail.root@centurylink.net> I have created a JIRA: KEYCLOAK-4066 Thanks, Ioan ----- Original Message ----- From: "Marek Posolda" To: "i pop" Cc: "keycloak-user" Sent: Monday, December 12, 2016 2:15:57 AM Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables Could you create a JIRA and set the fix version to 3.0? We plan to do some refactoring for userSessions in the next release, and better handling of this use case can be added as part of it too, IMO. I think that each periodic cleaner (ClearExpiredUserSessions task) will just look up the sessions which are saved on the particular server and will clean up just those. Currently the cleaner tries to look up all sessions within the whole cluster, which probably has some communication overhead. Fact is that we didn't yet try to test with 1.25 M sessions. The workaround for you can be to add your own implementation of UserSessionProvider.removeExpired and handle it somehow by yourself until we add our solution. The easier workaround may be to shorten the offline tokens timeout in the admin console from 30 days to something shorter (eg. 1 day?), as then the count of offline sessions probably won't grow so much.
This is an option just if you have an opportunity to clean up your DB session tables first and restart the cluster. When all 1.25M sessions are already in the Infinispan cluster, the exceptions will always be thrown. Marek On 09/12/16 20:55, i.pop at centurylink.net wrote: > Thank you Marek for your response. > Unfortunately, this bug still exists in the KC-2.4.0.Final release as well (I have 1.25 M offline user & client sessions in my 2 tables): > [Server:server-one] 13:48:49,541 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for r720xd-14:server-two > [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) > [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599) > [Server:server-one] at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) > [Server:server-one] at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) > [Server:server-one] at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) > [Server:server-one] at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) > [Server:server-one] at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) > [Server:server-one] at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) > [Server:server-one] at java.util.concurrent.FutureTask.run(FutureTask.java:266) > [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) > [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) > [Server:server-one] at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [Server:server-one] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [Server:server-one] at java.lang.Thread.run(Thread.java:745) > > Any piece of advice, please? > Thanks, > Ioan > ----- Original Message ----- > From: "Marek Posolda" > To: "i pop" > Cc: "keycloak-user" > Sent: Thursday, December 8, 2016 5:03:39 AM > Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables > > Yes, there were some related fixes though. Can you try to upgrade to > latest 2.4.0.Final and see if it helps? > > Thanks, > Marek > > On 07/12/16 17:03, i.pop at centurylink.net wrote: >> Thank you for your message. However, if I set parameter "Offline Session Idle" to 30 min, I am getting a replication timeout exception associated with the periodic cleaner scheduler service >> [Server:server-one] 09:24:54,979 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredUserSessions: org.infinispan.util.concurrent.TimeoutException: Replication timeout for slaveServer:server-two >> [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:765) >> [Server:server-one] at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$72(JGroupsTransport.java:599) >> [Server:server-one] at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) >> [Server:server-one] at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) >> [Server:server-one] at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) >> [Server:server-one] at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) >> [Server:server-one] at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) >> [Server:server-one] at 
org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) >> [Server:server-one] at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) >> [Server:server-one] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) >> [Server:server-one] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> [Server:server-one] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> [Server:server-one] at java.lang.Thread.run(Thread.java:745) >> >> This exception is thrown with a periodicity of 15 min. >> I have found a previous reference to such an exception in your "keycloak-user" customer inquiries >> http://lists.jboss.org/pipermail/keycloak-user/2016-July/006892.html >> >> It looks like there was a bug in your KC software. Have you fixed this bug in your later KC releases since July 2016? Or, it may be a misconfiguration in my domain clustered configuration (I use your KC-2.1.0.Final release)? >> Thanks, >> Ioan >> >> ----- Original Message ----- >> From: "Marek Posolda" >> To: "i pop" , "keycloak-user" >> Sent: Friday, November 25, 2016 3:20:18 AM >> Subject: Re: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables >> >> It seems you are using offline tokens for some of your applications, >> right? There is a periodic cleaner, which will remove the records from the >> expired offline sessions. But the timeout for the offline sessions is 30 >> days by default. Also the time of "last refresh" is currently updated in the >> DB every time you restart the server (in case you have a >> single server without a cluster). >> >> In other words, if you restart the server at least once every 30 days, >> the table will keep growing. 
It is probably something we can improve... >> Feel free to create a JIRA. >> >> Until then, your possibilities are: >> - Decrease the timeout to a shorter value than 30 days (can be done in the >> admin console) >> - Ensure the server is not restarted within 30 days, so the outdated >> sessions can be cleared. >> - Use a cluster with 2 nodes or more and ensure that at least 1 node is >> always online. >> >> Marek >> >> On 24/11/16 20:11, i.pop at centurylink.net wrote: >>> Hi, >>> Working with a domain clustered mode and a shared ORACLE db, I am noticing the {OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION} tables keep growing in size. How do these tables get cleaned up? >>> >>> >>> Thanks, >>> Ioan >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Mon Dec 12 12:02:09 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 12 Dec 2016 18:02:09 +0100 Subject: [keycloak-user] Keycloak VS Gluu In-Reply-To: References: Message-ID: Keycloak is much much better ;) On 5 December 2016 at 21:02, Thomas Darimont wrote: > Hello group, > > I just stumbled upon the gluu IdM solution and wondered whether someone > on this mailing-list has already compared gluu with Keycloak. > > https://www.gluu.org/gluu-server/overview/ > > Cheers, > Thomas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bruno at abstractj.org Mon Dec 12 13:43:54 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 12 Dec 2016 16:43:54 -0200 Subject: [keycloak-user] [keycloak-dev] SAML and nodejs adapter In-Reply-To: References: Message-ID: <20161212184354.GA9601@abstractj.org> Moving this thread to keycloak-user. Hi Corinne, today we don't have a Node.js adapter for SAML. This is the first time that someone has asked for SAML on Node.js. 
Maybe you could try passport-saml[1] or file a Jira as a feature request. [1] - https://github.com/bergie/passport-saml On 2016-12-12, Corinne Krych wrote: > Hello Bruno, Sebi & KC team, > > I'd like to know how I could configure Keycloak to be a SAML 2.0 provider > on a nodejs environment. > Looking in the demo folder, I can see a Wildfly Java-based example [1] > using keycloak-saml.xml [2] > I couldn't find a nodejs adapter in the gitbook [3]. > How could I do a similar demo but with a nodejs app? > > ++ > Corinne > [1] https://github.com/keycloak/keycloak/tree/master/examples/saml > [2] > https://github.com/keycloak/keycloak/blob/master/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml > > [3] > https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/saml/saml-overview.html > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev -- abstractj PGP: 0x84DC9914 From bruno at abstractj.org Mon Dec 12 14:04:49 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 12 Dec 2016 17:04:49 -0200 Subject: [keycloak-user] Error while loading the application In-Reply-To: References: Message-ID: <20161212190449.GB9601@abstractj.org> What Google told me was that is the problem[1]. But you said that nothing has changed, which is odd. If you restart the server, does everything return to normal? Do you have any idea about the steps to reproduce this issue? [1] - http://stackoverflow.com/questions/18493541/invalid-jaxp-api-when-unmarshaling-jaxb On 2016-12-09, Pulkit Gupta wrote: > Hi All, > > We are using Keycloak SAML adapters to authenticate our applications with > Keycloak. > The setup was working fine and the applications were able to authenticate > the users. > > However, since today we are getting the below error while loading the > application and this is resulting in a black page for the client. 
> > Can you please check in case anyone has seen this issue before. Is this > related to java versions as I have not changed anything in the environments > recently. > > 2016-12-09 08:08:08,875 [ajp-/10.7.24.224:8009-2] ERROR > [org.apache.catalina.connector] JBWEB001018: An exception or error occurred > in the container during the request processing: > java.lang.AbstractMethodError: > javax.xml.transform.TransformerFactory.setFeature(Ljava/lang/String;Z)V > at > __redirected.__TransformerFactory.setFeature(__TransformerFactory.java:161) > at > org.keycloak.saml.common.util.TransformerUtil.getTransformerFactory(TransformerUtil.java:113) > at > org.keycloak.saml.common.util.TransformerUtil.getTransformer(TransformerUtil.java:81) > at > org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString(DocumentUtil.java:238) > at > org.keycloak.saml.common.util.DocumentUtil.asString(DocumentUtil.java:454) > at > org.keycloak.saml.processing.core.util.XMLSignatureUtil.sign(XMLSignatureUtil.java:340) > at > org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.sign(SAML2Signature.java:143) > at > org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.signSAMLDocument(SAML2Signature.java:160) > at > org.keycloak.saml.BaseSAML2BindingBuilder.signDocument(BaseSAML2BindingBuilder.java:266) > at > org.keycloak.saml.BaseSAML2BindingBuilder$BasePostBindingBuilder.(BaseSAML2BindingBuilder.java:145) > at > org.keycloak.saml.BaseSAML2BindingBuilder.postBinding(BaseSAML2BindingBuilder.java:208) > at org.keycloak.adapters.saml.SamlUtil.sendSaml(SamlUtil.java:38) > at > org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler$5.sendAuthnRequest(AbstractSamlAuthenticationHandler.java:463) > at > org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:60) > at > org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247) > at > 
org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222) > at > org.keycloak.adapters.saml.jbossweb.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:41) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465) > at > org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184) > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) > at > org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:384) > at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) > at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26) > at > com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) > at > org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) > at java.lang.Thread.run(Thread.java:745) > > > -- > Thanks, > Pulkit > AMS > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From bruno at abstractj.org Mon Dec 12 14:09:24 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 12 Dec 2016 17:09:24 -0200 Subject: [keycloak-user] Exception while executing example security question required action In-Reply-To: References: 
Message-ID: <20161212190924.GC9601@abstractj.org> Why do you have keycloak-services using version 1.8.1 while the other dependencies have 2.4.0.Final? Have you tried changing it? See: <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-services</artifactId> <version>2.4.0.Final</version> </dependency> On 2016-12-09, abhishek raghav wrote: > Hi > > I have implemented the example security question authenticator custom > authenticator independently. I am able to register it as a required action. > But when I am trying to login with the user for whom I set it as a > required action, I am facing this exception at run time. My pom.xml is also > attached. > > 16:16:49,916 ERROR [io.undertow.request] (default task-25) UT005023: > Exception handling request to > /auth/realms/DCI/login-actions/required-action: > org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: > org.keycloak.authentication.RequiredActionContext.form()Lorg/keycloak/login/LoginFormsProvider; > at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > at > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > at > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > 
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: java.lang.NoSuchMethodError: > org.keycloak.authentication.RequiredActionContext.form()Lorg/keycloak/login/LoginFormsProvider; > at > com.dci.examples.providers.events.SecretQuestionRequiredAction.requiredActionChallenge(SecretQuestionRequiredAction.java:40) > at > org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:619) > at > org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:542) > at > org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:464) > at > org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299) > at > 
org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:860) > at > org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:853) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > ... 
37 more > > pom.xml : > > > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/maven-v4_0_0.xsd"> > Authenticator Example > > 4.0.0 > > SampleAuthenticator-listener-provider > org.keycloak > 2.5.0.Final-SNAPSHOT > jar > > > > > org.keycloak > keycloak-authentication-api > 1.0-beta-3 > > > org.keycloak > keycloak-services > 1.8.1.Final > > > > > org.keycloak > keycloak-server-spi > 2.4.0.Final > > > > org.keycloak > keycloak-core > 2.4.0.Final > > > org.json > json > 20140107 > > > org.jboss.resteasy > resteasy-client > 3.0.6.Final > provided > > > javax > javaee-web-api > 6.0 > provided > > > > > > > > SampleAuthenticator-listener-provider > > > org.apache.maven.plugins > maven-compiler-plugin > > 1.8 > 1.8 > > > > org.wildfly.plugins > wildfly-maven-plugin > > false > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From bruno at abstractj.org Mon Dec 12 14:30:31 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 12 Dec 2016 17:30:31 -0200 Subject: [keycloak-user] Validate Token on IDP In-Reply-To: References: Message-ID: <20161212193031.GD9601@abstractj.org> Hi, I believe you can do this using token introspection[1]. Also, some months ago Thomas posted this utility script[2] (maybe it helps). [1] - https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.2/topics/service/protection/token-introspection.html [2] - http://lists.jboss.org/pipermail/keycloak-user/2016-April/005869.html On 2016-12-01, Laghuvaram, Raghu wrote: > I am trying to validate the token(Access Token) using the URL /auth/realms//protocol/openid-connect/validate?access_token= but I am getting 404 all the time. I am using 2.3.0 Final, is the token validate URL still valid? > > > Thanks, > Raghu. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From corinnekrych at gmail.com Tue Dec 13 02:35:53 2016 From: corinnekrych at gmail.com (Corinne Krych) Date: Tue, 13 Dec 2016 08:35:53 +0100 Subject: [keycloak-user] [keycloak-dev] SAML and nodejs adapter In-Reply-To: <20161212184354.GA9601@abstractj.org> References: <20161212184354.GA9601@abstractj.org> Message-ID: Thanks Bruno for your answer. What could be the alternative flow (hybrid OAuth/SAML) I could use with Keycloak? Is Keycloak implementing a flow like [1]? How could I achieve an external IdP (SAML based with LDAP) working with a KC service resource (using keycloak-connect for a nodejs based protected resource)? ++ Corinne [1] https://tools.ietf.org/html/rfc7521 On 12 December 2016 at 19:43, Bruno Oliveira wrote: > Moving this thread to keycloak-user. > > Hi Corinne, today we don't have a Node.js adapter for SAML. This is the > first time that someone asks for SAML on Node.js. > > Maybe you could try passport-saml[1] or file a Jira as a feature > request. > > > [1] - https://github.com/bergie/passport-saml > > On 2016-12-12, Corinne Krych wrote: > > Hello Bruno, Sebi & KC team, > > > > I'd like to know how I could configure Keycloak to be a SAML 2.0 provider > > on a nodejs environment. 
> > Looking in the demo folder, I can see a Wildfly Java-based example [1] > > using keycloak-saml.xml [2] > > I couldn't find a nodejs adapter in the gitbook [3]. > > How could I do a similar demo but with a nodejs app? > > > > ++ > > Corinne > > [1] https://github.com/keycloak/keycloak/tree/master/examples/saml > > [2] > > https://github.com/keycloak/keycloak/blob/master/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml > > > > [3] > > https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/saml/saml-overview.html > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > -- > > abstractj > PGP: 0x84DC9914 > From jeroen_koek at hotmail.com Tue Dec 13 03:26:47 2016 From: jeroen_koek at hotmail.com (Jeroen Koek) Date: Tue, 13 Dec 2016 08:26:47 +0000 Subject: [keycloak-user] Keycloak 2.3.0 Logout on multiple war's In-Reply-To: References: , Message-ID: Hi, I have deployed multiple wars on JBoss EAP 6.4. The wars are running on different URLs and are using the same keycloak client ('Athlon'). If I'm logged in I'm able to navigate to the different applications and seamlessly start a Java session; I see multiple JSESSIONIDs. If I log out on one of the wars (session logout) I'm still able to access the other applications, to my surprise; e.g. the SSO is not working. I have configured the admin url to the root of the application server ("/") where I have one of the applications running. However, the adapter is not invalidating all other sessions (for the other applications); I can still navigate to one of the other applications ("/app" for instance). I have now created a for loop where I'm logging out all applications manually (/logout). My mind is telling me that I'm doing something completely wrong. Am I right? Regards, Jeroen. 
From michael_furman at hotmail.com Tue Dec 13 05:12:49 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Tue, 13 Dec 2016 10:12:49 +0000 Subject: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. Message-ID: Hi all, I try to access from the SpringSecurity adapter over HTTPS without success. When I try to access the IDP over HTTPS, the redirect_uri is replaced with localhost: https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid Then I get this error in the UI: WE'RE SORRY ... Invalid parameter: redirect_uri Similarly, when I try to access the IDP over HTTP, the redirect_uri is replaced with localhost: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid Same error in the UI: WE'RE SORRY ... Invalid parameter: redirect_uri Only if I access from the SpringSecurity adapter over HTTP does the redirect_uri have the correct value, and it works: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid Finally I can see the login page. What is wrong in my configurations? Any help will be appreciated. 
Best regards, Michael

From aidan at ontologyengineering.org Tue Dec 13 05:17:50 2016 From: aidan at ontologyengineering.org (Aidan Delaney) Date: Tue, 13 Dec 2016 10:17:50 +0000 Subject: [keycloak-user] Minimal complete example Message-ID: <1481624270.4200.18.camel@ontologyengineering.org>

Dear all,

I'm trying to put together a keycloak example that executes on a `mvn wildfly:run` and I'd appreciate some help. My assumptions are that I can:

1. package both an example app and keycloak-server up in an EAR,
2. make the EAR depend on keycloak-server-overlay and keycloak-wildfly-adapter-dist
3. provide configuration similar to keycloak-examples-2.4.0.Final/preconfigured-demo
4. execute a `wildfly:run` to see a small demo.

I fully appreciate that keycloak should not be run in the above manner. That the keycloak server _should_ be separated from the demo application. However, I'm using this as a hands-on demo for undergraduate students and, thereafter, high-school students. As such, I want to make the initial example as straightforward to run as possible. In these situations, running keycloak-standalone and executing the example app leads to inevitable complications. Moreover, I don't have access to Docker or Vagrant in the teaching environment.

I'm running into a few issues which I can work through. But I'm wondering if it's possible to come up with such an example or if I'm barking up the wrong tree?

--
Dr Aidan Delaney
Principal Lecturer
Computing, Engineering & Maths
University of Brighton

@aidandelaney

From sblanc at redhat.com Tue Dec 13 05:23:33 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 13 Dec 2016 11:23:33 +0100 Subject: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. In-Reply-To: References: Message-ID:

What is the difference between your example 2 and example 3 ?
On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman wrote: > Hi all, > I try to access from SpringSecurity adapter over HTTPS without success. > When I try to access to IDP over HTTPS the redirect_uri is replaced to > localhost: > > https://192.168.110.2:8443/auth/realms/master/protocol/ > openid-connect/auth?response_type=code&client_id= > testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081% > 2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f- > ba1e3eae8084&login=true&scope=openid > > Then I get this error in UI: > WE'RE SORRY ... > Invalid parameter: redirect_uri > > Similar, when I try to access to IDP over HTTP, the redirect_uri is > replaced to localhost: > http://192.168.110.2:9080/auth/realms/master/protocol/ > openid-connect/auth?response_type=code&client_id= > testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081% > 2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6- > 07d0a7f4bc99&login=true&scope=openid > > Same error in UI: > WE'RE SORRY ... > Invalid parameter: redirect_uri > > Only if I access from SpringSecurity adapter over HTTP the redirect_uri > has correct value and it works: > http://192.168.110.2:9080/auth/realms/master/protocol/ > openid-connect/auth?response_type=code&client_id= > testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081% > 2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2- > c882c9625479&login=true&scope=openid > > Finally I can see the login page. > What wrong in my configurations? > Any help will be appreciated. 
> Best regards, > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sblanc at redhat.com Tue Dec 13 05:33:58 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 13 Dec 2016 11:33:58 +0100 Subject: [keycloak-user] Minimal complete example In-Reply-To: <1481624270.4200.18.camel@ontologyengineering.org> References: <1481624270.4200.18.camel@ontologyengineering.org> Message-ID: Well the example distribution[1] is the easiest to achieve this : You have a wildfly server with Keycloak overlay and you just 'mvn wildfly:run' the examples that will also be deployed into this application server. And why do you want an EAR ? [1] https://downloads.jboss.org/keycloak/2.4.0.Final/keycloak-examples-2.4.0.Final.zip On Tue, Dec 13, 2016 at 11:17 AM, Aidan Delaney < aidan at ontologyengineering.org> wrote: > Dear all, > I'm trying to put together a keycloak example that executes on > a `mvn wildfly:run` and I'd appreciate some help. My assumptions are > that I can: > > 1. package both an example app and keycloak-server up in an EAR, > 2. make the EAR depend on keycloak-server-overlay and keycloak- > wildfly-adapter-dist > 3. provide configuration similar to keycloak-examples- > 2.4.0.Final/preconfigured-demo > 4. execute a `wildfly:run` to see a small demo. > > I fully appreciate that keycloak should not be run in the above manner. > That the keycloak server _should_ be separated from the demo > application. However, I'm using this as a hands-on demo for > undergraduate students and, thereafter, high-school students. As such, > I want to make the initial example as straightforward to run as > possible. In these situations, running keycloak-standalone and > executing the example app leads to inevitable complications. Moreover, > I don't have access to Docker or Vagrant in the teaching environment. 
> > I'm running into a few issues which I can work through. But I'm > wondering if it's possible to come up with such an example of if I'm > barking up the wrong tree? > > -- > Dr Aidan Delaney > Principal Lecturer > Computing, Engineering & Maths > University of Brighton > > @aidandelaney > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From michael_furman at hotmail.com Tue Dec 13 05:44:12 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Tue, 13 Dec 2016 10:44:12 +0000 Subject: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. In-Reply-To: References: , Message-ID: Example 2: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTP Example 3: SpringSecurity adapter RP is over HTTP (the client configuration in IDP configured also HTTP) IDP is over HTTP BTW, Example 1: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTPS ________________________________ From: Sebastien Blanc Sent: Tuesday, December 13, 2016 12:23 PM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. What is the difference between your example 2 and example 3 ? On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman > wrote: Hi all, I try to access from SpringSecurity adapter over HTTPS without success. When I try to access to IDP over HTTPS the redirect_uri is replaced to localhost: https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid Then I get this error in UI: WE'RE SORRY ... 
Invalid parameter: redirect_uri

Similarly, when I try to access the IDP over HTTP, the redirect_uri is replaced with localhost: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid

Same error in UI: WE'RE SORRY ... Invalid parameter: redirect_uri

Only if I access from the SpringSecurity adapter over HTTP does the redirect_uri have the correct value and it works: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid

Finally I can see the login page. What is wrong in my configurations? Any help will be appreciated. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From aidan at ontologyengineering.org Tue Dec 13 05:53:18 2016 From: aidan at ontologyengineering.org (Aidan Delaney) Date: Tue, 13 Dec 2016 10:53:18 +0000 Subject: [keycloak-user] Minimal complete example In-Reply-To: References: <1481624270.4200.18.camel@ontologyengineering.org> Message-ID: <1481626398.4200.21.camel@ontologyengineering.org>

Sebastien,

You're right. It doesn't have to be an EAR. What I'm looking to have is the right demo workflow.

For example, if you

$ cd keycloak-examples-2.4.0.Final/preconfigured-demo
$ mvn wildfly:run

you get a

```
org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./customer-portal:
java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
```

which is because the wildfly keycloak adaptor isn't available

Adding

```xml
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-wildfly-adapter</artifactId>
  <version>2.4.0.Final</version>
</dependency>
```

to the client-app `pom.xml` leads to a

```
10:45:16,948 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 21) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./customer-portal:
org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./customer-portal:
java.lang.NoClassDefFoundError: org/keycloak/adapters/KeycloakDeploymentBuilder
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
        ...
```

which I can then get from somewhere else....I'll chase it eventually.

What I'm trying to do is have an example that pulls down all its own dependencies so that students don't have to get the keycloak-overlay or do anything other than have Maven available to them.

Again, I appreciate that this isn't how you'd normally go about running Keycloak and I appreciate your help with this.

--
Dr Aidan Delaney
Principal Lecturer
Computing, Engineering & Maths
University of Brighton

@aidandelaney

From michael_furman at hotmail.com Tue Dec 13 05:56:01 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Tue, 13 Dec 2016 10:56:01 +0000 Subject: [keycloak-user] How to configure what claim will be used as the user name in SpringSecurity adapter? Message-ID:

Hi all,

I want to configure the claim preferred_username to be used as the user name after SpringSecurity adapter authentication. How can I configure it? Any help will be appreciated.
Best regards, Michael

From sblanc at redhat.com Tue Dec 13 06:12:43 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 13 Dec 2016 12:12:43 +0100 Subject: [keycloak-user] Minimal complete example In-Reply-To: <1481626398.4200.21.camel@ontologyengineering.org> References: <1481624270.4200.18.camel@ontologyengineering.org> <1481626398.4200.21.camel@ontologyengineering.org> Message-ID:

But have you downloaded the distribution zip that contains a wildfly server that contains the keycloak server overlay and the adapters already configured ? Just go to keycloak-examples-2.4.0.Final/keycloak , run './standalone.xml' and you have a 2 in 1 :) , you can deploy directly there your examples, nothing else is needed.

On Tue, Dec 13, 2016 at 11:53 AM, Aidan Delaney < aidan at ontologyengineering.org> wrote:

> Sebastien,
>
> You're right. It doesn't have to be an EAR. What I'm looking to have
> is the right demo workflow.
>
> For example, if you
>
> $ cd keycloak-examples-2.4.0.Final/preconfigured-demo
> $ mvn wildfly:run
>
> you get a
>
> ```
> org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./customer-portal:
> java.lang.RuntimeException: java.lang.RuntimeException: UT010039:
> Unknown authentication mechanism KEYCLOAK
> ```
>
> which is because the wildfly keycloak adaptor isn't available
>
> Adding
>
> ```xml
> <dependency>
>   <groupId>org.keycloak</groupId>
>   <artifactId>keycloak-wildfly-adapter</artifactId>
>   <version>2.4.0.Final</version>
> </dependency>
> ```
> to the client-app `pom.xml` leads to a
>
> ```
> 10:45:16,948 ERROR [org.jboss.msc.service.fail] (ServerService Thread
> Pool -- 21) MSC000001: Failed to start service
> jboss.undertow.deployment.default-server.default-host./customer-portal:
> org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./customer-portal:
> java.lang.NoClassDefFoundError:
> org/keycloak/adapters/KeycloakDeploymentBuilder
> at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> ...
> ```
>
> which I can then get from somewhere else....I'll chase it eventually.
>
> What I'm trying to do is have an example that pulls down all its own
> dependencies so that students don't have to get the keycloak-overlay or
> do anything other than have Maven available to them.
>
> Again, I appreciate that this isn't how you'd normally go about running
> Keycloak and I appreciate your help with this.
>
> --
> Dr Aidan Delaney
> Principal Lecturer
> Computing, Engineering & Maths
> University of Brighton
>
> @aidandelaney
>

From michael_furman at hotmail.com Tue Dec 13 06:17:02 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Tue, 13 Dec 2016 11:17:02 +0000 Subject: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. In-Reply-To: Message-ID:

Hi,

Important clarification: The HTTPS handshake is by Apache httpd server that is also reverse proxy for Tomcat. Tomcat is located on the same ip. SpringSecurity RP is deployed in Tomcat.

Best regards

On Dec 13, 2016 12:44 PM, Michael Furman wrote:

Example 2: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTP

Example 3: SpringSecurity adapter RP is over HTTP (the client configuration in IDP configured also HTTP) IDP is over HTTP

BTW, Example 1: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTPS

________________________________ From: Sebastien Blanc Sent: Tuesday, December 13, 2016 12:23 PM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.

What is the difference between your example 2 and example 3 ?

On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman > wrote: Hi all, I try to access from SpringSecurity adapter over HTTPS without success.
When I try to access to IDP over HTTPS the redirect_uri is replaced to localhost: https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid Then I get this error in UI: WE'RE SORRY ... Invalid parameter: redirect_uri Similar, when I try to access to IDP over HTTP, the redirect_uri is replaced to localhost: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid Same error in UI: WE'RE SORRY ... Invalid parameter: redirect_uri Only if I access from SpringSecurity adapter over HTTP the redirect_uri has correct value and it works: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid Finally I can see the login page. What wrong in my configurations? Any help will be appreciated. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Tue Dec 13 06:17:36 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 13 Dec 2016 12:17:36 +0100 Subject: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. In-Reply-To: References: Message-ID: And I assume you are setting ssl-required in the keycloak.json ? 
On Tue, Dec 13, 2016 at 11:44 AM, Michael Furman wrote: > Example 2: > > SpringSecurity adapter RP is over HTTPS (the client configuration in IDP > configured also HTTPS) > > IDP is over HTTP > > > > Example 3: > > SpringSecurity adapter RP is over HTTP (the client configuration in IDP > configured also HTTP) > > IDP is over HTTP > > > > BTW, > > Example 1: > > SpringSecurity adapter RP is over HTTPS (the client configuration in IDP > configured also HTTPS) > > IDP is over HTTPS > > > > ------------------------------ > *From:* Sebastien Blanc > *Sent:* Tuesday, December 13, 2016 12:23 PM > *To:* Michael Furman > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP > from SpringSecurity adapter over HTTPS. > > What is the difference between your example 2 and example 3 ? > > On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman < > michael_furman at hotmail.com> wrote: > >> Hi all, >> I try to access from SpringSecurity adapter over HTTPS without success. >> When I try to access to IDP over HTTPS the redirect_uri is replaced to >> localhost: >> >> https://192.168.110.2:8443/auth/realms/master/protocol/openi >> d-connect/auth?response_type=code&client_id=testclient& >> redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp% >> 2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084 >> &login=true&scope=openid >> >> Then I get this error in UI: >> WE'RE SORRY ... >> Invalid parameter: redirect_uri >> >> Similar, when I try to access to IDP over HTTP, the redirect_uri is >> replaced to localhost: >> http://192.168.110.2:9080/auth/realms/master/protocol/openid >> -connect/auth?response_type=code&client_id=testclient& >> redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp% >> 2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99 >> &login=true&scope=openid >> >> Same error in UI: >> WE'RE SORRY ... 
>> Invalid parameter: redirect_uri >> >> Only if I access from SpringSecurity adapter over HTTP the redirect_uri >> has correct value and it works: >> http://192.168.110.2:9080/auth/realms/master/protocol/openid >> -connect/auth?response_type=code&client_id=testclient& >> redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso% >> 2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479& >> login=true&scope=openid >> >> Finally I can see the login page. >> What wrong in my configurations? >> Any help will be appreciated. >> Best regards, >> Michael >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sblanc at redhat.com Tue Dec 13 06:31:34 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 13 Dec 2016 12:31:34 +0100 Subject: [keycloak-user] How to configure what claim will be used as the user name in SpringSecurity adapter? In-Reply-To: References: Message-ID: Isn't this already the case ? If you go to your client settings and look at the mappers you can see that username has the token claim name "preferred_username" On Tue, Dec 13, 2016 at 11:56 AM, Michael Furman wrote: > Hi all, > I want to configure the claim preferred_username will be used as the user > name after SpringSecurity adapter authentication. > How can I configure it? > Any help will be appreciated. > Best regards, > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From michael_furman at hotmail.com Tue Dec 13 07:13:12 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Tue, 13 Dec 2016 12:13:12 +0000 Subject: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. 
In-Reply-To: References: , Message-ID: HI Sebastien, The problem is not related to HTTPS but to the reverse proxy When I access to SpringSecurity adapter RP over HTTP but behind the Apache HTTPD reverse proxy (the client configuration in IDP configured also HTTP) the redirect_uri is replaced to localhost: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid Then, I get the error WE'RE SORRY ... Invalid parameter: redirect_uri What should I configure to allow to work with proxy? Any help will be appreciated. Best regards, Michael ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman Sent: Tuesday, December 13, 2016 1:17 PM To: Sebastien Blanc Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. Hi, Important clarification: The HTTPS handshake is by Apache httpd server that is also reverse proxy for Tomcat. Tomcat is located on the same ip. SpringSecurity RP is deployed in Tomcat. Best regards On Dec 13, 2016 12:44 PM, Michael Furman wrote: Example 2: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTP Example 3: SpringSecurity adapter RP is over HTTP (the client configuration in IDP configured also HTTP) IDP is over HTTP BTW, Example 1: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTPS ________________________________ From: Sebastien Blanc Sent: Tuesday, December 13, 2016 12:23 PM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. What is the difference between your example 2 and example 3 ? 
On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman > wrote: Hi all, I try to access from SpringSecurity adapter over HTTPS without success. When I try to access the IDP over HTTPS the redirect_uri is replaced with localhost: https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid Then I get this error in UI: WE'RE SORRY ... Invalid parameter: redirect_uri Similarly, when I try to access the IDP over HTTP, the redirect_uri is replaced with localhost: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid Same error in UI: WE'RE SORRY ... Invalid parameter: redirect_uri Only if I access from the SpringSecurity adapter over HTTP does the redirect_uri have the correct value and it works: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid Finally I can see the login page. What is wrong in my configurations? Any help will be appreciated. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From rjvduijn at gmail.com Tue Dec 13 07:35:04 2016 From: rjvduijn at gmail.com (Richard van Duijn) Date: Tue, 13 Dec 2016 12:35:04 +0000 Subject: [keycloak-user] Keycloak adapter with policies returns bad request In-Reply-To: <9d368281-dd22-43a5-a216-254524e8e269@getmailbird.com> References: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com> <9d368281-dd22-43a5-a216-254524e8e269@getmailbird.com> Message-ID:

Thank you for clarifying that! Much appreciated!

I'm progressing with my adapter. Using the Photoz example I can login and authorize requests going to the photoz-restful-api (which in my case is my play application). But one resource refuses to load for non-admin users. Namely the /album/create resource returns an Unauthorized. I will try to elaborate on what I am currently doing. Hopefully someone can point me to the error.

1. The javascript frontend application calls the /photoz-rest-api/album/create resource using a post with the bearerToken received from the login.
2. Then my PlayFramework controller Action is intercepted and the bearerToken is verified using the AdapterRSATokenVerifier.verifyToken() method.
3. If successful the KeycloakAdapterPolicyEnforcer is used to authorize my request using the photoz policies.
4. This returns 401 in case of the user Alice, and is accepted in case of Admin.

What I do not understand is that the Policy Evaluator in the admin console results in a PERMIT in case of Alice accessing the album resource with scope 'Create'. But the KeycloakAdapterPolicyEnforcer tells me Alice is Unauthorized. Am I missing a vital point in the process?
The entitlements I have for Alice are the following (which clearly states the user is allowed to create on the album resource):

```json
{
  "jti": "6fa19f41-f720-4285-965f-e4373544346c",
  "exp": 1481632355,
  "nbf": 0,
  "iat": 1481632055,
  "iss": "http://127.0.0.1:8080/auth/realms/photoz",
  "aud": "photoz-html5-client",
  "sub": "85e9868e-262e-4290-8a23-93f8392cffd7",
  "typ": "Bearer",
  "azp": "photoz-html5-client",
  "nonce": "55b16f6b-5af9-40de-871e-ab8712bd1f57",
  "auth_time": 1481631352,
  "session_state": "73453cd9-01df-4124-a9ca-585352c0e040",
  "name": "Alice In Chains",
  "given_name": "Alice",
  "family_name": "In Chains",
  "preferred_username": "alice",
  "email": "alice at keycloak.org",
  "acr": "0",
  "client_session": "2e16eade-c3a2-40ae-b766-3bac6b89d4d4",
  "allowed-origins": [
    "*"
  ],
  "realm_access": {
    "roles": [
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {
    "photoz-restful-api": {
      "roles": [
        "manage-albums"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "urn:photoz.com:scopes:album:view",
          "urn:photoz.com:scopes:album:create"
        ],
        "resource_set_id": "71996b0c-48c1-44c9-8fda-d0ba46b451b7",
        "resource_set_name": "Album Resource"
      },
      {
        "scopes": [
          "urn:photoz.com:scopes:profile:view"
        ],
        "resource_set_id": "0236b990-40dd-4bf3-9a49-25bc3bc6273c",
        "resource_set_name": "User Profile Resource"
      }
    ]
  }
}
```

/Richard

On Thu, 8 Dec 2016 at 21:11, Pedro Igor wrote:

Yeah, I missed that part too :) Clients marked as bearer-only are not allowed to access the token endpoint. However, you can still use bearer-only in your keycloak.json (adapter config) to indicate that only requests with a bearer token are allowed to access your resource server (backend-client). Regards.
Pedro Igor

On 12/8/2016 5:46:25 PM, Richard van Duijn wrote:

Pedro, I've imported the json file myself and I was able to fetch the AT with postman and things work now. The only difference I see in the server configuration is that I had configured the backend-client with Access-Type 'Bearer-only', which (after the import) is now 'Confidential'.. In my perception I had to configure the backend-client with a bearer-only access-type as it does not do any logins, just as the 'bearer-only:true' flag in the adapter config json. Am I mistaken here? Well at least I can continue now, but still this seems a bit odd to me. Thank you again for your great help! It is much appreciated!

/Richard

On Thu, 8 Dec 2016 at 13:49, Richard van Duijn wrote:

You've got me confused as well.. haha No I'm not reaching the lines using the policyEnforcer. The error occurs earlier in the process. Could you perhaps explain what you send in the postman request. What is put in the request is the following:

requestHeaders.put("Authorization", BasicAuthHelper.createHeader(Configuration.this.clientId, secret));

with the clientId being: backend-client and the secret being: 6ce718ad-2ab1-42ff-bf01-35a03eab3aee resulting in the header:

Authorization : Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl

Other than that I do not have any clues what is wrong. The AT request is generated during startup of my backend server. So I do not yet have any frontend rest calls containing a bearerToken coming in. My assumption is that I can initialize the keycloakDeployment once for my entire application and then use it for each call coming in. Am I correct? My guess now is that this assumption is wrong.

/Richard

On Thu, 8 Dec 2016 at 13:05, Pedro Igor wrote:

On 12/8/2016 7:06:44 AM, Richard van Duijn wrote:

Hi Pedro, Thank you for the reply. First I'll answer your questions, then I'll clarify my setup a bit more. Please find attached my realm config file as well.
- The realm name was a typo. In the meantime I've reconfigured my realm to ensure the '.' char was not messing up. Turned out not to be the case.
- I'm not able to retrieve an AT from keycloak for the backend-client (which is set to bearer-only). With the given Postman request I just get the 400 bad request error and accompanying message.

*Pedro Igor:* I was able to get an AT after importing your realm and sending the same postman request. Now I'm confused :) The client is backend-client, correct ?

- I've followed the getting started guide up to securing the jboss servlet. I've stopped there as I wanted to use a keycloak distribution in combination with a PlayFramework application (for which there is no adapter available yet). I've followed the steps from this post to get the bearerToken approach working. Using the AdapterRSATokenVerifier class I was able to verify the bearerToken received from the javascript frontend. What I basically have is a filter that intercepts the frontend requests, picks up the bearerToken and checks its validity. If valid the resource is accessible otherwise the user receives an error. The next step was to include policies in the setup. Setting up the adapter for the playFramework was a bit difficult as there is no real documentation on that subject, only example implementations like the ones for spring security and jetty. But before getting to the complex logic I've added the policy-enforcer: {} line in the keycloak.json config file for the backend-client. This json is then loaded and used in KeycloakDeploymentBuilder.build(keycloakConfig). This is the point where it fails, as the config contains the policy-enforcer line, the PolicyEnforcer class is initialized, which in turn attempts to retrieve the AT from keycloak. Is there some flaw in my reasoning?

1. The javascript frontend authenticates itself using the keycloak.js adapter. It adds the accessToken to the Authorization header for the rest-client to pick up
2. The rest client (my backend-client) verifies the bearerToken using the AdapterRSATokenVerifier
3. Then the rest client checks the authorization using the following lines of code:

```java
final PolicyEnforcer policyEnforcer = keycloakDeployment.getPolicyEnforcer();
BearerTokenPolicyEnforcer bearerTokenPolicyEnforcer = new BearerTokenPolicyEnforcer(policyEnforcer);
final AuthorizationContext authorizationContext = bearerTokenPolicyEnforcer.authorize(facade);
```

*Pedro Igor:* It looks correct. Although it seems you are not even reaching the line above where permissions are actually enforced. Besides, make sure you have all bearer token validations in place based on other adapters we have. You are almost there. You just need to figure out why you can't obtain an AT from the server even if using postman, curl, etc. I think that if you solve this, you will get everything working (or hit some new issue after this one :)).

Hope this clarifies it a bit. I've attached my realm configuration json file. By the way I'm using keycloak 2.4.0-Final. Many many thanks for your help! If this approach is valid I'm happy to contribute my code to the community for others to work with.

/Richard

On Thu, 8 Dec 2016 at 01:13, Pedro Igor wrote:

Hi Richard, In your first message, it seems the token endpoint is http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here you are using a realm "local.development". In your last message with the postman request, you are using a token endpoint like this /auth/realms/development/protocol/openid-connect/token. Where the realm is "development", the same you have used in keycloak.json. Would that be a misconfiguration or just a typo ? Besides, what happens when you send that postman request to the server ? Are you able to get an AT ? This is pretty much what the enforcer does during initialization, obtain an AT before querying the Protection API for protected resources. And is what your stack trace shows.
If you are not able to obtain a token using the postman request, it probably means you have something wrong with your realm/client configuration on the server.

Last question, are you able to run any of our authorization examples ? Or even successfully follow our Getting Started guide ?

Thanks.
Pedro Igor

On 12/7/2016 12:05:10 PM, Richard van Duijn wrote:

Forgot to include the postman request.. here it is:

POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
Host: 127.0.0.1:8080
Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

/Richard

Op wo 7 dec. 2016 om 15:00 schreef Richard van Duijn :

Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up.

Besides that I've done some debugging using Postman as well. Using the following request I get the message:

{
  "error": "invalid_client",
  "error_description": "Bearer-only not allowed"
}

This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client. Hope this helps to clarify it for you.

My keycloak.json configuration file looks like this:

{
  "realm": "development",
  "bearer-only": true,
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "ssl-required": "external",
  "resource": "backend-client",
  "use-resource-role-mappings": true,
  "credentials": {
    "secret": "SECRETHERE"
  },
  "policy-enforcer": {}
}

Hope this helps to clarify some of your questions.

/Richard

Op wo 7 dec. 2016 om 12:47 schreef Pedro Igor :

Do you get anything in server logs ? It may be related to invalid client credentials.

On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:

I'm creating a POC application using playframework and angular.
The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application. Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies on for the rest services by adding "policy-enforcer": { }, I get a 400 Bad Request response from the Keycloak server during initialization. After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following keycloak server endpoint: http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token

Below you will find the stacktrace and request and response objects. Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is.

Many many thanks!

/Richard

*Stacktrace*:
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
... many google guice calls ...
at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129) at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121) *Request object*: builder = {RequestBuilder at 12557} method = "POST" charset = {UTF_8 at 12563} "UTF-8" version = null uri = {URI at 12564} " http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token " headergroup = {HeaderGroup at 12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]" entity = null parameters = {LinkedList at 12566} size = 1 0 = {BasicNameValuePair at 12576} "grant_type=client_credentials" config = null *Response object*: HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780 response = {$Proxy16 at 12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780" h = {CloseableHttpResponseProxy at 12583} original = {BasicHttpResponse at 12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780" statusline = {BasicStatusLine at 12556} "HTTP/1.1 400 Bad Request" ver = {HttpVersion at 12586} "HTTP/1.1" code = 400 reasonPhrase = "Bad Request" entity = {BasicManagedEntity at 12555} reasonCatalog = {EnglishReasonPhraseCatalog at 12588} locale = {Locale at 12589} "en_US" headergroup = {HeaderGroup at 12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, 
Date: Tue, 06 Dec 2016 12:24:28 GMT]" params = {ClientParamsStack at 12591}
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Tue Dec 13 08:16:53 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 13 Dec 2016 14:16:53 +0100 Subject: [keycloak-user] Spring boot + keycloak In-Reply-To: References: Message-ID:

I still cannot reproduce it, could you file a jira ticket please ?

On Tue, Dec 13, 2016 at 8:47 AM, Ondra Pala wrote:

> Wildfly in version:2.0.10.Final
>
> 2016-12-12 17:12 GMT+01:00 Sebastien Blanc :
>
>> Do you maybe have a simple project that you can share with us on github
>> (your modified version of https://github.com/foo4u/keycloak-spring-demo
>> for instance) ?
>>
>> And can you also say which version of Wildfly you are using ?
>>
>> On Mon, Dec 12, 2016 at 3:48 PM, Ondra Pala wrote:
>>
>>> War in Wildfly ...
>>>
>>> 2016-12-12 15:45 GMT+01:00 Sebastien Blanc :
>>>
>>>> Are you running your Spring Boot app standalone or do you deploy a war
>>>> in Wildfly/EAP ?
>>>>
>>>> On Mon, Dec 12, 2016 at 3:43 PM, Ondra Pala wrote:
>>>>
>>>>> Thanks, you are right, but now I get exception:
>>>>>
>>>>> There was an unexpected error (type=Internal Server Error, status=500).
>>>>> loader constraint violation in interface itable initialization: when
>>>>> resolving method "org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade.getRequest()Lorg/keycloak/adapters/spi/HttpFacade$Request;"
>>>>> the class loader (instance of org/jboss/modules/ModuleClassLoader) of the current class,
>>>>> org/keycloak/adapters/springsecurity/facade/SimpleHttpFacade, and the
>>>>> class loader (instance of org/jboss/modules/ModuleClassLoader) for
>>>>> interface org/keycloak/adapters/spi/HttpFacade have different Class
>>>>> objects for the type org/keycloak/adapters/spi/HttpFacade$Request
>>>>> used in the signature
>>>>>
>>>>> 2016-12-12 13:54 GMT+01:00 Sebastien Blanc :
>>>>>
>>>>>> But have you moved your keycloak config to application.properties
>>>>>> instead of using keycloak.json ? If you want to keep the keycloak.json,
>>>>>> just remove the SpringBoot Keycloak adapter dependency and it should be
>>>>>> also good.
>>>>>>
>>>>>> On Mon, Dec 12, 2016 at 12:38 PM, Ondra Pala wrote:
>>>>>>
>>>>>>> My pom.xml file looks like:
>>>>>>>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.springframework.boot</groupId>
>>>>>>>     <artifactId>spring-boot-starter-thymeleaf</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.springframework.boot</groupId>
>>>>>>>     <artifactId>spring-boot-devtools</artifactId>
>>>>>>>     <optional>true</optional>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.springframework.boot</groupId>
>>>>>>>     <artifactId>spring-boot-starter-tomcat</artifactId>
>>>>>>>     <scope>provided</scope>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.springframework.boot</groupId>
>>>>>>>     <artifactId>spring-boot-starter-security</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.springframework.boot</groupId>
>>>>>>>     <artifactId>spring-boot-starter-actuator</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.springframework.security</groupId>
>>>>>>>     <artifactId>spring-security-ldap</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.apache.directory.server</groupId>
>>>>>>>     <artifactId>apacheds-server-jndi</artifactId>
>>>>>>>     <version>${apacheds.version}</version>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.slf4j</groupId>
>>>>>>>     <artifactId>log4j-over-slf4j</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.slf4j</groupId>
>>>>>>>     <artifactId>jul-to-slf4j</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.slf4j</groupId>
>>>>>>>     <artifactId>jcl-over-slf4j</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.slf4j</groupId>
>>>>>>>     <artifactId>slf4j-api</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.springframework</groupId>
>>>>>>>     <artifactId>spring-web</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>com.fasterxml.jackson.core</groupId>
>>>>>>>     <artifactId>jackson-databind</artifactId>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.keycloak</groupId>
>>>>>>>     <artifactId>keycloak-spring-security-adapter</artifactId>
>>>>>>>     <version>2.4.0.Final</version>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.keycloak</groupId>
>>>>>>>     <artifactId>keycloak-spring-boot-adapter</artifactId>
>>>>>>>     <version>2.4.0.Final</version>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.keycloak</groupId>
>>>>>>>     <artifactId>keycloak-tomcat8-adapter</artifactId>
>>>>>>>     <version>2.4.0.Final</version>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>net.rossillo.mvc.cache</groupId>
>>>>>>>     <artifactId>spring-mvc-cache-control</artifactId>
>>>>>>>     <version>1.1.1-RELEASE</version>
>>>>>>> </dependency>
>>>>>>> <dependency>
>>>>>>>     <groupId>org.keycloak</groupId>
>>>>>>>     <artifactId>keycloak-common</artifactId>
>>>>>>>     <version>2.4.0.Final</version>
>>>>>>> </dependency>
>>>>>>>
>>>>>>> I add KeycloakConfigResolver bean from org.keycloak.adapters but I
>>>>>>> still get the same exception.
>>>>>>>
>>>>>>> Thanks very much for your answer.
>>>>>>>
>>>>>>> Ondra
>>>>>>>
>>>>>>> 2016-12-12 12:17 GMT+01:00 Ondra Pala :
>>>>>>>
>>>>>>>> Hello, thanks for your answer. Do you mean
>>>>>>>> remove keycloak-spring-boot-adapter?
>>>>>>>>
>>>>>>>> 2016-12-12 10:54 GMT+01:00 Sebastien Blanc :
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>> Did you also add the SpringBoot Keycloak Adapter ? In this case
>>>>>>>>> it will look for the configuration in application.properties but on the
>>>>>>>>> other side the Spring Security won't work, so you have 2 options :
>>>>>>>>> - Remove the SpringBoot adapter
>>>>>>>>> - Or tell the SpringSecurity it has to use the SpringBoot Config resolver.
>>>>>>>>> Add this in your SecurityConfig class :
>>>>>>>>>
>>>>>>>>> @Bean
>>>>>>>>> public KeycloakConfigResolver KeycloakConfigResolver(){
>>>>>>>>>     return new KeycloakSpringBootConfigResolver();
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> FYI We have a ticket to make this integration seamless
>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-4054?filter=12329075
>>>>>>>>>
>>>>>>>>> On Mon, Dec 12, 2016 at 10:46 AM, Ondra Pala wrote:
>>>>>>>>>
>>>>>>>>>> Hello, we use this example: https://github.com/foo4u/keycloak-spring-demo
>>>>>>>>>> (for Spring boot and Keycloak)
>>>>>>>>>>
>>>>>>>>>> I have a keycloak.json file (the realm in this file exists) in my
>>>>>>>>>> WEB-INF folder, but when I run my application, I get exception:
>>>>>>>>>>
>>>>>>>>>> java.lang.RuntimeException: Must set 'realm' in config
>>>>>>>>>>
>>>>>>>>>> Full stack of this exception:
>>>>>>>>>>
>>>>>>>>>> java.lang.RuntimeException: Must set 'realm' in config
>>>>>>>>>> at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:53) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
>>>>>>>>>> at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
>>>>>>>>>> at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-2.4.0.Final.jar:2.4.0.Final]
>>>>>>>>>> at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
>>>>>>>>>> at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
>>>>>>>>>> at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final]
>>>>>>>>>> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:183) ~[keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final]
>>>>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101]
>>>>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101]
>>>>>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.5.jar:8.5.5]
>>>>>>>>>> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
>>>>>>>>>>
>>>>>>>>>> Our configuration of security looks like:
>>>>>>>>>>
>>>>>>>>>> /**
>>>>>>>>>>  * Application security configuration.
>>>>>>>>>>  *
>>>>>>>>>>  * @author Scott Rossillo
>>>>>>>>>>  */
>>>>>>>>>> @Configuration
>>>>>>>>>> @EnableWebSecurity
>>>>>>>>>> @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
>>>>>>>>>> public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
>>>>>>>>>> {
>>>>>>>>>>
>>>>>>>>>>     @Autowired
>>>>>>>>>>     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>>>>>>>>>>         auth.authenticationProvider(keycloakAuthenticationProvider());
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     @Autowired
>>>>>>>>>>     public KeycloakClientRequestFactory keycloakClientRequestFactory;
>>>>>>>>>>
>>>>>>>>>>     @Bean
>>>>>>>>>>     public CacheControlHandlerInterceptor cacheControlHandlerInterceptor() {
>>>>>>>>>>         return new CacheControlHandlerInterceptor();
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     @Bean
>>>>>>>>>>     public FilterRegistrationBean keycloakAuthenticationProcessingFilterRegistrationBean(
>>>>>>>>>>             KeycloakAuthenticationProcessingFilter filter) {
>>>>>>>>>>         FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
>>>>>>>>>>         registrationBean.setEnabled(false);
>>>>>>>>>>         return registrationBean;
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     @Bean
>>>>>>>>>>     public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
>>>>>>>>>>             KeycloakPreAuthActionsFilter filter) {
>>>>>>>>>>         FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
>>>>>>>>>>         registrationBean.setEnabled(false);
>>>>>>>>>>         return registrationBean;
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     @Bean
>>>>>>>>>>     @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
>>>>>>>>>>     public KeycloakRestTemplate keycloakRestTemplate() {
>>>>>>>>>>         return new KeycloakRestTemplate(keycloakClientRequestFactory);
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     @Bean
>>>>>>>>>>     @Override
>>>>>>>>>>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>>>>>>>>>>         return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     @Override
>>>>>>>>>>     protected void configure(HttpSecurity http) throws Exception {
>>>>>>>>>>         System.out.println("config");
>>>>>>>>>>         super.configure(http);
>>>>>>>>>>         http
>>>>>>>>>>             .authorizeRequests()
>>>>>>>>>>             .antMatchers("/*").denyAll();
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Can you please tell me where the mistake could be.
>>>>>>>>>>
>>>>>>>>>> Thanks for your answer and time.
>>>>>>>>>>
>>>>>>>>>> Ondrej Pala
>>>>>>>>>> _______________________________________________
>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Dec 13 08:17:29 2016 From: psilva at redhat.com (Pedro Igor) Date: Tue, 13 Dec 2016 11:17:29 -0200 Subject: [keycloak-user] Keycloak adapter with policies returns bad request In-Reply-To: References: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com> <9d368281-dd22-43a5-a216-254524e8e269@getmailbird.com> Message-ID: <04fc1cf1-243b-42ed-b631-62b9b582c9f6@getmailbird.com>

It could be related to your policy-enforcer config in keycloak.json. There you can associate a scope with a specific HTTP method for a given path, maybe this is causing the 401.

If you have everything set correctly, the only thing we can do is debug and check what is happening. I don't think this smells like a bug because the same scenario works with our tests + photoz app example. But better debug your play adapter and see what may be causing this, to make sure.

On 12/13/2016 10:35:21 AM, Richard van Duijn wrote:

Thank you for clarifying that! Much appreciated!

I'm progressing with my adapter. Using the Photoz example I can login and authorize requests going to the photoz-restful-api (which in my case is my play application). But one resource refuses to load for non-admin users. Namely the /album/create resource returns an Unauthorized. I will try to elaborate on what I am currently doing. Hopefully someone can point me to the error.

* The javascript frontend application calls the /photoz-rest-api/album/create resource using a post with the bearerToken received from the login.
* Then my PlayFramework controller Action is intercepted and the bearerToken is verified using the AdapterRSATokenVerifier.verifyToken() method.
* If successful the KeycloakAdapterPolicyEnforcer is used to authorize my request using the photoz policies.
* This returns 401 in case of the user Alice, and is accepted in case of Admin.

What I do not understand is that the Policy Evaluator in the admin console results in a PERMIT in case of Alice accessing the album resource with scope 'Create'. But the KeycloakAdapterPolicyEnforcer tells Alice is Unauthorized. Am I missing a vital point in the process?

The entitlements I have for Alice are the following (which clearly state the user is allowed to create on the album resource):

{
  "jti": "6fa19f41-f720-4285-965f-e4373544346c",
  "exp": 1481632355,
  "nbf": 0,
  "iat": 1481632055,
  "iss": "http://127.0.0.1:8080/auth/realms/photoz",
  "aud": "photoz-html5-client",
  "sub": "85e9868e-262e-4290-8a23-93f8392cffd7",
  "typ": "Bearer",
  "azp": "photoz-html5-client",
  "nonce": "55b16f6b-5af9-40de-871e-ab8712bd1f57",
  "auth_time": 1481631352,
  "session_state": "73453cd9-01df-4124-a9ca-585352c0e040",
  "name": "Alice In Chains",
  "given_name": "Alice",
  "family_name": "In Chains",
  "preferred_username": "alice",
  "email": "alice at keycloak.org",
  "acr": "0",
  "client_session": "2e16eade-c3a2-40ae-b766-3bac6b89d4d4",
  "allowed-origins": [
    "*"
  ],
  "realm_access": {
    "roles": [
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {
    "photoz-restful-api": {
      "roles": [
        "manage-albums"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "urn:photoz.com:scopes:album:view",
          "urn:photoz.com:scopes:album:create"
        ],
        "resource_set_id": "71996b0c-48c1-44c9-8fda-d0ba46b451b7",
        "resource_set_name": "Album Resource"
      },
      {
        "scopes": [
          "urn:photoz.com:scopes:profile:view"
        ],
        "resource_set_id": "0236b990-40dd-4bf3-9a49-25bc3bc6273c",
        "resource_set_name": "User Profile Resource"
      }
    ]
  }
}

/Richard

Op do 8 dec. 2016 om 21:11 schreef Pedro Igor :

Yeah, I missed that part too :) Clients marked as bearer-only are not allowed to access the token endpoint. However, you can still use bearer-only in your keycloak.json (adapter config) to indicate that only requests with a bearer token are allowed to access your resource server (backend-client).

Regards.
Pedro Igor

On 12/8/2016 5:46:25 PM, Richard van Duijn wrote:

Pedro,

I've imported the json file myself and I was able to fetch the AT with postman and things work now. The only difference I see in the server configuration is that I had configured the backend-client with Access-Type 'Bearer-only', which (after the import) is now 'Confidential'.. In my perception I had to configure the backend-client with a bearer-only access-type as it does not do any logins, just as the 'bearer-only:true' flag in the adapter config json. Am I mistaken here? Well, at least I can continue now, but still this seems a bit odd to me.

Thank you again for your great help! It is much appreciated!

/Richard

Op do 8 dec. 2016 om 13:49 schreef Richard van Duijn :

You've got me confused as well.. haha. No, I'm not reaching the lines using the policyEnforcer. The error occurs earlier in the process. Could you perhaps explain what you send in the postman request. What is put in the request is the following:

requestHeaders.put("Authorization", BasicAuthHelper.createHeader(Configuration.this.clientId, secret));

with the clientId being: backend-client and the secret being: 6ce718ad-2ab1-42ff-bf01-35a03eab3aee, resulting in the header:

Authorization : Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl

Other than that I do not have any clues what is wrong. The AT request is generated during startup of my backend server. So I do not yet have any frontend rest calls containing a bearerToken coming in.
My assumption is that I can initialize the keycloakDeployment once for my entire application and then use it for each call coming in. Am I correct? My guess now is that this assumption is wrong.

/Richard

From rjvduijn at gmail.com Tue Dec 13 08:35:33 2016 From: rjvduijn at gmail.com (Richard van Duijn) Date: Tue, 13 Dec 2016 13:35:33 +0000 Subject: [keycloak-user] Keycloak adapter with policies returns bad request In-Reply-To: <04fc1cf1-243b-42ed-b631-62b9b582c9f6@getmailbird.com> References: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com> <9d368281-dd22-43a5-a216-254524e8e269@getmailbird.com> <04fc1cf1-243b-42ed-b631-62b9b582c9f6@getmailbird.com> Message-ID:

Ok, thanks. That did the trick. I was under the assumption that if left blank, the policy-enforcer would be correctly configured from keycloak itself. But I now understand we need to specify more specific resource actions in this keycloak.json file.
Other quick question: Why is it that when fetching all entitlements from the frontend javascript with the call:

this.authorization.entitlement('photoz-restful-api').then(function(rpt) {
    console.log('Entitlements loaded...%o', JSON.stringify(jwt_decode(rpt), null, ' '));
});

succeeds, and doing the same call from the backend using the configured Authz client as in the AuthorizationClientExample.java I get a Bad Request response from keycloak.

private static void obtainAllEntitlements() {
    // create a new instance based on the configuration defined in keycloak-authz.json
    AuthzClient authzClient = AuthzClient.create();

    // obtain an Entitlement API Token in order to get access to the Entitlement API.
    // this token is just an access token issued to a client on behalf of a user with a scope kc_entitlement
    String eat = getEntitlementAPIToken(authzClient);

    // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
    EntitlementResponse response = authzClient.entitlement(eat).getAll("hello-world-authz-service");
    String rpt = response.getRpt();

    System.out.println("You got a RPT: " + rpt);

    // now you can use the RPT to access protected resources on the resource server
}

Is this configuration as well?
Thanks!

On Tue, 13 Dec 2016 at 14:17, Pedro Igor wrote:
> It could be related with your policy-enforcer config in keycloak.json. There you can associate a scope with a specific HTTP method for a given path, maybe this is causing the 401.
>
> If you have everything set correctly, the only thing we can do is debug and check what is happening. I don't think this smells like a bug because the same scenario works with our tests + photoz app example. But better debug your play adapter and see what may be causing this, to make sure.
>
> On 12/13/2016 10:35:21 AM, Richard van Duijn wrote:
> Thank you for clarifying that! Much appreciated!
> I'm progressing with my adapter.
> Using the Photoz example I can login and authorize requests going to the photoz-restful-api (which in my case is my play application).
> But one resource refuses to load for non-admin users. Namely the /album/create resource returns an Unauthorized. I will try to elaborate on what I am currently doing. Hopefully someone can point me to the error.
>
> 1. The javascript frontend application calls the /photoz-rest-api/album/create resource using a post with the bearerToken received from the login.
> 2. Then my PlayFramework controller Action is intercepted and the bearerToken is verified using the AdapterRSATokenVerifier.verifyToken() method.
> 3. If successful the KeycloakAdapterPolicyEnforcer is used to authorize my request using the photoz policies.
> 4. This returns 401 in case of the user Alice, and is accepted in case of Admin.
>
> What I do not understand is that the Policy Evaluator in the admin console results in a PERMIT in case of Alice accessing the album resource with scope 'Create'. But the KeycloakAdapterPolicyEnforcer tells Alice is Unauthorized. Am I missing a vital point in the process?
>
> The entitlements I have for Alice are the following (which clearly states the user is allowed to create on the album resource):
> {
>   "jti": "6fa19f41-f720-4285-965f-e4373544346c",
>   "exp": 1481632355,
>   "nbf": 0,
>   "iat": 1481632055,
>   "iss": "http://127.0.0.1:8080/auth/realms/photoz",
>   "aud": "photoz-html5-client",
>   "sub": "85e9868e-262e-4290-8a23-93f8392cffd7",
>   "typ": "Bearer",
>   "azp": "photoz-html5-client",
>   "nonce": "55b16f6b-5af9-40de-871e-ab8712bd1f57",
>   "auth_time": 1481631352,
>   "session_state": "73453cd9-01df-4124-a9ca-585352c0e040",
>   "name": "Alice In Chains",
>   "given_name": "Alice",
>   "family_name": "In Chains",
>   "preferred_username": "alice",
>   "email": "alice at keycloak.org",
>   "acr": "0",
>   "client_session": "2e16eade-c3a2-40ae-b766-3bac6b89d4d4",
>   "allowed-origins": [
>     "*"
>   ],
>   "realm_access": {
>     "roles": [
>       "uma_authorization",
>       "user"
>     ]
>   },
>   "resource_access": {
>     "photoz-restful-api": {
>       "roles": [
>         "manage-albums"
>       ]
>     }
>   },
>   "authorization": {
>     "permissions": [
>       {
>         "scopes": [
>           "urn:photoz.com:scopes:album:view",
>           "urn:photoz.com:scopes:album:create"
>         ],
>         "resource_set_id": "71996b0c-48c1-44c9-8fda-d0ba46b451b7",
>         "resource_set_name": "Album Resource"
>       },
>       {
>         "scopes": [
>           "urn:photoz.com:scopes:profile:view"
>         ],
>         "resource_set_id": "0236b990-40dd-4bf3-9a49-25bc3bc6273c",
>         "resource_set_name": "User Profile Resource"
>       }
>     ]
>   }
> }
>
> /Richard
>
> On Thu, 8 Dec 2016 at 21:11, Pedro Igor wrote:
>
> Yeah, I missed that part too :)
>
> Clients marked as bearer-only are not allowed to access the token endpoint. However, you can still use bearer-only in your keycloak.json (adapter config) to indicate that only requests with a bearer token are allowed to access your resource server (backend-client).
>
> Regards.
> Pedro Igor
>
> On 12/8/2016 5:46:25 PM, Richard van Duijn wrote:
> Pedro,
> I've imported the json file myself and I was able to fetch the AT with postman and things work now. The only difference I see in the server configuration is that I had configured the backend-client with Access-Type 'Bearer-only', which (after the import) is now 'Confidential'..
>
> In my perception I had to configure the backend-client with a bearer-only access-type as it does do any logins just as the 'bearer-only:true' flag in the adapter config json.
> Am I mistaken here?
> Well at least I can continue now. But still this seems a bit odd to me.
> Thank you again for your great help! It is much appreciated!
> /Richard
>
> On Thu, 8 Dec 2016 at 13:49, Richard van Duijn wrote:
>
> You've got me confused as well.. haha
>
> No I'm not reaching the lines using the policyEnforcer. The error occurs earlier in the process.
>
> Could you perhaps explain what you send in the postman request.
> What is put in the request is the following:
>
> requestHeaders.put("Authorization", BasicAuthHelper.createHeader(Configuration.this.clientId, secret));
> with the clientId being: backend-client and the secret being: 6ce718ad-2ab1-42ff-bf01-35a03eab3aee
> resulting in the header: Authorization : Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
>
> Other than that I do not have any clues what is wrong.
>
> The AT request is generated during startup of my backend server. So I do not yet have any frontend rest calls containing a bearerToken coming in. My assumption is that I can initialize the keycloakDeployment once for my entire application and then use it for each call coming in. Am I correct? My guess now is that this assumption is wrong.
>
> /Richard
>
> On Thu, 8 Dec 2016 at 13:05, Pedro Igor wrote:
>
> On 12/8/2016 7:06:44 AM, Richard van Duijn wrote:
> Hi Pedro,
> Thank you for the reply.
>
> First I'll answer your questions, then I'll clarify my setup a bit more.
> Please find attached my realm config file as well.
>
> - The realm name was a typo. In the meantime I've reconfigured my realm to ensure the '.' char was not messing up. Turned out not to be the case.
> - I'm not able to retrieve an AT from keycloak for the backend-client (which is set to bearer-only). With the given Postman request I just get the 400 bad request error and accompanying message.
>
> Pedro Igor: I was able to get an AT after importing your realm and sending the same postman request. Now I'm confused :) The client is backend-client, correct ?
>
> - I've followed the getting started guide up to securing the jboss servlet. I've stopped there as I wanted to use a keycloak distribution in combination with a PlayFramework application (for which there is no adapter available yet).
>
> I've followed the steps from this post to get the bearerToken approach working. Using the AdapterRSATokenVerifier class I was able to verify the bearerToken received from the javascript frontend. What I basically have is a filter that intercepts the frontend requests, picks up the bearerToken and checks its validity. If valid the resource is accessible otherwise the user receives an error.
>
> The next step was to include policies in the setup. Setting up the adapter for the playFramework was a bit difficult as there is no real documentation on that subject, only example implementations like the ones for spring security and jetty. But before getting to the complex logic I've added the policy-enforcer: {} line in the keycloak.json config file for the backend-client. This json is then loaded and used in KeycloakDeploymentBuilder.build(keycloakConfig). This is the point where it fails, as the config contains the policy-enforcer line, the PolicyEnforcer class is initialized, which in turn attempts to retrieve the AT from keycloak.
>
> Is there some flaw in my reasoning?
>
> 1. The javascript frontend authenticates itself using the keycloak.js adapter. It adds the accessToken to the Authorization header for the rest-client to pick up
> 2. The rest client (my backend-client) verifies the bearerToken using the AdapterRSATokenVerifier
> 3. Then the rest client checks the authorization using the following lines of code:
>
> final PolicyEnforcer policyEnforcer = keycloakDeployment.getPolicyEnforcer();
> BearerTokenPolicyEnforcer bearerTokenPolicyEnforcer = new BearerTokenPolicyEnforcer(policyEnforcer);
> final AuthorizationContext authorizationContext = bearerTokenPolicyEnforcer.authorize(facade);
>
> Pedro Igor: It looks correct. Although it seems you are not even reaching the line above where permissions are actually enforced. Besides, make sure you have all bearer token validations in place based on other adapters we have.
>
> You are almost there. You just need to figure out why you can't obtain an AT from the server even if using postman, curl, etc. I think that if you solve this, you will get everything working (or hit some new issue after this one :)).
>
> Hope this clarifies it a bit. I've attached my realm configuration json file. By the way I'm using keycloak 2.4.0-Final.
> Many many thanks for your help!
>
> If this approach is valid I'm happy to contribute my code to the community for others to work with.
> /Richard
>
> On Thu, 8 Dec 2016 at 01:13, Pedro Igor wrote:
>
> Hi Richard,
>
> In your first message, it seems the token endpoint is http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here you are using a realm "local.development".
>
> In your last message with the postman request, you are using a token endpoint like this /auth/realms/development/protocol/openid-connect/token. Where the realm is "development", the same you have used in keycloak.json.
>
> Would that be a misconfiguration or just a typo ?
>
> Besides, what happens when you send that postman request to the server ? Are you able to get an AT ?
>
> This is pretty much what the enforcer does during initialization, obtain an AT before querying the Protection API for protected resources. And is what your stack trace shows.
>
> If you are not able to obtain a token using the postman request, it probably means you have something wrong with your realm/client configuration on the server.
>
> Last question, are you able to run any of our authorization examples ? Or even successfully follow our Getting Started guide ?
>
> Thanks.
> Pedro Igor
>
> On 12/7/2016 12:05:10 PM, Richard van Duijn wrote:
> Forgot to include the postman request.. here it is:
>
> POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
> Host: 127.0.0.1:8080
> Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
> Cache-Control: no-cache
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=client_credentials
>
> /Richard
>
> On Wed, 7 Dec 2016 at 15:00, Richard van Duijn wrote:
>
> Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up.
>
> Besides that I've done some debugging using Postman as well. Using the following request I get the message:
> {
>   "error": "invalid_client",
>   "error_description": "Bearer-only not allowed"
> }
>
> This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client.
>
> Hope this helps to clarify it for you.
> My keycloak.json configuration file looks like this:
>
> {
>   "realm": "development",
>   "bearer-only": true,
>   "auth-server-url": "http://127.0.0.1:8080/auth",
>   "ssl-required": "external",
>   "resource": "backend-client",
>   "use-resource-role-mappings": true,
>   "credentials": {
>     "secret": "SECRETHERE"
>   },
>   "policy-enforcer": {}
> }
>
> Hope this helps to clarify some of your questions.
> /Richard
>
> On Wed, 7 Dec 2016 at 12:47, Pedro Igor wrote:
>
> Do you get anything in server logs ? It may be related with invalid client credentials.
>
> On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:
> I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application.
>
> Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies by adding "policy-enforcer": { } on for the rest services, I get a 400 Bad Request response from the Keycloak server during initialization.
> After some debugging I noticed it had to do with the initialization of the PolicyEnforcer which attempts to call the following server keycloak endpoint:
>
> http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token
>
> Below you will find the stacktrace and request and response objects.
> Hope someone can point me in the right direction. For instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is.
> Many many thanks!
> /Richard
>
> Stacktrace:
>
> at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
> at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
> at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
> at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
> at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
> at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
> at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
> at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
> at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
> ... many google guice calls ...
> at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
> at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)
>
> Request object:
>
> builder = {RequestBuilder at 12557}
> method = "POST"
> charset = {UTF_8 at 12563} "UTF-8"
> version = null
> uri = {URI at 12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"
> headergroup = {HeaderGroup at 12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
> entity = null
> parameters = {LinkedList at 12566} size = 1
> 0 = {BasicNameValuePair at 12576} "grant_type=client_credentials"
> config = null
>
> Response object:
>
> HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780
> response = {$Proxy16 at 12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780"
> h = {CloseableHttpResponseProxy at 12583}
> original = {BasicHttpResponse at 12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity at 1f8d1780"
> statusline = {BasicStatusLine at 12556} "HTTP/1.1 400 Bad Request"
> ver = {HttpVersion at 12586} "HTTP/1.1"
> code = 400
> reasonPhrase = "Bad Request"
> entity = {BasicManagedEntity at 12555}
> reasonCatalog = {EnglishReasonPhraseCatalog at 12588}
> locale = {Locale at 12589} "en_US"
> headergroup = {HeaderGroup at 12590} "[Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"
> params = {ClientParamsStack at 12591}

From michael_furman at hotmail.com Tue Dec 13 08:36:25 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 13 Dec 2016 13:36:25 +0000
Subject: [keycloak-user] How to configure what claim will be used as the user name in SpringSecurity adapter?
In-Reply-To:
References:
Message-ID:

Works perfect! Thanks!

________________________________
From: Sebastien Blanc
Sent: Tuesday, December 13, 2016 2:48 PM
To: Michael Furman
Subject: Re: [keycloak-user] How to configure what claim will be used as the user name in SpringSecurity adapter?

Ok I found the answer in older thread on this list (thx Thomas ;) ) : try adding:
"principal-attribute": "preferred_username"
to your keycloak.json.
On Tue, Dec 13, 2016 at 1:33 PM, Michael Furman wrote:
Hi Sebastien,
It is correct, the client settings mapper on IDP maps the username to the token claim name "preferred_username".
But after the SpringSecurity adapter authentication the SpringSecurity holds KeycloakAuthenticationToken while its principal name is equal to the claim with the name "sub" (its value is like e9cd6db8-378f-445e-8c83-265d439e3381).
What should I do on the SpringSecurity adapter side to allow to take the value from the claim "preferred_username"?
Any help will be appreciated.
Best regards,
Michael

________________________________
From: Sebastien Blanc
Sent: Tuesday, December 13, 2016 1:31 PM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to configure what claim will be used as the user name in SpringSecurity adapter?

Isn't this already the case ? If you go to your client settings and look at the mappers you can see that username has the token claim name "preferred_username"

On Tue, Dec 13, 2016 at 11:56 AM, Michael Furman wrote:
Hi all,
I want to configure that the claim preferred_username will be used as the user name after SpringSecurity adapter authentication.
How can I configure it?
Any help will be appreciated.
Best regards,
Michael

From lists at merit.unu.edu Tue Dec 13 08:42:12 2016
From: lists at merit.unu.edu (lists)
Date: Tue, 13 Dec 2016 14:42:12 +0100
Subject: [keycloak-user] chrome on windows
Message-ID: <397e3095-c4a3-4c27-92de-97c56b65d569@merit.unu.edu>

Hi,

Somehow, when using keycloak SAML auth on our application, chrome on windows is presenting us a basic http popup logon window.
In that case, the URL looks like:
> https://keycloak.company.com/auth/realms/testrealm/protocol/saml?SAMLRequest=fVHJbsIwEP2VyPfEOCk0sUgkIKVC6oJK1UMvlZWYYsmxU8%2B4y9%2FXCUKiPXB9M2%2FeMnMQne...
We have to cancel that popup, to end up in the regular keycloak login page.
The URL then becomes:
> https://keycloak.company.com/auth/realms/testrealm/login-actions/authenticate?code=lmCA9w6F-KuQAefH1Iq5mDpBznYOjP2JE3ZnooeL9Uc.e01284fe-0ad4-4efb-8314-f...

Since this only happens on chrome on windows, I thought that this perhaps was a kerberos-auth going wrong. So I disabled kerberos, but it keeps happening.

Using other browsers, we end up in the regular second /login-actions/ logon screen straight away.

The chrome popup is also NOT usable: if we provide a valid username/password, we will NOT become authenticated, but we end up in the "WE'RE SORRY... Unexpected error when handling authentication request to identity provider."

Can anyone explain this? (keycloak 2.3.0)

MJ

From bruno at abstractj.org Tue Dec 13 09:41:34 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 13 Dec 2016 12:41:34 -0200
Subject: [keycloak-user] Export
In-Reply-To:
References: <20161208113504.GE17975@abstractj.org>
Message-ID: <20161213144134.GB13218@abstractj.org>

That's odd, I could not reproduce your issue. What I did was:

- Export: bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=myrealm.json
- Import: bin/standalone.sh -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=myrealm.json

I'm attaching my json file to make sure we're talking about the same thing.

On 2016-12-08, Brian Schwartz wrote:
> The command I ran to get the error is below. Before that, I downloaded a fresh copy of keycloak 2.4.0.final standalone, started it up, and entered my configuration. I have one realm other than the master. It used identity brokering oidc 1.0. I have one simple public oidc client.
>
> On Dec 8, 2016 5:35 AM, "Bruno Oliveira" wrote:
>
> > Hi Brian, do you have the steps to reproduce the issue? I never had such problem.
> >
> > On 2016-12-07, Brian Schwartz wrote:
> > > Is the keycloak export functionality broken since the last couple of versions?
> > >
> > > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/export-import.html
> > >
> > > I run this command:
> > >
> > > ./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=demokeycloak.json
> > >
> > > I get this error:
> > >
> > > 14:00:33,664 INFO [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 48) Exporting model into file /Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
> > > 14:00:34,163 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
> > > 14:00:34,222 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
> > > 14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
> > > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > > at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> > > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > > at java.lang.Thread.run(Thread.java:745)
> > > at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> > > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
> > > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
> > > at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
> > > at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
> > > at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
> > > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
> > > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> > > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> > > at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> > > at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> > > at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
> > > at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
> > > at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
> > > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> > > at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> > > ... 6 more
> > > Caused by: java.lang.NullPointerException
> > > at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:431)
> > > at org.keycloak.models.utils.ModelToRepresentation$2.compare(ModelToRepresentation.java:428)
> > > at java.util.TimSort.countRunAndMakeAscending(TimSort.java:356)
> > > at java.util.TimSort.sort(TimSort.java:220)
> > > at java.util.Arrays.sort(Arrays.java:1512)
> > > at java.util.ArrayList.sort(ArrayList.java:1454)
> > > at java.util.Collections.sort(Collections.java:175)
> > > at org.keycloak.models.utils.ModelToRepresentation.exportAuthenticationFlows(ModelToRepresentation.java:428)
> > > at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:372)
> > > at org.keycloak.exportimport.util.ExportUtils.exportRealm(ExportUtils.java:87)
> > > at org.keycloak.exportimport.singlefile.SingleFileExportProvider$1.runExportImportTask(SingleFileExportProvider.java:65)
> > > at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
> > > at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:236)
> > > at org.keycloak.exportimport.singlefile.SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
> > > at org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:102)
> > > at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:149)
> > > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> > > at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> > > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> > > at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> > > at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
> > > ... 19 more
> > >
> > > This has not worked for me since version 2.1.0.
> > > I'm currently using version 2.4.0.Final.
> > >
> > > Thanks
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914

--
abstractj
PGP: 0x84DC9914

From mposolda at redhat.com Tue Dec 13 15:20:53 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Dec 2016 21:20:53 +0100
Subject: [keycloak-user] Keycloak 2.3.0 Logout on multiple war's
In-Reply-To:
References:
Message-ID: <5b872502-f931-29ac-7ab1-2ab7b8b33d4c@redhat.com>

On 13/12/16 09:26, Jeroen Koek wrote:
> Hi,
>
> I have deployed multiple wars on jboss eap 6.4.
> The wars are running on different urls and are using the same keycloak client ('Athlon').
>
> If I'm logged in I'm able to navigate to the different applications and seamlessly start a java session; I see multiple JSESSIONIDs.
>
> If I logout on one of the wars (session logout) I'm still able to access the other applications to my surprise; e.g. the SSO is not working.
>
> I have configured the admin url to the root of the applications server ("/") where I have one of the applications running.
> However the adapter is not invalidating all other sessions (for the other applications); I can still navigate to one of the other applications ("/app" for instance).
>
> I have now created a for loop where I'm logging out all applications manually (/logout).
>
> My mind is telling me that I'm doing something completely wrong.
>
> Am I right?
Yes, seems that your mind is correct :)

It is supposed that every WAR will have its own Keycloak client. Then single-sign-out will work as expected. Because for example when you have application "war1" on context "/war1" and "war2" on context "/war2", the Keycloak needs to be able to send single-sign-out request to both those URLs. With all the WARs and single Keycloak client, this can't work.

Take a look at our examples and especially the most basic "demo" example.

Marek

>
> Regards,
>
> Jeroen.

From mposolda at redhat.com Tue Dec 13 15:23:28 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Dec 2016 21:23:28 +0100
Subject: [keycloak-user] chrome on windows
In-Reply-To: <397e3095-c4a3-4c27-92de-97c56b65d569@merit.unu.edu>
References: <397e3095-c4a3-4c27-92de-97c56b65d569@merit.unu.edu>
Message-ID:

On 13/12/16 14:42, lists wrote:
> Hi,
>
> Somehow, when using keycloak SAML auth on our application, chrome on windows is presenting us a basic http popup logon window.
> In that case, the URL looks like:
>> https://keycloak.company.com/auth/realms/testrealm/protocol/saml?SAMLRequest=fVHJbsIwEP2VyPfEOCk0sUgkIKVC6oJK1UMvlZWYYsmxU8%2B4y9%2FXCUKiPXB9M2%2FeMnMQne...
> We have to cancel that popup, to end up in the regular keycloak login page.
> The URL then becomes: >> https://keycloak.company.com/auth/realms/testrealm/login-actions/authenticate?code=lmCA9w6F-KuQAefH1Iq5mDpBznYOjP2JE3ZnooeL9Uc.e01284fe-0ad4-4efb-8314-f... > Since this only happens on chrome on windows, I thought that this > perhaps was a kerberos-auth going wrong. So i disabled kerberos, but it > keeps happening. Depends what exactly means "I disabled kerberos" ? Did you switch the SPNEGO authenticator in the "Browser" authenticationFlow of your realm to DISABLED? Marek > > Using other browsers, we end up in the regular second /login-actions/ > logon screen straight away. > > The chrome popup is also NOT useable: if we provide a valid > username/password, we will NOT become authenticated, but we end up in > the "WE'RE SORRY... Unexpected error when handling authentication > request to identity provider." > > Can anyone explain this? (keycloak 2.3.0) > > MJ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From chris.savory at edlogics.com Tue Dec 13 15:43:54 2016 From: chris.savory at edlogics.com (Chris Savory) Date: Tue, 13 Dec 2016 20:43:54 +0000 Subject: [keycloak-user] Keycloak Memory Settings Message-ID: <03DA883C-6719-482F-A433-86D23BD91319@edlogics.com> We are using RH SSO 7.0 and I am performing a loadtest for our site. Currently I?m stuck at going above 200 virtual users because keycloak gets to slow at that point and the long running login threads on our site begin to bog down the rest of the site functions. Currently we are using SSO Standalone, and are planning to run in cluster mode as soon as we upgrade to 7.0.2 because of the cluster bug. https://access.redhat.com/solutions/2427361 While our operations guys are working on getting the cluster functionality working, I wanted to verify the memory settings on our standalone instance are optimized and that there wasn?t something we could do there as well. 
Here are the current startup settings.

JAVA_OPTS: -server -verbose:gc -Xloggc:"/opt/eap/standalone/log/gc.log" -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.logmanager,jdk.nashorn.api -Djava.awt.headless=true -Xbootclasspath/p:/opt/eap/jboss-modules.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.0.3.Final-redhat-1.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/javax.json-1.0.4.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/jboss-logmanager-ext-1.0.0.Alpha2-redhat-1.jar -Djava.util.logging.manager=org.jboss.logmanager.LogManager -javaagent:/opt/eap/jolokia.jar=port=8778,protocol=https,caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,clientPrincipal=cn=system:master-proxy,useSslClientAuthentication=true,extraClientCheck=true,host=0.0.0.0,discoveryEnabled=false -Djava.security.egd=file:/dev/./urandom

I'm not sure where all these settings came from as the guy that set it up is no longer here.

We are running SSO inside a docker container inside of OpenShift

OpenShift Master: v1.2.1
Kubernetes Master: v1.2.0-36-g4a3f9c5

--
Christopher Savory
Software Engineer | EdLogics

From RLaghuvaram at contractor.lb.com Tue Dec 13 16:55:42 2016
From: RLaghuvaram at contractor.lb.com (Laghuvaram, Raghu)
Date: Tue, 13 Dec 2016 21:55:42 +0000
Subject: [keycloak-user] Direct link to registration with Java ServletFilter Adapter

I am looking for a direct link to registration from my application. I am using Java Servlet Filter Adapter with Cookie tokenstore; is that even achievable?

Thanks,
Raghu

________________________________
Notice: This communication may contain privileged and/or confidential information. If you are not the intended recipient, please notify the sender by email, and immediately delete the message and any attachments without copying or disclosing them. LB may, for any reason, intercept, access, use, and disclose any information that is communicated by or through, or which is stored on, its networks, applications, services, and devices.

From java at neposoft.com Tue Dec 13 17:51:13 2016
From: java at neposoft.com (java_os)
Date: Tue, 13 Dec 2016 17:51:13 -0500
Subject: [keycloak-user] Spring sec - roles - how?

Hi All,

I put up this question a while back and now I'm back to it since there was no answer, this time with some hope.

I have this SPA (keycloak.js) calling into a REST API bearer-protected by KC - all good. I use KC brokering, so on the IdP side is ADFS. The user logs in against the IdP, where ADFS is configured with a claim that acts as a role. On the SPA I can map out that claim from the token.

The REST API is protected by KC Spring Security. I want (and this is what I do not know) to configure Spring Security to react when the call is made to a specific REST endpoint and the user does not have a specific role (returning 401). How can I do this the Spring Security way - how can I configure Spring Security to check at runtime the user's role for a specific endpoint and deny access to the resource?

The big unknown to me is: how does the KC client role (which is some static config) relate to the runtime user's role coming from the IdP?

Has anyone done this? I'm sure this is a common use case. Whoever knows this, please share.

Thank you and appreciate it.

From michael_furman at hotmail.com Tue Dec 13 23:08:31 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 14 Dec 2016 04:08:31 +0000
Subject: [keycloak-user] Confirmation that all requests to keycloak starting with "auth"

Hi,

We try to create a reverse proxy for the IDP and we will be happy for the confirmation that all requests to the keycloak IDP start with "auth".
Best regards,
Michael

From sthorger at redhat.com Wed Dec 14 00:27:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:27:31 +0100
Subject: [keycloak-user] Confirmation that all requests to keycloak starting with "auth"

Yes, as long as you don't change the context path for Keycloak (it's configurable in standalone.xml).

On 14 December 2016 at 05:08, Michael Furman wrote:
> Hi,
>
> We try to create a reverse proxy for the IDP and we will be happy for the confirmation that all requests to the keycloak IDP start with "auth".
>
> Best regards,
>
> Michael

From sthorger at redhat.com Wed Dec 14 00:30:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:30:55 +0100
Subject: [keycloak-user] Keycloak Memory Settings
In-Reply-To: <03DA883C-6719-482F-A433-86D23BD91319@edlogics.com>
References: <03DA883C-6719-482F-A433-86D23BD91319@edlogics.com>

For RH-SSO it would be better to raise a support ticket rather than asking here.

On 13 December 2016 at 21:43, Chris Savory wrote:
> We are using RH SSO 7.0 and I am performing a loadtest for our site. Currently I'm stuck at going above 200 virtual users because keycloak gets too slow at that point and the long running login threads on our site begin to bog down the rest of the site functions.
>
> Currently we are using SSO Standalone, and are planning to run in cluster mode as soon as we upgrade to 7.0.2 because of the cluster bug.
> https://access.redhat.com/solutions/2427361
>
> While our operations guys are working on getting the cluster functionality working, I wanted to verify the memory settings on our standalone instance are optimized and that there wasn't something we could do there as well.
>
> Here are the current startup settings.
>
> JAVA_OPTS: -server -verbose:gc -Xloggc:"/opt/eap/standalone/log/gc.log" -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.logmanager,jdk.nashorn.api -Djava.awt.headless=true -Xbootclasspath/p:/opt/eap/jboss-modules.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.0.3.Final-redhat-1.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/javax.json-1.0.4.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/jboss-logmanager-ext-1.0.0.Alpha2-redhat-1.jar -Djava.util.logging.manager=org.jboss.logmanager.LogManager -javaagent:/opt/eap/jolokia.jar=port=8778,protocol=https,caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,clientPrincipal=cn=system:master-proxy,useSslClientAuthentication=true,extraClientCheck=true,host=0.0.0.0,discoveryEnabled=false -Djava.security.egd=file:/dev/./urandom
>
> I'm not sure where all these settings came from as the guy that set it up is no longer here.
>
> We are running SSO inside a docker container inside of OpenShift
>
> OpenShift Master: v1.2.1
> Kubernetes Master: v1.2.0-36-g4a3f9c5
>
> --
> Christopher Savory
> Software Engineer | EdLogics

From sthorger at redhat.com Wed Dec 14 00:32:48 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:32:48 +0100
Subject: [keycloak-user] Considering removing Mongo support

You can't go wrong with Oracle (other than price obviously) and PostgreSQL is a good database as well.
That's my 2 cents at least, but then again I'm not a db guru ;)

On 3 December 2016 at 10:09, Byte Flinger wrote:
> Does that mean that the only supported backends would be SQL databases? I have recently started to look into Keycloak and I was thinking that Mongodb support was nice for scalability as it can be sharded, something SQL dbs cannot. Wouldn't that mean giving up on scalability for large deployments?
>
> Are there plans to support any other more scalable type of database such as Cassandra?
>
> On Fri, 2 Dec 2016, 11:30 Stian Thorgersen, wrote:
>
>> All,
>>
>> We are considering removing Mongo support from Keycloak in 3.x. The reasons behind it are that there are a fair few issues in the current implementation, especially around consistency due to lack of transaction support in Mongo and often we update multiple documents. In many cases we rely on transactions to rollback to prevent partial updates, but this obviously doesn't work in Mongo.
>>
>> With the fact that Mongo is already partially broken and the constant maintenance involved we're considering removing it and rather focus purely on the relational database back-end.
>>
>> Another point to make is that we are not considering supporting Mongo in the supported version of Keycloak (Red Hat Single Sign-On). So we are never able to provide the same level of care and attention to it as we can for relational databases.
>>
>> If we do decide to remove it we would make sure we provide a seamless and easy option to migrate from Mongo to a relational database!
>>
>> I would like to gather some feedback from the community before doing anything. So please vote on the following Doodle:
>>
>> http://doodle.com/poll/nnimebpkx774ppus
>>
>> Also, comments to this thread are more than welcome!
>>
>> I'll end with a comment - Time spent by core developers on maintaining Mongo could be better spent on awesome new features, testing and bug fixing!

From sthorger at redhat.com Wed Dec 14 00:38:03 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:38:03 +0100
Subject: [keycloak-user] Setting the 'Credentials - Temporary' flag on when creating a new user causes the user to be disabled in MSAD/LDAP(?)
In-Reply-To: <69CC0F70-911C-41A9-B4F0-EF1A61D91D6A@info.nl>
References: <69CC0F70-911C-41A9-B4F0-EF1A61D91D6A@info.nl>

Seems like a bug to me - can you create a JIRA please?

On 2 December 2016 at 09:04, Edgar Vonk - Info.nl wrote:
> hi,
>
> Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the following behaviour:
>
> 1/ create a new user in Keycloak from the Keycloak admin UI
> 2/ set a password in the Credentials tab and leave the 'Temporary' flag set to on
> 3/ if you look in Active Directory (we use an LDAP provider with MSAD account controls) the user's userAccountControl attribute is now set to 546. This means: 'Disabled, Password Not Required'
> 4/ when the user attempts to log in she gets an error message saying that the account is inactive; also the 'User Enabled' flag in Keycloak now suddenly changes from enabled to disabled
>
> This is the process we used to follow in Keycloak 2.0.0.Final to create users but it stopped working in 2.3.0.Final.
>
> After having spent quite some time tracking the issue down we found out that it was the 'Temporary' flag in the Credentials tab that causes this issue. When we set this flag to false (i.e. not a temporary password) we see that in AD the userAccountControl attribute is set to its normal value 512 as we would expect. Now the user can log in normally.
>
> Is this a bug introduced after 2.0.0.Final or a desired change in behaviour? I could not find a JIRA issue regarding this change.
>
> PS: we are confused about the 'Temporary' flag in any case. Exactly what is it meant for? The fact that a user needs to change her password on first login does not seem to be controlled by this flag in any case but rather by the Required User Action with value 'Change password'?
>
> cheers,
>
> Edgar

From sthorger at redhat.com Wed Dec 14 00:39:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:39:55 +0100
Subject: [keycloak-user] Hard code redirect_uri on timeout?

Pretty sure that's not possible at the moment. Maybe you could do it with a servlet filter?

On 2 December 2016 at 12:08, Joe Rowe wrote:
> Hi,
>
> I am working on a jsf application which uses Keycloak for authorisation and am having an issue regarding session timeouts. Specifically, when a user's session times out Keycloak captures the uri they were visiting at timeout and redirects back to it upon the user logging back in from the timeout.
>
> This causes an issue in which session scoped backing beans holding view data are empty, and on some pages this can cause exceptions.
>
> Is it possible to modify the redirect uri configuration to disregard the page the user was on and instead always redirect to the index of the application any time the user's session is interrupted?
>
> I have tried various options in the realm and client settings but without luck, and have not found a similar question in the archives.
>
> Many thanks,
> Joe

From sthorger at redhat.com Wed Dec 14 00:42:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:42:01 +0100
Subject: [keycloak-user] Clarification regarding authentication flows

Browser flow is used for redirect based flow (regular oauth) while direct grant flow is used for resource owner credential grant flow.

On 2 December 2016 at 19:01, Michael Furman wrote:
> Hi Matt,
>
> The authentication flows are configured here:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
>
> I guess that when I access the REST API the request uses the Browser flow but I will be happy for the confirmation.
>
> In addition, when I access this API http://localhost:8080/auth/realms/master/protocol/openid-connect/token
> what flow is used?
> The browser flow?
> The Direct Grant Flow?
>
> Regards,
> Michael
>
> ________________________________
> From: Matt H
> Sent: Friday, December 2, 2016 6:16 PM
> To: Michael Furman; keycloak-user at lists.jboss.org
> Subject: Re: Clarification regarding authentication flows
>
> I'm not following exactly. Where are you setting/changing the flows?
>
> This REST API is to make changes in Keycloak like you would do through the UI. If that is what you want to do, you would make a POST like the example shows with the required entries in the form.
>
> By default, the realm Master is there and so is the client_id admin-cli. The only thing that should change in their example is the username and password. For this you use the same username and password you would access the Admin UI with.
>
> If that all worked, you would receive an access token back to make those admin calls.
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
> Sent: Friday, December 2, 2016 9:13 AM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Clarification regarding authentication flows
>
> Can anybody help?
>
> Regards,
> Michael
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
> Sent: Thursday, December 1, 2016 9:26 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Clarification regarding authentication flows
>
> Hi,
> What type of authentication flow is used for the realm REST API authentication?
> The browser flow?
> What type of authentication flow is used to obtain the access token?
> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/admin-rest-api.html
> The Direct Grant Flow?
> Regards,
> Michael
From sthorger at redhat.com Wed Dec 14 00:44:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:44:06 +0100
Subject: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)

This is not required for reverse proxy and would also prevent the ability to have multiple endpoints for the same server. If the reverse proxy and Keycloak are configured correctly it will use the correct URL as seen by the reverse proxy.

On 5 December 2016 at 10:14, Andrey Saroul wrote:
> That's exactly the feature which I've been looking for.
> That will solve our problem with reverse proxy.
> I definitely vote for this feature to be implemented!
>
> 2016-12-05 11:57 GMT+03:00 Michael Furman:
>
>> Dear Keycloak people,
>>
>> Please find below the suggestion that will allow the easiest integration of Keycloak behind an HTTPS reverse proxy.
>>
>> I suggest adding to the Keycloak configuration a new property - the client URL.
>>
>> Then, Keycloak will use the property when generating tokens or metadata (instead of relying on the incoming HTTP request).
>>
>> This will allow using Keycloak over HTTP and using SSL only in the reverse proxy.
>>
>> An additional suggestion will allow configuring Keycloak to work behind a Reverse Proxy with Network Address Translation (NAT) (I have asked the question here http://lists.jboss.org/pipermail/keycloak-user/2016-November/008454.html).
>>
>> I suggest adding to the Keycloak configuration an additional new property - the internal client URL.
>>
>> Then Keycloak will use the property in org.keycloak.protocol.oidc.OIDCWellKnownProvider and will create the well-known configuration with internal and external IPs.
>>
>> Clients will use the well-known configuration and will be able to connect to Keycloak without any problems.
>>
>> What do you say about the suggestions?
>>
>> If you think it is good I will be happy to implement and test it during our integration with Keycloak.
>>
>> Best regards,
>>
>> Michael
>>
>> ------------------------------
>> *From:* keycloak-user-bounces at lists.jboss.org on behalf of Gabriel Lavoie <glavoie at gmail.com>
>> *Sent:* Wednesday, November 30, 2016 6:33 PM
>> *To:* Andrey Saroul
>> *Cc:* keycloak-user
>> *Subject:* Re: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
>>
>> Hi Andrew,
>> The answer is "it depends". When generating tokens or metadata, Keycloak uses the scheme://hostname:port/ that was used to access it to fill the different issuers/URLs. The same values must match in the client JSON file so the client can validate the source of the token.
>>
>> At the client level, this could be handled by having a custom translation step over the configuration that accepts both schemes and matches it to the issuer, not something that Keycloak seems to support natively last time I checked.
>>
>> Doing SSO through multiple aliases always has this sort of issues. This is usually something that should be avoided. Can you keep Keycloak HTTPS and your application HTTP in your internal network?
>>
>> Gabriel
>>
>> 2016-11-25 8:08 GMT-05:00 Andrey Saroul:
>>
>> > We have an idea to isolate our application in our internal network so that all communication in that network can go by HTTP.
>> > So we've set up a public nginx server, which is responsible for establishing https connections.
>> > The public nginx server forwards requests to another nginx server in the secured internal network, which in turn accesses Keycloak and WildFly by HTTP.
>> > But this configuration is not working because of an invalid redirect issue.
>> > In our client's json file we have to define auth-server-url with the HTTPS scheme. When we try to specify HTTP, Keycloak no longer works.
>> > So my question: is it possible to make things work by HTTP in the internal private network and have HTTPS only remain for public access?
>> > Any guidance will be appreciated.
>>
>> --
>> Gabriel Lavoie
>> glavoie at gmail.com
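The issuer/URL mismatch Gabriel and Stian describe above, as an added example that is neither the thread's nor Keycloak's own code: it models how the externally visible base URL (and so the token issuer) is derived with and without proxy forwarding, and checks it against a client's auth-server-url. The X-Forwarded-* header names, the trusted-proxy check, the default-port rule and all hosts and addresses are assumptions made for the example.

```python
"""Added example, not code from the thread or from Keycloak: how the OIDC
issuer follows the URL the server believes it was reached on, and why an
adapter configured with an https auth-server-url rejects tokens that were
issued under the internal http URL.

Assumptions (mine, not the thread's): the server honours the conventional
X-Forwarded-Proto/Host/Port headers only when proxy forwarding is enabled
and only for requests arriving from a trusted proxy address; when the proxy
reports a scheme but no port, the scheme's default port is used. Keycloak's
real behaviour comes from Undertow's proxy-address-forwarding setting.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """Minimal model of an inbound HTTP request as the server sees it."""
    scheme: str                     # scheme of the hop that reached the server
    host: str                       # Host header, without port
    port: int                       # local port the request arrived on
    remote_addr: str                # peer address: the proxy when proxied
    headers: Dict[str, str] = field(default_factory=dict)


def external_base_url(req: Request, proxy_forwarding: bool,
                      trusted_proxies: Set[str]) -> str:
    """Return scheme://host[:port] as the server believes the client sees it.

    Forwarded headers are honoured only when forwarding is enabled AND the
    request came from a known proxy; otherwise any caller could spoof them
    and steer the issuer, redirect and form-action URLs to a host of their
    choosing.
    """
    scheme, host, port = req.scheme, req.host, req.port
    if proxy_forwarding and req.remote_addr in trusted_proxies:
        if "X-Forwarded-Proto" in req.headers:
            scheme = req.headers["X-Forwarded-Proto"].lower()
            port = DEFAULT_PORTS.get(scheme, port)   # assumed default-port rule
        fwd_host = req.headers.get("X-Forwarded-Host")
        if fwd_host:
            host, _, fwd_port = fwd_host.partition(":")
            if fwd_port:
                port = int(fwd_port)
        if "X-Forwarded-Port" in req.headers:
            port = int(req.headers["X-Forwarded-Port"])
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def issuer(base_url: str, realm: str, context_path: str = "/auth") -> str:
    """Issuer written into tokens: <base>/auth/realms/<realm> (/auth is the
    default context path, as discussed earlier on this page)."""
    return f"{base_url}{context_path}/realms/{realm}"


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Issuer an adapter expects, derived from auth-server-url in keycloak.json."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def token_accepted(token_iss: str, auth_server_url: str, realm: str) -> bool:
    """Adapter-side check: iss must equal the configured issuer byte for byte,
    so http versus https (or a different host) is a mismatch."""
    return token_iss == expected_issuer(auth_server_url, realm)


def scenario() -> Dict[str, bool]:
    """Constructed scenario from the thread: public nginx terminates TLS for
    sso.example.com, the internal hop reaches Keycloak over plain HTTP on port
    8080. All names and addresses are made up for the example."""
    proxy_ip = "10.0.0.5"                          # the internal nginx (constructed)
    client_cfg = "https://sso.example.com/auth"    # auth-server-url in keycloak.json
    via_proxy = Request(
        scheme="http", host="keycloak-internal", port=8080, remote_addr=proxy_ip,
        headers={"X-Forwarded-Proto": "https", "X-Forwarded-Host": "sso.example.com"})
    results = {}
    for label, forwarding in (("forwarding_off", False), ("forwarding_on", True)):
        base = external_base_url(via_proxy, forwarding, {proxy_ip})
        results[label] = token_accepted(issuer(base, "demo"), client_cfg, "demo")
    # A caller that bypasses the proxy and sends forwarded headers of its own
    # must not be able to change the URL the server advertises.
    direct = Request(
        scheme="http", host="keycloak-internal", port=8080, remote_addr="203.0.113.9",
        headers={"X-Forwarded-Proto": "https", "X-Forwarded-Host": "spoofed.example"})
    results["forged_headers_ignored"] = (
        external_base_url(direct, True, {proxy_ip}) == "http://keycloak-internal:8080")
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

With forwarding off the token carries iss http://keycloak-internal:8080/auth/realms/demo and the https-configured client rejects it; with forwarding on (and only from the trusted proxy) the issuer becomes https://sso.example.com/auth/realms/demo and validation succeeds.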
From sthorger at redhat.com Wed Dec 14 00:46:42 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:46:42 +0100
Subject: [keycloak-user] Login multiple times

I'd say it's a limitation, but something we can probably improve on in 3.x as we're planning to create a separate login session that is used during authentication. This would be backed by a cookie that would make sure the current flow would be shared across multiple tabs.

Could you create a JIRA enhancement request for this please?

On 6 December 2016 at 11:35, Dan Österberg wrote:
> Hi,
>
> It's possible (and sometimes likely) to have multiple browser tabs or windows showing the login screen for the same realm. This could for example happen after working with different systems in different tabs, and then timing out the whole SSO session. If the user then logs in from both / all tabs, then the last login will seemingly win and destroy all the other sessions (rather than all of them contributing to the same session). This implies that the other tabs will not have a valid session, and e.g. fetching a new access token will fail.
>
> Is this a bug, a limitation, or is it intentional? And what's the recommended approach for dealing with this issue?
>
> ~Dan

From sthorger at redhat.com Wed Dec 14 00:47:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:47:51 +0100
Subject: [keycloak-user] ServletFilter Adapter Cookie Token Store

Cookie token store is supported by the regular adapters, but not the servlet filter afaik

On 6 December 2016 at 17:11, Laghuvaram, Raghu <RLaghuvaram at contractor.lb.com> wrote:
> I see that cookie token-store would not be supported until 2.x as per the comments in https://issues.jboss.org/browse/KEYCLOAK-2662. Is it fixed in any of the recent versions? It seems like it's not working in 2.3.0 Final.
>
> Thanks,
> Raghu

From sthorger at redhat.com Wed Dec 14 00:49:32 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:49:32 +0100
Subject: [keycloak-user] login form action wrong protocol
In-Reply-To: <94c3dc2b-f607-864c-8589-bfef101f9baf@ulise.de>
References: <94c3dc2b-f607-864c-8589-bfef101f9baf@ulise.de>

Check out https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html, specifically "Enable HTTPS/SSL with a Reverse Proxy"; it covers this.

On 6 December 2016 at 20:41, Uli SE wrote:
>
> Hi,
>
> I'm setting up a new keycloak 2.3.0. It's behind an apache proxy which terminates ssl.
>
> My only problem is that in the login-form the action has the wrong protocol (http instead of https). It has the correct hostname, and my apache is forwarding all necessary headers correctly (I think).
>
> In
>
> <form action="${url.loginAction}" method="post">
>
> url.loginAction is perfectly built, but has the wrong protocol.
>
> If I overwrite this in the browser, everything works perfectly. Could you please tell me which option will set up this uri correctly?
>
> Many thanks,
>
> Uli

From sthorger at redhat.com Wed Dec 14 00:50:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:50:39 +0100
Subject: [keycloak-user] Questions about realms

I don't think it's that black/white and it depends on your needs ;)

On 7 December 2016 at 15:53, Sebastien Blanc wrote:
> Hi !
> > Create your own, look at the doc : > https://keycloak.gitbooks.io/server-adminstration-guide/ > content/topics/realms/master.html > "It is recommended that you do not use the *master* realm to manage the > users and applications in your organization. Keep the *master* realm as a > place for *super* admins to create and manage the realms in your system. > This keeps things clean and organized." > > > > On Wed, Dec 7, 2016 at 3:39 PM, Known Michael > wrote: > > > Hey, > > > > Questions about realms: > > > > Should we use the default master realm or create our own realm? > > What is better? > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Dec 14 00:51:38 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 14 Dec 2016 06:51:38 +0100 Subject: [keycloak-user] Performance lag in client role creation and retrieval In-Reply-To: References: Message-ID: As Marek commented on the issue can you please create another JIRA for your issues on 2.4? On 8 December 2016 at 07:31, Padmaka Wijaygoonawardena wrote: > Hi, > > I've tried Keycloak 2.4.0.Final with the same setup as above regarding the > performance issue. For creating a role and assign role there is a good > performance improvement. > > However, after the 2.4.0 upgrade, for the 'get client role by role name' > endpoint it is taking around 15s on average. Earlier there wasn't this much > of a performance lag. In the database I have around 30000 client roles and > around 10000 roles per client. > > Please note that I have a MySQL DB, and a two node cluster. > > Any advice or fix would be highly appreciated. Thanks in advance. 
> > I have commented on the related ticket as well [1] > > [1] - https://issues.jboss.org/browse/KEYCLOAK-3863 > > On Fri, Nov 4, 2016 at 3:48 PM, Padmaka Wijaygoonawardena < > teknodjs at gmail.com> wrote: > >> Hi, >> >> Thanks for replying I created a ticket here [1]. >> >> Cheers, >> Padmaka >> >> [1] - https://issues.jboss.org/browse/KEYCLOAK-3863 >> >> On Fri, Nov 4, 2016 at 11:01 AM, Stian Thorgersen >> wrote: >> >>> We're actually currently looking at some issues around this. Please >>> create a JIRA and we'll make sure your case is checked as well. >>> >>> Hopefully this will be solved in the upcoming 2.4 release. >>> >>> On 3 November 2016 at 12:16, Padmaka Wijaygoonawardena < >>> teknodjs at gmail.com> wrote: >>> >>>> Hi, >>>> >>>> I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm >>>> using has 2 Keycloak nodes and around 4000 client roles for one client. >>>> the >>>> process I go through for adding is as follows: >>>> >>>> >>>> 1. GET call to check whether the role already exists. (takes around >>>> 2000ms) >>>> 2. POST call to create the new client role. (takes around 10000ms) >>>> 3. GET call to get the newly created client role(Since the create >>>> role >>>> call doesn't send the full client role in the response body). (takes >>>> around >>>> 10000ms) >>>> >>>> The Keycloak version I used earlier was 1.9.0 with that version this >>>> process worked fine with one call taking around 700ms on average. >>>> >>>> So as shown above this is a huge performance lag. With further >>>> investigation I found the following points >>>> >>>> >>>> 1. When using only one Keycloak node this problem doesn't appear. >>>> Therefore it should be some issue with infinispan cache. >>>> 2. When I remove the get calls and only send the create calls then >>>> the >>>> calls return in 2000ms in average. >>>> 3. This lag only appears when executing a get role call soon after >>>> creating a client role. 
>>>>
>>>> I double checked the changes for 2.3.0 [1]; since there is nothing said
>>>> about cache or related issues I raised this issue.
>>>>
>>>> Any advice or fix would be highly appreciated. Thanks in advance.
>>>>
>>>> [1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html
>>>>
>>>> Cheers,
>>>> Padmaka.

From sthorger at redhat.com  Wed Dec 14 00:53:57 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:53:57 +0100
Subject: [keycloak-user] Issue with Keycloak startup in AWS as a docker

Hi, the attachments have been removed from the list so we can't see your log. Could you just copy/paste the error you're seeing?

On 8 December 2016 at 22:23, Jagannadha Rekala wrote:
> Hello,
>
> We are running Keycloak (database: Oracle 12c) on AWS as a docker in an EC2
> instance. Keycloak deployment is successful via the cloud formation but the
> startup failed with Keycloak receiving the TERM signal. We have
> amazon-agent along with Keycloak's docker to spin a new container of
> Keycloak. The amazon-agent starts a new Keycloak container within a
> minute. The second time startup of Keycloak fails as well with a different
> error (where it is not able to create a new table while the name already
> exists - ORA-00955).
>
> This is happening at random. Sometimes the Keycloak instance starts well the
> first time, without any issues. I have attached the logs of the Keycloak
> container starting the first time after deployment and the second time the
> amazon-agent spins up a new container. Keep in mind that the logs are
> bottom-up, watch from the bottom to up for a sequence. Ultimately, from the
> logs we understood that it is trying to create the tables the second time
> but those tables already exist.
>
> Please let us know if you have encountered this kind of issue or have any
> pointers where the issue could be: why the first time the container receives
> a TERM signal and why the second time it cannot overwrite the tables while
> the migration strategy is mentioned as update in the standalone.xml. Any help
> would be appreciated.
>
> Thanks,
>
> Jagan Rekala

From sthorger at redhat.com  Wed Dec 14 00:55:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 06:55:51 +0100
Subject: [keycloak-user] Using Keycloak with Microsoft Azure Active Directory

So the issue is that you're missing the email address? You probably just need to tweak the scope setting on the provider (try adding email).

On 9 December 2016 at 14:07, Reed Lewis wrote:
> I am attempting to use Microsoft Azure Active Directory with Keycloak.
>
> It is not working correctly.
>
> Here is how I have it configured:
>
> OpenID Connect V1.0
>
> Enabled: On
> Store Tokens: On
> Store Tokens Readable: On
> Trust Email: On
> Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
> Token URL: https://login.microsoftonline.com/common/oauth2/token
> Logout URL:
> Backchannel Logout: Off
> User Info URL:
> First Login Flow: First Broker Login
>
> It directs me to the Microsoft page to login correctly, but when it comes
> back to keycloak, it only has the first and last name, but no email
> address.
>
> Is there something I have configured incorrectly?
>
> I also tried to use the built in Microsoft connector, but that does not
> work with Azure Active Directory.
>
> Thank you,
>
> Reed Lewis

From sthorger at redhat.com  Wed Dec 14 01:00:00 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 07:00:00 +0100
Subject: [keycloak-user] chrome on windows
In-Reply-To: <397e3095-c4a3-4c27-92de-97c56b65d569@merit.unu.edu>
References: <397e3095-c4a3-4c27-92de-97c56b65d569@merit.unu.edu>

Strange - this should not happen. Do you have steps to reproduce? Please create a JIRA if you do and also include a screenshot.

On 13 December 2016 at 14:42, lists wrote:
> Hi,
>
> Somehow, when using keycloak SAML auth on our application, chrome on
> windows is presenting us a basic http popup logon window.
> In that case, the URL looks like:
>
> https://keycloak.company.com/auth/realms/testrealm/protocol/saml?SAMLRequest=fVHJbsIwEP2VyPfEOCk0sUgkIKVC6oJK1UMvlZWYYsmxU8%2B4y9%2FXCUKiPXB9M2%2FeMnMQne...
>
> We have to cancel that popup, to end up in the regular keycloak login page.
> The URL then becomes:
>
> https://keycloak.company.com/auth/realms/testrealm/login-actions/authenticate?code=lmCA9w6F-KuQAefH1Iq5mDpBznYOjP2JE3ZnooeL9Uc.e01284fe-0ad4-4efb-8314-f...
>
> Since this only happens on chrome on windows, I thought that this
> perhaps was a kerberos-auth going wrong. So I disabled kerberos, but it
> keeps happening.
>
> Using other browsers, we end up in the regular second /login-actions/
> logon screen straight away.
>
> The chrome popup is also NOT useable: if we provide a valid
> username/password, we will NOT become authenticated, but we end up in
> the "WE'RE SORRY... Unexpected error when handling authentication
> request to identity provider."
>
> Can anyone explain this?
> (keycloak 2.3.0)
>
> MJ

From sthorger at redhat.com  Wed Dec 14 01:00:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 07:00:44 +0100
Subject: [keycloak-user] Direct link to registration with Java ServletFilter Adapter

You can just replace ../auth with ../register in the login URL and you'll get the registration screen instead of the login screen.

On 13 December 2016 at 22:55, Laghuvaram, Raghu <RLaghuvaram at contractor.lb.com> wrote:
> I am looking for a direct link to registration from my application. I am
> using the Java Servlet Filter Adapter with Cookie tokenstore; is that even
> achievable?
>
> Thanks,
> Raghu
>
> ________________________________
>
> Notice: This communication may contain privileged and/or confidential
> information. If you are not the intended recipient, please notify the
> sender by email, and immediately delete the message and any attachments
> without copying or disclosing them. LB may, for any reason, intercept,
> access, use, and disclose any information that is communicated by or
> through, or which is stored on, its networks, applications, services, and
> devices.

From sblanc at redhat.com  Wed Dec 14 01:43:52 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 14 Dec 2016 07:43:52 +0100
Subject: [keycloak-user] Spring sec - roles - how?

Is this not working?

    http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE")

?
On Tue, Dec 13, 2016 at 11:51 PM, java_os wrote:
> Hi All,
> I put up this question a while back and now I'm back to it since there was
> no answer, this time with some hope.
> I have this SPA (keycloak.js) calling into a REST API bearer protected by KC
> - all good.
> I use KC brokering, so on the IdP side ADFS. The user logs in against the IdP,
> where ADFS is configured with a claim that acts as a role. On the SPA I can
> map out that claim from the token.
> The REST API is protected by KC spring sec. I want (and this is what I do
> not know) to configure spring sec to react when the call is made to a
> specific REST endpoint when the user does not have a specific role
> (returning 401).
> How can I do this the spring sec way - how can I configure spring sec to
> check at runtime the user's role for a specific endpoint and deny access
> to the resource?
> The big unknown to me is: how does the KC client role (which is some static
> config) relate to the runtime user's role coming from the IdP?
> Has anyone done this - I'm sure this is a common use case.
> Whoever knows this please share.
> Thank you and appreciate it.

From michael_furman at hotmail.com  Wed Dec 14 01:59:54 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 14 Dec 2016 06:59:54 +0000
Subject: [keycloak-user] How Basic Authentication is implemented for Java adapters?

Hi,
We need to implement authentication for our REST APIs.
The issue is not simple since the same APIs are used for the UI and for the CLI clients.
CLI clients access the REST API using Basic Authentication.
For the UI we want to access the REST APIs after OIDC authentication.
Therefore we need to achieve the following:

* If a request comes without any authentication the server should respond with HTTP 401.
* If a request comes with the Basic Authentication header it is authenticated.
* If a request comes with Keycloak cookies it is authenticated (and HTTP 401 does not appear).

Is it possible to do it?
I will be happy to clarify how Basic Authentication is implemented for Keycloak Java adapters.
I found the enable-basic-auth configuration here:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html

Questions:

1. Will the Keycloak Java adapter prompt with HTTP 401 if a request comes without any authentication?
   (we can not allow OIDC redirection in this case)
2. What happens if a request comes with a Basic Authentication header? Is it authenticated?
   How does the Keycloak Java adapter validate the user name and password?
3. What happens if a request comes with Keycloak cookies?

Best regards,
Michael

From michael_furman at hotmail.com  Wed Dec 14 02:07:21 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 14 Dec 2016 07:07:21 +0000
Subject: [keycloak-user] How Basic Authentication is implemented for Java adapters?

We use the SpringSecurity adapter

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
Sent: Wednesday, December 14, 2016 8:59 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] How Basic Authentication is implemented for Java adapters?

Hi,
We need to implement authentication for our REST APIs.
The issue is not simple since the same APIs are used for the UI and for the CLI clients.
CLI clients access the REST API using Basic Authentication.
For the UI we want to access the REST APIs after OIDC authentication.
Therefore we need to achieve the following:

* If a request comes without any authentication the server should respond with HTTP 401.
* If a request comes with the Basic Authentication header it is authenticated.
* If a request comes with Keycloak cookies it is authenticated (and HTTP 401 does not appear).

Is it possible to do it?
I will be happy to clarify how Basic Authentication is implemented for Keycloak Java adapters.
I found the enable-basic-auth configuration here:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html

Questions:

1. Will the Keycloak Java adapter prompt with HTTP 401 if a request comes without any authentication?
   (we can not allow OIDC redirection in this case)
2. What happens if a request comes with a Basic Authentication header? Is it authenticated?
   How does the Keycloak Java adapter validate the user name and password?
3. What happens if a request comes with Keycloak cookies?

Best regards,
Michael

From cmoullia at redhat.com  Wed Dec 14 02:17:54 2016
From: cmoullia at redhat.com (Charles Moulliard)
Date: Wed, 14 Dec 2016 08:17:54 +0100
Subject: [keycloak-user] Client secret not provided in request

Hi,

Why do I get this error when I issue this curl request to get a token?

    curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
      -d grant_type=password -d username=admin -d password=admin -d client_id=demoapp

    {"error_description":"Client secret not provided in request","error":"unauthorized_client"}

Keycloak Version: 1.9.8
client_id: demoapp

Do I have to set another field instead of username/password & grant_type=password?
Regards,

Charles

From sthorger at redhat.com  Wed Dec 14 02:27:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 08:27:35 +0100
Subject: [keycloak-user] Client secret not provided in request

The error message is pretty self explanatory here - you're missing the client secret.

On 14 December 2016 at 08:17, Charles Moulliard wrote:
> Hi,
>
> Why do I get this error when I issue this curl request to get a token?
>
>     curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>       -d grant_type=password -d username=admin -d password=admin -d client_id=demoapp
>
>     {"error_description":"Client secret not provided in request","error":"unauthorized_client"}
>
> Keycloak Version: 1.9.8
> client_id: demoapp
>
> Do I have to set another field instead of username/password & grant_type=password?
>
> Regards,
>
> Charles

From sblanc at redhat.com  Wed Dec 14 02:38:04 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 14 Dec 2016 08:38:04 +0100
Subject: [keycloak-user] How Basic Authentication is implemented for Java adapters?

Not sure the SpringSec adapter supports basic auth, I need to check this out.
Why do you need basic auth? Is that just for your CLI client so it can log in?
Why don't you set up a CLI client in the KC console that has direct grant enabled? That would make things easier: your CLI requests a token from KC and then uses it to make the API calls.
On Wed, Dec 14, 2016 at 8:07 AM, Michael Furman wrote:
>
> We use the SpringSecurity adapter
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
> Sent: Wednesday, December 14, 2016 8:59 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] How Basic Authentication is implemented for Java adapters?
>
> Hi,
> We need to implement authentication for our REST APIs.
> The issue is not simple since the same APIs are used for the UI and for the CLI clients.
> CLI clients access the REST API using Basic Authentication.
> For the UI we want to access the REST APIs after OIDC authentication.
> Therefore we need to achieve the following:
>
> * If a request comes without any authentication the server should respond with HTTP 401.
> * If a request comes with the Basic Authentication header it is authenticated.
> * If a request comes with Keycloak cookies it is authenticated (and HTTP 401 does not appear).
>
> Is it possible to do it?
> I will be happy to clarify how Basic Authentication is implemented for Keycloak Java adapters.
> I found the enable-basic-auth configuration here:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html
>
> Questions:
>
> 1. Will the Keycloak Java adapter prompt with HTTP 401 if a request comes without any authentication?
>    (we can not allow OIDC redirection in this case)
> 2. What happens if a request comes with a Basic Authentication header? Is it authenticated?
>    How does the Keycloak Java adapter validate the user name and password?
> 3. What happens if a request comes with Keycloak cookies?
>
> Best regards,
> Michael

From cmoullia at redhat.com  Wed Dec 14 02:48:31 2016
From: cmoullia at redhat.com (Charles Moulliard)
Date: Wed, 14 Dec 2016 08:48:31 +0100
Subject: [keycloak-user] Client secret not provided in request

How do I provide the client secret within the curl request? An example would be great ;-)

On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen wrote:
> The error message is pretty self explanatory here - you're missing the client
> secret.
>
> On 14 December 2016 at 08:17, Charles Moulliard wrote:
>> Hi,
>>
>> Why do I get this error when I issue this curl request to get a token?
>>
>>     curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>>       -d grant_type=password -d username=admin -d password=admin -d client_id=demoapp
>>
>>     {"error_description":"Client secret not provided in request","error":"unauthorized_client"}
>>
>> Keycloak Version: 1.9.8
>> client_id: demoapp
>>
>> Do I have to set another field instead of username/password & grant_type=password?
>>
>> Regards,
>>
>> Charles

From sblanc at redhat.com  Wed Dec 14 02:54:00 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 14 Dec 2016 08:54:00 +0100
Subject: [keycloak-user] Client secret not provided in request

I guess "-d client_secret=my_secret"?
;)

On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard wrote:
> How do I provide the client secret within the curl request? An example
> would be great ;-)
>
> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen wrote:
> > The error message is pretty self explanatory here - you're missing the client
> > secret.
> >
> > On 14 December 2016 at 08:17, Charles Moulliard wrote:
> >> Hi,
> >>
> >> Why do I get this error when I issue this curl request to get a token?
> >>
> >>     curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
> >>       -d grant_type=password -d username=admin -d password=admin -d client_id=demoapp
> >>
> >>     {"error_description":"Client secret not provided in request","error":"unauthorized_client"}
> >>
> >> Keycloak Version: 1.9.8
> >> client_id: demoapp
> >>
> >> Do I have to set another field instead of username/password & grant_type=password?
> >>
> >> Regards,
> >>
> >> Charles

From sthorger at redhat.com  Wed Dec 14 02:56:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 08:56:06 +0100
Subject: [keycloak-user] Client secret not provided in request

Your guess is correct. Or you can also use the much more complicated way of using a basic auth header for client id and secret, but let's not get into that ;)

On 14 December 2016 at 08:54, Sebastien Blanc wrote:
> I guess "-d client_secret=my_secret"?
> ;)
>
> On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard wrote:
>> How do I provide the client secret within the curl request? An example
>> would be great ;-)
>>
>> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen wrote:
>> > The error message is pretty self explanatory here - you're missing the
>> > client secret.
>> >
>> > On 14 December 2016 at 08:17, Charles Moulliard wrote:
>> >> Hi,
>> >>
>> >> Why do I get this error when I issue this curl request to get a token?
>> >>
>> >>     curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>> >>       -d grant_type=password -d username=admin -d password=admin -d client_id=demoapp
>> >>
>> >>     {"error_description":"Client secret not provided in request","error":"unauthorized_client"}
>> >>
>> >> Keycloak Version: 1.9.8
>> >> client_id: demoapp
>> >>
>> >> Do I have to set another field instead of username/password & grant_type=password?
>> >>
>> >> Regards,
>> >>
>> >> Charles

From Edgar at info.nl  Wed Dec 14 03:35:15 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 14 Dec 2016 08:35:15 +0000
Subject: [keycloak-user] Retrieve number of times users have logged in?
Message-ID: <7C3A82AC-0463-4C99-A40F-34C9E6BBC20C@info.nl>

hi,

Is it possible somehow to get the stats about the number of times users have logged into/authenticated from Keycloak? Maybe from the database? Or is this information not stored?
cheers

From sthorger at redhat.com  Wed Dec 14 04:55:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 14 Dec 2016 10:55:35 +0100
Subject: [keycloak-user] Retrieve number of times users have logged in?
In-Reply-To: <7C3A82AC-0463-4C99-A40F-34C9E6BBC20C@info.nl>
References: <7C3A82AC-0463-4C99-A40F-34C9E6BBC20C@info.nl>

If you enable login events you can use the admin REST endpoints to retrieve all login events for a particular user. Beyond that you'd have to either create a custom REST provider that provides the data as you want, or query the DB directly (the events table is pretty simple).

On 14 December 2016 at 09:35, Edgar Vonk - Info.nl wrote:
> hi,
>
> Is it possible somehow to get the stats about the number of times users
> have logged into/authenticated from Keycloak? Maybe from the
> database? Or is this information not stored?
>
> cheers

From psilva at redhat.com  Wed Dec 14 05:32:31 2016
From: psilva at redhat.com (Pedro Igor)
Date: Wed, 14 Dec 2016 08:32:31 -0200
Subject: [keycloak-user] Keycloak adapter with policies returns bad request
References: <11f7bccd-323f-4b5a-a257-255ba2e36131@getmailbird.com> <9d368281-dd22-43a5-a216-254524e8e269@getmailbird.com> <04fc1cf1-243b-42ed-b631-62b9b582c9f6@getmailbird.com>
Message-ID: <53e8385e-9bd4-4dc3-a2e3-2ede9cfea95a@getmailbird.com>

On 12/13/2016 11:35:49 AM, Richard van Duijn wrote:

Ok, thanks. That did the trick. I was under the assumption that if left blank, the policy-enforcer would be correctly configured from keycloak itself. But I now understand we need to specify more specific resource actions in this keycloak.json file.

Pedro Igor: When left blank, the enforcer loads all resources from the server and performs access decisions based on the path you defined for each of them.
That means you must have a resource with the /api/resource URL if your application is serving any request at that path (or pattern). For REST APIs, you usually want to have your paths configured in keycloak.json in order to define which scopes are associated with a given HTTP method.

Other quick question: Why is it that fetching all entitlements from the frontend javascript with the call:

    this.authorization.entitlement('photoz-restful-api').then(function(rpt) {
        console.log('Entitlements loaded...%o', JSON.stringify(jwt_decode(rpt), null, ' '));
    });

succeeds, while doing the same call from the backend using the configured Authz client as in the AuthorizationClientExample.java I get a Bad Request response from keycloak?

    private static void obtainAllEntitlements() {
        // create a new instance based on the configuration defined in keycloak-authz.json
        AuthzClient authzClient = AuthzClient.create();

        // obtain an Entitlement API Token in order to get access to the Entitlement API.
        // this token is just an access token issued to a client on behalf of a user with a scope kc_entitlement
        String eat = getEntitlementAPIToken(authzClient);

        // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
        EntitlementResponse response = authzClient.entitlement(eat).getAll("hello-world-authz-service");
        String rpt = response.getRpt();

        System.out.println("You got a RPT: " + rpt);

        // now you can use the RPT to access protected resources on the resource server
    }

Is this configuration as well?

Pedro Igor: It should be a configuration issue. You may check:

1) Your client credentials are correct
2) Check if your client is configured to allow "Direct Grant" and the user's credentials are correct
3) Your client is allowed to obtain a token with the uma_authorization scope (check if your client is configured with "Consent Required")

Regarding #2, you are not required to enable Direct Grant to obtain RPTs from the server.
This example uses direct grant for demonstration purposes.

Thanks!

On Tue, 13 Dec 2016 at 14:17, Pedro Igor wrote:

It could be related with your policy-enforcer config in keycloak.json. There you can associate a scope with a specific HTTP method for a given path; maybe this is causing the 401. If you have everything set correctly, the only thing we can do is debug and check what is happening. I don't think this smells like a bug because the same scenario works with our tests + photoz app example. But better debug your play adapter and see what may be causing this, to make sure.

On 12/13/2016 10:35:21 AM, Richard van Duijn wrote:

Thank you for clarifying that! Much appreciated!

I'm progressing with my adapter. Using the Photoz example I can login and authorize requests going to the photoz-restfull-api (which in my case is my play application). But one resource refuses to load for non-admin users. Namely the /album/create resource returns an Unauthorized. I will try to elaborate on what I am currently doing. Hopefully someone can point me to the error.

* The javascript frontend application calls the /photoz-rest-api/album/create resource using a post with the bearerToken received from the login.
* Then my PlayFramework controller Action is intercepted and the bearerToken is verified using the AdapterRSATokenVerifier.verifyToken() method.
* If successful the KeycloakAdapterPolicyEnforcer is used to authorize my request using the photoz policies.
* This returns 401 in case of the user Alice, and is accepted in case of Admin.

What I do not understand is that the Policy Evaluator in the admin console results in a PERMIT in case of Alice accessing the album resource with scope 'Create'. But the KeycloakAdapterPolicyEnforcer tells Alice is Unauthorized. Am I missing a vital point in the process?

The entitlements I have for Alice are the following (which clearly states the user is allowed to create on the album resource):

    {
      "jti": "6fa19f41-f720-4285-965f-e4373544346c",
      "exp": 1481632355,
      "nbf": 0,
      "iat": 1481632055,
      "iss": "http://127.0.0.1:8080/auth/realms/photoz",
      "aud": "photoz-html5-client",
      "sub": "85e9868e-262e-4290-8a23-93f8392cffd7",
      "typ": "Bearer",
      "azp": "photoz-html5-client",
      "nonce": "55b16f6b-5af9-40de-871e-ab8712bd1f57",
      "auth_time": 1481631352,
      "session_state": "73453cd9-01df-4124-a9ca-585352c0e040",
      "name": "Alice In Chains",
      "given_name": "Alice",
      "family_name": "In Chains",
      "preferred_username": "alice",
      "email": "alice@keycloak.org",
      "acr": "0",
      "client_session": "2e16eade-c3a2-40ae-b766-3bac6b89d4d4",
      "allowed-origins": [
        "*"
      ],
      "realm_access": {
        "roles": [
          "uma_authorization",
          "user"
        ]
      },
      "resource_access": {
        "photoz-restful-api": {
          "roles": [
            "manage-albums"
          ]
        }
      },
      "authorization": {
        "permissions": [
          {
            "scopes": [
              "urn:photoz.com:scopes:album:view",
              "urn:photoz.com:scopes:album:create"
            ],
            "resource_set_id": "71996b0c-48c1-44c9-8fda-d0ba46b451b7",
            "resource_set_name": "Album Resource"
          },
          {
            "scopes": [
              "urn:photoz.com:scopes:profile:view"
            ],
            "resource_set_id": "0236b990-40dd-4bf3-9a49-25bc3bc6273c",
            "resource_set_name": "User Profile Resource"
          }
        ]
      }
    }

/Richard

On Thu, 8 Dec 2016 at 21:11, Pedro Igor wrote:

Yeah, I missed that part too :)

Clients marked as bearer-only are not allowed to access the token endpoint. However, you can still use bearer-only in your keycloak.json (adapter config) to indicate that only requests with a bearer token are allowed to access your resource server (backend-client).

Regards.
Pedro Igor

On 12/8/2016 5:46:25 PM, Richard van Duijn wrote:

Pedro,

I've imported the json file myself and I was able to fetch the AT with postman and things work now.
The only difference I see in the server configuration is that I had configured the backend-client with Access-Type 'Bearer-only', which (after the import) is now 'Confidential'.. In my perception I had to configure the backend-client with a bearer-only access-type as it does not do any logins, just as the 'bearer-only:true' flag in the adapter config json. Am I mistaken here?

Well, at least I can continue now, but still this seems a bit odd to me.

Thank you again for your great help! It is much appreciated!

/Richard

On Thu, 8 Dec 2016 at 13:49, Richard van Duijn wrote:

You've got me confused as well.. haha

No, I'm not reaching the lines using the policyEnforcer. The error occurs earlier in the process. Could you perhaps explain what you send in the postman request. What is put in the request is the following:

    requestHeaders.put("Authorization", BasicAuthHelper.createHeader(Configuration.this.clientId, secret));

with the clientId being: backend-client
and the secret being: 6ce718ad-2ab1-42ff-bf01-35a03eab3aee

resulting in the header:

    Authorization : Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl

Other than that I do not have any clues what is wrong.

The AT request is generated during startup of my backend server. So I do not yet have any frontend rest calls containing a bearerToken coming in. My assumption is that I can initialize the keycloakDeployment once for my entire application and then use it for each call coming in. Am I correct? My guess now is that this assumption is wrong.

/Richard

On Thu, 8 Dec 2016 at 13:05, Pedro Igor wrote:

On 12/8/2016 7:06:44 AM, Richard van Duijn wrote:

Hi Pedro,

Thank you for the reply. First I'll answer your questions, then I'll clarify my setup a bit more. Please find attached my realm config file as well.

* The realm name was a typo. In the meantime I've reconfigured my realm to ensure the '.' char was not messing things up. Turned out not to be the case.
* I'm not able to retrieve an AT from keycloak for the backend-client (which is set to bearer-only). With the given Postman request I just get the 400 bad request error and accompanying message.

Pedro Igor: I was able to get an AT after importing your realm and sending the same postman request. Now I'm confused :) The client is backend-client, correct ?

* I've followed the getting started guide up to securing the jboss servlet. I've stopped there as I wanted to use a keycloak distribution in combination with a PlayFramework application (for which there is no adapter available yet). I've followed the steps from this post (http://bandrzejczak.com/blog/2015/11/22/single-sign-on-with-keycloak-in-a-sigle-page-application-part-1-slash-2-angular-dot-js/) to get the bearerToken approach working. Using the AdapterRSATokenVerifier class I was able to verify the bearerToken received from the javascript frontend. What I basically have is a filter that intercepts the frontend requests, picks up the bearerToken and checks its validity. If valid, the resource is accessible; otherwise the user receives an error. The next step was to include policies in the setup. Setting up the adapter for the playFramework was a bit difficult as there is no real documentation on that subject, only example implementations like the ones for spring security and jetty. But before getting to the complex logic I've added the policy-enforcer: {} line in the keycloak.json config file for the backend-client. This json is then loaded and used in KeycloakDeploymentBuilder.build(keycloakConfig). This is the point where it fails: as the config contains the policy-enforcer line, the PolicyEnforcer class is initialized, which in turn attempts to retrieve the AT from keycloak. Is there some flaw in my reasoning?

* The javascript frontend authenticates itself using the keycloak.js adapter.
It adds the accessToken to the Authorization header for the rest-client to pick up.
* The rest client (my backend-client) verifies the bearerToken using the AdapterRSATokenVerifier.
* Then the rest client checks the authorization using the following lines of code:

final PolicyEnforcer policyEnforcer = keycloakDeployment.getPolicyEnforcer();
BearerTokenPolicyEnforcer bearerTokenPolicyEnforcer = new BearerTokenPolicyEnforcer(policyEnforcer);
final AuthorizationContext authorizationContext = bearerTokenPolicyEnforcer.authorize(facade);

Pedro Igor: It looks correct. Although it seems you are not even reaching the line above where permissions are actually enforced. Besides, make sure you have all bearer token validations in place based on other adapters we have. You are almost there. You just need to figure out why you can't obtain an AT from the server even if using postman, curl, etc. I think that if you solve this, you will get everything working (or hit some new issue after this one :)).

Hope this clarifies it a bit. I've attached my realm configuration json file. By the way, I'm using keycloak 2.4.0-Final.

Many many thanks for your help! If this approach is valid I'm happy to contribute my code to the community for others to work with.

/Richard

On Thu 8 Dec 2016 at 01:13, Pedro Igor wrote:

Hi Richard,

In your first message, it seems the token endpoint is http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token. Here you are using a realm "local.development". In your last message with the postman request, you are using a token endpoint like this: /auth/realms/development/protocol/openid-connect/token, where the realm is "development", the same you have used in keycloak.json. Would that be a misconfiguration or just a typo ? Besides, what happens when you send that postman request to the server ? Are you able to get an AT ?
This is pretty much what the enforcer does during initialization: obtain an AT before querying the Protection API for protected resources. And that is what your stack trace shows. If you are not able to obtain a token using the postman request, it probably means you have something wrong with your realm/client configuration on the server. Last question, are you able to run any of our authorization examples ? Or even successfully follow our Getting Started guide ?

Thanks.
Pedro Igor

On 12/7/2016 12:05:10 PM, Richard van Duijn wrote:

Forgot to include the postman request.. here it is:

POST /auth/realms/development/protocol/openid-connect/token HTTP/1.1
Host: 127.0.0.1:8080
Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

/Richard

On Wed 7 Dec 2016 at 15:00, Richard van Duijn wrote:

Somehow I do not get any logs in keycloak server.log. I've attempted to change the loglevel in standalone.xml to TRACE, but to no avail. Maybe you can give me a pointer to which logger I should change to see the correct logs show up. Besides that I've done some debugging using Postman as well. Using the following request I get the message:

{
    "error": "invalid_client",
    "error_description": "Bearer-only not allowed"
}

This is weird to me as the keycloak.json file states that I am connecting to a bearer-only client. Hope this helps to clarify it for you. My keycloak.json configuration file looks like this:

{
  "realm": "development",
  "bearer-only": true,
  "auth-server-url": "http://127.0.0.1:8080/auth",
  "ssl-required": "external",
  "resource": "backend-client",
  "use-resource-role-mappings": true,
  "credentials": {
    "secret": "SECRETHERE"
  },
  "policy-enforcer": {}
}

Hope this helps to clarify some of your questions.

/Richard

On Wed 7 Dec
2016 at 12:47, Pedro Igor wrote:

Do you get anything in server logs ? It may be related with invalid client credentials.

On 12/6/2016 12:41:38 PM, Richard van Duijn wrote:

I'm creating a POC application using playframework and angular. The frontend will be protected using the keycloak javascript adapter and the backend rest services will be a bearer-only application. Without the policies turned on in the keycloak.json everything goes well. But when I turn the policies on for the rest services by adding "policy-enforcer": { }, I get a 400 Bad Request response from the Keycloak server during initialization. After some debugging I noticed it had to do with the initialization of the PolicyEnforcer, which attempts to call the following keycloak server endpoint:

http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token

Below you will find the stacktrace and request and response objects. Hope someone can point me in the right direction, for instance how to configure keycloak logging to get some more details on what the reason for the 400 bad request is. Many many thanks!

/Richard

*Stacktrace*:
    at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:92)
    at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
    at org.keycloak.authorization.client.AuthzClient.obtainAccessToken(AuthzClient.java:112)
    at org.keycloak.authorization.client.AuthzClient.protection(AuthzClient.java:91)
    at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:57)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:135)
    at security.KeycloakSecurityModule.configure(KeycloakSecurityModule.java:53)
    at com.google.inject.AbstractModule.configure(AbstractModule.java:62)
    ...
    ... many google guice calls ...
    at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:129)
    at play.core.server.DevServerStart$$anonfun$mainDev$1$$anon$1$$anonfun$get$1.apply(DevServerStart.scala:121)

*Request object*:
builder = {RequestBuilder@12557}
  method = "POST"
  charset = {UTF_8@12563} "UTF-8"
  version = null
  uri = {URI@12564} "http://127.0.0.1:8080/auth/realms/local.development/protocol/openid-connect/token"
  headergroup = {HeaderGroup@12565} "[Authorization: Basic YmFja2VuZC1jbGllbnQ6NmNlNzE4YWQtMmFiMS00MmZmLWJmMDEtMzVhMDNlYWIzYWVl]"
  entity = null
  parameters = {LinkedList@12566} size = 1
    0 = {BasicNameValuePair@12576} "grant_type=client_credentials"
  config = null

*Response object*:
HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780
response = {$Proxy16@12554} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780"
  h = {CloseableHttpResponseProxy@12583}
    original = {BasicHttpResponse@12584} "HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT] org.apache.http.conn.BasicManagedEntity@1f8d1780"
      statusline = {BasicStatusLine@12556} "HTTP/1.1 400 Bad Request"
        ver = {HttpVersion@12586} "HTTP/1.1"
        code = 400
        reasonPhrase = "Bad Request"
      entity = {BasicManagedEntity@12555}
      reasonCatalog = {EnglishReasonPhraseCatalog@12588}
      locale = {Locale@12589} "en_US"
      headergroup = {HeaderGroup@12590} "[Connection:
keep-alive, X-Powered-By: Undertow/1, Server: WildFly/10, Content-Type: application/json, Content-Length: 72, Date: Tue, 06 Dec 2016 12:24:28 GMT]"
      params = {ClientParamsStack@12591}

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From cmoullia at redhat.com Wed Dec 14 06:02:51 2016
From: cmoullia at redhat.com (Charles Moulliard)
Date: Wed, 14 Dec 2016 12:02:51 +0100
Subject: [keycloak-user] Client secret not provided in request
In-Reply-To:
References:
Message-ID:

The curl request works now but I'm getting this error when the token received will be checked by the SpringBoot Tomcat Adapter

Request

curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token -d grant_type=password -d username=admin -d client_secret=MYSECRET -d password=admin -d client_id=demoapp

What does "URL from configuration" refer to ?

2016-12-14 10:49:29.273 ERROR 1 --- [nio-8080-exec-6] o.k.a.BearerTokenRequestAuthenticator : Failed to verify token

org.keycloak.common.VerificationException: Token audience doesn't match domain.
Token issuer is https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master, but URL from configuration is https://secure-sso-sso.e8ca.engint.openshiftapps.com/realms/master
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
    at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48) ~[keycloak-tomcat8-adapter-1.9.8.Final.jar!/:1.9.8.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1100) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:687) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]

Charles Moulliard
Sr. Pr. Software Engineer @redhat
cmoulliard at redhat.com | work: +31 205 65 12 84 | mobile: +32 473 60 40 14
Twitter: @cmoulliard | blog: cmoulliard.github.io
committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, jbpm, deltaspike

On Wed, Dec 14, 2016 at 8:56 AM, Stian Thorgersen wrote:

> Your guess is correct. Or you can also use the much more complicated way
> of using basic auth header for client id and secret, but let's not get into
> that ;)
>
> On 14 December 2016 at 08:54, Sebastien Blanc wrote:
>
>> I guess "-d client_secret=my_secret" ? ;)
>>
>> On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard
>> wrote:
>>
>>> How do I provide the client secret within the curl request ?
An example >>> would be great ;-) >>> >>> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen >>> wrote: >>> >>> > Error message is pretty self explanatory here - you're missing the >>> client >>> > secret >>> > >>> > On 14 December 2016 at 08:17, Charles Moulliard >>> > wrote: >>> > >>> >> Hi, >>> >> >>> >> Why do I get this error when I issue tthis curl request to get a token >>> >> >>> >> curl -sk -X POST >>> >> https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/re >>> >> alms/master/protocol/openid-connect/token >>> >> -d >>> >> >> ealms/master/protocol/openid-connect/token-d> >>> >> grant_type=password -d username=admin -d password=admin -d >>> >> client_id=demoapp >>> >> >>> >> {"error_description":"Client secret not provided in >>> >> request","error":"unauthorized_client"} >>> >> >>> >> Keycloak Version : 1.9.8 >>> >> client_id: demoapp >>> >> >>> >> Do I have to set another filed instead of username/password & >>> >> grant_type=password ? >>> >> >>> >> Regards, >>> >> >>> >> Charles >>> >> _______________________________________________ >>> >> keycloak-user mailing list >>> >> keycloak-user at lists.jboss.org >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >>> > >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From sblanc at redhat.com Wed Dec 14 06:28:03 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 14 Dec 2016 12:28:03 +0100 Subject: [keycloak-user] Client secret not provided in request In-Reply-To: References: Message-ID: URL from configuration is the one from the keycloak.json : "auth-server-url" , looks like you forgot an /auth On Wed, Dec 14, 2016 at 12:02 PM, Charles Moulliard wrote: > The curl request works now but I'm getting this error when the token > received will be checked by the SpringBoot Tomcat Adapter > > Request > > curl -sk -X POST 
https://secure-sso-sso.e8ca. > engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token > -d grant_type=password -d username=admin -d client_secret=MYSECRET -d > password=admin -d client_id=demoapp > > What "URL from configuration" refers to ? > > 2016-12-14 10:49:29.273 ERROR 1 --- [nio-8080-exec-6] o.k.a. > BearerTokenRequestAuthenticator : Failed to verify token > > org.keycloak.common.VerificationException: Token audience doesn't match > domain. Token issuer is https://secure-sso-sso.e8ca. > engint.openshiftapps.com/auth/realms/master, but URL from configuration > is https://secure-sso-sso.e8ca.engint.openshiftapps.com/realms/master > at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49) > ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final] > at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35) > ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final] > at org.keycloak.adapters.BearerTokenRequestAuthenticato > r.authenticateToken(BearerTokenRequestAuthenticator.java:87) > ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final] > at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate( > BearerTokenRequestAuthenticator.java:82) ~[keycloak-adapter-core-1.9.8. > Final.jar!/:1.9.8.Final] > at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65) > ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final] > at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorV > alve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) > ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final] > at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate( > KeycloakAuthenticatorValve.java:48) ~[keycloak-tomcat8-adapter-1. 
> 9.8.Final.jar!/:1.9.8.Final] > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke( > AbstractKeycloakAuthenticatorValve.java:187) ~[keycloak-tomcat-core- > adapter-1.9.8.Final.jar!/:1.9.8.Final] > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.apache.coyote.http11.AbstractHttp11Processor.process( > AbstractHttp11Processor.java:1100) [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler. > process(AbstractProtocol.java:687) [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [na:1.8.0_101] > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [na:1.8.0_101] > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > [tomcat-embed-core-8.0.36.jar!/:8.0.36] > at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101] > > Charles Moulliard > Sr. Pr. 
Software Engineer @redhat > cmoulliard at redhat.com | work: +31 205 65 12 84 <+31%2020%20565%201284> | > mobile: +32 473 60 40 14 <+32%20473%2060%2040%2014> > Twitter: @cmoulliard | blog: > cmoulliard.github.io > committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, jbpm, > deltaspike > > On Wed, Dec 14, 2016 at 8:56 AM, Stian Thorgersen > wrote: > >> Your guess is correct. Or you can also use the much more complicated way >> of using basic auth header for client id and secret, but let's not get into >> that ;) >> >> On 14 December 2016 at 08:54, Sebastien Blanc wrote: >> >>> I guess "-d client_secret=my_secret" ? ;) >>> >>> On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard >>> wrote: >>> >>>> How do I provide the client secret within the curl request ? An example >>>> would be great ;-) >>>> >>>> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen >>>> wrote: >>>> >>>> > Error message is pretty self explanatory here - you're missing the >>>> client >>>> > secret >>>> > >>>> > On 14 December 2016 at 08:17, Charles Moulliard >>>> > wrote: >>>> > >>>> >> Hi, >>>> >> >>>> >> Why do I get this error when I issue tthis curl request to get a >>>> token >>>> >> >>>> >> curl -sk -X POST >>>> >> https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/re >>>> >> alms/master/protocol/openid-connect/token >>>> >> -d >>>> >> >>> ealms/master/protocol/openid-connect/token-d> >>>> >> grant_type=password -d username=admin -d password=admin -d >>>> >> client_id=demoapp >>>> >> >>>> >> {"error_description":"Client secret not provided in >>>> >> request","error":"unauthorized_client"} >>>> >> >>>> >> Keycloak Version : 1.9.8 >>>> >> client_id: demoapp >>>> >> >>>> >> Do I have to set another filed instead of username/password & >>>> >> grant_type=password ? 
>>>> >> >>>> >> Regards, >>>> >> >>>> >> Charles >>>> >> _______________________________________________ >>>> >> keycloak-user mailing list >>>> >> keycloak-user at lists.jboss.org >>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >> >>>> > >>>> > >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > From cmoullia at redhat.com Wed Dec 14 06:46:26 2016 From: cmoullia at redhat.com (Charles Moulliard) Date: Wed, 14 Dec 2016 12:46:26 +0100 Subject: [keycloak-user] Client secret not provided in request In-Reply-To: References: Message-ID: oups. Added /auth at the end of my SSO URL and now Spring Boot + Keycloak rocks in OpenShift. On Wed, Dec 14, 2016 at 12:28 PM, Sebastien Blanc wrote: > URL from configuration is the one from the keycloak.json : > "auth-server-url" , looks like you forgot an /auth > > On Wed, Dec 14, 2016 at 12:02 PM, Charles Moulliard > wrote: > >> The curl request works now but I'm getting this error when the token >> received will be checked by the SpringBoot Tomcat Adapter >> >> Request >> >> curl -sk -X POST https://secure-sso-sso.e8ca.en >> gint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token >> -d grant_type=password -d username=admin -d client_secret=MYSECRET -d >> password=admin -d client_id=demoapp >> >> What "URL from configuration" refers to ? >> >> 2016-12-14 10:49:29.273 ERROR 1 --- [nio-8080-exec-6] >> o.k.a.BearerTokenRequestAuthenticator : Failed to verify token >> >> org.keycloak.common.VerificationException: Token audience doesn't match >> domain. 
Token issuer is https://secure-sso-sso.e8ca.en >> gint.openshiftapps.com/auth/realms/master, but URL from configuration is >> https://secure-sso-sso.e8ca.engint.openshiftapps.com/realms/master >> at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49) >> ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final] >> at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35) >> ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final] >> at org.keycloak.adapters.BearerTokenRequestAuthenticator. >> authenticateToken(BearerTokenRequestAuthenticator.java:87) >> ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final] >> at org.keycloak.adapters.BearerTokenRequestAuthenticator. >> authenticate(BearerTokenRequestAuthenticator.java:82) >> ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final] >> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65) >> ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final] >> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorVa >> lve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) >> ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final] >> at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.auth >> enticate(KeycloakAuthenticatorValve.java:48) >> ~[keycloak-tomcat8-adapter-1.9.8.Final.jar!/:1.9.8.Final] >> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577) >> [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorVa >> lve.invoke(AbstractKeycloakAuthenticatorValve.java:187) >> ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final] >> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) >> [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >> [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >> 
[tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) >> [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at org.apache.coyote.http11.AbstractHttp11Processor.process(Abs >> tractHttp11Processor.java:1100) [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler >> .process(AbstractProtocol.java:687) [tomcat-embed-core-8.0.36.jar! >> /:8.0.36] >> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) >> [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) >> [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> [na:1.8.0_101] >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> [na:1.8.0_101] >> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >> [tomcat-embed-core-8.0.36.jar!/:8.0.36] >> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101] >> >> Charles Moulliard >> Sr. Pr. Software Engineer @redhat >> cmoulliard at redhat.com | work: +31 205 65 12 84 <+31%2020%20565%201284> | >> mobile: +32 473 60 40 14 <+32%20473%2060%2040%2014> >> Twitter: @cmoulliard | blog: >> cmoulliard.github.io >> committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, >> jbpm, deltaspike >> >> On Wed, Dec 14, 2016 at 8:56 AM, Stian Thorgersen >> wrote: >> >>> Your guess is correct. Or you can also use the much more complicated way >>> of using basic auth header for client id and secret, but let's not get into >>> that ;) >>> >>> On 14 December 2016 at 08:54, Sebastien Blanc wrote: >>> >>>> I guess "-d client_secret=my_secret" ? ;) >>>> >>>> On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard >>> > wrote: >>>> >>>>> How do I provide the client secret within the curl request ? 
An example >>>>> would be great ;-) >>>>> >>>>> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen >>>> > >>>>> wrote: >>>>> >>>>> > Error message is pretty self explanatory here - you're missing the >>>>> client >>>>> > secret >>>>> > >>>>> > On 14 December 2016 at 08:17, Charles Moulliard >>>> > >>>>> > wrote: >>>>> > >>>>> >> Hi, >>>>> >> >>>>> >> Why do I get this error when I issue tthis curl request to get a >>>>> token >>>>> >> >>>>> >> curl -sk -X POST >>>>> >> https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/re >>>>> >> alms/master/protocol/openid-connect/token >>>>> >> -d >>>>> >> >>>> ealms/master/protocol/openid-connect/token-d> >>>>> >> grant_type=password -d username=admin -d password=admin -d >>>>> >> client_id=demoapp >>>>> >> >>>>> >> {"error_description":"Client secret not provided in >>>>> >> request","error":"unauthorized_client"} >>>>> >> >>>>> >> Keycloak Version : 1.9.8 >>>>> >> client_id: demoapp >>>>> >> >>>>> >> Do I have to set another filed instead of username/password & >>>>> >> grant_type=password ? >>>>> >> >>>>> >> Regards, >>>>> >> >>>>> >> Charles >>>>> >> _______________________________________________ >>>>> >> keycloak-user mailing list >>>>> >> keycloak-user at lists.jboss.org >>>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >> >>>>> > >>>>> > >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> > From lists at merit.unu.edu Wed Dec 14 07:42:18 2016 From: lists at merit.unu.edu (mj) Date: Wed, 14 Dec 2016 13:42:18 +0100 Subject: [keycloak-user] chrome on windows In-Reply-To: References: <397e3095-c4a3-4c27-92de-97c56b65d569@merit.unu.edu> Message-ID: <2db024e8-c382-3d64-d834-a9b84b93d159@merit.unu.edu> On 12/13/2016 09:23 PM, Marek Posolda wrote: > Depends what exactly means "I disabled kerberos" ? 
> Did you switch the SPNEGO authenticator in the "Browser" authenticationFlow of your realm
> to DISABLED?

I meant in keycloak, in my realm config.

MJ

From RLewis at carbonite.com Wed Dec 14 07:54:26 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Wed, 14 Dec 2016 12:54:26 +0000
Subject: [keycloak-user] Using Keycloak with Microsoft Azure Active Directory
In-Reply-To:
References:
Message-ID: <680D2F13-0BBC-48D0-A65D-E480EA2584C1@carbonite.com>

I figured it out. I needed to add a mapper in order to get the email.

Thank you.

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Wednesday, December 14, 2016 at 12:55 AM
To: Reed Lewis
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Using Keycloak with Microsoft Azure Active Directory

So the issue is that you're missing the email address? You probably just need to tweak the scope setting on the provider (try adding email)

On 9 December 2016 at 14:07, Reed Lewis wrote:

I am attempting to use Microsoft Azure Active Directory with Keycloak. It is not working correctly. Here is how I have it configured:

OpenID Connect V1.0
Enabled: On
Store Tokens: On
Store Tokens Readable: On
Trust Email: On
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
Logout URL:
Backchannel Logout: Off
User Info URL:
First Login Flow: First Broker Login

It directs me to the Microsoft page to login correctly, but when it comes back to keycloak, it only has the first and last name, but no email address. Is there something I have configured incorrectly? I also tried to use the built in Microsoft connector, but that does not work with Azure Active Directory.
Thank you,
Reed Lewis

From favez.steve at gmail.com Wed Dec 14 08:06:16 2016
From: favez.steve at gmail.com (Steve Favez)
Date: Wed, 14 Dec 2016 14:06:16 +0100
Subject: [keycloak-user] programmatic authentication flow
Message-ID:

Hi all,

I'd like to implement the following use case. I need a Browser authentication flow that will add, after the User / Password Form Authenticator, a kind of "access rules" authenticator that will, according to some request parameters (for example, ip address, or application), dynamically add a second factor authenticator to the flow (like OTP or SMS). Furthermore, I'd like to be able to provide a choice of 2FA systems to the end user (for example, we provide a set of second factors, and the end user can choose the one he'd like to use). So, if some "strong authentication" criteria are matched during the browser authentication process, after providing user and password, the user will get a form allowing him to choose the second factor system he'd like to use to authenticate. My goal is to be able to reuse existing authenticators (so, not to write a big 2fa authenticator with all authenticators duplicated inside).

Thanks in advance for your valuable input

Cheers
St

From java at neposoft.com Wed Dec 14 08:08:57 2016
From: java at neposoft.com (java_os)
Date: Wed, 14 Dec 2016 08:08:57 -0500
Subject: [keycloak-user] Spring sec - roles - how?
In-Reply-To:
References:
Message-ID: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com>

Hi Sebastien
Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? Client level in kc, any pointers on how this is done? Getting in the value from claim and set it into the MY_MAPPED_LDAP_ROLE??

I am guessing all logged in users (within the client) will take the role above, whose value will be the claim coming in from idp.
Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets defined in KC? Am a bit confused how spring-sec gets the value of the MY_MAPPED_LDAP_ROLE. Am going to dig more on my side, but would be nice if you can shed more light from role setup in KC. Thanks > Is this not working ? > http.authorizeRequests().antMatchers("/products*").hasRole("MY_MAPPED_LDAP_ROLE") > ? > > > > > On Tue, Dec 13, 2016 at 11:51 PM, java_os wrote: > >> Hi All, >> I put up this question a while back and now back to it since no answer, >> this time with some hope. >> I have this SPA (keycloak.js) calling into Rest api bearer protected by >> KC >> - all good. >> I use KC brokering, so on the Idp side ADFS . User logs in against idp, >> where in ADFS is configured with a claim that acts as a role. On SPA I >> can >> map out that claim from the token. >> The rest api is protected by kc spring sec. I want (and this is what I >> do >> not know) to configure spring sec to react when the call is made to a >> specific rest endpoint when the user does not have a specific role >> (returning 401). >> How can I do this spring sec way - how can I configure spring sec to say >> check at runtime the users's role for a specific endpoint and deny >> access >> to the resource. >> The big un-known to me is: how does KC client role (which is some static >> config) relates to the runtime user's role coming from Idp. >> Anyone has done this - am sure this is a common use case. >> Whoever knows this please share. >> Thank you and appreciate it. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From sblanc at redhat.com Wed Dec 14 08:27:23 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 14 Dec 2016 14:27:23 +0100 Subject: [keycloak-user] Spring sec - roles - how? 
In-Reply-To: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com> References: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com> Message-ID: You said that your SPA client can read out the roles from the token, well for the Spring-sec app is exactly the same. When your SPA sends a request to it, it also passes the token, the Spring-sec adapter will extract the roles from there (happens here https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java#L91-L93 ). On Wed, Dec 14, 2016 at 2:08 PM, java_os wrote: > Hi Sebastien > Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? Client > level in kc, any pointers on how this is done? Getting in the value from > claim and set it into the MY_MAPPED_LDAP_ROLE?? > > I am guessing all logged in users (withing the client) will take the role > above which value will be the claim coming into from idp. > Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the > actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets > defined in KC? Am a bit confused how spring-sec gets the value of the > MY_MAPPED_LDAP_ROLE. > > Am going to dig more on my side, but would be nice if you can shed more > light from role setup in KC. > Thanks > > > > Is this not working ? > > http.authorizeRequests().antMatchers("/products*"). > hasRole("MY_MAPPED_LDAP_ROLE") > > ? > > > > > > > > > > On Tue, Dec 13, 2016 at 11:51 PM, java_os wrote: > > > >> Hi All, > >> I put up this question a while back and now back to it since no answer, > >> this time with some hope. > >> I have this SPA (keycloak.js) calling into Rest api bearer protected by > >> KC > >> - all good. > >> I use KC brokering, so on the Idp side ADFS . User logs in against idp, > >> where in ADFS is configured with a claim that acts as a role. On SPA I > >> can > >> map out that claim from the token. 
> >> The rest api is protected by kc spring sec. I want (and this is what I > >> do > >> not know) to configure spring sec to react when the call is made to a > >> specific rest endpoint when the user does not have a specific role > >> (returning 401). > >> How can I do this spring sec way - how can I configure spring sec to say > >> check at runtime the users's role for a specific endpoint and deny > >> access > >> to the resource. > >> The big un-known to me is: how does KC client role (which is some static > >> config) relates to the runtime user's role coming from Idp. > >> Anyone has done this - am sure this is a common use case. > >> Whoever knows this please share. > >> Thank you and appreciate it. > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > From olivier.lievre at altran.com Wed Dec 14 08:29:46 2016 From: olivier.lievre at altran.com (LIEVRE Olivier) Date: Wed, 14 Dec 2016 13:29:46 +0000 Subject: [keycloak-user] client IP not real one with openshift Message-ID: <5E0EBD68B410924EADA89C5CBD233CD06474D540@XMB-DCFR-35.europe.corp.altran.com> Hi, We are using keycloak under Openshift (with a passthrough TLS route), unfortunately, the IP address of the client connecting to keycloak is always 11.1.0.1 instead of his real one. Is there some configuration needed in keycloak to get the right IP address? KR, Olivier From cmoullia at redhat.com Wed Dec 14 08:47:19 2016 From: cmoullia at redhat.com (Charles Moulliard) Date: Wed, 14 Dec 2016 14:47:19 +0100 Subject: [keycloak-user] Bash script with curls requests to create a realm, user, clientid, ... Message-ID: Hi, Is there a bash script that I could use to configure a new realm, clientid, role using curl requests (http://www.keycloak.org/docs/rest-api/) ? 
Regards, Charles From sthorger at redhat.com Wed Dec 14 08:48:10 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 14 Dec 2016 14:48:10 +0100 Subject: [keycloak-user] client IP not real one with openshift In-Reply-To: <5E0EBD68B410924EADA89C5CBD233CD06474D540@XMB-DCFR-35.europe.corp.altran.com> References: <5E0EBD68B410924EADA89C5CBD233CD06474D540@XMB-DCFR-35.europe.corp.altran.com> Message-ID: Please see https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html it's all explained there On 14 December 2016 at 14:29, LIEVRE Olivier wrote: > Hi, > > We are using keycloak under Openshift (with a passthrough TLS route), > unfortunately, the IP address of the client connecting to keycloak is > always 11.1.0.1 instead of his real one. > > Is there some configuration needed in keycloak to get the right IP address? > > KR, > Olivier > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From chris.savory at edlogics.com Wed Dec 14 08:52:05 2016 From: chris.savory at edlogics.com (Chris Savory) Date: Wed, 14 Dec 2016 13:52:05 +0000 Subject: [keycloak-user] Keycloak Memory Settings In-Reply-To: References: <03DA883C-6719-482F-A433-86D23BD91319@edlogics.com> Message-ID: <37B9C7BF-67F2-47B9-88C0-51594CAFF7CC@edlogics.com> Okay, we can do that. I thought RH-SSO was based on keycloak 1.9.8 and the recommended memory settings would be the same. -- Christopher Savory Software Engineer | EdLogics From: Stian Thorgersen Reply-To: "stian at redhat.com" Date: Tuesday, December 13, 2016 at 11:30 PM To: Chris Savory Cc: "keycloak-user at lists.jboss.org" , Aaron Daniels Subject: Re: [keycloak-user] Keycloak Memory Settings For RH-SSO it would be better to raise a support ticket rather than asking here.
On 13 December 2016 at 21:43, Chris Savory wrote: We are using RH SSO 7.0 and I am performing a loadtest for our site. Currently I'm stuck at going above 200 virtual users because keycloak gets too slow at that point and the long running login threads on our site begin to bog down the rest of the site functions. Currently we are using SSO Standalone, and are planning to run in cluster mode as soon as we upgrade to 7.0.2 because of the cluster bug. https://access.redhat.com/solutions/2427361 While our operations guys are working on getting the cluster functionality working, I wanted to verify the memory settings on our standalone instance are optimized and that there wasn't something we could do there as well. Here are the current startup settings. JAVA_OPTS: -server -verbose:gc -Xloggc:"/opt/eap/standalone/log/gc.log" -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.logmanager,jdk.nashorn.api -Djava.awt.headless=true -Xbootclasspath/p:/opt/eap/jboss-modules.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.0.3.Final-redhat-1.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/javax.json-1.0.4.jar:/opt/eap/modules/system/layers/base/org/jboss/logmanager/ext/main/jboss-logmanager-ext-1.0.0.Alpha2-redhat-1.jar -Djava.util.logging.manager=org.jboss.logmanager.LogManager -javaagent:/opt/eap/jolokia.jar=port=8778,protocol=https,caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt,clientPrincipal=cn=system:master-proxy,useSslClientAuthentication=true,extraClientCheck=true,host=0.0.0.0,discoveryEnabled=false -Djava.security.egd=file:/dev/./urandom I'm not sure where all these settings came from as the guy that set it up is no longer here.
We are running SSO inside a docker container inside of OpenShift OpenShift Master: v1.2.1 Kubernetes Master: v1.2.0-36-g4a3f9c5 -- Christopher Savory Software Engineer | EdLogics _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Dec 14 08:55:51 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 14 Dec 2016 14:55:51 +0100 Subject: [keycloak-user] Keycloak Memory Settings In-Reply-To: <37B9C7BF-67F2-47B9-88C0-51594CAFF7CC@edlogics.com> References: <03DA883C-6719-482F-A433-86D23BD91319@edlogics.com> <37B9C7BF-67F2-47B9-88C0-51594CAFF7CC@edlogics.com> Message-ID: Yes/no - RH-SSO is Keycloak 1.9.8.Final, but it's based on top of EAP rather than WildFly. EAP is by default tuned more for production use, while WildFly is tuned more for development needs. In either case if you're using RH-SSO and have a subscription for it you'll get more help from the proper support staff than we are able to provide on the community forums. On 14 December 2016 at 14:52, Chris Savory wrote: > Okay, we can do that. I thought RH-SSO was based on keycloak 1.9.8 and > the recommended memory settings would be the same. > > -- > Christopher Savory > Software Engineer | EdLogics > > > > > From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Tuesday, December 13, 2016 at 11:30 PM > To: Chris Savory > Cc: "keycloak-user at lists.jboss.org" , > Aaron Daniels > Subject: Re: [keycloak-user] Keycloak Memory Settings > > For RH-SSO it would be better to raise a support ticket rather than asking > here. > > On 13 December 2016 at 21:43, Chris Savory > wrote: > We are using RH SSO 7.0 and I am performing a loadtest for our site. > Currently I'm stuck at going above 200 virtual users because keycloak gets > too slow at that point and the long running login threads on our site begin > to bog down the rest of the site functions.
> > Currently we are using SSO Standalone, and are planning to run in cluster > mode as soon as we upgrade to 7.0.2 because of the cluster bug. > https://access.redhat.com/solutions/2427361 > > While our operations guys are working on getting the cluster functionality > working, I wanted to verify the memory settings on our standalone instance > are optimized and that there wasn't something we could do there as well. > Here are the current startup settings. > > JAVA_OPTS: -server -verbose:gc -Xloggc:"/opt/eap/standalone/log/gc.log" > -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation > -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading > -Xms1303m -Xmx1303m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m > -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs= > org.jboss.logmanager,jdk.nashorn.api -Djava.awt.headless=true > -Xbootclasspath/p:/opt/eap/jboss-modules.jar:/opt/eap/ > modules/system/layers/base/org/jboss/logmanager/main/ > jboss-logmanager-2.0.3.Final-redhat-1.jar:/opt/eap/modules/ > system/layers/base/org/jboss/logmanager/ext/main/javax. > json-1.0.4.jar:/opt/eap/modules/system/layers/base/ > org/jboss/logmanager/ext/main/jboss-logmanager-ext-1.0.0.Alpha2-redhat-1.jar > -Djava.util.logging.manager=org.jboss.logmanager.LogManager > -javaagent:/opt/eap/jolokia.jar=port=8778,protocol=https, > caCert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt, > clientPrincipal=cn=system:master-proxy,useSslClientAuthentication= > true,extraClientCheck=true,host=0.0.0.0,discoveryEnabled=false > -Djava.security.egd=file:/dev/./urandom > > I'm not sure where all these settings came from as the guy that set it up > is no longer here.
> > We are running SSO inside a docker container inside of OpenShift > > OpenShift Master: v1.2.1 > Kubernetes Master: v1.2.0-36-g4a3f9c5 > > -- > Christopher Savory > Software Engineer | EdLogics > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From sthorger at redhat.com Wed Dec 14 08:58:09 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 14 Dec 2016 14:58:09 +0100 Subject: [keycloak-user] Bash script with curls requests to create a realm, user, clientid, ... In-Reply-To: References: Message-ID: We'll soon have an Admin CLI. Should be available in 2.5.0.CR1 due to be released next week. On 14 December 2016 at 14:47, Charles Moulliard wrote: > Hi, > > Is there a bash script that I could use to configure a new realm, clientid, > role using curl requests (http://www.keycloak.org/docs/rest-api/) ? > > Regards, > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Edgar at info.nl Wed Dec 14 09:37:52 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Wed, 14 Dec 2016 14:37:52 +0000 Subject: [keycloak-user] Setting the 'Credentials - Temporary' flag on when creating a new user causes the user to be disabled in MSAD/LDAP(?) In-Reply-To: References: <69CC0F70-911C-41A9-B4F0-EF1A61D91D6A@info.nl> Message-ID: <190E08E2-41F4-4278-AD69-9A87F5A603D4@info.nl> Hi Stian, thanks for the reply. I created a JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-4046 cheers Edgar On 14 Dec 2016, at 06:38, Stian Thorgersen > wrote: Seems like a bug to me - can you create a JIRA please? 
On 2 December 2016 at 09:04, Edgar Vonk - Info.nl > wrote: hi, Since we migrated from Keycloak 2.0.0.Final to 2.3.0.Final we noticed the following behaviour: 1/ create a new user in Keycloak from the Keycloak admin UI 2/ set a password in the Credentials tab and leave the 'Temporary' flag set to on 3/ if you look in Active Directory (we use an LDAP provider with MSAD account controls) the user's userAccountControl attribute is now set to 546. This means: 'Disabled, Password Not Required' 4/ when the user attempts to log in she gets an error message saying that the account is inactive; also the 'User Enabled' flag in Keycloak now suddenly changes from enabled to disabled This is the process we used to follow in Keycloak 2.0.0.Final to create users but it stopped working in 2.3.0.Final. After having spent quite some time tracking the issue down we found out that it was the 'Temporary' flag in the Credentials tab that causes this issue. When we set this flag to false (i.e. not a temporary password) we see that in AD the userAccountControl attribute is set to its normal value 512 as we would expect. Now the user can log in normally. Is this a bug introduced after 2.0.0.Final or a desired change in behaviour? I could not find a JIRA issue regarding this change. PS: we are confused about the 'Temporary' flag in any case. Exactly what is it meant for? The fact that a user needs to change her password on first login does not seem to be controlled by this flag in any case but rather by the Required User Action with value 'Change password'? cheers, Edgar _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From java at neposoft.com Wed Dec 14 10:24:03 2016 From: java at neposoft.com (java_os) Date: Wed, 14 Dec 2016 10:24:03 -0500 Subject: [keycloak-user] Spring sec - roles - how?
In-Reply-To: References: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com> Message-ID: I get this Sebastien - thanks, but .... My point is: where do you define MY_MAPPED_LDAP_ROLE in KC? How is a user able to 'acquire' automatically this MY_MAPPED_LDAP_ROLE and who's setting the claim value into MY_MAPPED_LDAP_ROLE? am a bit confused thx > You said that your SPA client can read out the roles from the token, well > for the Spring-sec app is exactly the same. When your SPA sends a request > to it, it also passes the token, the Spring-sec adapter will extract the > roles from there (happens here > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/SpringSecurityRequestAuthenticator.java#L91-L93 > ). > > > > > > On Wed, Dec 14, 2016 at 2:08 PM, java_os wrote: > >> Hi Sebastien >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? Client >> level in kc, any pointers on how this is done? Getting in the value from >> claim and set it into the MY_MAPPED_LDAP_ROLE?? >> >> I am guessing all logged in users (within the client) will take the >> role >> above which value will be the claim coming into from idp. >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets >> defined in KC? Am a bit confused how spring-sec gets the value of the >> MY_MAPPED_LDAP_ROLE. >> >> Am going to dig more on my side, but would be nice if you can shed more >> light from role setup in KC. >> Thanks >> >> >> > Is this not working ? >> > http.authorizeRequests().antMatchers("/products*"). >> hasRole("MY_MAPPED_LDAP_ROLE") >> > ? >> > >> > >> > >> > >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os wrote: >> > >> >> Hi All, >> >> I put up this question a while back and now back to it since no >> answer, >> >> this time with some hope.
>> >> I have this SPA (keycloak.js) calling into Rest api bearer protected >> by >> >> KC >> >> - all good. >> >> I use KC brokering, so on the Idp side ADFS . User logs in against >> idp, >> >> where in ADFS is configured with a claim that acts as a role. On SPA >> I >> >> can >> >> map out that claim from the token. >> >> The rest api is protected by kc spring sec. I want (and this is what >> I >> >> do >> >> not know) to configure spring sec to react when the call is made to a >> >> specific rest endpoint when the user does not have a specific role >> >> (returning 401). >> >> How can I do this spring sec way - how can I configure spring sec to >> say >> >> check at runtime the users's role for a specific endpoint and deny >> >> access >> >> to the resource. >> >> The big un-known to me is: how does KC client role (which is some >> static >> >> config) relates to the runtime user's role coming from Idp. >> >> Anyone has done this - am sure this is a common use case. >> >> Whoever knows this please share. >> >> Thank you and appreciate it. >> >> >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >> >> >> > From Edgar at info.nl Wed Dec 14 10:34:11 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Wed, 14 Dec 2016 15:34:11 +0000 Subject: [keycloak-user] Retrieve number of times users have logged in? In-Reply-To: References: <7C3A82AC-0463-4C99-A40F-34C9E6BBC20C@info.nl> Message-ID: <506990D8-7DFD-464D-A189-0649A526A7B6@info.nl> Ah yes, forgot about those.. Thanks Stian! On 14 Dec 2016, at 10:55, Stian Thorgersen > wrote: If you enable login events you can use the admin rest endpoints to retrieve all login events for a particular user. Beyond that you'd have to either create a custom rest provider that provides the data as you want or query the db directly (the events table is pretty simple). 
On 14 December 2016 at 09:35, Edgar Vonk - Info.nl > wrote: hi, It is possible somehow to get the stats about the number of times users have logged into/authenticated from Keycloak somehow? Maybe from the database? Or is this information not stored? cheers _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Wed Dec 14 10:54:32 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 14 Dec 2016 16:54:32 +0100 Subject: [keycloak-user] Spring sec - roles - how? In-Reply-To: References: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com> Message-ID: I'm sorry I'm not sure what you are really asking then. I assume you defined a role mapper when you configured the LDAP brokering in KC ? So your LDAP role will be mapped to a KC role and your user will have that role. The SpringSec app needs to know these roles to be able to check. On Wed, Dec 14, 2016 at 4:24 PM, java_os wrote: > I get this Sebastien - thanks, but .... > My point is: where do you define MY_MAPPED_LDAP_ROLE in KC? > How is a user be able to 'aquire' automatically this MY_MAPPED_LDAP_ROLE > and who's setting the claim value into MY_MAPPED_LDAP_ROLE? > am a bit confused > thx > > > > You said that your SPA client can read out the roles from the token, well > > for the Spring-sec app is exactly the same. When your SPA sends a request > > to it, it also passes the token, the Spring-sec adapter will extract the > > roles from there (happens here > > https://github.com/keycloak/keycloak/blob/master/adapters/ > oidc/spring-security/src/main/java/org/keycloak/adapters/ > springsecurity/authentication/SpringSecurityRequestAuthentic > ator.java#L91-L93 > > ). > > > > > > > > > > > > On Wed, Dec 14, 2016 at 2:08 PM, java_os wrote: > > > >> Hi Sebastien > >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? 
Client > >> level in kc, any pointers on how this is done? Getting in the value from > >> claim and set it into the MY_MAPPED_LDAP_ROLE?? > >> > >> I am guessing all logged in users (withing the client) will take the > >> role > >> above which value will be the claim coming into from idp. > >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check the > >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE gets > >> defined in KC? Am a bit confused how spring-sec gets the value of the > >> MY_MAPPED_LDAP_ROLE. > >> > >> Am going to dig more on my side, but would be nice if you can shed more > >> light from role setup in KC. > >> Thanks > >> > >> > >> > Is this not working ? > >> > http.authorizeRequests().antMatchers("/products*"). > >> hasRole("MY_MAPPED_LDAP_ROLE") > >> > ? > >> > > >> > > >> > > >> > > >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os wrote: > >> > > >> >> Hi All, > >> >> I put up this question a while back and now back to it since no > >> answer, > >> >> this time with some hope. > >> >> I have this SPA (keycloak.js) calling into Rest api bearer protected > >> by > >> >> KC > >> >> - all good. > >> >> I use KC brokering, so on the Idp side ADFS . User logs in against > >> idp, > >> >> where in ADFS is configured with a claim that acts as a role. On SPA > >> I > >> >> can > >> >> map out that claim from the token. > >> >> The rest api is protected by kc spring sec. I want (and this is what > >> I > >> >> do > >> >> not know) to configure spring sec to react when the call is made to a > >> >> specific rest endpoint when the user does not have a specific role > >> >> (returning 401). > >> >> How can I do this spring sec way - how can I configure spring sec to > >> say > >> >> check at runtime the users's role for a specific endpoint and deny > >> >> access > >> >> to the resource. 
> >> >> The big un-known to me is: how does KC client role (which is some > >> static > >> >> config) relates to the runtime user's role coming from Idp. > >> >> Anyone has done this - am sure this is a common use case. > >> >> Whoever knows this please share. > >> >> Thank you and appreciate it. > >> >> > >> >> > >> >> _______________________________________________ > >> >> keycloak-user mailing list > >> >> keycloak-user at lists.jboss.org > >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> >> > >> > > >> > >> > >> > > > > > From java at neposoft.com Wed Dec 14 11:18:49 2016 From: java at neposoft.com (java_os) Date: Wed, 14 Dec 2016 11:18:49 -0500 Subject: [keycloak-user] Spring sec - roles - how? In-Reply-To: References: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com> Message-ID: <69dafa24d91a7789ae67ad10d89d9ee4.squirrel@neposoft.com> Sebastien, sorry - yes done the role mapper in the brokering totally forgot about this - so I guess this is how ldap role propagates to the users' role. OK - got the big picture -rest impl details. You got me out of the swamp 2nd time - thanks > I'm sorry I'm not sure what you are really asking then. > I assume you defined a role mapper when you configured the LDAP brokering > in KC ? So your LDAP role will be mapped to a KC role and your user will > have that role. > > The SpringSec app needs to know these roles to be able to check. > > > On Wed, Dec 14, 2016 at 4:24 PM, java_os wrote: > >> I get this Sebastien - thanks, but .... >> My point is: where do you define MY_MAPPED_LDAP_ROLE in KC? >> How is a user be able to 'aquire' automatically this MY_MAPPED_LDAP_ROLE >> and who's setting the claim value into MY_MAPPED_LDAP_ROLE? >> am a bit confused >> thx >> >> >> > You said that your SPA client can read out the roles from the token, >> well >> > for the Spring-sec app is exactly the same. 
When your SPA sends a >> request >> > to it, it also passes the token, the Spring-sec adapter will extract >> the >> > roles from there (happens here >> > https://github.com/keycloak/keycloak/blob/master/adapters/ >> oidc/spring-security/src/main/java/org/keycloak/adapters/ >> springsecurity/authentication/SpringSecurityRequestAuthentic >> ator.java#L91-L93 >> > ). >> > >> > >> > >> > >> > >> > On Wed, Dec 14, 2016 at 2:08 PM, java_os wrote: >> > >> >> Hi Sebastien >> >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? >> Client >> >> level in kc, any pointers on how this is done? Getting in the value >> from >> >> claim and set it into the MY_MAPPED_LDAP_ROLE?? >> >> >> >> I am guessing all logged in users (withing the client) will take the >> >> role >> >> above which value will be the claim coming into from idp. >> >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check >> the >> >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE >> gets >> >> defined in KC? Am a bit confused how spring-sec gets the value of the >> >> MY_MAPPED_LDAP_ROLE. >> >> >> >> Am going to dig more on my side, but would be nice if you can shed >> more >> >> light from role setup in KC. >> >> Thanks >> >> >> >> >> >> > Is this not working ? >> >> > http.authorizeRequests().antMatchers("/products*"). >> >> hasRole("MY_MAPPED_LDAP_ROLE") >> >> > ? >> >> > >> >> > >> >> > >> >> > >> >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os >> wrote: >> >> > >> >> >> Hi All, >> >> >> I put up this question a while back and now back to it since no >> >> answer, >> >> >> this time with some hope. >> >> >> I have this SPA (keycloak.js) calling into Rest api bearer >> protected >> >> by >> >> >> KC >> >> >> - all good. >> >> >> I use KC brokering, so on the Idp side ADFS . User logs in against >> >> idp, >> >> >> where in ADFS is configured with a claim that acts as a role. On >> SPA >> >> I >> >> >> can >> >> >> map out that claim from the token. 
>> >> >> The rest api is protected by kc spring sec. I want (and this is >> what >> >> I >> >> >> do >> >> >> not know) to configure spring sec to react when the call is made >> to a >> >> >> specific rest endpoint when the user does not have a specific role >> >> >> (returning 401). >> >> >> How can I do this spring sec way - how can I configure spring sec >> to >> >> say >> >> >> check at runtime the users's role for a specific endpoint and deny >> >> >> access >> >> >> to the resource. >> >> >> The big un-known to me is: how does KC client role (which is some >> >> static >> >> >> config) relates to the runtime user's role coming from Idp. >> >> >> Anyone has done this - am sure this is a common use case. >> >> >> Whoever knows this please share. >> >> >> Thank you and appreciate it. >> >> >> >> >> >> >> >> >> _______________________________________________ >> >> >> keycloak-user mailing list >> >> >> keycloak-user at lists.jboss.org >> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> > >> >> >> >> >> >> >> > >> >> >> > From Dana.Danet at Evisions.com Wed Dec 14 11:25:42 2016 From: Dana.Danet at Evisions.com (Dana Danet) Date: Wed, 14 Dec 2016 16:25:42 +0000 Subject: [keycloak-user] Technical Guidance Message-ID: <1CDCBEFB-CD05-4537-AB7E-11CC3F97D9BC@evisions.com> I just recently introduced KC to a Spring Cloud micro-service environment as the IDM and OAuth manager of JWT tokens. Front end clients are implementing the javascript adapter and backend Spring Boot services are implemented with the Spring Security adapter (not boot adapter). Our Service Gateway (Zuul) simply passes the token to backend services. My question is regarding offloading AuthN and IDP to external systems and then brokering to Keycloak for JWT creation. Which would look something like (Customer on premise AuthN) -> Ping -> Keycloak. Ping has been introduced purely as an SP to handle customers' implementations of Shibboleth and InCommon.
Initially I was thinking that IDP - Ping SP mapping is all done via Ping and then a canonical SAML exchange to Keycloak. Is this possible? I would appreciate some guidance here. -dana From tsdgcc2087 at outlook.com Wed Dec 14 14:18:52 2016 From: tsdgcc2087 at outlook.com (Matt H) Date: Wed, 14 Dec 2016 19:18:52 +0000 Subject: [keycloak-user] Sessions vs Tokens Message-ID: I'm not sure how best to describe this but I have seen times when I called a secured endpoint (secured with spring security adapter) but a token was not passed and I was able to gain access. The first time I went to a secured endpoint I had to log into keycloak to authenticate, but then on each request, only a session id was passed and no JWT. Is this the standard behavior? If there is no JWT, where are the claims read from? Matt From sam at focus21.io Wed Dec 14 16:15:44 2016 From: sam at focus21.io (Samuel Lewis) Date: Wed, 14 Dec 2016 16:15:44 -0500 Subject: [keycloak-user] Cluster Configuration Message-ID: Have the setup steps for clustering with Docker changed since the April 2015 blog post? When I go through those instructions with version 2.0.0.Final I'm not getting anything like 'Received new cluster view: [b5356f1050cc/keycloak|1] (2) [b5356f1050cc/keycloak, f25f922ce14d/keycloak]' in the logs. I only ever see a single node being listed. From roger.turnau at pwc.com Wed Dec 14 21:50:46 2016 From: roger.turnau at pwc.com (Roger Turnau (US - Advisory)) Date: Wed, 14 Dec 2016 16:50:46 -1000 Subject: [keycloak-user] AngularJS Example for execute-actions-email REST Request Message-ID: Hi all, Can someone show me a quick example of how to create (preferably in AngularJS) the PUT request to send an execute-actions-email to a user? I'm building a service in AngularJS to call the Admin REST service. I can get the access token and make GET requests just fine, but the PUT request on execute-actions-email is giving me errors. 
Here's what I have so far:

$http.put("http://localhost:8380/auth/admin/realms/realm1/users/bob/execute-actions-email",
  {
    actions: 'VERIFY_EMAIL&UPDATE_PASSWORD'
  },
  {
    headers: {
      Authorization: "Bearer eyJhb...",
      Content-type: "application/json"
    }
  });

But this gets the following error in Keycloak:

16:46:15,961 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002005: Failed executing PUT /admin/realms/realm1/users/bob/execute-actions-email: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
 at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@10fb0244; line: 1, column: 1]
    at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
    at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    ...

It seems not to like that second parameter, but I can't tell why. I appreciate any help you can give on this one. I have no idea how this request is supposed to look.

Thank you,

Roger Turnau

______________________________________________________________________
The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer.
PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.

From sblanc at redhat.com Thu Dec 15 01:20:06 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 15 Dec 2016 07:20:06 +0100
Subject: [keycloak-user] AngularJS Example for execute-actions-email REST Request
In-Reply-To:
References:
Message-ID:

actions is expecting a string array, so maybe something like:

actions: ['VERIFY_EMAIL','UPDATE_PASSWORD'] ?

On Thu, Dec 15, 2016 at 3:50 AM, Roger Turnau (US - Advisory) <roger.turnau at pwc.com> wrote:
> Hi all,
>
> Can someone show me a quick example of how to create (preferably in AngularJS) the PUT request to send an execute-actions-email to a user?
>
> I'm building a service in AngularJS to call the Admin REST service. I can get the access token and make GET requests just fine, but the PUT request on execute-actions-email is giving me errors.
>
> Here's what I have so far:
>
> $http.put("http://localhost:8380/auth/admin/realms/realm1/users/bob/execute-actions-email",
>   {
>     actions: 'VERIFY_EMAIL&UPDATE_PASSWORD'
>   },
>   {
>     headers: {
>       Authorization: "Bearer eyJhb...",
>       Content-type: "application/json"
>     }
>   });
>
> But this gets the following error in Keycloak:
>
> 16:46:15,961 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002005: Failed executing PUT /admin/realms/realm1/users/bob/execute-actions-email: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
>  at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@10fb0244; line: 1, column: 1]
>     at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
>     at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     ...
>
> It seems not to like that second parameter, but I can't tell why. I appreciate any help you can give on this one. I have no idea how this request is supposed to look.
>
> Thank you,
>
> Roger Turnau

From roger.turnau at pwc.com Thu Dec 15 02:29:30 2016
From: roger.turnau at pwc.com (Roger Turnau (US - Advisory))
Date: Wed, 14 Dec 2016 21:29:30 -1000
Subject: [keycloak-user] AngularJS Example for execute-actions-email REST Request
In-Reply-To:
References:
Message-ID:

Sebastien,

Thank you! That sorted it out. The only other error I got was that I needed the user's ID rather than the username. Now the email is sending.
Thanks again,

Roger Turnau

On Wed, Dec 14, 2016 at 8:20 PM, Sebastien Blanc wrote:
> actions is expecting a string array, so maybe something like:
> actions: ['VERIFY_EMAIL','UPDATE_PASSWORD'] ?

-- 
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau at pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us

Save energy. Save a tree. Save the printing for something really important.

From roger.turnau at pwc.com Thu Dec 15 02:35:21 2016
From: roger.turnau at pwc.com (Roger Turnau (US - Advisory))
Date: Wed, 14 Dec 2016 21:35:21 -1000
Subject: [keycloak-user] AngularJS Example for execute-actions-email REST Request
In-Reply-To:
References:
Message-ID:

For anyone who stumbles upon this answer later, here's the code that worked for me. Besides putting the actions in an array, I also had to use the user ID rather than the username.

$http.put("http://localhost:8380/auth/admin/realms/realm1/users/09cf5f68-4ac0-4a87-a418-cb4bb7ddec91/execute-actions-email",
  ['VERIFY_EMAIL', 'UPDATE_PASSWORD'],
  {
    headers: {
      Authorization: "Bearer eyJhb...",
      Content-type: "application/json"
    }
  });

On Wed, Dec 14, 2016 at 9:29 PM, Roger Turnau (US - Advisory) <roger.turnau at pwc.com> wrote:
> Sebastien,
>
> Thank you! That sorted it out. The only other error I got was that I needed the user's ID rather than the username. Now the email is sending.
>
> Thanks again,
>
> Roger Turnau
>
> On Wed, Dec 14, 2016 at 8:20 PM, Sebastien Blanc wrote:
>> actions is expecting a string array, so maybe something like:
>> actions: ['VERIFY_EMAIL','UPDATE_PASSWORD'] ?

From michael_furman at hotmail.com Thu Dec 15 03:10:20 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 15 Dec 2016 08:10:20 +0000
Subject: [keycloak-user] How to work with SpringSecurity adapter behind HTTP proxy?
In-Reply-To:
References:
Message-ID:

Hi Sebastien,

(I have changed the subject since the root cause of the problem is different).

I have debugged the code and I have found the following.

Please look at getRedirectUri of org.keycloak.adapters.OAuthRequestAuthenticator:

It just takes the request URI and creates the redirect URI string:

protected String getRedirectUri(String state) {
    String url = this.getRequestUrl();

Please note that when you work behind a proxy getRequestUrl() will always be localhost and therefore I think the SpringSecurity adapter can not work behind an HTTP proxy.

How can I change the code in the minimal way so it will support the HTTP proxy?

Best regards,
Michael

________________________________
From: Michael Furman
Sent: Tuesday, December 13, 2016 2:25 PM
To: Sebastien Blanc
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.

Thanks Sebastien,

I see the link but supposed it is related only to Keycloak IDP.

Is it also relevant to the SpringSecurity adapter?

Will the SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers?

Best regards,
Michael

________________________________
From: Sebastien Blanc
Sent: Tuesday, December 13, 2016 2:19 PM
To: Michael Furman
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.
TBH I have not that much experience with configuring a proxy but:
- Have you looked at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html (it also covers proxy configuration)
- Search the user list, I often see questions around this, maybe you can find your answer there

On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman wrote:

Hi Sebastien,

The problem is not related to HTTPS but to the reverse proxy.

When I access the SpringSecurity adapter RP over HTTP but behind the Apache HTTPD reverse proxy (the client configuration in the IDP is also configured for HTTP) the redirect_uri is replaced with localhost:

http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid

Then, I get the error

WE'RE SORRY ...
Invalid parameter: redirect_uri

What should I configure to allow it to work with the proxy?

Any help will be appreciated.

Best regards,
Michael

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
Sent: Tuesday, December 13, 2016 1:17 PM
To: Sebastien Blanc
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.

Hi,
Important clarification:
The HTTPS handshake is done by the Apache httpd server, which is also the reverse proxy for Tomcat. Tomcat is located on the same ip. The SpringSecurity RP is deployed in Tomcat.

Best regards

On Dec 13, 2016 12:44 PM, Michael Furman wrote:

Example 2:
SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP is also configured for HTTPS)
IDP is over HTTP

Example 3:
SpringSecurity adapter RP is over HTTP (the client configuration in the IDP is also configured for HTTP)
IDP is over HTTP

BTW,
Example 1:
SpringSecurity adapter RP is over HTTPS (the client configuration in the IDP is also configured for HTTPS)
IDP is over HTTPS

________________________________
From: Sebastien Blanc
Sent: Tuesday, December 13, 2016 12:23 PM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS.

What is the difference between your example 2 and example 3?

On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman wrote:

Hi all,
I try to access from the SpringSecurity adapter over HTTPS without success.
When I try to access the IDP over HTTPS the redirect_uri is replaced with localhost:

https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid

Then I get this error in the UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri

Similarly, when I try to access the IDP over HTTP, the redirect_uri is replaced with localhost:

http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid

Same error in the UI:
WE'RE SORRY ...
Invalid parameter: redirect_uri

Only if I access from the SpringSecurity adapter over HTTP does the redirect_uri have the correct value, and it works:

http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid

Finally I can see the login page.
What is wrong in my configurations?
Any help will be appreciated.
Best regards,
Michael

From pulgupta at redhat.com Thu Dec 15 05:12:25 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Thu, 15 Dec 2016 15:42:25 +0530
Subject: [keycloak-user] Error while loading the application
In-Reply-To: <20161212190449.GB9601@abstractj.org>
References: <20161212190449.GB9601@abstractj.org>
Message-ID:

Hi Bruno,

I am consistently able to reproduce the issue if I am using any version of Xalan. However if I exclude this transitive dependency then everything works fine. I tried overriding the version of xalan to 2.7.2 but am still getting the same error.

*jar tf xxMyJarxx-SNAPSHOT.war | grep xalan*
*WEB-INF/lib/xalan-2.7.2.jar*

Not sure if I should open this as a bug with keycloak or whether there is some other workaround for this.
Regards, Pulkit On Tue, Dec 13, 2016 at 12:34 AM, Bruno Oliveira wrote: > What google told me was that is the problem[1]. But you said that nothing > has changed, which is odd. > > If you restart the server everything returns back to normal? Do you have > any idea about the steps to reproduce this issue? > > > [1] - http://stackoverflow.com/questions/18493541/invalid- > jaxp-api-when-unmarshaling-jaxb > > On 2016-12-09, Pulkit Gupta wrote: > > Hi All, > > > > We are using Keycloak SAML adapters to authenticate our applications with > > Keyclaok. > > The setup was working fine and the applications were able to authenticate > > the users. > > > > However since today we are getting the below error while loading the > > application and this is resulting in a black page for the client. > > > > Can you please check in case anyone has seen this issue before. Is this > > related to java versions as I have not changed anything in the > environments > > recently. > > > > 2016-12-09 08:08:08,875 [ajp-/10.7.24.224:8009-2] ERROR > > [org.apache.catalina.connector] JBWEB001018: An exception or error > occurred > > in the container during the request processing: > > java.lang.AbstractMethodError: > > javax.xml.transform.TransformerFactory.setFeature(Ljava/lang/String;Z)V > > at > > __redirected.__TransformerFactory.setFeature( > __TransformerFactory.java:161) > > at > > org.keycloak.saml.common.util.TransformerUtil.getTransformerFactory( > TransformerUtil.java:113) > > at > > org.keycloak.saml.common.util.TransformerUtil.getTransformer( > TransformerUtil.java:81) > > at > > org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString( > DocumentUtil.java:238) > > at > > org.keycloak.saml.common.util.DocumentUtil.asString( > DocumentUtil.java:454) > > at > > org.keycloak.saml.processing.core.util.XMLSignatureUtil. 
> sign(XMLSignatureUtil.java:340) > > at > > org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.sign( > SAML2Signature.java:143) > > at > > org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature. > signSAMLDocument(SAML2Signature.java:160) > > at > > org.keycloak.saml.BaseSAML2BindingBuilder.signDocument( > BaseSAML2BindingBuilder.java:266) > > at > > org.keycloak.saml.BaseSAML2BindingBuilder$BasePostBindingBuilder.( > BaseSAML2BindingBuilder.java:145) > > at > > org.keycloak.saml.BaseSAML2BindingBuilder.postBinding( > BaseSAML2BindingBuilder.java:208) > > at org.keycloak.adapters.saml.SamlUtil.sendSaml(SamlUtil.java:38) > > at > > org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHand > ler$5.sendAuthnRequest(AbstractSamlAuthenticationHandler.java:463) > > at > > org.keycloak.adapters.saml.AbstractInitiateLogin.challenge( > AbstractInitiateLogin.java:60) > > at > > org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve > .executeAuthenticator(AbstractSamlAuthenticatorValve.java:247) > > at > > org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve > .authenticateInternal(AbstractSamlAuthenticatorValve.java:222) > > at > > org.keycloak.adapters.saml.jbossweb.SamlAuthenticatorValve.authenticate( > SamlAuthenticatorValve.java:41) > > at > > org.apache.catalina.authenticator.AuthenticatorBase.invoke( > AuthenticatorBase.java:465) > > at > > org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke( > AbstractSamlAuthenticatorValve.java:184) > > at > > org.jboss.as.web.security.SecurityContextAssociationValve.invoke( > SecurityContextAssociationValve.java:169) > > at > > org.apache.catalina.core.StandardHostValve.invoke( > StandardHostValve.java:145) > > at > > org.apache.catalina.valves.ErrorReportValve.invoke( > ErrorReportValve.java:97) > > at > > org.jboss.as.web.sso.ClusteredSingleSignOn.invoke( > ClusteredSingleSignOn.java:384) > > at org.apache.catalina.valves.AccessLogValve.invoke( > AccessLogValve.java:559) > > at > > 
org.apache.catalina.core.StandardEngineValve.invoke( > StandardEngineValve.java:102) > > at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26) > > at > > com.redhat.container.redirect.RedirectToInternalValve.invoke( > RedirectToInternalValve.java:61) > > at > > org.apache.catalina.connector.CoyoteAdapter.service( > CoyoteAdapter.java:336) > > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) > > at > > org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process( > AjpProtocol.java:420) > > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run( > JIoEndpoint.java:926) > > at java.lang.Thread.run(Thread.java:745) > > > > > > -- > > Thanks, > > Pulkit > > AMS > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > > abstractj > PGP: 0x84DC9914 > -- Thanks, Pulkit AMS From sblanc at redhat.com Thu Dec 15 05:45:29 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Thu, 15 Dec 2016 11:45:29 +0100 Subject: [keycloak-user] How to work with SpringSecurity adapter behind HTTP proxy? In-Reply-To: References: Message-ID: Hi Michael ! Before we do any code change , could you check if your answer is not in the following thread ? http://lists.jboss.org/pipermail/keycloak-user/2016-May/006287.html Looks like SpringSec should handle correctly the x-forwarded-proto and host headers ... On Thu, Dec 15, 2016 at 9:10 AM, Michael Furman wrote: > HI Sebastien, > > (I have changed the subject since the root cause of the problem is > different). > > I have debugged the code and I have found the following. > > Please look at getRedirectUri of org.keycloak.adapters. 
> OAuthRequestAuthenticator: > > It just takes the request URI and creates the redirect URI string: > > protected String getRedirectUri(String state) { > > String url = this.getRequestUrl(); > > > > Please note that when you work behind getRequestUrl() will always be > localhost and therefore I think SpringSecurity adapter can not work behind > HTTP proxy. > > > > How can I change the code in the minimal way it will support the HTTP > proxy? > > Best regards, > > Michael > > > > ------------------------------ > *From:* Michael Furman > *Sent:* Tuesday, December 13, 2016 2:25 PM > *To:* Sebastien Blanc > *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP > from SpringSecurity adapter over HTTPS. > > > Thanks Sebastien, > > I see the link but supposed it is related only to Keycloak IDP. > > Is it also relevant to SpringSecurity adapter? > > Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers? > > Best regards, > Michael > > > > ------------------------------ > *From:* Sebastien Blanc > *Sent:* Tuesday, December 13, 2016 2:19 PM > *To:* Michael Furman > *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP > from SpringSecurity adapter over HTTPS. 
> > TBH I have not that much experience with configuring a proxy but : > - Have you looked at https://keycloak.gitbooks.io/server-installation-and- > configuration/content/topics/clustering/load-balancer.html (it also cover > proxy configuration) > - Search the user list, I see often question around this maybe you can > find your answer there) > > > > On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman < > michael_furman at hotmail.com> wrote: > >> HI Sebastien, >> >> The problem is not related to HTTPS but to the reverse proxy >> >> When I access to SpringSecurity adapter RP over HTTP but behind the >> Apache HTTPD reverse proxy (the client configuration in IDP configured also >> HTTP) the redirect_uri is replaced to localhost: >> >> http://192.168.110.2:9080/auth/realms/master/protocol/openid >> -connect/auth?response_type=code&client_id=testclient& >> redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp% >> 2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836 >> &login=true&scope=openid >> >> Then, I get the error >> >> >> >> WE'RE SORRY ... >> >> Invalid parameter: redirect_uri >> >> >> >> What should I configure to allow to work with proxy? >> >> Any help will be appreciated. >> >> Best regards, >> >> Michael >> >> >> ------------------------------ >> *From:* keycloak-user-bounces at lists.jboss.org < >> keycloak-user-bounces at lists.jboss.org> on behalf of Michael Furman < >> michael_furman at hotmail.com> >> *Sent:* Tuesday, December 13, 2016 1:17 PM >> *To:* Sebastien Blanc >> >> *Cc:* keycloak-user at lists.jboss.org >> *Subject:* Re: [keycloak-user] Very strange behavior when access to IDP >> from SpringSecurity adapter over HTTPS. >> >> Hi, >> Important clarification: >> The HTTPS handshake is by Apache httpd server that is also reverse proxy >> for Tomcat. >> >> >> Tomcat is located on the same ip. >> >> SpringSecurity RP is deployed in Tomcat. 
>> >> Best regards >> >> >> >> >> On Dec 13, 2016 12:44 PM, Michael Furman >> wrote: >> >> Example 2: >> >> SpringSecurity adapter RP is over HTTPS (the client configuration in IDP >> configured also HTTPS) >> >> IDP is over HTTP >> >> >> >> Example 3: >> >> SpringSecurity adapter RP is over HTTP (the client configuration in IDP >> configured also HTTP) >> >> IDP is over HTTP >> >> >> >> BTW, >> >> Example 1: >> >> SpringSecurity adapter RP is over HTTPS (the client configuration in IDP >> configured also HTTPS) >> >> IDP is over HTTPS >> >> >> >> ________________________________ >> From: Sebastien Blanc >> Sent: Tuesday, December 13, 2016 12:23 PM >> To: Michael Furman >> Cc: keycloak-user at lists.jboss.org >> Subject: Re: [keycloak-user] Very strange behavior when access to IDP >> from SpringSecurity adapter over HTTPS. >> >> What is the difference between your example 2 and example 3 ? >> >> On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman < >> michael_furman at hotmail.com> wrote: >> Hi all, >> I try to access from SpringSecurity adapter over HTTPS without success. >> When I try to access to IDP over HTTPS the redirect_uri is replaced to >> localhost: >> >> https://192.168.110.2:8443/auth/realms/master/protocol/openi >> d-connect/auth?response_type=code&client_id=testclient& >> redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp% >> 2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084 >> &login=true&scope=openid >> >> Then I get this error in UI: >> WE'RE SORRY ... >> Invalid parameter: redirect_uri >> >> Similar, when I try to access to IDP over HTTP, the redirect_uri is >> replaced to localhost: >> http://192.168.110.2:9080/auth/realms/master/protocol/openid >> -connect/auth?response_type=code&client_id=testclient& >> redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp% >> 2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99 >> &login=true&scope=openid >> >> Same error in UI: >> WE'RE SORRY ... 
> >> Invalid parameter: redirect_uri
> >>
> >> Only if I access from the SpringSecurity adapter over HTTP does the redirect_uri have the correct value, and then it works:
> >> http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid
> >>
> >> Finally I can see the login page.
> >> What is wrong in my configurations?
> >> Any help will be appreciated.
> >> Best regards,
> >> Michael
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

From ruiwp_93 at hotmail.com Thu Dec 15 06:55:17 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Thu, 15 Dec 2016 04:55:17 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
Message-ID: <1481802917142-1974.post@n6.nabble.com>

Hello,

I am trying to do the login without the keycloak login page. If I use HttpServletRequest.authenticate() it will redirect me to the keycloak login page. Is there any way to do this without the keycloak login page?

Also, I tried making the flow by GET and POST calls to the auth and token endpoints.
I am able to get an access_token and I set the client_session_state to my current session id. When I log out all the user's sessions in keycloak through the keycloak admin-client I get a success for the "logging out the sessionId [{sessionId}]" answer and a "logout success for {Admin URL}: true", but no token is invalidated. There is no incoming request from keycloak when the logout is performed, whereas when I revoke tokens I do get the POST call to revoke tokens, so the Admin URL is OK.

Can anyone help me with this?

Best Regards

From georgijsr at scandiweb.com Thu Dec 15 07:44:56 2016
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Thu, 15 Dec 2016 14:44:56 +0200
Subject: [keycloak-user] Google as SAML SP and Keycloak as IDP - invalid_signature
Message-ID:

Hello everyone!

I'm trying to configure SSO to Google Apps, using the SAML protocol, with Keycloak as IDP and Google as SP.
Keycloak Version - 2.1.0-Final

In Keycloak, I've created a new saml client with the following settings:
----------------------------------------------------------------
Client ID - google.com/a/*mydomain*.com
Enabled - On
Consent Required - Off
Include AuthnStatement - On
Sign Documents - On
Sign Assertions - On
Signature Algorithm - RSA_SHA256
Canonicalization Method - EXCLUSIVE
Encrypt Assertions - Off
Client Signature Required - On
Force POST Binding - On
Front Channel Logout - On
Force Name ID Format - Off
Name ID Format - email
Root URL - empty
Valid Redirect URIs - empty
Base URL - /auth/realms/*keycloak realm*/protocol/saml/clients/googleapps
Master SAML Processing URL - empty
IDP Initiated SSO URL Name - googleapps
IDP Initiated SSO Relay State - empty
Assertion Consumer Service POST Binding URL - empty
Assertion Consumer Service Redirect Binding URL - https://google.com/a/*mydomain*.com/acs
logout-service-post-binding-url - empty
Logout Service Redirect Binding URL - empty
--------------------------------------------------------------

Google SSO Settings:
--------------------------------------------------------------
"Setup SSO with third party identity provider" checkbox - enabled
Sign-in page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
Sign-out page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
Change password URL - empty
Verification certificate - uploaded certificate from the keycloak realm where the Google SAML client is defined.
"Use a domain specific issuer" checkbox - enabled
---------------------------------------------------------------

The problem:

When I go to this link - https://mail.google.com/a/*mydomain*.com - to authenticate, I'm redirected back to Keycloak with an "Invalid Requester" error, and in the Keycloak log I see this: "error=invalid_signature"

What signature is Keycloak complaining about?
What is wrong with my config?
--

From bruno at abstractj.org Thu Dec 15 07:55:30 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 15 Dec 2016 10:55:30 -0200
Subject: [keycloak-user] [keycloak-dev] SAML and nodejs adapter
In-Reply-To:
References: <20161212184354.GA9601@abstractj.org>
Message-ID: <20161215125530.GA26156@abstractj.org>

Hi Corinne,

On 2016-12-13, Corinne Krych wrote:
> Thanks Bruno for your answer.
> What could be the alternative flow (hybrid OAuth/SAML) I could use with Keycloak?

I don't think we have such a thing.

> Is Keycloak implementing a flow like [1]?

No we don't, but you can log a Jira describing your use case scenario as a feature request.

> How could I achieve an external IdP (SAML based with LDAP) working with a KC service resource (using keycloak-connect for a nodejs based protected resource)?

At the moment we don't have any support for SAML in the Node.js adapter. If you have any suggestions, or better, contributions, they will be more than welcome.

> ++
> Corinne
> [1] https://tools.ietf.org/html/rfc7521
>
> On 12 December 2016 at 19:43, Bruno Oliveira wrote:
>
> > Moving this thread to keycloak-user.
> >
> > Hi Corinne, today we don't have a Node.js adapter for SAML. This is the first time that someone asks for SAML on Node.js.
> >
> > Maybe you could try passport-saml[1] or file a Jira as a feature request.
> >
> > [1] - https://github.com/bergie/passport-saml
> >
> > On 2016-12-12, Corinne Krych wrote:
> > > Hello Bruno, Sebi & KC team,
> > >
> > > I'd like to know how I could configure Keycloak to be a SAML 2.0 provider in a nodejs environment.
> > > Looking in the demo folder, I can see a Wildfly java based example [1] using keycloak-saml.xml [2]
> > > I couldn't find a nodejs adapter in the gitbook [3].
> > > How could I do a similar demo but with a nodejs app?
> > > ++
> > > Corinne
> > > [1] https://github.com/keycloak/keycloak/tree/master/examples/saml
> > > [2] https://github.com/keycloak/keycloak/blob/master/examples/saml/post-with-signature/src/main/webapp/WEB-INF/keycloak-saml.xml
> > > [3] https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/saml/saml-overview.html
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > --
> > abstractj
> > PGP: 0x84DC9914

--
abstractj
PGP: 0x84DC9914

From schween at gmail.com Thu Dec 15 08:57:38 2016
From: schween at gmail.com (Sven Kilchenmann)
Date: Thu, 15 Dec 2016 14:57:38 +0100
Subject: [keycloak-user] Create user by api
Message-ID: <3F85A151-DD86-4763-BD6D-4618A464CC82@gmail.com>

Trying to create a new user:

    import java.util.Arrays;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    Keycloak kc = Keycloak.getInstance(
            "http://192.168.11.55:8080/auth",
            "master",                  // the realm to log in to
            "admin", "pass",           // the user
            "security-admin-console");

    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");
    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setCredentials(Arrays.asList(credential));
    kc.realm("master").users().create(user);

It returns a HTTP 400 Bad Request.
Keycloak log says:

    Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "origin" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (22 known properties: "federatedIdentities", "enabled", "lastName", "emailVerified", "clientConsents", "self", "socialLinks", "applicationRoles", "createdTimestamp", "groups", "username", "attributes", "id", "firstName", "email", "federationLink", "serviceAccountClientId", "requiredActions", "realmRoles", "clientRoles", "totp", "credentials"])
     at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 250fdbe0; line: 1, column: 37] (through reference chain: org.keycloak.representations.idm.UserRepresentation["origin"])

I'm using Keycloak 2.3.0.Final and the Keycloak Admin REST Client 2.4.0.Final API.

Thanks for your support.
Cheers

From keith.hudson at hudzinga.com Thu Dec 15 09:05:24 2016
From: keith.hudson at hudzinga.com (keith.hudson at hudzinga.com)
Date: Thu, 15 Dec 2016 09:05:24 -0500 (EST)
Subject: [keycloak-user] Create user by api
In-Reply-To: <3F85A151-DD86-4763-BD6D-4618A464CC82@gmail.com>
References: <3F85A151-DD86-4763-BD6D-4618A464CC82@gmail.com>
Message-ID: <1481810724.958111591@apps.rackspace.com>

Pretty sure you need to set an email address with the user you are creating via setEmail.

Also, we set enabled and realmRoles on our users and they create without issue.
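An added example (editor's code, not part of any reply in this thread) that folds in the two points the replies make, setting email and enabled on the user and authenticating with the `admin-cli` client instead of `security-admin-console`, and adds the response handling the original snippet lacks: `users().create()` returns a JAX-RS `Response`, and a 400 is only visible as a status code unless the body is read. Server URL, admin credentials, realm and email address are placeholders. Worth noting separately from the code: the exception in the log lists the 22 properties the 2.3.0 server knows and `origin` is not among them, so the 2.4.0 client is serializing a field the older server rejects; matching client and server versions is what removes that particular 400, whatever else is set on the user.

```java
import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Added example for the "Create user by api" thread (not the project's code).
 * Server URL, realm, admin credentials and email address are placeholders.
 */
public class CreateUserExample {

    /** Creates the user and returns its id, or throws with the server's error body. */
    static String createUser(Keycloak kc, String realm, UserRepresentation user) {
        UsersResource users = kc.realm(realm).users();
        Response response = users.create(user);
        try {
            // The admin REST API answers 201 Created with the new user's id in the
            // Location header; any other status carries an error description in the body.
            if (response.getStatus() != Response.Status.CREATED.getStatusCode()) {
                throw new IllegalStateException("create failed: HTTP " + response.getStatus()
                        + " " + response.readEntity(String.class));
            }
            String location = response.getLocation().toString();
            return location.substring(location.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
    }

    public static void main(String[] args) {
        Keycloak kc = Keycloak.getInstance(
                "http://192.168.11.55:8080/auth",   // placeholder server URL
                "master",                           // realm the admin logs in to
                "admin", "pass",                    // placeholder admin credentials
                "admin-cli");                       // public client intended for admin REST use

        UserRepresentation user = new UserRepresentation();
        user.setUsername("testuser");
        user.setFirstName("Test");
        user.setLastName("User");
        user.setEmail("testuser@example.com");      // placeholder; the original post set no email
        user.setEnabled(true);                      // a user created disabled cannot log in

        String userId = createUser(kc, "master", user);

        // Set the password in its own call so the credential is not part of the create
        // body; temporary=true forces the user to choose a new password at first login.
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue("test123");
        credential.setTemporary(true);
        kc.realm("master").users().get(userId).resetPassword(credential);

        System.out.println("Created user " + userId);
    }
}
```

Embedding the credential in the create body, as the original snippet does, also works; the separate `resetPassword` call is used here so that a failed create leaves no password set anywhere and the temporary flag is explicit.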
-----Original Message-----
From: "Sven Kilchenmann"
Sent: Thursday, December 15, 2016 8:57am
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Create user by api

Trying to create a new user:

    Keycloak kc = Keycloak.getInstance(
            "http://192.168.11.55:8080/auth",
            "master",                  // the realm to log in to
            "admin", "pass",           // the user
            "security-admin-console");

    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");
    UserRepresentation user = new UserRepresentation();
    user.setUsername("testuser");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setCredentials(Arrays.asList(credential));
    kc.realm("master").users().create(user);

It returns a HTTP 400 Bad Request. Keycloak log says:

    Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "origin" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (22 known properties: "federatedIdentities", "enabled", "lastName", "emailVerified", "clientConsents", "self", "socialLinks", "applicationRoles", "createdTimestamp", "groups", "username", "attributes", "id", "firstName", "email", "federationLink", "serviceAccountClientId", "requiredActions", "realmRoles", "clientRoles", "totp", "credentials"])
     at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 250fdbe0; line: 1, column: 37] (through reference chain: org.keycloak.representations.idm.UserRepresentation["origin"])

I'm using Keycloak 2.3.0.Final and the Keycloak Admin REST Client 2.4.0.Final API.

Thanks for your support.
Cheers

From rjvduijn at gmail.com Thu Dec 15 09:37:29 2016
From: rjvduijn at gmail.com (Richard van Duijn)
Date: Thu, 15 Dec 2016 14:37:29 +0000
Subject: [keycloak-user] Share resources with other users
Message-ID:

I'm looking into the possibility of sharing resources created in the client application with another registered user. Does keycloak provide support for that?

Using the authz client I cannot detect any attributes or fields to set besides the owner. I was hoping to set a custom attribute on the ResourceRepresentation object and use that in the policy evaluation.

It should IMHO also be possible to create separate resources for the shared resource, with the user to share to as owner. But wouldn't that pollute the resources too much?

I also found this feature request by Pedro Igor which might be related: https://issues.jboss.org/browse/KEYCLOAK-3169

Thanks again!
/Richard

From pala.ondra at gmail.com Thu Dec 15 10:53:01 2016
From: pala.ondra at gmail.com (Ondra Pala)
Date: Thu, 15 Dec 2016 16:53:01 +0100
Subject: [keycloak-user] Spring + keycloak - cannot get auth username
Message-ID:

Hello,

Why can't I get the username of the logged-in user? I try to get this information from Principal, HttpServletResponse ... but it is still null.

Our application uses Keycloak for authentication; after a successful login, the user is redirected to another url (on the same server) in a Java Spring MVC application.

Thanks for your answers.
Ondra

From schween at gmail.com Thu Dec 15 10:55:15 2016
From: schween at gmail.com (Sven Kilchenmann)
Date: Thu, 15 Dec 2016 16:55:15 +0100
Subject: [keycloak-user] Create user by api
In-Reply-To: <1481810724.958111591@apps.rackspace.com>
References: <3F85A151-DD86-4763-BD6D-4618A464CC82@gmail.com> <1481810724.958111591@apps.rackspace.com>
Message-ID: <8A0BC94E-E2A1-4297-8DA5-E57E812C27EA@gmail.com>

Ouch, yes you are right. Now I have this log entry:

    2016-12-15 16:45:52,510 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=192.168.1.2, error=not_allowed, auth_method=oauth_credentials, grant_type=password, client_auth_method=client-secret

but I have no idea how to solve it..

> On 15.12.2016 at 15:05, keith.hudson at hudzinga.com wrote:
>
> Pretty sure you need to set an email address with the user you are creating via setEmail.
>
> Also, we set enabled and realmRoles on our users and they create without issue.
>
> -----Original Message-----
> From: "Sven Kilchenmann"
> Sent: Thursday, December 15, 2016 8:57am
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Create user by api
>
> Trying to create a new user:
>
> Keycloak kc = Keycloak.getInstance(
>         "http://192.168.11.55:8080/auth",
>         "master",                  // the realm to log in to
>         "admin", "pass",           // the user
>         "security-admin-console");
>
> CredentialRepresentation credential = new CredentialRepresentation();
> credential.setType(CredentialRepresentation.PASSWORD);
> credential.setValue("test123");
> UserRepresentation user = new UserRepresentation();
> user.setUsername("testuser");
> user.setFirstName("Test");
> user.setLastName("User");
> user.setCredentials(Arrays.asList(credential));
> kc.realm("master").users().create(user);
>
> It returns a HTTP 400 Bad Request.
> Keycloak log says:
>
> Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "origin" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (22 known properties: "federatedIdentities", "enabled", "lastName", "emailVerified", "clientConsents", "self", "socialLinks", "applicationRoles", "createdTimestamp", "groups", "username", "attributes", "id", "firstName", "email", "federationLink", "serviceAccountClientId", "requiredActions", "realmRoles", "clientRoles", "totp", "credentials"])
>  at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 250fdbe0; line: 1, column: 37] (through reference chain: org.keycloak.representations.idm.UserRepresentation["origin"])
>
> I'm using Keycloak 2.3.0.Final and the Keycloak Admin REST Client 2.4.0.Final API.
>
> Thanks for your support.
> Cheers

From rysiek at occrp.org Thu Dec 15 10:59:55 2016
From: rysiek at occrp.org (Rashiq)
Date: Thu, 15 Dec 2016 16:59:55 +0100
Subject: [keycloak-user] Roles in OIDC tokens
In-Reply-To:
References: <4290815.J5LtNdMR65@lapuntu>
Message-ID: <9165970.m6z4IyOMy4@lapuntu>

Hi there,

On Friday, 9 December 2016 10:55:40 CET Sebastien Blanc wrote:
> Does anyone have an idea of what could happen here? I'm clueless on this one.

Just for the record, it was us looking at the wrong token -- `id_token` instead of `access_token`.
--
Regards,
rashiq

From rysiek at occrp.org Thu Dec 15 11:05:59 2016
From: rysiek at occrp.org (Rashiq)
Date: Thu, 15 Dec 2016 17:05:59 +0100
Subject: [keycloak-user] Discourse-Keycloak OIDC connector
Message-ID: <10381311.AFiuNn65Oc@lapuntu>

Hi there,

I've been working on an OpenID Connect authentication/authorization plugin for Discourse in order to connect it to Keycloak, and well -- it's finally here:
https://github.com/occrp/discourse-oidc-basic

It still needs code clean-ups and documentation, and there are a few bugs that I'm also going to fix within the next few weeks, but we're using it in production already and it gets the job done.

The plugin supports mapping roles (either realm or client, as configured in Discourse settings) to Discourse groups, optionally creating missing groups in Discourse if needed and removing users from Discourse groups not expressed in terms of roles.

Please report any bugs on GitHub. If you have any questions (or better yet, comments on the code!), happy to hear them!

--
Regards,
rashiq

From sblanc at redhat.com Thu Dec 15 11:11:24 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 15 Dec 2016 17:11:24 +0100
Subject: [keycloak-user] Spring + keycloak - cannot get auth username
In-Reply-To:
References:
Message-ID:

Set "principal-attribute":"preferred_username" in your keycloak.json and you should be able to get your username from the Principal object.

On Thu, Dec 15, 2016 at 4:53 PM, Ondra Pala wrote:
> Hello,
>
> Why can't I get the username of the logged-in user? I try to get this information from Principal, HttpServletResponse ... but it is still null.
>
> Our application uses Keycloak for authentication; after a successful login, the user is redirected to another url (on the same server) in a Java Spring MVC application.
>
> Thanks for your answers.
> Ondra

From keith.hudson at hudzinga.com Thu Dec 15 11:19:25 2016
From: keith.hudson at hudzinga.com (keith.hudson at hudzinga.com)
Date: Thu, 15 Dec 2016 11:19:25 -0500 (EST)
Subject: [keycloak-user] Create user by api
In-Reply-To: <8A0BC94E-E2A1-4297-8DA5-E57E812C27EA@gmail.com>
References: <3F85A151-DD86-4763-BD6D-4618A464CC82@gmail.com> <1481810724.958111591@apps.rackspace.com> <8A0BC94E-E2A1-4297-8DA5-E57E812C27EA@gmail.com>
Message-ID: <1481818765.49899188@apps.rackspace.com>

We use "admin-cli" as the clientId, not "admin-security-console".

-----Original Message-----
From: "Sven Kilchenmann"
Sent: Thursday, December 15, 2016 10:55am
To: keith.hudson at hudzinga.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Create user by api

Ouch, yes you are right. Now I have this log entry:

    2016-12-15 16:45:52,510 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=192.168.1.2, error=not_allowed, auth_method=oauth_credentials, grant_type=password, client_auth_method=client-secret

but I have no idea how to solve it..

> On 15.12.2016 at 15:05, keith.hudson at hudzinga.com wrote:
>
> Pretty sure you need to set an email address with the user you are creating via setEmail.
>
> Also, we set enabled and realmRoles on our users and they create without issue.
>
> -----Original Message-----
> From: "Sven Kilchenmann"
> Sent: Thursday, December 15, 2016 8:57am
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Create user by api
>
> Trying to create a new user:
>
> Keycloak kc = Keycloak.getInstance(
>         "http://192.168.11.55:8080/auth",
>         "master",                  // the realm to log in to
>         "admin", "pass",           // the user
>         "security-admin-console");
>
> CredentialRepresentation credential = new CredentialRepresentation();
> credential.setType(CredentialRepresentation.PASSWORD);
> credential.setValue("test123");
> UserRepresentation user = new UserRepresentation();
> user.setUsername("testuser");
> user.setFirstName("Test");
> user.setLastName("User");
> user.setCredentials(Arrays.asList(credential));
> kc.realm("master").users().create(user);
>
> It returns a HTTP 400 Bad Request. Keycloak log says:
>
> Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "origin" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (22 known properties: "federatedIdentities", "enabled", "lastName", "emailVerified", "clientConsents", "self", "socialLinks", "applicationRoles", "createdTimestamp", "groups", "username", "attributes", "id", "firstName", "email", "federationLink", "serviceAccountClientId", "requiredActions", "realmRoles", "clientRoles", "totp", "credentials"])
>  at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 250fdbe0; line: 1, column: 37] (through reference chain: org.keycloak.representations.idm.UserRepresentation["origin"])
>
> I'm using Keycloak 2.3.0.Final and the Keycloak Admin REST Client 2.4.0.Final API.
>
> Thanks for your support.
> Cheers

From sblanc at redhat.com Thu Dec 15 11:25:30 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 15 Dec 2016 17:25:30 +0100
Subject: [keycloak-user] Spring + keycloak - cannot get auth username
In-Reply-To:
References:
Message-ID:

How do you retrieve the principal? Something like this?

    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String handleAdminRequest(Principal principal, Model model) {
        model.addAttribute("principal", principal);
        return "admin";
    }

On Thu, Dec 15, 2016 at 5:17 PM, Ondra Pala wrote:
> This attribute I have set ....
>
> 2016-12-15 17:11 GMT+01:00 Sebastien Blanc :
>
>> Set "principal-attribute":"preferred_username" in your keycloak.json and you should be able to get your username from the Principal object.
>>
>> On Thu, Dec 15, 2016 at 4:53 PM, Ondra Pala wrote:
>>
>>> Hello,
>>>
>>> Why can't I get the username of the logged-in user? I try to get this information from Principal, HttpServletResponse ... but it is still null.
>>>
>>> Our application uses Keycloak for authentication; after a successful login, the user is redirected to another url (on the same server) in a Java Spring MVC application.
>>>
>>> Thanks for your answers.
>>>
>>> Ondra
>

From georgijsr at scandiweb.com Thu Dec 15 11:43:51 2016
From: georgijsr at scandiweb.com (Georgijs Radovs)
Date: Thu, 15 Dec 2016 18:43:51 +0200
Subject: [keycloak-user] Google as SAML SP and Keycloak as IDP - invalid_signature [Solved]
In-Reply-To:
References:
Message-ID:

Hello again!

Problem solved. Keycloak <-> Google SAML working.

The problem was with the Sign-in URL on the Google Apps configuration side.
Sign-in page URL was - *https://"keycloak fqdn"/auth/realms/"keycloak realm name"/protocol/saml*

But, after I changed it to this:

Sign-in page URL - *https://"keycloak fqdn"/auth/realms/"keycloak realm name"/protocol/saml/clients/googleapps*

and made these changes:

Set *Client Signature Required* to *Off*
Set *Assertion Consumer Service POST Binding URL* to *https://google.com/a/"mydomain".com/acs*
Set *Assertion Consumer Service Redirect Binding URL* to *empty*
Set *Assertion Consumer Service POST Binding URL* to *https://www.google.com/a/"mydomain".com/acs*

It worked.

Also, if you need *IDP initiated SSO URL* to work, add *?RelayState=true* to the *Base URL*, like this:
*/auth/realms/"keycloak realm"/protocol/saml/clients/googleapps?RelayState=true*

On 2016.12.15. 14:44, Georgijs Radovs wrote:
> Hello everyone!
>
> I'm trying to configure SSO to Google Apps, using the SAML protocol, with Keycloak as IDP and Google as SP.
>
> Keycloak Version - 2.1.0-Final
>
> In Keycloak, I've created a new saml client with the following settings:
> ----------------------------------------------------------------
> Client ID - google.com/a/*mydomain*.com
> Enabled - On
> Consent Required - Off
> Include AuthnStatement - On
> Sign Documents - On
> Sign Assertions - On
> Signature Algorithm - RSA_SHA256
> Canonicalization Method - EXCLUSIVE
> Encrypt Assertions - Off
> Client Signature Required - On
> Force POST Binding - On
> Front Channel Logout - On
> Force Name ID Format - Off
> Name ID Format - email
> Root URL - empty
> Valid Redirect URIs - empty
> Base URL - /auth/realms/*keycloak realm*/protocol/saml/clients/googleapps
> Master SAML Processing URL - empty
> IDP Initiated SSO URL Name - googleapps
> IDP Initiated SSO Relay State - empty
> Assertion Consumer Service POST Binding URL - empty
> Assertion Consumer Service Redirect Binding URL - https://google.com/a/*mydomain*.com/acs
> logout-service-post-binding-url - empty
> Logout Service Redirect Binding URL - empty
> --------------------------------------------------------------
>
> Google SSO Settings:
> --------------------------------------------------------------
> "Setup SSO with third party identity provider" checkbox - enabled
> Sign-in page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
> Sign-out page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml
> Change password URL - empty
> Verification certificate - uploaded certificate from the keycloak realm where the Google SAML client is defined.
> "Use a domain specific issuer" checkbox - enabled
> ---------------------------------------------------------------
>
> The problem:
>
> When I go to this link - https://mail.google.com/a/*mydomain*.com - to authenticate, I'm redirected back to Keycloak with an "Invalid Requester" error, and in the Keycloak log I see this: "error=invalid_signature"
>
> What signature is Keycloak complaining about?
> What is wrong with my config?
>
> --

From pala.ondra at gmail.com Thu Dec 15 12:21:20 2016
From: pala.ondra at gmail.com (Ondra Pala)
Date: Thu, 15 Dec 2016 18:21:20 +0100
Subject: [keycloak-user] Spring + keycloak - cannot get auth username
In-Reply-To:
References:
Message-ID: <5e628b71-123e-40b7-9e79-780519ac68fb@typeapp.com>

Yes, or I try

    public String handleAdminRequest(HttpServletResponse response, Model model)

but still null.

Sent from BlueMail

On 15. 12. 2016, 17:25, Sebastien Blanc wrote:
> How do you retrieve the principal? Something like this?
>
>     @RequestMapping(value = "/admin", method = RequestMethod.GET)
>     public String handleAdminRequest(Principal principal, Model model) {
>         model.addAttribute("principal", principal);
>         return "admin";
>     }
>
> On Thu, Dec 15, 2016 at 5:17 PM, Ondra Pala wrote:
>
>> This attribute I have set ....
>>
>> 2016-12-15 17:11 GMT+01:00 Sebastien Blanc :
>>
>>> Set "principal-attribute":"preferred_username" in your keycloak.json and you should be able to get your username from the Principal object.
>>>
>>> On Thu, Dec 15, 2016 at 4:53 PM, Ondra Pala wrote:
>>>
>>>> Hello,
>>>>
>>>> Why can't I get the username of the logged-in user? I try to get this information from Principal, HttpServletResponse ... but it is still null.
>>>>
>>>> Our application uses Keycloak for authentication; after a successful login, the user is redirected to another url (on the same server) in a Java Spring MVC application.
>>>>
>>>> Thanks for your answers.
>>>>
>>>> Ondra

From michael_furman at hotmail.com Thu Dec 15 12:26:02 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 15 Dec 2016 17:26:02 +0000
Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
Message-ID:

Hi,

We use the SpringSecurity adapter. I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter.

Can you tell me the URI of the Refresh Token HTTP request for Java Adapters?

Best regards,
Michael

From sblanc at redhat.com Thu Dec 15 12:26:15 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 15 Dec 2016 18:26:15 +0100
Subject: [keycloak-user] Spring + keycloak - cannot get auth username
In-Reply-To: <5e628b71-123e-40b7-9e79-780519ac68fb@typeapp.com>
References: <5e628b71-123e-40b7-9e79-780519ac68fb@typeapp.com>
Message-ID:

Have you set your sessionAuthenticationStrategy?
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

Or easier, do you have a sample app for us so that we can reproduce the issue?

On Thu, Dec 15, 2016 at 6:21 PM, Ondra Pala wrote:
> Yes, or I try
>     public String handleAdminRequest(HttpServletResponse response, Model model)
> but still null.
>
> Sent from BlueMail
> On 15. 12. 2016, 17:25, Sebastien Blanc wrote:
>>
>> How do you retrieve the principal? Something like this?
>>
>>     @RequestMapping(value = "/admin", method = RequestMethod.GET)
>>     public String handleAdminRequest(Principal principal, Model model) {
>>         model.addAttribute("principal", principal);
>>         return "admin";
>>     }
>>
>> On Thu, Dec 15, 2016 at 5:17 PM, Ondra Pala wrote:
>>
>>> This attribute I have set ....
>>>
>>> 2016-12-15 17:11 GMT+01:00 Sebastien Blanc :
>>>
>>>> Set "principal-attribute":"preferred_username" in your keycloak.json and you should be able to get your username from the Principal object.
>>>>
>>>> On Thu, Dec 15, 2016 at 4:53 PM, Ondra Pala wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> Why can't I get the username of the logged-in user? I try to get this information from Principal, HttpServletResponse ... but it is still null.
>>>>>
>>>>> Our application uses Keycloak for authentication; after a successful login, the user is redirected to another url (on the same server) in a Java Spring MVC application.
>>>>>
>>>>> Thanks for your answers.
>>>>>
>>>>> Ondra

From pala.ondra at gmail.com Thu Dec 15 12:56:33 2016
From: pala.ondra at gmail.com (Ondra Pala)
Date: Thu, 15 Dec 2016 18:56:33 +0100
Subject: [keycloak-user] Spring + keycloak - cannot get auth username
In-Reply-To:
References: <5e628b71-123e-40b7-9e79-780519ac68fb@typeapp.com>
Message-ID:

SessionAuthenticationStrategy is not set; I'll try it. But it can be a problem that I don't use the spring boot adapter in my application. The keycloak login form is separate and sends information about the successful login to the spring application.

Sent from BlueMail

On 15. 12. 2016, 18:26, Sebastien Blanc wrote:
> Have you set your sessionAuthenticationStrategy?
>
>     @Bean
>     @Override
>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>         return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
>     }
>
> Or easier, do you have a sample app for us so that we can reproduce the issue?
>
> On Thu, Dec 15, 2016 at 6:21 PM, Ondra Pala wrote:
>
>> Yes, or I try
>>     public String handleAdminRequest(HttpServletResponse response, Model model)
>> but still null.
>>
>> Sent from BlueMail
>> On 15. 12. 2016, 17:25, Sebastien Blanc wrote:
>>>
>>> How do you retrieve the principal? Something like this?
>>>
>>>     @RequestMapping(value = "/admin", method = RequestMethod.GET)
>>>     public String handleAdminRequest(Principal principal, Model model) {
>>>         model.addAttribute("principal", principal);
>>>         return "admin";
>>>     }
>>>
>>> On Thu, Dec 15, 2016 at 5:17 PM, Ondra Pala wrote:
>>>
>>>> This attribute I have set ....
>>>>
>>>> 2016-12-15 17:11 GMT+01:00 Sebastien Blanc :
>>>>
>>>>> Set "principal-attribute":"preferred_username" in your keycloak.json and you should be able to get your username from the Principal object.
>>>>> >>>>> >>>>> On Thu, Dec 15, 2016 at 4:53 PM, Ondra Pala >>>>> wrote: >>>>> >>>>>> Hello, >>>>>> >>>>>> Why I can?t get username of logged user? I can try get this >>>>>> information >>>>>> from Principal, HttpServletResponse ... but still null. >>>>>> >>>>>> Our application use for authentification Keycloak, after >successfull >>>>>> login, >>>>>> user is redirect to another url (on the same server) in Java >Spring >>>>>> MVC >>>>>> application. >>>>>> >>>>>> Thanks for your answers. >>>>>> >>>>>> Ondra >>>>>> ______________________________ _________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> >>>>> >>>> >>> From marcelo.miura at gdcommunity.co.uk Thu Dec 15 13:10:17 2016 From: marcelo.miura at gdcommunity.co.uk (marcelo.miura) Date: Thu, 15 Dec 2016 16:10:17 -0200 Subject: [keycloak-user] Exclude users from password policy Message-ID: Hi, I was wondering if that's possible to exclude a user from the password policies set on keycloak. Problem: I have an admin user used on my API to create new users, reset password and exclude users from keycloak. But as there's a password policy to expire the password within 30 days, this user cannot be used until we reset his password manually. Any ideas? Thanks in advance. From mposolda at redhat.com Thu Dec 15 14:08:37 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 15 Dec 2016 20:08:37 +0100 Subject: [keycloak-user] Exclude users from password policy In-Reply-To: References: Message-ID: Maybe you can use the admin user from master realm (and not set any password policies in master realm), but all your other users will be in some other "business" realms, which will have password policy. Is it work to have different realms? Marek On 15/12/16 19:10, marcelo.miura wrote: > Hi, > > I was wondering if that's possible to exclude a user from the password > policies set on keycloak. 
> Problem: I have an admin user used on my API to create new users, reset
> passwords and exclude users from Keycloak. But as there's a password
> policy to expire the password within 30 days, this user cannot be used
> until we reset his password manually.
>
> Any ideas?
>
> Thanks in advance.

From sblanc at redhat.com Thu Dec 15 14:21:12 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 15 Dec 2016 19:21:12 +0000
Subject: [keycloak-user] Discourse-Keycloak OIDC connector
In-Reply-To: <10381311.AFiuNn65Oc@lapuntu>
References: <10381311.AFiuNn65Oc@lapuntu>
Message-ID:

Thanks for sharing!

On Thu 15 Dec 2016 at 17:09, Rashiq wrote:
> Hi there,
>
> I've been working on an OpenID Connect authentication/authorization plugin
> for Discourse in order to connect it to Keycloak, and well -- it's finally
> here:
>
> https://github.com/occrp/discourse-oidc-basic
>
> It still needs code clean-ups, documentation, there's a few bugs that I'm
> also going to fix within the next few weeks, but we're using it in production
> already and it gets the job done.
>
> The plugin supports mapping roles (either realm or client, as configured in
> Discourse settings) to Discourse groups, optionally creating missing groups
> in Discourse if needed and removing users from Discourse groups not expressed
> in terms of roles.
>
> Please report any bugs on GitHub. If you have any questions (or better yet,
> comments on the code!), happy to hear them!
>
> --
> Regards,
> rashiq

From marcelo.miura at gdcommunity.co.uk Thu Dec 15 14:59:20 2016
From: marcelo.miura at gdcommunity.co.uk (marcelo.miura)
Date: Thu, 15 Dec 2016 17:59:20 -0200
Subject: [keycloak-user] Exclude users from password policy
In-Reply-To:
References:
Message-ID:

Thanks for your answer.

Unfortunately, all my users are currently on master. Is there a way to move all my users to another realm?

Would that work if I try to export and import them into another realm?

Marcelo

On 15/12/2016 17:08, Marek Posolda wrote:
> Maybe you can use the admin user from the master realm (and not set any
> password policies in the master realm), but all your other users will be
> in some other "business" realms, which will have a password policy. Does
> it work for you to have different realms?
>
> Marek
>
> On 15/12/16 19:10, marcelo.miura wrote:
>> Hi,
>>
>> I was wondering if it's possible to exclude a user from the password
>> policies set on Keycloak.
>> Problem: I have an admin user used on my API to create new users, reset
>> passwords and exclude users from Keycloak. But as there's a password
>> policy to expire the password within 30 days, this user cannot be used
>> until we reset his password manually.
>>
>> Any ideas?
>>
>> Thanks in advance.
>

From michael_furman at hotmail.com Thu Dec 15 15:08:39 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 15 Dec 2016 20:08:39 +0000
Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
Message-ID:

Hi,

Additional question: according to my understanding, in case a user works (performs HTTP requests) on some client, the Refresh Token HTTP request comes to the other OIDC clients. In case a user does not work on any client, the Refresh Token HTTP request does not appear at all.

I will be happy for confirmation.

Michael

On Dec 15, 2016 7:26 PM, Michael Furman wrote:

Hi,

We use the Spring Security adapter. I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter. Can you tell me the URI of the Refresh Token HTTP request for Java Adapters?

Best regards,
Michael

From bruno at abstractj.org Thu Dec 15 15:09:47 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 15 Dec 2016 18:09:47 -0200
Subject: [keycloak-user] Exclude users from password policy
In-Reply-To:
References:
Message-ID:

You can make use of partial imports. Take a look here:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/export-import.html

On Thu, Dec 15, 2016 at 5:59 PM, marcelo.miura wrote:
> Thanks for your answer.
>
> Unfortunately, all my users are currently on master. Is there a way to
> move all my users to another realm?
>
> Would that work if I try to export and import them into another realm?
>
> Marcelo
>
> On 15/12/2016 17:08, Marek Posolda wrote:
>> Maybe you can use the admin user from the master realm (and not set any
>> password policies in the master realm), but all your other users will be
>> in some other "business" realms, which will have a password policy. Does
>> it work for you to have different realms?
>>
>> Marek
>>
>> On 15/12/16 19:10, marcelo.miura wrote:
>>> Hi,
>>>
>>> I was wondering if it's possible to exclude a user from the password
>>> policies set on Keycloak.
>>> Problem: I have an admin user used on my API to create new users, reset
>>> passwords and exclude users from Keycloak. But as there's a password
>>> policy to expire the password within 30 days, this user cannot be used
>>> until we reset his password manually.
>>>
>>> Any ideas?
>>>
>>> Thanks in advance.
>>
>

--
- abstractj

From celso.agra at gmail.com Thu Dec 15 16:50:00 2016
From: celso.agra at gmail.com (Celso Agra)
Date: Thu, 15 Dec 2016 18:50:00 -0300
Subject: [keycloak-user] Configure Keycloak with Apache2
Message-ID:

Hi all,

I'd like to know if it would be possible to configure Apache2 with Keycloak.

I'm using a simple web page with HTML and JavaScript, only to get some information (no big deal). But when I try to access the page, all the HTML is loaded and then Keycloak acts to ask for authentication. OK! This is working as I expected, but I'd like to know if there is a way to configure Keycloak in Apache2, in other words, before all the HTML is loaded.

So I found this link:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/mod-auth-openidc.html

I'd like to know if it would be possible to do the authentication in Apache2. Can it be a public API without a secret ID?

Thanks a lot!

--
---
*Celso Agra*

From marcelo.miura at gdcommunity.co.uk Thu Dec 15 19:46:40 2016
From: marcelo.miura at gdcommunity.co.uk (marcelo.miura)
Date: Thu, 15 Dec 2016 22:46:40 -0200
Subject: [keycloak-user] Exclude users from password policy
In-Reply-To:
References:
Message-ID: <9513d4d3-0bde-5f6b-3278-3dace0820974@gdcommunity.co.uk>

Thanks!
I tried to do that, but when I imported the users into the new realm it changed the user IDs.

Am I missing any step here?

On 15/12/2016 18:09, Bruno Oliveira wrote:
> You can make use of partial imports. Take a look here:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/export-import.html
>
> On Thu, Dec 15, 2016 at 5:59 PM, marcelo.miura wrote:
>> Thanks for your answer.
>>
>> Unfortunately, all my users are currently on master. Is there a way to
>> move all my users to another realm?
>>
>> Would that work if I try to export and import them into another realm?
>>
>> Marcelo
>>
>> On 15/12/2016 17:08, Marek Posolda wrote:
>>> Maybe you can use the admin user from the master realm (and not set any
>>> password policies in the master realm), but all your other users will be
>>> in some other "business" realms, which will have a password policy. Does
>>> it work for you to have different realms?
>>>
>>> Marek
>>>
>>> On 15/12/16 19:10, marcelo.miura wrote:
>>>> Hi,
>>>>
>>>> I was wondering if it's possible to exclude a user from the password
>>>> policies set on Keycloak.
>>>> Problem: I have an admin user used on my API to create new users, reset
>>>> passwords and exclude users from Keycloak. But as there's a password
>>>> policy to expire the password within 30 days, this user cannot be used
>>>> until we reset his password manually.
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks in advance.
>>>
>>
>

From schween at gmail.com Fri Dec 16 01:02:30 2016
From: schween at gmail.com (Sven Kilchenmann)
Date: Fri, 16 Dec 2016 07:02:30 +0100
Subject: [keycloak-user] Create user by api
In-Reply-To: <1481818765.49899188@apps.rackspace.com>
References: <3F85A151-DD86-4763-BD6D-4618A464CC82@gmail.com> <1481810724.958111591@apps.rackspace.com> <8A0BC94E-E2A1-4297-8DA5-E57E812C27EA@gmail.com> <1481818765.49899188@apps.rackspace.com>
Message-ID: <6DA6A956-A2E5-4957-BA62-B2AA17319EFB@gmail.com>

changed to:

    import java.util.Arrays;

    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.representations.idm.CredentialRepresentation;
    import org.keycloak.representations.idm.UserRepresentation;

    Keycloak kc = Keycloak.getInstance(
            "http://192.168.11.55:8080/auth",
            "master",         // the realm to log in to
            "admin", "pass",  // the user
            "admin-cli");     // the client used for the admin login

    // password credential for the new user
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue("test123");

    UserRepresentation user = new UserRepresentation();
    user.setUsername("test@tester.li");
    user.setFirstName("Test");
    user.setLastName("User");
    user.setEmail("test@tester.li");
    user.setEnabled(true);
    user.setCredentials(Arrays.asList(credential));

    kc.realm("master").users().create(user);

we get this again:

    2016-12-16 06:57:22,981 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing POST /admin/realms/master/users: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "origin" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (22 known properties: "federatedIdentities", "enabled", "lastName", "emailVerified", "clientConsents", "self", "socialLinks", "applicationRoles", "createdTimestamp", "groups", "username", "attributes", "id", "firstName", "email", "federationLink", "serviceAccountClientId", "requiredActions", "realmRoles", "clientRoles", "totp", "credentials"])
     at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@4942ec08; line: 1, column: 37] (through reference chain: org.keycloak.representations.idm.UserRepresentation["origin"])

did I mess up with some versions?

> On 15.12.2016 at 17:19, keith.hudson at hudzinga.com wrote:
>
> We use "admin-cli" as the clientId, not "admin-security-console".
>
> -----Original Message-----
> From: "Sven Kilchenmann"
> Sent: Thursday, December 15, 2016 10:55am
> To: keith.hudson at hudzinga.com
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Create user by api
>
> Ouch yes you are right.
> Now having this log entry:
>
>     2016-12-15 16:45:52,510 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=192.168.1.2, error=not_allowed, auth_method=oauth_credentials, grant_type=password, client_auth_method=client-secret
>
> but I have no idea how to solve it..
>
>> On 15.12.2016 at 15:05, keith.hudson at hudzinga.com wrote:
>>
>> Pretty sure you need to set an email address with the user you are creating via setEmail.
>>
>> Also, we set enabled and realmRoles on our users and they create without issue.
>>
>> -----Original Message-----
>> From: "Sven Kilchenmann"
>> Sent: Thursday, December 15, 2016 8:57am
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Create user by api
>>
>> try to create a new user:
>>
>>     Keycloak kc = Keycloak.getInstance(
>>             "http://192.168.11.55:8080/auth",
>>             "master",         // the realm to log in to
>>             "admin", "pass",  // the user
>>             "security-admin-console");
>>
>>     CredentialRepresentation credential = new CredentialRepresentation();
>>     credential.setType(CredentialRepresentation.PASSWORD);
>>     credential.setValue("test123");
>>     UserRepresentation user = new UserRepresentation();
>>     user.setUsername("testuser");
>>     user.setFirstName("Test");
>>     user.setLastName("User");
>>     user.setCredentials(Arrays.asList(credential));
>>     kc.realm("master").users().create(user);
>>
>> It returns a HTTP 400 Bad Request. Keycloak log says:
>>
>>     Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
>>     Unrecognized field "origin" (class
>>     org.keycloak.representations.idm.UserRepresentation), not marked as
>>     ignorable (22 known properties: "federatedIdentities", "enabled",
>>     "lastName", "emailVerified", "clientConsents", "self", "socialLinks",
>>     "applicationRoles", "createdTimestamp", "groups", "username",
>>     "attributes", "id", "firstName", "email", "federationLink",
>>     "serviceAccountClientId", "requiredActions", "realmRoles",
>>     "clientRoles", "totp", "credentials"])
>>      at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@250fdbe0;
>>     line: 1, column: 37] (through reference chain:
>>     org.keycloak.representations.idm.UserRepresentation["origin"])
>>
>> I'm using Keycloak 2.3.0.Final and Keycloak Admin REST Client 2.4.0.Final API.
>>
>> Thanks for your support.
>> Cheers
>>
>

From manfred.duchrow at caprica.biz Fri Dec 16 01:45:42 2016
From: manfred.duchrow at caprica.biz (Manfred Duchrow)
Date: Fri, 16 Dec 2016 07:45:42 +0100
Subject: [keycloak-user] Security proxy not supporting policy enforcement
Message-ID:

Hi,

is the Keycloak security proxy intentionally not supporting policy enforcement (i.e. authorization services), or is it a bug?

With the policy-enforcer activated I'm getting an exception at startup of the security proxy:

    Exception in thread "main" java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.keycloak.Launcher.main(Launcher.java:81)
    Caused by: java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration
        at org.keycloak.adapters.authorization.PolicyEnforcer.(PolicyEnforcer.java:56)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
        at org.keycloak.proxy.ProxyServerBuilder$ApplicationBuilder.(ProxyServerBuilder.java:164)

Obviously the library 'keycloak-authz-client-2.4.0.Final.jar' is missing in the bundle keycloak-proxy-2.4.0.Final.zip.

Should I open a Jira bug?

Workaround: just copy keycloak-authz-client-2.4.0.Final.jar from another bundle into the lib folder of the security proxy.
Regards,
Manfred

From sthorger at redhat.com Fri Dec 16 02:41:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 16 Dec 2016 08:41:24 +0100
Subject: [keycloak-user] Technical Guidance
In-Reply-To: <1CDCBEFB-CD05-4537-AB7E-11CC3F97D9BC@evisions.com>
References: <1CDCBEFB-CD05-4537-AB7E-11CC3F97D9BC@evisions.com>
Message-ID:

Not quite sure what you're asking here as there seem to be 3 IdPs? Customer IdP, Ping and Keycloak?

On 14 December 2016 at 17:25, Dana Danet wrote:
> I just recently introduced KC to a Spring Cloud micro-service environment
> as the IDM and OAuth manager of JWT tokens. Front end clients are
> implementing the JavaScript adapter and backend Spring Boot services are
> implemented with the Spring Security adapter (not the Boot adapter). Our
> Service Gateway (Zuul) simply passes the token to backend services.
>
> My question is regarding offloading AuthN and IDP to external systems and
> then brokering to Keycloak for JWT creation. Which would look something like
>
>     (Customer on-premise AuthN) -> Ping -> Keycloak
>
> Ping has been introduced purely as an SP to handle customers' implementations
> of Shibboleth and InCommon. Initially I was thinking that IDP - Ping SP
> mapping is all done via Ping and then a canonical SAML exchange to Keycloak.
>
> Is this possible? I would appreciate some guidance here.
>
> -dana

From sblanc at redhat.com Fri Dec 16 03:22:57 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 16 Dec 2016 09:22:57 +0100
Subject: [keycloak-user] Spring + keycloak - cannot get auth username
In-Reply-To:
References: <5e628b71-123e-40b7-9e79-780519ac68fb@typeapp.com>
Message-ID:

On Thu, Dec 15, 2016 at 6:56 PM, Ondra Pala wrote:
> SessionAuthenticationStrategy is not set, I will try it.
>
> But it can be a problem that I don't use the Spring Boot adapter in my
> application.

No, that should not be a problem.

> The Keycloak login form is separate and sends information about the
> successful login to the Spring application.
>
> Sent from BlueMail
> On 15. 12. 2016, 18:26, Sebastien Blanc wrote:
>>
>> Have you set your sessionAuthenticationStrategy?
>>
>>     @Bean
>>     @Override
>>     protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>>         return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
>>     }
>>
>> Or easier, do you have a sample app for us so that we can reproduce the
>> issue?
>>
>> On Thu, Dec 15, 2016 at 6:21 PM, Ondra Pala wrote:
>>
>>> Yes, or I try
>>>
>>>     public String handleAdminRequest(HttpServletResponse response, Model model)
>>>
>>> but still null.
>>>
>>> Sent from BlueMail
>>> On 15. 12. 2016, 17:25, Sebastien Blanc <sblanc at redhat.com> wrote:
>>>>
>>>> How do you retrieve the principal? Something like this?
>>>>
>>>>     @RequestMapping(value = "/admin", method = RequestMethod.GET)
>>>>     public String handleAdminRequest(Principal principal, Model model) {
>>>>         model.addAttribute("principal", principal);
>>>>         return "admin";
>>>>     }
>>>>
>>>> On Thu, Dec 15, 2016 at 5:17 PM, Ondra Pala wrote:
>>>>
>>>>> This attribute I have set ....
>>>>>
>>>>> 2016-12-15 17:11 GMT+01:00 Sebastien Blanc:
>>>>>
>>>>>> Set "principal-attribute":"preferred_username" in your keycloak.json
>>>>>> and you should be able to get your username from the Principal object.
>>>>>>
>>>>>> On Thu, Dec 15, 2016 at 4:53 PM, Ondra Pala wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Why can't I get the username of the logged-in user? I try to get this
>>>>>>> information from Principal, HttpServletResponse ... but still null.
>>>>>>>
>>>>>>> Our application uses Keycloak for authentication; after a successful
>>>>>>> login, the user is redirected to another URL (on the same server) in a
>>>>>>> Java Spring MVC application.
>>>>>>>
>>>>>>> Thanks for your answers.
>>>>>>>
>>>>>>> Ondra
>>>>>>
>>>>>
>>>>
>>

From dan at ren.no Fri Dec 16 05:19:51 2016
From: dan at ren.no (Dan Østerberg)
Date: Fri, 16 Dec 2016 10:19:51 +0000
Subject: [keycloak-user] Login multiple times
In-Reply-To:
References:
Message-ID:

Enhancement JIRA created: KEYCLOAK-4097

~Dan

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday 14 December 2016 06:47
To: Dan Østerberg
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Login multiple times

I'd say it's a limitation, but something we can probably improve on in 3.x as we're planning to create a separate login session that is used during authentication. This would be backed by a cookie that would make sure the current flow is shared across multiple tabs.

Could you create a JIRA enhancement request for this please?

On 6 December 2016 at 11:35, Dan Østerberg wrote:

Hi,

It's possible (and sometimes likely) to have multiple browser tabs or windows showing the login screen for the same realm. This could for example happen after working with different systems in different tabs, and then timing out the whole SSO session.

If the user then logs in from both / all tabs, then the last login will seemingly win and destroy all the other sessions (rather than all of them contributing to the same session). This implies that the other tabs will not have a valid session, and e.g. fetching a new access token will fail.

Is this a bug, a limitation, or is it intentional?
And what's the recommended approach for dealing with this issue?

~Dan

From michael_furman at hotmail.com Fri Dec 16 06:03:14 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Fri, 16 Dec 2016 11:03:14 +0000
Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
In-Reply-To:
References:
Message-ID:

Hi all,

I will be happy for help.

I have tried to search but without success.

I cannot find the details here:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sso-protocols/oidc.html

Best regards,
Michael

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
Sent: Thursday, December 15, 2016 10:08 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?

Hi,

Additional question: according to my understanding, in case a user works (performs HTTP requests) on some client, the Refresh Token HTTP request comes to the other OIDC clients. In case a user does not work on any client, the Refresh Token HTTP request does not appear at all.

I will be happy for confirmation.

Michael

On Dec 15, 2016 7:26 PM, Michael Furman wrote:

Hi,

We use the Spring Security adapter. I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter. Can you tell me the URI of the Refresh Token HTTP request for Java Adapters?

Best regards,
Michael

From sblanc at redhat.com Fri Dec 16 06:20:20 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 16 Dec 2016 12:20:20 +0100
Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
In-Reply-To:
References:
Message-ID:

Not really sure what you are asking for ...

To refresh, it's this type of URL:

    /protocol/openid-connect/token?grant_type+refresh_token&refresh_token=

And I don't understand your additional question, but maybe related to that, a bearer-only client won't have a refresh token.

On Fri, Dec 16, 2016 at 12:03 PM, Michael Furman wrote:
> Hi all,
>
> I will be happy for help.
>
> I have tried to search but without success.
>
> I cannot find the details here:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sso-protocols/oidc.html
>
> Best regards,
> Michael
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
> Sent: Thursday, December 15, 2016 10:08 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP
> request for Java Adapters?
>
> Hi,
> Additional question: according to my understanding, in case a user works
> (performs HTTP requests) on some client, the Refresh Token HTTP request
> comes to the other OIDC clients.
>
> In case a user does not work on any client, the Refresh Token HTTP request
> does not appear at all.
>
> I will be happy for confirmation.
> Michael
>
> On Dec 15, 2016 7:26 PM, Michael Furman wrote:
>
> Hi,
> We use the Spring Security adapter.
> I need to handle some internal application logic when the URI of the
> Refresh Token HTTP request comes to the adapter.
> Can you tell me the URI of the Refresh Token HTTP request for Java
> Adapters?
> Best regards,
> Michael
>

From bruno at abstractj.org Fri Dec 16 06:50:38 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 16 Dec 2016 09:50:38 -0200
Subject: [keycloak-user] Exclude users from password policy
In-Reply-To: <9513d4d3-0bde-5f6b-3278-3dace0820974@gdcommunity.co.uk>
References: <9513d4d3-0bde-5f6b-3278-3dace0820974@gdcommunity.co.uk>
Message-ID:

Hmmm, it looks like we have a similar bug:
https://issues.jboss.org/browse/KEYCLOAK-3657

Is that what happens with your import, but instead of role IDs it changes user IDs?

On Thu, Dec 15, 2016 at 10:46 PM, marcelo.miura wrote:
> Thanks!
> > I tried to do that, but when I imported the users to the new realm it > changed the user ids. > > Am I missing any step here? > > > > On 15/12/2016 18:09, Bruno Oliveira wrote: >> >> You can make use of partial imports. Take a look here: >> >> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/export-import.html >> >> On Thu, Dec 15, 2016 at 5:59 PM, marcelo.miura >> wrote: >>> >>> Thanks for your answer. >>> >>> Unfortunately, all my users are currently on master. Is there a way to >>> change all my users to another realm? >>> >>> Would that work if I try to export and import it to another realm? >>> >>> >>> Marcelo >>> >>> >>> On 15/12/2016 17:08, Marek Posolda wrote: >>>> >>>> Maybe you can use the admin user from master realm (and not set any >>>> password policies in master realm), but all your other users will be >>>> in some other "business" realms, which will have password policy. Is >>>> it work to have different realms? >>>> >>>> Marek >>>> >>>> >>>> On 15/12/16 19:10, marcelo.miura wrote: >>>>> >>>>> Hi, >>>>> >>>>> I was wondering if that's possible to exclude a user from the password >>>>> policies set on keycloak. >>>>> Problem: I have an admin user used on my API to create new users, reset >>>>> password and exclude users from keycloak. But as there's a password >>>>> policy to expire the password within 30 days, this user cannot be used >>>>> until we reset his password manually. >>>>> >>>>> Any ideas? >>>>> >>>>> Thanks in advance. 
--
- abstractj

From marcelo.miura at gdcommunity.co.uk Fri Dec 16 06:54:05 2016
From: marcelo.miura at gdcommunity.co.uk (marcelo.miura)
Date: Fri, 16 Dec 2016 09:54:05 -0200
Subject: [keycloak-user] Exclude users from password policy
In-Reply-To:
References: <9513d4d3-0bde-5f6b-3278-3dace0820974@gdcommunity.co.uk>
Message-ID: <9b6a8024-7533-ee77-e9ef-391e53bce78e@gdcommunity.co.uk>

That's correct, yes!

Any ideas?

On 16/12/2016 09:50, Bruno Oliveira wrote:
> Hmmm, it looks like we have a similar bug
> https://issues.jboss.org/browse/KEYCLOAK-3657.
>
> Is that what happens with your import, but instead of role ids it
> changes user ids?
>
> On Thu, Dec 15, 2016 at 10:46 PM, marcelo.miura wrote:
>> Thanks!
>>
>> I tried to do that, but when I imported the users to the new realm it
>> changed the user ids.
>>
>> Am I missing any step here?

From bruno at abstractj.org Fri Dec 16 07:00:24 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 16 Dec 2016 10:00:24 -0200
Subject: [keycloak-user] Exclude users from password policy
In-Reply-To: <9b6a8024-7533-ee77-e9ef-391e53bce78e@gdcommunity.co.uk>
References: <9513d4d3-0bde-5f6b-3278-3dace0820974@gdcommunity.co.uk> <9b6a8024-7533-ee77-e9ef-391e53bce78e@gdcommunity.co.uk>
Message-ID:

Please file a Jira, describing your setup and the steps to reproduce.

On Fri, Dec 16, 2016 at 9:54 AM, marcelo.miura wrote:
> That's correct, yes!
>
> Any ideas?
>
> On 16/12/2016 09:50, Bruno Oliveira wrote:
>> Hmmm, it looks like we have a similar bug
>> https://issues.jboss.org/browse/KEYCLOAK-3657.
>>
>> Is that what happens with your import, but instead of role ids it
>> changes user ids?

--
- abstractj

From michael_furman at hotmail.com Fri Dec 16 07:02:12 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Fri, 16 Dec 2016 12:02:12 +0000
Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
In-Reply-To:
References:
Message-ID:

Hi Sebastien,

Thank you for your help!

I need to clarify my questions.

According to my understanding Keycloak handles the full SSO.

For example I have 2 OIDC clients (SpringSecurity adapters) that work with the same IDP.

(The clients are not bearer-only clients)

When a user works (performs HTTP requests) on the first OIDC client the token on the second OIDC client should be refreshed.
Otherwise when the user accesses the second client it will not be able to work.

Therefore I think that the Keycloak IDP sends some request to the second OIDC client to refresh the token.

Is it correct?

If yes, what request does the IDP send to the second OIDC client to refresh its token?

If not, how does Keycloak allow access to the second OIDC client after the user works on the first OIDC client for a long time?

One additional question about the logout:

If a user executes http:////sso/logout on the first OIDC client I think that the token on the second OIDC client becomes invalid and also the Keycloak session becomes invalid.

This is my understanding of the implementation of Single Logout by Keycloak.

Will be happy for the confirmation.
Best regards,
Michael

________________________________
From: Sebastien Blanc
Sent: Friday, December 16, 2016 1:20 PM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?

Not really sure what you are asking for ... To refresh it's this type of url : /protocol/openid-connect/token?grant_type+refresh_token&refresh_token=

And I don't understand your additional question but maybe related to that, a bearer-only client won't have a refresh token.

On Fri, Dec 16, 2016 at 12:03 PM, Michael Furman wrote:
Hi all,

Will be happy for help.

I have tried to search but without success.

Can not find details here:

https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sso-protocols/oidc.html

Best regards,
Michael

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
Sent: Thursday, December 15, 2016 10:08 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?

Hi,
Additional question: according to my understanding in case a user works (performs http requests) on some client the Refresh Token HTTP request comes to other OIDC clients.

In case a user does not work on any client the Refresh Token HTTP request does not appear at all.

Will be happy for the confirmation.
Michael

On Dec 15, 2016 7:26 PM, Michael Furman wrote:
Hi,
We use the SpringSecurity adapter.
I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter.
Can you tell me the URI of the Refresh Token HTTP request for Java Adapters?
Best regards,
Michael

From ruiwp_93 at hotmail.com Fri Dec 16 07:06:12 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Fri, 16 Dec 2016 05:06:12 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1481802917142-1974.post@n6.nabble.com>
References: <1481802917142-1974.post@n6.nabble.com>
Message-ID: <1481889972665-2011.post@n6.nabble.com>

As suggested by Stianst, I used the keycloak login page to login.

I did the redirect to the keycloak login page, but now, when I logout with HttpServletRequest.logout() it gives an error in the logs saying invalid_token and userId is set to null. I don't send any parameters, only the Authorization header with "Bearer token". Do I need to send some parameter to logout?

I tried to send client_id, user_id, refresh_token, id_token to the request and the error in the log still remains.
type=LOGOUT_ERROR, realmId={realm}, clientId={clientId}, userId=null, ipAddress={ip} error=invalid_token, client_auth_method=client-secret

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2011.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From marcelo.miura at gdcommunity.co.uk Fri Dec 16 07:36:58 2016
From: marcelo.miura at gdcommunity.co.uk (marcelo.miura)
Date: Fri, 16 Dec 2016 10:36:58 -0200
Subject: [keycloak-user] Exclude users from password policy
In-Reply-To:
References: <9513d4d3-0bde-5f6b-3278-3dace0820974@gdcommunity.co.uk> <9b6a8024-7533-ee77-e9ef-391e53bce78e@gdcommunity.co.uk>
Message-ID: <6fb116fc-fa8e-b034-1a8c-787595c6be63@gdcommunity.co.uk>

Ok, done. Thanks.

On 16/12/2016 10:00, Bruno Oliveira wrote:
> Please file a Jira, describing your setup and the steps to reproduce.
>
> On Fri, Dec 16, 2016 at 9:54 AM, marcelo.miura wrote:
>> That's correct, yes!
>>
>> Any ideas?
>>
>> On 16/12/2016 09:50, Bruno Oliveira wrote:
>>> Hmmm, it looks like we have a similar bug
>>> https://issues.jboss.org/browse/KEYCLOAK-3657.
>>>
>>> Is that what happens with your import, but instead of role ids it
>>> changes user ids?

From sblanc at redhat.com Fri Dec 16 08:48:57 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 16 Dec 2016 14:48:57 +0100
Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
In-Reply-To:
References:
Message-ID:

On Fri, Dec 16, 2016 at 1:02 PM, Michael Furman wrote:
> Hi Sebastien,
>
> Thank you for your help!
>
> I need to clarify my questions.
>
> According to my understanding Keycloak handles the full SSO.
>
> For example I have 2 OIDC clients (SpringSecurity adapters) that work with
> the same IDP.
>
> (The clients are not bearer-only clients)
>
> When a user works (performs HTTP requests) on the first OIDC client the
> token on the second OIDC client should be refreshed.
> Otherwise when the user accesses the second client it will not be able
> to work.
>
> Therefore I think that the Keycloak IDP sends some request to the second OIDC
> client to refresh the token.
>
> Is it correct?
>
no

> If yes, what request does the IDP send to the second OIDC client to refresh its
> token?
>
> If not, how does Keycloak allow access to the second OIDC client after
> the user works on the first OIDC client for a long time?
>
For SSO, it will use the session or the cookie (depending on how you configure it), no extra requests are made for the second client.

>
> One additional question about the logout:
>
> If a user executes http:////sso/logout on the first OIDC
> client I think that the token on the second OIDC client becomes invalid
> and also the Keycloak session becomes invalid.
>
yeah the session will be removed so all the clients will be logged out.

>
> This is my understanding of the implementation of Single Logout by
> Keycloak.
>
> Will be happy for the confirmation.
>
> Best regards,
> Michael

From celso.agra at gmail.com Fri Dec 16 08:50:00 2016
From: celso.agra at gmail.com (Celso Agra)
Date: Fri, 16 Dec 2016 10:50:00 -0300
Subject: [keycloak-user] problems to configure trustStore and certification path in keycloak
Message-ID:

Hi all,

I was trying to configure a LDAP connection, but I got an error about my certification path. I believe I should set this on standalone.xml but I don't know how to do that. How can I configure this for my LDAP server?

Also, I did the keytool import from LDAP to my server, and I'm using ldap slave connection.
Here is the error below:

Caused by: javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name 'XXXXXXXXXXXXXX'
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2002)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:168)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:165)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:165)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:159)
    ... 61 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    ... 73 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 85 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 91 more

Best regards,

--
---
*Celso Agra*

From michael_furman at hotmail.com Fri Dec 16 09:20:50 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Fri, 16 Dec 2016 14:20:50 +0000
Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
In-Reply-To:
Message-ID:

Thanks Sebastien,

Can you clarify what you mean by the session or the cookie?
I want to configure for all clients 30 minutes session timeout.
Same timeout for the session cookie on IDP.

Still not clear to me: if a user works 2 hours on the first client and then accesses the second client, how is the session on the second client still active?
Maybe the session on the second client is already not active but the second client redirects to the IDP and sees that the IDP token is valid and then it redirects back with the token to the second client without an authentication.

Correct?

From sthorger at redhat.com Fri Dec 16 09:27:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 16 Dec 2016 15:27:44 +0100
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1481889972665-2011.post@n6.nabble.com>
References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com>
Message-ID:

HttpServletRequest.logout should work, so not sure what's going on. Maybe try one of our examples or demo to see a working application?

On 16 December 2016 at 13:06, ruiwp13 wrote:
> As suggested by Stianst, I used the keycloak login page to login.
>
> I did the redirect to the keycloak login page, but now, when I logout with
> HttpServletRequest.logout() it gives an error in the logs saying invalid_token
> and userId is set to null. I don't send any parameters, only the
> Authorization header with "Bearer token". Do I need to send some parameter
> to logout?
>
> I tried to send client_id, user_id, refresh_token, id_token to the request and
> the error in the log still remains.
>
> type=LOGOUT_ERROR, realmId={realm}, clientId={clientId}, userId=null,
> ipAddress={ip} error=invalid_token, client_auth_method=client-secret
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2011.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ruiwp_93 at hotmail.com Fri Dec 16 09:39:39 2016 From: ruiwp_93 at hotmail.com (ruiwp13) Date: Fri, 16 Dec 2016 07:39:39 -0700 (MST) Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> Message-ID: <1481899179398-2017.post@n6.nabble.com> Just to see if all the steps I performed are OK: 1. I access a secured location from my API 2. I get redirected to keycloak login page 3. After logging in I get redirected to my API which returns true for HttpServletRequest.authenticate meaning I'm authenticated and I can get the access_token from the keycloak security context 4. I set header with Authorization "Bearer " + {access_token} 5. I access the logout method where HttpServletRequest.logout is performed. Is this the correct flow? Yes, it's strange that I get invalid_token, doesn't make sense specially because if I make HttpServletRequest.authenticate in the logout method it says that I am authenticated -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2017.html Sent from the keycloak-user mailing list archive at Nabble.com. From sblanc at redhat.com Fri Dec 16 10:06:34 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 16 Dec 2016 16:06:34 +0100 Subject: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters? In-Reply-To: References: Message-ID: There is only 1 session for that user , no matter how many clients are being used, as long it's belong to the same browser session, that is the whole magic of the sso. On Fri, Dec 16, 2016 at 3:20 PM, Michael Furman wrote: > Thanks Sebastien, > > Can you clarify what you mean the session of the cookie? 
> I want to configire for all clients 30 minutes session timeout. > Same timeout for the session cookie on IDP. > > Still not clear to me if a user will work 2 hours on the first client and > then will access to the second client how the session on the second cliend > still active. > > May be the session on the second client already not active but the second > client redirects to IDP and see that the IDP token is valid and then it > redirects back with the token to the second client without an > authentication. > > Correct? > > On Dec 16, 2016 3:48 PM, Sebastien Blanc wrote: > > > > On Fri, Dec 16, 2016 at 1:02 PM, Michael Furman < > michael_furman at hotmail.com> wrote: > > Hi Sebastien, > > Thank you for your help! > > I need to clarify my questions. > > According to my understanding Keycloak handles the full SSO. > > For example I have 2 OIDC clients (SpringSecurity adapters) that work with > the same IDP. > > (The client are not bearer-only clients) > > When a user works (performs HTTP requests) on the first OIDC client the > token on the second OIDC client should be refreshed. > Otherwise when the user will access the second client it will not be able > to work. > > Therefore I think that Keycloak IDP send some request to the second OIDC > client to refresh the token. > > Is it correct? > > no > > If yes ? what request IDP sends to the second OIDC client to refresh its > token? > > If not ? how Keycloak allows to access to the second OIDC client after > the user works on the first OIDC client for a long time? > > For SSO, it will use the session or the cookie (depending how you > configure it), no extra request are made for the second client. > > > > One additional question about the logout: > > If a user will execute http:////sso/logout on the first OIDC > client I think that the token on the second OIDC client becomes invalid > and also the Keycloak session becomes invalid. > > yeah the session will be removed so all the clients will be logout. 
>
>
> This is my understanding of the implementation of Single Logout by Keycloak.
>
> Will be happy for the confirmation.
>
> Best regards,
> Michael
>
>
>
> ------------------------------
> *From:* Sebastien Blanc
> *Sent:* Friday, December 16, 2016 1:20 PM
> *To:* Michael Furman
> *Cc:* keycloak-user at lists.jboss.org
>
> *Subject:* Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
>
> Not really sure what you are asking for ... To refresh it's this type of url : /protocol/openid-connect/token?grant_type+refresh_token&refresh_token=
>
> And I don't understand your additional question but maybe related to that, a bearer-only client won't have a refresh token.
>
>
>
> On Fri, Dec 16, 2016 at 12:03 PM, Michael Furman < michael_furman at hotmail.com> wrote:
>
> Hi all,
>
> Will be happy for help.
>
> I have tried to search but without success.
>
> Can not find details here:
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sso-protocols/oidc.html
>
>
> Best regards,
>
> Michael
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
> Sent: Thursday, December 15, 2016 10:08 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
>
> Hi,
> Additional question: according to my understanding in case a user works (performs http requests) on some client the Refresh Token HTTP request comes to other OIDC clients.
>
> In case a user does not work on any client the Refresh Token HTTP request does not appear at all.
>
> Will be happy for the confirmation.
> Michael
>
> On Dec 15, 2016 7:26 PM, Michael Furman wrote:
>
> Hi,
> We use the SpringSecurity adapter.
> I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter.
> Can you tell me the URI of the Refresh Token HTTP request for Java Adapters?
> Best regards,
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>

From Michael.Jacobs at nuance.com Fri Dec 16 14:23:06 2016
From: Michael.Jacobs at nuance.com (Jacobs, Michael)
Date: Fri, 16 Dec 2016 19:23:06 +0000
Subject: [keycloak-user] Cross-Site Replication
Message-ID:

Greetings,

I am looking at setting up Cross-site replication for multiple Keycloak clusters, possibly using DB replication. I found this question asked back in May 2016, with no reply.

http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html

Does anyone know the best way to set this up?

MJ

From java at neposoft.com Sat Dec 17 11:35:45 2016
From: java at neposoft.com (java_os)
Date: Sat, 17 Dec 2016 11:35:45 -0500
Subject: [keycloak-user] Spring sec - roles - how?
In-Reply-To: <69dafa24d91a7789ae67ad10d89d9ee4.squirrel@neposoft.com>
References: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com> <69dafa24d91a7789ae67ad10d89d9ee4.squirrel@neposoft.com>
Message-ID: <2f01bf5fc8f1f2a79f9bdf268798d1db.squirrel@neposoft.com>

Hey Sebastien,
So I've created a mapper in the broker to say if claim has a value then set a role on the bearer client say DOOM (I've tested to check for a bogus value that does not come into the specified claim and the DOOM does not show in the token -perfect).
I defined this DOOM role in bearer client and so I can see when I invoke the endpoint on the bearer that this role appears in the token.
But I do not see the connect from this role in the token with what spring sec is doing on :
http.authorizeRequests().antMatchers("/products*").hasRole("DOOM")
I get 403 when calling the method.
Do you have a gist somewhere that does this minimal stuff I am doing on my side?
Appreciate it - thanks.

> Sebastien, sorry - yes done the role mapper in the brokering totally forgot about this - so I guess this is how ldap role propagates to the users' role.
> OK - got the big picture -rest impl details.
> You got me out of the swamp 2nd time - thanks
>
>
>> I'm sorry I'm not sure what you are really asking then.
>> I assume you defined a role mapper when you configured the LDAP brokering in KC ? So your LDAP role will be mapped to a KC role and your user will have that role.
>>
>> The SpringSec app needs to know these roles to be able to check.
>>
>>
>> On Wed, Dec 14, 2016 at 4:24 PM, java_os wrote:
>>
>>> I get this Sebastien - thanks, but ....
>>> My point is: where do you define MY_MAPPED_LDAP_ROLE in KC?
>>> How is a user be able to 'acquire' automatically this MY_MAPPED_LDAP_ROLE and who's setting the claim value into MY_MAPPED_LDAP_ROLE?
>>> am a bit confused >>> thx >>> >>> >>> > You said that your SPA client can read out the roles from the token, >>> well >>> > for the Spring-sec app is exactly the same. When your SPA sends a >>> request >>> > to it, it also passes the token, the Spring-sec adapter will extract >>> the >>> > roles from there (happens here >>> > https://github.com/keycloak/keycloak/blob/master/adapters/ >>> oidc/spring-security/src/main/java/org/keycloak/adapters/ >>> springsecurity/authentication/SpringSecurityRequestAuthentic >>> ator.java#L91-L93 >>> > ). >>> > >>> > >>> > >>> > >>> > >>> > On Wed, Dec 14, 2016 at 2:08 PM, java_os wrote: >>> > >>> >> Hi Sebastien >>> >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? >>> Client >>> >> level in kc, any pointers on how this is done? Getting in the value >>> from >>> >> claim and set it into the MY_MAPPED_LDAP_ROLE?? >>> >> >>> >> I am guessing all logged in users (withing the client) will take the >>> >> role >>> >> above which value will be the claim coming into from idp. >>> >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this check >>> the >>> >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE >>> gets >>> >> defined in KC? Am a bit confused how spring-sec gets the value of >>> the >>> >> MY_MAPPED_LDAP_ROLE. >>> >> >>> >> Am going to dig more on my side, but would be nice if you can shed >>> more >>> >> light from role setup in KC. >>> >> Thanks >>> >> >>> >> >>> >> > Is this not working ? >>> >> > http.authorizeRequests().antMatchers("/products*"). >>> >> hasRole("MY_MAPPED_LDAP_ROLE") >>> >> > ? >>> >> > >>> >> > >>> >> > >>> >> > >>> >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os >>> wrote: >>> >> > >>> >> >> Hi All, >>> >> >> I put up this question a while back and now back to it since no >>> >> answer, >>> >> >> this time with some hope. >>> >> >> I have this SPA (keycloak.js) calling into Rest api bearer >>> protected >>> >> by >>> >> >> KC >>> >> >> - all good. 
>>> >> >> I use KC brokering, so on the Idp side ADFS . User logs in >>> against >>> >> idp, >>> >> >> where in ADFS is configured with a claim that acts as a role. On >>> SPA >>> >> I >>> >> >> can >>> >> >> map out that claim from the token. >>> >> >> The rest api is protected by kc spring sec. I want (and this is >>> what >>> >> I >>> >> >> do >>> >> >> not know) to configure spring sec to react when the call is made >>> to a >>> >> >> specific rest endpoint when the user does not have a specific >>> role >>> >> >> (returning 401). >>> >> >> How can I do this spring sec way - how can I configure spring sec >>> to >>> >> say >>> >> >> check at runtime the users's role for a specific endpoint and >>> deny >>> >> >> access >>> >> >> to the resource. >>> >> >> The big un-known to me is: how does KC client role (which is some >>> >> static >>> >> >> config) relates to the runtime user's role coming from Idp. >>> >> >> Anyone has done this - am sure this is a common use case. >>> >> >> Whoever knows this please share. >>> >> >> Thank you and appreciate it. >>> >> >> >>> >> >> >>> >> >> _______________________________________________ >>> >> >> keycloak-user mailing list >>> >> >> keycloak-user at lists.jboss.org >>> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >>> >> > >>> >> >>> >> >>> >> >>> > >>> >>> >>> >> > > > From java at neposoft.com Sat Dec 17 13:07:19 2016 From: java at neposoft.com (java_os) Date: Sat, 17 Dec 2016 13:07:19 -0500 Subject: [keycloak-user] Spring sec - roles - how?- SOLVED! 
In-Reply-To: <2f01bf5fc8f1f2a79f9bdf268798d1db.squirrel@neposoft.com>
References: <400d88e431d11d0430dadbf4a1ebd114.squirrel@neposoft.com> <69dafa24d91a7789ae67ad10d89d9ee4.squirrel@neposoft.com> <2f01bf5fc8f1f2a79f9bdf268798d1db.squirrel@neposoft.com>
Message-ID: <063c8b7645c806a1db2d84e6bc701c92.squirrel@neposoft.com>

Alright - for the record: spring-boot 1.4.2/spring-security 4.1.3/kc 2.3.0.Final
Changing hasRole to hasAnyAuthority supplying same role it just works.
hasRole somehow is not working (maybe someone here answers why hasRole does not work).
Have tested to break the role coming into when claim check fails in the mapper and get 403 - expected - so kc works - it's a matter to spend time to properly configure it along with using hasAnyAuthority.
Simple like this - hope this helps anyone hitting the wall as I did for the last couple of weeks.

> Hey Sebastien,
> So I've created a mapper in the broker to say if claim has a value then set a role on the bearer client say DOOM (I've tested to check for a bogus value that does not come into the specified claim and the DOOM does not show in the token -perfect).
> I defined this DOOM role in bearer client and so I can see when I invoke the endpoint on the bearer that this role appears in the token.
> But I do not see the connect from this role in the token with what spring sec is doing on :
> http.authorizeRequests().antMatchers("/products*").hasRole("DOOM")
> I get 403 when calling the method.
> Do you have a gist somewhere that does this minimal stuff I am doing on my side?
> Appreciate it - thanks.
>
>> Sebastien, sorry - yes done the role mapper in the brokering totally forgot about this - so I guess this is how ldap role propagates to the users' role.
>> OK - got the big picture -rest impl details.
>> You got me out of the swamp 2nd time - thanks
>>
>>
>>> I'm sorry I'm not sure what you are really asking then.
>>> I assume you defined a role mapper when you configured the LDAP >>> brokering >>> in KC ? So your LDAP role will be mapped to a KC role and your user >>> will >>> have that role. >>> >>> The SpringSec app needs to know these roles to be able to check. >>> >>> >>> On Wed, Dec 14, 2016 at 4:24 PM, java_os wrote: >>> >>>> I get this Sebastien - thanks, but .... >>>> My point is: where do you define MY_MAPPED_LDAP_ROLE in KC? >>>> How is a user be able to 'aquire' automatically this >>>> MY_MAPPED_LDAP_ROLE >>>> and who's setting the claim value into MY_MAPPED_LDAP_ROLE? >>>> am a bit confused >>>> thx >>>> >>>> >>>> > You said that your SPA client can read out the roles from the token, >>>> well >>>> > for the Spring-sec app is exactly the same. When your SPA sends a >>>> request >>>> > to it, it also passes the token, the Spring-sec adapter will extract >>>> the >>>> > roles from there (happens here >>>> > https://github.com/keycloak/keycloak/blob/master/adapters/ >>>> oidc/spring-security/src/main/java/org/keycloak/adapters/ >>>> springsecurity/authentication/SpringSecurityRequestAuthentic >>>> ator.java#L91-L93 >>>> > ). >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > On Wed, Dec 14, 2016 at 2:08 PM, java_os wrote: >>>> > >>>> >> Hi Sebastien >>>> >> Where is "MY_MAPPED_LDAP_ROLE" assigned the value of the claim? >>>> Client >>>> >> level in kc, any pointers on how this is done? Getting in the value >>>> from >>>> >> claim and set it into the MY_MAPPED_LDAP_ROLE?? >>>> >> >>>> >> I am guessing all logged in users (withing the client) will take >>>> the >>>> >> role >>>> >> above which value will be the claim coming into from idp. >>>> >> Then I see you show hasRole("MY_MAPPED_LDAP_ROLE") - does this >>>> check >>>> the >>>> >> actual value of the claim that'll be set when MY_MAPPED_LDAP_ROLE >>>> gets >>>> >> defined in KC? Am a bit confused how spring-sec gets the value of >>>> the >>>> >> MY_MAPPED_LDAP_ROLE. 
>>>> >> >>>> >> Am going to dig more on my side, but would be nice if you can shed >>>> more >>>> >> light from role setup in KC. >>>> >> Thanks >>>> >> >>>> >> >>>> >> > Is this not working ? >>>> >> > http.authorizeRequests().antMatchers("/products*"). >>>> >> hasRole("MY_MAPPED_LDAP_ROLE") >>>> >> > ? >>>> >> > >>>> >> > >>>> >> > >>>> >> > >>>> >> > On Tue, Dec 13, 2016 at 11:51 PM, java_os >>>> wrote: >>>> >> > >>>> >> >> Hi All, >>>> >> >> I put up this question a while back and now back to it since no >>>> >> answer, >>>> >> >> this time with some hope. >>>> >> >> I have this SPA (keycloak.js) calling into Rest api bearer >>>> protected >>>> >> by >>>> >> >> KC >>>> >> >> - all good. >>>> >> >> I use KC brokering, so on the Idp side ADFS . User logs in >>>> against >>>> >> idp, >>>> >> >> where in ADFS is configured with a claim that acts as a role. On >>>> SPA >>>> >> I >>>> >> >> can >>>> >> >> map out that claim from the token. >>>> >> >> The rest api is protected by kc spring sec. I want (and this is >>>> what >>>> >> I >>>> >> >> do >>>> >> >> not know) to configure spring sec to react when the call is made >>>> to a >>>> >> >> specific rest endpoint when the user does not have a specific >>>> role >>>> >> >> (returning 401). >>>> >> >> How can I do this spring sec way - how can I configure spring >>>> sec >>>> to >>>> >> say >>>> >> >> check at runtime the users's role for a specific endpoint and >>>> deny >>>> >> >> access >>>> >> >> to the resource. >>>> >> >> The big un-known to me is: how does KC client role (which is >>>> some >>>> >> static >>>> >> >> config) relates to the runtime user's role coming from Idp. >>>> >> >> Anyone has done this - am sure this is a common use case. >>>> >> >> Whoever knows this please share. >>>> >> >> Thank you and appreciate it. 
>>>> >> >> >>>> >> >> >>>> >> >> _______________________________________________ >>>> >> >> keycloak-user mailing list >>>> >> >> keycloak-user at lists.jboss.org >>>> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >> >> >>>> >> > >>>> >> >>>> >> >>>> >> >>>> > >>>> >>>> >>>> >>> >> >> >> > > > From celso.agra at gmail.com Sat Dec 17 20:20:50 2016 From: celso.agra at gmail.com (Celso Agra) Date: Sat, 17 Dec 2016 22:20:50 -0300 Subject: [keycloak-user] Problems to get an AuthorizationContext using keycloak and Jetty Message-ID: Hi all, Need a help to understand this problem. I'm trying to use Jetty in a simple application. Just to use simple JSP pages. So, I followed this configuration about Jetty 9.X and adapter: https://stianst.gitbooks.io/keycloak-documentation/content/securing_apps_guide/topics/oidc/java/jetty9-adapter.html As an example, I'm using the same code and configs of servlet-authz ( https://github.com/keycloak/keycloak/tree/master/examples/authz/servlet-authz ). Unfortunately when I try to run this code (in index.jsp): <% KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName()); AuthorizationContext authzContext = keycloakSecurityContext.getAuthorizationContext(); %> I got an object authzContext as null. So, I can't get the authorization context, and when I try to get the permissions - authzContext.getPermissions(); I got a java.lang.NullPointerException. Has anyone had this same problem with Jetty? Thanks. 
Best regards,

--
---
*Celso Agra*

From mrrothstein at gmail.com Sat Dec 17 23:59:42 2016
From: mrrothstein at gmail.com (Steve Chernyak)
Date: Sat, 17 Dec 2016 23:59:42 -0500
Subject: [keycloak-user] Create user with roles using java client
Message-ID:

Hello,

I'm trying to create a user associated with a role:

CredentialRepresentation credential = new CredentialRepresentation();
credential.setType(CredentialRepresentation.PASSWORD);
credential.setValue(password);

UserRepresentation user = new UserRepresentation();
user.setUsername(email.getAddress());
user.setCredentials(Arrays.asList(credential));
user.setRealmRoles(Arrays.asList(someRole));

Response response = kc.realm(appRealm).users().create(user);

The response status is the expected 201 and I can see the user in the realm through the admin console. However, the user is not associated with "someRole"... I'm not sure what I'm missing... How should I go about creating a user associated with a role programmatically?

Thanks

From haimv at perfectomobile.com Sun Dec 18 05:28:44 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Sun, 18 Dec 2016 10:28:44 +0000
Subject: [keycloak-user] Offline tokens clients best practice
Message-ID:

Hi,

We noticed that when working with offline tokens the same client that generated the offline token must be the one that will generate an access token from it, if we use a different client we get an error message.

This approach might be problematic since we have users that want to use multiple applications and they shouldn't be aware of the client id or from which application they generated the offline token.

So we would like to use a single client for generating the offline tokens and generating access tokens from them for all of our applications, is it the best practice? Any known disadvantages to that approach?

Thanks,
Haim.
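For the "Create user with roles using java client" question above: the create endpoint ignores `realmRoles` on the `UserRepresentation`, so the role has to be assigned in a second call through the role-mapping resource. This is an added example, not the poster's code or Keycloak's own; it assumes keycloak-admin-client on the classpath, a realm named "app" that already contains the realm role "someRole", and placeholder server URL and admin credentials.

```java
// Added example (not from the thread). Placeholders: server URL, admin credentials, realm "app".
import java.util.Collections;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class CreateUserWithRole {

    /** Creates the user and returns its id; throws if Keycloak did not answer 201. */
    static String createUser(UsersResource users, String username, String password) {
        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue(password);
        credential.setTemporary(false);

        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);
        user.setCredentials(Collections.singletonList(credential));
        // user.setRealmRoles(...) is not honoured by POST /users; roles are mapped below.

        Response response = users.create(user);
        try {
            if (response.getStatus() != 201) {
                throw new IllegalStateException("user create failed: HTTP " + response.getStatus());
            }
            // The new user's id is the last path segment of the Location header.
            String location = response.getHeaderString("Location");
            return location.substring(location.lastIndexOf('/') + 1);
        } finally {
            response.close();
        }
    }

    /** Assigns an existing realm role via the user's realm-level role mapping. */
    static void assignRealmRole(RealmResource realm, String userId, String roleName) {
        RoleRepresentation role = realm.roles().get(roleName).toRepresentation();
        realm.users().get(userId).roles().realmLevel().add(Collections.singletonList(role));
    }

    public static void main(String[] args) {
        Keycloak kc = Keycloak.getInstance(
                "https://keycloak.example.invalid/auth",   // placeholder server URL
                "master", "admin", "admin-password",       // placeholder admin credentials
                "admin-cli");
        RealmResource realm = kc.realm("app");

        String userId = createUser(realm.users(), "alice@example.invalid", "placeholder-pw");
        assignRealmRole(realm, userId, "someRole");

        // Verify the mapping took effect by listing the user's effective realm roles.
        realm.users().get(userId).roles().realmLevel().listEffective()
             .forEach(r -> System.out.println("effective realm role: " + r.getName()));
    }
}
```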
From ugur.kolip at gmail.com Sun Dec 18 14:27:31 2016
From: ugur.kolip at gmail.com (uğur kolip)
Date: Sun, 18 Dec 2016 22:27:31 +0300
Subject: [keycloak-user] Keycloak authorization protected resource with user attributes
Message-ID:

Hi,

I am using keycloak 2.4.0 Final. I try to copy photoz example to spring boot app (with spring boot adapter) and add same features.

Features that I try to add: Make a page which admin user can create users, create protected resources, and adding access ability to users for these protected resource. (to add these I use keycloak-admin-client)

For example, with admin page I create protected resource which uri is campaign/*capm1*/* and campaign/*camp2*/*. spring end points are campaign/{campaignName}/create, campaign/{campaignName}/update, campaign/{campaignName}/delete

For authorization, I add user attribute to user like (key : camp1 value : create,update) or (key:camp2 , value: read) and I try to using these attributes in policy at the protected resource.

my questions:

1. is it right way using attributes to authorization ? can these attributes change at the client side to hack ?
2. My other idea is creating role for each protected resource like (camp1_create,camp1_update) and add to users. is these way suitable ? if I use these way, there are too many roles)
3. when I try to use attributes, add mapping to rest api (photoz-restful-api) but when I add mapping to client app(photoz-html5-client), it works. I don't understand, should we add mapping to client which I call ?
what should I do if I call these api(photoz-restful-api) some other app ?
4. In the js policy, can I use groups and how ?
5. In the js policy, can I get data from my db or endpoint ? (like these : if(someMethod(identity.getId()) == true) $evaluation.grant(); Because I need extra data to authz.
6. can we debug js policy ? I want to know identity, content attributes. console.log not work :)
7. can we use request body to authorization, in js policy or somewhere ?

My main mission is creating protected resource and find a way to authz these endpoints. What should I add to user ? and how use them ?

Thank you for your helping and sorry my english :)

From sthorger at redhat.com Mon Dec 19 03:22:10 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 09:22:10 +0100
Subject: [keycloak-user] Sessions vs Tokens
In-Reply-To:
References:
Message-ID:

Depends on the app type. If it's a server-side web application it's secured with a cookie, but if it's a client-side application or a remote service it's secured by passing the token.

On 14 December 2016 at 20:18, Matt H wrote:

> I'm not sure how best to describe this but I have seen times when I called a secured endpoint (secured with spring security adapter) but a token was not passed and I was able to gain access. The first time I went to a secured endpoint I had to log into keycloak to authenticate, but then on each request, only a session id was passed and no JWT. Is this the standard behavior? If there is no JWT, where are the claims read from?
>
>
> Matt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Mon Dec 19 03:23:58 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 09:23:58 +0100
Subject: [keycloak-user] Cluster Configuration
In-Reply-To:
References:
Message-ID:

Yes, by default clustering traffic is not exposed anymore and you have to explicitly expose it or set up a secure private network for clustering traffic. See https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/multicast.html for more details.

On 14 December 2016 at 22:15, Samuel Lewis wrote:

> Have the setup steps for clustering with Docker changed since the April 2015 blog post?
>
> When I go through those instructions with version 2.0.0.Final I'm not getting anything like 'Received new cluster view: [b5356f1050cc/keycloak|1] (2) [b5356f1050cc/keycloak, f25f922ce14d/keycloak]' in the logs. I only ever see a single node being listed.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Mon Dec 19 03:27:53 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 09:27:53 +0100
Subject: [keycloak-user] Share resources with other users
In-Reply-To:
References:
Message-ID:

Pedro - can you comment on this one please?

On 15 December 2016 at 15:37, Richard van Duijn wrote:

> I'm looking into the possibility to share resources created in the client application to another registered user.
> Does keycloak provide support for that?
>
> Using the authz client I cannot detect any attributes or fields to set besides the owner. I was hoping to set a custom attribute on the ResourceRepresentation object and use that in the policy evaluation.
>
>
> It should IMHO also be possible to create separate resources for the shared resource with the user to share to as owner. But wouldn't that pollute the resources too much?
> I also found this feature request by Pedro Igor which might be related:
> https://issues.jboss.org/browse/KEYCLOAK-3169
>
> Thanks again!
> /Richard
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Mon Dec 19 03:49:10 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 09:49:10 +0100
Subject: [keycloak-user] Cross-Site Replication
In-Reply-To:
References:
Message-ID:

We don't currently support cross-DC replication very well and it is something we are looking at improving in 2017. We're tackling this in stages:

1. Dealing with invalidation caches cross-DC - this is already resolved and is done by using external Infinispan/JDG to replicate invalidation messages cross-DC. I don't think we have documentation on how to set this up yet though.
2. Support with session affinity to a specific DC - as long as all requests for a session are made to the same cluster everything should work already. This is simpler to set up for SAML than for OIDC due to OIDC backchannel requests from both browser and applications for the same session
3. Support session replication - this requires a fair bit of rework on how we do sessions, including during authentication flows, as currently there are too many updates to a session to fully replicate these cross DCs
4. Support without session affinity - allow requests to go to any DC for any session

On 16 December 2016 at 20:23, Jacobs, Michael wrote:

> Greetings,
>
> I am looking at setting up Cross-site replication for multiple Keycloak clusters, possibly using DB replication. I found this question asked back in May 2016, with no reply.
> > http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html > > Does anyone know the best way to set this up? > > > MJ > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Dec 19 03:53:57 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 19 Dec 2016 09:53:57 +0100 Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: <1481899179398-2017.post@n6.nabble.com> References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> Message-ID: On 16 December 2016 at 15:39, ruiwp13 wrote: > Just to see if all the steps I performed are OK: > > 1. I access a secured location from my API > 2. I get redirected to keycloak login page > 3. After logging in I get redirected to my API which returns true for > HttpServletRequest.authenticate meaning I'm authenticated and I can get > the > access_token from the keycloak security context > 4. I set header with Authorization "Bearer " + {access_token} > 5. I access the logout method where HttpServletRequest.logout is performed. > > Is this the correct flow? > Yes, it's strange that I get invalid_token, doesn't make sense specially > because if I make HttpServletRequest.authenticate in the logout method it > says that I am authenticated > Why would you call HttpServletRequest.authenticate within the logout? That makes no sense. > > > > > > -- > View this message in context: http://keycloak-user.88327.x6. > nabble.com/Login-without-Keycloak-Login-Page-tp1974p2017.html > Sent from the keycloak-user mailing list archive at Nabble.com. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ruiwp_93 at hotmail.com Mon Dec 19 04:00:58 2016 From: ruiwp_93 at hotmail.com (ruiwp13) Date: Mon, 19 Dec 2016 02:00:58 -0700 (MST) Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> Message-ID: <1482138058070-2031.post@n6.nabble.com> stianst wrote > On 16 December 2016 at 15:39, ruiwp13 < > ruiwp_93@ > > wrote: > >> Just to see if all the steps I performed are OK: >> >> 1. I access a secured location from my API >> 2. I get redirected to keycloak login page >> 3. After logging in I get redirected to my API which returns true for >> HttpServletRequest.authenticate meaning I'm authenticated and I can get >> the >> access_token from the keycloak security context >> 4. I set header with Authorization "Bearer " + {access_token} >> 5. I access the logout method where HttpServletRequest.logout is >> performed. >> >> Is this the correct flow? >> Yes, it's strange that I get invalid_token, doesn't make sense specially >> because if I make HttpServletRequest.authenticate in the logout method it >> says that I am authenticated >> > > Why would you call HttpServletRequest.authenticate within the logout? That > makes no sense. > > >> >> >> >> >> >> -- >> View this message in context: http://keycloak-user.88327.x6. >> nabble.com/Login-without-Keycloak-Login-Page-tp1974p2017.html >> Sent from the keycloak-user mailing list archive at Nabble.com. 
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at .jboss
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at .jboss
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Just to check if it is authenticated.
When I make HttpServletRequest.authenticate it redirects me to keycloak login page, I login and it redirects me back to my API but without any URL parameters. It is supposed to, right? Then I can get the token from keycloaksecuritycontext.getTokenString(), right?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2031.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From sthorger at redhat.com Mon Dec 19 04:09:57 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 10:09:57 +0100
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1482138058070-2031.post@n6.nabble.com>
References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com>
Message-ID:

On 19 December 2016 at 10:00, ruiwp13 wrote:

> stianst wrote
> > On 16 December 2016 at 15:39, ruiwp13 < ruiwp_93@ > wrote:
> >
> >> Just to see if all the steps I performed are OK:
> >>
> >> 1. I access a secured location from my API
> >> 2. I get redirected to keycloak login page
> >> 3. After logging in I get redirected to my API which returns true for HttpServletRequest.authenticate meaning I'm authenticated and I can get the access_token from the keycloak security context
> >> 4. I set header with Authorization "Bearer " + {access_token}
> >> 5. I access the logout method where HttpServletRequest.logout is performed.
> >>
> >> Is this the correct flow?
> >> Yes, it's strange that I get invalid_token, doesn't make sense specially > >> because if I make HttpServletRequest.authenticate in the logout method > it > >> says that I am authenticated > >> > > > > Why would you call HttpServletRequest.authenticate within the logout? > That > > makes no sense. > > > > > >> > >> > >> > >> > >> > >> -- > >> View this message in context: http://keycloak-user.88327.x6. > >> nabble.com/Login-without-Keycloak-Login-Page-tp1974p2017.html > >> Sent from the keycloak-user mailing list archive at Nabble.com. > >> _______________________________________________ > >> keycloak-user mailing list > >> > > > keycloak-user at .jboss > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > > keycloak-user at .jboss > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > Just to check if it is authenticated. > When I make HttpServletRequest.authenticate if redirects me to keycloak > login page, I login and it redirects me back to my API but without any URL > parameters. It is supposed to, right? Then I can get the token from > keycloaksecuritycontext.getTokenString(), right? > Yes, but to check if authenticated use getUserPrincipal. authenticate is used to request authentication, so is not a way to check if it's authenticated > > > > -- > View this message in context: http://keycloak-user.88327.x6. > nabble.com/Login-without-Keycloak-Login-Page-tp1974p2031.html > Sent from the keycloak-user mailing list archive at Nabble.com. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ruiwp_93 at hotmail.com Mon Dec 19 04:15:30 2016 From: ruiwp_93 at hotmail.com (ruiwp13) Date: Mon, 19 Dec 2016 02:15:30 -0700 (MST) Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> Message-ID: <1482138930709-2033.post@n6.nabble.com> stianst wrote > On 19 December 2016 at 10:00, ruiwp13 < > ruiwp_93@ > > wrote: > >> stianst wrote >> > On 16 December 2016 at 15:39, ruiwp13 < >> >> > ruiwp_93@ >> >> > > wrote: >> > >> >> Just to see if all the steps I performed are OK: >> >> >> >> 1. I access a secured location from my API >> >> 2. I get redirected to keycloak login page >> >> 3. After logging in I get redirected to my API which returns true for >> >> HttpServletRequest.authenticate meaning I'm authenticated and I can >> get >> >> the >> >> access_token from the keycloak security context >> >> 4. I set header with Authorization "Bearer " + {access_token} >> >> 5. I access the logout method where HttpServletRequest.logout is >> >> performed. >> >> >> >> Is this the correct flow? >> >> Yes, it's strange that I get invalid_token, doesn't make sense >> specially >> >> because if I make HttpServletRequest.authenticate in the logout method >> it >> >> says that I am authenticated >> >> >> > >> > Why would you call HttpServletRequest.authenticate within the logout? >> That >> > makes no sense. >> > >> > >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> View this message in context: http://keycloak-user.88327.x6. >> >> nabble.com/Login-without-Keycloak-Login-Page-tp1974p2017.html >> >> Sent from the keycloak-user mailing list archive at Nabble.com. 
>> >> _______________________________________________ >> >> keycloak-user mailing list >> >> >> >> > keycloak-user at .jboss >> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > _______________________________________________ >> > keycloak-user mailing list >> >> > keycloak-user at .jboss >> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> Just to check if it is authenticated. >> When I make HttpServletRequest.authenticate if redirects me to keycloak >> login page, I login and it redirects me back to my API but without any >> URL >> parameters. It is supposed to, right? Then I can get the token from >> keycloaksecuritycontext.getTokenString(), right? >> > > Yes, but to check if authenticated use getUserPrincipal. authenticate is > used to request authentication, so is not a way to check if it's > authenticated > > >> >> >> >> -- >> View this message in context: http://keycloak-user.88327.x6. >> nabble.com/Login-without-Keycloak-Login-Page-tp1974p2031.html >> Sent from the keycloak-user mailing list archive at Nabble.com. >> _______________________________________________ >> keycloak-user mailing list >> > keycloak-user at .jboss >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at .jboss > https://lists.jboss.org/mailman/listinfo/keycloak-user Alright, thank you. But I am still getting the same problem. When I make request.logout() it says invalid_token. And if I make kc.realm(realmName).users().get(user_id).logout() it logs all the sessions in keycloak but no callback arrives to the server. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2033.html Sent from the keycloak-user mailing list archive at Nabble.com. 
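The distinction Stian draws in the exchange above, HttpServletRequest.getUserPrincipal() to find out whether the request is already authenticated versus HttpServletRequest.authenticate() to ask the adapter to start a login, in one servlet. This is an added example, not code from the thread or from the Keycloak project; it assumes a WAR protected by the Keycloak servlet adapter, and the class name and the "/session" path are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.KeycloakSecurityContext;

/*
 * Added example (not from the mailing-list thread or the Keycloak project).
 * Assumes the WAR is secured by the Keycloak servlet adapter; the class name
 * and the "/session" mapping are assumptions.
 */
@WebServlet("/session")
public class SessionStateServlet extends HttpServlet {

    /**
     * Passive check. The container sets a Principal only once the request has
     * been authenticated (Keycloak session cookie or bearer token already
     * validated by the adapter). This never redirects or challenges the client.
     */
    static boolean isAuthenticated(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        return principal != null;
    }

    /** The Keycloak adapter publishes its security context as a request attribute under this key. */
    static KeycloakSecurityContext keycloakContext(HttpServletRequest request) {
        return (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!isAuthenticated(request)) {
            // Active step: request authentication. For a browser the adapter
            // redirects to the Keycloak login page and returns false; the
            // response is then committed, so stop here without writing more.
            if (!request.authenticate(response)) {
                return;
            }
        }

        KeycloakSecurityContext ctx = keycloakContext(request);
        if (ctx == null) {
            // Authenticated by some other mechanism, or the adapter is not active.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Raw access token, usable as "Authorization: Bearer <token>" towards
        // other services secured by the same realm. Treat it as a credential:
        // never write it to logs or to the page.
        String accessToken = ctx.getTokenString();
        String user = ctx.getToken().getPreferredUsername();

        response.setContentType("text/plain");
        response.getWriter().println("authenticated as " + user
                + " (token length " + accessToken.length() + ")");
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Logout handler: decide with getUserPrincipal(), not authenticate(),
        // because authenticate() on an unauthenticated request would start a
        // brand-new login instead of reporting the current state.
        if (isAuthenticated(request)) {
            request.logout();
        }
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

GET /session either returns the caller's identity or triggers the Keycloak login redirect; POST /session ends the container session only when one exists. The example does not address the invalid_token error reported later in the thread, which the thread leaves unresolved.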
From mposolda at redhat.com Mon Dec 19 04:23:29 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 19 Dec 2016 10:23:29 +0100
Subject: [keycloak-user] Cross-Site Replication
In-Reply-To:
References:
Message-ID:

On 19/12/16 09:49, Stian Thorgersen wrote:
> We don't currently support cross-DC replication very well and it is something we are looking at improving in 2017. We're tackling this in stages:
>
> 1. Dealing with invalidation caches cross-DC - this is already resolved and is done by using external Infinispan/JDG to replicate invalidation messages cross-DC. I don't think we have documentation on how to set this up yet though.

I've added some notes for the basic setup https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md . This is the setup for 1 external JDG server and with 2 Keycloak nodes, which are not in the cluster, but they both talk to the JDG server. Feel free to check it, just be aware of all the limitations related to sessions (points 2,3,4).

Marek

> 2. Support with session affinity to a specific DC - as long as all requests for a session are made to the same cluster everything should work already. This is simpler to set up for SAML than for OIDC due to OIDC backchannel requests from both browser and applications for the same session
> 3. Support session replication - this requires a fair bit of rework on how we do sessions, including during authentication flows, as currently there are too many updates to a session to fully replicate these cross DCs
> 4. Support without session affinity - allow requests to go to any DC for any session
>
> On 16 December 2016 at 20:23, Jacobs, Michael wrote:
>
>> Greetings,
>>
>> I am looking at setting up Cross-site replication for multiple Keycloak clusters, possibly using DB replication. I found this question asked back in May 2016, with no reply.
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html
>>
>> Does anyone know the best way to set this up?
>>
>> MJ

From sthorger at redhat.com Mon Dec 19 04:25:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 10:25:34 +0100
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1482138930709-2033.post@n6.nabble.com>
References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com>
Message-ID:

I'm kinda lost at what you are doing. Could you either try one of our examples or provide us with a simple reproducible example?

On 19 December 2016 at 10:15, ruiwp13 wrote:

> Alright, thank you.
> But I am still getting the same problem. When I make request.logout() it says invalid_token.
> And if I make kc.realm(realmName).users().get(user_id).logout() it logs all the sessions in keycloak but no callback arrives to the server.

From ruiwp_93 at hotmail.com Mon Dec 19 05:02:40 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Mon, 19 Dec 2016 03:02:40 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To:
References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com>
Message-ID: <1482141760933-2036.post@n6.nabble.com>

stianst wrote
> I'm kinda lost at what you are doing. Could you either try one of our examples or provide us with a simple reproducible example?

I cannot provide you with an example for you to try. I am posting an image with all the information. Hope this helps to clarify my steps and what I am getting as error.

<http://keycloak-user.88327.x6.nabble.com/file/n2036/request.png>

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2036.html
Sent from the keycloak-user mailing list archive at Nabble.com.
From sthorger at redhat.com Mon Dec 19 05:55:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 11:55:38 +0100
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1482141760933-2036.post@n6.nabble.com>
References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com>
Message-ID:

Nopes, that doesn't help. If you continue to have issues with HttpServletRequest#logout I suggest you try one of our examples/demo and see if they work fine for you. Or otherwise create a bug report and include steps on how to reproduce the issue. Without steps on how to reproduce the issue we are unable to help.

On 19 December 2016 at 11:02, ruiwp13 wrote:

> I cannot provide you with an example for you to try. I am posting an image with all the information. Hope this helps to clarify my steps and what I am getting as error.
>
> <http://keycloak-user.88327.x6.nabble.com/file/n2036/request.png>

From ruiwp_93 at hotmail.com Mon Dec 19 06:32:49 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Mon, 19 Dec 2016 04:32:49 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To:
References: <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com>
Message-ID: <1482147169365-2038.post@n6.nabble.com>

stianst wrote
> Nopes, that doesn't help. If you continue to have issues with HttpServletRequest#logout I suggest you try one of our examples/demo and see if they work fine for you. Or otherwise create a bug report and include steps on how to reproduce the issue. Without steps on how to reproduce the issue we are unable to help.

Thank you for the answers stianst,

I will try with one of the examples, but I don't think it will make a difference on finding out what is wrong here.
The steps to reproduce the problem are in the image. Don't really know how to make them more explicit. I think all the information is there.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2038.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From sthorger at redhat.com Mon Dec 19 07:02:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 19 Dec 2016 13:02:24 +0100
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1482147169365-2038.post@n6.nabble.com>
References: <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482147169365-2038.post@n6.nabble.com>
Message-ID:

Create an issue, include steps on how to reproduce (text rather than image) and include a basic WAR that can be deployed to Tomcat to reproduce the issue. That's it and we can look at it.

On 19 December 2016 at 12:32, ruiwp13 wrote:

> Thank you for the answers stianst,
>
> I will try with one of the examples, but I don't think it will make a difference on finding out what is wrong here.
> The steps to reproduce the problem are in the image. Don't really know how to make them more explicit. I think all the information is there.
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2038.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
From ruiwp_93 at hotmail.com Mon Dec 19 07:05:37 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Mon, 19 Dec 2016 05:05:37 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To:
References: <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482147169365-2038.post@n6.nabble.com>
Message-ID: <1482149137251-2040.post@n6.nabble.com>

stianst wrote
> Create an issue, include steps on how to reproduce (text rather than
> image) and include a basic WAR that can be deployed to Tomcat to reproduce
> the issue. That's it and we can look at it.
>
> On 19 December 2016 at 12:32, ruiwp13 < ruiwp_93@ > wrote:
>
>> stianst wrote
>> > Nopes, that doesn't help. If you continue to have issues with
>> > HttpServletRequest#logout I suggest you try one of our examples/demo
>> > and see if they work fine for you. Or otherwise create a bug report and
>> > include steps on how to reproduce the issue. Without steps on how to
>> > reproduce the issue we are unable to help.
>> >
>> > On 19 December 2016 at 11:02, ruiwp13 < ruiwp_93@ > wrote:
>> >
>> >> stianst wrote
>> >> > I'm kinda lost at what you are doing. Could you either try one of
>> >> > our examples or provide us with a simple reproducible example?
>> The steps to reproduce the problem are in the image. Don't really know
>> how to make them more explicit. I think all the information is there.
>>
>> --
>> View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2038.html
>> Sent from the keycloak-user mailing list archive at Nabble.com.

Will do. Thank you very much stianst.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2040.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From ugur.kolip at gmail.com Mon Dec 19 09:38:37 2016
From: ugur.kolip at gmail.com (uğur kolip)
Date: Mon, 19 Dec 2016 17:38:37 +0300
Subject: [keycloak-user] spring boot protected resource not effect until restart
Message-ID:

Hi,

I use Keycloak 2.4.0.Final, keycloak-spring-boot-adapter, keycloak-tomcat8-adapter, keycloak-authz-client and keycloak-admin-client.

When I create a protected resource, it does not take effect until the Spring Boot app restarts. Is it a bug, or should I do something to make it take effect?
Thank you for helping

From keith.hudson at hudzinga.com Mon Dec 19 09:44:15 2016
From: keith.hudson at hudzinga.com (keith.hudson at hudzinga.com)
Date: Mon, 19 Dec 2016 09:44:15 -0500 (EST)
Subject: [keycloak-user] Offline tokens clients best practice
In-Reply-To:
References:
Message-ID: <1482158655.72736579@apps.rackspace.com>

If you want to use one client-id, I would recommend that you use one client-id to represent your suite of applications and then use security realms and roles to segregate your applications and the corresponding access that your users are granted. The one disadvantage to this is that if you retire an application or need to make security requirements different on a "per application" basis, you will have a tough time managing that with all of your applications using a single client-id.

Depending on the number of applications you are talking about here, I would recommend using separate client-ids per application. Of course, this is based on our own personal configuration where we have a few separate client-ids (less than 5). Perhaps someone with a more extensible setup could offer you a better recommendation.

-----Original Message-----
From: "Haim Vana"
Sent: Sunday, December 18, 2016 5:28am
To: "keycloak-user at lists.jboss.org"
Subject: [keycloak-user] Offline tokens clients best practice

Hi,

We noticed that when working with offline tokens the same client that generated the offline token must be the one that will generate an access token from it; if we use a different client we get an error message.

This approach might be problematic since we have users that want to use multiple applications and they shouldn't be aware of the client id or from which application they generated the offline token.

So we would like to use a single client for generating the offline tokens and generating access tokens from them for all of our applications. Is it the best practice? Any known disadvantages to that approach?

Thanks,
Haim.
From bburke at redhat.com Mon Dec 19 10:28:59 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 19 Dec 2016 10:28:59 -0500
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1482141760933-2036.post@n6.nabble.com>
References: <1481802917142-1974.post@n6.nabble.com> <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com>
Message-ID:

I looked at the image, specifically the @Path("/login") JAX-RS method. What you are attempting will just not work. Period. I don't think you understand how basic servlet, JAX-RS, and HTTP work along with how OpenID Connect works. OpenID Connect (and SAML) require browser redirects. In looking at your code, you're expecting authenticate() to redirect the browser to keycloak, have the user login, then redirect back. This just doesn't do what you expect. And it shouldn't.

Calling servletRequest.authenticate() sets a 302 response with a Location header pointing back to the server. That's it... You actually override what authenticate() did by returning a JAX-RS response.
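The following is an added illustration of the two points made in this thread (Bill: a JAX-RS Response returned after authenticate() overrides the 302 the adapter set; Stian: use getUserPrincipal() to check authentication, not authenticate()). It is not code from the thread or from the Keycloak project; the package name, the /api paths, the role name "user" and the web.xml fragment in the comment are assumptions.

```java
// Added example, not from the thread or the Keycloak project.
// Assumes the Keycloak servlet adapter is installed and that the
// web.xml fragment in the comment below protects /api/secured/*.
// Package, paths and role name are assumptions.
package example;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.KeycloakSecurityContext;

@Path("/api")
public class LoginResource {

    /*
     * Assumed web.xml: the security-constraint is what makes the adapter
     * redirect an unauthenticated browser to Keycloak and back again.
     *
     * <security-constraint>
     *   <web-resource-collection>
     *     <web-resource-name>secured</web-resource-name>
     *     <url-pattern>/api/secured/*</url-pattern>
     *   </web-resource-collection>
     *   <auth-constraint><role-name>user</role-name></auth-constraint>
     * </security-constraint>
     * <login-config><auth-method>KEYCLOAK</auth-method></login-config>
     */

    // The pattern Bill describes as broken: authenticate() sets a 302 with a
    // Location header, and the JAX-RS Response returned right after it
    // overrides that redirect. The browser never completes the login flow
    // the way the adapter expects.
    @GET
    @Path("/login-broken")
    public Response loginBroken(@Context HttpServletRequest req,
                                @Context HttpServletResponse resp)
            throws IOException, ServletException {
        boolean ok = req.authenticate(resp);
        return Response.ok("authenticated=" + ok, MediaType.TEXT_PLAIN).build();
    }

    // The intended pattern: do not call authenticate() from the resource
    // method at all. The container (via the security-constraint above) has
    // already driven the redirect and established the principal by the time
    // this method runs, so the check is simply getUserPrincipal().
    @GET
    @Path("/secured/me")
    public Response me(@Context HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        if (p == null) {
            // Should not happen behind the constraint, but fail closed anyway.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // The adapter stores its security context as a request attribute.
        // Only the token's subject is exposed here, never the raw token string.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        String subject = ctx.getToken().getSubject();
        return Response.ok("user=" + p.getName() + " sub=" + subject,
                           MediaType.TEXT_PLAIN).build();
    }

    // Logout through the container; there is no reason to re-authenticate here.
    @POST
    @Path("/secured/logout")
    public Response logout(@Context HttpServletRequest req) throws ServletException {
        req.logout();
        return Response.noContent().build();
    }
}
```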
From pulgupta at redhat.com Mon Dec 19 10:55:40 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Mon, 19 Dec 2016 21:25:40 +0530
Subject: [keycloak-user] Error while loading the application
In-Reply-To:
References: <20161212190449.GB9601@abstractj.org>
Message-ID:

Hi All,

I have created a bug for the same as we are now facing this for each application having xalan on its classpath.
https://issues.jboss.org/browse/KEYCLOAK-4111

Please share your thoughts on the same.

Regards,
Pulkit

On Thu, Dec 15, 2016 at 3:42 PM, Pulkit Gupta wrote:
> Hi Bruno,
>
> I am consistently able to reproduce the issue if I am using any version of
> Xalan. However if I exclude this transitive dependency then everything works fine.
> I tried overriding the version of xalan to 2.7.2 but still getting the
> same error.
>
> *jar tf xxMyJarxx-SNAPSHOT.war | grep xalan*
> *WEB-INF/lib/xalan-2.7.2.jar*
>
> Not sure if I should open this as a bug with keycloak or there is some
> other work around for this.
>
> Regards,
> Pulkit
>
> On Tue, Dec 13, 2016 at 12:34 AM, Bruno Oliveira wrote:
>
>> What google told me was that is the problem[1]. But you said that nothing
>> has changed, which is odd.
>>
>> If you restart the server everything returns back to normal? Do you have
>> any idea about the steps to reproduce this issue?
>>
>> [1] - http://stackoverflow.com/questions/18493541/invalid-jaxp-api-when-unmarshaling-jaxb
>>
>> On 2016-12-09, Pulkit Gupta wrote:
>> > Hi All,
>> >
>> > We are using Keycloak SAML adapters to authenticate our applications
>> > with Keycloak.
>> > The setup was working fine and the applications were able to
>> > authenticate the users.
>> >
>> > However since today we are getting the below error while loading the
>> > application and this is resulting in a black page for the client.
>> >
>> > Can you please check in case anyone has seen this issue before. Is this
>> > related to java versions as I have not changed anything in the
>> > environments recently.
>> >
>> > 2016-12-09 08:08:08,875 [ajp-/10.7.24.224:8009-2] ERROR [org.apache.catalina.connector] JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.AbstractMethodError: javax.xml.transform.TransformerFactory.setFeature(Ljava/lang/String;Z)V
>> > at __redirected.__TransformerFactory.setFeature(__TransformerFactory.java:161)
>> > at org.keycloak.saml.common.util.TransformerUtil.getTransformerFactory(TransformerUtil.java:113)
>> > at org.keycloak.saml.common.util.TransformerUtil.getTransformer(TransformerUtil.java:81)
>> > at org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString(DocumentUtil.java:238)
>> > at org.keycloak.saml.common.util.DocumentUtil.asString(DocumentUtil.java:454)
>> > at org.keycloak.saml.processing.core.util.XMLSignatureUtil.sign(XMLSignatureUtil.java:340)
>> > at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.sign(SAML2Signature.java:143)
>> > at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.signSAMLDocument(SAML2Signature.java:160)
>> > at org.keycloak.saml.BaseSAML2BindingBuilder.signDocument(BaseSAML2BindingBuilder.java:266)
>> > at org.keycloak.saml.BaseSAML2BindingBuilder$BasePostBindingBuilder.(BaseSAML2BindingBuilder.java:145)
>> > at org.keycloak.saml.BaseSAML2BindingBuilder.postBinding(BaseSAML2BindingBuilder.java:208)
>> > at org.keycloak.adapters.saml.SamlUtil.sendSaml(SamlUtil.java:38)
>> > at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler$5.sendAuthnRequest(AbstractSamlAuthenticationHandler.java:463)
>> > at org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:60)
>> > at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
>> > at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
>> > at org.keycloak.adapters.saml.jbossweb.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:41)
>> > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
>> > at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
>> > at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
>> > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
>> > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
>> > at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:384)
>> > at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
>> > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
>> > at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26)
>> > at com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61)
>> > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
>> > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
>> > at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
>> > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
>> > at java.lang.Thread.run(Thread.java:745)
>> >
>> > --
>> > Thanks,
>> > Pulkit
>> > AMS
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>
> --
> Thanks,
> Pulkit
> AMS

--
Thanks,
Pulkit
AMS

From ruiwp_93 at hotmail.com Mon Dec 19 11:32:36 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Mon, 19 Dec 2016 09:32:36 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To:
References: <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com>
Message-ID: <1482165156177-2045.post@n6.nabble.com>

Bill Burke wrote
> I looked at the image, specifically the @Path("/login") JAX-RS method.
> What you are attempting will just not work. Period. I don't think you
> understand how basic servlet, JAX-RS, and HTTP works along with how Open
> ID Connection works. OpenID Connect (and SAML) require browser
> redirects. In looking at your code, you're expecting authenticate() to
> redirect the browser to keycloak, have the user login, then redirect
> back. This just doesn't do what you expect. And it shouldn't.
> Calling servletRequest.authenticate() sets a 302 response with a
> Location header pointing back to the server. That's it... You
> actually override what authenticate() did by returning a JAX-RS response.

Thank you for the answer Bill,

It does redirect me to keycloak login page and then back to my login page.
The redirect back is managed by keycloak. It redirects back to the application after login. It may have something wrong when I do the authenticate(), but it does redirect me to Keycloak login page. If I knew how everything worked I wouldn't be here asking for help eheh. I came here to know what I was doing wrong or if it was a keycloak problem.

What is the correct way to do it then?

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2045.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From bburke at redhat.com Mon Dec 19 12:08:12 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 19 Dec 2016 12:08:12 -0500
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1482165156177-2045.post@n6.nabble.com>
References: <1481889972665-2011.post@n6.nabble.com> <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com>
Message-ID: <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com>

On 12/19/16 11:32 AM, ruiwp13 wrote:
> Bill Burke wrote
>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>> What you are attempting will just not work. Period. I don't think you
>> understand how basic servlet, JAX-RS, and HTTP works along with how Open
>> ID Connection works. OpenID Connect (and SAML) require browser
>> redirects. In looking at your code, you're expecting authenticate() to
>> redirect the browser to keycloak, have the user login, then redirect
>> back. This just doesn't do what you expect. And it shouldn't.
>> Calling servletRequest.authenticate() sets a 302 response with a
>> Location header pointing back to the server. That's it... You
>> actually override what authenticate() did by returning a JAX-RS response.
> Thank you for the answer Bill,
>
> It does redirect me to keycloak login page and then back to my login page.
> The redirect back is managed by keycloak. It redirects back to the
> application after login. It may have something wrong when I do the
> authenticate(), but it does redirect me to Keycloak login page. If I knew
> how everything worked I wasn't here asking for help eheh. I came here to
> know what I was doing wrong or if it was a keycloak problem.
>
> What is the correct way to do it then?

I'm not sure what you mean by "Login without Keycloak Login Page". Is this a browser application? If so, I strongly suggest you use our adapter and Keycloak Login pages. Login pages can be stylized however you want. You are not using our adapter as it was intended to be used so we just can't help you. You're on your own.

You can do a login without keycloak login pages, but this flow is for REST clients only, not browser applications. Use direct grant [1] to obtain a token. Here's a crude example [2]. Sorry there isn't better docs on this.
[1] https://tools.ietf.org/html/rfc6749#section-4.3
[2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java

From ruiwp_93 at hotmail.com Mon Dec 19 12:28:19 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Mon, 19 Dec 2016 10:28:19 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com>
References: <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com>
Message-ID: <1482168499118-2047.post@n6.nabble.com>

Bill Burke wrote
> On 12/19/16 11:32 AM, ruiwp13 wrote:
>> Bill Burke wrote
>>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>>> What you are attempting will just not work. Period. I don't think you
>>> understand how basic servlet, JAX-RS, and HTTP works along with how Open
>>> ID Connection works. OpenID Connect (and SAML) require browser
>>> redirects. In looking at your code, you're expecting authenticate() to
>>> redirect the browser to keycloak, have the user login, then redirect
>>> back. This just doesn't do what you expect. And it shouldn't.
>>> Calling servletRequest.authenticate() sets a 302 response with a
>>> Location header pointing back to the server. That's it... You
>>> actually override what authenticate() did by returning a JAX-RS
>>> response.
>> Thank you for the answer Bill,
>>
>> It does redirect me to keycloak login page and then back to my login
>> page.
>> The redirect back is managed by keycloak. It redirects back to the
>> application after login.
>> It may have something wrong when I do the
>> authenticate(), but it does redirect me to Keycloak login page. If I knew
>> how everything worked I wasn't here asking for help eheh. I came here to
>> know what I was doing wrong or if it was a keycloak problem.
>>
>> What is the correct way to do it then?
> I'm not sure what you mean by "Login without Keycloak Login Page". Is
> this a browser application? If so, I strongly suggest you use our
> adapter and Keycloak Login pages. Login pages can be stylized however
> you want. You are not using our adapter as it was intended to be used
> so we just can't help you. You're on your own.
>
> You can do a login without keycloak login pages, but this flow is for
> REST clients only, not browser applications. Use direct grant [1] to
> obtain a token. Here's a crude example [2] Sorry there isn't better
> docs on this.
>
> [1] https://tools.ietf.org/html/rfc6749#section-4.3
> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java

Thank you for your kindness Bill.

Yes, it is a browser application but I can also make the login through REST. At first, I was making the login with direct grant flow like in [2]. But when I logged out the token would still be active in the application although the session had been terminated in Keycloak. So I asked in the forum and saw a post where they said backchannel logout isn't possible with direct_grant and I had to use the adapters. So I was trying to do the adapter flow with the HttpServletRequest.authenticate() and logout() through the browser and made this post.

Basically:

1. When I tried the direct grant flow, the token was not being invalidated after logout and I was told it wouldn't be possible to invalidate the token unless I used the adapters.

2. I am trying to do it with the adapters, using a browser and redirecting to Keycloak Login page and then back to my API, and the problem that I am having now with the adapter flow is that it says invalid_token when I logout. Maybe in this one I am doing something wrong in login, but I am not sure what. I don't see specifically anywhere how to use the adapter here with the Servlet.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2047.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From thomas.darimont at googlemail.com Mon Dec 19 12:34:07 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Mon, 19 Dec 2016 18:34:07 +0100
Subject: [keycloak-user] programmatic authentication flow
In-Reply-To:
References:
Message-ID:

Hello Steve,

something similar to what you want is already available in Keycloak. Look for the "Conditional OTP Form" in the "Create Authenticator Execution" screen, when you create a new Authenticator Execution.

The implementation can be found in the keycloak-services module:
org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator

Cheers,
Thomas

2016-12-14 14:06 GMT+01:00 Steve Favez :
> Hi all,
>
> I'd like to implement the following use case. I need a Browser
> authentication flow that will add, after User / Password Form
> Authenticator, a kind of "access rules" authenticator, that will, according
> to some request parameters (for example, ip address, or application),
> add dynamically a second factor authenticator in the flow (like OTP or
> SMS).
> Furthermore, I'd like to be able to provide a choice of 2FA systems to the
> end user (for example, we provide a set of second factors, and the end user
> can choose the one he'd like to use).
> So, if some "strong authentication" criteria are matched during browser > authentication process, after providing user and password, user will get a > form allowing him to choose the second factor system he'd like to use to > authenticate. > My goal is to be able to reuse existing authenticators. (So, not to write a > big 2fa authenticator with all authenticators duplicated inside). > > Thanks in advance for your valuable input > > Cheers > > St > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From thomas.darimont at googlemail.com Mon Dec 19 13:04:42 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 19 Dec 2016 19:04:42 +0100 Subject: [keycloak-user] Cluster Configuration In-Reply-To: References: Message-ID: Hello Samuel, you can find a working clustered keycloak docker environment here: https://github.com/jugsaar/visit-yajug-20161023-keycloak Cheers, Thomas 2016-12-19 9:23 GMT+01:00 Stian Thorgersen : > Yes, by default clustering traffic is not exposed anymore and you have to > explicitly expose it or set up a secure private network for clustering > traffic. See > https://keycloak.gitbooks.io/server-installation-and- > configuration/content/topics/clustering/multicast.html > for more details. > > On 14 December 2016 at 22:15, Samuel Lewis wrote: > > > Have the setup steps for clustering with Docker changed since the April > > 2015 blog post? > > > > When I go through those instructions with version 2.0.0.Final I'm not > > getting anything like 'Received new cluster view: > [b5356f1050cc/keycloak|1] > > (2) [b5356f1050cc/keycloak, f25f922ce14d/keycloak]' in the logs. I only > > ever see a single node being listed.
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Mon Dec 19 13:31:51 2016 From: psilva at redhat.com (Pedro Igor) Date: Mon, 19 Dec 2016 16:31:51 -0200 Subject: [keycloak-user] Keycloak authorization protected resource with user attributes In-Reply-To: References: Message-ID: <142f487e-e321-4443-8606-1532c4bf5c40@getmailbird.com> Hi, answers inline.

On 12/18/2016 5:30:03 PM, uğur kolip wrote:

Hi, I am using keycloak 2.4.0 Final. I try to copy the photoz example to a spring boot app (with spring boot adapter) and add the same features. Features that I try to add: make a page where an admin user can create users, create protected resources, and give users access to these protected resources (to add these I use keycloak-admin-client). For example, with the admin page I create a protected resource whose uri is campaign/*capm1*/* and campaign/*camp2*/*. Spring end points are campaign/{campaignName}/create, campaign/{campaignName}/update, campaign/{campaignName}/delete. For authorization, I add a user attribute to the user like (key: camp1, value: create,update) or (key: camp2, value: read) and I try to use these attributes in the policy at the protected resource.

Pedro Igor: Aren't create and update scopes? If they are actions you can perform on a resource, you probably need to map them as such. Resources can have scopes and you can apply permissions to a resource or for specific scopes. Or a combination of resource + scopes.

my questions:

1. Is it the right way to use attributes for authorization? Can these attributes be changed at the client side to hack?

Pedro Igor: You can use attributes for authorization, we are ABAC friendly and whatever you have in your token as a claim can be used to create policies. However, the only way you can do ABAC right now is using either JS or Rule policies. We do have plans to support OOTB a specific ABAC policy provider with its own UI.

2. My other idea is creating a role for each protected resource like (camp1_create, camp1_update) and adding them to users. Is this way suitable? (If I use this way, there are too many roles.)

Pedro Igor: It seems you are trying to build something that we are planning to support. Allow users to manage their own resources. Things like resource sharing, etc. Is that what you are looking for?

3. When I try to use attributes, I add the mapping to the rest api (photoz-restful-api) but when I add the mapping to the client app (photoz-html5-client), it works. I don't understand, should we add the mapping to the client which I call? What should I do if I call this api (photoz-restful-api) from some other app?

Pedro Igor: When you authenticate you do that through the photoz-html5-client, which is acting on your behalf in order to obtain authentication and authorization data from Keycloak. That is why you need to map things to photoz-html5-client. What our authorization endpoints do is introspect this token and extract all information from it in order to pass to your policies during evaluation.

4. In the js policy, can I use groups and how?

Pedro Igor: We don't support a Group-based policy right now, it is something we have a JIRA for. However, groups are just another claim within a token thus can be obtained from your JS policy. It is not the better way, but it should work. Better would be once we get the GBAC JIRA done.

5. In the js policy, can I get data from my db or endpoint? (like this: if(someMethod(identity.getId()) == true) $evaluation.grant(); Because I need extra data to authz.

Pedro Igor: No, you can't. But that is probably something we can improve in order to push objects to your JS code when using the JS policy. However, you can write your own policy providers if you need to.

6. Can we debug the js policy? I want to know identity, content attributes. console.log does not work :)

Pedro Igor: You can use print("something") instead. But no online debugger or anything like that. One thing you can do is use our evaluation tool when developing your policies.

7. Can we use the request body for authorization, in the js policy or somewhere?

Pedro Igor: Not right now. But we do have some built-in attributes that we push during evaluation of policies, for instance, the user agent, client address, etc.

My main mission is creating protected resources and finding a way to authz these endpoints. What should I add to the user? And how to use them? Thank you for your help and sorry for my English :)

_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From lists at merit.unu.edu Mon Dec 19 13:57:51 2016 From: lists at merit.unu.edu (lists) Date: Mon, 19 Dec 2016 19:57:51 +0100 Subject: [keycloak-user] ldap server credentials only 10 chars saved? Message-ID: Hi, I just wanted to create my first JIRA bug report, but wanted to check that others are also seeing the same problem. Fresh 2.4.0 install, I added an AD ldap server federation backend with a 20 character password. The "test connection" / "test authentication" buttons both confirm that the settings are correct. It shows the 20 dots for the password. After I click 'save', only 10 password dots remain, and the "test authentication" button now fails. Should I file a bug report about this? This DOES seem to work in 2.3.0. MJ From lists at merit.unu.edu Mon Dec 19 14:18:50 2016 From: lists at merit.unu.edu (lists) Date: Mon, 19 Dec 2016 20:18:50 +0100 Subject: [keycloak-user] ldap server credentials only 10 chars saved?
In-Reply-To: References: Message-ID: No, the issue seems to be even different: ANY password I try to save changes into a 10-dot password, even shorter ones. So after saving, the password shows 10 characters, and it no longer works to authenticate. Hard to believe such a major issue would exist on 2.4.0-Final... Does it work for others? On 19-12-2016 19:57, lists wrote: > Hi, > > I just wanted to create my first JIRA bug report, but wanted to check > that others are also seeing the same problem. > > Fresh 2.4.0 install, I added an AD ldap server federation backend with a > 20 character password. > > The "test connection" / "test authentication" buttons both confirm that > the settings are correct. It shows the 20 dots for the password. > > After I click 'save', only 10 password dots remain, and the "test > authentication" button now fails. > > Should I file a bug report about this? This DOES seem to work in 2.3.0. > > MJ > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From michael_furman at hotmail.com Mon Dec 19 15:04:31 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Mon, 19 Dec 2016 20:04:31 +0000 Subject: [keycloak-user] How to work with SpringSecurity adapter behind HTTP proxy? In-Reply-To: References: , Message-ID: HI Sebastien, I really need your help. I read the thread, I have configured the Apache HTTP proxy to send all required X-Forward* headers. Unfortunately the redirect URI string is still created in the wrong way. According to my understanding, in the Spring Security Adapter there should be code that handles the X-Forward* headers. Like io.undertow.server.handlers.ProxyPeerAddressHandler in the IDP. Can you point me to the code that handles the X-Forward* headers? Maybe I will find the bug and I will be able to fix it.
Thanks in advance, Best regards, Michael ________________________________ From: Sebastien Blanc Sent: Thursday, December 15, 2016 12:45 PM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: How to work with SpringSecurity adapter behind HTTP proxy? Hi Michael ! Before we do any code change , could you check if your answer is not in the following thread ? http://lists.jboss.org/pipermail/keycloak-user/2016-May/006287.html Looks like SpringSec should handle correctly the x-forwarded-proto and host headers ... On Thu, Dec 15, 2016 at 9:10 AM, Michael Furman > wrote: HI Sebastien, (I have changed the subject since the root cause of the problem is different). I have debugged the code and I have found the following. Please look at getRedirectUri of org.keycloak.adapters.OAuthRequestAuthenticator: It just takes the request URI and creates the redirect URI string: protected String getRedirectUri(String state) { String url = this.getRequestUrl(); Please note that when you work behind getRequestUrl() will always be localhost and therefore I think SpringSecurity adapter can not work behind HTTP proxy. How can I change the code in the minimal way it will support the HTTP proxy? Best regards, Michael ________________________________ From: Michael Furman > Sent: Tuesday, December 13, 2016 2:25 PM To: Sebastien Blanc Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. Thanks Sebastien, I see the link but supposed it is related only to Keycloak IDP. Is it also relevant to SpringSecurity adapter? Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers? Best regards, Michael ________________________________ From: Sebastien Blanc > Sent: Tuesday, December 13, 2016 2:19 PM To: Michael Furman Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. 
TBH I have not that much experience with configuring a proxy but : - Have you looked at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html (it also cover proxy configuration) - Search the user list, I see often question around this maybe you can find your answer there) On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman > wrote: HI Sebastien, The problem is not related to HTTPS but to the reverse proxy When I access to SpringSecurity adapter RP over HTTP but behind the Apache HTTPD reverse proxy (the client configuration in IDP configured also HTTP) the redirect_uri is replaced to localhost: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf-1f99d2278836&login=true&scope=openid Then, I get the error WE'RE SORRY ... Invalid parameter: redirect_uri What should I configure to allow to work with proxy? Any help will be appreciated. Best regards, Michael ________________________________ From: keycloak-user-bounces at lists.jboss.org > on behalf of Michael Furman > Sent: Tuesday, December 13, 2016 1:17 PM To: Sebastien Blanc Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. Hi, Important clarification: The HTTPS handshake is by Apache httpd server that is also reverse proxy for Tomcat. Tomcat is located on the same ip. SpringSecurity RP is deployed in Tomcat. 
Best regards On Dec 13, 2016 12:44 PM, Michael Furman > wrote: Example 2: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTP Example 3: SpringSecurity adapter RP is over HTTP (the client configuration in IDP configured also HTTP) IDP is over HTTP BTW, Example 1: SpringSecurity adapter RP is over HTTPS (the client configuration in IDP configured also HTTPS) IDP is over HTTPS ________________________________ From: Sebastien Blanc > Sent: Tuesday, December 13, 2016 12:23 PM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Very strange behavior when access to IDP from SpringSecurity adapter over HTTPS. What is the difference between your example 2 and example 3 ? On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman >> wrote: Hi all, I try to access from SpringSecurity adapter over HTTPS without success. When I try to access to IDP over HTTPS the redirect_uri is replaced to localhost: https://192.168.110.2:8443/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f-ba1e3eae8084&login=true&scope=openid Then I get this error in UI: WE'RE SORRY ... Invalid parameter: redirect_uri Similar, when I try to access to IDP over HTTP, the redirect_uri is replaced to localhost: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6-07d0a7f4bc99&login=true&scope=openid Same error in UI: WE'RE SORRY ... 
Invalid parameter: redirect_uri Only if I access from SpringSecurity adapter over HTTP the redirect_uri has the correct value and it works: http://192.168.110.2:9080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2-c882c9625479&login=true&scope=openid Finally I can see the login page. What is wrong in my configurations? Any help will be appreciated. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From deepu.laghuvaram at gmail.com Mon Dec 19 15:17:03 2016 From: deepu.laghuvaram at gmail.com (Raghu Laghuvaram) Date: Mon, 19 Dec 2016 15:17:03 -0500 Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production? Message-ID: We are evaluating Keycloak as SSO solution for our retail application and we would like to know if there are any clients using Keycloak SSO solution in their production? It would give us a lot of confidence if we know that someone is already using it in their production.
Thanks, Deep From thomas.raehalme at aitiofinland.com Mon Dec 19 15:24:14 2016 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Mon, 19 Dec 2016 22:24:14 +0200 Subject: [keycloak-user] How to work with SpringSecurity adapter behind HTTP proxy? In-Reply-To: References: Message-ID: Hi! Are you using Tomcat? Please have a look at the two documents below. You need to configure Tomcat properly when behind a load balancer and not using AJP. http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve Best regards, Thomas On Dec 19, 2016 10:07 PM, "Michael Furman" wrote: > HI Sebastien, > I really need your help. > I read the thread, I have configured the Apache HTTP proxy to send all > required X-Forward* headers. > Unfortunately the redirect URI string still created in the wrong way. > According to my understanding in the Spring Security Adapter should be > code that handle the X-Forward* headers. > Like io.undertow.server.handlers.ProxyPeerAddressHandler in the IDP. > Can you point me to the code that handle the X-Forward* headers? > May be I will found the bug and I will be able to fix it. > Thanks in advance, > Best regards, > Michael > > > ________________________________ > From: Sebastien Blanc > Sent: Thursday, December 15, 2016 12:45 PM > To: Michael Furman > Cc: keycloak-user at lists.jboss.org > Subject: Re: How to work with SpringSecurity adapter behind HTTP proxy? > > Hi Michael ! > > Before we do any code change , could you check if your answer is not in > the following thread ? http://lists.jboss.org/ > pipermail/keycloak-user/2016-May/006287.html > Looks like SpringSec should handle correctly the x-forwarded-proto and > host headers ... > > > > On Thu, Dec 15, 2016 at 9:10 AM, Michael Furman < > michael_furman at hotmail.com> wrote: > HI Sebastien, > (I have changed the subject since the root cause of the problem is > different). 
> I have debugged the code and I have found the following. > Please look at getRedirectUri of org.keycloak.adapters. > OAuthRequestAuthenticator: > It just takes the request URI and creates the redirect URI string: > protected String getRedirectUri(String state) { > String url = this.getRequestUrl(); > > Please note that when you work behind getRequestUrl() will always be > localhost and therefore I think SpringSecurity adapter can not work behind > HTTP proxy. > > How can I change the code in the minimal way it will support the HTTP > proxy? > Best regards, > Michael > > > > ________________________________ > From: Michael Furman michael_furman at hotmail.com>> > Sent: Tuesday, December 13, 2016 2:25 PM > To: Sebastien Blanc > Subject: Re: [keycloak-user] Very strange behavior when access to IDP from > SpringSecurity adapter over HTTPS. > > Thanks Sebastien, > I see the link but supposed it is related only to Keycloak IDP. > Is it also relevant to SpringSecurity adapter? > Will SpringSecurity adapter handle X-Forwarded-Proto or other HTTP headers? > Best regards, > Michael > > > ________________________________ > From: Sebastien Blanc > > Sent: Tuesday, December 13, 2016 2:19 PM > To: Michael Furman > Subject: Re: [keycloak-user] Very strange behavior when access to IDP from > SpringSecurity adapter over HTTPS. 
> > TBH I have not that much experience with configuring a proxy but : > - Have you looked at https://keycloak.gitbooks.io/server-installation-and- > configuration/content/topics/clustering/load-balancer.html (it also cover > proxy configuration) > - Search the user list, I see often question around this maybe you can > find your answer there) > > > > On Tue, Dec 13, 2016 at 1:13 PM, Michael Furman < > michael_furman at hotmail.com> wrote: > HI Sebastien, > The problem is not related to HTTPS but to the reverse proxy > When I access to SpringSecurity adapter RP over HTTP but behind the Apache > HTTPD reverse proxy (the client configuration in IDP configured also HTTP) > the redirect_uri is replaced to localhost: > http://192.168.110.2:9080/auth/realms/master/protocol/ > openid-connect/auth?response_type=code&client_id= > testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081% > 2Fapp%2Fsso%2Flogin&state=3%2Fc6734b8c-6679-45b6-8acf- > 1f99d2278836&login=true&scope=openid > Then, I get the error > > WE'RE SORRY ... > Invalid parameter: redirect_uri > > What should I configure to allow to work with proxy? > Any help will be appreciated. > Best regards, > Michael > > > ________________________________ > From: keycloak-user-bounces at lists.jboss.org user-bounces at lists.jboss.org> > on behalf of Michael > Furman > > Sent: Tuesday, December 13, 2016 1:17 PM > To: Sebastien Blanc > > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Very strange behavior when access to IDP from > SpringSecurity adapter over HTTPS. > > Hi, > Important clarification: > The HTTPS handshake is by Apache httpd server that is also reverse proxy > for Tomcat. > > > Tomcat is located on the same ip. > > SpringSecurity RP is deployed in Tomcat. 
> > Best regards > > > > > On Dec 13, 2016 12:44 PM, Michael Furman mailto:michael_furman at hotmail.com>> wrote: > > Example 2: > > SpringSecurity adapter RP is over HTTPS (the client configuration in IDP > configured also HTTPS) > > IDP is over HTTP > > > > Example 3: > > SpringSecurity adapter RP is over HTTP (the client configuration in IDP > configured also HTTP) > > IDP is over HTTP > > > > BTW, > > Example 1: > > SpringSecurity adapter RP is over HTTPS (the client configuration in IDP > configured also HTTPS) > > IDP is over HTTPS > > > > ________________________________ > From: Sebastien Blanc > > Sent: Tuesday, December 13, 2016 12:23 PM > To: Michael Furman > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] Very strange behavior when access to IDP from > SpringSecurity adapter over HTTPS. > > What is the difference between your example 2 and example 3 ? > > On Tue, Dec 13, 2016 at 11:12 AM, Michael Furman < > michael_furman at hotmail.com michael_furman at hotmail.com>> wrote: > Hi all, > I try to access from SpringSecurity adapter over HTTPS without success. > When I try to access to IDP over HTTPS the redirect_uri is replaced to > localhost: > > https://192.168.110.2:8443/auth/realms/master/protocol/ > openid-connect/auth?response_type=code&client_id= > testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081% > 2Fapp%2Fsso%2Flogin&state=0%2Fdb8aabf5-0756-4eef-992f- > ba1e3eae8084&login=true&scope=openid > > Then I get this error in UI: > WE'RE SORRY ... > Invalid parameter: redirect_uri > > Similar, when I try to access to IDP over HTTP, the redirect_uri is > replaced to localhost: > http://192.168.110.2:9080/auth/realms/master/protocol/ > openid-connect/auth?response_type=code&client_id= > testclient&redirect_uri=http%3A%2F%2Flocalhost%3A8081% > 2Fapp%2Fsso%2Flogin&state=0%2F66c8bcdb-7ebc-4812-afb6- > 07d0a7f4bc99&login=true&scope=openid > > Same error in UI: > WE'RE SORRY ... 
> Invalid parameter: redirect_uri > > Only if I access from SpringSecurity adapter over HTTP the redirect_uri > has correct value and it works: > http://192.168.110.2:9080/auth/realms/master/protocol/ > openid-connect/auth?response_type=code&client_id= > testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081% > 2Fapp%2Fsso%2Flogin&state=2%2F7553a833-0fdf-48e8-afc2- > c882c9625479&login=true&scope=openid > > Finally I can see the login page. > What wrong in my configurations? > Any help will be appreciated. > Best regards, > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mposolda at redhat.com Mon Dec 19 15:39:10 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 19 Dec 2016 21:39:10 +0100 Subject: [keycloak-user] ldap server credentials only 10 chars saved?
In-Reply-To: References: Message-ID: <0a9f5c42-d298-04c3-ce45-466053cf36f6@redhat.com> This is reported already and will be fixed in next version https://issues.jboss.org/browse/KEYCLOAK-4038 . Just a note that this is not major issue. You're right that the button "Test authentication" doesn't work after LDAP provider configuration is saved, however the LDAP connection itself works fine. LDAP bind password is saved on the server-side correctly, it is just hidden from the UI and hence why "Test authentication" button doesn't work as it is currently always using the stuff from UI. Marek On 19/12/16 20:18, lists wrote: > No, the issue seems to be even different: > > ANY password I try to save, changes into a 10-dot-password, even shorter > ones. So after saving, the password shows 10 characters, and it no > longer works to authenticate. > > Hard to believe such a major issue would exist on 2.4.0-Final... > > Does it work for others? > > On 19-12-2016 19:57, lists wrote: >> Hi, >> >> I just wanted to create my first JIRA bug report, but wanted to check >> that others are also seeing the same problem. >> >> Fresh 2.4.0 install, I added an AD ldap server federation backend with a >> 20 character password. >> >> The "test connection" / "test authentication" buttons both confirm that >> the settings are correct. It shows the 20 dots for the password. >> >> After I click 'save', only 10 password dots remain, and the "test >> authentication" button now fails. >> >> Should I file a bug report about this? This DOES seem to work in 2.3.0. 
>> >> MJ >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jcain at redhat.com Mon Dec 19 17:57:02 2016 From: jcain at redhat.com (Josh Cain) Date: Mon, 19 Dec 2016 16:57:02 -0600 Subject: [keycloak-user] New Device Sign-in Notifications? Message-ID: <1482188222.13800.1.camel@redhat.com> Hi all, We're looking to start sending out new device sign-in notifications from our Keycloak IDP. Is this a feature that's supported OOTB? I combed through the docs and Jira and all I could find was KEYCLOAK-242[0]. If it's not supported, can I implement a la Google[1]? [0] https://issues.jboss.org/browse/KEYCLOAK-242 [1] http://googlesystem.blogspot.com/2015/05/google-sends-email-notifications-for.html -- Josh Cain | Software Applications Engineer Identity and Access Management Red Hat +1 256-452-0150 From niko at n-k.de Tue Dec 20 01:50:52 2016 From: niko at n-k.de (Niko Köbler) Date: Tue, 20 Dec 2016 07:50:52 +0100 Subject: [keycloak-user] Info about locked user at login? Message-ID: <3EE3CB85-F915-476F-ABD9-69303579543F@n-k.de> Hi all, is there a possibility to show at the login form that the current user trying to login is locked/disabled due to brute force settings? I understand that this is also a security issue to show that the user is (temporarily) locked, b/c then you know that the user exists. But anyway, is there a possibility to show this information? And if yes, how do I configure/implement it?
Thanks, - Niko From cmoullia at redhat.com Tue Dec 20 04:18:45 2016 From: cmoullia at redhat.com (Charles Moulliard) Date: Tue, 20 Dec 2016 10:18:45 +0100 Subject: [keycloak-user] Red Hat SSO - Issue on OpenShift Dedicated Message-ID: Hi, This project (= Spring Boot App secured with Red Hat SSO & Keycloak Adapter) which was working last Friday on " https://console.engint.openshift.com/console" doesn't work anymore If I issue a curl/httpie request, I receive a token but next when I try to access the service, OpenShift returns ./scripts/httpie/token_req.sh >>> Greeting GET /greeting HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...AC7tLlhit79g Connection: keep-alive Host: secured-springboot-rest-sso.e8ca.engint.openshiftapps.com User-Agent: HTTPie/0.9.6 HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html
503 Service Unavailable
No server is available to handle this request. When I issue a curl request within the pod running the SpringBoot app, I get a response from the Red Hat SSO Server sh-4.2$ more /etc/hosts # Kubernetes-managed hosts file. 127.0.0.1 localhost 10.1.7.20 secured-springboot-rest-5-7tcxs sh-4.2$ curl -k -v http://10.1.7.20:8080/greeting * About to connect() to 10.1.7.20 port 8080 (#0) * Trying 10.1.7.20... * Connected to 10.1.7.20 (10.1.7.20) port 8080 (#0) > GET /greeting HTTP/1.1 > User-Agent: curl/7.29.0 > Host: 10.1.7.20:8080 > Accept: */* > < HTTP/1.1 302 Found < Server: Apache-Coyote/1.1 < Cache-Control: private < Expires: Thu, 01 Jan 1970 00:00:00 UTC < Set-Cookie: JSESSIONID=C6437B316FE0C08F833B0B5F9DEEB231; Path=/; HttpOnly < Set-Cookie: OAuth_Token_Request_State=5/64fcf1a6-1b05-4235-8463-3eb024e1a0c5; Version=1; HttpOnly < Location: https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=demoapp&redirect_uri=http%3A%2F%2F10.1.7.20%3A8080%2Fgreeting&state=5%2F64fc f1a6-1b05-4235-8463-3eb024e1a0c5&login=true What is the problem ? Regards, Charles From lists at merit.unu.edu Tue Dec 20 04:57:39 2016 From: lists at merit.unu.edu (lists) Date: Tue, 20 Dec 2016 10:57:39 +0100 Subject: [keycloak-user] chrome on windows In-Reply-To: References: <397e3095-c4a3-4c27-92de-97c56b65d569@merit.unu.edu> Message-ID: <406fc829-e171-65f0-5676-b5b50986494f@merit.unu.edu> Hi, On 14-12-2016 7:00, Stian Thorgersen wrote: > Strange - this should not happen. Do you have steps to reproduce? Please > create a JIRA if you do and also include a screenshot. I have been trying to reproduce this on 2.4.0 but I cannot. (it was happening on 2.3.0) I guess this became fixed somehow. 
MJ From eduard.matuszak at worldline.com Tue Dec 20 05:14:19 2016 From: eduard.matuszak at worldline.com (Matuszak, Eduard) Date: Tue, 20 Dec 2016 10:14:19 +0000 Subject: [keycloak-user] updateCredential-method: relevance of output true or false Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723E89F40@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Hello Could you please explain the meaning of the boolean result of boolean updateCredential(RealmModel realm, UserModel user, CredentialInput input); in package org.keycloak.credential.CredentialInputUpdater (Keycloak 2.4.0 Final)? It's not obvious to me if there are any differences in Keycloak's behaviour between returning true or false when overriding the method in a customized federation provider, whereas I realized that error handling can be triggered by throwing an exception. Thanks in advance, Eduard Matuszak From avinash at avinash.com.np Tue Dec 20 05:29:03 2016 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Tue, 20 Dec 2016 16:14:03 +0545 Subject: [keycloak-user] regarding custom attributes and mapping resources to users Message-ID: Hello Community, I am fairly new to using keycloak and still getting immersed into the authentication and authorization jargon. I have some basic queries that I am curious about. * Regarding the custom attributes for each user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html). Is this something that a user can edit for themselves or is it something for an administrator to manage custom content for the user? Basically, as an administrator can I put information that should be hidden from the user as a custom attribute? * My second question is more about the architecture of applications with authentication and authorization. What are the best practices to map roles to specific resources? For example, if I have a role called shop_owner how do I map a user with that role to a specific shop (for example).
Is this something that keycloak has defined structures for? How can I achieve such a structure with keycloak and with/without using the keycloak authorization/resource services? Looking forward to some constructive discussions and some answers to the basic issues I have. Regards, Avinash From sthorger at redhat.com Tue Dec 20 07:17:17 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 20 Dec 2016 13:17:17 +0100 Subject: [keycloak-user] New Device Sign-in Notifications? In-Reply-To: <1482188222.13800.1.camel@redhat.com> References: <1482188222.13800.1.camel@redhat.com> Message-ID: We don't have support for this at the moment. Would be nice to have it OOTB though. Would be hard to do properly with a custom extension as it's not just a custom authentication flow, the account management console should also have support. Might even want to do different auth flows for a known device (no OTP for example) and an unknown device. On 19 December 2016 at 23:57, Josh Cain wrote: > Hi all, > > We're looking to start sending out new device sign-in notifications > from our Keycloak IDP. Is this a feature that's supported OOTB? I > combed through the docs and Jira and all I could find was KEYCLOAK-242[0]. > > If it's not supported, can I implement a la Google[1]? > > [0] https://issues.jboss.org/browse/KEYCLOAK-242 > [1] http://googlesystem.blogspot.com/2015/05/google-sends-email-notifications-for.html > > -- > Josh Cain | Software Applications Engineer > Identity and Access Management > Red Hat > +1 256-452-0150 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jcain at redhat.com Tue Dec 20 09:46:53 2016 From: jcain at redhat.com (Josh Cain) Date: Tue, 20 Dec 2016 08:46:53 -0600 Subject: [keycloak-user] New Device Sign-in Notifications?
In-Reply-To: References: <1482188222.13800.1.camel@redhat.com> Message-ID: <1482245213.13800.9.camel@redhat.com> Sounds good, created KEYCLOAK-4124[0] to track it. Will continue discussions on specifics there. [0] https://issues.jboss.org/browse/KEYCLOAK-4124 On Tue, 2016-12-20 at 13:17 +0100, Stian Thorgersen wrote: > We don't have support for this at the moment. Would be nice to have > it OOTB though. > > Would be hard to do properly with a custom extension as it's not just > a custom authentication flow, the account management console should > also have support. Might even want to do different auth flows for a > known device (no OTP for example) and an unknown device. > > On 19 December 2016 at 23:57, Josh Cain wrote: > > Hi all, > > > > We're looking to start sending out new device sign-in notifications > > from our Keycloak IDP. Is this a feature that's supported OOTB? I > > combed through the docs and Jira and all I could find was KEYCLOAK-242[0]. > > > > If it's not supported, can I implement a la Google[1]? > > > > [0] https://issues.jboss.org/browse/KEYCLOAK-242 > > [1] http://googlesystem.blogspot.com/2015/05/google-sends-email-notifications-for.html > > > > -- > > Josh Cain | Software Applications Engineer > > Identity and Access Management > > Red Hat > > +1 256-452-0150 > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From jcain at redhat.com Tue Dec 20 09:51:43 2016 From: jcain at redhat.com (Josh Cain) Date: Tue, 20 Dec 2016 08:51:43 -0600 Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production? In-Reply-To: References: Message-ID: <1482245503.13800.11.camel@redhat.com> Hi Raghu, I can say that Red Hat (access.redhat.com, developers.redhat.com, etc.) uses RH-SSO (the enterprise bits for Keycloak), and it has done very well overall as a solution.
If you're wanting to know more about enterprise level support, I'd contact sales and strongly consider RH-SSO over Keycloak. -- Josh Cain | Software Applications Engineer Identity and Access Management Red Hat +1 256-452-0150 On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote: > We are evaluating Keycloak as SSO solution for our retail application > and > we would like to know if there are any clients using Keycloak SSO > solution > in their production? It would give us a lot of confidence if we know > that > someone is already using it in their production. > > > Thanks, > Deep > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From cmoullia at redhat.com Tue Dec 20 11:23:31 2016 From: cmoullia at redhat.com (Charles Moulliard) Date: Tue, 20 Dec 2016 17:23:31 +0100 Subject: [keycloak-user] JWT - Signature Verification Failure Message-ID: Hi, Is there a workaround, when we use Keycloak 1.9.4, to prevent the client that verifies the certificate of the JWT from issuing this error: WARNING: JWT decode failure java.lang.RuntimeException: Signature verification failed at io.vertx.ext.auth.jwt.impl.JWT.decode(JWT.java:200) at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.authenticate(JWTAuthProviderImpl.java:84) if (!crypto.verify(base64urlDecode(signatureSeg), signingInput.getBytes(UTF8))) { throw new RuntimeException("Signature verification failed"); } Is it because the token is not base64? Regards, Charles Moulliard Sr. Pr.
Software Engineer @redhat cmoulliard at redhat.com | work: +31 205 65 12 84 | mobile: +32 473 60 40 14 Twitter: @cmoulliard | blog: cmoulliard.github.io committer: apache camel, karaf, servicemix, hawtio, fabric8, drools, jbpm, deltaspike From ruiwp_93 at hotmail.com Tue Dec 20 12:00:49 2016 From: ruiwp_93 at hotmail.com (ruiwp13) Date: Tue, 20 Dec 2016 10:00:49 -0700 (MST) Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> References: <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> Message-ID: <1482253249853-2067.post@n6.nabble.com> Bill Burke wrote > On 12/19/16 11:32 AM, ruiwp13 wrote: >> Bill Burke wrote >>> I looked at the image, specifically the @Path("/login") JAX-RS method. >>> What you are attempting will just not work. Period. I don't think you >>> understand how basic servlet, JAX-RS, and HTTP works along with how OpenID >>> Connect works. OpenID Connect (and SAML) require browser >>> redirects. In looking at your code, you're expecting authenticate() to >>> redirect the browser to keycloak, have the user login, then redirect >>> back. This just doesn't do what you expect. And it shouldn't. >>> Calling servletRequest.authenticate() sets a 302 response with a >>> Location header pointing back to the server. That's it... You >>> actually override what authenticate() did by returning a JAX-RS >>> response. >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at .jboss >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> Thank you for the answer Bill, >> >> It does redirect me to keycloak login page and then back to my login >> page. >> The redirect back is managed by keycloak. It redirects back to the >> application after login.
It may have something wrong when I do the >> authenticate(), but it does redirect me to Keycloak login page. If I knew >> how everything worked I wouldn't be here asking for help eheh. I came here to >> know what I was doing wrong or if it was a keycloak problem. >> >> What is the correct way to do it then? > I'm not sure what you mean by "Login without Keycloak Login Page". Is > this a browser application? If so, I strongly suggest you use our > adapter and Keycloak Login pages. Login pages can be stylized however > you want. You are not using our adapter as it was intended to be used > so we just can't help you. You're on your own. > > You can do a login without keycloak login pages, but this flow is for > REST clients only, not browser applications. Use direct grant [1] to > obtain a token. Here's a crude example [2] Sorry there isn't better > docs on this. > > [1] https://tools.ietf.org/html/rfc6749#section-4.3 > [2] > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at .jboss > https://lists.jboss.org/mailman/listinfo/keycloak-user Is there no possibility of invalidating the token or at least setting its expiration to "now" when the user logs out? Now, when I log out I get the backchannel logout request from keycloak but the token is still valid. I am able to access the secured pages even though the session in keycloak has ended. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2067.html Sent from the keycloak-user mailing list archive at Nabble.com. From deepu.laghuvaram at gmail.com Tue Dec 20 13:16:40 2016 From: deepu.laghuvaram at gmail.com (Raghu Laghuvaram) Date: Tue, 20 Dec 2016 13:16:40 -0500 Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production?
In-Reply-To: <1482245503.13800.11.camel@redhat.com> References: <1482245503.13800.11.camel@redhat.com> Message-ID: Josh Cain, Thanks for your response. If possible, would you be able to let us know if there are any clients (retail) using RH-SSO in production other than Red Hat? And coming to RH-SSO, I don't see an option for evaluating it, I think I need to contact sales even for that. I will talk to my leadership and proceed further. Thanks, Deep. On Tue, Dec 20, 2016 at 9:51 AM, Josh Cain wrote: > Hi Raghu, > > I can say that Red Hat (access.redhat.com, developers.redhat.com, etc.) > uses RH-SSO (the enterprise bits for Keycloak), and it has done very > well overall as a solution. > > If you're wanting to know more about enterprise level support, I'd > contact sales and strongly consider RH-SSO over Keycloak. > > -- > Josh Cain | Software Applications Engineer > Identity and Access Management > Red Hat > +1 256-452-0150 > > On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote: > > We are evaluating Keycloak as SSO solution for our retail application > > and > > we would like to know if there are any clients using Keycloak SSO > > solution > > in their production? It would give us a lot of confidence if we know > > that > > someone is already using it in their production. > > > > > > Thanks, > > Deep > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From tsdgcc2087 at outlook.com Tue Dec 20 13:28:28 2016 From: tsdgcc2087 at outlook.com (Matt H) Date: Tue, 20 Dec 2016 18:28:28 +0000 Subject: [keycloak-user] Sessions vs Tokens In-Reply-To: References: , Message-ID: It is a spring boot application, so server side. Is there any way to change it to force a token to be sent on each call?
________________________________ From: Stian Thorgersen Sent: Monday, December 19, 2016 2:22 AM To: Matt H Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Sessions vs Tokens Depends on the app type. If it's a server-side web application it's secured with a cookie, but if it's a client-side application or a remote service it's secured by passing the token. On 14 December 2016 at 20:18, Matt H > wrote: I'm not sure how best to describe this but I have seen times when I called a secured endpoint (secured with spring security adapter) but a token was not passed and I was able to gain access. The first time I went to a secured endpoint I had to log into keycloak to authenticate, but then on each request, only a session id was passed and no JWT. Is this the standard behavior? If there is no JWT, where are the claims read from? Matt _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Tue Dec 20 13:29:07 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 20 Dec 2016 13:29:07 -0500 Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: <1482253249853-2067.post@n6.nabble.com> References: <1481899179398-2017.post@n6.nabble.com> <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> <1482253249853-2067.post@n6.nabble.com> Message-ID: On 12/20/16 12:00 PM, ruiwp13 wrote: > Bill Burke wrote >> On 12/19/16 11:32 AM, ruiwp13 wrote: >>> Bill Burke wrote >>>> I looked at the image, specifically the @Path("/login") JAX-RS method. >>>> What you are attempting will just not work. Period. I don't think you >>>> understand how basic servlet, JAX-RS, and HTTP works along with how OpenID >>>> Connect works.
OpenID Connect (and SAML) require browser >>>> redirects. In looking at your code, you're expecting authenticate() to >>>> redirect the browser to keycloak, have the user login, then redirect >>>> back. This just doesn't do what you expect. And it shouldn't. >>>> Calling servletRequest.authenticate() sets a 302 response with a >>>> Location header pointing back to the server. That's it... You >>>> actually override what authenticate() did by returning a JAX-RS >>>> response. >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at .jboss >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> Thank you for the answer Bill, >>> >>> It does redirect me to keycloak login page and then back to my login >>> page. >>> The redirect back is managed by keycloak. It redirects back to the >>> application after login. It may have something wrong when I do the >>> authenticate(), but it does redirect me to Keycloak login page. If I knew >>> how everything worked I wouldn't be here asking for help eheh. I came here to >>> know what I was doing wrong or if it was a keycloak problem. >>> >>> What is the correct way to do it then? >> I'm not sure what you mean by "Login without Keycloak Login Page". Is >> this a browser application? If so, I strongly suggest you use our >> adapter and Keycloak Login pages. Login pages can be stylized however >> you want. You are not using our adapter as it was intended to be used >> so we just can't help you. You're on your own. >> >> You can do a login without keycloak login pages, but this flow is for >> REST clients only, not browser applications. Use direct grant [1] to >> obtain a token. Here's a crude example [2] Sorry there isn't better >> docs on this.
>> >> [1] https://tools.ietf.org/html/rfc6749#section-4.3 >> [2] >> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at .jboss >> https://lists.jboss.org/mailman/listinfo/keycloak-user > Is there no possibility of invalidating the token or at least setting its > expiration to "now" when the user logs out? > Now, when I log out I get the backchannel logout request from keycloak but > the token is still valid. I am able to access the secured pages even though > the session in keycloak has ended. Are you still doing your *hack* approach? HttpServletRequest.getSession().invalidate() might work. Like I said before, if you insist on doing things your own way and in a way that was not intended for the adapter to work, there's not much we can help you with. Bill From mrrothstein at gmail.com Tue Dec 20 22:20:45 2016 From: mrrothstein at gmail.com (Steve Chernyak) Date: Tue, 20 Dec 2016 22:20:45 -0500 Subject: [keycloak-user] Create user with roles using java client In-Reply-To: References: Message-ID: I would really appreciate some help with this... Am I missing something in the documentation? I can't find anything that describes this process in detail. It also doesn't appear that the password I'm using during the creation process is honored either. I have to change the password through the console to get the login to work. Is there a specific set of attributes that are used for the user creation process while others are ignored? Is there anything that documents the correct way to do what I'm trying?
Thanks On Sat, Dec 17, 2016 at 11:59 PM, Steve Chernyak wrote: > Hello, > > I'm trying to create a user associated with a role: > > CredentialRepresentation credential = new CredentialRepresentation(); > credential.setType(CredentialRepresentation.PASSWORD); > credential.setValue(password); > UserRepresentation user = new UserRepresentation(); > user.setUsername(email.getAddress()); > user.setCredentials(Arrays.asList(credential)); > user.setRealmRoles(Arrays.asList(someRole)); > Response response = kc.realm(appRealm).users().create(user); > > The response status is the expected 201 and I can see the user in the > realm through the admin console. However, the user is not associated with > "someRole"... > > I'm not sure what I'm missing... > > How should I go about creating a user associated with a role > programmatically? > > Thanks > From mrrothstein at gmail.com Tue Dec 20 22:26:56 2016 From: mrrothstein at gmail.com (Steve Chernyak) Date: Tue, 20 Dec 2016 22:26:56 -0500 Subject: [keycloak-user] Create user with roles using java client In-Reply-To: References: Message-ID: Forgot to mention, I did set the enabled attribute. Current version: CredentialRepresentation credential = new CredentialRepresentation(); credential.setType(CredentialRepresentation.PASSWORD); credential.setValue(password); UserRepresentation user = new UserRepresentation(); user.setUsername(email.getAddress()); user.setEmail(email.getAddress()); user.setCredentials(Arrays.asList(credential)); user.setRealmRoles(Arrays.asList(Role.OWNER.authority())); user.setEnabled(true); Response response = kc.realm(appRealm).users().create(user); On Tue, Dec 20, 2016 at 10:20 PM, Steve Chernyak wrote: > I would really appreciate some help with this... > > Am I missing something in the documentation? I can't find anything that > describes this process in detail. > > It also doesn't appear that the password I'm using during the creation > process is honored either.
I have to change the password through the > console to get the login to work. > > Is there a specific set of attributes that are used for the user creation > process while others are ignored? Is there anything that documents the > correct way to do what I'm trying? > > Thanks > > On Sat, Dec 17, 2016 at 11:59 PM, Steve Chernyak > wrote: > >> Hello, >> >> I'm trying to create a user associated with a role: >> >> CredentialRepresentation credential = new CredentialRepresentation(); >> credential.setType(CredentialRepresentation.PASSWORD); >> credential.setValue(password); >> UserRepresentation user = new UserRepresentation(); >> user.setUsername(email.getAddress()); >> user.setCredentials(Arrays.asList(credential)); >> user.setRealmRoles(Arrays.asList(someRole)); >> Response response = kc.realm(appRealm).users().create(user); >> >> The response status is the expected 201 and I can see the user in the >> realm through the admin console. However, the user is not associated with >> "someRole"... >> >> I'm not sure what I'm missing... >> >> How should I go about creating a user associated with a role >> programmatically? >> >> Thanks >> > > From sthorger at redhat.com Wed Dec 21 00:46:37 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 21 Dec 2016 06:46:37 +0100 Subject: [keycloak-user] Sessions vs Tokens In-Reply-To: References: Message-ID: You can't force the browser to send a header so using a cookie is the only way for a server-side web app. On 20 December 2016 at 19:28, Matt H wrote: > It is a spring boot application, so server side. Is there any way to > change it to force a token to be sent on each call? > > > ------------------------------ > *From:* Stian Thorgersen > *Sent:* Monday, December 19, 2016 2:22 AM > *To:* Matt H > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Sessions vs Tokens > > Depends on the app type.
If it's a server-side web application it's > secured with a cookie, but if it's a client-side application or a remote > service it's secured by passing the token. > > On 14 December 2016 at 20:18, Matt H wrote: > >> I'm not sure how best to describe this but I have seen times when I >> called a secured endpoint (secured with spring security adapter) but a >> token was not passed and I was able to gain access. The first time I went >> to a secured endpoint I had to log into keycloak to authenticate, but then >> on each request, only a session id was passed and no JWT. Is this the >> standard behavior? If there is no JWT, where are the claims read from? >> >> >> Matt >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sthorger at redhat.com Wed Dec 21 00:55:01 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 21 Dec 2016 06:55:01 +0100 Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production? In-Reply-To: References: <1482245503.13800.11.camel@redhat.com> Message-ID: You can evaluate RH-SSO without contacting sales. It's available at http://access.redhat.com/. Sales may be able to give you some customer references if you ask them. FYI RH-SSO 7.0.0.GA is based on Keycloak 1.9.8.Final, while RH-SSO 7.1.0.GA will be based on Keycloak 2.5.z.Final. On 20 December 2016 at 19:16, Raghu Laghuvaram wrote: > Josh Cain, > Thanks for your response. If possible, would you be able to let us > know if there are any clients (retail) using RH-SSO in production other than Red > Hat? And coming to RH-SSO, I don't see an option for evaluating it, I think > I need to contact sales even for that. I will talk to my leadership and > proceed further. > > Thanks, > Deep.
> > On Tue, Dec 20, 2016 at 9:51 AM, Josh Cain wrote: > > > Hi Raghu, > > > > I can say that Red Hat (access.redhat.com, developers.redhat.com, etc.) > > uses RH-SSO (the enterprise bits for Keycloak), and it has done very > > well overall as a solution. > > > > If you're wanting to know more about enterprise level support, I'd > > contact sales and strongly consider RH-SSO over Keycloak. > > > > -- > > Josh Cain | Software Applications Engineer > > Identity and Access Management > > Red Hat > > +1 256-452-0150 > > > > On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote: > > > We are evaluating Keycloak as SSO solution for our retail application > > > and > > > we would like to know if there are any clients using Keycloak SSO > > > solution > > > in their production? It would give us a lot of confidence if we know > > > that > > > someone is already using it in their production. > > > > > > > > > Thanks, > > > Deep > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ruiwp_93 at hotmail.com Wed Dec 21 03:21:44 2016 From: ruiwp_93 at hotmail.com (ruiwp13) Date: Wed, 21 Dec 2016 01:21:44 -0700 (MST) Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: References: <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> <1482253249853-2067.post@n6.nabble.com> Message-ID: <1482308504835-2075.post@n6.nabble.com> Bill Burke wrote > On 12/20/16 12:00 PM, ruiwp13 wrote: >> Bill Burke wrote >>> On 12/19/16 11:32 AM, ruiwp13 wrote: >>>> Bill Burke wrote >>>>> I looked at the image,
specifically the @Path("/login") JAX-RS method. >>>>> What you are attempting will just not work. Period. I don't think >>>>> you >>>>> understand how basic servlet, JAX-RS, and HTTP works along with how >>>>> OpenID >>>>> Connect works. OpenID Connect (and SAML) require browser >>>>> redirects. In looking at your code, you're expecting authenticate() >>>>> to >>>>> redirect the browser to keycloak, have the user login, then redirect >>>>> back. This just doesn't do what you expect. And it shouldn't. >>>>> Calling servletRequest.authenticate() sets a 302 response with a >>>>> Location header pointing back to the server. That's it... You >>>>> actually override what authenticate() did by returning a JAX-RS >>>>> response. >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at .jboss >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> Thank you for the answer Bill, >>>> >>>> It does redirect me to keycloak login page and then back to my login >>>> page. >>>> The redirect back is managed by keycloak. It redirects back to the >>>> application after login. It may have something wrong when I do the >>>> authenticate(), but it does redirect me to Keycloak login page. If I >>>> knew >>>> how everything worked I wouldn't be here asking for help eheh. I came here >>>> to >>>> know what I was doing wrong or if it was a keycloak problem. >>>> >>>> What is the correct way to do it then? >>> I'm not sure what you mean by "Login without Keycloak Login Page". Is >>> this a browser application? If so, I strongly suggest you use our >>> adapter and Keycloak Login pages. Login pages can be stylized however >>> you want. You are not using our adapter as it was intended to be used >>> so we just can't help you. You're on your own. >>> >>> You can do a login without keycloak login pages, but this flow is for >>> REST clients only, not browser applications. Use direct grant [1] to >>> obtain a token.
Here's a crude example [2] Sorry there isn't better >>> docs on this. >>> >>> [1] https://tools.ietf.org/html/rfc6749#section-4.3 >>> [2] >>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at .jboss >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> Is there no possibility of invalidating the token or at least setting its >> expiration to "now" when the user logs out? >> Now, when I log out I get the backchannel logout request from keycloak but >> the token is still valid. I am able to access the secured pages even >> though >> the session in keycloak has ended. > Are you still doing your *hack* approach? > HttpServletRequest.getSession().invalidate() might work. Like I said > before, if you insist on doing things your own way and in a way that was > not intended for the adapter to work, there's not much we can help you > with. > > Bill > _______________________________________________ > keycloak-user mailing list > keycloak-user at .jboss > https://lists.jboss.org/mailman/listinfo/keycloak-user Hello Bill, Well, not sure if it is a hack approach. I want to log in through REST without having to be redirected to keycloak login page because there is a part where there will be no browser interaction. At the moment, I am logging in with authorization code flow through HTTP GETs and POSTs and scraping the login form to get the code & state. I also send the client_session_state containing the HttpServletRequest.getSession().getId(). To log out I am making a POST call to the logout endpoint sending the refresh_token and the client_id and client_secret. Is this the right way to do it? Otherwise how am I supposed to log out without a browser, in a servlet?
-- View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2075.html Sent from the keycloak-user mailing list archive at Nabble.com. From mark.schaefer at markschaefer.de Wed Dec 21 03:26:42 2016 From: mark.schaefer at markschaefer.de (mark) Date: Wed, 21 Dec 2016 01:26:42 -0700 (MST) Subject: [keycloak-user] ECP example? In-Reply-To: <1476789125.2477.59.camel@redhat.com> References: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp> <1476789125.2477.59.camel@redhat.com> Message-ID: <1482308802453-2076.post@n6.nabble.com> Pedro Igor Craveiro e Silva wrote > We do have some very basic support for ECP on the SP side. The > implementation is really specific to Openstack use case and > requirements. > > This capability is not advertised in any doc as we don't want people > using it. In Keycloak we have some tests [1] for SAML ECP that use this > stuff, but that is all. Just to make sure our IdP is aligned with > Openstack. Are there any plans for more ECP Support? I am just evaluating Keycloak and made good progress with browser based applications but we will also need ECP. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-ECP-example-tp1184p2076.html Sent from the keycloak-user mailing list archive at Nabble.com. From sthorger at redhat.com Wed Dec 21 04:09:32 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 21 Dec 2016 10:09:32 +0100 Subject: [keycloak-user] Login without Keycloak Login Page In-Reply-To: <1482308504835-2075.post@n6.nabble.com> References: <1482138058070-2031.post@n6.nabble.com> <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> <1482253249853-2067.post@n6.nabble.com> <1482308504835-2075.post@n6.nabble.com> Message-ID: That's an extremely bad hack! 
The authorization code flow is a redirect-based flow and should not be used in this way. Please use the real login page as recommended. Alternatively use resource owner password grant (direct grant in Keycloak). With direct grants you can only invalidate the refresh token, not the session or access token, so you should have a short lifespan on your access tokens. On 21 December 2016 at 09:21, ruiwp13 wrote: > Bill Burke wrote > > On 12/20/16 12:00 PM, ruiwp13 wrote: > >> Bill Burke wrote > >>> On 12/19/16 11:32 AM, ruiwp13 wrote: > >>>> Bill Burke wrote > >>>>> I looked at the image, specifically the @Path("/login") JAX-RS > method. > >>>>> What you are attempting will just not work. Period. I don't think > >>>>> you > >>>>> understand how basic servlet, JAX-RS, and HTTP works along with how > >>>>> OpenID > >>>>> Connect works. OpenID Connect (and SAML) require browser > >>>>> redirects. In looking at your code, you're expecting authenticate() > >>>>> to > >>>>> redirect the browser to keycloak, have the user login, then redirect > >>>>> back. This just doesn't do what you expect. And it shouldn't. > >>>>> Calling servletRequest.authenticate() sets a 302 response with a > >>>>> Location header pointing back to the server. That's it... You > >>>>> actually override what authenticate() did by returning a JAX-RS > >>>>> response. > >>>>> _______________________________________________ > >>>>> keycloak-user mailing list > >>>>> keycloak-user at .jboss > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> Thank you for the answer Bill, > >>>> > >>>> It does redirect me to keycloak login page and then back to my login > >>>> page. > >>>> The redirect back is managed by keycloak. It redirects back to the > >>>> application after login. It may have something wrong when I do the > >>>> authenticate(), but it does redirect me to Keycloak login page. If I > >>>> knew > >>>> how everything worked I wouldn't be here asking for help eheh.
> >>>> I came here to know what I was doing wrong or if it was a keycloak
> >>>> problem.
> >>>>
> >>>> What is the correct way to do it then?
> >>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
> >>> this a browser application? If so, I strongly suggest you use our
> >>> adapter and Keycloak login pages. Login pages can be stylized however
> >>> you want. You are not using our adapter as it was intended to be used,
> >>> so we just can't help you. You're on your own.
> >>>
> >>> You can do a login without keycloak login pages, but this flow is for
> >>> REST clients only, not browser applications. Use direct grant [1] to
> >>> obtain a token. Here's a crude example [2]. Sorry there aren't better
> >>> docs on this.
> >>>
> >>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
> >>> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> >> Is there no possibility of invalidating the token or, at least, setting its
> >> expiration to "now" when the user logs out?
> >> Now, when I log out I get the backchannel logout request from keycloak, but
> >> the token is still valid. I am able to access the secured pages even though
> >> the session in keycloak has ended.
> > Are you still doing your *hack* approach?
> > HttpServletRequest.getSession().invalidate() might work. Like I said
> > before, if you insist on doing things your own way and in a way that was
> > not intended for the adapter to work, there's not much we can help you
> > with.
> >
> > Bill
>
> Hello Bill,
>
> Well, not sure if it is a hack approach. I want to log in through REST
> without having to be redirected to the keycloak login page because there is a
> part where there will be no browser interaction.
> At the moment, I am logging in with the authorization code flow through HTTP
> GETs and POSTs and scraping the login form to get the code & state. I also
> send the client_session_state containing the
> HttpServletRequest.getSession().getId()
> To log out I am making a POST call to the logout endpoint sending the
> refresh_token and the client_id and client_secret.
>
> Is this the right way to do it?
> Otherwise how am I supposed to log out without a browser, in a servlet?

From ruiwp_93 at hotmail.com Wed Dec 21 04:24:50 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Wed, 21 Dec 2016 02:24:50 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To:
References: <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> <1482253249853-2067.post@n6.nabble.com> <1482308504835-2075.post@n6.nabble.com>
Message-ID: <1482312290701-2078.post@n6.nabble.com>

stianst wrote
> That's an extremely bad hack! The authorization code flow is a
> redirect-based flow and should not be used in this way.
>
> Please use the real login page as recommended.
> Alternatively use the resource owner password grant (direct grant in
> Keycloak). With direct grants you can only invalidate the refresh token,
> not the session or access token, so you should have a short lifespan on
> your access tokens.
OK, thank you.

Well stianst, it is a bad hack, but I am getting the callback from keycloak
to my server. I receive the {Admin URL}/k_logout call. Why doesn't it
invalidate the token as well? When I tried the browser redirect login it did
log me out of the app and I had to log in again in the browser to access
secured pages, but I still could use the token anyway. The token was not
invalidated.
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2078.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From sthorger at redhat.com Wed Dec 21 04:38:57 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Dec 2016 10:38:57 +0100
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To: <1482312290701-2078.post@n6.nabble.com>
References: <1482138930709-2033.post@n6.nabble.com> <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> <1482253249853-2067.post@n6.nabble.com> <1482308504835-2075.post@n6.nabble.com> <1482312290701-2078.post@n6.nabble.com>
Message-ID:

Sorry, but I just can't spend time on figuring out what's going wrong when
you are doing something bad.

On 21 December 2016 at 10:24, ruiwp13 wrote:
> OK, thank you.
>
> Well stianst, it is a bad hack, but I am getting the callback from keycloak
> to my server. I receive the {Admin URL}/k_logout call. Why doesn't it
> invalidate the token as well? When I tried the browser redirect login it did
> log me out of the app and I had to log in again in the browser to access
> secured pages, but I still could use the token anyway. The token was not
> invalidated.

From sthorger at redhat.com Wed Dec 21 04:41:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Dec 2016 10:41:49 +0100
Subject: [keycloak-user] Security proxy not supporting policy enforcement
In-Reply-To:
References:
Message-ID:

It's not intentionally not supporting it, it just hasn't been implemented yet.
Not sure when/if we will have a chance to do that though. We're not 100% sure
at this point if we are going to invest in the security proxy or deprecate it
in favor of something else.
On 16 December 2016 at 07:45, Manfred Duchrow wrote:
> Hi,
>
> is the keycloak security proxy intentionally not supporting the policy
> enforcement (i.e. authorization services), or is it a bug?
>
> With an activated policy-enforcer I'm getting an exception at startup of
> the security proxy:
>
> Exception in thread "main" java.lang.reflect.InvocationTargetException
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.keycloak.Launcher.main(Launcher.java:81)
> Caused by: java.lang.NoClassDefFoundError: org/keycloak/authorization/client/Configuration
>         at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:56)
>         at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:126)
>         at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:152)
>         at org.keycloak.proxy.ProxyServerBuilder$ApplicationBuilder.<init>(ProxyServerBuilder.java:164)
>
> Obviously the library 'keycloak-authz-client-2.4.0.Final.jar' is missing
> in the bundle keycloak-proxy-2.4.0.Final.zip.
> Should I open a Jira bug?
>
> Workaround: just copy the keycloak-authz-client-2.4.0.Final.jar from
> another bundle into the lib folder of the security proxy.
>
> Regards,
> Manfred

From ruiwp_93 at hotmail.com Wed Dec 21 04:48:18 2016
From: ruiwp_93 at hotmail.com (ruiwp13)
Date: Wed, 21 Dec 2016 02:48:18 -0700 (MST)
Subject: [keycloak-user] Login without Keycloak Login Page
In-Reply-To:
References: <1482141760933-2036.post@n6.nabble.com> <1482165156177-2045.post@n6.nabble.com> <2a20c26d-826c-937c-8a5f-5b9e60ce1198@redhat.com> <1482253249853-2067.post@n6.nabble.com> <1482308504835-2075.post@n6.nabble.com> <1482312290701-2078.post@n6.nabble.com>
Message-ID: <1482313698415-2081.post@n6.nabble.com>

stianst wrote
> Sorry, but I just can't spend time on figuring out what's going wrong when
> you are doing something bad.
I'm sorry, but before this "hack" I used the adapter correctly with the
browser redirect and the token wasn't invalidated. That is what I am saying.
The browser session ended, the cookies and JSESSION were cleaned and I had to
log in again to access secure pages. But if I copied the token to POSTMAN and
made a request I was able to access secure pages through REST anyway.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2081.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From fabian.eriksson at gi-de.com Wed Dec 21 05:24:51 2016
From: fabian.eriksson at gi-de.com (Eriksson Fabian)
Date: Wed, 21 Dec 2016 10:24:51 +0000
Subject: [keycloak-user] Brute force detector extension
Message-ID:

Hi all!

We would like to have the ability to configure the brute force detector so it
can disable a user account completely after X failed attempts and not only
lock him/her out for a period of time (setting the lockout-time to a few years
is not enough). In the end we would like the admins of KeyCloak to be able to
set a timed lockout period or set a permanent one for different realms. I
guess this would also require the detector to reset the failed-login-attempts
count on a successful login.

Does this sound interesting, and could this then be something that we could
contribute to KeyCloak? Or is there a way to substitute the already existing
brute force detector?

Thanks in advance!
Fabian Eriksson

From adilelfahmi at gmail.com Wed Dec 21 05:26:22 2016
From: adilelfahmi at gmail.com (Harits Elfahmi)
Date: Wed, 21 Dec 2016 17:26:22 +0700
Subject: [keycloak-user] Externalising session storage in keycloak in 1.9.4.Final
Message-ID:

Hello,

I'm trying something similar to this:
http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html, but
it seems it doesn't work with the 1.9.4.Final docker version. Any
configuration changes? I'm using docker + kubernetes if that helps.

--
Cheers,

*Harits* Elfahmi

From sthorger at redhat.com Wed Dec 21 06:00:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Dec 2016 12:00:26 +0100
Subject: [keycloak-user] Externalising session storage in keycloak in 1.9.4.Final
In-Reply-To:
References:
Message-ID:

The JPA user session provider was removed a long time ago (see the migration
guide for details). We also do not support 1.9.4 anymore.

On 21 December 2016 at 11:26, Harits Elfahmi wrote:
> Hello,
>
> I'm trying something similar to this:
> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html, but
> it seems it doesn't work with the 1.9.4.Final docker version. Any
> configuration changes? I'm using docker + kubernetes if that helps.
>
> --
> Cheers,
>
> *Harits* Elfahmi

From niko at n-k.de Wed Dec 21 06:35:06 2016
From: niko at n-k.de (Niko Köbler)
Date: Wed, 21 Dec 2016 12:35:06 +0100
Subject: [keycloak-user] Info about locked user at login?
In-Reply-To: <3EE3CB85-F915-476F-ABD9-69303579543F@n-k.de>
References: <3EE3CB85-F915-476F-ABD9-69303579543F@n-k.de>
Message-ID: <87CC651C-EA46-4DEE-BDBF-46795B385E4B@n-k.de>

No answer at all?
No general "no" or "yes, it's possible"?
> On 20.12.2016 at 07:50, Niko Köbler wrote:
>
> Hi all,
>
> is there a possibility to show at the login form that the current user
> trying to log in is locked/disabled due to brute force settings?
> I understand that this is also a security issue to show that the user is
> (temporarily) locked, b/c then you know that the user exists.
> But anyway, is there a possibility to show this information? And if yes,
> how do I configure/implement it?
>
> Thanks,
> - Niko

From ugur.kolip at gmail.com Wed Dec 21 06:50:26 2016
From: ugur.kolip at gmail.com (uğur kolip)
Date: Wed, 21 Dec 2016 14:50:26 +0300
Subject: [keycloak-user] spring boot protected resource not effect until restart
In-Reply-To:
References:
Message-ID:

Hi,

In the KeycloakSpringBootConfigResolver class:

    @Override
    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        // Return the deployment built on the first call; it is never rebuilt.
        if (keycloakDeployment != null) {
            return keycloakDeployment;
        }
        keycloakDeployment = KeycloakDeploymentBuilder.build(KeycloakSpringBootConfigResolver.adapterConfig);
        return keycloakDeployment;
    }

I am not sure, but this code is used to avoid instantiating the same thing
again. When I create a protected resource, the policy enforcer paths should
change and the new path should be added. But I think, because of this code,
keycloakDeployment does not change and the new path is not added (when I
try to run
keycloakDeployment = KeycloakDeploymentBuilder.build(KeycloakSpringBootConfigResolver.adapterConfig);
the path changes). Because of this, the protected resource which I create
does not take effect until the spring boot app restarts. Am I wrong, or
should I add something to change the policy enforcer path?

My target is creating protected resources with the spring boot adapter.
Thanks for helping

2016-12-19 17:38 GMT+03:00 uğur kolip:
> Hi,
> I use keycloak 2.4.0.Final, keycloak-spring-boot-adapter,
> keycloak-tomcat8-adapter, keycloak-authz-client and keycloak-admin-client.
>
> When I create a protected resource, it does not take effect until the spring
> boot app restarts. Is it a bug, or should I do something to make it take
> effect?
>
> Thank you for helping

From matt at woolnough.com.au Wed Dec 21 07:19:16 2016
From: matt at woolnough.com.au (Matthew Woolnough)
Date: Wed, 21 Dec 2016 22:19:16 +1000
Subject: [keycloak-user] Native App Authorization with multiple Identity Providers
Message-ID:

I'm trying to:

1) Use Facebook as an initial Identity Provider for a native app.
2) Have the native app pass its access token back to a service which would
   then retrieve the fb_exchange_token. Another service would then retrieve
   additional information back from Facebook via the approved scopes.
3) Have an option to use LinkedIn to provide additional information about the
   user, so have it as an additional supplemental identity provider.
4) Have the native app pass the token back to a service. Another service would
   retrieve additional information from LinkedIn to supplement the user's
   profile.

I'd like to know how much of this functionality Keycloak can provide. Should I
be using aerogear-ios-oauth2 configured with Facebook and LinkedIn providers,
or configuring aerogear-ios-oauth2 with a keycloak provider & configuring
Facebook and LinkedIn as providers there?

Any assistance appreciated!

mW

From sthorger at redhat.com Wed Dec 21 07:37:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 21 Dec 2016 13:37:25 +0100
Subject: [keycloak-user] Info about locked user at login?
In-Reply-To: <87CC651C-EA46-4DEE-BDBF-46795B385E4B@n-k.de>
References: <3EE3CB85-F915-476F-ABD9-69303579543F@n-k.de> <87CC651C-EA46-4DEE-BDBF-46795B385E4B@n-k.de>
Message-ID:

Or maybe wait until someone has time to answer?

On 21 December 2016 at 12:35, Niko Köbler wrote:
> No answer at all?
> No general "no" or "yes, it's possible"?
>
>
> > On 20.12.2016 at 07:50, Niko Köbler wrote:
> >
> > Hi all,
> >
> > is there a possibility to show at the login form that the current user trying to login is locked/disabled due to brute force settings?
> > I understand that this is also a security issue to show that the user is (temporarily) locked, b/c then you know that the user exists.
> > But anyway, is there a possibility to show this information? And if yes, how do I configure/implement it?
> >
> > Thanks,
> > - Niko

From mstrukel at redhat.com Wed Dec 21 09:45:48 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 21 Dec 2016 15:45:48 +0100 Subject: [keycloak-user] Create user with roles using java client In-Reply-To: References: Message-ID:

You need to set the user's password as a separate step from user creation.

First create a user:

    UserRepresentation user = new UserRepresentation();
    user.setUsername(email.getAddress());
    user.setRealmRoles(Arrays.asList(someRole));

    Response response = kc.realm(appRealm).users().create(user);
    String userId = ApiUtil.getCreatedId(response);
    response.close();

Then set a password:

    CredentialRepresentation cred = new CredentialRepresentation();
    cred.setType(CredentialRepresentation.PASSWORD);
    cred.setValue("password");
    cred.setTemporary(false);

    kc.realm(appRealm).users().get(userId).resetPassword(cred);

On Wed, Dec 21, 2016 at 4:26 AM, Steve Chernyak wrote:
> Forgot to mention, I did set the enabled attribute.
>
> Current version:
>
>         CredentialRepresentation credential = new CredentialRepresentation();
>         credential.setType(CredentialRepresentation.PASSWORD);
>         credential.setValue(password);
>         UserRepresentation user = new UserRepresentation();
>         user.setUsername(email.getAddress());
>         user.setEmail(email.getAddress());
>         user.setCredentials(Arrays.asList(credential));
>         user.setRealmRoles(Arrays.asList(Role.OWNER.authority()));
>         user.setEnabled(true);
>         Response response = kc.realm(appRealm).users().create(user);
>
> On Tue, Dec 20, 2016 at 10:20 PM, Steve Chernyak wrote:
>
> > I would really appreciate some help with this...
> >
> > Am I missing something in the documentation? I can't find anything that describes this process in detail.
> >
> > It also doesn't appear that the password I'm using during the creation process is honored either. I have to change the password through the console to get the login to work.
> >
> > Is there a specific set of attributes that are used for the user creation process while others are ignored? Is there anything that documents the correct way to do what I'm trying?
> >
> > Thanks
> >
> > On Sat, Dec 17, 2016 at 11:59 PM, Steve Chernyak wrote:
> >
> >> Hello,
> >>
> >> I'm trying to create a user associated with a role:
> >>
> >>     CredentialRepresentation credential = new CredentialRepresentation();
> >>     credential.setType(CredentialRepresentation.PASSWORD);
> >>     credential.setValue(password);
> >>     UserRepresentation user = new UserRepresentation();
> >>     user.setUsername(email.getAddress());
> >>     user.setCredentials(Arrays.asList(credential));
> >>     user.setRealmRoles(Arrays.asList(someRole));
> >>     Response response = kc.realm(appRealm).users().create(user);
> >>
> >> The response status is the expected 201 and I can see the user in the realm through the admin console. However, the user is not associated with "someRole"...
> >>
> >> I'm not sure what I'm missing...
> >>
> >> How should I go about creating a user associated with a role programmatically?
> >>
> >> Thanks
> >>
> >
> >

From deepu.laghuvaram at gmail.com Wed Dec 21 10:09:28 2016 From: deepu.laghuvaram at gmail.com (Raghu Laghuvaram) Date: Wed, 21 Dec 2016 10:09:28 -0500 Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production? In-Reply-To: References: <1482245503.13800.11.camel@redhat.com> Message-ID:

Stian Thorgersen,

Thanks for your response and information. You said we can evaluate RH-SSO, but when I go to https://access.redhat.com/downloads/ I don't see a "Start Evaluation" option for Red Hat Single Sign-On. Am I looking in the wrong place?

On Wed, Dec 21, 2016 at 12:55 AM, Stian Thorgersen wrote:
> You can evaluate RH-SSO without contacting sales. It's available at http://access.redhat.com/. Sales may be able to give you some customer references if you ask them.
>
> FYI RH-SSO 7.0.0.GA is based on Keycloak 1.9.8.Final, while RH-SSO 7.1.0.GA will be based on Keycloak 2.5.z.Final.
>
> On 20 December 2016 at 19:16, Raghu Laghuvaram wrote:
>
>> Josh Cain,
>> Thanks for your response. If possible, would you be able to let us know if there are any clients (retail) using RH-SSO in production other than Red Hat? And coming to RH-SSO, I don't see an option for evaluating it; I think I need to contact sales even for that. I will talk to my leadership and proceed further.
>>
>> Thanks,
>> Deep.
>>
>> On Tue, Dec 20, 2016 at 9:51 AM, Josh Cain wrote:
>>
>> > Hi Raghu,
>> >
>> > I can say that Red Hat (access.redhat.com, developers.redhat.com, etc.) uses RH-SSO (the enterprise bits for Keycloak), and it has done very well overall as a solution.
>> >
>> > If you're wanting to know more about enterprise level support, I'd contact sales and strongly consider RH-SSO over Keycloak.
>> >
>> > --
>> > Josh Cain | Software Applications Engineer
>> > Identity and Access Management
>> > Red Hat
>> > +1 256-452-0150
>> >
>> > On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote:
>> > > We are evaluating Keycloak as an SSO solution for our retail application and we would like to know if there are any clients using the Keycloak SSO solution in production. It would give us a lot of confidence if we know that someone is already using it in production.
>> > >
>> > >
>> > > Thanks,
>> > > Deep

From mrrothstein at gmail.com Wed Dec 21 10:19:48 2016 From: mrrothstein at gmail.com (Steve Chernyak) Date: Wed, 21 Dec 2016 10:19:48 -0500 Subject: [keycloak-user] Create user with roles using java client In-Reply-To: References: Message-ID:

Thank You! That ApiUtil class is a gold mine.

On Wed, Dec 21, 2016 at 9:45 AM, Marko Strukelj wrote:
> You need to set the user's password as a separate step from user creation.
>
> First create a user:
>
>     UserRepresentation user = new UserRepresentation();
>     user.setUsername(email.getAddress());
>     user.setRealmRoles(Arrays.asList(someRole));
>
>     Response response = kc.realm(appRealm).users().create(user);
>     String userId = ApiUtil.getCreatedId(response);
>     response.close();
>
> Then set a password:
>
>     CredentialRepresentation cred = new CredentialRepresentation();
>     cred.setType(CredentialRepresentation.PASSWORD);
>     cred.setValue("password");
>     cred.setTemporary(false);
>
>     kc.realm(appRealm).users().get(userId).resetPassword(cred);
>
> On Wed, Dec 21, 2016 at 4:26 AM, Steve Chernyak wrote:
>
>> Forgot to mention, I did set the enabled attribute.
>>
>> Current version:
>>
>>         CredentialRepresentation credential = new CredentialRepresentation();
>>         credential.setType(CredentialRepresentation.PASSWORD);
>>         credential.setValue(password);
>>         UserRepresentation user = new UserRepresentation();
>>         user.setUsername(email.getAddress());
>>         user.setEmail(email.getAddress());
>>         user.setCredentials(Arrays.asList(credential));
>>         user.setRealmRoles(Arrays.asList(Role.OWNER.authority()));
>>         user.setEnabled(true);
>>         Response response = kc.realm(appRealm).users().create(user);
>>
>> On Tue, Dec 20, 2016 at 10:20 PM, Steve Chernyak wrote:
>>
>> > I would really appreciate some help with this...
>> >
>> > Am I missing something in the documentation? I can't find anything that describes this process in detail.
>> >
>> > It also doesn't appear that the password I'm using during the creation process is honored either. I have to change the password through the console to get the login to work.
>> >
>> > Is there a specific set of attributes that are used for the user creation process while others are ignored? Is there anything that documents the correct way to do what I'm trying?
>> >
>> > Thanks
>> >
>> > On Sat, Dec 17, 2016 at 11:59 PM, Steve Chernyak wrote:
>> >
>> >> Hello,
>> >>
>> >> I'm trying to create a user associated with a role:
>> >>
>> >>     CredentialRepresentation credential = new CredentialRepresentation();
>> >>     credential.setType(CredentialRepresentation.PASSWORD);
>> >>     credential.setValue(password);
>> >>     UserRepresentation user = new UserRepresentation();
>> >>     user.setUsername(email.getAddress());
>> >>     user.setCredentials(Arrays.asList(credential));
>> >>     user.setRealmRoles(Arrays.asList(someRole));
>> >>     Response response = kc.realm(appRealm).users().create(user);
>> >>
>> >> The response status is the expected 201 and I can see the user in the realm through the admin console. However, the user is not associated with "someRole"...
>> >>
>> >> I'm not sure what I'm missing...
>> >>
>> >> How should I go about creating a user associated with a role programmatically?
>> >>
>> >> Thanks
>> >>
>> >
>> >

From java at neposoft.com Wed Dec 21 10:48:57 2016 From: java at neposoft.com (java_os) Date: Wed, 21 Dec 2016 10:48:57 -0500 Subject: [keycloak-user] kc2.4 - breaks PK idp brokering to adfs Message-ID: <72128899b3f1be39714680069e84e9da.squirrel@neposoft.com>

Hi,

In KC 2.3 I can establish trust with ADFS by exporting the KC metadata and importing it into ADFS.
With KC 2.4 this breaks. I tried to re-gen the RSA key, export the metadata and import it into ADFS; it fails on this ADFS error:
"ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier"

I'm seeing from the UI perspective that you've added stuff around PK in 2.4, but behind the scenes something breaks on the 'key' or something. So, going back to 2.3, regenerating a new RSA key and exporting the metadata into ADFS works just fine.

Please raise a JIRA with the info above.

thx

From java at neposoft.com Wed Dec 21 10:51:42 2016 From: java at neposoft.com (java_os) Date: Wed, 21 Dec 2016 10:51:42 -0500 Subject: [keycloak-user] kc2.4 - breaks PK idp brokering to adfs In-Reply-To: <72128899b3f1be39714680069e84e9da.squirrel@neposoft.com> References: <72128899b3f1be39714680069e84e9da.squirrel@neposoft.com> Message-ID: <5f3f82e6d45cf0d69579a7bc3120405f.squirrel@neposoft.com>

I should add: to begin with, I upgraded to 2.4 and imported the realm that was working fine on 2.3, and things started to break. I spent time isolating and understanding the issue, and my findings are in the previous email.

> Hi,
> In KC 2.3 I can establish trust with ADFS by exporting the KC metadata and importing it into ADFS.
> With KC 2.4 this breaks. I tried to re-gen the RSA key, export the metadata and import it into ADFS; it fails on this ADFS error:
> "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier"
>
> I'm seeing from the UI perspective that you've added stuff around PK in 2.4, but behind the scenes something breaks on the 'key' or something. So, going back to 2.3, regenerating a new RSA key and exporting the metadata into ADFS works just fine.
> Please raise a JIRA with the info above.
> thx
>

From hmlnarik at redhat.com Wed Dec 21 15:58:13 2016 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Wed, 21 Dec 2016 21:58:13 +0100 Subject: [keycloak-user] kc2.4 - breaks PK idp brokering to adfs In-Reply-To: <5f3f82e6d45cf0d69579a7bc3120405f.squirrel@neposoft.com> References: <72128899b3f1be39714680069e84e9da.squirrel@neposoft.com> <5f3f82e6d45cf0d69579a7bc3120405f.squirrel@neposoft.com> Message-ID:

Will be resolved in 2.5.0: https://issues.jboss.org/browse/KEYCLOAK-4057

On Wed, Dec 21, 2016 at 4:51 PM, java_os wrote:
> I should add: to begin with, I upgraded to 2.4 and imported the realm that was working fine on 2.3, and things started to break. I spent time isolating and understanding the issue, and my findings are in the previous email.
>
> > Hi,
> > In KC 2.3 I can establish trust with ADFS by exporting the KC metadata and importing it into ADFS.
> > With KC 2.4 this breaks. I tried to re-gen the RSA key, export the metadata and import it into ADFS; it fails on this ADFS error:
> > "ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier"
> >
> > I'm seeing from the UI perspective that you've added stuff around PK in 2.4, but behind the scenes something breaks on the 'key' or something. So, going back to 2.3, regenerating a new RSA key and exporting the metadata into ADFS works just fine.
> > Please raise a JIRA with the info above.
> > thx
> >
> >

--
--Hynek

From psilva at redhat.com Wed Dec 21 18:01:30 2016 From: psilva at redhat.com (Pedro Igor) Date: Wed, 21 Dec 2016 21:01:30 -0200 Subject: [keycloak-user] spring boot protected resource not effect until restart In-Reply-To: References: Message-ID:

Yeah, you are right. We don't update paths on the enforcer. Right now, the app must be restarted.
Can you open a JIRA, please? Thanks!

On 12/21/2016 9:51:28 AM, uğur kolip wrote:

Hi,

In the KeycloakSpringBootConfigResolver class:

    @Override
    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        if (keycloakDeployment != null) {
            return keycloakDeployment;
        }
        keycloakDeployment = KeycloakDeploymentBuilder.build(KeycloakSpringBootConfigResolver.adapterConfig);
        return keycloakDeployment;
    }

I am not sure, but this code is used so that the same thing is not instantiated again. When I create a protected resource, the policy enforcer paths should change and the new path should be added. But I think that, because of this code, keycloakDeployment does not change and the new path is not added (when I make keycloakDeployment = KeycloakDeploymentBuilder.build(KeycloakSpringBootConfigResolver.adapterConfig); run, the path changes). Because of this, the protected resource which I create does not take effect until Spring Boot restarts. Am I wrong, or should I add something to change the policy enforcer path? My target is creating protected resources with the Spring Boot adapter.

Thanks for helping

2016-12-19 17:38 GMT+03:00 uğur kolip:
> Hi,
> I use keycloak 2.4.0.Final, keycloak-spring-boot-adapter, keycloak-tomcat8-adapter, keycloak-authz-client and keycloak-admin-client.
>
> When I create a protected resource, it does not take effect until the Spring Boot app restarts. Is it a bug, or should I do something to make it take effect?
>
> Thank you for helping
>

From psilva at redhat.com Wed Dec 21 18:04:24 2016 From: psilva at redhat.com (Pedro Igor) Date: Wed, 21 Dec 2016 21:04:24 -0200 Subject: [keycloak-user] ECP example?
In-Reply-To: <1482308802453-2076.post@n6.nabble.com> References: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp> <1476789125.2477.59.camel@redhat.com> <1482308802453-2076.post@n6.nabble.com> Message-ID: <0df5fb01-07dd-4dfa-937b-12e3b08c0834@getmailbird.com>

Did you try what we have today? It should allow you to obtain SAML assertions using the ECP profile already.

Or do you need something else that we don't yet support from the specs?

Thanks.

On 12/21/2016 6:27:22 AM, mark wrote:

Pedro Igor Craveiro e Silva wrote
> We do have some very basic support for ECP on the SP side. The implementation is really specific to the Openstack use case and requirements.
>
> This capability is not advertised in any doc as we don't want people using it. In Keycloak we have some tests [1] for SAML ECP that use this stuff, but that is all. Just to make sure our IdP is aligned with Openstack.

Are there any plans for more ECP support? I am just evaluating Keycloak and made good progress with browser based applications, but we will also need ECP.

From Dana.Danet at Evisions.com Wed Dec 21 20:27:24 2016 From: Dana.Danet at Evisions.com (Dana Danet) Date: Thu, 22 Dec 2016 01:27:24 +0000 Subject: [keycloak-user] Technical Guidance In-Reply-To: References: <1CDCBEFB-CD05-4537-AB7E-11CC3F97D9BC@evisions.com> Message-ID:

Thank you for responding, and I apologize if my question was misleading; let me try again.

My requirement is to support an SSO IdM/IdP for customers without their own system, ideally in a multi-tenant way, and to support SSO for customers that have on-premise SSO implementations, mostly InCommon.
We have decided to implement Ping as an SP to handshake with the on-premise (InCommon) customers, since these integration points could be more than just InCommon. My thought is that Ping will accept the authN, translate the properties to a grant (SAML2) and forward to Keycloak to create the JWT. I attached an image reflecting this below.

My question is how I would register within Keycloak that AuthN would be handled by Ping, and create a JWT.

[inline image attachment]

On Dec 15, 2016, at 11:41 PM, Stian Thorgersen wrote:

Not quite sure what you're asking here as there seem to be 3 IdPs? Customer IdP, Ping and Keycloak?

On 14 December 2016 at 17:25, Dana Danet wrote:

I just recently introduced KC to a Spring Cloud micro-service environment as the IDM and OAuth manager of JWT tokens. Front end clients are implementing the javascript adapter and backend Spring Boot services are implemented with the Spring Security adapter (not the boot adapter). Our Service Gateway (Zuul) simply passes the token to backend services.

My question is regarding offloading AuthN and IDP to external systems and then brokering to Keycloak for JWT creation. Which would look something like (Customer on premise AuthN) -> Ping -> Keycloak. Ping has been introduced purely as an SP to handle customers' implementations of Shibboleth and InCommon. Initially I was thinking that IDP - Ping SP mapping is all done via Ping and then a canonical SAML exchange to Keycloak.

Is this possible? I would appreciate some guidance here.
-dana

From Dana.Danet at Evisions.com Wed Dec 21 20:37:20 2016 From: Dana.Danet at Evisions.com (Dana Danet) Date: Thu, 22 Dec 2016 01:37:20 +0000 Subject: [keycloak-user] User Search by Attribute Message-ID: <27720D9E-FEF3-4796-9EC1-E3660D4B4E9F@evisions.com>

I am replacing a custom Java-built IdP built in Spring with Keycloak. Initially I was hoping to leverage Realms as a way to separate users across tenants; unfortunately clients cannot be registered across Realms (AFAIK?).

Since I am replacing a user db including some minor attribution with Keycloak, I will need to support fetching users by tenantId. As far as I know this can only be done via user attributes and using client templates to expose those attributes to token primary level objects. My question is: is there a way to leverage the Java Client API to search for realm users belonging to a specific tenantId?

Ideally...

    List users = keycloak.realm("iacuc").users().search("tenantId:<uuid>", , );

or

    List users = keycloak.realm("iacuc").users().search("attribute:tenantId:<uuid>", , );

-dana

From Dana.Danet at Evisions.com Wed Dec 21 20:43:48 2016 From: Dana.Danet at Evisions.com (Dana Danet) Date: Thu, 22 Dec 2016 01:43:48 +0000 Subject: [keycloak-user] User Search by Attribute In-Reply-To: <27720D9E-FEF3-4796-9EC1-E3660D4B4E9F@evisions.com> References: <27720D9E-FEF3-4796-9EC1-E3660D4B4E9F@evisions.com> Message-ID: <543D0695-D522-420B-B6FF-8014297CF64B@evisions.com>

    Users ------ SP (InCommon) ---- Company SSO
                      |
                      |
                      | (saml2)
                      |
                      |
    Users ----------- IdP ---+--------- Keycloak ----- (JWT) ----> service gateway ----> clients/resources

> On Dec 21, 2016, at 5:37 PM, Dana Danet wrote:
>
> I am replacing a custom Java-built IdP built in Spring with Keycloak.
> Initially I was hoping to leverage Realms as a way to separate users across tenants; unfortunately clients cannot be registered across Realms (AFAIK?).
>
> Since I am replacing a user db including some minor attribution with Keycloak, I will need to support fetching users by tenantId. As far as I know this can only be done via user attributes and using client templates to expose those attributes to token primary level objects. My question is: is there a way to leverage the Java Client API to search for realm users belonging to a specific tenantId?
>
> Ideally...
>
>     List users = keycloak.realm("iacuc").users().search("tenantId:<uuid>", , );
>
> or
>
>     List users = keycloak.realm("iacuc").users().search("attribute:tenantId:<uuid>", , );
>
> -dana

From sthorger at redhat.com Thu Dec 22 01:29:36 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Dec 2016 07:29:36 +0100 Subject: [keycloak-user] User Search by Attribute In-Reply-To: <543D0695-D522-420B-B6FF-8014297CF64B@evisions.com> References: <27720D9E-FEF3-4796-9EC1-E3660D4B4E9F@evisions.com> <543D0695-D522-420B-B6FF-8014297CF64B@evisions.com> Message-ID:

No, we don't support searching by attributes at the moment. You could use groups for tenants instead of attributes though. That'd be a better match for what you are doing, and you can look for users belonging to a group already.

On 22 December 2016 at 02:43, Dana Danet wrote:
>
>     Users ------ SP (InCommon) ---- Company SSO
>                       |
>                       |
>                       | (saml2)
>                       |
>                       |
>     Users ----------- IdP ---+--------- Keycloak ----- (JWT) ----> service gateway ----> clients/resources
>
> > On Dec 21, 2016, at 5:37 PM, Dana Danet wrote:
> >
> > I am replacing a custom Java-built IdP built in Spring with Keycloak.
> > Initially I was hoping to leverage Realms as a way to separate users across tenants; unfortunately clients cannot be registered across Realms (AFAIK?).
> >
> > Since I am replacing a user db including some minor attribution with Keycloak, I will need to support fetching users by tenantId. As far as I know this can only be done via user attributes and using client templates to expose those attributes to token primary level objects. My question is: is there a way to leverage the Java Client API to search for realm users belonging to a specific tenantId?
> >
> > Ideally...
> >
> >     List users = keycloak.realm("iacuc").users().search("tenantId:<uuid>", , );
> >
> > or
> >
> >     List users = keycloak.realm("iacuc").users().search("attribute:tenantId:<uuid>", , );
> >
> > -dana

From sthorger at redhat.com Thu Dec 22 01:32:37 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 22 Dec 2016 07:32:37 +0100 Subject: [keycloak-user] Technical Guidance In-Reply-To: References: <1CDCBEFB-CD05-4537-AB7E-11CC3F97D9BC@evisions.com> Message-ID:

Why not just register the customer IdPs directly with Keycloak using identity brokering?

On 22 December 2016 at 02:27, Dana Danet wrote:
> Thank you for responding, and I apologize if my question was misleading; let me try again.
>
> My requirement is to support an SSO IdM/IdP for customers without their own system, ideally in a multi-tenant way, and to support SSO for customers that have on-premise SSO implementations, mostly InCommon.
>
> We have decided to implement Ping as an SP to handshake with the on-premise (InCommon) customers.
> These integration points could be more than just InCommon. My thought is that Ping will accept the authN, translate the properties to a grant (SAML2) and forward to Keycloak to create the JWT. I attached an image reflecting this below.
>
> My question is how I would register within Keycloak that AuthN would be handled by Ping, and create a JWT.
>
>
>
> On Dec 15, 2016, at 11:41 PM, Stian Thorgersen wrote:
>
> Not quite sure what you're asking here as there seem to be 3 IdPs? Customer IdP, Ping and Keycloak?
>
> On 14 December 2016 at 17:25, Dana Danet wrote:
>
>> I just recently introduced KC to a Spring Cloud micro-service environment as the IDM and OAuth manager of JWT tokens. Front end clients are implementing the javascript adapter and backend Spring Boot services are implemented with the Spring Security adapter (not the boot adapter). Our Service Gateway (Zuul) simply passes the token to backend services.
>>
>> My question is regarding offloading AuthN and IDP to external systems and then brokering to Keycloak for JWT creation. Which would look something like (Customer on premise AuthN) -> Ping -> Keycloak. Ping has been introduced purely as an SP to handle customers' implementations of Shibboleth and InCommon. Initially I was thinking that IDP - Ping SP mapping is all done via Ping and then a canonical SAML exchange to Keycloak.
>>
>> Is this possible? I would appreciate some guidance here.
>>
>> -dana
>>

From avinash at avinash.com.np Thu Dec 22 04:20:03 2016 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Thu, 22 Dec 2016 15:05:03 +0545 Subject: [keycloak-user] Fwd: regarding custom attributes and mapping resources to users In-Reply-To: References: Message-ID:

Hi,

Since I got no response to my previous email and I can see some action happening in the mailing list, I will try to forward my question and explain it again.

* Can a user update their own custom attributes? I want to use custom attributes to store data that would help in creating policies for their permissions. From what I could understand from previous discussions, it looks like users cannot, but it's not confirmed or mentioned anywhere.

* Related to the question above, is there a defined structure/pattern to define resource ownership in keycloak, e.g. user-id *"xx"* is a manager of resource-id *"yy"*, user-id "*aa*" is a viewer of resource-id "*bb*", and so on and so forth. From my question last time: What are the best practices to map roles to specific resources? For example, if I have a role called shop_owner, how do I map a user with that role to a specific shop (for example)? Is this something that keycloak has defined structures for? How can I achieve such a structure with keycloak, with/without using the keycloak authorization/resource services?

Some help or a push in the right direction would be helpful.

Regards,
Avinash

-------- Forwarded Message --------
Subject: regarding custom attributes and mapping resources to users
Date: Tue, 20 Dec 2016 16:14:03 +0545
From: Avinash Kundaliya
To: keycloak-user at lists.jboss.org

Hello Community,

I am fairly new to using keycloak and still getting immersed in the authentication and authorization jargon.
I have some basic queries that I am curious about.

* Regarding the custom attributes for each user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html). Is this something that a user can edit for themselves, or is it something for an administrator to manage custom content for the user? Basically, as an administrator, can I put information that should be hidden from the user in a custom attribute?

* My second question is more about the architecture of applications with authentication and authorization. What are the best practices to map roles to specific resources? For example, if I have a role called shop_owner, how do I map a user with that role to a specific shop (for example)? Is this something that keycloak has defined structures for? How can I achieve such a structure with keycloak, with/without using the keycloak authorization/resource services?

Looking forward to some constructive discussions and some answers to the basic issues I have.

Regards,
Avinash

From mark.schaefer at markschaefer.de Thu Dec 22 04:45:17 2016 From: mark.schaefer at markschaefer.de (mark) Date: Thu, 22 Dec 2016 02:45:17 -0700 (MST) Subject: [keycloak-user] ECP example? In-Reply-To: <0df5fb01-07dd-4dfa-937b-12e3b08c0834@getmailbird.com> References: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp> <1476789125.2477.59.camel@redhat.com> <1482308802453-2076.post@n6.nabble.com> <0df5fb01-07dd-4dfa-937b-12e3b08c0834@getmailbird.com> Message-ID:

I am using Keycloak 2.3.0.Final at the moment. What I need is ECP for a no-browser scenario with brokering, i.e. multiple identity providers, but I am not sure how to achieve it.

My service is secured by a Keycloak Servlet-Filter, which has a Keycloak instance as identity provider.
When I request a secured resource like this

    curl -H "Accept: text/html; application/vnd.paos+xml" -H 'PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp","urn:oasis:names:tc:SAML:2.0:cm:bearer"' http://localhost:8081/kvtg-keycloak-simple/Page

I get an authentication request:

    DemoWebApp DemoWebApp

By the way: the response does not conform to the SAML ECP Spec Section 2.3.2 (http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.pdf) since the element does contain a valid responseConsumerURL attribute.

When I send the element within a SOAP envelope to the SAML endpoint of the Keycloak realm from above, I receive a SAML assertion.

    curl -v -X POST -H "Content-Type: text/xml" -H 'SOAPAction: ""' -d @authnrequest.xml -u mark:.... http://localhost:8080/auth/realms/KVTG/protocol/saml

At this point I am not sure which Java library I should use for the clients and how to POST the assertion back to my service.

My main problem is how to configure multiple identity providers for ECP. I configured multiple identity providers for the realm in the Keycloak admin console, and this works for web applications. Is it possible that the Keycloak realm SAML endpoint responds somehow with redirects to the already configured identity providers?

I tried to configure multiple identity providers for the servlet filter, since the ECP spec allows for a list of these in the AuthnRequest response. This did not work; in fact the xsd for the configuration file allows for only one IDP element.

The latter approach seems to be simpler, but I would not get the other features from the realm like attribute mapping, which I would maybe get from the first approach.

What is the right way to configure multiple identity providers?

On 22/12/16 00:08, Pedro Igor Craveiro e Silva [via keycloak-user] wrote:
> Did you try what we have today? It should allow you to obtain SAML assertions using the ECP profile already.
> > Or do you need something else that we don't yet support from the specs ? > > Thanks. > On 12/21/2016 6:27:22 AM, mark <[hidden email] > > wrote: > Pedro Igor Craveiro e Silva wrote >> We do have some very basic support for ECP on the SP side. The >> implementation is really specific to Openstack use case and >> requirements. >> >> This capability is not advertised in any doc as we don't want people >> using it. In Keycloak we have some tests [1] for SAML ECP that use this >> stuff, but that is all. Just to make sure our IdP is aligned with >> Openstack. > > Are there any plans for more ECP Support? I am just evaluating Keycloak and > made good progress with browser based applications but we will also need > ECP. > > -- > View this message in context: > http://keycloak-user.88327.x6.nabble.com/keycloak-user-ECP-example-tp1184p2076.html > Sent from the keycloak-user mailing list archive at Nabble.com. > _______________________________________________ > keycloak-user mailing list > [hidden email] > https://lists.jboss.org/mailman/listinfo/keycloak-user -- View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-ECP-example-tp1184p2103.html Sent from the keycloak-user mailing list archive at Nabble.com.
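The exchange mark describes above (PAOS request from the SP, AuthnRequest posted to the IdP's SOAP endpoint, assertion posted back to the SP) is the ECP client's job, and the spec puts one security check on the client: before handing the IdP's response to the SP, it must compare the SP's responseConsumerURL with the AssertionConsumerServiceURL the IdP put in its ecp:Response header and refuse on mismatch. The following is an added, stdlib-only Python illustration of that message handling; it is not Keycloak code and not mark's. The two envelopes are constructed samples (the hosts are the ones from the thread; IDs and timestamps are made up), and the HTTP transport is left out so it runs offline.

```python
# Added illustration of the SAML ECP message handling discussed in the thread,
# not Keycloak code; stdlib only. Both envelopes below are constructed samples
# (hosts from the thread, IDs and timestamps made up).
import xml.etree.ElementTree as ET

SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def _find(env, part, prefix, tag):
    """Find <prefix:tag> directly under the envelope's Header or Body."""
    return env.find("./{%s}%s/{%s}%s" % (NS["S"], part, NS[prefix], tag))


def parse_sp_request(xml_bytes):
    """Extract what the client needs from the SP's PAOS request envelope."""
    env = ET.fromstring(xml_bytes)
    paos_req = _find(env, "Header", "paos", "Request")
    ecp_req = _find(env, "Header", "ecp", "Request")
    authn = _find(env, "Body", "samlp", "AuthnRequest")
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP request envelope")
    rcu = paos_req.get("responseConsumerURL")
    if not rcu:  # required by ECP 2.3.2; the check in build_sp_envelope needs it
        raise ValueError("paos:Request lacks responseConsumerURL")
    idps = [] if ecp_req is None else [
        e.get("ProviderID") for e in ecp_req.iter("{%s}IDPEntry" % NS["samlp"])]
    return {"response_consumer_url": rcu, "idp_provider_ids": idps,
            "authn_request": authn}


def build_idp_envelope(authn_request):
    """Bare SOAP envelope around the AuthnRequest for the IdP's SOAP endpoint
    (what the thread POSTs with curl -u user:pass to .../protocol/saml)."""
    env = ET.Element("{%s}Envelope" % NS["S"])
    ET.SubElement(env, "{%s}Body" % NS["S"]).append(authn_request)
    return ET.tostring(env)


def parse_idp_response(xml_bytes):
    """Return (AssertionConsumerServiceURL, samlp:Response) from the IdP's reply."""
    env = ET.fromstring(xml_bytes)
    ecp_resp = _find(env, "Header", "ecp", "Response")
    saml_resp = _find(env, "Body", "samlp", "Response")
    if ecp_resp is None or saml_resp is None:
        raise ValueError("not an ECP response envelope")
    return ecp_resp.get("AssertionConsumerServiceURL"), saml_resp


def build_sp_envelope(sp_request, idp_response_bytes):
    """PAOS response to POST to responseConsumerURL. The ECP profile requires
    the client to compare that URL with the IdP's AssertionConsumerServiceURL
    and abort on mismatch: the assertion was then issued for a different SP."""
    acs_url, saml_resp = parse_idp_response(idp_response_bytes)
    if acs_url != sp_request["response_consumer_url"]:
        raise ValueError("ACS URL mismatch: IdP %r, SP %r"
                         % (acs_url, sp_request["response_consumer_url"]))
    env = ET.Element("{%s}Envelope" % NS["S"])
    header = ET.SubElement(env, "{%s}Header" % NS["S"])
    paos_resp = ET.SubElement(header, "{%s}Response" % NS["paos"])
    paos_resp.set("{%s}actor" % NS["S"], SOAP_NEXT)
    paos_resp.set("{%s}mustUnderstand" % NS["S"], "1")
    ET.SubElement(env, "{%s}Body" % NS["S"]).append(saml_resp)
    return ET.tostring(env)


SAMPLE_SP_REQUEST = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<S:Header>
 <paos:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
  service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  responseConsumerURL="http://localhost:8081/kvtg-keycloak-simple/saml"/>
 <ecp:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
  ProviderName="DemoWebApp"><saml:Issuer>DemoWebApp</saml:Issuer>
  <samlp:IDPList><samlp:IDPEntry ProviderID="http://localhost:8080/auth/realms/KVTG"/></samlp:IDPList>
 </ecp:Request>
</S:Header>
<S:Body>
 <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2016-12-22T09:00:00Z"
  AssertionConsumerServiceURL="http://localhost:8081/kvtg-keycloak-simple/saml">
  <saml:Issuer>DemoWebApp</saml:Issuer></samlp:AuthnRequest>
</S:Body></S:Envelope>"""

SAMPLE_IDP_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<S:Header><ecp:Response S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
  AssertionConsumerServiceURL="http://localhost:8081/kvtg-keycloak-simple/saml"/></S:Header>
<S:Body>
 <samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2016-12-22T09:00:01Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 </samlp:Response>
</S:Body></S:Envelope>"""
```

Wiring it to a real SP and IdP means: GET the protected page with the Accept and PAOS headers from the curl call above, feed the body to parse_sp_request(), POST build_idp_envelope() to the realm's SAML endpoint with the user's credentials, and POST build_sp_envelope() to the responseConsumerURL (the IDPList from the ecp:Request is where an SP would advertise the multiple IdPs mark asks about). A response whose paos:Request carries no responseConsumerURL, as mark reports, is rejected here on purpose: without it the ACS URL comparison cannot be made. For untrusted XML in production, parse with defusedxml rather than the plain ElementTree used here for portability.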
From abhi.raghav007 at gmail.com Thu Dec 22 05:03:21 2016 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Thu, 22 Dec 2016 15:33:21 +0530 Subject: [keycloak-user] Recommendation for the choice of RDBMS with keycloak Message-ID: Hi, We're looking into databases to use with Keycloak. We have been using Mongo, but Keycloak has indicated they might drop support for that. Does anyone from keycloak, or somebody who is using an RDBMS, have a strong or weak recommendation between Postgres, MySQL, and SQL Server? Keycloak seems to have good support for Postgres and MySQL, while also supporting SQL Server. Does it matter which one to choose and if yes in what manner. We might be dealing with users between 2k to 5k in a multitenant environment. Let me know the thoughts on that. Thanks Abhishek From java at neposoft.com Thu Dec 22 06:12:16 2016 From: java at neposoft.com (java_os) Date: Thu, 22 Dec 2016 06:12:16 -0500 Subject: [keycloak-user] how to intercept/flow: VerificationException: Token is not active Message-ID: Hi I have 2 bearer rest layers (A,B): A calls B. In front I have an angular web layer calling A -> B. What are the best practices to handle "Token is not active" when user sits in front idle and token becomes inactive, http session still valid but KC token expired? If B reaches token not active, on the call from A to B - how would I propagate this to the front layer? A has to consume the ValidationException from B and notify front layer to auto logout or prompt the user with a message saying 'your session expired, please login' or automatically throw the user into the login prompt in front. For this scenario above, anyone share some thoughts?
Thanks From java at neposoft.com Thu Dec 22 06:13:25 2016 From: java at neposoft.com (java_os) Date: Thu, 22 Dec 2016 06:13:25 -0500 Subject: [keycloak-user] kc2.4 - breaks PK idp brokering to adfs In-Reply-To: References: <72128899b3f1be39714680069e84e9da.squirrel@neposoft.com> <5f3f82e6d45cf0d69579a7bc3120405f.squirrel@neposoft.com> Message-ID: <54a0cdf61ddc47a2b0390b6963c9bd48.squirrel@neposoft.com> Thanks Hynek - what is the time frame for 2.5.0.Final release then? Thank you. j > Will be resolved in 2.5.0: https://issues.jboss.org/browse/KEYCLOAK-4057 > > On Wed, Dec 21, 2016 at 4:51 PM, java_os wrote: > >> I should add: to begin with I've upgraded to 2.4 and importing the realm >> that was working fine on 2.3 - and things started to break - spending >> time >> to isolate and understand the issue - and my findings in the prev email. >> >> > Hi, >> > In KC 2.3 I can establish trust with adfs by exporting kc meta and >> > importing into adfs. >> > With KC 2.4 - this breaks - I tried to re-gen the rsa key, export >> meta, >> > import into adfs - it fails on this adfs error: >> > "ID4037: The key needed to verify the signature could not be resolved >> from >> > the following security key identifier 'SecurityKeyIdentifier" >> > >> > I'm seeing from UI perspective you've added stuff into around PK in >> 2.4 - >> > but behind the scenes something breaks on the 'key' or something - >> so, >> > going back to 2.3 - regen a new RSA, exported meta into adfs, works >> just >> > fine. >> > Please raise a JIRA with the info above.
>> > thx >> > >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > > --Hynek > From java at neposoft.com Thu Dec 22 06:17:00 2016 From: java at neposoft.com (java_os) Date: Thu, 22 Dec 2016 06:17:00 -0500 Subject: [keycloak-user] how to intercept/flow: VerificationException: Token is not active In-Reply-To: References: Message-ID: <2c96821bfa22035eaa8b54da720b5378.squirrel@neposoft.com> Forgot to mention that the angular piece is under keycloak.js and so this may be able to expire the session before A or B 's token becomes inactive? Overall am trying to see how others handle this , as I think this is a regular web/rest scenario that I am not the only one doing it. Hoping to get some help from whoever. Thanks > Hi > I have 2 bearer rest layers (A,B): A calls B. In front I have an angular > web layer calling A -> B. > > What is the best practices to handle "Token is not active" when user sits > in front idle and token becomes inactive, http session still valid but KC > token expired? If B reaches token not active, on the call from A to B - > how would I propagate this to the front layer? > A has to consume the ValidationException from B and notify front layer to > auto logout or prompt the user with a message saying 'your session > expired, please login' or automatically throw the user into the login > prompt in front. > > For this scenario above, anyone share some thoughts? > Thanks > From psilva at redhat.com Thu Dec 22 06:33:33 2016 From: psilva at redhat.com (Pedro Igor) Date: Thu, 22 Dec 2016 09:33:33 -0200 Subject: [keycloak-user] Fwd: regarding custom attributes and mapping resources to users In-Reply-To: References: Message-ID: <096db3e6-5cff-4c5c-b018-53666cd6ec80@getmailbird.com> Pedro Igor: Hello, answers inline.
On 12/22/2016 7:21:13 AM, Avinash Kundaliya wrote: Hi, since I got no response to my previous email and i can see some action happening in the mailing list, I will try to forward my question and explain it again. * Can a user update their own custom attributes ? I want to use custom attributes to store data that would help in creating policies for their permissions. From what i could understand from previous discussions, it looks like users cannot, but it's not confirmed or mentioned anywhere. Pedro Igor: In general, only admins via Administrator Console. There is an Account Management Page intended for user self-service, you can probably extend themes and provide the attributes you want to update there. See https://github.com/keycloak/keycloak/tree/master/examples/themes. * Related to the question above, is there a defined structure/ pattern to define resource ownership in keycloak, eg. user-id *"xx"* is a manager of resource-id *"yy"* , user-id "*aa*" is a viewer of resource-id "*bb*" and so on and so forth. Pedro Igor: Resources always have an owner. This is different than the role of a user for a particular resource. By default, resources belong to the resource server itself. But when creating new resources via Protection API you can set the owner to be a user. From my question last time, What are the best practices to map roles to specific resources? For example if i have a role called as shop_owner how do i map a user with that role to a specific shop (for example). Is this something that keycloak has defined structures for ? How can i achieve such a structure with keycloak and with/without using the keycloak authorization/resource services. Pedro Igor: If the user is the owner of a shop, you probably want to create the resource setting the user as the owner. After that, you need to associate permissions to your resources. For instance, you can use a JS Policy to grant access to the resource based on the owner of a resource.
As well, associate other permissions based on other types of policies. If you want an example about how to enforce permissions to a resource based on the owner, you can check the Photoz example application. There we demonstrate how to use Drools for that. But you can also use a JS policy. Some help or push in the right direction would be helpful. Regards, Avinash -------- Forwarded Message -------- Subject: regarding custom attributes and mapping resources to users Date: Tue, 20 Dec 2016 16:14:03 +0545 From: Avinash Kundaliya To: keycloak-user at lists.jboss.org Hello Community, I am fairly new to using keycloak and still getting immersed into the authentication and authorization jargons. I have some basic queries that i am curious about. * Regarding the custom attributes for each user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html). Is this something that a user can edit for themselves or is something for an administrator to manage custom content for the user? Basically, as an administrator can I put information that should be hidden from the user as a custom attribute ? * My second question is more about architecture of applications with authentication and authorization. What are the best practices to map roles to specific resources? For example if i have a role called as shop_owner how do i map a user with that role to a specific shop (for example). Is this something that keycloak has defined structures for ? How can i achieve such a structure with keycloak and with/without using the keycloak authorization/resource services. Looking forward to some constructive discussions and some answers to the basic issues I have. 
Regards, Avinash _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From java at neposoft.com Thu Dec 22 06:36:58 2016 From: java at neposoft.com (java_os) Date: Thu, 22 Dec 2016 06:36:58 -0500 Subject: [keycloak-user] how to intercept/flow: VerificationException: Token is not active In-Reply-To: <2c96821bfa22035eaa8b54da720b5378.squirrel@neposoft.com> References: <2c96821bfa22035eaa8b54da720b5378.squirrel@neposoft.com> Message-ID: I would think that the front end would block or re-new the token and send into the call a valid token to the bearer call. I am passing the token extracted from the front-end into the header to the bearer rest call. So does keycloak.js re-issuing a new valid token if the existing one expired? Currently it does not since I am seeing VerificationException on the bearer rest layer. thoughts??? > Forgot to mention that the angular piece is under keycloak.js and so this > may be able to expire the session before A or B 's token becomes inactive? > Overall am trying to see how others handle this , as I think this is a > regular web/rest scenario that I am not the only one doing it. > Hoping to get some help from whoever. > Thanks > >> Hi >> I have 2 bearer rest layers (A,B): A calls B. In front I have an angular >> web layer calling A -> B. >> >> What is the best practices to handle "Token is not active" when user >> sits >> in front idle and token becomes inactive, http session still valid but >> KC >> token expired? If B reaches token not active, on the call from A to B - >> how would I propagate this to the front layer? >> A has to consume the ValidationException from B and notify front layer >> to >> auto logout or prompt the user with a message saying 'your session >> expired, please login' or automatically throw the user into the login >> prompt in front. >> >> For this scenario above, anyone share some thoughts? 
>> Thanks >> > > > From Krzysztof.Goworek at ingbank.pl Thu Dec 22 07:10:23 2016 From: Krzysztof.Goworek at ingbank.pl (Goworek Krzysztof INNE) Date: Thu, 22 Dec 2016 12:10:23 +0000 Subject: [keycloak-user] Session cookie settings overwritten by undertow keycloak adapter Message-ID: <5D6D47A3F675BA46823D762152C022BE48B4739B@spplapp03344.pl.ing-ad> Hello all, I am developing a web application using Keycloak on JBoss EAP7 (Wildfly 10, Undertow). We have migrated recently from EAP6.4 and now I've got several issues to solve. One of them is session cookie configuration in web.xml which used to work, but now is completely ignored. After further investigation it looks that keycloak-undertow-adapter module is overwriting existing settings with uninitialized configuration object (). All of this is done in KeycloakServletExtension class (https://github.com/keycloak/keycloak/blob/master/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/KeycloakServletExtension.java#L179), lines 177-179 on master. Can somebody tell me whether this is a bug or maybe this was done on purpose? Can I in any way reconfigure these settings somehow later? From the code it does not seem to read any configuration values, it just sets the cookie path based on the context path and leaves the remaining fields uninitialized. I would expect it to set the path and copy the rest from the 'servletSessionConfig' field. Am I missing something? Krzysztof From Dana.Danet at Evisions.com Thu Dec 22 08:02:36 2016 From: Dana.Danet at Evisions.com (Dana Danet) Date: Thu, 22 Dec 2016 13:02:36 +0000 Subject: [keycloak-user] Technical Guidance In-Reply-To: References: <1CDCBEFB-CD05-4537-AB7E-11CC3F97D9BC@evisions.com> Message-ID: <3FB077AE-82AA-446F-983D-91F7F4D34370@evisions.com> I was concerned you might suggest that :). While a valid option, it unfortunately would require me to add hundreds of custom InCommon providers for our customers to handle the user property mappings.
Not to mention many customer-built systems. Our company's in-house customer onboarding and integrations team has chosen Ping to handle this part of the handshake and would like to hand off to Keycloak a SAML 2 token. Most of them do not like the idea of exposing internal requests into their systems and would prefer to have the login start internally. Additionally I would need to brand every login page within Keycloak. Thoughts? On Dec 21, 2016, at 10:32 PM, Stian Thorgersen wrote: Why not just register the customer IdPs directly with Keycloak using identity brokering? On 22 December 2016 at 02:27, Dana Danet wrote: Thank you for responding and I apologize if my question was misleading, let me try again. My requirement is to support an SSO IdM/IdP for customers without their own system, ideally in a multi-tenant way, and to support SSO for customers that have on-premise SSO implementations, mostly InCommon. We have decided to implement Ping as an SP to handshake with the on-premise (InCommon) customers. Since these integration points could be more than just InCommon. My thought is that Ping will accept the authN, translate the properties to a grant (SAML2) and forward to Keycloak to create the JWT. I attached an image reflecting this below. My question is how would I register within Keycloak that AuthN would be handled by Ping, and to create a JWT. On Dec 15, 2016, at 11:41 PM, Stian Thorgersen wrote: Not quite sure what you're asking here as there seems to be 3 IdPs? Customer IdP, Ping and Keycloak? On 14 December 2016 at 17:25, Dana Danet wrote: I just recently introduced KC to a Spring Cloud micro-service environment as the IDM and Oauth manager of JWT tokens. Front end clients are implementing the javascript adapter and backend Spring Boot services are implemented with the Spring Security adapter (not boot adapter). Our Service Gateway (Zuul) simply passes the token to backend services.
My question is regarding offloading AuthN and IDP to external systems and then brokering to Keycloak for JWT creation. Which would look something like (Customer on premise AuthN) -> Ping -> Keycloak. Ping has been introduced purely as an SP to handle customers' implementations of Shibboleth and InCommon. Initially I was thinking that IDP - Ping SP mapping is all done via Ping and then a canonical SAML exchange to Keycloak. Is this possible? I would appreciate some guidance here. -dana _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From georgijsr at scandiweb.com Thu Dec 22 11:32:31 2016 From: georgijsr at scandiweb.com (Georgijs Radovs) Date: Thu, 22 Dec 2016 18:32:31 +0200 Subject: [keycloak-user] User federation from multiple LDAP servers Message-ID: <82cbab9f-38b7-73e3-7232-090936fcc304@scandiweb.com> Hello everyone! Is it possible to set up User Federation from multiple replicating LDAP servers? For example: We have 2 FreeIPA servers, which are replicating between each other. And, we have 2 Keycloak servers in standalone-ha mode, using S3_PING session failover. How to add second FreeIPA server to User Federation? We've tried to add second LDAP server in User Federation and set lower priority for it, but when user account sync happens, Keycloak server shows that the user account from FreeIPA server 2 is already linked to FreeIPA server 1.
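The error Georgijs sees is expected: each imported user is linked to exactly one federation provider, so two providers pointing at two replicas of the same directory will always collide. A way to keep a single provider and still survive a replica outage is to put a TCP proxy on each Keycloak host and point User Federation at it. The following HAProxy configuration is an added example, not something from the thread; the hostnames, CA file path, and timings are assumptions.

```haproxy
# Added example, not from the thread: one LDAPS endpoint for Keycloak in
# front of two replicating FreeIPA servers. Hostnames, the CA file path
# and the timings are assumptions.
defaults
    mode tcp
    timeout connect 5s
    timeout client  2m
    timeout server  2m

# Keycloak's User Federation provider points at ldaps://localhost:636.
frontend ldaps_local
    bind 127.0.0.1:636
    default_backend freeipa

backend freeipa
    # TLS is passed through untouched, so HAProxy never sees bind credentials
    # and the replica's certificate reaches Keycloak unchanged.
    # ldap-check sends an anonymous LDAPv3 bind (over TLS because of check-ssl)
    # and marks a replica down if it does not answer with a bind response;
    # verify/ca-file make the health check validate the replica's certificate.
    option ldap-check
    server ipa1 ipa1.example.com:636 check check-ssl verify required ca-file /etc/ipa/ca.crt inter 5s fall 2 rise 3
    # Second replica as backup only: pinning traffic to one replica avoids
    # Keycloak reading from ipa2 a user that ipa1 has not replicated yet.
    server ipa2 ipa2.example.com:636 check check-ssl verify required ca-file /etc/ipa/ca.crt inter 5s fall 2 rise 3 backup
```

Two caveats. Because TLS is passed through, Keycloak connects to "localhost" but receives a certificate issued for ipa1.example.com; JDK releases that enable LDAPS endpoint identification (8u181 and later) will reject that, so either connect through a DNS name that the replica certificates include in their SAN, or terminate TLS in HAProxy and re-encrypt to the backends. And with Keycloak in standalone-ha mode, run the same proxy on every node so that the provider's connection URL means the same thing everywhere.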
-- From lists at merit.unu.edu Thu Dec 22 14:01:33 2016 From: lists at merit.unu.edu (mj) Date: Thu, 22 Dec 2016 20:01:33 +0100 Subject: [keycloak-user] User federation from multiple LDAP servers In-Reply-To: <82cbab9f-38b7-73e3-7232-090936fcc304@scandiweb.com> References: <82cbab9f-38b7-73e3-7232-090936fcc304@scandiweb.com> Message-ID: <8dd8f671-7fc6-c2fe-dbd0-537e9e7ad7f3@merit.unu.edu> Hi, What we do: Set up HAProxy on the keycloak host, define one front-end server in haproxy on localhost:636, then multiple ldap.host:636 servers as backend-servers in HAProxy. And then make keycloak talk to localhost:636. HAProxy does a very good job at that. MJ On 12/22/2016 05:32 PM, Georgijs Radovs wrote: > Hello everyone! > > > Is it possible to set up User Federation from multiple replicating LDAP > servers? > > For example: > > We have 2 FreeIPA servers, which are replicating between each other. > > And, we have 2 Keycloak servers in standalone-ha mode, using S3_PING > session failover. > > How to add second FreeIPA server to User Federation? > > We've tried to add second LDAP server in User Federation and set lower > priority for it, but when user account sync happens, Keycloak server > shows, that user account from FreeIPA server 2 is already linked to > FreeIPA server 1. > > > From Edgar at info.nl Fri Dec 23 05:24:30 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Fri, 23 Dec 2016 10:24:30 +0000 Subject: [keycloak-user] Best way to add custom attributes to the user session? Message-ID: Hi, We would like to add custom attributes (using custom logic including custom database queries) to the user session in Keycloak on authentication. What is the best way to do this? We use an LDAP/AD user federation provider. Should we write a custom user attribute mapper and add it to our user federation provider? I guess we could also write a custom token mapper and misuse it a little in that it will only add data to the user session and not to the token?
Previously we had a custom token mapper that added this custom data to the token, however it is becoming too much data and we have reached the max size limit (JWT tokens are transported as HTTP headers and those have a max size of 8kb). So now we are thinking of adding this data to the user session in Keycloak and when we need it later on get it from Keycloak using Keycloak's REST API. cheers From dt at zyres.com Fri Dec 23 05:53:19 2016 From: dt at zyres.com (Danny Trunk) Date: Fri, 23 Dec 2016 11:53:19 +0100 Subject: [keycloak-user] Update passwords with old hash algorithm Message-ID: <2a1d7825-e969-6e83-0f0f-f448121554b5@zyres.com> Hello everybody, I've already implemented a custom Password Hash SPI which encodes and verifies encoded passwords with an old hash algorithm. Now I would like to update those passwords with a new hash algorithm as I have access to the raw password in the Password Hash SPI (Keyword: self-healing process). Which possibilities do I have? Best regards Danny. From ugur.kolip at gmail.com Fri Dec 23 07:23:33 2016 From: ugur.kolip at gmail.com (uğur kolip) Date: Fri, 23 Dec 2016 15:23:33 +0300 Subject: [keycloak-user] policy enforcer without content path Message-ID: Hi i use keycloak 4.5.0.Final with spring boot adapter. When there isn't a context path, i get a 403 forbidden error. (message:"Could not find a configuration for path [/getRoles/alice]." path:"/admin/getRoles/alice" ) do we have to add contextPath ? do i do something wrong ? or is it a bug ?
if we don't , path be wrong, My opinion because of these : In AbstractPolicyEnforcer class(keycloak-adapter-core) , there are String pathInfo = URI.create(request.getURI()).getPath().substring(1); String path = pathInfo.substring(pathInfo.indexOf('/'), pathInfo.length()); Thank you for helping From ugur.kolip at gmail.com Fri Dec 23 10:50:04 2016 From: ugur.kolip at gmail.com (uğur kolip) Date: Fri, 23 Dec 2016 18:50:04 +0300 Subject: [keycloak-user] policy enforcer without content path In-Reply-To: References: Message-ID: Also (i enabled authorization, in both emails) When i use server.host , i get forbidden too. I don't understand why i get this. my application.properties looks like server.port = 16085 server.host : example.com server.contextPath= /photoz-restful-api keycloak.realm = photoz keycloak.auth-server-url = http://example.com:16090/auth keycloak.ssl-required = none keycloak.resource = photoz-restful-api keycloak.credentials.secret = secret keycloak.cors = true keycloak.securityConstraints[0].securityCollections[0].name = All admin keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /admin/* keycloak.securityConstraints[1].securityCollections[0].name = All keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /* keycloak.policy-enforcer-config.enforcement-mode = ENFORCING 2016-12-23 15:23 GMT+03:00 uğur kolip : > Hi > > i use keycloak 4.5.0.Final with spring boot adapter. > When there isn't context path , i get 403 forbidden error. (message:"Could > not find a configuration for path [/getRoles/alice]." > path:"/admin/getRoles/alice" ) > > do we have to add contextPath ? do i do something wrong ? or is it bug ?
> > if we don't , path be wrong, > > My opinion because of these : > In AbstractPolicyEnforcer class(keycloak-adapter-core) , there are > String pathInfo = URI.create(request.getURI()).getPath().substring(1); > String path = pathInfo.substring(pathInfo.indexOf('/'), > pathInfo.length()); > > Thank you for helping > From psilva at redhat.com Sat Dec 24 12:56:29 2016 From: psilva at redhat.com (Pedro Igor) Date: Sat, 24 Dec 2016 15:56:29 -0200 Subject: [keycloak-user] policy enforcer without content path In-Reply-To: References: Message-ID: <713e4110-1a63-4c05-9c09-ccd55dc76c5b@getmailbird.com> I think you are hitting https://issues.jboss.org/browse/KEYCLOAK-3261. Right now we have an issue when handling apps deployed at the ROOT context. On 12/23/2016 1:51:57 PM, uğur kolip wrote: Also (i enable authorization , both of emails) When i use server.host , i get forbidden too. I don't understand why get this my application.properties like server.port = 16085 server.host : example.com server.contextPath= /photoz-restful-api keycloak.realm = photoz keycloak.auth-server-url = http://example.com:16090/auth keycloak.ssl-required = none keycloak.resource = photoz-restful-api keycloak.credentials.secret = secret keycloak.cors = true keycloak.securityConstraints[0].securityCollections[0].name = All admin keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /admin/* keycloak.securityConstraints[1].securityCollections[0].name = All keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /* keycloak.policy-enforcer-config.enforcement-mode = ENFORCING 2016-12-23 15:23 GMT+03:00 uğur kolip : > Hi > > i use keycloak 4.5.0.Final with spring boot adapter. > When there isn't context path , i get 403 forbidden error. (message:"Could > not find a configuration for path [/getRoles/alice]."
> path:"/admin/getRoles/alice" ) > > do we have to add contextPath ? do i do something wrong ? or is it bug ? > > if we don't , path be wrong, > > My opinion because of these : > In AbstractPolicyEnforcer class(keycloak-adapter-core) , there are > String pathInfo = URI.create(request.getURI()).getPath().substring(1); > String path = pathInfo.substring(pathInfo.indexOf('/'), > pathInfo.length()); > > Thank you for helping > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From haimv at perfectomobile.com Sun Dec 25 11:06:10 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Sun, 25 Dec 2016 16:06:10 +0000 Subject: [keycloak-user] After keycloak upgrade offline tokens are revoked Message-ID: Hi, We would like to upgrade our keycloak version to latest, currently we use 1.9.3. After upgrading to version 2.3 we noticed that the offline tokens that were created before the upgrade are revoked - the below response is received. Is it a known defect ? is there any workaround ? { "error": "invalid_grant", "error_description": "Invalid refresh token" } Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
From smichea at gmail.com Sun Dec 25 22:31:08 2016 From: smichea at gmail.com (smichea at gmail.com) Date: Mon, 26 Dec 2016 04:31:08 +0100 Subject: [keycloak-user] user group management from servlet app Message-ID: <58608efb.c793620a.24ff.ccd5@mx.google.com> Hi all, Is there a way to access/manage groups of a user from the KeycloakSecurityContext obtained in a servlet ? Thank you, Sebastien From avinash at avinash.com.np Mon Dec 26 04:28:02 2016 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Mon, 26 Dec 2016 15:13:02 +0545 Subject: [keycloak-user] understanding the photoz example Message-ID: <92457584-1fc1-3f0b-c34c-53ba443fc345@avinash.com.np> I have been going through the photoz example and I am curious how does the drool application know the resource owner [1] or get details about the resource in general ? Can this be done with a javascript based policy? Is there a post/description about how the photoz example works and how information flows in this example. I am trying to understand via the code as of now, the Readme is a good introduction of what it does, but not enough to understand what's really happening? I am having a hard time understanding how to setup keycloak authorization and also missing documentation/explanation on how to do things. If there's a resource that someone could refer to, that would be great. 
[1] https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11 Regards, Avinash From haimv at perfectomobile.com Mon Dec 26 10:18:04 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Mon, 26 Dec 2016 15:18:04 +0000 Subject: [keycloak-user] Spring security adapter best practices Message-ID: Hi, We were wondering what is the best practice for the use of spring security adapter: I notice that the security context is an instance of RefreshableKeycloakSecurityContext, which means (correct me if I'm wrong) that whenever a token is about to revoke, a refresh is issued. I used all the xml beans that are in the documentation, but still, when I put a breakpoint on RefreshableKeycloakSecurityContext -> refreshExpiredToken, it stops only once - on logout (which is another mystery to me). I also noticed that this method is public yet no other class uses it. Do I need to invoke it explicitly? Where? Thanks, Dekel. From ugur.kolip at gmail.com Mon Dec 26 10:33:15 2016 From: ugur.kolip at gmail.com (uğur kolip) Date: Mon, 26 Dec 2016 18:33:15 +0300 Subject: [keycloak-user] can we use authorization with bearer-only ? Message-ID: can we use bearer-only with authorization ? if it can be , how can we use ? are there any examples ?
when i try to use it with the photoz example, i get bad request (or 403, i am not sure, i changed a lot of things). Because i don't want redirects or stored sessions, it can be used by mobile apps. Thank you for helping From michael_furman at hotmail.com Mon Dec 26 12:59:23 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Mon, 26 Dec 2016 17:59:23 +0000 Subject: [keycloak-user] Can I create the bearer token by administrator on behalf of other users? Message-ID: Hi, I need to create the bearer token by admin on behalf of other users. It means: 1. I have admin user and password. 2. I have the user name (e.g. bob). 3. I want to create the bearer token and to access the bearer client. 4. When I access the bearer client with the bearer token it authenticates user (e.g. bob). How can I do it? Thank you for your help, Michael From haimv at perfectomobile.com Tue Dec 27 09:53:48 2016 From: haimv at perfectomobile.com (Haim Vana) Date: Tue, 27 Dec 2016 14:53:48 +0000 Subject: [keycloak-user] COMPOSITE_ROLE table duplicate rows issue Message-ID: Hi, We found an issue with the COMPOSITE_ROLE DB table, the issue might have occurred when creating multiple realms in parallel. We noticed that create realm API fails on timeout and DB showed locks on table COMPOSITE_ROLE. Further investigation revealed that the COMPOSITE_ROLE table contains a lot of duplicate rows, instead of about 4000 rows there were over a million rows. Deleting the duplicate rows solved the issue. Any idea what might have caused the duplicated rows ? or how to prevent it ? Also we have about 4000 rows in the COMPOSITE_ROLE table, does it make sense for about 160 realms ? (maybe we need to do some cleanup) Thanks, Haim.
If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. From deepu.laghuvaram at gmail.com Tue Dec 27 13:38:37 2016 From: deepu.laghuvaram at gmail.com (Raghu Laghuvaram) Date: Tue, 27 Dec 2016 13:38:37 -0500 Subject: [keycloak-user] Passing Data to Registration Fields Message-ID: I am trying to use direct registration link and I want to pass some of the fields from my application, is it possible to pass fields such as First Name, Last Name and other custom fields if needed? Thanks, Deepu From RLewis at carbonite.com Tue Dec 27 15:05:59 2016 From: RLewis at carbonite.com (Reed Lewis) Date: Tue, 27 Dec 2016 20:05:59 +0000 Subject: [keycloak-user] Some questions about user authentication with external IDP Message-ID: <7F411399-9C99-4727-86DC-9BA812B38867@carbonite.com> We are planning on using Keycloak to authenticate users in our environment. There will be multiple sources of user logins. 1. Local to Keycloak 2. Using a Federation provider to pull accounts from on a one time basis (The first time the user logs in they will authenticate using the p/w in the Federation server, and subsequent logins will occur entirely in Keycloak) 3. Using a third party IDP (Like Microsoft/ Google/ etc.) But the initial source of these accounts might be local in keycloak. I of course can do #1, and know how to do #2. For #3 I have the external 3Rd party IDP working. But what we would like to have is this: 1. A user goes to a form in which they enter the username only. 2. If the user is new, it asks them to create an account 3. If the user is new, but we know the login to be associated with a third party IDP, we go there, and link the account. 4. 
If the user is not new, and if they are linked to a third-party IDP, it automatically loads that IDP page without having to pick that login. Here is the workflow we are thinking of. An admin adds a list of accounts (either CSV, or some other way) into Keycloak, but it says that all these accounts need to be authenticated by some third-party IDP. So when a user logs into Keycloak and enters their password, it automatically redirects the user to the third-party IDP and then associates the local Keycloak login with the IDP without having to do too much. Does this make sense? Reed Lewis Disclaimer The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful. This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website. From psilva at redhat.com Tue Dec 27 20:19:44 2016 From: psilva at redhat.com (Pedro Igor) Date: Tue, 27 Dec 2016 23:19:44 -0200 Subject: [keycloak-user] can we use authorization with bearer-only ? In-Reply-To: References: Message-ID: <8f57e4b3-32a1-4f19-bbe5-d3c3005146f5@getmailbird.com> Hi, Your client can't be set as bearer-only on the Keycloak server. You can still use bearer-only on the adapter configuration though. Keycloak doesn't allow "bearer only" clients (when setting up your client on the server) to obtain tokens from the server. Try to change your client to "confidential" on the server and set bearer-only on your adapter configuration (keycloak.json). Regards.
Pedro Igor On 12/26/2016 1:34:06 PM, uğur kolip wrote: Can we use bearer-only with authorization? If so, how can we use it? Are there any examples? When I try to use it with the photoz example, I get bad request (or 403, I am not sure, I changed a lot of things). Because I don't want to redirect or store a session, it can be used by mobile apps. Thank you for helping _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Dec 27 20:32:56 2016 From: psilva at redhat.com (Pedro Igor) Date: Tue, 27 Dec 2016 23:32:56 -0200 Subject: [keycloak-user] understanding the photoz example In-Reply-To: <92457584-1fc1-3f0b-c34c-53ba443fc345@avinash.com.np> References: <92457584-1fc1-3f0b-c34c-53ba443fc345@avinash.com.np> Message-ID: <179d1b4e-6c76-45c1-b739-1cd0ae0226a7@getmailbird.com> On 12/26/2016 7:29:14 AM, Avinash Kundaliya wrote: I have been going through the photoz example and I am curious how the Drools application knows the resource owner [1] or gets details about the resource in general? Pedro Igor: The rule used with the Drools policy is basically using the Policy Evaluation API [1], which provides access not only to the resource but also the identity (built based on the access token sent along the authorization request), the permission being evaluated (resource + scope) and a few contextual attributes. [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html Can this be done with a JavaScript-based policy? Pedro Igor: Yes, both policy types allow you to use ABAC and all attributes available through the Policy Evaluation API to write your policies. You can even mix ABAC with RBAC, if you also need to check roles granted to the identity asking for access. Is there a post/description about how the photoz example works and how information flows in this example?
I am trying to understand via the code as of now; the Readme is a good introduction to what it does, but not enough to understand what's really happening. Pedro Igor: No, but we can update docs to include such info. I am having a hard time understanding how to set up Keycloak authorization and am also missing documentation/explanation on how to do things. If there's a resource that someone could refer to, that would be great. Pedro Igor: What about the documentation [2]? I think it is going to be useful to understand some key concepts. Feel free to open issues on our doc if you find something is not clear. [2] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html [1] https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11 Regards, Avinash _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From avinash at avinash.com.np Wed Dec 28 03:58:17 2016 From: avinash at avinash.com.np (Avinash Kundaliya) Date: Wed, 28 Dec 2016 14:43:17 +0545 Subject: [keycloak-user] understanding the photoz example In-Reply-To: <179d1b4e-6c76-45c1-b739-1cd0ae0226a7@getmailbird.com> References: <92457584-1fc1-3f0b-c34c-53ba443fc345@avinash.com.np> <179d1b4e-6c76-45c1-b739-1cd0ae0226a7@getmailbird.com> Message-ID: <9f9a8144-9c09-6a93-afa6-0ae339dc35dc@avinash.com.np> Reply inline. I want to confirm if Keycloak requests the resource server to get the resource or not. On 12/28/16 07:17, Pedro Igor wrote: >> >> On 12/26/2016 7:29:14 AM, Avinash Kundaliya >> wrote: >> >> I have been going through the photoz example and I am curious how does >> the Drools application know the resource owner [1] or get details about >> the resource in general ?
> *Pedro Igor:* The rule used with the Drools policy is basically using > the Policy Evaluation API [1], which provides access not only to the > resource but also the identity (built based on the access token sent > along the authorization request), the permission being evaluated > (resource + scope) and a few contextual attributes. > > [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html > > *Avinash:* Ok, so does this mean that Keycloak requests the resource > server to get the resource, that is then passed to the evaluation API > along with the identity and contextual attributes? >> Can this be done with a JavaScript-based policy? > *Pedro Igor:* Yes, both policy types allow you to use ABAC and all > attributes available through the Policy Evaluation API to write your > policies. You can even mix ABAC with RBAC, if you also need to check > roles granted to the identity asking for access. >> >> >> Is there a post/description about how the photoz example works and how >> information flows in this example. I am trying to understand via the >> code as of now, the Readme is a good introduction of what it does, but >> not enough to understand what's really happening? > *Pedro Igor:* No, but we can update docs to include such info. > *Avinash:* That would be nice! I would also like to help as I move along and understand what's really happening. This is apparently a more complicated topic than I initially thought it to be. >> >> >> I am having a hard time understanding how to setup keycloak >> authorization and also missing documentation/explanation on how to do >> things. If there's a resource that someone could refer to, that would be >> great. > *Pedro Igor:* What about the documentation [2] ? I think it is going > to be useful to understand some key concepts.
Feel free to open issues > on our doc if you find something is not clear > > [2] > https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html >> >> >> [1] >> https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11 >> >> >> Regards, >> Avinash >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From teknodjs at gmail.com Wed Dec 28 07:50:33 2016 From: teknodjs at gmail.com (Padmaka Wijaygoonawardena) Date: Wed, 28 Dec 2016 18:20:33 +0530 Subject: [keycloak-user] Performance lag in client role creation and retrieval In-Reply-To: References: Message-ID: Hi, I have created a new ticket as requested: https://issues.jboss.org/browse/KEYCLOAK-4137 Cheers Padmaka On Wed, Dec 14, 2016 at 11:21 AM, Stian Thorgersen wrote: > As Marek commented on the issue can you please create another JIRA for > your issues on 2.4? > > On 8 December 2016 at 07:31, Padmaka Wijaygoonawardena > wrote: > >> Hi, >> >> I've tried Keycloak 2.4.0.Final with the same setup as above regarding >> the performance issue. For creating a role and assigning a role there is a good >> performance improvement. >> >> However, after the 2.4.0 upgrade, for the 'get client role by role name' >> endpoint it is taking around 15s on average. Earlier there wasn't this much >> of a performance lag. In the database I have around 30000 client roles and >> around 10000 roles per client. >> >> Please note that I have a MySQL DB, and a two node cluster. >> >> Any advice or fix would be highly appreciated. Thanks in advance.
>> >> I have commented on the related ticket as well [1] >> >> [1] - https://issues.jboss.org/browse/KEYCLOAK-3863 >> >> On Fri, Nov 4, 2016 at 3:48 PM, Padmaka Wijaygoonawardena < >> teknodjs at gmail.com> wrote: >> >>> Hi, >>> >>> Thanks for replying I created a ticket here [1]. >>> >>> Cheers, >>> Padmaka >>> >>> [1] - https://issues.jboss.org/browse/KEYCLOAK-3863 >>> >>> On Fri, Nov 4, 2016 at 11:01 AM, Stian Thorgersen >>> wrote: >>> >>>> We're actually currently looking at some issues around this. Please >>>> create a JIRA and we'll make sure your case is checked as well. >>>> >>>> Hopefully this will be solved in the upcoming 2.4 release. >>>> >>>> On 3 November 2016 at 12:16, Padmaka Wijaygoonawardena < >>>> teknodjs at gmail.com> wrote: >>>> >>>>> Hi, >>>>> >>>>> I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm >>>>> using has 2 Keycloak nodes and around 4000 client roles for one >>>>> client. the >>>>> process I go through for adding is as follows: >>>>> >>>>> >>>>> 1. GET call to check whether the role already exists. (takes around >>>>> 2000ms) >>>>> 2. POST call to create the new client role. (takes around 10000ms) >>>>> 3. GET call to get the newly created client role(Since the create >>>>> role >>>>> call doesn't send the full client role in the response body). >>>>> (takes around >>>>> 10000ms) >>>>> >>>>> The Keycloak version I used earlier was 1.9.0 with that version this >>>>> process worked fine with one call taking around 700ms on average. >>>>> >>>>> So as shown above this is a huge performance lag. With further >>>>> investigation I found the following points >>>>> >>>>> >>>>> 1. When using only one Keycloak node this problem doesn't appear. >>>>> Therefore it should be some issue with infinispan cache. >>>>> 2. When I remove the get calls and only send the create calls then >>>>> the >>>>> calls return in 2000ms in average. >>>>> 3. 
This lag only appears when executing a get role call soon after >>>>> creating a client role. >>>>> >>>>> I double checked the changes for 2.3.0 [1]; since there is nothing said >>>>> about cache or related issues I raised this issue. >>>>> >>>>> Any advice or fix would be highly appreciated. Thanks in advance. >>>>> >>>>> [1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html >>>>> >>>>> Cheers, >>>>> Padmaka. >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> > From psilva at redhat.com Wed Dec 28 07:51:24 2016 From: psilva at redhat.com (Pedro Igor) Date: Wed, 28 Dec 2016 10:51:24 -0200 Subject: [keycloak-user] understanding the photoz example In-Reply-To: <9f9a8144-9c09-6a93-afa6-0ae339dc35dc@avinash.com.np> References: <92457584-1fc1-3f0b-c34c-53ba443fc345@avinash.com.np> <179d1b4e-6c76-45c1-b739-1cd0ae0226a7@getmailbird.com> <9f9a8144-9c09-6a93-afa6-0ae339dc35dc@avinash.com.np> Message-ID: <7da56b6f-2f7d-40b9-904e-bc87ca36e26b@getmailbird.com> On 12/28/2016 6:58:26 AM, Avinash Kundaliya wrote: Reply inline. I want to confirm if Keycloak requests the resource server to get the resource or not. On 12/28/16 07:17, Pedro Igor wrote: On 12/26/2016 7:29:14 AM, Avinash Kundaliya wrote: I have been going through the photoz example and I am curious how the Drools application knows the resource owner [1] or gets details about the resource in general? Pedro Igor: The rule used with the Drools policy is basically using the Policy Evaluation API [1], which provides access not only to the resource but also the identity (built based on the access token sent along the authorization request), the permission being evaluated (resource + scope) and a few contextual attributes.
[1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/policy/evaluation-api.html Avinash: Ok, so does this mean that Keycloak requests the resource server to get the resource, that is then passed to the evaluation API along with the identity and contextual attributes? Pedro Igor: Basically, yes. Not sure what you mean by "Keycloak requests the resource server to get the resource", but what happens is that during evaluation Keycloak checks the resources being requested along with the authorization request (see the section "Authorization Services", especially both the Entitlement and Authorization APIs) and creates an evaluation context which is then passed to your policies. The evaluation context is the guy holding all the information you might need to actually write your policies and take decisions. Can this be done with a JavaScript-based policy? Pedro Igor: Yes, both policy types allow you to use ABAC and all attributes available through the Policy Evaluation API to write your policies. You can even mix ABAC with RBAC, if you also need to check roles granted to the identity asking for access. Is there a post/description about how the photoz example works and how information flows in this example? I am trying to understand via the code as of now; the Readme is a good introduction to what it does, but not enough to understand what's really happening. Pedro Igor: No, but we can update docs to include such info. Avinash: That would be nice! I would also like to help as I move along and understand what's really happening. This is apparently a more complicated topic than I initially thought it to be. Pedro Igor: I would appreciate your help, feel free to send changes to the docs (GitBook is quite nice and easy to get started with). The PhotoZ example is intended for those trying to protect APIs.
The main thing it tries to demonstrate is:
* How resource servers can create resources remotely using the Protection API
* How users' resources (album instances, such as "Avinash Family Album") can inherit permissions assigned to a "Typed Resource"
* How to use keycloak-authz.js to interact with a Keycloak server and resource servers in order to obtain tokens with the necessary permissions and use them to actually get access to protected resources
* How to use the Authorization Client Java API
* What an RPT (requesting party token, the guy holding the permissions) looks like
* How incremental authorization works. In other words, when asking permissions for a set of one or more resources, if you already have a valid RPT, the next RPT is going to have all permissions previously granted + the new ones.
Probably good topics to write some additional docs :) I am having a hard time understanding how to set up Keycloak authorization and am also missing documentation/explanation on how to do things. If there's a resource that someone could refer to, that would be great. Pedro Igor: What about the documentation [2]? I think it is going to be useful to understand some key concepts.
Feel free to open issues on our doc if you find something is not clear. [2] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/overview/overview.html [1] https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl#L11 Regards, Avinash _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From rjvduijn at gmail.com Wed Dec 28 08:29:20 2016 From: rjvduijn at gmail.com (Richard van Duijn) Date: Wed, 28 Dec 2016 13:29:20 +0000 Subject: [keycloak-user] Updating resources via adapter client Message-ID: Hi, Referring to ticket: https://issues.jboss.org/browse/KEYCLOAK-4136 I'm puzzled. I was investigating the possibility to update a given resource (for instance updating the name of the resource). I read the documentation (here) stating that there is a PUT endpoint with the path set to: Update resource set description: PUT /resource_set/{_id} I use the AuthzClient to manage resources from my client using the line: ProtectedResource resourceClient = this.authzClient.protection().resource(); The ProtectedResource class does not implement the updateResource method. (I hope this will be fixed soon.) BUT, I attempted to implement the logic myself and kept receiving a 405 response from Keycloak.
Details on the call can be found here. In debug mode I get the following data:
"PUT /auth/realms/photoz/authz/protection/resource_set/98800456-37d5-4ebe-9a63-c007e7bdd70b HTTP/1.1[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Authorization: Bearer [BEARER-TOKEN-HERE][\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Type: application/json[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Length: 206[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: 127.0.0.1:8080[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_112)[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
14:17:52.612 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
14:17:52.612 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "{"name":"my-resource-2","uri":"/test/1","type":"urn:nl.company:type:testresource","scopes":[{"name":"urn:nl.company:scope:testscope"}],"owner":"admin","_id":"98800456-37d5-4ebe-9a63-c007e7bdd70b"}"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 405 Method Not Allowed[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Allow: HEAD, DELETE, GET, OPTIONS[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Connection: keep-alive[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "X-Powered-By: Undertow/1[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Server: WildFly/10[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Wed, 28 Dec 2016 13:17:52 GMT[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]"
Is the endpoint correctly configured, or is there something else I'm doing incorrectly? From pulgupta at redhat.com Wed Dec 28 09:36:39 2016 From: pulgupta at redhat.com (Pulkit Gupta) Date: Wed, 28 Dec 2016 20:06:39 +0530 Subject: [keycloak-user] Flow supported by keycloak for openId connect and jboss Message-ID: Hi Team, I have a basic question which I searched through the documentation for but was not able to find. Can you please let me know which flow is supported by Keycloak for OpenID on the JBoss platform? I am exploring OpenID Connect as a way to secure my Java applications using Keycloak. These applications are hosted on JBoss. -- Thanks, Pulkit AMS From amaeztu at tesicnor.com Wed Dec 28 11:43:56 2016 From: amaeztu at tesicnor.com (Amaeztu) Date: Wed, 28 Dec 2016 17:43:56 +0100 Subject: [keycloak-user] Flow supported by keycloak for openId connect and jboss In-Reply-To: References: Message-ID: <3emgbpoa0tbq14h7kbq2u2kb.1482943436594@email.android.com> Hello, The Keycloak software fully passes the OpenID Connect certification. http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html?m=1 The flow to use in your application is up to you. Sent from my Sony Xperia phone ---- Pulkit Gupta wrote ---- >Hi Team, > >I have a basic question which I searched through the documentation but was >not able to find. >Can you please let me know which flow is supported by keycloak for OpenId >on jboss platform. > >I am exploring openID connect as a way to secure my Java applications using >keycloak. >These applications are hosted on jboss.
> >-- >Thanks, >Pulkit >AMS >_______________________________________________ >keycloak-user mailing list >keycloak-user at lists.jboss.org >https://lists.jboss.org/mailman/listinfo/keycloak-user From aikeaguinea at xsmail.com Wed Dec 28 11:58:37 2016 From: aikeaguinea at xsmail.com (Aikeaguinea) Date: Wed, 28 Dec 2016 11:58:37 -0500 Subject: [keycloak-user] Are there any clients(retail) are using keycloak as their sso solution in production? Message-ID: <1482944317.1199761.831413089.5EFC0D8F@webmail.messagingengine.com> We have also been having difficulty getting an evaluation version of RH-SSO without contacting sales. Not only is there not a "Start Evaluation" link next to Red Hat SSO, but if I log in with a Red Hat account and try the "Download Latest" option on the pulldown I get a "You do not have access to the requested software" response. This is particularly annoying because if you contact Red Hat sales they then refer you to a reseller, and you still can't get a download before interacting with the third party. Honestly, based on our interaction so far it's as if they don't want to sell the product. On Wed, Dec 21, 2016 at 10:09 AM, Raghu Laghuvaram wrote: Stian Thorgersen, Thanks for your response and information. You said we can evaluate RH-SSO, but when I go to https://access.redhat.com/downloads/ I don't see a "Start Evaluation" option for Red Hat Single Sign-On; am I looking in the wrong place? On Wed, Dec 21, 2016 at 12:55 AM, Stian Thorgersen wrote: > You can evaluate RH-SSO without contacting sales. It's available at > http://access.redhat.com/. Sales may be able to give you some customer > references if you ask them. > > FYI RH-SSO 7.0.0.GA is based on Keycloak 1.9.8.Final, while RH-SSO > 7.1.0.GA will be based on Keycloak 2.5.z.Final.
> > On 20 December 2016 at 19:16, Raghu Laghuvaram > wrote: > >> Josh Cain, >> Thanks for your response. If possible, would you be able to let us >> know if there are any clients (retail) using RH-SSO in production other than >> Red >> Hat? And coming to RH-SSO, I don't see an option for evaluating it; I think >> I need to contact sales even for that. I will talk to my leadership and >> proceed further. >> >> Thanks, >> Deep. >> >> On Tue, Dec 20, 2016 at 9:51 AM, Josh Cain wrote: >> >> > Hi Raghu, >> > >> > I can say that Red Hat (access.redhat.com, developers.redhat.com, etc.) >> > uses RH-SSO (the enterprise bits for Keycloak), and it has done very >> > well overall as a solution. >> > >> > If you're wanting to know more about enterprise level support, I'd >> > contact sales and strongly consider RH-SSO over Keycloak. >> > >> > -- >> > Josh Cain | Software Applications Engineer >> > Identity and Access Management >> > Red Hat >> > +1 256-452-0150 >> > >> > On Mon, 2016-12-19 at 15:17 -0500, Raghu Laghuvaram wrote: >> > > We are evaluating Keycloak as an SSO solution for our retail application >> > > and >> > > we would like to know if there are any clients using the Keycloak SSO >> > > solution >> > > in their production. It would give us a lot of confidence if we know >> > > that >> > > someone is already using it in their production.
>> > > >> > > >> > > Thanks, >> > > Deep >> > > _______________________________________________ >> > > keycloak-user mailing list >> > > keycloak-user at lists.jboss.org >> > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- http://www.fastmail.com - Does exactly what it says on the tin From marcelo.miura at gdcommunity.co.uk Wed Dec 28 14:59:48 2016 From: marcelo.miura at gdcommunity.co.uk (marcelo.miura) Date: Wed, 28 Dec 2016 17:59:48 -0200 Subject: [keycloak-user] Migrate data between realms by the startup command Message-ID: <8d49fb2b-0071-5b72-93c3-162e237a6523@gdcommunity.co.uk> Hi, Is there a way to import data from one realm to another by the startup command? I could do it with the admin console option, but it does not keep the user IDs and I would need that. I also tried using the option -Dkeycloak.migration.realmName for importing the data, but it did not work either. Thanks in advance. From ugur.kolip at gmail.com Thu Dec 29 01:57:22 2016 From: ugur.kolip at gmail.com (uğur kolip) Date: Thu, 29 Dec 2016 09:57:22 +0300 Subject: [keycloak-user] is resource owner username or userid Message-ID: Hi, I use Keycloak 2.4.0.Final with the Spring Boot adapter, and authz-client / authz-admin. When I set the owner, I set (getAccessToken().getPreferredUsername()) (my user name, admin). But when I try to get the resource owner ($evaluation.getPermission().getResource().getOwner()), it returns the user ID, not the username. Is it wrong, or do you do this on purpose? Is username unique? Why do we use username?
Thank you for helping From dan at ren.no Thu Dec 29 05:27:19 2016 From: dan at ren.no (Dan Østerberg) Date: Thu, 29 Dec 2016 10:27:19 +0000 Subject: [keycloak-user] Log out server sessions when using bearer authentication Message-ID: Hi, How can we make single sign out work when passing bearer tokens to a server guarded by a "traditional" session-based OAuth2 client / adapter? Let's say we use bearer authentication via the JavaScript adapter, and make REST requests to a stateless (no session) server. Let's further say that during some later request, a server session will be created, either intentionally to store state, or unintentionally e.g. by some shared code (since sessions are auto-created in Java EE). Now single sign out won't work, because Keycloak is neither aware of the server session nor of the OAuth2 client that has an admin URL. One solution could be to detect the creation of a session, and internally via an extended REST API tell the Keycloak server to create a session also for the client with the admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I'm just missing or misunderstanding something... ~Dan From ugur.kolip at gmail.com Thu Dec 29 09:00:38 2016 From: ugur.kolip at gmail.com (uğur kolip) Date: Thu, 29 Dec 2016 17:00:38 +0300 Subject: [keycloak-user] what is resource owner with spring boot adapter ? Message-ID: Hi, I am using the Spring Boot adapter. Is the owner of a resource just an attribute like the others (name, type) to use? The resource owner filters all requests if the request's owner is not the same. I expect it not to filter. When I make a request to the server with the admin user, resources whose owner is not admin are not shown. I tried to add some logic to the JS policy, but the JS policy does not work because it does not even reach that level. What should I do if a group of users uses the same resource?
I think that the photoz example works differently (both admin and owner can access the album). Should I do something to not filter those who are not the owner? Thank you for helping From pulgupta at redhat.com Thu Dec 29 09:11:01 2016 From: pulgupta at redhat.com (Pulkit Gupta) Date: Thu, 29 Dec 2016 19:41:01 +0530 Subject: [keycloak-user] OpenId connect and saml application intercommunication Message-ID: Hi Team, I have a scenario where I have one application which is using the SAML adapter and another application which is using OpenID Connect. Both these applications are built using different technologies. The first one uses Java and is hosted on JBoss. The second one uses AngularJS. The point which I would like to check is: is it possible for these two applications to intercommunicate? For example, if I log in to the SAML-based application and then I switch to the OpenID Connect-based application, will it ask me to log in again, or will it get the token/assertion from the Keycloak server without asking me to enter my credentials again? -- Thanks, Pulkit AMS From david_delbecq at trimble.com Thu Dec 29 11:11:46 2016 From: david_delbecq at trimble.com (David Delbecq) Date: Thu, 29 Dec 2016 16:11:46 +0000 Subject: [keycloak-user] Setting up webapplication to accept both bearer and openid redirect login Message-ID: I have a WildFly application where I need this behaviour: 1) If the user provides a token during a request and tries to access a secure area, use it (typically SOAP and REST requests) 2) If the user has no credentials to show, issue an interactive web login So far I managed to get either 1) or 2) on the application, depending on using the bearer-only access type or not. But I can't seem to find out how to have both behaviours. Below is a JSON export of my current realm config.
I am currently doing this in WildFly (subsystem configuration as posted; the XML element tags were lost in the archive):

Shipping ${authURL} true EXTERNAL shipping-soap true

using this code to get a token from the WS client:

Keycloak keycloak = Keycloak.getInstance(System.getProperty("keycloak.url"), "Shipping", username, password, "shipping-soap");
// The HTTP Authorization scheme is the word "Bearer" followed by a single space and the
// token (RFC 6750). The posted code used "Bearer: " with a colon, which adapters that
// split the header on the space do not recognise as the Bearer scheme.
customHeaders.put("Authorization", Arrays.asList("Bearer " + keycloak.tokenManager().getAccessTokenString()));

but when I issue the WS request, I get a redirect to Keycloak (see below). I suspect I misunderstood some parts of the Keycloak configuration and its behaviour, but I am not sure what I did wrong. Can somebody explain to me how to integrate both web service and web pages with a single client id?

POST /shipping/service/1.0/shipping HTTP/1.1
Content-Type: text/xml; charset=UTF-8
Accept: */*
Authorization: Bearer: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZNjlCMm1aT2NuX0tnMTVEVC03MU5tUTNVN3NhdG1BLTJsc3BCM2VNRFNRIn0.[...].d_mRQaUIrxW0poRS3cxZt37IWoRusLKq5OG9_zSd5YAjzQS1sRZgHEvK7yF1aQy_kqebrN4xT67QVYCwqMZzsjIYC0_QBGm6vddCgFXuPLADjVXZJ5UHwHig7aoLRWB511AvpFwCQQuTkYaWD7neGKh4TWOqAkMqTvhzUZPD1GrxyzdBTqCQEKlWgkvBUousKoYd6x4Ua6ofbFgYi5H-1GlSXCHVyqXv3zlDwujhtiZWoAWdoKgEDkQ_dV4SZFZFigGwwYwqKViXm0HIQMOT9QwkN_Yjrhc5eeOgeOKr_YxQ_GkIjPuD4-5C-oM4tp8ikMC-kqsPmaXstlZTM3z5kA
SOAPAction: ""
User-Agent: Apache CXF 3.0.5
Cache-Control: no-cache
Pragma: no-cache
Host: localhost:18080
Connection: keep-alive
Content-Length: 1784

(SOAP request body as captured; the XML element tags were stripped by the archive)
shipmentidfull-truckloadnonebox-dry-vanstandardbreak-bulkshipment nameconsignoridconsignor name
street11city1zipcode1area1AE
12name1company1phone11970-01-01T01:00:01+01:001970-01-01T01:00:02+01:00
consigneeidconsignee name
street33city3zipcode3area3AG
34name3company3phone31970-01-01T01:00:03+01:001970-01-01T01:00:04+01:00
box1100.01000.010.0645testrefsome descriptiontype.goods1000
HTTP/1.1 302 Found
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
X-Powered-By: Undertow/1
Set-Cookie: JSESSIONID=9XhPxotKq3r_uuhaVAya8iavBVSyqQ9Ibf1h2Emu.ddelbecq-precision; path=/shipping
Set-Cookie: OAuth_Token_Request_State=916/8084d5f9-fd05-4267-9d72-026acf016857; HttpOnly
Server: WildFly/9
Pragma: no-cache
Location: http://localhost:13080/auth/realms/Shipping/protocol/openid-connect/auth?response_type=code&client_id=shipping-soap&redirect_uri=http%3A%2F%2Flocalhost%3A18080%2Fshipping%2Fservice%2F1.0%2Fshipping&state=916%2F8084d5f9-fd05-4267-9d72-026acf016857&login=true&scope=openid
Date: Thu, 29 Dec 2016 15:43:16 GMT
Connection: keep-alive
Content-Length: 0

{
  "id" : "c3558938-fa2a-43c6-8de0-17d6ebbe9750",
  "clientId" : "shipping-soap",
  "description" : "Workbench, Adminbench and Administration",
  "rootUrl" : "http://localhost:8080/",
  "adminUrl" : "/shipping",
  "baseUrl" : "/shipping",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "secret" : "b556a2b8-bb1d-478e-97a0-14105556427f",
  "defaultRoles" : [ "authenticated", "ROLE_authenticated" ],
  "redirectUris" : [ "http://localhost:8080/shipping/*" ],
  "webOrigins" : [ ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : true,
  "serviceAccountsEnabled" : false,
  "publicClient" : true,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : { "saml.assertion.signature" : "false", "saml.force.post.binding" : "false", "saml.multivalued.roles" : "false", "saml.encrypt" : "false", "saml_force_name_id_format" : "false", "saml.client.signature" : "false", "saml.authnstatement" : "false", "saml.server.signature" : "false" },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [
    { "id" : "b2eb4fed-68e3-4064-b0a8-f5926696a99f", "name" : "username", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-property-mapper", "consentRequired" : true, "consentText" : "${username}", "config" : { "userinfo.token.claim" : "true", "user.attribute" : "username", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "preferred_username", "jsonType.label" : "String" } },
    { "id" : "1b943ce9-b67b-4ce5-a5d8-3d795900555b", "name" : "locale", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-attribute-mapper", "consentRequired" : false, "consentText" : "${locale}", "config" : { "userinfo.token.claim" : "true", "user.attribute" : "locale", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "locale", "jsonType.label" : "String" } },
    { "id" : "f14bc53c-1d7b-480d-b2da-72b1e47e7f1e", "name" : "email", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-property-mapper", "consentRequired" : true, "consentText" : "${email}", "config" : { "userinfo.token.claim" : "true", "user.attribute" : "email", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "email", "jsonType.label" : "String" } },
    { "id" : "5429c06f-8b9b-4b33-bbb3-015117922910", "name" : "role list", "protocol" : "saml", "protocolMapper" : "saml-role-list-mapper", "consentRequired" : false, "config" : { "single" : "false", "attribute.nameformat" : "Basic", "attribute.name" : "Role" } },
    { "id" : "95315e0e-1136-4e06-9f04-8ccbb29d2c70", "name" : "family name", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-property-mapper", "consentRequired" : true, "consentText" : "${familyName}", "config" : { "userinfo.token.claim" : "true", "user.attribute" : "lastName", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "family_name", "jsonType.label" : "String" } },
    { "id" : "a371b53c-5543-4188-a16f-005db9a73d7a", "name" : "full name", "protocol" : "openid-connect", "protocolMapper" : "oidc-full-name-mapper", "consentRequired" : true, "consentText" : "${fullName}", "config" : { "id.token.claim" : "true", "access.token.claim" : "true" } },
    { "id" : "e3ca3001-3f19-4654-b84c-7a352306cad1", "name" : "given name", "protocol" : "openid-connect", "protocolMapper" : "oidc-usermodel-property-mapper", "consentRequired" : true, "consentText" : "${givenName}", "config" : { "userinfo.token.claim" : "true", "user.attribute" : "firstName", "id.token.claim" : "true", "access.token.claim" : "true", "claim.name" : "given_name", "jsonType.label" : "String" } }
  ],
  "useTemplateConfig" : false,
  "useTemplateScope" : false,
  "useTemplateMappers" : false
}

--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com

From gomes at memsql.com Thu Dec 29 15:01:54 2016
From: gomes at memsql.com (David Gomes)
Date: Thu, 29 Dec 2016 12:01:54 -0800
Subject: [keycloak-user] Running into an issue with login.ftl in a custom-made theme
Message-ID:

Good day,

I am writing my own Keycloak theme and I am using the Sunrise example theme as a starting point. It seems, however, that when I create a sunrise/login/login.ftl file, such as the one in the base theme, this file doesn't actually get used for rendering the login form.

I tried to edit the base theme instead and edit its login/login.ftl. It seems that editing this file has no effect at all. I wrote this in the file and the login page for the base theme remained exactly the same:

<#import "template.ftl" as layout>
<@layout.registrationLayout displayInfo=social.displayInfo; section>

Editing CSS, template.ftl and other things works, but editing theme/login/login.ftl has no effect at all.
The relevant settings for my Realm are the following:

"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"requiredCredentials": [ "password" ]

In the Keycloak administration console, editing the current theme works perfectly fine as well, but I am not able to edit the actual login form in any of the example themes. I tried other files such as register.ftl, and editing this one works perfectly fine.

David Gomes
MemSQL

From 321j.con at gmail.com Thu Dec 29 15:22:37 2016
From: 321j.con at gmail.com (Jordan Conner)
Date: Thu, 29 Dec 2016 15:22:37 -0500
Subject: [keycloak-user] Testing secured EJB with Arquillian (using Keycloak adapter as SecurityDomain)
Message-ID:

Hello,

I am getting EJBAccessException (method invocation is not allowed) when using Arquillian to test secured EJBs. I expect to get this exception because I have not logged in at all. My project works great outside of the test suite when redirecting to my Keycloak server and then serving up my web application's protected resource. Before securing my EJBs, Arquillian was working fine.

I've looked all over and the only example that comes remotely close is this link... https://samaxes.com/2014/11/test-javaee-security-with-arquillian/

In it the author uses @RunAs. I would also like to use this annotation. I have set up my project exactly like the author's, however I still cannot access my secured EJB. The author's project does not use @SecurityDomain("keycloak") and I'm having a hard time finding any examples that do. Can my test suite use @RunAs when configured with the keycloak-wildfly-adapter?

The only other option I can think of (and would rather not go this route) is writing a custom module (because I don't see how to do it via the adapter) to obtain an access token with the Resource Owner Password Grant. But then I do not see any examples of how to use keycloak-wildfly-adapter and programmatically log in with a raw access token, so is this even possible?
Thanks for your time,
Jordan

From adam.michalski at aol.com Fri Dec 30 05:13:47 2016
From: adam.michalski at aol.com (adam.michalski at aol.com)
Date: Fri, 30 Dec 2016 05:13:47 -0500
Subject: [keycloak-user] Create access to secured data for user
Message-ID: <1594f389b78-3070-29883@webprd-a54.mail.aol.com>

Hi. My name is Adam and I am new to Keycloak. I want to create a link/access point where the user doesn't input his password or send his secret, in an Angular 2 application + REST client secured by Keycloak. This access is for a specified part of the data, and is temporary, not single access. What possibilities does Keycloak give to resolve this feature?

I think about generating a token in another application on the server and sending it to the user by email. This way I can use the client secret. How to generate a valid token accepted by Keycloak without a connection to it? But is this a good approach? If it is, what can I use to create this in the best way? Can I send a request to Keycloak for this kind of token for a specified client for the requested user?

Adam Michalski

From avinash at avinash.com.np Fri Dec 30 11:03:53 2016
From: avinash at avinash.com.np (Avinash Kundaliya)
Date: Fri, 30 Dec 2016 21:48:53 +0545
Subject: [keycloak-user] Fwd: regarding custom attributes and mapping resources to users
In-Reply-To: <096db3e6-5cff-4c5c-b018-53666cd6ec80@getmailbird.com>
References: <096db3e6-5cff-4c5c-b018-53666cd6ec80@getmailbird.com>
Message-ID:

Just thinking about the following scenario: is it anyhow possible for a user to change his custom attributes without extending the Account Management Page theme? Maybe via the API? I hope not, but want to confirm, as I couldn't find where the custom attributes were defined in the Keycloak source.

Regards,
Avinash

On 12/22/16 17:18, Pedro Igor wrote:
> *Pedro Igor:* Hello, answers inline.
>
>> On 12/22/2016 7:21:13 AM, Avinash Kundaliya wrote:
>>
>> Hi,
>> since I got no response to my previous email and I can see some action
>> happening in the mailing list, I will try to forward my question and
>> explain it again.
>>
>> * Can a user update their own custom attributes? I want to use custom
>> attributes to store data that would help in creating policies for
>> their permissions. From what I could understand from previous
>> discussions, it looks like users cannot, but it's not confirmed or
>> mentioned anywhere.
> *Pedro Igor:* In general, only admins via the Administrator Console. There
> is an Account Management Page intended for user self-service; you can
> probably extend themes and provide the attributes you want to update
> there.
>
> See https://github.com/keycloak/keycloak/tree/master/examples/themes.
>>
>> * Related to the question above, is there a defined structure/pattern
>> to define resource ownership in Keycloak, e.g. user-id *"xx"* is a
>> manager of resource-id *"yy"*, user-id "*aa*" is a viewer of
>> resource-id "*bb*" and so on and so forth.
> *Pedro Igor:* Resources always have an owner. This is different from
> the role of a user for a particular resource. By default, resources
> belong to the resource server itself. But when creating new resources
> via the Protection API you can set the owner to be a user.
>>
>> From my question last time, what are the best practices to map
>> roles to specific resources? For example, if I have a role called
>> shop_owner, how do I map a user with that role to a specific shop
>> (for example)? Is this something that Keycloak has defined
>> structures for? How can I achieve such a structure with Keycloak
>> and with/without using the Keycloak authorization/resource services?
> *Pedro Igor:* If the user is the owner of a shop, you probably want to
> create the resource setting the user as the owner. After that, you
> need to associate permissions to your resources.
>
> For instance, you can use a JS Policy to grant access to the resource
> based on the owner of a resource. As well, associate other permissions
> based on other types of policies.
>
> If you want an example of how to enforce permissions to a resource
> based on the owner, you can check the Photoz example application.
> There we demonstrate how to use Drools for that. But you can also use
> a JS policy.
>>
>> Some help or push in the right direction would be helpful.
>>
>> Regards,
>> Avinash
>>
>>
>> -------- Forwarded Message --------
>> Subject: regarding custom attributes and mapping resources to users
>> Date: Tue, 20 Dec 2016 16:14:03 +0545
>> From: Avinash Kundaliya
>> To: keycloak-user at lists.jboss.org
>>
>>
>>
>> Hello Community,
>>
>> I am fairly new to using Keycloak and still getting immersed into the
>> authentication and authorization jargon. I have some basic queries that
>> I am curious about.
>>
>> * Regarding the custom attributes for each user
>> (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/users/attributes.html).
>>
>> Is this something that a user can edit for themselves, or is it
>> something for an administrator to manage custom content for the
>> user? Basically, as an administrator can I put information that
>> should be hidden from the user as a custom attribute?
>> * My second question is more about the architecture of applications with
>> authentication and authorization. What are the best practices to map
>> roles to specific resources? For example, if I have a role called
>> shop_owner, how do I map a user with that role to a specific shop
>> (for example)? Is this something that Keycloak has defined
>> structures for? How can I achieve such a structure with Keycloak
>> and with/without using the Keycloak authorization/resource services?
>>
>> Looking forward to some constructive discussions and some answers to the
>> basic issues I have.
>>
>> Regards,
>> Avinash
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From cpitman at redhat.com Fri Dec 30 16:43:35 2016
From: cpitman at redhat.com (Chris Pitman)
Date: Fri, 30 Dec 2016 16:43:35 -0500
Subject: [keycloak-user] OpenId connect and saml application intercommunication
In-Reply-To:
References:
Message-ID:

Your user will not need to log in again (assuming their session with the Keycloak server is still valid). Your two client applications are not "communicating" with each other; they are both redirecting your user to Keycloak, which knows if the user is already logged in and asks for credentials if they are not.

On Thu, Dec 29, 2016 at 9:11 AM, Pulkit Gupta wrote:
> Hi Team,
>
> I have a scenario where I have one application which is using SAML adapter
> and another application which is using openid connect. Both these
> applications are built using different technologies. The first one uses
> Java and is hosted on Jboss. The second one uses angular js.
>
> The point which I would like to check is :
> Is it possible for these two application to
> intercommunicate. For Example if I login in SAML based application and then
> I switch to openID connect based application will it ask for me to login
> again or it will get the token/assertion from the keycloak server without
> asking me to enter my credentials again.
>
> --
> Thanks,
> Pulkit
> AMS
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
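Two messages in this digest converge on the same point: Pedro Igor's reply to Avinash says a JS policy can grant access based on the owner of a resource (with the Photoz example also letting an admin through), and uğur kolip asks how both an admin and the owner can reach a resource. The block below is an added example, not code from the thread or from the Keycloak project. The policy function uses the evaluation object that Keycloak binds as `$evaluation` in JavaScript policies (`getPermission().getResource().getOwner()`, `getContext().getIdentity().getId()`, `hasRealmRole()`, `grant()`, `deny()`); the `makeEvaluation` stub, the sample user ids and the realm role name `admin` are constructed assumptions so the decision logic can be exercised with Node.js outside the server.

```javascript
// Owner-or-admin policy for Keycloak Authorization Services (added example).
// The body of ownerOrAdminPolicy is what would be pasted into a JavaScript
// policy in the admin console, where Keycloak supplies `$evaluation`.
// Everything below it is a constructed stand-in for offline testing.

function ownerOrAdminPolicy($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();
  var identity = $evaluation.getContext().getIdentity();

  // Resources created through the Protection API may carry a user as owner;
  // by default the owner is the resource server itself (Pedro's reply above),
  // so an owner check alone never matches a resource-server-owned resource.
  // String() makes the comparison behave the same for Nashorn's Java strings
  // and for plain JS strings in this harness.
  if (String(resource.getOwner()) === String(identity.getId())) {
    $evaluation.grant();
    return;
  }

  // Realm role name "admin" is an assumption for this example.
  if (identity.hasRealmRole('admin')) {
    $evaluation.grant();
    return;
  }

  $evaluation.deny();
}

// --- constructed harness: emulates only the parts of $evaluation the policy touches ---

function makeEvaluation(resourceOwnerId, userId, realmRoles) {
  var decision = null;
  return {
    getPermission: function () {
      return {
        getResource: function () {
          return { getOwner: function () { return resourceOwnerId; } };
        }
      };
    },
    getContext: function () {
      return {
        getIdentity: function () {
          return {
            getId: function () { return userId; },
            hasRealmRole: function (role) { return realmRoles.indexOf(role) !== -1; }
          };
        }
      };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// evaluate() runs the policy against a constructed scenario and returns 'GRANT' or 'DENY'.
function evaluate(resourceOwnerId, userId, realmRoles) {
  var ev = makeEvaluation(resourceOwnerId, userId, realmRoles || []);
  ownerOrAdminPolicy(ev);
  return ev.result();
}

// Constructed scenarios (ids are made-up): the album owner, an unrelated user,
// an unrelated user holding the admin realm role, and a resource still owned
// by the resource server itself.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluate('user-1', 'user-1'));                       // GRANT
  console.log(evaluate('user-1', 'user-2'));                       // DENY
  console.log(evaluate('user-1', 'user-2', ['admin']));            // GRANT
  console.log(evaluate('resource-server-id', 'user-2', ['viewer'])); // DENY
}
```

The last scenario is the one uğur kolip's symptom points at: a resource whose owner was never set to a user is owned by the resource server, so an owner-based policy denies everyone except holders of the admin role, and the fix is to create the resource with the user as owner (as Pedro suggests) rather than to loosen the policy.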