From bburke at redhat.com Mon Feb 1 00:24:10 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 1 Feb 2016 00:24:10 -0500
Subject: [keycloak-user] Is it possible to use Keycloak just as a library?
In-Reply-To:
References:
Message-ID: <56AEEBFA.1040805@redhat.com>

We do have a SAML client adapter which can be used as a library... But no, sorry, the keycloak IDP is a server. What do you want to use "as a library"? Which features?

On 1/31/2016 9:57 PM, Renann Prado wrote:
> Hello
>
> At least for now, I would like to use Keycloak as a library so I don't
> have to configure a "Keycloak server".
> Is it possible?
>
> Renann Prado
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/7e8c614c/attachment.html

From hr.stoyanov at peruncs.com Mon Feb 1 01:47:24 2016
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Mon, 1 Feb 2016 06:47:24 +0000
Subject: [keycloak-user] KC1.8 failing realm merge/upgrade ?
Message-ID:

Hi all,
I am trying to install KC1.8.Final over a previous KC1.7 installation backed by Postgres. I use template files to bootstrap my realm:

36 -rw-r--r-- 1 root root 36806 Feb 1 05:50 FinancialApps-realm.json
40 -rw-r--r-- 1 root root 39545 Feb 1 05:50 master-realm.json
 4 -rw-r--r-- 1 root root   709 Feb 1 05:50 master-users-0.json
 4 -rw-r--r-- 1 root root    77 Feb 1 05:50 version.json

and I use the import facility:

-Dkeycloak.migration.action=import \
-Dkeycloak.migration.provider=dir \
-Dkeycloak.migration.dir={{wildfly_home}}/keycloak \
-Dkeycloak.migration.strategy=IGNORE_EXISTING

Below is the exception I get.
I understand that I can wipe out my Postgres database and have a clean import, but I thought the import was careful enough to check for duplicate keys???

=================================================================
Caused by: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
    at com.sun.proxy.$Proxy83.flush(Unknown Source)
    at org.keycloak.models.jpa.JpaUserProvider.addUser(JpaUserProvider.java:61)
    at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.addUser(DefaultCacheUserProvider.java:267)
    at org.keycloak.models.utils.RepresentationToModel.createUser(RepresentationToModel.java:1168)
    at org.keycloak.exportimport.util.ImportUtils.importUsers(ImportUtils.java:191)
    at org.keycloak.exportimport.util.ImportUtils.importUsersFromStream(ImportUtils.java:175)
    at org.keycloak.exportimport.dir.DirImportProvider$4.runExportImportTask(DirImportProvider.java:121)
    at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:18)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:267)
    at org.keycloak.exportimport.dir.DirImportProvider.importRealm(DirImportProvider.java:117)
    at org.keycloak.exportimport.dir.DirImportProvider.importModel(DirImportProvider.java:55)
    at org.keycloak.exportimport.ExportImportManager.runImport(ExportImportManager.java:69)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:107)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303)
    at sun.reflect.GeneratedMethodAccessor300.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
    ... 37 more
Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement
    at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112)
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207)
    at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45)
    at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2886)
    at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3386)
    at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
    at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
    at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
    at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
    at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300)
    ... 41 more
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "uk_ru8tt6t700s9v50bu18ws5ha6"
  Detail: Key (realm_id, username)=(master, admin) already exists.
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2182)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1911)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:173)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:645)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:495)
    at org.postgresql.jdbc2.AbstractJdbc2Statement.executeUpdate(AbstractJdbc2Statement.java:441)
    at sun.reflect.GeneratedMethodAccessor295.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.postgresql.ds.jdbc23.AbstractJdbc23PooledConnection$StatementHandler.invoke(AbstractJdbc23PooledConnection.java:453)
    at com.sun.proxy.$Proxy84.executeUpdate(Unknown Source)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/f261d931/attachment.html

From mposolda at redhat.com Mon Feb 1 02:55:11 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Feb 2016 08:55:11 +0100
Subject: [keycloak-user] KC1.8 failing realm merge/upgrade ?
In-Reply-To:
References:
Message-ID: <56AF0F5F.6070600@redhat.com>

Hi,

could you please create JIRA?
Until it's fixed, I suggest backing up your DB and instead using strategy OVERWRITE_EXISTING (or just removing the strategy property, as OVERWRITE_EXISTING is the default)

Marek

On 01/02/16 07:47, Hristo Stoyanov wrote:
> Hi all,
> I am trying to install KC1.8.Final over a previous KC1.7 installation
> backed by Postgres. I use template files to bootstrap my realm:
>
> 36 -rw-r--r-- 1 root root 36806 Feb 1 05:50 FinancialApps-realm.json
> 40 -rw-r--r-- 1 root root 39545 Feb 1 05:50 master-realm.json
> 4 -rw-r--r-- 1 root root 709 Feb 1 05:50 master-users-0.json
> 4 -rw-r--r-- 1 root root 77 Feb 1 05:50 version.json
>
> and I use the import facility:
>
> -Dkeycloak.migration.action=import \
> -Dkeycloak.migration.provider=dir \
> -Dkeycloak.migration.dir={{wildfly_home}}/keycloak \
> -Dkeycloak.migration.strategy=IGNORE_EXISTING
>
> Below is the exception I get. I understand that I can wipe out my
> Postgres database and have a clean import, but I thought the import
> was careful enough to check for duplicate keys???
> =================================================================
> Caused by: org.keycloak.models.ModelDuplicateException:
> javax.persistence.PersistenceException:
> org.hibernate.exception.ConstraintViolationException: could not
> execute statement
> [...]
> Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key
> value violates unique constraint "uk_ru8tt6t700s9v50bu18ws5ha6"
> Detail: Key (realm_id, username)=(master, admin) already exists.
> [...]
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/213bcdb6/attachment-0001.html

From mposolda at redhat.com Mon Feb 1 03:00:46 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Feb 2016 09:00:46 +0100
Subject: [keycloak-user] Social login error message
In-Reply-To:
References:
Message-ID: <56AF10AE.7050006@redhat.com>

I suggest upgrading to 1.8 where this is fixed. Or you can work around it in 1.7 by editing the file
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
and adding the line:

into the dependencies section. Same for the module
$KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml

Marek

On 29/01/16 23:49, Martin Min wrote:
> Hello, I am configuring the social login with google, twitter and
> github. Everything else works fine until this point, namely, after
> it's authorized, at the "update account information" page, after I
> fill out the fields on this page, clicked the "submitted" and I
> received this error message.
>
> What could cause this? I followed the instruction carefully, but not
> sure what caused this.
>
> Context Path:
> /auth
>
> Servlet Path:
>
> Path Info:
> /realms/myproject/login-actions/first-broker-login
>
> Query String:
> code=Rp6yjxlbY0_IIjk8_-IpyOy_x8m_hC0d8zz4t-hp7vI.9ea99589-bf8d-4a13-930a-c58661dfb925
>
> Stack Trace
> java.lang.RuntimeException: request path:
> /auth/realms/myproject/login-actions/first-broker-login
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> java.lang.Thread.run(Thread.java:745)
>
> Caused by: org.jboss.resteasy.spi.UnhandledException:
> java.lang.NoClassDefFoundError:
> org/keycloak/broker/provider/BrokeredIdentityContext
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/7b0239cc/attachment.html

From mposolda at redhat.com Mon Feb 1 03:04:39 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 1 Feb 2016 09:04:39 +0100
Subject: [keycloak-user] Google social login in
In-Reply-To:
References:
Message-ID: <56AF1197.6060601@redhat.com>

By default, keycloak uses the H2 database with data stored on the filesystem inside the $KEYCLOAK_HOME/standalone/data directory. You can switch to another database by configuring a datasource in standalone.xml or by switching to the Mongo model (see our documentation for more details). So unless you delete the $KEYCLOAK_HOME/standalone/data directory, the data should be persistent across restarts.

Marek

On 29/01/16 21:57, Martin Min wrote:
> After I restarted my KeyCloak server, all my realm and applications
> created are gone. Is that because the built-in database H2 doesn't
> persist the data on disk? How to keep the database after I restart the
> keycloak server?
>
> Thanks.
>
> On Fri, Jan 29, 2016 at 1:48 AM, Marko Strukelj
> wrote:
>
>     No, localhost should work fine.
>     It's not Google's servers, but your browser that connects to this url
>     after being redirected from Google. So as long as your browser can see
>     it it should work.
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/88483425/attachment.html

From bystrik.horvath at gmail.com Mon Feb 1 04:08:41 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Mon, 1 Feb 2016 10:08:41 +0100
Subject: [keycloak-user] KeycloakConfigResolver vs. unprotected resources
Message-ID:

Hello,

I have an application that is part of several realms. That's why I implemented the KeycloakConfigResolver and it works fine.
I observed that the KeycloakConfigResolver implementation gets called even when unprotected resources of the application are requested. Is there a (recommended) way to avoid it? Or am I doing something wrong?

Thank you for the answer.

Best regards,
Bystrik

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/dab1c726/attachment.html

From sthorger at redhat.com Mon Feb 1 05:23:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 1 Feb 2016 11:23:25 +0100
Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow?
In-Reply-To:
References:
Message-ID:

On 28 January 2016 at 08:41, Lohitha Chiranjeewa wrote:

> Thanks Fabricio, will check on how we can proceed with such an
> implementation.
>
> Since there is an already existing registration-email API, I thought it's
> consistent from Keycloak's perspective to expose a reset-password API as
> well...
>

Not sure what you refer to, but there are no APIs for these actions outside of the admin endpoints.

>
>
> Regards,
> Lohitha.
>
> On Thu, Jan 28, 2016 at 2:31 AM, Fabricio Milone <
> fabricio.milone at shinetech.com> wrote:
>
>> Hi Lohitha,
>>
>> I had the same requirements (Direct grant + forgotten password) and ended
>> up implementing a SPI using some piece of code made by Pedro Igor.
>>
>> An extract of the DEV Mailing list called: "Add custom REST paths? New
>> SPI?"
>>
>>> It is part of a work in progress around fine-grained authorization
>>> [1].
>>> The new SPI changes [2] specific to Keycloak are located in a specific
>>> branch [3] in my Keycloak fork.
>>>
>>> I need to discuss these changes with Bill and see what he thinks about
>>> it.
>>> Depending on his feedback, I can prepare a PR and send these changes to
>>> upstream.
>>>
>>> [1] https://github.com/pedroigor/keycloak-authz
>>> [2] https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54
>>> [3] https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified
>>
>> Not sure if Keycloak will ever adopt those changes as official or
>> something similar though.
>>
>> That's a good starting point.
>>
>> Regards
>>
>> On 27 January 2016 at 21:19, Stian Thorgersen
>> wrote:
>>
>>> There is in the admin endpoints, but nothing that's available to
>>> end-users.
>>>
>>> On 22 January 2016 at 06:45, Lohitha Chiranjeewa
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> There are a few clients of ours who use the Direct Grants API to
>>>> authenticate their users. A requirement has come up to provide the Reset
>>>> Password flow to those clients. From what I've checked and gathered,
>>>> there's no REST API to initiate this flow (sending the Keycloak password
>>>> reset email + resetting the password through the UI); the only way to do it is
>>>> through the browser.
>>>>
>>>> If it's actually there somewhere, can someone point me to it?
>>>>
>>>>
>>>> Regards,
>>>> Lohitha.
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>> --
>> Fabricio Milone
>> Developer
>>
>> Shine Consulting
>>
>> 30/600 Bourke Street
>>
>> Melbourne VIC 3000
>>
>> T: 03 8488 9939
>>
>> M: 04 3200 4006
>>
>>
>> www.shinetech.com  a passion for excellence
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/42795a4b/attachment-0001.html

From sthorger at redhat.com Mon Feb 1 05:32:23 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 1 Feb 2016 11:32:23 +0100
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
In-Reply-To:
References: <56AB7318.6050009@redhat.com>
Message-ID:

This could be related to https://issues.jboss.org/browse/KEYCLOAK-2327. It's already fixed in master, so if you can try it out that would be great. We should also have a 1.8.1.Final release this week with the fix in as well.

On 30 January 2016 at 05:16, Malmi Samarasinghe wrote:

> Hi Bill,
>
> We are using keycloak 1.7.0 and rdbms (mysql)
>
> Regards,
> Malmi Samarasinghe
> On Jan 29, 2016 7:41 PM, "Bill Burke" wrote:
>
>> Which version of keycloak? RDBMS or Mongo?
>>
>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>
>> Hi Everyone,
>>
>> In my application we create, retrieve and assign roles subsequently and it
>> seems that even for a small load (2-3 threads) with the realm cache enabled
>> option, the assign realm role call fails due to a role not exist error and 404 is
>> returned from keycloak.
>>
>> With the realm cache disabled option the load works fine.
>>
>> Please get back to me if you have any information on any other option we
>> can follow to get this issue sorted or on what action the realm cache will
>> be persisted to DB.
>>
>> Regards,
>> Malmi
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/acc04ae2/attachment.html

From sthorger at redhat.com Mon Feb 1 05:35:17 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 1 Feb 2016 11:35:17 +0100
Subject: [keycloak-user] KC1.8 failing realm merge/upgrade ?
In-Reply-To: <56AF0F5F.6070600@redhat.com>
References: <56AF0F5F.6070600@redhat.com>
Message-ID:

The import is really meant for a clean database. Or at least to import non-existing realms. Why are you doing an import during upgrade if you are not starting with a clean database?

On 1 February 2016 at 08:55, Marek Posolda wrote:

> Hi,
>
> could you please create JIRA? Until it's fixed, I suggest backing up your
> DB and instead using strategy OVERWRITE_EXISTING (or just removing the strategy
> property, as OVERWRITE_EXISTING is the default)
>
> Marek
>
>
> On 01/02/16 07:47, Hristo Stoyanov wrote:
>
> Hi all,
> I am trying to install KC1.8.Final over a previous KC1.7 installation
> backed by Postgres.
> I use template files to bootstrap my realm:
>
> 36 -rw-r--r-- 1 root root 36806 Feb 1 05:50 FinancialApps-realm.json
> 40 -rw-r--r-- 1 root root 39545 Feb 1 05:50 master-realm.json
> 4 -rw-r--r-- 1 root root 709 Feb 1 05:50 master-users-0.json
> 4 -rw-r--r-- 1 root root 77 Feb 1 05:50 version.json
>
> and I use the import facility:
>
> -Dkeycloak.migration.action=import \
> -Dkeycloak.migration.provider=dir \
> -Dkeycloak.migration.dir={{wildfly_home}}/keycloak \
> -Dkeycloak.migration.strategy=IGNORE_EXISTING
>
> Below is the exception I get. I understand that I can wipe out my
> Postgres database and have a clean import, but I thought the import was
> careful enough to check for duplicate keys???
> =================================================================
> Caused by: org.keycloak.models.ModelDuplicateException:
> javax.persistence.PersistenceException:
> org.hibernate.exception.ConstraintViolationException: could not execute
> statement
> [...]
> Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value
> violates unique constraint "uk_ru8tt6t700s9v50bu18ws5ha6"
> Detail: Key (realm_id, username)=(master, admin) already exists.
> [...]
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/d1fe8190/attachment-0001.html From prado.renann at gmail.com Mon Feb 1 06:02:44 2016 From: prado.renann at gmail.com (Renann Prado) Date: Mon, 1 Feb 2016 09:02:44 -0200 Subject: [keycloak-user] Is it possible to use Keycloak just as a library? In-Reply-To: <56AEEBFA.1040805@redhat.com> References: <56AEEBFA.1040805@redhat.com> Message-ID: I'd like to use oauth 2. On Feb 1, 2016 03:25, "Bill Burke" wrote: > We do have a SAML client adapter which can be used as a library...But no, > sorry, the keycloak IDP is a server. What do you want to use "as a > library" which features? > > On 1/31/2016 9:57 PM, Renann Prado wrote: > > Hello > > At least for now, I would like to use Keycloak as a library so I don't > have to configure a "Keycloak server". > Is it possible? > > Renann Prado > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/34295ea0/attachment.html From prabhalar at yahoo.com Mon Feb 1 07:37:10 2016 From: prabhalar at yahoo.com (Raghuram Prabhala) Date: Mon, 1 Feb 2016 12:37:10 +0000 (UTC) Subject: [keycloak-user] Realm Certificate from commercial Vendors In-Reply-To: <56A8D18B.7040306@redhat.com> References: <56A8D18B.7040306@redhat.com> Message-ID: <888753579.2668620.1454330230993.JavaMail.yahoo@mail.yahoo.com> Thanks Bill and Stian. Will look at the admin endpoints to handle the upload of certificates. 
Really surprised that this feature wasn't requested yet - created a jira kc2422 From: Bill Burke To: keycloak-user at lists.jboss.org Sent: Wednesday, January 27, 2016 9:17 AM Subject: Re: [keycloak-user] Realm Certificate from commercial Vendors You can upload client certs for saml clients, but I think we have a attribute size problem for large cert chains. On 1/27/2016 5:17 AM, Stian Thorgersen wrote: We don't support uploading the realm keys through the admin console at the moment. However, you should be able to use the admin endpoints to manually set it. Should be relatively easy to add though, so you can create a JIRA to request it, but you're actually the first to request it. With regards to clients we don't have an elegant way to deal with this. What we have is if the public key is not specified in the client config it will download it from Keycloak at startup, so if you restart your clients after creating new keys it should work. Ideally Keycloak should send a message to the clients to notify them that the keys have changed so they can re-fetch from Keycloak, but that hasn't been implemented yet. Again, feel free to request that. On 25 January 2016 at 11:50, Raghuram Prabhala wrote: Dev team - any comments on the commercial certificates instead of the ones created by Keycloak? Raghu From: Raghuram Prabhala To: Keycloak-user Sent: Thursday, January 21, 2016 2:23 PM Subject: Realm Certificate from commercial Vendors I have a question about the Certificate/private key which is generated today by Keycloak. But rather than use that certificate ,is there any way we can use a commercial Certificate from Vendors like Verisign? When that certificate expires, how do we generate/upload a new certificate (lifecycle) and handle the switch over to a new certificate with minimal impact to any of the client who will have to download the new certificate and use it when KC starts using the new one? 
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From Edgar at info.nl Mon Feb 1 07:46:55 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Mon, 1 Feb 2016 12:46:55 +0000 Subject: [keycloak-user] Back to application link is not shown on the success screen after a reset password action Message-ID:

Hi,

Considering the following scenario:
1/ Admin performs a "Reset Action" on the user from the admin console (Manage - Users - Credentials). In our case an "Update password" action and send the "Reset Actions Email".
2/ User receives the reset action email with a link back to Keycloak.
3/ User follows the link, sets his/her password.
4/ User is now shown a success screen stating "Your account has been updated." only. There is no link to the application or anything. The user is left on his/her own.

This happens because in AuthenticationManager#nextActionAfterAuthentication the "skipLink" attribute is set to true. This results in the info.ftl template not showing the "back to application" link.

I think in this case the link should be shown however. Otherwise the user has no idea where to go to next. In fact I think the "back to application" link should nearly always be shown. So for now we have simply removed the {{<#if skipLink??>}} check in the info.ftl in our custom email theme.
I do wonder why this "skipLink" functionality was built in the first place? Does it not make sense to remove it altogether maybe?

cheers

From sthorger at redhat.com Mon Feb 1 08:58:57 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 1 Feb 2016 14:58:57 +0100 Subject: [keycloak-user] Back to application link is not shown on the success screen after a reset password action In-Reply-To: References: Message-ID:

If you initiate the action through the admin console there's no application to go back to. Unless we add an option in the admin console to specify the client that is.

On 1 February 2016 at 13:46, Edgar Vonk - Info.nl wrote:
> Hi,
>
> Considering the following scenario:
> 1/ Admin performs a "Reset Action" on the user from the admin console
> (Manage - Users - Credentials). In our case an "Update password" action and
> send the "Reset Actions Email".
> 2/ User receives the reset action email with a link back to Keycloak.
> 3/ User follows the link, sets his/her password.
> 4/ User is now shown a success screen stating "Your account has been
> updated." only. There is no link to the application or anything. The user
> is left on his/her own.
>
> This happens because in
> AuthenticationManager#nextActionAfterAuthentication the "skipLink"
> attribute is set to true. This results in the info.ftl template not showing
> the "back to application" link.
>
> I think in this case the link should be shown however. Otherwise the user
> has no idea where to go to next. In fact I think the "back to application"
> link should nearly always be shown. So for now we have simply removed the
> {{<#if skipLink??>}} check in the info.ftl in our custom email theme. I do
> wonder why this "skipLink" functionality was built in the first place? Does
> it not make sense to remove it altogether maybe?
>
> cheers

From bburke at redhat.com Mon Feb 1 09:26:16 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 1 Feb 2016 09:26:16 -0500 Subject: [keycloak-user] KeycloakConfigResolver vs. unprotected resources In-Reply-To: References: Message-ID: <56AF6B08.90103@redhat.com>

Depends on the adapter. Some/most platforms, the authenticator gets executed irregardless.

On 2/1/2016 4:08 AM, Bystrik Horvath wrote:
> Hello,
>
> I have an application that is part of several realms. That's why I
> implemented the KeycloakConfigResolver and it works fine.
> I observed that the KeycloakConfigResolver implementation gets called
> even when unprotected resources of the application are requested. Is
> there a (recommended) way how to avoid it? Or do I do something wrong?
>
> Thank you for the answer.
>
> Best regards,
> Bystrik

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From Edgar at info.nl Mon Feb 1 10:01:22 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Mon, 1 Feb 2016 15:01:22 +0000 Subject: [keycloak-user] Back to application link is not shown on the success screen after a reset password action In-Reply-To: References: Message-ID: <19E1475B-2D35-4DDF-9B77-B49D7BD7BAFA@info.nl>

Ah yes, clear.
Adding the option to specify the client would be nice indeed. :-) For now we will simply "hard code" the link into our theme since we only use a single client in this context at this stage. I do realise that you really should not make the theme client-specific.

On 01 Feb 2016, at 14:58, Stian Thorgersen wrote:

If you initiate the action through the admin console there's no application to go back to. Unless we add an option in the admin console to specify the client that is.

On 1 February 2016 at 13:46, Edgar Vonk - Info.nl wrote:

Hi,

Considering the following scenario:
1/ Admin performs a "Reset Action" on the user from the admin console (Manage - Users - Credentials). In our case an "Update password" action and send the "Reset Actions Email".
2/ User receives the reset action email with a link back to Keycloak.
3/ User follows the link, sets his/her password.
4/ User is now shown a success screen stating "Your account has been updated." only. There is no link to the application or anything. The user is left on his/her own.

This happens because in AuthenticationManager#nextActionAfterAuthentication the "skipLink" attribute is set to true. This results in the info.ftl template not showing the "back to application" link.

I think in this case the link should be shown however. Otherwise the user has no idea where to go to next. In fact I think the "back to application" link should nearly always be shown. So for now we have simply removed the {{<#if skipLink??>}} check in the info.ftl in our custom email theme. I do wonder why this "skipLink" functionality was built in the first place? Does it not make sense to remove it altogether maybe?

cheers

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/4f7c1048/attachment.html From bystrik.horvath at gmail.com Mon Feb 1 10:06:45 2016 From: bystrik.horvath at gmail.com (Bystrik Horvath) Date: Mon, 1 Feb 2016 16:06:45 +0100 Subject: [keycloak-user] KeycloakConfigResolver vs. unprotected resources In-Reply-To: <56AF6B08.90103@redhat.com> References: <56AF6B08.90103@redhat.com> Message-ID: Hi Bill, thank you for response. I use Adapter deployed in Keycloak 1.7.0. So I need then somehow propagate the list of unprotected (or protected) resources to the KeycloakConfigResolver implementation by my own and return from resolve(...) method when unprotected URIs is accessed. Best regards, Bystrik On Mon, Feb 1, 2016 at 3:26 PM, Bill Burke wrote: > Depends on the adapter. Some/most platforms, the authenticator gets > executed irregardless. > > On 2/1/2016 4:08 AM, Bystrik Horvath wrote: > > Hello, > > I have an application that is part of several realms. That's why I > implemented the KeycloakConfigResolver and it works fine. > I observed that the KeycloakConfigResolver implementation gets called even > when unprotected resources of the application are requested. Is there a > (recommended) way how to avoid it? Or do I do something wrong? > > Thank you for the answer. > > Best regards, > Bystrik > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/ac592cbb/attachment.html From darkness.renann at gmail.com Mon Feb 1 10:07:53 2016 From: darkness.renann at gmail.com (Renann Prado) Date: Mon, 1 Feb 2016 13:07:53 -0200 Subject: [keycloak-user] Is it possible to use Keycloak just as a library? In-Reply-To: References: <56AEEBFA.1040805@redhat.com> Message-ID: Basically I have an application that I'll deploy in Wildfly, but I'd like to use OAuth2, just like it was with Resteasy Skeleton Key (or something like that). Renann Prado On Mon, Feb 1, 2016 at 9:02 AM, Renann Prado wrote: > I'd like to use oauth 2. > On Feb 1, 2016 03:25, "Bill Burke" wrote: > >> We do have a SAML client adapter which can be used as a library...But no, >> sorry, the keycloak IDP is a server. What do you want to use "as a >> library" which features? >> >> On 1/31/2016 9:57 PM, Renann Prado wrote: >> >> Hello >> >> At least for now, I would like to use Keycloak as a library so I don't >> have to configure a "Keycloak server". >> Is it possible? >> >> Renann Prado >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/9ab48944/attachment-0001.html From bburke at redhat.com Mon Feb 1 10:17:13 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 1 Feb 2016 10:17:13 -0500 Subject: [keycloak-user] Is it possible to use Keycloak just as a library? 
In-Reply-To: References: <56AEEBFA.1040805@redhat.com> Message-ID: <56AF76F9.2060702@redhat.com> We don't have that option in Keycloak. You can install the server overlay on an existing app server and run keycloak and your app in the same JVM. That's it. On 2/1/2016 10:07 AM, Renann Prado wrote: > Basically I have an application that I'll deploy in Wildfly, but I'd > like to use OAuth2, just like it was with Resteasy Skeleton Key (or > something like that). > > Renann Prado > > On Mon, Feb 1, 2016 at 9:02 AM, Renann Prado > wrote: > > I'd like to use oauth 2. > > On Feb 1, 2016 03:25, "Bill Burke" > wrote: > > We do have a SAML client adapter which can be used as a > library...But no, sorry, the keycloak IDP is a server. What > do you want to use "as a library" which features? > > On 1/31/2016 9:57 PM, Renann Prado wrote: >> Hello >> >> At least for now, I would like to use Keycloak as a library >> so I don't have to configure a "Keycloak server". >> Is it possible? >> >> Renann Prado >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/6b95c058/attachment.html From prado.renann at gmail.com Mon Feb 1 10:18:07 2016 From: prado.renann at gmail.com (Renann Prado) Date: Mon, 1 Feb 2016 13:18:07 -0200 Subject: [keycloak-user] Is it possible to use Keycloak just as a library? 
In-Reply-To: <56AF76F9.2060702@redhat.com> References: <56AEEBFA.1040805@redhat.com> <56AF76F9.2060702@redhat.com> Message-ID: Ok. Thanks! On Feb 1, 2016 13:17, "Bill Burke" wrote: > We don't have that option in Keycloak. You can install the server overlay > on an existing app server and run keycloak and your app in the same JVM. > That's it. > > On 2/1/2016 10:07 AM, Renann Prado wrote: > > Basically I have an application that I'll deploy in Wildfly, but I'd like > to use OAuth2, just like it was with Resteasy Skeleton Key (or something > like that). > > Renann Prado > > On Mon, Feb 1, 2016 at 9:02 AM, Renann Prado > wrote: > >> I'd like to use oauth 2. >> On Feb 1, 2016 03:25, "Bill Burke" wrote: >> >>> We do have a SAML client adapter which can be used as a library...But >>> no, sorry, the keycloak IDP is a server. What do you want to use "as a >>> library" which features? >>> >>> On 1/31/2016 9:57 PM, Renann Prado wrote: >>> >>> Hello >>> >>> At least for now, I would like to use Keycloak as a library so I don't >>> have to configure a "Keycloak server". >>> Is it possible? >>> >>> Renann Prado >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hathttp://bill.burkecentral.com >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/6fbcbc08/attachment.html

From pblair at clearme.com Mon Feb 1 11:15:41 2016 From: pblair at clearme.com (Paul Blair) Date: Mon, 1 Feb 2016 16:15:41 +0000 Subject: [keycloak-user] keycloak-server.json settings in 1.8.0.Final Message-ID:

I'm upgrading from 1.7.0.Final to 1.8.0.Final and when comparing my keycloak-server.json settings I see the following are not there in the newer version:

    "userSessions": {
        "provider" : "infinispan"
    },

    "realmCache": {
        "provider": "infinispan"
    },

    "userCache": {
        "provider": "infinispan"
    },

These may be configurations I added in 1.7.0, but I can't find a reference to them in the 1.8.0.Final reference guide. Are they now obsolete?

From pblair at clearme.com Mon Feb 1 11:19:01 2016 From: pblair at clearme.com (Paul Blair) Date: Mon, 1 Feb 2016 16:19:01 +0000 Subject: [keycloak-user] add-user-keycloak.sh in 1.8.0.Final Message-ID:

I'm noticing the 1.8.0.Final overlay contains a script named add-user-keycloak.sh but the reference guide only mentions add-user.sh. Should this script be used instead of add-user.sh?

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/64ea3ee1/attachment.html

From adrianmatei at gmail.com Mon Feb 1 11:25:34 2016 From: adrianmatei at gmail.com (Adrian Matei) Date: Mon, 1 Feb 2016 17:25:34 +0100 Subject: [keycloak-user] password forgotten - override UpdatePasswd required action (v 1.7.0) Message-ID:

Hi guys,

in the UpdatePassword class we need to modify the string values that come from formData so that they are not "password-new" but "passwordNew" (JS conform as we've built the GUI with AngularJS on top of Freemarker actions):
https://github.com/keycloak/keycloak/blob/de472dbd43dd2767afb3436835f77924a78e9f82/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java#L67

We've created our own CustomUpdatePassword (similar to the class above except the two lines and own id - UPDATE_PASSWORD_CUSTOM) and tried to hook it in our own custom ResetPassword class:

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (context.getExecution().isRequired() ||
                (context.getExecution().isOptional() && configuredFor(context))) {
            context.getClientSession().addRequiredAction(CustomUpdatePassword.UPDATE_PASSWORD_CUSTOM);
        }
        context.success();
    }

The custom classes are registered in META-INF services and everything, and we can add the custom reset password execution in the Reset Credentials workflow... The result is an NPE in AuthenticationManager by trying to get the providerId from the model:

    RequiredActionProviderModel model = realm.getRequiredActionProviderByAlias(action);
    RequiredActionFactory factory = (RequiredActionFactory) session.getKeycloakSessionFactory()
            .getProviderFactory(RequiredActionProvider.class, model.getProviderId());

I am tired and cannot look through anymore, so your advice is more than welcomed...

Thanks,
Adrian

-------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/6e306a09/attachment-0001.html

From RLewis at carbonite.com Mon Feb 1 11:27:11 2016 From: RLewis at carbonite.com (Reed Lewis) Date: Mon, 1 Feb 2016 16:27:11 +0000 Subject: [keycloak-user] Key cloak Direct Access Grants. How? Message-ID: <0E8BAB17-3699-45CB-8610-4A4DB73D82D3@carbonite.com>

I have Keycloak working very well now where it can validate users in its own database, against a legacy database in our company, and from Google and Microsoft. Right now I have been testing with this module for Apache:

https://github.com/pingidentity/mod_auth_openidc

And it works as it should. I can go to a webpage on my webserver, and the complete flow works well. The user is redirected to the login page, then it returns, and my webserver requests a token as it should. :)

What I plan on doing though is securing a mobile App. I cannot find a raw HTTP(s) example of how to make a direct access grant where Keycloak will ask the user for credentials, and directly return a JWT? Is this possible, or should I use the two step method (Keycloak with redirect => to URL in APP => makes request with code to get the tokens)?

Also, does anyone have good standalone python, node.js or even C code to validate a token? I see there are libraries, but I would like to use just openssl if possible.

Thank you,

Reed Lewis

From bburke at redhat.com Mon Feb 1 11:46:13 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 1 Feb 2016 11:46:13 -0500 Subject: [keycloak-user] Key cloak Direct Access Grants. How? In-Reply-To: <0E8BAB17-3699-45CB-8610-4A4DB73D82D3@carbonite.com> References: <0E8BAB17-3699-45CB-8610-4A4DB73D82D3@carbonite.com> Message-ID: <56AF8BD5.7050703@redhat.com>

Take a look at the admin-access-app example. So, mod-auth-openidc works with Keycloak?
Would you be interested in contributing a ClientInstaller that generates config for it? Similar to the mod-auth-mellon one? https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/saml/installation/ModAuthMellonClientInstallation.java Here's one that generates keycloak client adapter config for OIDC too: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/installation/KeycloakOIDCClientInstallation.java On 2/1/2016 11:27 AM, Reed Lewis wrote: > I have Keycloak working very well now where it can validate users in > its own database, against a legacy database in our company, and from > Google and Microsoft. Right now I have been testing with this module > for Apache: > > https://github.com/pingidentity/mod_auth_openidc > > And it works as it should. I can go to a webpage on my webserver, > and the complete flow works well. The user is redirected to the login > page, then it returns, and my webserver requests a token as it should. :) > > What I plan on doing though is securing a mobile App. I cannot find > a raw HTTP(s) example of how to make a direct access grant where > keycloak well ask the user for credentials, and directly return an > jwt? Is this possible, or should I use the two step method (keyclock > with redirect => to URL in APP => makes request with code to get the > tokens? > > Also, does anyone have good standalone python, node.js or even C code > to validate a token? I see there are libraries, but I would like to > use just openssl if possible. > > Thank you, > > Reed Lewis > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... 
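Picking up Reed's two questions above (a raw direct access grant, and checking the returned token with nothing but openssl), here is an added example. It is not code from this thread, from the admin-access-app example, or from the Keycloak project. It assumes the Keycloak 1.x URL layout (/auth/realms/{realm}/protocol/openid-connect/token), a client with "Direct Access Grants Enabled" switched on, and the realm's RSA public key exported from the admin console (Realm Settings > Keys) into a PEM file; the host, realm, client and user names are placeholders. The direct access grant is the OAuth2 resource owner password credentials grant: the app posts the user's credentials to the token endpoint itself, so Keycloak shows no login page and answers with the tokens as JSON. The jwt_sign_rs256 helper only stands in for the server so the verifier can be exercised offline; a client never holds the realm private key.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Keycloak project.
# Assumptions (placeholders, not verified against any deployment):
#   - Keycloak 1.x URL layout: /auth/realms/<realm>/protocol/openid-connect/token
#   - the client has "Direct Access Grants Enabled" switched on
#   - the realm's RSA public key was exported from the admin console
#     (Realm Settings > Keys) into a PEM file
# Only printf, sed, grep, mktemp and openssl are used, as the question asked.

# ---- request side: OAuth2 resource owner password credentials grant ----

# Token endpoint URL for a realm: token_endpoint <base-url> <realm>
token_endpoint() {
  printf '%s/auth/realms/%s/protocol/openid-connect/token' "$1" "$2"
}

# Form body for the direct access grant: direct_grant_body <client_id> <user> <pass>
# Real use (values containing & or = need --data-urlencode per field):
#   curl -s -X POST "$(token_endpoint https://sso.example.com demo)" \
#        -d "$(direct_grant_body mobile-app alice 's3cret')"
# The JSON reply carries access_token, refresh_token and id_token.
direct_grant_body() {
  printf 'grant_type=password&client_id=%s&username=%s&password=%s' "$1" "$2" "$3"
}

# ---- verification side: RS256 JWT check with openssl only ----

b64url_enc() { openssl base64 -A | sed -e 's/+/-/g' -e 's,/,_,g' -e 's/=//g'; }

b64url_dec() {
  s=$(sed -e 's/-/+/g' -e 's,_,/,g')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# jwt_payload <token>: decoded claims JSON, for exp/iss/aud/azp checks.
jwt_payload() {
  rest=${1#*.}
  printf '%s' "${rest%%.*}" | b64url_dec
}

# jwt_verify_rs256 <realm-public-key.pem> <token>: returns 0 only if the
# signature over header.payload verifies with the realm key. The header must
# declare RS256, so "alg":"none" and HS256 tokens are rejected before openssl
# is consulted (substring match; Keycloak emits compact headers).
# Expiry and issuer are NOT checked here; do that on jwt_payload output.
# Call it as: if jwt_verify_rs256 realm.pem "$token"; then ...; fi
jwt_verify_rs256() {
  pub=$1 tok=$2
  hdr=${tok%%.*}
  rest=${tok#*.}
  pay=${rest%%.*}
  sig=${rest#*.}
  printf '%s' "$hdr" | b64url_dec | grep -q '"alg":"RS256"' || return 1
  wd=$(mktemp -d) || return 1
  printf '%s.%s' "$hdr" "$pay" > "$wd/signed"
  printf '%s' "$sig" | b64url_dec > "$wd/sig"
  openssl dgst -sha256 -verify "$pub" -signature "$wd/sig" "$wd/signed" >/dev/null 2>&1
  rc=$?
  rm -rf "$wd"
  return $rc
}

# jwt_sign_rs256 <private-key.pem> <claims-json>: stands in for the Keycloak
# server so the verifier can be exercised offline. Only for producing a test
# token; a client never holds the realm private key.
jwt_sign_rs256() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_enc)
  pay=$(printf '%s' "$2" | b64url_enc)
  sig=$(printf '%s.%s' "$hdr" "$pay" | openssl dgst -sha256 -sign "$1" -binary | b64url_enc)
  printf '%s.%s.%s' "$hdr" "$pay" "$sig"
}
```

The signature check is only half the job: read jwt_payload output and reject tokens whose exp has passed or whose iss is not the realm URL you expect before trusting any claim. The exported realm key is also what the earlier thread on commercial certificates turns on: if the realm key pair is replaced, every copy of the exported public key has to be refreshed, and until then this check fails closed rather than accepting tokens it cannot verify.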
From kalc04 at gmail.com Mon Feb 1 13:00:28 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Mon, 1 Feb 2016 23:30:28 +0530
Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow?

Hi Stian,

I was referring to a potential API endpoint which actually sends out the password reset email (there's a similar API which sends out the registration email), not the existing one which just resets the password.

Regards,
Lohitha.

On Mon, Feb 1, 2016 at 3:53 PM, Stian Thorgersen wrote:

> On 28 January 2016 at 08:41, Lohitha Chiranjeewa wrote:
>
>> Thanks Fabricio, will check on how we can proceed with such an implementation.
>>
>> Since there is an already existing registration-email API, I thought it's consistent from Keycloak's perspective to expose a reset-password API as well...
>
> Not sure what you refer to, but there are no APIs for these actions outside of the admin endpoints.
>
>> Regards,
>> Lohitha.
>>
>> On Thu, Jan 28, 2016 at 2:31 AM, Fabricio Milone <fabricio.milone at shinetech.com> wrote:
>>
>>> Hi Lohitha,
>>>
>>> I had the same requirements (Direct grant + forgotten password) and ended up implementing a SPI using some piece of code made by Pedro Igor.
>>>
>>> An extract of the DEV Mailing list called: "Add custom REST paths? New SPI?"
>>>
>>>> It is part of a work in progress around fine-grained authorization [1].
>>>> The new SPI changes [2] specific to Keycloak are located in a specific branch [3] in my Keycloak fork.
>>>>
>>>> I need to discuss these changes with Bill and see what he thinks about it. Depending on his feedback, I can prepare a PR and send these changes to upstream.
>>>>
>>>> [1] https://github.com/pedroigor/keycloak-authz
>>>> [2] https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54
>>>> [3] https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified
>>>
>>> Not sure if Keycloak will ever adopt those changes as official or something similar though.
>>>
>>> That's a good starting point.
>>>
>>> Regards
>>>
>>> On 27 January 2016 at 21:19, Stian Thorgersen wrote:
>>>
>>>> There is in the admin endpoints, but nothing that's available to end-users.
>>>>
>>>> On 22 January 2016 at 06:45, Lohitha Chiranjeewa wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> There are a few clients of ours who use the Direct Grants API to authenticate their users. A requirement has come up to provide the Reset Password flow to those clients. From what I've checked and gathered, there's no REST API to initiate this flow (sending the Keycloak password reset email + resetting the password through the UI); the only way to do it is through the browser.
>>>>>
>>>>> If it's actually there somewhere, can someone point me to it?
>>>>>
>>>>> Regards,
>>>>> Lohitha.
>>>
>>> --
>>> Fabricio Milone
>>> Developer
>>>
>>> Shine Consulting
>>> 30/600 Bourke Street
>>> Melbourne VIC 3000
>>> T: 03 8488 9939
>>> M: 04 3200 4006
>>> www.shinetech.com  a passion for excellence

From hr.stoyanov at peruncs.com Mon Feb 1 15:34:54 2016
From: hr.stoyanov at peruncs.com (Hristo Stoyanov)
Date: Mon, 1 Feb 2016 20:34:54 +0000
Subject: [keycloak-user] KC1.8 failing realm merge/upgrade ?
References: <56AF0F5F.6070600@redhat.com>

Stian,
What you explained seems to contradict the documented purpose for the IGNORE_EXISTING import option.

/Hristo Stoyanov

On Feb 1, 2016 2:35 AM, "Stian Thorgersen" wrote:

> The import is really meant for a clean database. Or at least to import non-existing realms.
>
> Why are you doing an import during upgrade if you are not starting with a clean database?
>
> On 1 February 2016 at 08:55, Marek Posolda wrote:
>
>> Hi,
>>
>> could you please create a JIRA? Until it's fixed, I suggest backing up your DB and instead using strategy OVERWRITE_EXISTING (or just remove the strategy property, as OVERWRITE_EXISTING is the default)
>>
>> Marek
>>
>> On 01/02/16 07:47, Hristo Stoyanov wrote:
>>
>> Hi all,
>> I am trying to install KC1.8.Final over a previous KC1.7 installation backed by Postgres.
>> I use template files to bootstrap my realm:
>>
>> 36 -rw-r--r-- 1 root root 36806 Feb 1 05:50 FinancialApps-realm.json
>> 40 -rw-r--r-- 1 root root 39545 Feb 1 05:50 master-realm.json
>> 4 -rw-r--r-- 1 root root 709 Feb 1 05:50 master-users-0.json
>> 4 -rw-r--r-- 1 root root 77 Feb 1 05:50 version.json
>>
>> and I use the import facility:
>>
>> -Dkeycloak.migration.action=import \
>> -Dkeycloak.migration.provider=dir \
>> -Dkeycloak.migration.dir={{wildfly_home}}/keycloak \
>> -Dkeycloak.migration.strategy=IGNORE_EXISTING
>>
>> Below is the exception I get. I understand that I can wipe out my Postgres database and have a clean import, but I thought the import was careful enough to check for duplicate keys???
>> =================================================================
>> Caused by: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
>>     at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40)
>>     at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
>>     at com.sun.proxy.$Proxy83.flush(Unknown Source)
>>     at org.keycloak.models.jpa.JpaUserProvider.addUser(JpaUserProvider.java:61)
>>     at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.addUser(DefaultCacheUserProvider.java:267)
>>     at org.keycloak.models.utils.RepresentationToModel.createUser(RepresentationToModel.java:1168)
>>     at org.keycloak.exportimport.util.ImportUtils.importUsers(ImportUtils.java:191)
>>     at org.keycloak.exportimport.util.ImportUtils.importUsersFromStream(ImportUtils.java:175)
>>     at org.keycloak.exportimport.dir.DirImportProvider$4.runExportImportTask(DirImportProvider.java:121)
>>     at org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:18)
>>     at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:267)
>>     at org.keycloak.exportimport.dir.DirImportProvider.importRealm(DirImportProvider.java:117)
>>     at org.keycloak.exportimport.dir.DirImportProvider.importModel(DirImportProvider.java:55)
>>     at org.keycloak.exportimport.ExportImportManager.runImport(ExportImportManager.java:69)
>>     at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:107)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>>     ... 19 more
>> Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
>>     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
>>     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
>>     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
>>     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303)
>>     at sun.reflect.GeneratedMethodAccessor300.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:497)
>>     at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
>>     ... 37 more
>> Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement
>>     at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112)
>>     at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
>>     at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
>>     at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95)
>>     at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207)
>>     at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45)
>>     at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2886)
>>     at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3386)
>>     at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
>>     at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
>>     at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
>>     at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
>>     at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
>>     at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282)
>>     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300)
>>     ... 41 more
>> Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "uk_ru8tt6t700s9v50bu18ws5ha6"
>>   Detail: Key (realm_id, username)=(master, admin) already exists.
>>     at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2182)
>>     at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1911)
>>     at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:173)
>>     at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:645)
>>     at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:495)
>>     at org.postgresql.jdbc2.AbstractJdbc2Statement.executeUpdate(AbstractJdbc2Statement.java:441)
>>     at sun.reflect.GeneratedMethodAccessor295.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:497)
>>     at org.postgresql.ds.jdbc23.AbstractJdbc23PooledConnection$StatementHandler.invoke(AbstractJdbc23PooledConnection.java:453)
>>     at com.sun.proxy.$Proxy84.executeUpdate(Unknown Source)
>>     at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
>>     at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
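A pre-flight check for the duplicate-key failure discussed in this thread, added here as an example and not part of Keycloak or of any post above: it reads the dir-export files named in the thread (the realm and users JSON files) and reports which (realm_id, username) pairs would hit the unique constraint before an IGNORE_EXISTING import is attempted. The existing realms and users are constructed inline; against a real installation they would come from the target database.

```python
"""Pre-flight check for a Keycloak dir export before an IGNORE_EXISTING import.

Added example, not Keycloak's own code. It re-creates the rule the database
enforced in the thread above, UNIQUE (realm_id, username) on the user table,
and reports which users in the export directory would collide with users that
already exist. The existing realms and users are supplied by the caller; in
practice they come from the target database, e.g.
    SELECT realm_id, username FROM user_entity;
"""
import json
import os
import re
import sys
from typing import Dict, Iterable, List, Set, Tuple

# File naming used by the dir provider, as listed in the thread:
#   <realm>-realm.json      realm representation (may embed a "users" list)
#   <realm>-users-<n>.json  {"realm": "<realm>", "users": [ {...}, ... ]}
REALM_FILE = re.compile(r"^(?P<realm>.+)-realm\.json$")
USERS_FILE = re.compile(r"^(?P<realm>.+)-users-\d+\.json$")

UserKey = Tuple[str, str]  # (realm, username): the unique key that was violated


def load_export_dir(path: str) -> Dict[str, str]:
    """Read every *.json file of a keycloak.migration.dir into {file name: text}."""
    files: Dict[str, str] = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".json"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                files[name] = fh.read()
    return files


def parse_export(files: Dict[str, str]) -> Tuple[Set[str], Dict[UserKey, str]]:
    """Return (realm names in the export, {(realm, username): file that defines it})."""
    realms: Set[str] = set()
    users: Dict[UserKey, str] = {}
    for name, text in files.items():
        match = REALM_FILE.match(name) or USERS_FILE.match(name)
        if match is None:
            continue  # version.json and anything else carries no users
        doc = json.loads(text)
        realm = doc.get("realm") or match.group("realm")
        if REALM_FILE.match(name):
            realms.add(realm)
        for user in doc.get("users", []):
            username = user.get("username")
            if username:
                # Keycloak stores usernames lower-cased (assumed here), so compare that way.
                users[(realm, username.lower())] = name
    return realms, users


def check_import(files: Dict[str, str], existing_realms: Iterable[str],
                 existing_users: Iterable[UserKey]) -> Dict[str, object]:
    """Predict what IGNORE_EXISTING will do with this export against this database."""
    realms, users = parse_export(files)
    existing_realm_set = set(existing_realms)
    existing_user_set = {(r, u.lower()) for r, u in existing_users}
    collisions: List[Dict[str, str]] = [
        {"realm": r, "username": u, "file": f}
        for (r, u), f in sorted(users.items()) if (r, u) in existing_user_set
    ]
    return {
        "realms_skipped": sorted(realms & existing_realm_set),  # IGNORE_EXISTING leaves these alone
        "realms_created": sorted(realms - existing_realm_set),
        "user_collisions": collisions,  # each of these would raise the duplicate-key error
        "safe": not collisions,
    }


# Constructed sample mirroring the four file names from the thread (contents are made up).
SAMPLE_EXPORT: Dict[str, str] = {
    "FinancialApps-realm.json": json.dumps({"realm": "FinancialApps", "users": [{"username": "alice"}]}),
    "master-realm.json": json.dumps({"realm": "master"}),
    "master-users-0.json": json.dumps({"realm": "master", "users": [{"username": "Admin"}]}),
    "version.json": json.dumps({"version": "constructed"}),
}
# What the target database already holds (constructed; query user_entity for the real set).
EXISTING_REALMS = {"master"}
EXISTING_USERS = {("master", "admin")}


if __name__ == "__main__":
    export = load_export_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    report = check_import(export, EXISTING_REALMS, EXISTING_USERS)
    print(json.dumps(report, indent=2))
    if not report["safe"]:
        sys.exit(1)  # refuse to proceed; the import would fail on the unique constraint
```

Run it with the export directory as the only argument; a non-zero exit means the import would fail exactly as in the trace above, so the users file needs trimming or OVERWRITE_EXISTING is the strategy to use.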
From beny.moser at gmail.com Mon Feb 1 15:37:14 2016
From: beny.moser at gmail.com (Benjamin Moser)
Date: Mon, 1 Feb 2016 21:37:14 +0100
Subject: [keycloak-user] spring-security-adapter on wildfly: How?

Hello

I've been trying to get spring security to work with keycloak on wildfly for hours. I follow the instructions as described here: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#spring-security-adapter .

This is my environment:
- Wildfly 9 (not spring-boot)
- Keycloak 1.7
- keycloak-spring-security-adapter in webapplication
- keycloak.json in WEB-INF
- spring-security-xml configuration as described in 8.10.2.2.
- No security config in web.xml
- No keycloak adapter in wildfly

Application starts up fine, spring security configuration seems to be loaded. But when I directly access a protected resource, the resource is not protected and I can access it directly. I am not redirected to login on keycloak. So it seems spring security is not picking up the security rules...

When I do not use the keycloak-spring-security-adapter and do the security configuration in web.xml, it works. But then I'm missing the integration with spring security, and that's what I need...

Any advice is more than welcome...

Thanks,
Ben

From lingvisa at gmail.com Mon Feb 1 15:43:53 2016
From: lingvisa at gmail.com (Martin Min)
Date: Mon, 1 Feb 2016 12:43:53 -0800
Subject: [keycloak-user] Social login error message
In-Reply-To: <56AF10AE.7050006@redhat.com>
References: <56AF10AE.7050006@redhat.com>

Hi, Marek and all:

I received this message for Google and github now. I followed the instruction in the doc and created the identity broker:

12:40:39,607 WARN [org.keycloak.events] (default task-63) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bword, clientId=null, userId=null, ipAddress=127.0.0.1, error=couldNotSendAuthenticationRequestMessage, identity_provider=github
12:40:39,608 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-63) couldNotSendAuthenticationRequestMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
    at org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551)
    at org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:149)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:744)

Thank you.

On Mon, Feb 1, 2016 at 12:00 AM, Marek Posolda wrote:

> I suggest upgrading to 1.8 where this is fixed. Or you can work around it in 1.7 by editing the file
> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml
> and adding the line:
>
>
>
> into the dependencies section. Same for module
> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml
>
> Marek
>
> On 29/01/16 23:49, Martin Min wrote:
>
> Hello, I am configuring the social login with google, twitter and github. Everything else works fine until this point, namely, after it's authorized, at the "update account information" page, after I filled out the fields on this page and clicked "submit", I received this error message.
>
> What could cause this? I followed the instruction carefully, but not sure what caused this.
>
> Context Path:
> /auth
>
> Servlet Path:
>
> Path Info:
> /realms/myproject/login-actions/first-broker-login
>
> Query String:
> code=Rp6yjxlbY0_IIjk8_-IpyOy_x8m_hC0d8zz4t-hp7vI.9ea99589-bf8d-4a13-930a-c58661dfb925
>
> Stack Trace
> java.lang.RuntimeException: request path: /auth/realms/myproject/login-actions/first-broker-login
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> java.lang.Thread.run(Thread.java:745)
>
> Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: org/keycloak/broker/provider/BrokeredIdentityContext

From bburke at redhat.com Mon Feb 1 16:02:10 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 1 Feb 2016 16:02:10 -0500
Subject: [keycloak-user] Social login error message
References: <56AF10AE.7050006@redhat.com>
Message-ID: <56AFC7D2.4090709@redhat.com>

version?

On 2/1/2016 3:43 PM, Martin Min wrote:
> Hi, Marek and all:
>
> I received this message for Google and github now. I followed the instruction in the doc and created the identity broker:
>
> 12:40:39,607 WARN [org.keycloak.events] (default task-63) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bword, clientId=null, userId=null, ipAddress=127.0.0.1, error=couldNotSendAuthenticationRequestMessage, identity_provider=github
> 12:40:39,608 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-63) couldNotSendAuthenticationRequestMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From lingvisa at gmail.com Mon Feb 1 16:05:47 2016
From: lingvisa at gmail.com (Martin Min)
Date: Mon, 1 Feb 2016 13:05:47 -0800
Subject: [keycloak-user] Social login error message
References: <56AF10AE.7050006@redhat.com>

I restarted my keycloak server and my application, and clicked "Twitter" to log in, and I received a different error message. When it redirects to my log in page from twitter, I got a single "Forbidden" message on the login page. It looks like the authentication through the identity broker is right, but somehow the login page is now not allowed to be accessed from my client (browser). I tried github and got the same problem. What may cause this?

Thank you.

On Mon, Feb 1, 2016 at 12:43 PM, Martin Min wrote:

> Hi, Marek and all:
>
> I received this message for Google and github now. I followed the instruction in the doc and created the identity broker:
>
> 12:40:39,607 WARN [org.keycloak.events] (default task-63) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bword, clientId=null, userId=null, ipAddress=127.0.0.1, error=couldNotSendAuthenticationRequestMessage, identity_provider=github
> 12:40:39,608 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-63) couldNotSendAuthenticationRequestMessage: org.keycloak.broker.provider.IdentityBrokerException: Invalid code, please login again through your client.
> > at > org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551) > at > org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:149) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:483) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:744) > > Thank you. > > On Mon, Feb 1, 2016 at 12:00 AM, Marek Posolda > wrote: > >> I suggest upgrading to 1.8 where this is fixed. Or you can work around it in >> 1.7 by editing the file >> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml >> and adding the line: >> >> >> >> into the dependencies section. Same for module >> $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml >> >> Marek >> >> >> On 29/01/16 23:49, Martin Min wrote: >> >> Hello, I am configuring the social login with google, twitter and github. >> Everything else works fine until this point, namely, after it's authorized, >> at the "update account information" page, after I fill out the fields on >> this page and click "submit", I receive this error message. >> >> What could cause this? I followed the instructions carefully, but not sure >> what caused this. 
>> >> Context Path: >> /auth >> >> Servlet Path: >> >> Path Info: >> /realms/myproject/login-actions/first-broker-login >> >> Query String: >> >> code=Rp6yjxlbY0_IIjk8_-IpyOy_x8m_hC0d8zz4t-hp7vI.9ea99589-bf8d-4a13-930a-c58661dfb925 >> >> *Stack Trace* >> java.lang.RuntimeException: request path: >> /auth/realms/myproject/login-actions/first-broker-login >> >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >> >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) >> >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >> >> 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >> >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> >> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) >> >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) >> >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >> >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >> io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> java.lang.Thread.run(Thread.java:745) >> >> Caused by: org.jboss.resteasy.spi.UnhandledException: >> java.lang.NoClassDefFoundError: >> org/keycloak/broker/provider/BrokeredIdentityContext >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160201/5243f595/attachment.html From sthorger at redhat.com Tue Feb 2 03:45:01 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 2 Feb 2016 09:45:01 +0100 Subject: [keycloak-user] keycloak-server.json settings in 1.8.0.Final In-Reply-To: References: Message-ID: If you look at the migration guide you'll notice that they are no longer needed. As Infinispan is the only built-in provider for these, there's no longer any need to configure which one to use. On 1 February 2016 at 17:15, Paul Blair wrote: > I'm upgrading from 1.7.0.Final to 1.8.0.Final and when comparing my > keycloak-server.json settings I see the following are not there in the > newer version: > > "userSessions": { > "provider" : "infinispan" > }, > > "realmCache": { > "provider": "infinispan" > }, > > "userCache": { > "provider": "infinispan" > }, > > These may be configurations I added in 1.7.0, but I can't find a reference > to them in the 1.8.0.Final reference guide. Are they now obsolete? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160202/9afb51e2/attachment-0001.html From sthorger at redhat.com Tue Feb 2 03:45:44 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 2 Feb 2016 09:45:44 +0100 Subject: [keycloak-user] add-user-keycloak.sh in 1.8.0.Final In-Reply-To: References: Message-ID: Yes, as the overlay is to be added on to an existing WildFly installation we don't override the add-user script from WildFly and instead rename it. 
Same as we do for the standalone-keycloak.xml On 1 February 2016 at 17:19, Paul Blair wrote: > I'm noticing the 1.8.0.Final overlay contains a script > named add-user-keycloak.sh but the reference guide only mentions > add-user.sh. Should this script be used instead of add-user.sh? > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160202/d6f37bbd/attachment.html From sthorger at redhat.com Tue Feb 2 03:48:18 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 2 Feb 2016 09:48:18 +0100 Subject: [keycloak-user] KC1.8 failing realm merge/upgrade ? In-Reply-To: References: <56AF0F5F.6070600@redhat.com> Message-ID: It looks like you've found a bug in the import. However, are you doing a migration at the same time as you are importing existing realms from a json import? My point was just the fact that it seems you are mixing two strategies for migrating. On 1 February 2016 at 21:34, Hristo Stoyanov wrote: > Stian, > What you explained seems to contradict the documented purpose of the > IGNORE_EXISTING import option. > > /Hristo Stoyanov > On Feb 1, 2016 2:35 AM, "Stian Thorgersen" wrote: > >> The import is really meant for a clean database. Or at least to import >> non-existing realms. >> >> Why are you doing an import during upgrade if you are not starting with a >> clean database? >> >> On 1 February 2016 at 08:55, Marek Posolda wrote: >> >>> Hi, >>> >>> could you please create a JIRA? 
Until it's fixed, I suggest backing up your >>> DB and instead using strategy OVERWRITE_EXISTING (or just remove the strategy >>> property, as OVERWRITE_EXISTING is the default) >>> >>> Marek >>> >>> >>> On 01/02/16 07:47, Hristo Stoyanov wrote: >>> >>> Hi all, >>> I'm trying to install KC1.8.Final over a previous KC1.7 installation >>> backed by Postgres. I use template files to bootstrap my realm: >>> >>> 36 -rw-r--r-- 1 root root 36806 Feb 1 05:50 FinancialApps-realm.json >>> 40 -rw-r--r-- 1 root root 39545 Feb 1 05:50 master-realm.json >>> 4 -rw-r--r-- 1 root root 709 Feb 1 05:50 master-users-0.json >>> 4 -rw-r--r-- 1 root root 77 Feb 1 05:50 version.json >>> >>> and I use the import facility: >>> >>> -Dkeycloak.migration.action=import \ >>> -Dkeycloak.migration.provider=dir \ >>> -Dkeycloak.migration.dir={{wildfly_home}}/keycloak \ >>> -Dkeycloak.migration.strategy=IGNORE_EXISTING >>> >>> Below is the exception I get. I understand that I can wipe out my >>> Postgres database and have a clean import, but I thought the import was >>> careful enough to check for duplicate keys??? 
>>> ================================================================= >>> Caused by: org.keycloak.models.ModelDuplicateException: >>> javax.persistence.PersistenceException: >>> org.hibernate.exception.ConstraintViolationException: could not execute >>> statement >>> at >>> org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40) >>> at >>> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34) >>> at com.sun.proxy.$Proxy83.flush(Unknown Source) >>> at >>> org.keycloak.models.jpa.JpaUserProvider.addUser(JpaUserProvider.java:61) >>> at >>> org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.addUser(DefaultCacheUserProvider.java:267) >>> at >>> org.keycloak.models.utils.RepresentationToModel.createUser(RepresentationToModel.java:1168) >>> at >>> org.keycloak.exportimport.util.ImportUtils.importUsers(ImportUtils.java:191) >>> at >>> org.keycloak.exportimport.util.ImportUtils.importUsersFromStream(ImportUtils.java:175) >>> at >>> org.keycloak.exportimport.dir.DirImportProvider$4.runExportImportTask(DirImportProvider.java:121) >>> at >>> org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:18) >>> at >>> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:267) >>> at >>> org.keycloak.exportimport.dir.DirImportProvider.importRealm(DirImportProvider.java:117) >>> at >>> org.keycloak.exportimport.dir.DirImportProvider.importModel(DirImportProvider.java:55) >>> at >>> org.keycloak.exportimport.ExportImportManager.runImport(ExportImportManager.java:69) >>> at >>> org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:107) >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) >>> at >>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>> at >>> 
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>> at java.lang.reflect.Constructor.newInstance(Constructor.java:422) >>> at >>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) >>> ... 19 more >>> Caused by: javax.persistence.PersistenceException: >>> org.hibernate.exception.ConstraintViolationException: could not execute >>> statement >>> at >>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) >>> at >>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) >>> at >>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608) >>> at >>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1303) >>> at sun.reflect.GeneratedMethodAccessor300.invoke(Unknown Source) >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:497) >>> at >>> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32) >>> ... 
37 more >>> Caused by: org.hibernate.exception.ConstraintViolationException: could >>> not execute statement >>> at >>> org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112) >>> at >>> org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) >>> at >>> org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109) >>> at >>> org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95) >>> at >>> org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) >>> at >>> org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) >>> at >>> org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2886) >>> at >>> org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3386) >>> at >>> org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) >>> at >>> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560) >>> at >>> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434) >>> at >>> org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) >>> at >>> org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) >>> at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1282) >>> at >>> org.hibernate.jpa.spi.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:1300) >>> ... 
41 more >>> *Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key >>> value violates unique constraint "uk_ru8tt6t700s9v50bu18ws5ha6"* >>> * Detail: Key (realm_id, username)=(master, admin) already exists.* >>> at >>> org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2182) >>> at >>> org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1911) >>> at >>> org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:173) >>> at >>> org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:645) >>> at >>> org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:495) >>> at >>> org.postgresql.jdbc2.AbstractJdbc2Statement.executeUpdate(AbstractJdbc2Statement.java:441) >>> at sun.reflect.GeneratedMethodAccessor295.invoke(Unknown Source) >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:497) >>> at >>> org.postgresql.ds.jdbc23.AbstractJdbc23PooledConnection$StatementHandler.invoke(AbstractJdbc23PooledConnection.java:453) >>> at com.sun.proxy.$Proxy84.executeUpdate(Unknown Source) >>> at >>> org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) >>> at >>> org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160202/a493d4c1/attachment-0001.html From sthorger at redhat.com Tue Feb 2 03:49:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 2 Feb 2016 09:49:26 +0100 Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow? In-Reply-To: References: Message-ID: Have no idea what you are saying. We don't have any API outside of the admin endpoints that does password reset, register email or anything else like that. For the admin endpoints we have a very flexible endpoint that lets you send exactly what actions you want. On 1 February 2016 at 19:00, Lohitha Chiranjeewa wrote: > Hi Stian, > > I was referring to a potential API endpoint which actually sends out the > password reset email (there's a similar API which sends out the > registration email), not the existing one which just resets the password. > > > Regards, > Lohitha. > > On Mon, Feb 1, 2016 at 3:53 PM, Stian Thorgersen > wrote: > >> >> >> On 28 January 2016 at 08:41, Lohitha Chiranjeewa >> wrote: >> >>> Thanks Fabricio, will check on how we can proceed with such an >>> implementation. >>> >>> Since there is an already existing registration-email API, I thought >>> it's consistent from Keycloak's perspective to expose a reset-password API >>> as well... >>> >> >> Not sure what you refer to, but there are no APIs for these actions >> outside of the admin endpoints. >> >> >>> >>> >>> Regards, >>> Lohitha. >>> >>> On Thu, Jan 28, 2016 at 2:31 AM, Fabricio Milone < >>> fabricio.milone at shinetech.com> wrote: >>> >>>> Hi Lohitha, >>>> >>>> I had the same requirements (Direct grant + forgotten password) and >>>> ended up implementing an SPI using some piece of code made by Pedro Igor. >>>> >>>> An extract of the DEV Mailing list called: "*Add custom REST paths? 
>>>> New SPI?*" >>>> >>>> *It is part of a work in progress around fine-grained authorization >>>>> [1].* >>>>> *The new SPI changes [2] specific to Keycloak are located in a >>>>> specific branch [3] in my Keycloak fork.* >>>> >>>> >>>>> *I need to discuss these changes with Bill and see what he thinks >>>>> about it. Depending on his feedback, I can prepare a PR and send these >>>>> changes to upstream.* >>>> >>>> >>>>> >>>>> *[1] https://github.com/pedroigor/keycloak-authz >>>>> * >>>>> *[2] >>>>> https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54 >>>>> **[3] >>>>> https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified >>>>> * >>>> >>>> >>>> >>>> Not sure if Keycloak will ever adopt those changes as official or >>>> something similar though. >>>> >>>> That's a good starting point. >>>> >>>> Regards >>>> >>>> On 27 January 2016 at 21:19, Stian Thorgersen >>>> wrote: >>>> >>>>> There is in the admin endpoints, but nothing that's available to >>>>> end-users. >>>>> >>>>> On 22 January 2016 at 06:45, Lohitha Chiranjeewa >>>>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> There are a few clients of ours who use the Direct Grants API to >>>>>> authenticate their users. A requirement has come up to provide the Reset >>>>>> Password flow to those clients. From what I've checked and gathered, >>>>>> there's no REST API to initiate this flow (sending the Keycloak password >>>>>> reset email + resetting the password through the UI); the only way to do it is >>>>>> through the browser. >>>>>> >>>>>> If it's actually there somewhere, can someone point me to it? >>>>>> >>>>>> >>>>>> Regards, >>>>>> Lohitha. 
>>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> >>>> -- >>>> *Fabricio Milone* >>>> Developer >>>> >>>> *Shine Consulting * >>>> >>>> 30/600 Bourke Street >>>> >>>> Melbourne VIC 3000 >>>> >>>> T: 03 8488 9939 >>>> >>>> M: 04 3200 4006 >>>> >>>> >>>> www.shinetech.com *a* passion for excellence >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160202/548ec609/attachment.html From mposolda at redhat.com Tue Feb 2 04:04:08 2016 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 2 Feb 2016 10:04:08 +0100 Subject: [keycloak-user] Social login error message In-Reply-To: References: <56AF10AE.7050006@redhat.com> Message-ID: <56B07108.4020605@redhat.com> You can check in the admin console whether the user authenticated from Twitter (or github) was successfully registered and can be seen in the keycloak admin console. If yes, it's likely an authorization issue and you need to assign some roles to those newly created users, so they have access to your application. You can use default roles to assign some roles "by default" at the time when the user is registered. See docs for more details. Marek On 01/02/16 22:05, Martin Min wrote: > I restarted my keycloak server and my application, and clicked > "Twitter" to log in, and I received a different error message. When it > redirects to my log in page from twitter, I got a single "Forbidden" > message on the login page. 
It looks like the authentication through > the identity broker is right, but somehow the login page is now not > allowed to be accessed from my client (browser). I tried github and > got the same problem. > > What may cause this? Thank you. > > On Mon, Feb 1, 2016 at 12:43 PM, Martin Min > wrote: > > Hi, Marek and all: > > I received this message for Google and github now. I followed the > instruction in the doc and created the identity broker: > > 12:40:39,607 WARN [org.keycloak.events] (default task-63) > type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bword, clientId=null, > userId=null, ipAddress=127.0.0.1, > error=couldNotSendAuthenticationRequestMessage, > identity_provider=github > 12:40:39,608 ERROR > [org.keycloak.services.resources.IdentityBrokerService] (default > task-63) couldNotSendAuthenticationRequestMessage: > org.keycloak.broker.provider.IdentityBrokerException: Invalid > code, please login again through your client. > > at > org.keycloak.services.resources.IdentityBrokerService.parseClientSessionCode(IdentityBrokerService.java:551) > at > org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:149) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:483) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) > at > 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at > javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:744) > > Thank you. 
> > On Mon, Feb 1, 2016 at 12:00 AM, Marek Posolda > > wrote: > > I suggest to upgrade to 1.8 where this is fixed. Or you can > workaround in 1.7 by edit file > $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-login-freemarker/main/module.xml > and add the line: > > > > into dependencies section. Same for module > $KEYCLOAK_HOME/modules/system/layers/base/org/keycloak/keycloak-email-freemarker/main/module.xml > > Marek > > > On 29/01/16 23:49, Martin Min wrote: >> Hello, I am configuring the social login with google, twitter >> and github. Everything else works fine until this point, >> namely, after it's authorized, at the "update account >> information" page, after I fill out the fields on this page, >> clicked the "submitted" and I received this error message. >> >> What could cause this? I followed the instruction carefully, >> but not sure what caused this. >> >> Context Path: >> /auth >> >> Servlet Path: >> >> Path Info: >> /realms/myproject/login-actions/first-broker-login >> >> Query String: >> code=Rp6yjxlbY0_IIjk8_-IpyOy_x8m_hC0d8zz4t-hp7vI.9ea99589-bf8d-4a13-930a-c58661dfb925 >> >> *Stack Trace* >> java.lang.RuntimeException: request path: >> /auth/realms/myproject/login-actions/first-broker-login >> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) >> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) >> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) >> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) >> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) >> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) >> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) >> 
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) >> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> java.lang.Thread.run(Thread.java:745) >> >> Caused by: org.jboss.resteasy.spi.UnhandledException: >> java.lang.NoClassDefFoundError: >> org/keycloak/broker/provider/BrokeredIdentityContext

From andrey.saroul at gmail.com Tue Feb 2 06:06:16 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Tue, 2 Feb 2016 14:06:16 +0300
Subject: [keycloak-user] Keycloak logout flow
Message-ID:

I'm using Keycloak 1.7.0 with WildFly 9.0.2. I have a REST service and Keycloak deployed on the same machine. Consider this scenario:
1) In the browser I try to test my REST service (e.g. http://my-ip-address:8080/rest/test) secured under Keycloak.
2) I get redirected to the login page.
3) I enter my login and password.
4) I get some response from my REST service. That's OK!
5) Then I go to the Keycloak admin console, find my user and force session logout.
6) Then I try to access my REST service again by the same URL, and NO redirect happens. The browser caches the jsessionid cookie and doesn't know anything about the user being logged out.
It seems to me that during step #6 the server should invalidate the expired session cookie due to the admin logout. I consider that the user, after being logged out, will get redirected to the login page again, and will not be able to access the service with the old jsessionid cookie.
Is this a bug, or could you help me explain what I am doing wrong?

From andrey.saroul at gmail.com Tue Feb 2 06:17:04 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Tue, 2 Feb 2016 14:17:04 +0300
Subject: [keycloak-user] spring-security-adapter on wildfly: How?
Message-ID:

I had the same issue. I missed the Spring Security initializer and so springSecurityFilterChain was not registered. I added this class in my app, and then all security worked just fine:

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Picked up by the Servlet 3.0 container on startup; registers the
// springSecurityFilterChain without any web.xml entry.
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}

And by the way, no web.xml is required at all if you use annotation config.

From sthorger at redhat.com Tue Feb 2 07:55:33 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 2 Feb 2016 13:55:33 +0100
Subject: [keycloak-user] Keycloak logout flow
In-Reply-To:
References:
Message-ID:

You probably haven't configured the admin URL for your client, so the Keycloak server can't send a backchannel logout to your service.

On 2 February 2016 at 12:06, Andrey Saroul wrote:
> I'm using keycloak 1.7.0 with WildFly 9.0.2
> [...]

From Edgar at info.nl Tue Feb 2 11:45:52 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Tue, 2 Feb 2016 16:45:52 +0000
Subject: [keycloak-user] No LDAP Group Attribute mapper in Keycloak?
Message-ID: <68E5BD0C-F36F-4476-A69E-F8200572A474@info.nl>

Hi,

If I am correct there is no LDAP Group Attribute mapper in Keycloak, right? There is a User Attribute mapper and there is a Group Mapper, but group attributes in LDAP cannot be synced to and from Keycloak at the moment?

I guess it should not be too hard to write an LDAP Group Attribute mapper should we want to?

cheers

From adrianmatei at gmail.com Tue Feb 2 14:43:22 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Tue, 2 Feb 2016 20:43:22 +0100
Subject: [keycloak-user] password forgotten - override UpdatePasswd required action (v 1.7.0)
In-Reply-To:
References:
Message-ID:

Solution: I had to register the CustomRequiredAction via the Register button that appears under Realm > Authentication > Required Actions ...
On Mon, Feb 1, 2016 at 5:25 PM, Adrian Matei wrote:
> Hi guys,
>
> in the UpdatePassword class we need to modify the string values that come from formData so that they are not "password-new" but "passwordNew" (JS conform, as we've built the GUI with AngularJS on top of Freemarker actions):
>
> https://github.com/keycloak/keycloak/blob/de472dbd43dd2767afb3436835f77924a78e9f82/services/src/main/java/org/keycloak/authentication/requiredactions/UpdatePassword.java#L67
>
> We've created our own CustomUpdatePassword (similar to the class above except the two lines and its own id, UPDATE_PASSWORD_CUSTOM) and tried to hook it in our own custom ResetPassword class:
>
>     @Override
>     public void authenticate(AuthenticationFlowContext context) {
>         if (context.getExecution().isRequired() ||
>                 (context.getExecution().isOptional() && configuredFor(context))) {
>             context.getClientSession().addRequiredAction(CustomUpdatePassword.UPDATE_PASSWORD_CUSTOM);
>         }
>         context.success();
>     }
>
> The custom classes are registered in META-INF/services and everything, and we can add the custom reset password execution in the Reset Credentials workflow...
>
> The result is an NPE in AuthenticationManager when trying to get the providerId from the model:
>
>     RequiredActionProviderModel model = realm.getRequiredActionProviderByAlias(action);
>     RequiredActionFactory factory = (RequiredActionFactory) session.getKeycloakSessionFactory().getProviderFactory(RequiredActionProvider.class, model.getProviderId());
>
> I am tired and cannot look through it anymore, so your advice is more than welcome...
>
> Thanks,
> Adrian

From lars.noldan at drillinginfo.com Tue Feb 2 21:29:07 2016
From: lars.noldan at drillinginfo.com (Lars Noldan)
Date: Tue, 2 Feb 2016 20:29:07 -0600
Subject: [keycloak-user] Coarse and Fine Grained Entitlements
Message-ID:

We're in the investigation stage on moving from a $BigExpensiveVendor solution toward Keycloak, and we're looking for a solution to help manage both coarse and fine grained entitlements. Keycloak appears to be a fantastic authentication solution, but I'm wondering what are you, the Keycloak community, using to handle authorization? Thanks!

From kalc04 at gmail.com Wed Feb 3 01:10:28 2016
From: kalc04 at gmail.com (Lohitha Chiranjeewa)
Date: Wed, 3 Feb 2016 11:40:28 +0530
Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow?
In-Reply-To:
References:
Message-ID:

Hey Stian, let me re-track what I've been trying to say here....

My first query was to check with you guys if there was an admin API to trigger the reset-password email. Seems there is no such API. However, there is an admin API to just reset the password without email verification (http://keycloak.github.io/docs/rest-api/index.html#_set_up_a_temporary_password_for_the_user).

My follow-up concern was that since there is an admin API to trigger the verification email (http://keycloak.github.io/docs/rest-api/index.html#_send_an_email_verification_email_to_the_user), it would have been consistent if there was an admin API to send the reset-password email as well.

Hope this clarifies the misunderstanding.

Regards,
Lohitha.

On Tue, Feb 2, 2016 at 2:19 PM, Stian Thorgersen wrote:
> Have no idea what you are saying.
> > We don't have any API outside of the admin endpoints that do password > reset, register email or anything else like that. For the admin endpoints > we have a very flexibly endpoint that lets you send exactly what actions > you want. > > On 1 February 2016 at 19:00, Lohitha Chiranjeewa wrote: > >> Hi Stian, >> >> I was referring to a potential API endpoint which actually sends out the >> password reset email (there's a similar API which sends out the >> registration email), not the existing one which just resets the password. >> >> >> Regards, >> Lohitha. >> >> On Mon, Feb 1, 2016 at 3:53 PM, Stian Thorgersen >> wrote: >> >>> >>> >>> On 28 January 2016 at 08:41, Lohitha Chiranjeewa >>> wrote: >>> >>>> Thanks Fabricio, will check on how we can proceed with such an >>>> implementation. >>>> >>>> Since there is an already existing registration-email API, I thought >>>> it's consistent from Keycloak's perspective to expose a reset-password API >>>> as well... >>>> >>> >>> Not sure what you refer to, but there are no APIs for these actions >>> outside of the admin endpoints. >>> >>> >>>> >>>> >>>> Regards, >>>> Lohitha. >>>> >>>> On Thu, Jan 28, 2016 at 2:31 AM, Fabricio Milone < >>>> fabricio.milone at shinetech.com> wrote: >>>> >>>>> Hi Lohitha, >>>>> >>>>> I had the same requirements (Direct grant + forgotten password) and >>>>> ended up implementing a SPI using some piece of code made by Pedro Igor. >>>>> >>>>> An extract of the DEV Mailing list called: "*Add custom REST paths? >>>>> New SPI?*" >>>>> >>>>> *It is part of a working in progress around fine-grained authorization >>>>>> [1].* >>>>>> *The new SPI changes [2] specific to Keycloak are located in a >>>>>> specific branch [3] in my Keycloak fork.* >>>>> >>>>> >>>>>> *I need to discuss these changes with Bill and see what he thinks >>>>>> about it. 
Depending on his feedback, I can prepare a PR and send these >>>>>> changes to upstream.* >>>>> >>>>> >>>>>> >>>>>> *[1] https://github.com/pedroigor/keycloak-authz >>>>>> * >>>>>> *[2] >>>>>> https://github.com/pedroigor/keycloak/commit/5e99614aacb70f7840a5ae25cfeaf3fc9d74ac54 >>>>>> **[3] >>>>>> https://github.com/pedroigor/keycloak/tree/keycloak-authz-modified >>>>>> * >>>>> >>>>> >>>>> >>>>> Not sure if Keycloak will ever adopt those changes as official or >>>>> something similar though. >>>>> >>>>> That's a good starting point. >>>>> >>>>> Regards >>>>> >>>>> On 27 January 2016 at 21:19, Stian Thorgersen >>>>> wrote: >>>>> >>>>>> There is in the admin endpoints, but nothing that's available to >>>>>> end-users. >>>>>> >>>>>> On 22 January 2016 at 06:45, Lohitha Chiranjeewa >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> There are a few clients of ours who use the Direct Grants API to >>>>>>> authenticate their users. A requirement has come up to provide the Reset >>>>>>> Password flow to those clients. From what I've checked and gathered, >>>>>>> there's no REST API to initiate this flow (sending the Keycloak password >>>>>>> reset email + resetting the password through the UI); only way to do is >>>>>>> through the browser. >>>>>>> >>>>>>> If it's actually there somewhere, can someone point me to it? >>>>>>> >>>>>>> >>>>>>> Regards, >>>>>>> Lohitha. 
>>>>>
>>>>> --
>>>>> *Fabricio Milone*
>>>>> Developer
>>>>>
>>>>> *Shine Consulting*
>>>>> 30/600 Bourke Street
>>>>> Melbourne VIC 3000
>>>>> T: 03 8488 9939
>>>>> M: 04 3200 4006
>>>>> www.shinetech.com *a* passion for excellence

From stuart.jacobs at symbiotics.co.za Wed Feb 3 02:40:15 2016
From: stuart.jacobs at symbiotics.co.za (Stuart Jacobs)
Date: Wed, 3 Feb 2016 09:40:15 +0200
Subject: [keycloak-user] User-Federation
Message-ID:

Hi Everyone,

I have an application that runs on a PostgreSQL database; Keycloak has been configured and has created all the required tables/columns in my schema using Liquibase on startup of the Keycloak server. I need to authenticate users using the project's existing user table, obtaining the username and password from this table. I have had a look at the federation provider project under the example projects, but this still eludes me as to how I change the Keycloak mapping to use my own tables in Postgres? Can someone please point me in the right direction, or if someone has implemented such a solution please share how you have done it?

Thanks everyone.
Regards,
Stuart Jacobs
--
www.symbiotics.co.za
********************************************************************************
This email and any accompanying attachments may contain confidential and proprietary information. This information is private and protected by law and, accordingly, if you are not the intended recipient, you are requested to delete this entire communication immediately and are notified that any disclosure, copying or distribution of or taking any action based on this information is prohibited. Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any interception, corruption, destruction, loss, late arrival or incompleteness of or tampering or interference with any of the information contained in this email or for its incorrect delivery or non-delivery for whatsoever reason or for its effect on any electronic device of the recipient.
********************************************************************************

From sthorger at redhat.com Wed Feb 3 03:07:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 Feb 2016 09:07:01 +0100
Subject: [keycloak-user] Is there a REST Admin API to initiate the Reset Password flow?
In-Reply-To:
References:
Message-ID:

There is an admin API to send the password reset email; verify email and other required actions, including custom actions, can be triggered with this API as well.

On 3 February 2016 at 07:10, Lohitha Chiranjeewa wrote:
> Hey Stian, let me re-track what I've been trying to say here....
> [...]

From pkkamos at gmail.com Wed Feb 3 07:35:18 2016
From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS)
Date: Wed, 3 Feb 2016 12:35:18 +0000
Subject: [keycloak-user] KeyCloak Admin Client :
Message-ID: <56b1f3e1.8e811c0a.ca774.63f6@mx.google.com>

Hello, I have tried out the Keycloak Admin Client. In fact, I have done a standalone application which works nicely with the Keycloak server.
What I don't get is, when I port a similar thing into a web application context and deploy the same on WildFly, I keep getting the exception below:

Caused by: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"])

Any lead on how to resolve all these Maven dependency issues?

Thanks.

Sent from Mail for Windows 10

From sthorger at redhat.com Wed Feb 3 07:57:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 Feb 2016 13:57:41 +0100
Subject: [keycloak-user] KeyCloak Admin Client :
In-Reply-To: <56b1f3e1.8e811c0a.ca774.63f6@mx.google.com>
References: <56b1f3e1.8e811c0a.ca774.63f6@mx.google.com>
Message-ID:

In the past the admin client required Jackson 1.x and didn't work with Jackson 2.x. This is being fixed in 1.9.

To make it work you'll need to either wait for 1.9 or make your WAR use Jackson instead of Jackson 2. Check out the admin client example as it does exactly that.

On 3 February 2016 at 13:35, PAA KOJO KONDUAH AMOS wrote:
> Hello, I have tried out KeyCloak Admin Client. In fact, I have done a standalone application which works nicely with KeyCloak Server.
> [...]

From pkkamos at gmail.com Wed Feb 3 08:04:10 2016
From: pkkamos at gmail.com (pkkamos)
Date: Wed, 3 Feb 2016 13:04:10 +0000
Subject: [keycloak-user] KeyCloak Admin Client :
In-Reply-To:
References: <56b1f3e1.8e811c0a.ca774.63f6@mx.google.com>
Message-ID:

Thanks a lot Stian. I will give that a try while I wait for 1.9.

On 3 Feb 2016 12:57, "Stian Thorgersen" wrote:
> In the past the admin client required Jackson 1.x and didn't work with Jackson 2.x. This is being fixed in 1.9.
> [...]

From mposolda at redhat.com Wed Feb 3 08:06:25 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 Feb 2016 14:06:25 +0100
Subject: [keycloak-user] No LDAP Group Attribute mapper in Keycloak?
In-Reply-To: <68E5BD0C-F36F-4476-A69E-F8200572A474@info.nl>
References: <68E5BD0C-F36F-4476-A69E-F8200572A474@info.nl>
Message-ID: <56B1FB51.9070004@redhat.com>

This is actually supported. If you look at the LDAP Group mapper, you can see the field "Mapped Group Attributes". Here you can specify a list of attributes which will be mapped from the LDAP group to the Keycloak group and vice versa. There is one limitation: the name of the attribute needs to be the same in both places (i.e. you can map LDAP attribute "description" to Keycloak attribute "description", but you can't map LDAP attribute "description" to Keycloak attribute "foo"). Feel free to create a JIRA if this is limiting you.
I've actually go simple way, but it can be improved if there is additional demand. Marek On 02/02/16 17:45, Edgar Vonk - Info.nl wrote: > Hi, > > If I am correct there is no LDAP Group Attribute mapper in Keycloak right? There is a User Attribute mapper and there is a Group Mapper but group attributes in LDAP cannot be synched to and from Keycloak at the moment? > > I guess it should not be too hard to write an LDAP Group Attribute mapper should we want to? > > cheers > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From RLewis at carbonite.com Wed Feb 3 08:17:34 2016 From: RLewis at carbonite.com (Reed Lewis) Date: Wed, 3 Feb 2016 13:17:34 +0000 Subject: [keycloak-user] User-Federation In-Reply-To: References: Message-ID: If you use the federation provider listed here: [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ [1]: https://github.com/Smartling/keycloak-user-migration-provider You can specify a URL that will be called when a user needs to be validated. There are three requests that need to be implemented in your sever. GET /api/users// If the user exists, it should return a 200 with a json object with the return type ?application/json? with the following fields: username email emailVerified firstName lastName roles [?user?] If the user does not exist, return a 404 HEAD /api/users// Always return 200 POST /api/users// The password is posted to you in a json object. Return 200 if the password is OK, 401 if not. In both cases return no data. I wrote a small python module which implements these methods which works quite well. 
Reed

From: on behalf of Stuart Jacobs
Date: Wednesday, February 3, 2016 at 2:40 AM
To: "keycloak-user at lists.jboss.org"
Subject: [keycloak-user] User-Federation

Hi Everyone,

I have an application that runs on a PostgreSQL database. Keycloak has been configured and has created all the required tables/columns in my schema using Liquibase on start-up of the Keycloak server. I need to authenticate users using the project's existing user table, obtaining the username and password from this table. I have had a look at the federation provider project under the example projects but this still eludes me as to how I change the Keycloak mapping to use my own tables in Postgres? Can someone please point me in the right direction, or if someone has implemented such a solution please share how you have done it?

Thanks everyone.

Regards,
Stuart Jacobs
www.symbiotics.co.za

********************************************************************************
This email and any accompanying attachments may contain confidential and proprietary information. This information is private and protected by law and, accordingly, if you are not the intended recipient, you are requested to delete this entire communication immediately and are notified that any disclosure, copying or distribution of or taking any action based on this information is prohibited. Emails cannot be guaranteed to be secure or free of errors or viruses.
The sender does not accept any liability or responsibility for any interception, corruption, destruction, loss, late arrival or incompleteness of or tampering or interference with any of the information contained in this email or for its incorrect delivery or non-delivery for whatsoever reason or for its effect on any electronic device of the recipient.
********************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/cebe27b6/attachment-0001.html

From leo.nunes at gjccorp.com.br Wed Feb 3 08:27:09 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Wed, 3 Feb 2016 13:27:09 +0000
Subject: [keycloak-user] Obtain client name inside email-verification.ftl
Message-ID:

Hi, I would like to know if there's a way to get the Client Name in email-verification.ftl. I tried to use client.name but it didn't work. How can I find the variables available to use in the email template?

${msg("emailVerificationBodyHtml",link, linkExpiration, realmName, client.name)}

--
Leonardo Nunes
________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.
Thank you for your cooperation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/d05f000a/attachment.html

From thomas.darimont at googlemail.com Wed Feb 3 08:38:56 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 3 Feb 2016 14:38:56 +0100
Subject: [keycloak-user] Obtain client name inside email-verification.ftl
In-Reply-To:
References:
Message-ID:

Hello Leonardo,

this was discussed a while ago:
http://lists.jboss.org/pipermail/keycloak-user/2016-January/004513.html

There is an issue for this in JIRA:
https://issues.jboss.org/browse/KEYCLOAK-2359

I created a prototypic fix for this here:
https://github.com/keycloak/keycloak/pull/2061
- but it was rejected after some discussion for the sake of taking another route which has not been implemented yet.

Cheers,
Thomas

2016-02-03 14:27 GMT+01:00 LEONARDO NUNES :

> Hi, I would like to know if there's a way to get the Client Name in
> email-verification.ftl. I tried to use client.name but it didn't work.
> How can I find the variables available to use in the email template?
>
> ${msg("emailVerificationBodyHtml",link, linkExpiration, realmName,
> client.name)}
>
> --
> Leonardo Nunes
> ------------------------------
>
> *This message may contain confidential and/or privileged information.
> If you are not the addressee or
> authorized to receive this for the addressee, you must not use, copy,
> disclose or take any action based on this message or any information
> herein. If you have received this message in error, please advise the
> sender immediately by reply e-mail and delete this message. Thank you for
> your cooperation*
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/0d32616f/attachment.html

From Edgar at info.nl Wed Feb 3 08:55:12 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 3 Feb 2016 13:55:12 +0000
Subject: [keycloak-user] No LDAP Group Attribute mapper in Keycloak?
In-Reply-To: <56B1FB51.9070004@redhat.com>
References: <68E5BD0C-F36F-4476-A69E-F8200572A474@info.nl> <56B1FB51.9070004@redhat.com>
Message-ID:

Ah, you are right. Sorry, overlooked that completely. Seems fine for us at the moment. Thanks.

> On 03 Feb 2016, at 14:06, Marek Posolda wrote:
>
> This is actually supported. If you look at the LDAP Group mapper, you can see the field "Mapped Group Attributes". Here you can specify a list of attributes which will be mapped from the LDAP group to the Keycloak group and vice versa.
>
> There is one limitation: the name of the attribute needs to be the same in both places (i.e. you can map LDAP attribute "description" to Keycloak attribute "description", but you can't map LDAP attribute "description" to Keycloak attribute "foo"). Feel free to create a JIRA if this is limiting you. I've actually gone the simple way, but it can be improved if there is additional demand.
>
> Marek
>
> On 02/02/16 17:45, Edgar Vonk - Info.nl wrote:
>> Hi,
>>
>> If I am correct there is no LDAP Group Attribute mapper in Keycloak right?
>> There is a User Attribute mapper and there is a Group Mapper but group attributes in LDAP cannot be synched to and from Keycloak at the moment?
>>
>> I guess it should not be too hard to write an LDAP Group Attribute mapper should we want to?
>>
>> cheers
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Edgar at info.nl Wed Feb 3 09:36:30 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Wed, 3 Feb 2016 14:36:30 +0000
Subject: [keycloak-user] No LDAP Group Attribute mapper in Keycloak?
In-Reply-To:
References: <68E5BD0C-F36F-4476-A69E-F8200572A474@info.nl> <56B1FB51.9070004@redhat.com>
Message-ID: <453B409F-828A-4A9A-99FC-074F568079ED@info.nl>

Hi Marek,

Somewhat related: we would like to have certain LDAP group attributes end up in the user's JWT tokens as well so that we can use this data in our client.

The Group Membership Mapper places the name of the (LDAP) group in the token but what would we need to do to get group attributes in there as well? I guess we would then need to extend the Group Membership Mapper and add a mapping of group attributes there?

Or for now I guess we could use the Keycloak REST API from our client to retrieve all the group information for a user using the 'GET /admin/realms/{realm}/users/{id}/groups' endpoint.

cheers

> On 03 Feb 2016, at 14:55, Edgar Vonk - Info.nl wrote:
>
> Ah, you are right. Sorry, overlooked that completely. Seems fine for us at the moment. Thanks.
>
>> On 03 Feb 2016, at 14:06, Marek Posolda wrote:
>>
>> This is actually supported. If you look at the LDAP Group mapper, you can see the field "Mapped Group Attributes". Here you can specify a list of attributes which will be mapped from the LDAP group to the Keycloak group and vice versa.
>>
>> There is one limitation: the name of the attribute needs to be the same in both places (i.e.
>> you can map LDAP attribute "description" to Keycloak attribute "description", but you can't map LDAP attribute "description" to Keycloak attribute "foo"). Feel free to create a JIRA if this is limiting you. I've actually gone the simple way, but it can be improved if there is additional demand.
>>
>> Marek
>>
>> On 02/02/16 17:45, Edgar Vonk - Info.nl wrote:
>>> Hi,
>>>
>>> If I am correct there is no LDAP Group Attribute mapper in Keycloak right? There is a User Attribute mapper and there is a Group Mapper but group attributes in LDAP cannot be synched to and from Keycloak at the moment?
>>>
>>> I guess it should not be too hard to write an LDAP Group Attribute mapper should we want to?
>>>
>>> cheers
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Feb 3 10:28:50 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 Feb 2016 16:28:50 +0100
Subject: [keycloak-user] No LDAP Group Attribute mapper in Keycloak?
In-Reply-To: <453B409F-828A-4A9A-99FC-074F568079ED@info.nl>
References: <68E5BD0C-F36F-4476-A69E-F8200572A474@info.nl> <56B1FB51.9070004@redhat.com> <453B409F-828A-4A9A-99FC-074F568079ED@info.nl>
Message-ID: <56B21CB2.3070308@redhat.com>

You can do it with the built-in Keycloak "User Attribute" protocol mapper. In the admin console under clients (or client template if you want to reuse the same mapper in more client applications), you can create this mapper. If the mapped attribute is found on the user himself, it has precedence. Otherwise Keycloak will try to search all groups which the user is a member of, and look for the attribute inside those groups (or respectively also their parent groups).
So if you have both the Group LDAP mapper and this UserAttribute protocol mapper, you can map attributes of the LDAP group to the JWT access token issued to the user.

Marek

On 03/02/16 15:36, Edgar Vonk - Info.nl wrote:
> Hi Marek,
>
> Somewhat related: we would like to have certain LDAP group attributes end up in the user's JWT tokens as well so that we can use this data in our client.
>
> The Group Membership Mapper places the name of the (LDAP) group in the token but what would we need to do to get group attributes in there as well? I guess we would then need to extend the Group Membership Mapper and add a mapping of group attributes there?
>
> Or for now I guess we could use the Keycloak REST API from our client to retrieve all the group information for a user using the 'GET /admin/realms/{realm}/users/{id}/groups' endpoint.
>
> cheers
>
>> On 03 Feb 2016, at 14:55, Edgar Vonk - Info.nl wrote:
>>
>> Ah, you are right. Sorry, overlooked that completely. Seems fine for us at the moment. Thanks.
>>
>>> On 03 Feb 2016, at 14:06, Marek Posolda wrote:
>>>
>>> This is actually supported. If you look at the LDAP Group mapper, you can see the field "Mapped Group Attributes". Here you can specify a list of attributes which will be mapped from the LDAP group to the Keycloak group and vice versa.
>>>
>>> There is one limitation: the name of the attribute needs to be the same in both places (i.e. you can map LDAP attribute "description" to Keycloak attribute "description", but you can't map LDAP attribute "description" to Keycloak attribute "foo"). Feel free to create a JIRA if this is limiting you. I've actually gone the simple way, but it can be improved if there is additional demand.
>>>
>>> Marek
>>>
>>> On 02/02/16 17:45, Edgar Vonk - Info.nl wrote:
>>>> Hi,
>>>>
>>>> If I am correct there is no LDAP Group Attribute mapper in Keycloak right? There is a User Attribute mapper and there is a Group Mapper but group attributes in LDAP cannot be synched to and from Keycloak at the moment?
>>>>
>>>> I guess it should not be too hard to write an LDAP Group Attribute mapper should we want to?
>>>>
>>>> cheers
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From guydavis.ca at gmail.com Wed Feb 3 13:47:21 2016
From: guydavis.ca at gmail.com (Guy Davis)
Date: Wed, 3 Feb 2016 12:47:21 -0600
Subject: [keycloak-user] Course and Fine Grained Entitlements
In-Reply-To:
References:
Message-ID:

Hi Lars,

Good question. My organization is also asking similar questions about adopting Keycloak. Let me give my understanding as a user, then the Keycloak team can correct my misunderstandings.

Basically, Keycloak offers coarse-grained authorizations (realm roles and client-app roles) assigned to users (or groups). So I understand Keycloak will let you grant user Bob the 'myapp-admin' role. However, it falls to the backend service or application to then map that role to application-specific permissions. For example, role 'myapp-admins' can access the /myapp/project1/admin page. This resource security can be done (for Java apps) in declarative fashion using web.xml security constraints. Alternatively, your application code could dynamically obtain the Keycloak user principal, check their roles, and map into your app's permission scheme.

This understanding implies that your application is responsible for an admin UI to map fine-grained permissions on your app's resources to Keycloak roles. If your app only has 'coarse-grained' resources, then you can probably just use Keycloak roles, with no need for a permission layer or the UI it entails.

Also, see this pre-amble about Permission Scopes.
In future, it sounds like the Keycloak team is considering support for the UMA portion of the OAuth standard. This may help with fine-grained permission management within Keycloak itself?

Hope this helps,
Guy

On Tue, Feb 2, 2016 at 8:29 PM, Lars Noldan wrote:

> We're in the investigation stage on moving from a $BigExpensiveVendor
> solution toward keycloak, and we're looking for a solution to help manage
> both Coarse and Fine grained entitlements. Keycloak appears to be a
> fantastic authentication solution, but I'm wondering what are you, the
> keycloak community using to handle Authorization?
>
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/885bba2f/attachment.html

From bburke at redhat.com Wed Feb 3 14:03:22 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 3 Feb 2016 14:03:22 -0500
Subject: [keycloak-user] Course and Fine Grained Entitlements
In-Reply-To:
References:
Message-ID: <56B24EFA.7050100@redhat.com>

Pedro is working on that... He has some stuff. Hope he responds. Not going to be part of Keycloak until 2.0 though. And yes, it's around UMA.

On 2/3/2016 1:47 PM, Guy Davis wrote:
> Hi Lars,
>
> Good question. My organization is also asking similar questions about
> adopting Keycloak. Let me give my understanding as a user, then the
> Keycloak team can correct my misunderstandings.
>
> Basically, Keycloak offers coarse-grained authorizations (realm roles
> and client-app roles) assigned to users (or groups).
> So I understand Keycloak will let you grant user Bob the
> 'myapp-admin' role. However, it falls to the backend service or
> application to then map that role to application-specific
> permissions.
> For example, role 'myapp-admins' can access the /myapp/project1/admin page.
> This resource security can be done (for Java apps) in declarative fashion
> using web.xml security constraints. Alternatively, your application code
> could dynamically obtain the Keycloak user principal, check their roles,
> and map into your app's permission scheme.
>
> This understanding implies that your application is responsible for an
> admin UI to map fine-grained permissions on your app's resources to
> Keycloak roles. If your app only has 'coarse-grained' resources, then you
> can probably just use Keycloak roles, with no need for a permission layer
> or the UI it entails.
>
> Also, see this pre-amble about Permission Scopes. In future, it sounds
> like the Keycloak team is considering support for the UMA portion of the
> OAuth standard. This may help with fine-grained permission management
> within Keycloak itself?
>
> Hope this helps,
> Guy
>
> On Tue, Feb 2, 2016 at 8:29 PM, Lars Noldan wrote:
>
> We're in the investigation stage on moving from a $BigExpensiveVendor
> solution toward keycloak, and we're looking for a solution to help
> manage both Coarse and Fine grained entitlements. Keycloak appears to
> be a fantastic authentication solution, but I'm wondering what are
> you, the keycloak community using to handle Authorization?
>
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
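Guy's description above, that the backend reads the roles out of the Keycloak token and maps them onto its own permission scheme, worked through as an added Python example; it is not code from Keycloak, from the adapters, or from anyone in the thread. Keycloak signs access tokens with the realm's RSA key (RS256); so that this runs on the standard library alone, the constructed sample token is signed with HS256 under a constructed shared secret, a stand-in for the adapter's signature check and not how Keycloak itself signs. The claim names `realm_access` and `resource_access` are Keycloak's; the client id "myapp", the role names, the issuer URL and the `ROLE_PERMISSIONS` table are assumptions for illustration.

```python
"""Turn Keycloak token roles into application permissions, deny by default.

Added example, not Keycloak or adapter code. Keycloak signs access tokens
with the realm RSA key (RS256); this file signs its constructed sample token
with HS256 and a constructed secret so it runs on the standard library only.
realm_access / resource_access are Keycloak's claim names; "myapp", the role
names, the issuer and ROLE_PERMISSIONS are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS for the sample; stands in for the realm's RS256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims only if alg, signature, issuer, audience and expiry all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless three parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: no "none", no confusion attacks
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not issued for this client")
    return claims


def roles_from_claims(claims: dict, client_id: str) -> Set[str]:
    """Realm roles plus the roles scoped to this client; other clients' roles are ignored."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


# Application-side table (assumed): which coarse role grants which fine permission.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "myapp-admin": {"project:read", "project:write", "project:admin"},
    "myapp-user": {"project:read"},
}


def permissions_for(roles: Set[str]) -> Set[str]:
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # a role the app does not know grants nothing
    return perms


def authorize(token: str, secret: bytes, issuer: str, client_id: str, permission: str,
              now: Optional[float] = None) -> bool:
    """Deny unless the token verifies for this client and its roles carry the permission."""
    try:
        claims = verify_hs256(token, secret, issuer, client_id, now)
    except (ValueError, AttributeError, TypeError):
        return False
    return permission in permissions_for(roles_from_claims(claims, client_id))


# Constructed sample token: a realm role, a client role for "myapp", a role for another client.
SECRET = b"constructed-shared-secret-not-for-production"
ISSUER = "https://sso.example.test/auth/realms/demo"
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": ["myapp"], "azp": "myapp", "sub": "bob", "exp": 1_700_000_600,
    "realm_access": {"roles": ["myapp-user"]},
    "resource_access": {"myapp": {"roles": ["myapp-admin"]},
                        "other-app": {"roles": ["other-app-admin"]}},
}
SAMPLE_TOKEN = sign_hs256(SAMPLE_CLAIMS, SECRET)
```

The order of operations is the point: roles are read only after the signature, issuer, audience and expiry have been accepted, roles under `resource_access` for a different client are never honoured, and a role the application has no entry for grants nothing, so a new realm role added in the admin console cannot silently widen access in this app.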
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/6ccb06bc/attachment.html

From malmi.suh at gmail.com Wed Feb 3 21:45:45 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Thu, 4 Feb 2016 08:15:45 +0530
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
In-Reply-To:
References: <56AB7318.6050009@redhat.com>
Message-ID:

Hi Bill,

We tried the above fix on top of 1.7.0 by applying the changes from the commits attached to https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it seems to have the same issue. If you have any further update on this please let us know.

Regards,
Malmi

On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen wrote:

> This could be related to https://issues.jboss.org/browse/KEYCLOAK-2327.
>
> It's already fixed in master, so if you can try it out that would be
> great. We should also have a 1.8.1.Final release this week with the fix in
> as well.
>
> On 30 January 2016 at 05:16, Malmi Samarasinghe wrote:
>
>> Hi Bill,
>>
>> We are using keycloak 1.7.0 and rdbms (mysql)
>>
>> Regards,
>> Malmi Samarasinghe
>> On Jan 29, 2016 7:41 PM, "Bill Burke" wrote:
>>
>>> Which version of keycloak? RDBMS or Mongo?
>>>
>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>
>>> Hi Everyone,
>>>
>>> In my application we create, retrieve and assign roles subsequently and it
>>> seems that even for a small load (2-3 threads) with the realm cache enabled
>>> option, the assign realm role call fails due to a role not exist error and 404 is
>>> returned from keycloak.
>>>
>>> With the realm cache disabled option the load works fine.
>>>
>>> Please get back to me if you have any information on any other option we
>>> can follow to get this issue sorted or on what action the realm cache will
>>> be persisted to DB.
>>> >>> Regards, >>> Malmi >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hathttp://bill.burkecentral.com >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160204/ea9652fd/attachment-0001.html From bburke at redhat.com Wed Feb 3 22:27:25 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 3 Feb 2016 22:27:25 -0500 Subject: [keycloak-user] Assign Role Fails Just After Creating the Role In-Reply-To: References: <56AB7318.6050009@redhat.com> Message-ID: <56B2C51D.3010800@redhat.com> Ok, I can try and reproduce this if you give me an idea of what exactly you are doing? Are you creating a user too? or assigning role to an existing user? 1. fetch user 2. create role 3. assign role Do this in a bunch of threads at same time? On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote: > Hi Bill, > > We tried the above fix on top of 1.7.0 by applying the changes from > the commits attached to the > https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it > seems to have the same issue. If you have any further update on this > please let us know. > > Regards, > Malmi > > On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen > wrote: > > This could be related to > https://issues.jboss.org/browse/KEYCLOAK-2327. > > It's already fixed in master, so if you can try it out that would > be great. 
We should also have a 1.8.1.Final release this week with > the fix in as well. > > On 30 January 2016 at 05:16, Malmi Samarasinghe > > wrote: > > Hi Bill, > > We are using keycloak 1.7.0 and rdbms (mysql) > > Regards, > Malmi Samarasinghe > > On Jan 29, 2016 7:41 PM, "Bill Burke" > wrote: > > Which version of keycloak? RDBMS or Mongo? > > On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote: >> Hi Everyone, >> >> In my application we create retrieve and assign role >> subsequently and it seems that even for a small load (2-3 >> threads) with realm cache enabled option, assign realm >> role call fails due to role not exist error and 404 is >> returned from keycloak. >> >> With the realm cache disabled option the load works fine. >> >> Please get back to me if you have any information on any >> other option we can follow to get this issue sorted or on >> what action the realm cache will be persisted to DB. >> >> Regards, >> Malmi >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/8d572d3f/attachment.html From bburke at redhat.com Wed Feb 3 22:30:29 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 3 Feb 2016 22:30:29 -0500 Subject: [keycloak-user] Assign Role Fails Just After Creating the Role In-Reply-To: References: <56AB7318.6050009@redhat.com> Message-ID: <56B2C5D5.8050702@redhat.com> Can you give me what REST invocations you are doing? How do you find the role? How do you create the role? etc... On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote: > Hi Bill, > > We tried the above fix on top of 1.7.0 by applying the changes from > the commits attached to the > https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it > seems to have the same issue. If you have any further update on this > please let us know. > > Regards, > Malmi > > On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen > wrote: > > This could be related to > https://issues.jboss.org/browse/KEYCLOAK-2327. > > It's already fixed in master, so if you can try it out that would > be great. We should also have a 1.8.1.Final release this week with > the fix in as well. > > On 30 January 2016 at 05:16, Malmi Samarasinghe > > wrote: > > Hi Bill, > > We are using keycloak 1.7.0 and rdbms (mysql) > > Regards, > Malmi Samarasinghe > > On Jan 29, 2016 7:41 PM, "Bill Burke" > wrote: > > Which version of keycloak? RDBMS or Mongo? > > On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote: >> Hi Everyone, >> >> In my application we create retrieve and assign role >> subsequently and it seems that even for a small load (2-3 >> threads) with realm cache enabled option, assign realm >> role call fails due to role not exist error and 404 is >> returned from keycloak. >> >> With the realm cache disabled option the load works fine. >> >> Please get back to me if you have any information on any >> other option we can follow to get this issue sorted or on >> what action the realm cache will be persisted to DB. 
>> >> Regards, >> Malmi >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160203/65e2d2de/attachment.html From beny.moser at gmail.com Thu Feb 4 05:09:55 2016 From: beny.moser at gmail.com (Benjamin Moser) Date: Thu, 4 Feb 2016 11:09:55 +0100 Subject: [keycloak-user] spring-security-adapter on wildfly: How? In-Reply-To: References: Message-ID: Hi Andrey Thank you for your response. This fixed my problem. Best regards Ben 2016-02-02 12:17 GMT+01:00 Andrey Saroul : > I had the same issue. > I missed the spring security initializer and so springSecurityFilterChain > was not registered. > I added this class in my app, and then all security worked just fine > > public class SecurityWebApplicationInitializer > extends AbstractSecurityWebApplicationInitializer { > } > > And by the way, no web.xml required at all if you use annotation config. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160204/4089cd42/attachment-0001.html From srinivas.nangunoori at hpe.com Thu Feb 4 05:24:35 2016 From: srinivas.nangunoori at hpe.com (Nangunoori, Srinivas) Date: Thu, 4 Feb 2016 10:24:35 +0000 Subject: [keycloak-user] Size of keyclaok_access_token Message-ID: <8FD052C8E2EC9B40B07B148AF2E1E77A3A00CF97@G9W0755.americas.hpqcorp.net> Hi, We are seeing some strange behavior with access token size. Some keycloak servers are generating with 1308 character size and some others are generating with 2055 character size. May I know what would be the correct size? Environment details, Server Version : 1.6.1.Final Current working directory: /opt/jboss Java Version: 1.7.0_85 Java Vendor: Oracle Corporation Java Runtime: OpenJDK Runtime Environment Java VM: OpenJDK 64-Bit Server VM Java VM Version: 24.85-b03 Java Home: /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre System Encoding: ANSI_X3.4-1968 Operating System: Linux 3.10.0-123.9.3.el7.x86_64 OS Architecture: amd64 Regards, Srinivas N HPE, Bengaluru -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160204/e9b75d3e/attachment.html From sthorger at redhat.com Thu Feb 4 05:57:21 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 4 Feb 2016 11:57:21 +0100 Subject: [keycloak-user] Size of keyclaok_access_token In-Reply-To: <8FD052C8E2EC9B40B07B148AF2E1E77A3A00CF97@G9W0755.americas.hpqcorp.net> References: <8FD052C8E2EC9B40B07B148AF2E1E77A3A00CF97@G9W0755.americas.hpqcorp.net> Message-ID: Size of the token depends on what goes into it. What roles, scope you have for users/clients as well as what mappers you have. On 4 February 2016 at 11:24, Nangunoori, Srinivas < srinivas.nangunoori at hpe.com> wrote: > Hi, > > > > We are seeing some strange behavior with access token size. 
> Some keycloak servers are generating with 1308 character size and some
> others are generating with 2055 character size.
>
> May I know what would be the correct size?
>
> Environment details,
>
> Server Version : 1.6.1.Final
> Current working directory: /opt/jboss
> Java Version: 1.7.0_85
> Java Vendor: Oracle Corporation
> Java Runtime: OpenJDK Runtime Environment
> Java VM: OpenJDK 64-Bit Server VM
> Java VM Version: 24.85-b03
> Java Home: /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
> System Encoding: ANSI_X3.4-1968
> Operating System: Linux 3.10.0-123.9.3.el7.x86_64
> OS Architecture: amd64
>
> Regards,
> Srinivas N
> HPE, Bengaluru
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160204/fc7727af/attachment.html

From parul.com at gmail.com Thu Feb 4 06:20:30 2016
From: parul.com at gmail.com (Arulkumar Ponnusamy)
Date: Thu, 4 Feb 2016 16:50:30 +0530
Subject: [keycloak-user] Does keycloak SAML sp support encryption?
Message-ID:

I have enabled encryption in the keycloak-saml file. However I don't see any encryption happening on the SAML request. Similarly, when the IdP sends an encrypted response, the Keycloak SP couldn't handle it and throws a null pointer exception. Is it a defect? I'm using HTTP POST binding.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160204/e7ee73a0/attachment.html

From malmi.suh at gmail.com Thu Feb 4 06:31:28 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Thu, 4 Feb 2016 17:01:28 +0530
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
In-Reply-To: <56B2C5D5.8050702@redhat.com>
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>
Message-ID:

Hi Bill,

Please find the workflow that we have implemented:

create user : POST : admin/realms/{realm}/users

*Method1* wraps the following API calls:
Create Realm role : POST : admin/realms/{realm}/roles
Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
Assign Role : POST : admin/realms/leapset/users/{0}/role-mappings/realm

Same for the client roles as well.

*Method1* is executed in multiple threads and the assign realm role API starts failing with 404 (keycloak log states role not found)

Regards,
Malmi

On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke wrote:

> Can you give me what REST invocations you are doing? How do you find the
> role? How do you create the role? etc...
>
> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>
> Hi Bill,
>
> We tried the above fix on top of 1.7.0 by applying the changes from the
> commits attached to the
> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it seems
> to have the same issue. If you have any further update on this please let
> us know.
>
> Regards,
> Malmi
>
> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen wrote:
>
>> This could be related to
>> https://issues.jboss.org/browse/KEYCLOAK-2327.
>>
>> It's already fixed in master, so if you can try it out that would be
>> great. We should also have a 1.8.1.Final release this week with the fix in
>> as well.
>>>
>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>> Hi Bill,
>>>>
>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>
>>>> Regards,
>>>> Malmi Samarasinghe
>>>>
>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>> Which version of keycloak? RDBMS or Mongo?
>>>>>
>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>> Hi Everyone,
>>>>>>
>>>>>> In my application we create, retrieve and assign a role subsequently, and
>>>>>> it seems that even for a small load (2-3 threads) with the realm cache
>>>>>> enabled option, the assign realm role call fails due to a "role not exist"
>>>>>> error and 404 is returned from keycloak.
>>>>>>
>>>>>> With the realm cache disabled option the load works fine.
>>>>>>
>>>>>> Please get back to me if you have any information on any other option
>>>>>> we can follow to get this issue sorted, or on what action the realm cache
>>>>>> will be persisted to DB.
>>>>>>
>>>>>> Regards,
>>>>>> Malmi
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
From sthorger at redhat.com Thu Feb 4 06:53:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 4 Feb 2016 12:53:41 +0100
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>

When you say method1 is executed in multiple threads, do you mean one thread creates the role and another retrieves it? Or do you have multiple threads creating different roles?

On 4 February 2016 at 12:31, Malmi Samarasinghe wrote:
> Hi Bill,
>
> Please find the workflow that we have implemented:
> Create user : POST : admin/realms/{realm}/users
>
> *Method1* wraps the following API calls:
> Create realm role : POST : admin/realms/{realm}/roles
> Retrieve role : GET : admin/realms/{realm}/roles/{roleName}
> Assign role : POST : admin/realms/leapset/users/{0}/role-mappings/realm
>
> Same for the client roles as well.
>
> *Method1* is executed in multiple threads and the assign realm role API
> starts failing with 404 (keycloak log states role not found).
>
> Regards,
> Malmi
From malmi.suh at gmail.com Thu Feb 4 10:08:49 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Thu, 4 Feb 2016 20:38:49 +0530
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>

Hi Stian,

I have multiple threads creating different roles. Basically one thread will execute all three APIs one after another.

Regards,
Malmi

On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen wrote:
> When you say method1 is executed in multiple threads, do you mean one
> thread creates the role and another retrieves it? Or do you have multiple
> threads creating different roles?
From sthorger at redhat.com Thu Feb 4 10:12:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 4 Feb 2016 16:12:27 +0100
Subject: [keycloak-user] Keycloak 1.8.1.Final and 1.9.0.CR1 released

Today we have two releases. As 1.8.0.Final was released before WildFly 10 Final was available, we decided to release 1.8.1.Final, which is now built on top of WildFly 10 Final.

The bigger release today is 1.9.0.CR1. This release contains a large number of bug fixes and improvements, but no major new features.

For the full list of issues resolved check out JIRA, and to download the release go to the Keycloak homepage.
From m.hayen at first8.nl Thu Feb 4 10:50:01 2016
From: m.hayen at first8.nl (Mark Hayen)
Date: Thu, 4 Feb 2016 16:50:01 +0100
Subject: [keycloak-user] invalid code errormessage
Message-ID: <56B37329.4060909@first8.nl>

Hi all,

We have a problem with the link in the reset password email. Sometimes, but not always, we get an error saying invalid code. This is the log entry:

type=RESET_PASSWORD_ERROR, realmId=master, clientId=null, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_code

Has anybody seen this error too? Is it maybe fixed in a newer version? We are running keycloak 1.4.0.Final.

Thank you,
Mark Hayen
First8

From malmi.suh at gmail.com Fri Feb 5 00:53:55 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Fri, 5 Feb 2016 11:23:55 +0530
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>

Hi Stian/Bill,

I just wanted to highlight that this issue only occurred when the realm cache enabled option is ON.

Regards,
Malmi

On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe wrote:
> Hi Stian,
>
> I have multiple threads creating different roles. Basically one thread
> will execute all three APIs one after another.
>
> Regards,
> Malmi
From anujgargcse at gmail.com Fri Feb 5 01:02:02 2016
From: anujgargcse at gmail.com (Anuj Garg)
Date: Fri, 5 Feb 2016 11:32:02 +0530
Subject: [keycloak-user] turning on Direct Grant API in keycloak 1.8.0.CR1

Can't find where the option is to turn on the Direct Grant API in keycloak 1.8.0.CR.

It was written somewhere: "switch in the admin console under Settings->General, specifically the "Direct Grant API" switch." But I can't find this in the admin console.

I know it is not good to use it, but I need to. Please tell me how to turn it on, or has it been removed from this release?

From pkkamos at gmail.com Fri Feb 5 02:16:26 2016
From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS)
Date: Fri, 5 Feb 2016 07:16:26 +0000
Subject: [keycloak-user] KeyCloak Admin Client : DEALING WITH [Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse)] ISSUE.
References: <56b1f3e1.8e811c0a.ca774.63f6@mx.google.com>
Message-ID: <56b44c26.42711c0a.25efd.4c16@mx.google.com>

Hello Stian,

I am very happy to share that Keycloak admin-client 1.9.0.CR1 is working for me. I would like to share 2 things I have done to get it working in a web context.

1. Dependency definition: org.keycloak:keycloak-admin-client:1.9.0.CR1

2. Created a jboss-deployment-structure.xml file and placed it in my WEB-INF folder, with the following content (this ensures Jackson2 is used) [Credit: https://docs.jboss.org/resteasy/docs/3.0.2.Final/userguide/html/json.html, 21.4.
Using Jackson 2.2.x Inside of JBoss AS7]:

Sent from Mail for Windows 10

From: Stian Thorgersen
Sent: Wednesday, February 3, 2016 12:57 PM
To: PAA KOJO KONDUAH AMOS
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KeyCloak Admin Client :

In the past the admin client required Jackson 1.x and didn't work with Jackson 2.x. This is being fixed in 1.9. To make it work you'll need to either wait for 1.9 or make your WAR use Jackson instead of Jackson 2. Check out the admin client example as it does exactly that.

On 3 February 2016 at 13:35, PAA KOJO KONDUAH AMOS wrote:

Hello,

I have tried out the KeyCloak Admin Client. In fact, I have done a standalone application which works nicely with the KeyCloak Server.

What I don't get is, when I port a similar thing into a web application context and deploy the same on WildFly, I keep getting the exception below:

Caused by: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"])

Any lead on how to resolve all these maven dependency issues?

Thanks.
From sthorger at redhat.com Fri Feb 5 03:41:22 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 09:41:22 +0100
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>

Confirmed this bug: https://issues.jboss.org/browse/KEYCLOAK-2458

On 5 February 2016 at 06:53, Malmi Samarasinghe wrote:
> Hi Stian/Bill,
>
> I just wanted to highlight that this issue only occurred when the realm cache
> enabled option is ON.
>
> Regards,
> Malmi
From malmi.suh at gmail.com Fri Feb 5 03:57:20 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Fri, 5 Feb 2016 14:27:20 +0530
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>

Hi Stian,

We have this in production. Is there any intermediary fix that we can do, or any workaround?

Regards,
Malmi

On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen wrote:
> Confirmed this bug: https://issues.jboss.org/browse/KEYCLOAK-2458
From srinivas.nangunoori at hpe.com Fri Feb 5 04:27:03 2016
From: srinivas.nangunoori at hpe.com (Nangunoori, Srinivas)
Date: Fri, 5 Feb 2016 09:27:03 +0000
Subject: [keycloak-user] Size of keyclaok_access_token
References: <8FD052C8E2EC9B40B07B148AF2E1E77A3A00CF97@G9W0755.americas.hpqcorp.net>
Message-ID: <8FD052C8E2EC9B40B07B148AF2E1E77A3A00D388@G9W0755.americas.hpqcorp.net>

Thanks for the info, Stian.

Can we configure the size of the access_token? If yes, how can we do that?

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, February 04, 2016 4:27 PM
To: Nangunoori, Srinivas
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Size of keyclaok_access_token

Size of the token depends on what goes into it. What roles, scope you have for users/clients as well as what mappers you have.
From sthorger at redhat.com Fri Feb 5 04:31:58 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 10:31:58 +0100
Subject: [keycloak-user] Size of keyclaok_access_token
In-Reply-To: <8FD052C8E2EC9B40B07B148AF2E1E77A3A00D388@G9W0755.americas.hpqcorp.net>
References: <8FD052C8E2EC9B40B07B148AF2E1E77A3A00CF97@G9W0755.americas.hpqcorp.net> <8FD052C8E2EC9B40B07B148AF2E1E77A3A00D388@G9W0755.americas.hpqcorp.net>

You can configure what goes into the token. There are two things you can do to reduce the size:

* Set the scope of your client to only include the roles the client requires
* Configure mappers for the client to control what other properties are included in the token

On 5 February 2016 at 10:27, Nangunoori, Srinivas <srinivas.nangunoori at hpe.com> wrote:
> Thanks for the info, Stian.
>
> Can we configure the size of the access_token? If yes, how can we do that?
> > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Thursday, February 04, 2016 4:27 PM > *To:* Nangunoori, Srinivas > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Size of keyclaok_access_token > > > > Size of the token depends on what goes into it. What roles, scope you have > for users/clients as well as what mappers you have. > > > > On 4 February 2016 at 11:24, Nangunoori, Srinivas < > srinivas.nangunoori at hpe.com> wrote: > > Hi, > > > > We are seeing some strange behavior with access token size. Some keycloak > servers are generating with 1308 character size and some others are > generating with 2055 character size. > > May I know what would be the correct size? > > Environment details, > > Server Version : 1.6.1.Final > > Current working directory: /opt/jboss > > Java Version: 1.7.0_85 > > Java Vendor: Oracle Corporation > > Java Runtime: OpenJDK Runtime Environment > > Java VM: OpenJDK 64-Bit Server VM > > Java VM Version: 24.85-b03 > > Java Home: > /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre > > System Encoding: ANSI_X3.4-1968 > > Operating System: Linux 3.10.0-123.9.3.el7.x86_64 > > OS Architecture: amd64 > > > > > > Regards, > > Srinivas N > > HPE, Bengaluru > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/a07ee618/attachment.html From pkkamos at gmail.com Fri Feb 5 04:41:57 2016 From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS) Date: Fri, 5 Feb 2016 09:41:57 +0000 Subject: [keycloak-user] Retrieving Logged In User Information. Message-ID: <56b46e3f.6507c20a.91457.7eff@mx.google.com> Hello, I am trying to retrieve information about the User logged into the webapp via keycloak. 
I have seen around information on using the following:

    @SecurityDomain("keycloak")

    @Context
    SecurityContext sc;

And

    KeycloakPrincipal principal = (KeycloakPrincipal) sc.getUserPrincipal();

But the above line is returning a NullPointerException.

I must say, I have already done the required configuration, as in enabling the Keycloak Subsystem within my app server's server configuration: standalone.xml.

Please, any lead on how to retrieve the logged in User via KeyCloak?

Sent from Mail for Windows 10

From sthorger at redhat.com Fri Feb 5 04:46:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 10:46:45 +0100
Subject: [keycloak-user] turning on Direct Grant API in keycloak 1.8.0.CR1

We removed the option to enable/disable direct grant on the realm level a long time ago. Instead you can control this on a per-client basis.

On 5 February 2016 at 07:02, Anuj Garg wrote:

> Can't find where the option to turn on Direct Grant API is in keycloak 1.8.0.CR
>
> It was written somewhere "switch in the admin console under Settings->General, specifically the "Direct Grant API" switch."
> But can't find this in admin console.
>
> I know it is not good to use it but I need to.
> Please tell how to turn it on, or has it been removed from this release?

From sthorger at redhat.com Fri Feb 5 04:50:04 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 10:50:04 +0100
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>

Either don't create roles concurrently or disable cache.

How frequently are you creating roles? Just wondering because if you do it will significantly impact the benefits of the cache, as we invalidate a large amount of the cache when roles are added/removed.

The problem you are seeing is most likely down to a race condition when the realm role list (or client role lists) are re-loaded after they are invalidated. I haven't had much time to look at it yet, so I don't know the exact cause or a solution.

On 5 February 2016 at 09:57, Malmi Samarasinghe wrote:

> Hi Stian,
>
> We have this in production. Is there any intermediary fix that we can do or any workaround?
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen wrote:
>
>> Confirmed this bug https://issues.jboss.org/browse/KEYCLOAK-2458
>>
>> On 5 February 2016 at 06:53, Malmi Samarasinghe wrote:
>>
>>> Hi Stian/Bill,
>>>
>>> I just wanted to highlight that this issue only occurred when the realm cache enabled option is ON.
>>>
>>> Regards,
>>> Malmi
>>>
>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe wrote:
>>>
>>>> Hi Stian
>>>>
>>>> I have multiple threads creating different roles. Basically one thread will execute all three APIs one after another.
>>>>
>>>> Regards,
>>>> Malmi
>>>>
>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen wrote:
>>>>
>>>>> When you say method1 is executed in multiple threads, do you mean one thread creates the role and another retrieves it? Or do you have multiple threads creating different roles?
>>>>>
>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe wrote:
>>>>>
>>>>>> Hi Bill,
>>>>>>
>>>>>> Please find the work flow that we have implemented:
>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>
>>>>>> *Method1* wraps the following API calls:
>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>> Assign Role : POST : admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>
>>>>>> Same for the client roles as well.
>>>>>>
>>>>>> *Method1* is executed in multiple threads and the assign realm role API starts failing with 404 (keycloak log states role not found).
>>>>>>
>>>>>> Regards,
>>>>>> Malmi
>>>>>>
>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke wrote:
>>>>>>
>>>>>>> Can you give me what REST invocations you are doing? How do you find the role? How do you create the role? etc...
>>>>>>>
>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>
>>>>>>> Hi Bill,
>>>>>>>
>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes from the commits attached to https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it seems to have the same issue. If you have any further update on this please let us know.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Malmi
>>>>>>>
>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>
>>>>>>>> This could be related to https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>
>>>>>>>> It's already fixed in master, so if you can try it out that would be great. We should also have a 1.8.1.Final release this week with the fix in as well.
>>>>>>>>
>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Bill,
>>>>>>>>>
>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Malmi Samarasinghe
>>>>>>>>>
>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Which version of keycloak? RDBMS or Mongo?
>>>>>>>>>>
>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Everyone,
>>>>>>>>>>
>>>>>>>>>> In my application we create, retrieve and assign a role subsequently, and it seems that even for a small load (2-3 threads) with the realm cache enabled option, the assign realm role call fails due to a role not exist error and 404 is returned from keycloak.
>>>>>>>>>>
>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>
>>>>>>>>>> Please get back to me if you have any information on any other option we can follow to get this issue sorted, or on what action the realm cache will be persisted to DB.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Malmi

From porfyrios.vasileiou at gmail.com Fri Feb 5 04:52:28 2016
From: porfyrios.vasileiou at gmail.com (Porfyrios Vasileiou)
Date: Fri, 5 Feb 2016 11:52:28 +0200
Subject: [keycloak-user] Keycloak saml v1.1 to oauth2 token

Hello,

I have a project that includes 2 client applications. In ONLY ONE of the clients (web application in angular) users login via a 3rd party authorization server that also has a login procedure where the user logs in and it returns a saml v1.1 xml token and then they can access the client. (This procedure cannot be changed.)

But I want this client to also be secured with keycloak so I can have a token that I can pass to my rest services that are also secured with keycloak.

Can I convert this saml v1.1 token to oauth2 via keycloak?
Once we have logged in I want to login this user to keycloak programmatically and get an oauth2 token instead that can be used for the rest services requests in the Bearer authentication header.

How can I do this?

I also want to say that the keycloak is set up to use the same active directory that the 3rd party authorization server is using to authenticate the users.

Is this possible?

Thanks,
Porfyrios

From sthorger at redhat.com Fri Feb 5 04:53:59 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 10:53:59 +0100
Subject: [keycloak-user] Retrieving Logged In User Information.
In-Reply-To: <56b46e3f.6507c20a.91457.7eff@mx.google.com>
References: <56b46e3f.6507c20a.91457.7eff@mx.google.com>

Did you actually add @SecurityDomain("keycloak")?

Does the request require authentication (does it have a security-constraint in web.xml)?

From pkkamos at gmail.com Fri Feb 5 04:57:33 2016
From: pkkamos at gmail.com (pkkamos)
Date: Fri, 5 Feb 2016 09:57:33 +0000
Subject: [keycloak-user] Retrieving Logged In User Information.
References: <56b46e3f.6507c20a.91457.7eff@mx.google.com>

Yes to both questions.

On 5 Feb 2016 09:53, "Stian Thorgersen" wrote:

> Did you actually add @SecurityDomain("keycloak")?
>
> Does the request require authentication (does it have a security-constraint in web.xml)?

From manfred.duchrow at caprica.biz Fri Feb 5 05:17:03 2016
From: manfred.duchrow at caprica.biz (manfred.duchrow at caprica.biz)
Date: Fri, 5 Feb 2016 11:17:03 +0100
Subject: [keycloak-user] access_token always contains JWT
Message-ID: <56B4769F.8080603@caprica.biz>

Hi,

I am trying to retrieve an access token from a Keycloak (1.8.0.Final) service account by
POST /auth/realms/myrealm/protocol/openid-connect/token
with grant_type=client_credentials.

The result contains a signed JWT as value of field "access_token" rather than a simple token as described in chapter 18 (Service Accounts) of the user guide.

So what I expect (need) is a response like this:

    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"bearer",
      "expires_in":60,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "refresh_expires_in":600,
      "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "not-before-policy":0,
      "session-state":"234234-234234-234234"
    }

Is there a way to configure the account or the realm to return a simple token in "access_token" (and "refresh_token") rather than a JWT?

Cheers,
Manfred

From pkkamos at gmail.com Fri Feb 5 05:29:14 2016
From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS)
Date: Fri, 5 Feb 2016 10:29:14 +0000
Subject: [keycloak-user] Retrieving Logged In User Information.
References: <56b46e3f.6507c20a.91457.7eff@mx.google.com>
Message-ID: <56b47956.9447620a.f3b5a.2e92@mx.google.com>

Hello Stian, my response in blue below.

> Did you actually add @SecurityDomain("keycloak")?

YES.

> Does the request require authentication (does it have a security-constraint in web.xml)?

YES; the request, say http://ip:port/context/index.html, will be routed to Keycloak for the requester to login. On successful log-in the requester is redirected back to the index.html. It is at this point I want to retrieve or know who the User is.

From Tero.Ahonen at cybercom.com Fri Feb 5 05:37:31 2016
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Fri, 5 Feb 2016 10:37:31 +0000
Subject: [keycloak-user] Retrieving Logged In User Information.
In-Reply-To: <56b47956.9447620a.f3b5a.2e92@mx.google.com>
References: <56b46e3f.6507c20a.91457.7eff@mx.google.com> <56b47956.9447620a.f3b5a.2e92@mx.google.com>

Hi,

Do you have an auth-constraint in web.xml?

    <auth-constraint>
        <role-name>somerolehere</role-name>
    </auth-constraint>

If there is no required role then no auth is needed.

.t
From pkkamos at gmail.com Fri Feb 5 05:45:13 2016
From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS)
Date: Fri, 5 Feb 2016 10:45:13 +0000
Subject: [keycloak-user] Retrieving Logged In User Information.
References: <56b46e3f.6507c20a.91457.7eff@mx.google.com> <56b47956.9447620a.f3b5a.2e92@mx.google.com>
Message-ID: <56b47d13.c615c20a.950c7.ffff924d@mx.google.com>

Hi,

This is my auth-constraint definition in my web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>keyconnect</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>customer</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

So, this is fine. Works well for me. I just want to, after a successful login, retrieve the User who logged in.

From Tero.Ahonen at cybercom.com Fri Feb 5 06:06:56 2016
From: Tero.Ahonen at cybercom.com (Tero Ahonen)
Date: Fri, 5 Feb 2016 11:06:56 +0000
Subject: [keycloak-user] Retrieving Logged In User Information.
In-Reply-To: <56b47d13.c615c20a.950c7.ffff924d@mx.google.com>
References: <56b46e3f.6507c20a.91457.7eff@mx.google.com> <56b47956.9447620a.f3b5a.2e92@mx.google.com> <56b47d13.c615c20a.950c7.ffff924d@mx.google.com>
Message-ID: <39211878-7970-4E6C-B34F-C0EB3E598D9C@cybercom.com>

What does request.getRemoteUser() return?

.t

From pkkamos at gmail.com Fri Feb 5 06:26:24 2016
From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS)
Date: Fri, 5 Feb 2016 11:26:24 +0000
Subject: [keycloak-user] Retrieving Logged In User Information.
In-Reply-To: <39211878-7970-4E6C-B34F-C0EB3E598D9C@cybercom.com>
References: <56b46e3f.6507c20a.91457.7eff@mx.google.com> <56b47956.9447620a.f3b5a.2e92@mx.google.com> <56b47d13.c615c20a.950c7.ffff924d@mx.google.com> <39211878-7970-4E6C-B34F-C0EB3E598D9C@cybercom.com>
Message-ID: <56b486ba.6a69c20a.37087.ffff9ebf@mx.google.com>

Hello Tero,

I have found my answer. Thanks to the lead from a friend, @Edem_Morny.

You see, I am using JSF (PrimeFaces) and so @Context HttpServletRequest didn't work for me. Rather, this worked. So rather than passing the HttpServletRequest using the @Context annotation, I obtain the same via the FacesContext:

    FacesContext context = FacesContext.getCurrentInstance();
    KeycloakSecurityContext session = (KeycloakSecurityContext) ((HttpServletRequest) context.getExternalContext()
            .getRequest()).getAttribute(KeycloakSecurityContext.class.getName());

So this works for me now.

Thanks greatly for your time.

From m.hayen at first8.nl Fri Feb 5 07:00:17 2016
From: m.hayen at first8.nl (Mark Hayen)
Date: Fri, 5 Feb 2016 13:00:17 +0100
Subject: [keycloak-user] changes in Email SPI
Message-ID: <56B48ED1.9080404@first8.nl>

Hi,

In keycloak 1.4.0.Final I've made a custom EmailSender, plugging into the Email SPI.
Now we're upgrading to 1.8.1.Final but I'm running into problems porting my existing EmailSender to 1.8.1.
From the docs I understand that it has been split up.

Have there been changes to the registration of the email SPI in keycloak-server.json?

How do I register the emailtemplate and emailsender providers?
Thank you Mark Hayen First8 From sthorger at redhat.com Fri Feb 5 07:06:39 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 5 Feb 2016 13:06:39 +0100 Subject: [keycloak-user] changes in Email SPI In-Reply-To: <56B48ED1.9080404@first8.nl> References: <56B48ED1.9080404@first8.nl> Message-ID: I don't quite understand what your problem is. If you where able to register and configure a custom provider for email SPI in the past it seems you know what to do. Taking a guess what you are doing is trying to register a provider using "email" in keycloak-server.json. As the migration docs states there is no longer a single "email" SPI, instead there are now "emailTemplate" and "emailSender". On 5 February 2016 at 13:00, Mark Hayen wrote: > Hi, > > In keycloak 1.4.0.Final I've made a custom EmailSender, plugging into > the Email SPI. > Now we're upgrading to 1.8.1.Final but I'm running into problems porting > my existing > EmailSender to 1.8.1. > From the docs I understand that it has been split up. > > Has there been changes to the registration of the email SPI in > keycloak-server.json? > > How do I register the emailtemplate and emailsender providers? > > Thank you > Mark Hayen > First8 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/f5e00449/attachment.html From sthorger at redhat.com Fri Feb 5 07:10:05 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 5 Feb 2016 13:10:05 +0100 Subject: [keycloak-user] access_token always contains JWT In-Reply-To: <56B4769F.8080603@caprica.biz> References: <56B4769F.8080603@caprica.biz> Message-ID: There's no such thing as a "simple token". Tokens are always a signed JWT. 
On 5 February 2016 at 11:17, wrote:

> Hi,
>
> I am trying to retrieve an access token from a Keycloak (1.8.0.Final) service account by
>
>     POST /auth/realms/myrealm/protocol/openid-connect/token
>
> with grant_type=client_credentials.
>
> The result contains a signed JWT as value of field "access_token" rather than a simple token as described in chapter 18 (Service Accounts) of the user guide.
>
> So what I expect (need) is a response like this:
>
>     {
>       "access_token":"2YotnFZFEjr1zCsicMWpAA",
>       "token_type":"bearer",
>       "expires_in":60,
>       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>       "refresh_expires_in":600,
>       "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>       "not-before-policy":0,
>       "session-state":"234234-234234-234234"
>     }
>
> Is there a way to configure the account or the realm to return a simple token in "access_token" (and "refresh_token") rather than a JWT?
>
> Cheers,
> Manfred

From sthorger at redhat.com Fri Feb 5 07:12:21 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 13:12:21 +0100
Subject: [keycloak-user] invalid code errormessage
In-Reply-To: <56B37329.4060909@first8.nl>
References: <56B37329.4060909@first8.nl>
Message-ID:

The link is probably expired. By default these links are only valid for 5 minutes (may have been 10 in 1.4). You can configure this in the tokens settings in the admin console, it's "Login action timeout".

On 4 February 2016 at 16:50, Mark Hayen wrote:

> Hi all,
>
> We have a problem with the link in the reset password email. Sometimes, but not always, we get an error saying invalid code.
> This is the log entry:
>
>     type=RESET_PASSWORD_ERROR, realmId=master, clientId=null, userId=null, ipAddress=xxx.xxx.xxx.xxx, error=invalid_code
>
> Has anybody seen this error too? Is it maybe fixed in a newer version? We are running keycloak 1.4.0.Final.
>
> Thank you
>
> Mark Hayen
> First8

From sthorger at redhat.com Fri Feb 5 07:13:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 13:13:54 +0100
Subject: [keycloak-user] KeyCloak Admin Client : DEALING WITH [Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse)] ISSUE.
In-Reply-To: <56b44c26.42711c0a.25efd.4c16@mx.google.com>
References: <56b1f3e1.8e811c0a.ca774.63f6@mx.google.com> <56b44c26.42711c0a.25efd.4c16@mx.google.com>
Message-ID:

On 5 February 2016 at 08:16, PAA KOJO KONDUAH AMOS wrote:

> Hello Stian, I am very happy to share that Keycloak admin-client 1.9.0.CR1 is working for me. I would like to share 2 things I have done to get it working in a web context.
>
> 1. Dependency definition:
>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-admin-client</artifactId>
>         <version>1.9.0.CR1</version>
>     </dependency>
>
> 2. Created a jboss-deployment-structure.xml file, placed it in my WEB-INF folder, with the following content (this ensures Jackson2 is used) [Credit: https://docs.jboss.org/resteasy/docs/3.0.2.Final/userguide/html/json.html, 21.4.
> Using Jackson 2.2.x Inside of JBoss AS7]:
>
>     <jboss-deployment-structure>
>         <deployment>
>             <exclusions>
>                 <module name="org.jboss.resteasy.resteasy-jackson-provider" />
>             </exclusions>
>             <dependencies>
>                 <module name="org.jboss.resteasy.resteasy-jackson2-provider" services="import" />
>             </dependencies>
>         </deployment>
>     </jboss-deployment-structure>

You shouldn't need the jboss-deployment-structure.xml at all if you are using a recent version of WildFly as Jackson2 is the default.

> Sent from Mail for Windows 10
>
>> From: Stian Thorgersen
>> Sent: Wednesday, February 3, 2016 12:57 PM
>> To: PAA KOJO KONDUAH AMOS
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] KeyCloak Admin Client :
>>
>> In the past the admin client required Jackson 1.x and didn't work with Jackson 2.x. This is being fixed in 1.9.
>>
>> To make it work you'll need to either wait for 1.9 or make your WAR use Jackson instead of Jackson 2. Check out the admin client example as it does exactly that.
>>
>> On 3 February 2016 at 13:35, PAA KOJO KONDUAH AMOS wrote:
>>
>>> Hello, I have tried out KeyCloak Admin Client. In fact, I have done a standalone application which works nicely with KeyCloak Server.
>>>
>>> What I don't get is, when I port a similar thing into a web application context and deploy same on wildfly I keep getting the Exception below:
>>>
>>>     Caused by: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"])
>>>
>>> Any lead on how to resolve all these maven dependency issues?
>>>
>>> Thanks.
>>> Sent from Mail for Windows 10

From pkkamos at gmail.com Fri Feb 5 07:35:48 2016
From: pkkamos at gmail.com (PAA KOJO KONDUAH AMOS)
Date: Fri, 5 Feb 2016 12:35:48 +0000
Subject: [keycloak-user] KeyCloak Admin Client : DEALING WITH [Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse)] ISSUE.
In-Reply-To:
References: <56b1f3e1.8e811c0a.ca774.63f6@mx.google.com> <56b44c26.42711c0a.25efd.4c16@mx.google.com>
Message-ID: <56b496ff.a3e8420a.ba474.4523@mx.google.com>

Ok. Noted. Thanks Kindly.

Sent from Mail for Windows 10

From: Stian Thorgersen
Sent: Friday, February 5, 2016 12:13 PM
To: PAA KOJO KONDUAH AMOS
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KeyCloak Admin Client : DEALING WITH [Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse)] ISSUE.

On 5 February 2016 at 08:16, PAA KOJO KONDUAH AMOS wrote:

Hello Stian, I am very happy to share that Keycloak admin-client 1.9.0.CR1 is working for me. I would like to share 2 things I have done to get it working in a web context.

1. Dependency definition:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-admin-client</artifactId>
        <version>1.9.0.CR1</version>
    </dependency>

2. Created a jboss-deployment-structure.xml file, placed it in my WEB-INF folder, with the following content (this ensures Jackson2 is used) [Credit: https://docs.jboss.org/resteasy/docs/3.0.2.Final/userguide/html/json.html, 21.4. Using Jackson 2.2.x Inside of JBoss AS7]:
    <jboss-deployment-structure>
        <deployment>
            <exclusions>
                <module name="org.jboss.resteasy.resteasy-jackson-provider" />
            </exclusions>
            <dependencies>
                <module name="org.jboss.resteasy.resteasy-jackson2-provider" services="import" />
            </dependencies>
        </deployment>
    </jboss-deployment-structure>

You shouldn't need the jboss-deployment-structure.xml at all if you are using a recent version of WildFly as Jackson2 is the default.

Sent from Mail for Windows 10

From: Stian Thorgersen
Sent: Wednesday, February 3, 2016 12:57 PM
To: PAA KOJO KONDUAH AMOS
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] KeyCloak Admin Client :

In the past the admin client required Jackson 1.x and didn't work with Jackson 2.x. This is being fixed in 1.9.

To make it work you'll need to either wait for 1.9 or make your WAR use Jackson instead of Jackson 2. Check out the admin client example as it does exactly that.

On 3 February 2016 at 13:35, PAA KOJO KONDUAH AMOS wrote:

Hello, I have tried out KeyCloak Admin Client. In fact, I have done a standalone application which works nicely with KeyCloak Server.

What I don't get is, when I port a similar thing into a web application context and deploy same on wildfly I keep getting the Exception below:

    Caused by: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"])

Any lead on how to resolve all these maven dependency issues?

Thanks.

Sent from Mail for Windows 10
From prabhalar at yahoo.com Fri Feb 5 07:47:03 2016
From: prabhalar at yahoo.com (Raghuram Prabhala)
Date: Fri, 5 Feb 2016 12:47:03 +0000 (UTC)
Subject: [keycloak-user] access_token always contains JWT
In-Reply-To:
References:
Message-ID: <355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com>

Access token is implementation specific. Some commercial software has the concept of "reference tokens", which are nothing but random strings as indicated below. The clients have to query back the Authorization server to get a validated JWT token.

From: Stian Thorgersen
To: manfred.duchrow at caprica.biz
Cc: keycloak-user
Sent: Friday, February 5, 2016 7:10 AM
Subject: Re: [keycloak-user] access_token always contains JWT

There's no such thing as a "simple token". Tokens are always a signed JWT.

On 5 February 2016 at 11:17, wrote:

Hi,

I am trying to retrieve an access token from a Keycloak (1.8.0.Final) service account by

    POST /auth/realms/myrealm/protocol/openid-connect/token

with grant_type=client_credentials.

The result contains a signed JWT as value of field "access_token" rather than a simple token as described in chapter 18 (Service Accounts) of the user guide.

So what I expect (need) is a response like this:

    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"bearer",
      "expires_in":60,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "refresh_expires_in":600,
      "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "not-before-policy":0,
      "session-state":"234234-234234-234234"
    }

Is there a way to configure the account or the realm to return a simple token in "access_token" (and "refresh_token") rather than a JWT?
Cheers,
Manfred

From malmi.suh at gmail.com Fri Feb 5 07:50:47 2016
From: malmi.suh at gmail.com (Malmi Samarasinghe)
Date: Fri, 5 Feb 2016 18:20:47 +0530
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
In-Reply-To:
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>
Message-ID:

Hi Stian,

Thank you very much for looking into the issue. We tried with around 6 role creations per second, and I tried switching off the realm cache and it had a negative impact on the performance of other APIs.

Really appreciate it if you could suggest a rough timeline for a fix date.

Regards,
Malmi

On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen wrote:

> Either don't create roles concurrently or disable cache.
>
> How frequently are you creating roles? Just wondering because if you do it will significantly impact the benefits of the cache as we invalidate a large amount of the cache when roles are added/removed.
>
> The problem you are seeing is most likely down to a race condition when the realm role list (or client role lists) are re-loaded after they are invalidated. I haven't had much time to look at it yet, so I don't know the exact cause or a solution.
>
> On 5 February 2016 at 09:57, Malmi Samarasinghe wrote:
>
>> Hi Stian,
>>
>> We have this in production; is there any intermediary fix that we can do or any workaround?
>>
>> Regards,
>> Malmi
>>
>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen wrote:
>>
>>> Confirmed this bug https://issues.jboss.org/browse/KEYCLOAK-2458
>>>
>>> On 5 February 2016 at 06:53, Malmi Samarasinghe wrote:
>>>
>>>> Hi Stian/Bill,
>>>>
>>>> I just wanted to highlight that this issue only occurred when the realm cache enabled option is ON.
>>>>
>>>> Regards,
>>>> Malmi
>>>>
>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe wrote:
>>>>
>>>>> Hi Stian
>>>>>
>>>>> I have multiple threads creating different roles. Basically one thread will execute all three apis one after another.
>>>>>
>>>>> Regards,
>>>>> Malmi
>>>>>
>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen wrote:
>>>>>
>>>>>> When you say method1 is executed in multiple threads, do you mean one thread creates the role and another retrieves it? Or do you have multiple threads creating different roles?
>>>>>>
>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe wrote:
>>>>>>
>>>>>>> Hi Bill,
>>>>>>>
>>>>>>> Please find the work flow that we have implemented
>>>>>>> create user : POST : admin/realms/{realm}/users
>>>>>>>
>>>>>>> *Method1* wraps the following API calls
>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles
>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
>>>>>>> Assign Role : POST : admin/realms/leapset/users/{0}/role-mappings/realm
>>>>>>>
>>>>>>> Same for the client roles as well.
>>>>>>>
>>>>>>> *Method1* is executed in multiple threads and the assign realm role API starts failing with 404 (keycloak log states role not found)
>>>>>>>
>>>>>>> Regards,
>>>>>>> Malmi
>>>>>>>
>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke wrote:
>>>>>>>
>>>>>>>> Can you give me what REST invocations you are doing? How do you find the role? How do you create the role? etc...
>>>>>>>>
>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>>>>>>>>
>>>>>>>> Hi Bill,
>>>>>>>>
>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes from the commits attached to https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it seems to have the same issue. If you have any further update on this please let us know.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Malmi
>>>>>>>>
>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> This could be related to https://issues.jboss.org/browse/KEYCLOAK-2327.
>>>>>>>>>
>>>>>>>>> It's already fixed in master, so if you can try it out that would be great. We should also have a 1.8.1.Final release this week with the fix in as well.
>>>>>>>>>
>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe <malmi.suh at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Bill,
>>>>>>>>>>
>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql)
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Malmi Samarasinghe
>>>>>>>>>>
>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" <bburke at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Which version of keycloak? RDBMS or Mongo?
>>>>>>>>>>>
>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Everyone,
>>>>>>>>>>>
>>>>>>>>>>> In my application we create, retrieve and assign role subsequently and it seems that even for a small load (2-3 threads) with the realm cache enabled option, the assign realm role call fails due to a role not exist error and 404 is returned from keycloak.
>>>>>>>>>>>
>>>>>>>>>>> With the realm cache disabled option the load works fine.
>>>>>>>>>>>
>>>>>>>>>>> Please get back to me if you have any information on any other option we can follow to get this issue sorted or on what action the realm cache will be persisted to DB.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Malmi
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Bill Burke
>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com

From thomas.darimont at googlemail.com Fri Feb 5 07:59:03 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 5 Feb 2016 13:59:03 +0100
Subject: [keycloak-user] Realm wide custom id / access token claims.
Message-ID:

Hello group,

In my user model I have a custom user attribute that I want to make available to multiple clients via the id / access token with just one definition. Is this already possible somehow?
Currently one can define custom mappers for a single client via (in the Admin Console):

    Realm -> Clients -> example-client -> Mappers -> create

There I can specify a new mapper of type "user attribute" where I can refer to the actual user attribute, give it a "token claim name" (e.g. "myattribute") and specify whether this should be included in the ID and / or access token.

The user attribute in the token can then be accessed from within the client via:

    KeycloakSecurityContext.getIdToken().getOtherClaims().get("myattribute")

This approach however requires that I configure this for every client - for which I already have 10 (trend: upwards)...

It would make things a lot easier if it were possible to specify those mappers realm wide...

PS: I'm currently using Keycloak 1.9.0.CR1

Cheers,
Thomas

From bburke at redhat.com Fri Feb 5 08:42:35 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 5 Feb 2016 08:42:35 -0500
Subject: [keycloak-user] Assign Role Fails Just After Creating the Role
In-Reply-To:
References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com>
Message-ID: <56B4A6CB.3020507@redhat.com>

1.9.0.Final will have it...

On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote:

> Hi Stian,
>
> Thank you very much for looking into the issue. We tried with around 6 role creations per second, and I tried switching off the realm cache and it had a negative impact on the performance of other APIs.
>
> Really appreciate it if you could suggest a rough timeline for a fix date.
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen wrote:
>
> Either don't create roles concurrently or disable cache.
>
> How frequently are you creating roles?
> Just wondering because if you do it will significantly impact the benefits of the cache as we invalidate a large amount of the cache when roles are added/removed.
>
> The problem you are seeing is most likely down to a race condition when the realm role list (or client role lists) are re-loaded after they are invalidated. I haven't had much time to look at it yet, so I don't know the exact cause or a solution.
>
> On 5 February 2016 at 09:57, Malmi Samarasinghe wrote:
>
> Hi Stian,
>
> We have this in production; is there any intermediary fix that we can do or any workaround?
>
> Regards,
> Malmi
>
> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen wrote:
>
> Confirmed this bug https://issues.jboss.org/browse/KEYCLOAK-2458
>
> On 5 February 2016 at 06:53, Malmi Samarasinghe wrote:
>
> Hi Stian/Bill,
>
> I just wanted to highlight that this issue only occurred when the realm cache enabled option is ON.
>
> Regards,
> Malmi
>
> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe wrote:
>
> Hi Stian
>
> I have multiple threads creating different roles. Basically one thread will execute all three apis one after another.
>
> Regards,
> Malmi
>
> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen wrote:
>
> When you say method1 is executed in multiple threads, do you mean one thread creates the role and another retrieves it? Or do you have multiple threads creating different roles?
>
> On 4 February 2016 at 12:31, Malmi Samarasinghe wrote:
>
> Hi Bill,
>
> Please find the work flow that we have implemented
> create user : POST : admin/realms/{realm}/users
>
> *Method1* wraps the following API calls
> Create Realm role : POST : admin/realms/{realm}/roles
> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName}
> Assign Role : POST : admin/realms/leapset/users/{0}/role-mappings/realm
>
> Same for the client roles as well.
>
> *Method1* is executed in multiple threads and the assign realm role API starts failing with 404 (keycloak log states role not found)
>
> Regards,
> Malmi
>
> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke wrote:
>
> Can you give me what REST invocations you are doing? How do you find the role? How do you create the role? etc...
>
> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote:
>> Hi Bill,
>>
>> We tried the above fix on top of 1.7.0 by applying the changes from the commits attached to https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and it seems to have the same issue. If you have any further update on this please let us know.
>>
>> Regards,
>> Malmi
>>
>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen wrote:
>>
>> This could be related to https://issues.jboss.org/browse/KEYCLOAK-2327.
>>
>> It's already fixed in master, so if you can try it out that would be great. We should also have a 1.8.1.Final release this week with the fix in as well.
>>
>> On 30 January 2016 at 05:16, Malmi Samarasinghe wrote:
>>
>> Hi Bill,
>>
>> We are using keycloak 1.7.0 and rdbms (mysql)
>>
>> Regards,
>> Malmi Samarasinghe
>>
>> On Jan 29, 2016 7:41 PM, "Bill Burke" wrote:
>>
>> Which version of keycloak? RDBMS or Mongo?
>>
>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote:
>>> Hi Everyone,
>>>
>>> In my application we create, retrieve and assign role subsequently and it seems that even for a small load (2-3 threads) with the realm cache enabled option, the assign realm role call fails due to a role not exist error and 404 is returned from keycloak.
>>>
>>> With the realm cache disabled option the load works fine.
>>>
>>> Please get back to me if you have any information on any other option we can follow to get this issue sorted or on what action the realm cache will be persisted to DB.
>>>
>>> Regards,
>>> Malmi
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From thomas.darimont at googlemail.com Fri Feb 5 08:48:35 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 5 Feb 2016 14:48:35 +0100
Subject: [keycloak-user] Default client for a realm
Message-ID:

Hi group,

I have multiple realms and a list of clients registered within each realm. For each realm I'd like to configure a "default" client that can be used as a redirect fallback if no client or redirect_uri was specified in requests.

The usecase is to provide some kind of "home" or "launchpad" service where users are redirected to in case they don't know or didn't specify where to go. The launchpad would then present a "fancy selection" of all the apps (clients) that are available to the current user, somewhat comparable to the https://www.google.de/intl/de/about/products/ page.

Is this already possible or considered as a feature?

A default "default" client could be the account application.
A quick hack I could think of would be to define a client with the name "default" (or another well-known name) and register a custom endpoint in Keycloak that would accept the client_id as a url parameter and redirect to the configured client base url.

Cheers,
Thomas

From thomas.raehalme at aitiofinland.com Fri Feb 5 08:55:19 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Fri, 5 Feb 2016 15:55:19 +0200
Subject: [keycloak-user] Default client for a realm
In-Reply-To:
References:
Message-ID:

Hi!

How about just a default redirect URL where the user is redirected when it's appropriate to return back to the application? The redirection could be immediate or a link on the error view.

I think this would help avoid a lot of confusion when Keycloak for a reason or another is not aware of the client and needs to abort the process.

Best regards,
Thomas

On Fri, Feb 5, 2016 at 3:48 PM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:

> Hi group,
>
> I have multiple realms and a list of clients registered within each realm. For each realm I'd like to configure a "default" client that can be used as a redirect fallback if no client or redirect_uri was specified in requests.
>
> The usecase is to provide some kind of "home" or "launchpad" service where users are redirected to in case they don't know or didn't specify where to go. The launchpad would then present a "fancy selection" of all the apps (clients) that are available to the current user, somewhat comparable to the https://www.google.de/intl/de/about/products/ page.
>
> Is this already possible or considered as a feature?
>
> A default "default" client could be the account application.
>
> A quick hack I could think of would be to define a client with the name "default" (or another well-known name) and register a custom endpoint in Keycloak that would accept the client_id as a url parameter and redirect to the configured client base url.
>
> Cheers,
> Thomas

From sthorger at redhat.com Fri Feb 5 08:59:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Feb 2016 14:59:31 +0100
Subject: [keycloak-user] Default client for a realm
In-Reply-To:
References:
Message-ID:

Missing client_id or redirect_uri are errors and should not just be masked by redirecting the user to a random location. You can customize the error page though to make it more friendly to your users, as well as including a link to your apps page.

FYI we actually want to eventually have a clients page like https://www.google.de/intl/de/about/products/ which lists all clients available in the realm.

On 5 February 2016 at 14:48, Thomas Darimont wrote:

> Hi group,
>
> I have multiple realms and a list of clients registered within each realm. For each realm I'd like to configure a "default" client that can be used as a redirect fallback if no client or redirect_uri was specified in requests.
>
> The usecase is to provide some kind of "home" or "launchpad" service where users are redirected to in case they don't know or didn't specify where to go. The launchpad would then present a "fancy selection" of all the apps (clients) that are available to the current user, somewhat comparable to the https://www.google.de/intl/de/about/products/ page.
>
> Is this already possible or considered as a feature?
>
> A default "default" client could be the account application.
>
> A quick hack I could think of would be to define a client with the name "default" (or another well-known name) and register a custom endpoint in Keycloak that would accept the client_id as a url parameter and redirect to the configured client base url.
>
> Cheers,
> Thomas

From thomas.darimont at googlemail.com Fri Feb 5 09:02:19 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 5 Feb 2016 15:02:19 +0100
Subject: [keycloak-user] Default client for a realm
In-Reply-To:
References:
Message-ID:

Hoi,

I had the same idea initially but then I thought that simply tagging a client as "default" would be more flexible since you have all the client metadata, role support etc.

Cheers,
Thomas

2016-02-05 14:55 GMT+01:00 Thomas Raehalme:

> Hi!
>
> How about just a default redirect URL where the user is redirected when it's appropriate to return back to the application? The redirection could be immediate or a link on the error view.
>
> I think this would help avoid a lot of confusion when Keycloak for a reason or another is not aware of the client and needs to abort the process.
>
> Best regards,
> Thomas
>
> On Fri, Feb 5, 2016 at 3:48 PM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>
>> Hi group,
>>
>> I have multiple realms and a list of clients registered within each realm. For each realm I'd like to configure a "default" client that can be used as a redirect fallback if no client or redirect_uri was specified in requests.
>> >> The usecase is to provide some kind of "home" or "launchpad" service >> where users are redirected to in case >> they don't know or didn't specify where to go. >> The launchpad would then present a "fancy selection" of all the apps >> (clients) that are available to the current user, >> somewhat comparable to the https://www.google.de/intl/de/about/products/ >> page. >> >> Is this already possible or considered as a feature? >> >> A default "default" client could be the account application. >> >> A quick hack I could think of would be to define a client with the name >> "default" (or another well-known name) >> and register a custom endpoint in Keycloak that would accept the >> client_id as a url parameter and redirect to the >> configured client base url. >> >> Cheers, >> Thomas >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/780fbf1a/attachment.html From sthorger at redhat.com Fri Feb 5 09:03:08 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 5 Feb 2016 15:03:08 +0100 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: On 5 February 2016 at 14:55, Thomas Raehalme < thomas.raehalme at aitiofinland.com> wrote: > Hi! > > How about just a default redirect URL where the user is redirected when > it's appropriate to return back to the application? > The redirection could be immediate or a link on the error view. > Errors should not be masked and you can already customize the error page to add a link > > I think this would help avoid a lot of confusion when Keycloak for a > reason or another is not aware of the client and needs to abort the process. 
> There are only a few cases where the client isn't known and I don't think this is a good solution for either of those: * Admin sends email action to user - a better solution here would be to allow admin to select a client * Client session times out and is garbage collected - we could add client uuid to the client session code which would mean it's always available * Client is not specified - this is an error in your application and should not just be masked. Solution to make it more friendly is to improve error page > > Best regards, > Thomas > > > On Fri, Feb 5, 2016 at 3:48 PM, Thomas Darimont < > thomas.darimont at googlemail.com> wrote: > >> Hi group, >> >> I have multiple realms and a list of clients registered within each >> realm. For each realm I'd like to configure >> a "default" client that can be used as a redirect fallback if no client >> or redirect_uri was specified in requests. >> >> The usecase is to provide some kind of "home" or "launchpad" service >> where users are redirected to in case >> they don't know or didn't specify where to go. >> The launchpad would then present a "fancy selection" of all the apps >> (clients) that are available to the current user, >> somewhat comparable to the https://www.google.de/intl/de/about/products/ >> page. >> >> Is this already possible or considered as a feature? >> >> A default "default" client could be the account application. >> >> A quick hack I could think of would be to define a client with the name >> "default" (or another well-known name) >> and register a custom endpoint in Keycloak that would accept the >> client_id as a url parameter and redirect to the >> configured client base url. 
>> >> Cheers, >> Thomas >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/79f2fb4f/attachment-0001.html From bburke at redhat.com Fri Feb 5 09:05:30 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 5 Feb 2016 09:05:30 -0500 Subject: [keycloak-user] Realm wide custom id / access token claims. In-Reply-To: References: Message-ID: <56B4AC2A.3020201@redhat.com> See ClientTemplates On 2/5/2016 7:59 AM, Thomas Darimont wrote: > Hello group, > > In my user model I have a custom user attribute that I want to make > available to multiple > clients via the id / access token with just one definition. Is this > already possible somehow? > > Currently one can define custom mappers for a single client via: > (In Admin Console) Realm -> Clients -> example-client -> Mappers -> create > > There I can specify a new mapper of type "user attribute" where I can > refer to the actual user attribute, give it a "token claim name" (e.g. > "myattribute") and specify whether this should be included in the ID > and / or access token. > > The user attribute in the token can then be accessed from within the > client via: > KeycloakSecurityContext:getIdToken().getOtherClaims().get("myattribute") > > This approach however requires that I configure this for every client > - for which I already have 10 (trend: upwards)... > It would make things a lot easier if it were possible to specify those > mappers realm wide... 
> > PS: I'm currently using Keycloak 1.9.0.CR1 > > Cheers, > Thomas > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/7024b2a6/attachment.html From thomas.darimont at googlemail.com Fri Feb 5 09:15:31 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 5 Feb 2016 15:15:31 +0100 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: Hello Stian, Hello Thomas, yes I understand that - and I agree that falling back to the default client in case of a missing client is not a good idea. However I think it would be very helpful to be able to initiate a redirect from one client to another client (that is just known by client_id) for the use case I outlined above -> e.g. redirecting to a "launchpad" app. E.g.: https://keycloak-server:8080/auth/realms/my-realm/redirect?client_id=my-default-client -> would redirect to the my-default-client base url. https://keycloak-server:8080/auth/realms/my-realm/redirect -> would redirect to the client marked as "default" @Thomas Initially I also thought about having a default redirect url per realm but then I thought that simply referring to a client_id and let keycloak redirect the user appropriately would be more flexible, especially because you can then also leverage all the client metadata that is available for a client (name, description etc.). Cheers, Thomas 2016-02-05 15:03 GMT+01:00 Stian Thorgersen : > > > On 5 February 2016 at 14:55, Thomas Raehalme < > thomas.raehalme at aitiofinland.com> wrote: > >> Hi! >> >> How about just a default redirect URL where the user is redirected when >> it's appropriate to return back to the application? 
>> The redirection could be immediate or a link on the error view. >> > > Errors should not be masked and you can already customize the error page > to add a link > > >> >> I think this would help avoid a lot of confusion when Keycloak for a >> reason or another is not aware of the client and needs to abort the process. >> > > There are only a few cases where the client isn't known and I don't think > this is a good solution for either of those: > > * Admin sends email action to user - a better solution here would be to > allow admin to select a client > * Client session times out and is garbage collected - we could add client > uuid to the client session code which would mean it's always available > * Client is not specified - this is an error in your application and > should not just be masked. Solution to make it more friendly is to improve > error page > > >> >> Best regards, >> Thomas >> >> >> On Fri, Feb 5, 2016 at 3:48 PM, Thomas Darimont < >> thomas.darimont at googlemail.com> wrote: >> >>> Hi group, >>> >>> I have multiple realms and a list of clients registered within each >>> realm. For each realm I'd like to configure >>> a "default" client that can be used as a redirect fallback if no client >>> or redirect_uri was specified in requests. >>> >>> The usecase is to provide some kind of "home" or "launchpad" service >>> where users are redirected to in case >>> they don't know or didn't specify where to go. >>> The launchpad would then present a "fancy selection" of all the apps >>> (clients) that are available to the current user, >>> somewhat comparable to the https://www.google.de/intl/de/about/products/ >>> page. >>> >>> Is this already possible or considered as a feature? >>> >>> A default "default" client could be the account application. 
>>> >>> A quick hack I could think of would be to define a client with the name >>> "default" (or another well-known name) >>> and register a custom endpoint in Keycloak that would accept the >>> client_id as a url parameter and redirect to the >>> configured client base url. >>> >>> Cheers, >>> Thomas >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/502b2cb6/attachment.html From manfred.duchrow at caprica.biz Fri Feb 5 09:17:40 2016 From: manfred.duchrow at caprica.biz (manfred.duchrow at caprica.biz) Date: Fri, 5 Feb 2016 15:17:40 +0100 Subject: [keycloak-user] access_token always contains JWT In-Reply-To: <355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com> References: <355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com> Message-ID: <56B4AF04.4080608@caprica.biz> Yes, that's true (even for some open source software too). So am I supposed to put this JWT access token into the Authorization request header as Bearer value to authorize a request? The access token I got from Keycloak is over 5000 characters long! On 05.02.2016 13:47, Raghuram Prabhala wrote: > Access token is implementation specific. Some commercial software have > the concept of "reference tokens" which are nothing but random strings > indicated below. 
The clients have to query back the Authorization > server to get a validated JWT token > > > > ------------------------------------------------------------------------ > *From:* Stian Thorgersen > *To:* manfred.duchrow at caprica.biz > *Cc:* keycloak-user > *Sent:* Friday, February 5, 2016 7:10 AM > *Subject:* Re: [keycloak-user] access_token always contains JWT > > There's no such thing as a "simple token". Tokens are always a signed JWT. > > On 5 February 2016 at 11:17, > wrote: > > Hi, > > I am trying to retrieve an access token from a Keycloak (1.8.0.Final) > service account by > POST /auth/realms/myrealm/protocol/openid-connect/token > with grant_type=client_credentials. > > The result contains a signed JWT as value of field "access_token" rather > than a simple token > as described in chapter 18 (Service Accounts) of the user guide. > > So what I expect (need) is a response like this: > > { > "access_token":"2YotnFZFEjr1zCsicMWpAA", > "token_type":"bearer", > "expires_in":60, > "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", > "refresh_expires_in":600, > "id_token":"tGzv3JOkF0XG5Qx2TlKWIA", > "not-before-policy":0, > "session-state":"234234-234234-234234" > } > > Is there a way to configure the account or the realm to return a simple > token > in "access_token" (and "refresh_token") rather than a JWT? > > Cheers, > Manfred > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- ======================================== Caprica Ltd. 69 Great Hampton Street Birmingham, West Midlands, B186EW, Registered in England and Wales Company No. 5298548 Managing Director: Manfred Duchrow Zweigniederlassung Deutschland Gartenstr. 
48, 89150 Laichingen Amtsgericht Ulm: HRB 5073 Geschäftsführer: Manfred Duchrow ---------------------------------------- Tel: +49 (0)7333 9232190 Fax: +49 (0)7333 9232191 E-Mail: manfred.duchrow at caprica.de ======================================== -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/9ffbcf30/attachment-0001.html From thomas.raehalme at aitiofinland.com Fri Feb 5 09:22:55 2016 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Fri, 5 Feb 2016 16:22:55 +0200 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: Hi, On Fri, Feb 5, 2016 at 4:15 PM, Thomas Darimont < thomas.darimont at googlemail.com> wrote: > yes I understand that - and I agree that falling back to the default > client in case of a missing client is not a good idea. > I understand this as well, but it has not been uncommon to encounter a situation where the user needs to know where to go next, because Keycloak doesn't have a link available. Maybe and hopefully it's just related to the development phase when applications are redeployed often. > @Thomas > Initially I also thought about having a default redirect url per realm but > then I thought that simply referring to a client_id and let keycloak > redirect the user > appropriately would be more flexible, especially because you can then also > leverage all the client metadata that is available for a client (name, > description etc.). > Defining an existing client as a default is indeed a better idea. I probably misunderstood you first. Best regards, Thomas -------------- next part -------------- An HTML attachment was scrubbed... 
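An added example for the "access_token always contains JWT" thread above (this is not code from the thread or from Keycloak). Manfred asks whether the long JWT is what goes after "Bearer" in the Authorization header, and Raghuram's contrast with "reference tokens" is the reason it can: a signed JWT lets the resource server validate the token locally instead of calling back to the server (which also sidesteps the introspection endpoint). The Go program below plays both sides: signRS256 stands in for the token endpoint, using a freshly generated RSA key (not a realm key) and an assumed realm URL as the iss value, and verifyRS256 is what a resource server should do with the value it receives in the Authorization header: pin the algorithm, check the signature against the realm's public key (in a real deployment that is the realm public key the admin console exposes; here it is the generated key), then check iss, typ and exp. The claim names iss, sub, exp and typ "Bearer" are what Keycloak puts in its access tokens; the subject value and the expiry are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token that a resource server checks:
// iss, sub and exp are registered JWT claims; typ ("Bearer") is Keycloak's token-type claim.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Typ string `json:"typ"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 mints a compact JWS (header.claims.signature, RSASSA-PKCS1-v1_5 over SHA-256).
// It stands in for Keycloak's token endpoint so that the example runs offline.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyRS256 validates the token a client sent as "Authorization: Bearer <token>" locally,
// with no call back to the server: pinned alg, signature against the realm public key,
// then issuer, token type and expiry.
func verifyRS256(pub *rsa.PublicKey, token, wantIss string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS")
	}
	segs := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url", i)
		}
		segs[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(segs[0], &header); err != nil {
		return nil, err
	}
	// The verifier fixes the algorithm; the token never gets to choose it ("alg":"none", HS256 key confusion).
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], segs[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Claims are trusted only once the signature has checked out.
	var c Claims
	if err := json.Unmarshal(segs[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Typ != "Bearer" {
		return nil, fmt.Errorf("unexpected typ %q", c.Typ)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	const issuer = "https://keycloak.example/auth/realms/myrealm" // assumed realm URL
	key, _ := rsa.GenerateKey(rand.Reader, 2048)                  // generated here, not a realm key
	now := time.Now()
	token, _ := signRS256(key, Claims{Iss: issuer, Sub: "service-account-myclient", Exp: now.Add(time.Minute).Unix(), Typ: "Bearer"})
	claims, err := verifyRS256(&key.PublicKey, token, issuer, now) // token as received after "Bearer "
	fmt.Println(len(token), claims, err)
}
```

The token this produces is short only because the claims are; a real Keycloak access token also carries realm and client role mappings and the other mapped claims, which is where Manfred's 5000 characters come from. Size aside, the handling is the same: the whole string is the Bearer value, and the resource server never needs to send it back to Keycloak to learn whether it is valid.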
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/5797f415/attachment.html From thomas.darimont at googlemail.com Fri Feb 5 09:28:16 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 5 Feb 2016 15:28:16 +0100 Subject: [keycloak-user] Realm wide custom id / access token claims. In-Reply-To: <56B4AC2A.3020201@redhat.com> References: <56B4AC2A.3020201@redhat.com> Message-ID: Hello Bill, seems to do what I need - I think it should be documented that changes in client templates (e.g. configured mappers) are reflected in created clients. Cheers, Thomas 2016-02-05 15:05 GMT+01:00 Bill Burke : > See ClientTemplates > > > > On 2/5/2016 7:59 AM, Thomas Darimont wrote: > > Hello group, > > In my user model I have a custom user attribute that I want to make > available to multiple > clients via the id / access token with just one definition. Is this > already possible somehow? > > Currently one can define custom mappers for a single client via: > (In Admin Console) Realm -> Clients -> example-client -> Mappers -> create > > There I can specify a new mapper of type "user attribute" where I can > refer to the actual user attribute, give it a "token claim name" (e.g. > "myattribute") and specify whether this should be included in the ID and / > or access token. > > The user attribute in the token can then be accessed from within the > client via: > KeycloakSecurityContext:getIdToken().getOtherClaims().get("myattribute") > > This approach however requires that I configure this for every client - > for which I already have 10 (trend: upwards)... > It would make things a lot easier if it were possible to specify those > mappers realm wide... 
> > PS: I'm currently using Keycloak 1.9.0.CR1 > > Cheers, > Thomas > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/7c53f76b/attachment.html From thomas.darimont at googlemail.com Fri Feb 5 10:23:41 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 5 Feb 2016 16:23:41 +0100 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: Hello, 2016-02-05 15:22 GMT+01:00 Thomas Raehalme : > I understand this as well, but it has not been uncommon to encounter a > situation where the user needs to know where to go next, because Keycloak > doesn't have a link available. with a redirect facility as outlined above - one could render a link to the "$KEYCLOAK_BASE_URL/redirect" or lookup the "default" client in order to render the client base url link with a proper label (client name). Cheers, Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/605a7de9/attachment.html From manfred.duchrow at caprica.biz Fri Feb 5 10:51:58 2016 From: manfred.duchrow at caprica.biz (Manfred Duchrow) Date: Fri, 5 Feb 2016 16:51:58 +0100 Subject: [keycloak-user] Class is swallowing exceptions Message-ID: <56B4C51E.7070701@caprica.biz> Hi, I just got a "Failed to introspect token" result when trying to use this new endpoint. When I tried to find out what went wrong I observed that also no additional log entry was available. 
Looking at the code (1.8.0.Final) of class TokenIntrospectionEndpoint revealed that in method introspect() there is a try-catch that swallows all caught exception information. In methods private AccessToken toAccessToken(String tokenString) private void authorizeClient() it's the same pattern. A new exception gets thrown without any information about the caught exception. You might consider opening an issue to add either some log statements in all catch blocks of this class or propagate the exception information in the new thrown exceptions. So currently there is no chance to find out why an introspection request failed. Cheers, Manfred -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/40ea9950/attachment.html From thomas.darimont at googlemail.com Fri Feb 5 13:05:41 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 5 Feb 2016 19:05:41 +0100 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: Quick update - I did some further experiments with this... I added a /redirect path to org.keycloak.services.resources.RealmsResource like: @Path("{realm}/{client-id}/redirect") see code fragment below. This allows keycloak to initiate a redirect to the browser with the actual target url of the client. Other clients now only need to know the realm and clientId to generate a link that eventually redirects to the target application. Usage: GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302 response with location: http://apps.corp.local/launchpad Any chance to get this in as a PR? 
Cheers, Thomas

// Method added to org.keycloak.services.resources.RealmsResource (fragment, not the whole class).
@GET
@Path("{realm}/{client-id}/redirect")
public Response getRedirect(final @PathParam("realm") String realmName,
                            final @PathParam("client-id") String clientId) throws Exception {
    RealmModel realm = init(realmName);
    if (realm == null) {
        // A JAX-RS method returning null is sent as 204 No Content; an unknown realm should be a 404.
        return Response.status(Response.Status.NOT_FOUND).build();
    }
    ClientModel client = realm.getClientByClientId(clientId);
    if (client == null) {
        // Unknown client id in this realm.
        return Response.status(Response.Status.NOT_FOUND).build();
    }
    // The redirect target is taken only from the client's admin-configured root/base URL;
    // the client id from the request is used as a lookup key, never as the destination.
    if (client.getRootUrl() == null) {
        // Relative base URL: resolve it against this Keycloak server's own URL.
        return Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();
    }
    return Response.temporaryRedirect(URI.create(client.getRootUrl() + client.getBaseUrl())).build();
}

2016-02-05 16:23 GMT+01:00 Thomas Darimont : > Hello, > > 2016-02-05 15:22 GMT+01:00 Thomas Raehalme < > thomas.raehalme at aitiofinland.com>: > >> I understand this as well, but it has not been uncommon to encounter a >> situation where the user needs to know where to go next, because Keycloak >> doesn't have a link available. > > > with a redirect facility as outlined above - one could render a link to > the "$KEYCLOAK_BASE_URL/redirect" or > lookup the "default" client in order to render the client base url link > with a proper label (client name). > > Cheers, > Thomas > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/370c4362/attachment-0001.html From m.hayen at first8.nl Fri Feb 5 14:09:03 2016 From: m.hayen at first8.nl (Mark Hayen) Date: Fri, 5 Feb 2016 20:09:03 +0100 Subject: [keycloak-user] changes in Email SPI In-Reply-To: References: <56B48ED1.9080404@first8.nl> Message-ID: <56B4F34F.4010301@first8.nl> An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160205/d1ddb072/attachment.html From malmi.suh at gmail.com Fri Feb 5 22:03:38 2016 From: malmi.suh at gmail.com (Malmi Samarasinghe) Date: Sat, 6 Feb 2016 08:33:38 +0530 Subject: [keycloak-user] Assign Role Fails Just After Creating the Role In-Reply-To: <56B4A6CB.3020507@redhat.com> References: <56AB7318.6050009@redhat.com> <56B2C5D5.8050702@redhat.com> <56B4A6CB.3020507@redhat.com> Message-ID: Many Thanks to your assistance regarding the issue. On Fri, Feb 5, 2016 at 7:12 PM, Bill Burke wrote: > 1.9.0.Final will have it... > > > On 2/5/2016 7:50 AM, Malmi Samarasinghe wrote: > > Hi Stian, > > Thank you very much for looking in to the issue. We tried with around 6 > role creations per second, and I tried switching off realm cache and it had > negative impact on the performance of other API s. > > Really appreciate if you could suggest us a rough timeline for a fix date. > > Regards, > Malmi > > On Fri, Feb 5, 2016 at 3:20 PM, Stian Thorgersen > wrote: > >> Either don't create roles concurrently or disable cache. >> >> How frequently are you creating roles? Just wondering because if you do >> it will significantly impact the benefits of the cache as we invalidate a >> large amount of the cache when roles are added/removed. >> >> The problem you are seeing is most likely down to a race condition when >> the realm role list (or client role lists) are re-loaded after they are >> invalidated. I haven't had much time to look at it yet, so I don't know the >> exact cause or a solution. >> >> On 5 February 2016 at 09:57, Malmi Samarasinghe < >> malmi.suh at gmail.com> wrote: >> >>> Hi Stian, >>> >>> We have this in production is there any intermediary fix that we can do >>> or any workaround? 
>>> >>> Regards, >>> Malmi >>> >>> On Fri, Feb 5, 2016 at 2:11 PM, Stian Thorgersen >>> wrote: >>> >>>> Confirmed this bug >>>> https://issues.jboss.org/browse/KEYCLOAK-2458 >>>> >>>> On 5 February 2016 at 06:53, Malmi Samarasinghe < >>>> malmi.suh at gmail.com> wrote: >>>> >>>>> Hi Stian/Bill, >>>>> >>>>> I just wanted to highlight that this issue only occurred when realm >>>>> cache enabled option is ON. >>>>> >>>>> Regards, >>>>> Malmi >>>>> >>>>> On Thu, Feb 4, 2016 at 8:38 PM, Malmi Samarasinghe < >>>>> malmi.suh at gmail.com> wrote: >>>>> >>>>>> Hi Stian >>>>>> >>>>>> I have multiple threads creating different roles. Basically one >>>>>> thread will execute all three apis one after another. >>>>>> >>>>>> Regards, >>>>>> Malmi >>>>>> >>>>>> On Thu, Feb 4, 2016 at 5:23 PM, Stian Thorgersen < >>>>>> sthorger at redhat.com> wrote: >>>>>> >>>>>>> When you say method1 is executed in multiple threads, do you mean >>>>>>> one thread creates the role and another retrieves it? Or do you have >>>>>>> multiple threads creating different roles? >>>>>>> >>>>>>> On 4 February 2016 at 12:31, Malmi Samarasinghe < >>>>>>> malmi.suh at gmail.com> wrote: >>>>>>> >>>>>>>> Hi Bill, >>>>>>>> >>>>>>>> Please find the work flow that we have implemented >>>>>>>> create user : POST : admin/realms/{realm}/users >>>>>>>> >>>>>>>> *Method1* wraps the following API calls >>>>>>>> Create Realm role : POST : admin/realms/{realm}/roles >>>>>>>> Retrieve Role : GET : admin/realms/{realm}/roles/{roleName} >>>>>>>> Assign Role : POST : >>>>>>>> admin/realms/leapset/users/{0}/role-mappings/realm >>>>>>>> >>>>>>>> Same for the client roles as well. 
>>>>>>>> >>>>>>>> *Method1* is executed in multiple threads and assign realm role >>>>>>>> API starts failing with 404 (keycloak log states role not found) >>>>>>>> >>>>>>>> Regards, >>>>>>>> Malmi >>>>>>>> >>>>>>>> On Thu, Feb 4, 2016 at 9:00 AM, Bill Burke < >>>>>>>> bburke at redhat.com> wrote: >>>>>>>> >>>>>>>>> Can you give me what REST invocations you are doing? How do you >>>>>>>>> find the role? How do you create the role? etc... >>>>>>>>> >>>>>>>>> On 2/3/2016 9:45 PM, Malmi Samarasinghe wrote: >>>>>>>>> >>>>>>>>> Hi Bill, >>>>>>>>> >>>>>>>>> We tried the above fix on top of 1.7.0 by applying the changes >>>>>>>>> from the commits attached to the >>>>>>>>> >>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327 and deployed, and >>>>>>>>> it seems to have the same issue. If you have any further update on this >>>>>>>>> please let us know. >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Malmi >>>>>>>>> >>>>>>>>> On Mon, Feb 1, 2016 at 4:02 PM, Stian Thorgersen < >>>>>>>>> sthorger at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> This could be related to >>>>>>>>>> >>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-2327. >>>>>>>>>> >>>>>>>>>> It's already fixed in master, so if you can try it out that would >>>>>>>>>> be great. We should also have a 1.8.1.Final release this week with the fix >>>>>>>>>> in as well. >>>>>>>>>> >>>>>>>>>> On 30 January 2016 at 05:16, Malmi Samarasinghe < >>>>>>>>>> malmi.suh at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi Bill, >>>>>>>>>>> >>>>>>>>>>> We are using keycloak 1.7.0 and rdbms (mysql) >>>>>>>>>>> >>>>>>>>>>> Regards, >>>>>>>>>>> Malmi Samarasinghe >>>>>>>>>>> On Jan 29, 2016 7:41 PM, "Bill Burke" < >>>>>>>>>>> bburke at redhat.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Which version of keycloak? RDBMS or Mongo? 
>>>>>>>>>>>> >>>>>>>>>>>> On 1/29/2016 12:35 AM, Malmi Samarasinghe wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hi Everyone, >>>>>>>>>>>> >>>>>>>>>>>> In my application we create retrieve and assign role >>>>>>>>>>>> subsequently and it seems that even for a small load (2-3 threads) with >>>>>>>>>>>> realm cache enabled option, assign realm role call fails due to role not >>>>>>>>>>>> exist error and 404 is returned from keycloak. >>>>>>>>>>>> >>>>>>>>>>>> With the realm cache disabled option the load works fine. >>>>>>>>>>>> >>>>>>>>>>>> Please get back to me if you have any information on any other >>>>>>>>>>>> option we can follow to get this issue sorted or on what action the realm >>>>>>>>>>>> cache will be persisted to DB. >>>>>>>>>>>> >>>>>>>>>>>> Regards, >>>>>>>>>>>> Malmi >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> Bill Burke >>>>>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>>> >>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> keycloak-user mailing list >>>>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>>>> >>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Bill Burke >>>>>>>>> JBoss, a division of Red Hathttp://bill.burkecentral.com >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160206/4c1e25c7/attachment-0001.html From leo.nunes at gjccorp.com.br Sat Feb 6 08:53:56 2016 From: leo.nunes at gjccorp.com.br (LEONARDO NUNES) Date: Sat, 6 Feb 2016 13:53:56 +0000 Subject: [keycloak-user] NoClassDefFoundError during Logout (Domain Mode) Message-ID: Hi, I'm getting the exception below when I try to logout from my application or when I click Logout All from the Sessions menu at the admin console. I'm using the Overlay keycloak-overlay-eap6-1.8.1.Final on our EAP 6.3.3 in Domain Mode with 2 hosts. I copied the modules from the overlay zip to our modules in the EAP folder. Then, I did the installation with jboss-cli. The Admin Console is working fine. I deployed the customer-app at another server and I'm able to register and login successfully. Then, when I try to logout I get the error below. >>>>>>>> 2016-02-06 11:47:13,502 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[eap-corp-dev].[/auth].[Keycloak REST Interface]] (ajp-/192.168.10.67:8019-2) JBWEB000236: Servlet.service() for servlet Keycloak REST Interface threw exception: java.lang.RuntimeException: request path: /auth/admin/realms/demo/logout-all at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at 
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] Caused by: org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.spi.ApplicationException: java.lang.NoClassDefFoundError: org/apache/http/conn/socket/LayeredConnectionSocketFactory at org.jboss.resteasy.core.SynchronousDispatcher.handleApplicationException(SynchronousDispatcher.java:365) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:233) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at 
org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:209) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:557) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] ... 
15 more Caused by: org.jboss.resteasy.spi.ApplicationException: java.lang.NoClassDefFoundError: org/apache/http/conn/socket/LayeredConnectionSocketFactory at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:69) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at com.sun.proxy.$Proxy206.getProvider(Unknown Source) at org.keycloak.services.managers.ResourceAdminManager.sendLogoutRequest(ResourceAdminManager.java:235) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] at org.keycloak.services.managers.ResourceAdminManager.logoutClient(ResourceAdminManager.java:220) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] at org.keycloak.services.managers.ResourceAdminManager.logoutAll(ResourceAdminManager.java:196) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] at org.keycloak.services.resources.admin.RealmAdminResource.logoutAll(RealmAdminResource.java:338) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45] at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at 
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] ... 24 more Caused by: java.lang.NoClassDefFoundError: org/apache/http/conn/socket/LayeredConnectionSocketFactory at org.keycloak.connections.httpclient.DefaultHttpClientFactory.lazyInit(DefaultHttpClientFactory.java:120) at org.keycloak.connections.httpclient.DefaultHttpClientFactory.create(DefaultHttpClientFactory.java:36) at org.keycloak.connections.httpclient.DefaultHttpClientFactory.create(DefaultHttpClientFactory.java:27) at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45] at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45] at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:57) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] ... 
41 more Caused by: java.lang.ClassNotFoundException: org.apache.http.conn.socket.LayeredConnectionSocketFactory from [Module "org.keycloak.keycloak-connections-http-client:main" from local module loader @543c6f6d (finder: local module finder @13eb8acf (roots: /opt/jboss-eap-6.3/modules,/opt/jboss-eap-6.3/modules/system/layers/base/.overlays/layer-base-jboss-eap-6.3.3.CP,/opt/jboss-eap-6.3/modules/system/layers/base,/var/opt/jboss_domains/modules))] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:213) [jboss-modules.jar:1.3.5.Final-redhat-1] at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459) [jboss-modules.jar:1.3.5.Final-redhat-1] at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:408) [jboss-modules.jar:1.3.5.Final-redhat-1] at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389) [jboss-modules.jar:1.3.5.Final-redhat-1] at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134) [jboss-modules.jar:1.3.5.Final-redhat-1] ... 50 more -- Leonardo Nunes ________________________________ Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta mensagem, n?o poder? usar, copiar ou divulgar as informa??es nela contidas ou tomar qualquer a??o baseada nessas informa??es. Se voc? recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua coopera??o. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. 
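Marko Strukelj's reply further down attributes this NoClassDefFoundError to an org.apache.httpcomponents module older than the httpclient 4.3.6 the Keycloak server needs (the missing class lives in the org.apache.http.conn.socket package, which does not exist in 4.2.x). The following is an added example, not Keycloak or EAP code: it checks a module root for that condition before the overlay is deployed. It assumes the EAP 6 layout org/apache/httpcomponents/main/httpclient-<version>[.redhat-N].jar under a layer root such as the ones listed in the trace above, and the module trees it builds for the demonstration are constructed.

```python
"""Check that an EAP/WildFly layer ships an httpclient jar new enough for the
Keycloak server overlay. Added example; not Keycloak or JBoss code."""
import os
import re
import tempfile

# Version Marko names as the one Keycloak 1.8.1 depends on.
REQUIRED_HTTPCLIENT = "4.3.6"

# Assumed relative path of the module inside a modules/layer root (EAP 6 layout).
MODULE_RELPATH = os.path.join("org", "apache", "httpcomponents", "main")

# Assumed jar naming: httpclient-4.2.1.redhat-2.jar, httpclient-4.3.6.jar, ...
_JAR_RE = re.compile(r"^httpclient-(\d+(?:\.\d+)*)(?:[.-].*)?\.jar$")


def parse_version(text):
    """'4.2.1' -> (4, 2, 1); tuples compare field by field, so 4.10 > 4.3."""
    return tuple(int(part) for part in text.split("."))


def httpclient_version(modules_root):
    """Return the version string of the httpclient jar in the module, or None
    when the module directory or the jar is absent."""
    moddir = os.path.join(modules_root, MODULE_RELPATH)
    if not os.path.isdir(moddir):
        return None
    for name in sorted(os.listdir(moddir)):
        match = _JAR_RE.match(name)
        if match:
            return match.group(1)
    return None


def check_httpclient_module(modules_root, required=REQUIRED_HTTPCLIENT):
    """Return (ok, message). ok is False when the jar is missing or older than
    `required`: the state behind the NoClassDefFoundError for
    org.apache.http.conn.socket.LayeredConnectionSocketFactory."""
    found = httpclient_version(modules_root)
    if found is None:
        return False, "no httpclient jar under %s" % os.path.join(
            modules_root, MODULE_RELPATH)
    if parse_version(found) < parse_version(required):
        return False, ("httpclient %s is older than the required %s: "
                       "module too old for the Keycloak overlay" % (found, required))
    return True, "httpclient %s satisfies the required %s" % (found, required)


def make_sample_layer(jar_name):
    """Build a throwaway module tree holding one constructed jar name, so the
    check can be demonstrated offline. Returns the layer root path."""
    root = tempfile.mkdtemp(prefix="eap-layer-")
    moddir = os.path.join(root, MODULE_RELPATH)
    os.makedirs(moddir)
    open(os.path.join(moddir, jar_name), "wb").close()  # empty stand-in jar
    return root


if __name__ == "__main__":
    # Constructed sample mirroring an EAP 6.3 layer (httpclient 4.2.1)...
    print(check_httpclient_module(make_sample_layer("httpclient-4.2.1.redhat-2.jar")))
    # ...and one that satisfies the overlay's requirement.
    print(check_httpclient_module(make_sample_layer("httpclient-4.3.6.jar")))
```

On a real host, pass the layer directory (for the trace above, /opt/jboss-eap-6.3/modules/system/layers/base) instead of the constructed sample.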
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160206/eca12eb1/attachment-0001.html

From sthorger at redhat.com Mon Feb 8 02:57:09 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 8 Feb 2016 08:57:09 +0100
Subject: [keycloak-user] Class is swallowing exceptions
In-Reply-To: <56B4C51E.7070701@caprica.biz>
References: <56B4C51E.7070701@caprica.biz>
Message-ID:

Please create a JIRA

On 5 February 2016 at 16:51, Manfred Duchrow wrote:
> Hi,
>
> I just got a "Failed to introspect token" result when trying to use this new endpoint.
> When I tried to find out what went wrong I observed that also no additional log entry was available.
> Looking at the code (1.8.0.Final) of class TokenIntrospectionEndpoint revealed that in method introspect() there is a try-catch that swallows all caught exception information.
>
> In methods
> private AccessToken toAccessToken(String tokenString)
> private void authorizeClient()
> it's the same pattern.
> A new exception gets thrown without any information about the caught exception.
>
> You might consider opening an issue to add either some log statements in all catch blocks of this class or propagate the exception information in the new thrown exceptions.
>
> So currently there is no chance to find out why an introspection request failed.
>
> Cheers,
> Manfred
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160208/7bf39038/attachment.html

From sthorger at redhat.com Mon Feb 8 04:29:32 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 8 Feb 2016 10:29:32 +0100
Subject: [keycloak-user] Keycloak saml v1.1 to oauth2 token
In-Reply-To:
References:
Message-ID:

We don't have a token exchange facility, but we have support for authenticating with external IdPs through what we call identity brokering. It supports SAMLv2 IdPs only though.

We do have SPIs that let you customize/extend Keycloak. For your use-case I could think of two options:

1. Add a custom authenticator for direct grant flow that allows authenticating by passing a SAML v1.1 token - see http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html for more info
2. Add a custom identity broker provider that allows users to login through an external SAMLv1.1 IdP

On 5 February 2016 at 10:52, Porfyrios Vasileiou <porfyrios.vasileiou at gmail.com> wrote:
> Hello, I have a project that includes 2 client applications.
>
> In ONLY ONE of the clients (web application in angular) users login via a 3rd party authorization server that also has a login procedure where the user logs in and it returns a saml v1.1 xml token and then they can access the client. (This procedure cannot be changed) But I want this client to also be secured with keycloak so I can have a token that I can pass to my rest services that are also secured with keycloak.
>
> Can I convert this saml v1.1 token to oauth2 via keycloak?
>
> Once we have logged in I want to login this user to keycloak programmatically and get an oauth2 token instead that can be used for the rest services requests in the Bearer authentication header. How can I do this?
>
> I also want to say that the keycloak is setup to use the same active directory that the 3rd party authorization server is using to authenticate the users.
>
> Is this possible?
>
> Thanks, Porfyrios
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160208/22d8974e/attachment.html

From andrey.saroul at gmail.com Mon Feb 8 04:30:59 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Mon, 8 Feb 2016 12:30:59 +0300
Subject: [keycloak-user] Keycloak logout flow
In-Reply-To:
References:
Message-ID:

Thanks, it was the right reason.

2016-02-02 15:55 GMT+03:00 Stian Thorgersen:
> You probably haven't configured admin url for your client so the Keycloak server can't send backchannel logout to your service
>
> On 2 February 2016 at 12:06, Andrey Saroul wrote:
>
>> I'm using keycloak 1.7.0 with WildFly 9.0.2
>> I have rest service and Keycloak deployed on one and the same machine.
>> Consider this scenario:
>> 1) In browser I try to test my rest service (e.g. http://my-ip-address:8080/rest/test) secured under Keycloak
>> 2) I got redirect to login page.
>> 3) I enter my login and password.
>> 4) I got some response from my rest service. That's Ok!
>> 5) Then I go to Keycloak admin console, find my user and force session logout.
>> 6) Then I try to access my rest service again by the same url, and NO redirect happens. Browser caches jsessionid cookie and doesn't know anything about the user being logged out.
>> It seems to me that during step #6 server should invalidate expired session cookie due to admin logout.
>> I consider that user after being logged out will get redirect to login page again, and will not be able to access service with old jsessionid cookie.
>> Is this a bug, or could you help me explain what am I doing wrong?
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160208/cfb8e05b/attachment.html

From mstrukel at redhat.com Mon Feb 8 05:27:55 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 8 Feb 2016 11:27:55 +0100
Subject: [keycloak-user] NoClassDefFoundError during Logout (Domain Mode)
In-Reply-To:
References:
Message-ID:

Server overlay is only supposed to be used with latest EAP 6 version. But ATM it should work on EAP 6.4, and above.

Your error suggests the org.apache.httpcomponents module is too old. And in fact EAP 6.3 uses httpclient 4.2.1, whereas Keycloak server depends on version 4.3.6.

On Sat, Feb 6, 2016 at 2:53 PM, LEONARDO NUNES wrote:
> Hi, I'm getting the exception below when I try to logout from my application or when I click Logout All from the Sessions menu at the admin console.
>
> I'm using the Overlay keycloak-overlay-eap6-1.8.1.Final on our EAP 6.3.3 in Domain Mode with 2 hosts.
> I copied the modules from the overlay zip to our modules in the EAP folder.
> Then, I did the installation with jboss-cli.
>
> The Admin Console is working fine. I deployed the customer-app at another server and I'm able to register and login successfully.
> Then, when I try to logout I get the error below.
From parul.com at gmail.com Mon Feb 8 11:57:43 2016
From: parul.com at gmail.com (Arulkumar Ponnusamy)
Date: Mon, 8 Feb 2016 22:27:43 +0530
Subject: [keycloak-user] do we have reference document for enabling ECP on keycloak
Message-ID:

Hi All,

Do we have any reference document for keycloak IDP ECP profile?

Thanks,
Arul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160208/5789885f/attachment.html

From srossillo at smartling.com Mon Feb 8 12:16:45 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Mon, 8 Feb 2016 12:16:45 -0500
Subject: [keycloak-user] access_token always contains JWT
In-Reply-To: <56B4AF04.4080608@caprica.biz>
References: <355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com> <56B4AF04.4080608@caprica.biz>
Message-ID:

Opaque access tokens are an interesting idea for security reasons. I've heard them referred to as "by reference" access tokens because the actual JWT access token has to be stored somewhere. The OpenID spec doesn't address this but it's a solid idea for access tokens exposed to external applications, which do not need to be concerned with, or possibly shouldn't be privy to the information inside the token.

There's another option that may be more manageable. That is to offer a per client option of encrypting the access token, known as JWE, or JSON Web Encryption[0]. The basic idea is that the signed token is then encrypted with a symmetrical key. This key would probably be a realm level key. Another benefit of JWE is the access token payload is compressed, making the access token shorter.
Is this something we would be interested in adding support for?

[0]: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Feb 5, 2016, at 9:17 AM, manfred.duchrow at caprica.biz wrote:
>
> Yes, that's true (even for some open source software too).
> So am I supposed to put this JWT access token into the Authorization request header as Bearer value to authorize a request?
> The access token I got from Keycloak is over 5000 characters long!
>
>
> On 05.02.2016 13:47, Raghuram Prabhala wrote:
>> Access token is implementation specific. Some commercial software have the concept of "reference tokens" which are nothing but random strings indicated below. The clients have to query back the Authorization server to get a validated JWT token
>>
>> From: Stian Thorgersen
>> To: manfred.duchrow at caprica.biz
>> Cc: keycloak-user
>> Sent: Friday, February 5, 2016 7:10 AM
>> Subject: Re: [keycloak-user] access_token always contains JWT
>>
>> There's no such thing as a "simple token". Tokens are always a signed JWT.
>>
>> On 5 February 2016 at 11:17, <manfred.duchrow at caprica.biz> wrote:
>> Hi,
>>
>> I am trying to retrieve an access token from a Keycloak (1.8.0.Final) service account by
>> POST /auth/realms/myrealm/protocol/openid-connect/token
>> with grant_type=client_credentials.
>>
>> The result contains a signed JWT as value of field "access_token" rather than a simple token as described in chapter 18 (Service Accounts) of the user guide.
>>
>> So what I expect (need) is a response like this:
>>
>> {
>>   "access_token":"2YotnFZFEjr1zCsicMWpAA",
>>   "token_type":"bearer",
>>   "expires_in":60,
>>   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>>   "refresh_expires_in":600,
>>   "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>>   "not-before-policy":0,
>>   "session-state":"234234-234234-234234"
>> }
>>
>> Is there a way to configure the account or the realm to return a simple token in "access_token" (and "refresh_token") rather than a JWT?
>>
>> Cheers,
>> Manfred
>>
>
> --
> ========================================
> Caprica Ltd.
> 69 Great Hampton Street
> Birmingham, West Midlands, B186EW,
> Registered in England and Wales
> Company No. 5298548
> Managing Director: Manfred Duchrow
>
> Branch office Germany
> Gartenstr. 48, 89150 Laichingen
> Amtsgericht Ulm: HRB 5073
> Managing Director: Manfred Duchrow
> ----------------------------------------
> Tel: +49 (0)7333 9232190
> Fax: +49 (0)7333 9232191
> E-Mail: manfred.duchrow at caprica.de
> ========================================
-------------- next part --------------
An HTML attachment was scrubbed...
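The thread above turns on three points: the access_token Keycloak returns is a signed JWT whose claims any holder can read (Stian), a "reference token" is just a random handle the authorization server resolves on introspection (Raghuram), and JWE can DEFLATE the payload to shorten the token (Scott). The following is an added example, not Keycloak code, working through all three with the standard library only. It uses HS256 over a constructed key where Keycloak uses a realm RSA key (RS256), and the claim values, though named after Keycloak's claims, are made up.

```python
"""Take apart a Keycloak-style access token the way a bearer client or a
resource server sees it. Added example; not Keycloak code."""
import base64
import hashlib
import hmac
import json
import secrets
import zlib

# Constructed stand-ins: Keycloak signs with a realm RSA key (RS256); HS256
# with a throwaway key keeps this runnable on the standard library alone.
SAMPLE_KEY = b"constructed-demo-key-not-a-realm-key"
SAMPLE_CLAIMS = {
    "jti": "00000000-0000-0000-0000-000000000000",   # constructed
    "exp": 1454677000, "nbf": 0, "iat": 1454676940,  # constructed timestamps
    "iss": "http://localhost:8080/auth/realms/myrealm",
    "aud": "myrealm", "sub": "service-account-myclient", "typ": "Bearer",
    "azp": "myclient", "session_state": "234234-234234-234234",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
    "clientId": "myclient", "preferred_username": "service-account-myclient",
}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims, key):
    """Build the JWS compact form header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                      separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def read_claims(token):
    """Decode the claims WITHOUT checking the signature: what any party
    holding a 'by value' token can see, which is why Scott suggests
    encrypting (JWE) tokens handed to external applications."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256(token, key):
    """Constant-time signature check; a tampered payload or wrong key fails."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, (header + "." + payload).encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def segment_lengths(token):
    """Characters spent on header, payload and signature; the payload is what
    grows with roles and mappers and pushes real tokens past 5000 chars."""
    header, payload, sig = token.split(".")
    return {"header": len(header), "payload": len(payload),
            "signature": len(sig), "total": len(token)}


def deflate_ratio(token):
    """Compressed/uncompressed size of the claims JSON under raw DEFLATE,
    the "zip":"DEF" option of JWE that Scott's size argument relies on."""
    payload = b64url_decode(token.split(".")[1])
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    deflated = comp.compress(payload) + comp.flush()
    return len(deflated) / len(payload)


class ReferenceTokenStore:
    """'By reference' issuance as Raghuram describes it: the client receives
    an opaque random handle, the signed JWT stays server-side, and the
    resource server resolves the handle through introspection."""

    def __init__(self):
        self._by_handle = {}

    def issue(self, jwt_token):
        handle = secrets.token_urlsafe(24)
        self._by_handle[handle] = jwt_token
        return handle

    def introspect(self, handle, now):
        jwt_token = self._by_handle.get(handle)
        if jwt_token is None:
            return {"active": False}
        claims = read_claims(jwt_token)
        # a real introspection endpoint also checks nbf/exp against the clock
        if not (claims.get("nbf", 0) <= now < claims["exp"]):
            return {"active": False}
        return dict(claims, active=True)


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    print(segment_lengths(token), "deflate ratio %.2f" % deflate_ratio(token))
    store = ReferenceTokenStore()
    handle = store.issue(token)
    print(len(handle), "char handle ->", store.introspect(handle, 1454676950)["azp"])
```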
From bburke at redhat.com Mon Feb 8 12:22:25 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 8 Feb 2016 12:22:25 -0500
Subject: [keycloak-user] access_token always contains JWT
In-Reply-To:
References: <355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com> <56B4AF04.4080608@caprica.biz>
Message-ID: <56B8CED1.2000003@redhat.com>

Yes. We want that. Just too busy :)

On 2/8/2016 12:16 PM, Scott Rossillo wrote:
> Opaque access tokens are an interesting idea for security reasons.
> I've heard them referred to as "by reference" access tokens because
> the actual JWT access token has to be stored somewhere. The OpenID
> spec doesn't address this but it's a solid idea for access tokens
> exposed to external applications, which do not need to be concerned
> with, or possibly shouldn't be privy to the information inside the token.
>
> There's another option that may be more manageable. That is to offer a
> per client option of encrypting the access token, known as JWE, or
> JSON Web Encryption[0]. The basic idea is that the signed token is
> then encrypted with a symmetrical key. This key would probably be a
> realm level key. Another benefit of JWE is the access token payload is
> compressed, making the access token shorter.
>
> Is this something we would be interested in adding support for?
>
> [0]: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
>> On Feb 5, 2016, at 9:17 AM, manfred.duchrow at caprica.biz
>> wrote:
>>
>> Yes, that's true (even for some open source software too).
>> So am I supposed to put this JWT access token into the Authorization
>> request header as Bearer value to authorize a request?
>> The access token I got from Keycloak is over 5000 characters long!
>>
>> On 05.02.2016 13:47, Raghuram Prabhala wrote:
>>> Access token is implementation specific. Some commercial software
>>> have the concept of "reference tokens" which are nothing but random
>>> strings indicated below. The clients have to query back the
>>> Authorization server to get a validated JWT token
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Stian Thorgersen
>>> *To:* manfred.duchrow at caprica.biz
>>> *Cc:* keycloak-user
>>> *Sent:* Friday, February 5, 2016 7:10 AM
>>> *Subject:* Re: [keycloak-user] access_token always contains JWT
>>>
>>> There's no such thing as a "simple token". Tokens are always a
>>> signed JWT.
>>>
>>> On 5 February 2016 at 11:17, wrote:
>>>
>>> Hi,
>>>
>>> I am trying to retrieve an access token from a Keycloak (1.8.0.Final)
>>> service account by
>>> POST /auth/realms/myrealm/protocol/openid-connect/token
>>> with grant_type=client_credentials.
>>>
>>> The result contains a signed JWT as value of field "access_token" rather
>>> than a simple token
>>> as described in chapter 18 (Service Accounts) of the user guide.
>>>
>>> So what I expect (need) is a response like this:
>>>
>>> {
>>>   "access_token":"2YotnFZFEjr1zCsicMWpAA",
>>>   "token_type":"bearer",
>>>   "expires_in":60,
>>>   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>>>   "refresh_expires_in":600,
>>>   "id_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>>>   "not-before-policy":0,
>>>   "session-state":"234234-234234-234234"
>>> }
>>>
>>> Is there a way to configure the account or the realm to return a simple
>>> token
>>> in "access_token" (and "refresh_token") rather than a JWT?
>>>
>>> Cheers,
>>> Manfred
>>>
>>
>> --
>> ========================================
>> Caprica Ltd.
>> 69 Great Hampton Street
>> Birmingham, West Midlands, B186EW,
>> Registered in England and Wales
>> Company No. 5298548
>> Managing Director: Manfred Duchrow
>>
>> German branch
>> Gartenstr. 48, 89150 Laichingen
>> Ulm Local Court: HRB 5073
>> Managing Director: Manfred Duchrow
>> ----------------------------------------
>> Tel: +49 (0)7333 9232190
>> Fax: +49 (0)7333 9232191
>> E-Mail: manfred.duchrow at caprica.de
>> ========================================

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
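The "reference token" arrangement Raghuram describes and the opaque tokens Scott mentions, as an added Python sketch that is not Keycloak code: the client only ever receives a short random handle, the signed JWT stays with the authorization server, and a resource server resolves the handle through an introspection-style lookup. SAMPLE_SIGNED_JWT is a constructed stand-in, and the response shape follows the one Manfred quoted.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed stand-in for the (5000+ character) signed JWT Keycloak issues.
# The three segments are not a real header, payload and signature.
SAMPLE_SIGNED_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzZXJ2aWNlLWFjY291bnQifQ.c2lnbmF0dXJl"


@dataclass
class _Entry:
    signed_jwt: str      # kept server side only; never handed to the client
    expires_at: float    # absolute expiry in seconds since the epoch


class ReferenceTokenStore:
    """Maps opaque "by reference" handles to the signed JWTs they stand for.

    Only a SHA-256 digest of each handle is stored, so a copy of this table
    (a database dump, a log line) does not yield usable bearer tokens.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._entries: Dict[str, _Entry] = {}
        self._clock = clock

    @staticmethod
    def _digest(handle: str) -> str:
        return hashlib.sha256(handle.encode("ascii")).hexdigest()

    def issue(self, signed_jwt: str, expires_in: int) -> str:
        """Store the JWT and return the handle that is given to the client."""
        handle = secrets.token_urlsafe(32)   # 256 bits of entropy, ~43 chars
        self._entries[self._digest(handle)] = _Entry(
            signed_jwt=signed_jwt, expires_at=self._clock() + expires_in)
        return handle

    def introspect(self, handle: str) -> Optional[str]:
        """Resolve a handle to its JWT; None if unknown, revoked or expired."""
        key = self._digest(handle)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._entries[key]            # lazy clean-up of expired handles
            return None
        return entry.signed_jwt

    def revoke(self, handle: str) -> bool:
        """Revocation is immediate: once the mapping is gone the JWT is unreachable."""
        return self._entries.pop(self._digest(handle), None) is not None


def token_response(store: ReferenceTokenStore, signed_jwt: str,
                   expires_in: int = 60) -> Dict[str, object]:
    """Token endpoint reply with an opaque access_token, as the thread asks for."""
    return {
        "access_token": store.issue(signed_jwt, expires_in),
        "token_type": "bearer",
        "expires_in": expires_in,
    }
```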
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160208/970431fe/attachment-0001.html From pblair at clearme.com Mon Feb 8 14:22:48 2016 From: pblair at clearme.com (Paul Blair) Date: Mon, 8 Feb 2016 19:22:48 +0000 Subject: [keycloak-user] access_token always contains JWT In-Reply-To: <56B8CED1.2000003@redhat.com> References: <355538146.1756649.1454676424011.JavaMail.yahoo@mail.yahoo.com> <56B4AF04.4080608@caprica.biz> <56B8CED1.2000003@redhat.com> Message-ID: +1 on this, but I understand the time constraints. From: > on behalf of Bill Burke > Date: Monday, February 8, 2016 at 12:22 PM To: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] access_token always contains JWT Yes. We want that. Just too busy :) On 2/8/2016 12:16 PM, Scott Rossillo wrote: Opaque access tokens are an interesting idea for security reasons. I've heard them referred to as "by reference" access tokens because the actual JWT access token has to be stored somewhere. The OpenID spec doesn't address this but it's a solid idea for access tokens exposed to external applications, which do not need to be concerned with, or possibly shouldn't be privy to the information inside the token. There's another option that may be more manageable. That is to offer a per client option of encrypting the access token, known as JWE, or JSON Web Encryption[0]. The basic idea is that the signed token is then encrypted with a symmetrical key. This key would probably be a realm level key. Another benefit or JWE is the access token payload is compressed, making the access token shorter. Is this something we would be interested in adding support for? [0]: https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40 Scott Rossillo Smartling | Senior Software Engineer srossillo at smartling.com On Feb 5, 2016, at 9:17 AM, manfred.duchrow at caprica.biz wrote: Yes, that's true (even for some open source software too). 
So am I supposed to put this JWT access token into the Authorization request header as Bearer value to authorize a request? The access token I got from Keycloak is over 5000 characters long! On 05.02.2016 13:47, Raghuram Prabhala wrote: Access token is implementation specific. Some commercial software have the concept of "reference tokens" which are nothing but random strings indicated below. The clients have to query back the Authorization server to get a validated JWT token ________________________________ From: Stian Thorgersen To: manfred.duchrow at caprica.biz Cc: keycloak-user Sent: Friday, February 5, 2016 7:10 AM Subject: Re: [keycloak-user] access_token always contains JWT There's no such thing as a "simple token". Tokens are always a signed JWT. On 5 February 2016 at 11:17, <manfred.duchrow at caprica.biz> wrote: Hi, I am trying to retrieve an access token from a Keycloak (1.8.0.Final) service account by POST /auth/realms/myrealm/protocol/openid-connect/token with grant_type=client_credentials. The result contains a signed JWT as value of field "access_token" rather than a simple token as described in chapter 18 (Service Accounts) of the user guide. So what I expect (need) is a response like this: { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"bearer", "expires_in":60, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "refresh_expires_in":600, "id_token":"tGzv3JOkF0XG5Qx2TlKWIA", "not-before-policy":0, "session-state":"234234-234234-234234" } Is there a way to configure the account or the realm to return a simple token in "access_token" (and "refresh_token") rather than a JWT? 
Cheers,
Manfred

--
========================================
Caprica Ltd.
69 Great Hampton Street
Birmingham, West Midlands, B186EW,
Registered in England and Wales
Company No. 5298548
Managing Director: Manfred Duchrow

German branch
Gartenstr. 48, 89150 Laichingen
Ulm Local Court: HRB 5073
Managing Director: Manfred Duchrow
----------------------------------------
Tel: +49 (0)7333 9232190
Fax: +49 (0)7333 9232191
E-Mail: manfred.duchrow at caprica.de
========================================

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jessec at dnbcloud.com Mon Feb 8 20:18:59 2016
From: jessec at dnbcloud.com (Jesse Chahal)
Date: Mon, 8 Feb 2016 17:18:59 -0800
Subject: [keycloak-user] Social Login, whitelist company domains (google)
Message-ID:

Hi,

So I've been experimenting with the social login, mostly the google one, and am trying to figure out how to allow whitelisting of domains for people using google apps for business. I think it is common practice to use social login for companies if they are using services from said provider. Is there a way to limit google's social login to only those who are using emails from specific domains? If not, what would be the best way for me to go around implementing this?

From sthorger at redhat.com Tue Feb 9 03:11:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 9 Feb 2016 09:11:39 +0100
Subject: [keycloak-user] Social Login, whitelist company domains (google)
In-Reply-To:
References:
Message-ID:

We don't currently have support for this. However, it would be a nice addition and you're not the first person to ask.

Google provides an hd query parameter that allows specifying the domain. However, it also needs to be verified on the server side in the callback.

On 9 February 2016 at 02:18, Jesse Chahal wrote:
> Hi,
>
> So I've been experimenting with the social login, mostly the google one,
> and am trying to figure out how to allow whitelisting of domains for people
> using google apps for business. I think it is common practice to use social
> login for companies if they are using services from said provider. Is there
> a way to limit google's social login to only those who are using emails
> from specific domains? If not, what would be the best way for me to go around
> implementing this?
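Both halves of the domain whitelist Stian describes (send Google the hd hint, then verify on the server in the callback), as an added Python example that is neither Keycloak's nor Google's code. ALLOWED_DOMAINS and the client parameters are constructed; the authorization endpoint URL is an assumption, not taken from the thread.

```python
from typing import Iterable, Mapping, Optional
from urllib.parse import urlencode

# Constructed whitelist of Google Apps domains allowed to log in.
ALLOWED_DOMAINS = {"example.com"}

# Google's OIDC authorization endpoint (assumed here; not from the thread).
GOOGLE_AUTHORIZE = "https://accounts.google.com/o/oauth2/v2/auth"


def authorize_url(client_id: str, redirect_uri: str, state: str, hd: str) -> str:
    """Build the login redirect carrying the hd hint.

    hd only pre-selects/filters accounts in Google's login UI. Nothing stops
    a user from changing the parameter, so it is a convenience, not a control.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email",
        "state": state,
        "hd": hd,
    }
    return GOOGLE_AUTHORIZE + "?" + urlencode(params)


def allowed_hosted_domain(claims: Mapping[str, object],
                          allowed: Iterable[str] = ALLOWED_DOMAINS) -> Optional[str]:
    """Server-side check for the callback: the matched domain, or None to deny.

    `claims` is the ID token payload whose signature, issuer, audience and
    expiry have ALREADY been verified by the OIDC client library; this adds
    the domain policy on top. It never looks at request parameters, only at
    claims Google signed.
    """
    allowed_set = {d.lower() for d in allowed}
    hd = claims.get("hd")                 # present only for Google Apps accounts
    email = claims.get("email")
    if not isinstance(hd, str) or not isinstance(email, str):
        return None                       # consumer accounts carry no hd claim
    if claims.get("email_verified") is not True:
        return None
    hd = hd.lower()
    local_part, at, email_domain = email.rpartition("@")
    if not at or not local_part or email_domain.lower() != hd:
        return None                       # hd and e-mail domain must agree
    return hd if hd in allowed_set else None
```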
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/f23feccf/attachment-0001.html From davidillsley at gmail.com Tue Feb 9 03:27:55 2016 From: davidillsley at gmail.com (David Illsley) Date: Tue, 9 Feb 2016 08:27:55 +0000 Subject: [keycloak-user] Social Login, whitelist company domains (google) In-Reply-To: References: Message-ID: Are there any thoughts or plans to implement something like auth0 rules [1] which would allow easy customisaton of things like this (the checking part anyway)? [1] https://auth0.com/docs/rules On Tue, Feb 9, 2016 at 8:11 AM, Stian Thorgersen wrote: > We don't currently have support for this. However, it would be a nice > addition and you're not the first person to ask. > > Google provides an hd query parameter that allows specifying the domain. > However, it also needs to be verified on the server side in the callback. > > On 9 February 2016 at 02:18, Jesse Chahal wrote: > >> Hi, >> >> So I've been experimented with the social login, mostly the google one, >> and am trying to figure out how to allow whitelisting of domains for people >> using google apps for business. I think it is common practice to use social >> login for companies if they are using services from said provider. Is there >> a way to limit google's social login to only those who are using email's >> from specific domains? If not would be the best way for me to go around >> implementing this? >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/2fd5da35/attachment.html From sthorger at redhat.com Tue Feb 9 03:36:09 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 9 Feb 2016 09:36:09 +0100 Subject: [keycloak-user] Social Login, whitelist company domains (google) In-Reply-To: References: Message-ID: We already have that through custom authentication flows. See http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html Whitelist company domain can be done by customizing the first social login flow. On 9 February 2016 at 09:27, David Illsley wrote: > Are there any thoughts or plans to implement something like auth0 rules > [1] which would allow easy customisaton of things like this (the checking > part anyway)? > > [1] https://auth0.com/docs/rules > > On Tue, Feb 9, 2016 at 8:11 AM, Stian Thorgersen > wrote: > >> We don't currently have support for this. However, it would be a nice >> addition and you're not the first person to ask. >> >> Google provides an hd query parameter that allows specifying the domain. >> However, it also needs to be verified on the server side in the callback. >> >> On 9 February 2016 at 02:18, Jesse Chahal wrote: >> >>> Hi, >>> >>> So I've been experimented with the social login, mostly the google one, >>> and am trying to figure out how to allow whitelisting of domains for people >>> using google apps for business. I think it is common practice to use social >>> login for companies if they are using services from said provider. Is there >>> a way to limit google's social login to only those who are using email's >>> from specific domains? If not would be the best way for me to go around >>> implementing this? 
>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/547af226/attachment.html From andrey.saroul at gmail.com Tue Feb 9 05:43:19 2016 From: andrey.saroul at gmail.com (Andrey Saroul) Date: Tue, 9 Feb 2016 13:43:19 +0300 Subject: [keycloak-user] Keycloak redirect to wrong destination Message-ID: Recently I encountered with unexpected behavour of Keycloak. I did a simple rest service and had deployed Keycloak on one the same machine. I'm using keycloak 1.7.0 with WildFly 9.0.2 My root URL of rest service is: /rest In Keycloak admin console I have configured my rest service this way: Client Protocol: openid-connect, Valid Redirect URIs: /rest/* I tried to access my test page of rest service by url: http://localhost:8080/rest/test?id=1 I got redirect to login form, entered my login and password. That's fine, browser got valid jsessionid from Keycloak, BUT at the end of redirect chain I end up with root url of my webapp (http://localhost:8080/rest), but I tried to access different location (http://localhost:8080/rest/test?id=1) I expect to be redirected to the url I entered in the first place. I wonder, is this a bug or a misconfiguration issue? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/8bd65f9d/attachment.html From thomas.darimont at googlemail.com Tue Feb 9 06:02:14 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 9 Feb 2016 12:02:14 +0100 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: Hello, any ideas regarding this? We need to link to a default application from several applications and it would be helpful if keycloak would provide said redirect mechanism, such that each application would only need to know the clientId of the default client application and keycloak performs the proper redirect to the actual target application. The example posted earlier works like a charm. This could even be extended to the point that in case no clientId is given keycloak can decide which client to redirect to. Cheers, Thomas 2016-02-05 19:05 GMT+01:00 Thomas Darimont : > Quick update - I did some further experiments with this... > > I added /redirect path to the a > org.keycloak.services.resources.RealmsResource > like: @Path("{realm}/{client-id}/redirect") > see code fragment below. > > This allows keycloak to initiate a redirect to the browser with the actual > target url of the client. Other clients now only need to now the realm and > clientId > to generate a link that eventually redirects to the target application. > > Usage: > GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302 > response with location: http://apps.corp.local/launchpad > > Any chance to get this in as a PR? 
> > Cheers, > Thomas > > @GET > @Path("{realm}/{client-id}/redirect") > public Response getRedirect(final @PathParam("realm") String > realmName, final @PathParam("client-id") String clientId) throws Exception{ > > RealmModel realm = init(realmName); > > if (realm == null){ > return null; > } > > ClientModel client = realm.getClientByClientId(clientId); > > if (client == null){ > return null; > } > > if (client.getRootUrl() == null){ > return > Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build(); > } > > return Response.temporaryRedirect(URI.create(client.getRootUrl() + > client.getBaseUrl())).build(); > } > > 2016-02-05 16:23 GMT+01:00 Thomas Darimont >: > >> Hello, >> >> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme < >> thomas.raehalme at aitiofinland.com>: >> >>> I understand this as well, but it has not been uncommon to encounter a >>> situation where the user needs to know where to go next, because Keycloak >>> doesn't have a link available. >> >> >> with a redirect facility as outlined above - one could render a link to >> the "$KEYCLOAK_BASE_URL/redirect" or >> lookup the "default" client in order to render the client base url link >> with a proper label (client name). >> >> Cheers, >> Thomas >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/8dde1341/attachment-0001.html From sthorger at redhat.com Tue Feb 9 06:18:51 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 9 Feb 2016 12:18:51 +0100 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: One concern with including this is if there's some potential way it can be a vulnerability. The only thing I can think of is that it allows figuring out the base url for a client. That could then be used to figure out valid redirect uris for a client. Don't think that's a huge deal though. 
Another thing is that it is related to a feature we want to add at some point. We'd like to be able to have a SSO page that lists all clients, including icons and links to the clients. This would have two use-cases: 1. As a landing page on SSO server, and as a way for users to find all applications they can login to 2. A rest service would enable applications to get a list of all clients and provide a link to other applications in the realm (like Google does with the square boxes icon) With that in mind it would be better if the URL for client redirect was "{realm}/clients/{client-id}/redirect" as that would allows us to use "{realm}/clients" in the future for the above feature. "{realm}/clients" is already used by ClientRegistrationService, but I think we can move that to "{realm}/clients/registration" as there's probably not that many people that are using the client registration service yet. On 9 February 2016 at 12:02, Thomas Darimont wrote: > Hello, > > any ideas regarding this? > > We need to link to a default application from several applications and it > would be helpful if keycloak would provide said redirect mechanism, such > that > each application would only need to know the clientId of the default > client application and keycloak performs the proper redirect to the actual > target application. > > The example posted earlier works like a charm. This could even be extended > to the point that in case no clientId is given keycloak can decide which > client to redirect to. > > Cheers, > Thomas > > 2016-02-05 19:05 GMT+01:00 Thomas Darimont >: > >> Quick update - I did some further experiments with this... >> >> I added /redirect path to the a >> org.keycloak.services.resources.RealmsResource >> like: @Path("{realm}/{client-id}/redirect") >> see code fragment below. >> >> This allows keycloak to initiate a redirect to the browser with the actual >> target url of the client. 
Other clients now only need to now the realm >> and clientId >> to generate a link that eventually redirects to the target application. >> >> Usage: >> GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302 >> response with location: http://apps.corp.local/launchpad >> >> Any chance to get this in as a PR? >> >> Cheers, >> Thomas >> >> @GET >> @Path("{realm}/{client-id}/redirect") >> public Response getRedirect(final @PathParam("realm") String >> realmName, final @PathParam("client-id") String clientId) throws Exception{ >> >> RealmModel realm = init(realmName); >> >> if (realm == null){ >> return null; >> } >> >> ClientModel client = realm.getClientByClientId(clientId); >> >> if (client == null){ >> return null; >> } >> >> if (client.getRootUrl() == null){ >> return >> Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build(); >> } >> >> return Response.temporaryRedirect(URI.create(client.getRootUrl() >> + client.getBaseUrl())).build(); >> } >> >> 2016-02-05 16:23 GMT+01:00 Thomas Darimont < >> thomas.darimont at googlemail.com>: >> >>> Hello, >>> >>> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme < >>> thomas.raehalme at aitiofinland.com>: >>> >>>> I understand this as well, but it has not been uncommon to encounter a >>>> situation where the user needs to know where to go next, because Keycloak >>>> doesn't have a link available. >>> >>> >>> with a redirect facility as outlined above - one could render a link to >>> the "$KEYCLOAK_BASE_URL/redirect" or >>> lookup the "default" client in order to render the client base url link >>> with a proper label (client name). >>> >>> Cheers, >>> Thomas >>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
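A hardened shape for the client redirect endpoint discussed above, as an added Python sketch rather than Thomas's Java code or anything in Keycloak: it answers Stian's enumeration concern by requiring an authenticated session in the realm and returning the same 404 for unknown and not-visible clients, and it only ever redirects to a client's registered URLs. The Client and Session types, the groups field (Thomas's client-group idea) and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class Client:
    client_id: str
    root_url: Optional[str]               # e.g. "http://apps.corp.local" (constructed)
    base_url: str                         # e.g. "/launchpad"
    groups: FrozenSet[str] = frozenset()  # hypothetical "client group" membership


@dataclass
class Session:
    realm: str
    authenticated: bool
    client_id: str                        # client the user is currently signed in to


Response = Tuple[int, Dict[str, str]]     # (status, headers)
NOT_FOUND: Response = (404, {})


def client_redirect(realm: str, client_id: str, session: Optional[Session],
                    clients: Dict[str, Client], realm_base: str) -> Response:
    """Resolve {realm}/clients/{client_id}/redirect to a 302, or 404.

    - unauthenticated callers get the same 404 as for an unknown client, so
      the endpoint cannot be used to enumerate clients or their base URLs;
    - the target is only ever a client's registered root/base URL, never a
      caller-supplied value, so this is not an open redirect;
    - the calling client must share a group with the target, again answered
      with 404 rather than 403 so that existence is not revealed.
    """
    if session is None or not session.authenticated or session.realm != realm:
        return NOT_FOUND
    target = clients.get(client_id)
    caller = clients.get(session.client_id)
    if target is None or caller is None:
        return NOT_FOUND
    if target.client_id != caller.client_id and not (target.groups & caller.groups):
        return NOT_FOUND
    if target.root_url:
        location = urljoin(target.root_url.rstrip("/") + "/",
                           target.base_url.lstrip("/"))
    else:
        # No root URL: resolve the base URL against the server's own base,
        # which is what replacePath(client.getBaseUrl()) did in the Java code.
        location = urljoin(realm_base, target.base_url)
    if urlsplit(location).scheme not in ("http", "https"):
        return NOT_FOUND                  # refuse javascript:, data: and friends
    return (302, {"Location": location})
```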
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/97192e40/attachment.html From andrey.saroul at gmail.com Tue Feb 9 10:25:56 2016 From: andrey.saroul at gmail.com (Andrey Saroul) Date: Tue, 9 Feb 2016 18:25:56 +0300 Subject: [keycloak-user] Establish session by ajax request Message-ID: Is there any way to establish session with client (webapp with browser enabled authn, not a Bearer type) by XMLHttpRequest? I have central webapp which provide access to other services (restful). The problem is that when I login into central app I establish session with jsessionid connected to it. That works fine until I try to access other services. I have front-end as a single page (ExtJS) which issue XMLHttpRequest to service (separate web app in the same server). By the time I login into central app browser has its jsessionid, but to access other service, I need to establish another session and keycloak has to generate another jsessionid for me to access this service. And I can't get it supposedly because of XMLHttpRequest not a HttpRequest. For example, for this request (with jsessionid of central webapp): GET /rest/test HTTP/1.1 Host: localhost:8080 *X-Requested-With: XMLHttpRequest* Cookie: JSESSIONID=XAVXi... Connection: keep-alive Response is (I ommited some unimportant headers): *HTTP/1.1 401 Unauthorized* Expires: 0 Cache-Control: no-cache, no-store, max-age=0, must-revalidate X-Powered-By: Undertow/1 Server: WildFly/9 Pragma: no-cache Connection: keep-alive *WWW-Authenticate: Bearer realm="Unknown"* And when I change request to generic http, I got correct jsessionid and can access my rest service. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/bd06332c/attachment.html From thomas.darimont at googlemail.com Tue Feb 9 11:18:59 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 9 Feb 2016 17:18:59 +0100 Subject: [keycloak-user] Default client for a realm In-Reply-To: References: Message-ID: Thanks for your input :) The redirect would only work after a successful authentication, so unauthenticated users couldn't "probe" the realm for clients / target urls. But I see your point that an authenticated "malicious" user could probe all clients if he knew all clientIds (potentially via the new API). Perhaps one could offer a way to define some kind of grouping concept to describe which clients that can see each other (client group?) - so only clients from within the same group would be eligible for such a redirect. Btw. I adapted your suggestion regarding the endpoint path (which is now: {realm}/clients/{client_id}/redirect) and created a JIRA issue [0] and PR [1] with my current impl as a base for further discussion. > Another thing is that it is related to a feature we want to add at some point. > We'd like to be able to have a SSO > page that lists all clients, including icons and links to the clients. > This would have two use-cases: > 1. As a landing page on SSO server, and as a way for users to find all applications they can login to This would be really helpful - is this supposed to replace the applications section in the account page? > 2. A rest service would enable applications to get a list of all clients and provide a link > to other applications in the realm (like Google does with the square boxes icon) This would also be very helpful, currently I pull the information with the keycloak admin client in order to render such a page. A dedicated endpoint that returns clients metadata in JSON format would be neat. 
Are you planning to just build a dedicated page of all apps or also a html/js widget like the 9 square app selector? [0] https://issues.jboss.org/browse/KEYCLOAK-2469 [1] https://github.com/keycloak/keycloak/pull/2202 2016-02-09 12:18 GMT+01:00 Stian Thorgersen : > One concern with including this is if there's some potential way it can be > a vulnerability. > > The only thing I can think of is that it allows figuring out the base url > for a client. That could then be used to figure out valid redirect uris for > a client. Don't think that's a huge deal though. > > Another thing is that it is related to a feature we want to add at some > point. We'd like to be able to have a SSO page that lists all clients, > including icons and links to the clients. This would have two use-cases: > 1. As a landing page on SSO server, and as a way for users to find all > applications they can login to > 2. A rest service would enable applications to get a list of all clients > and provide a link to other applications in the realm (like Google does > with the square boxes icon) > > With that in mind it would be better if the URL for client redirect was > "{realm}/clients/{client-id}/redirect" as that would allows us to use > "{realm}/clients" in the future for the above feature. "{realm}/clients" is > already used by ClientRegistrationService, but I think we can move that to > "{realm}/clients/registration" as there's probably not that many people > that are using the client registration service yet. > > On 9 February 2016 at 12:02, Thomas Darimont < > thomas.darimont at googlemail.com> wrote: > >> Hello, >> >> any ideas regarding this? >> >> We need to link to a default application from several applications and it >> would be helpful if keycloak would provide said redirect mechanism, such >> that >> each application would only need to know the clientId of the default >> client application and keycloak performs the proper redirect to the actual >> target application. 
>> >> The example posted earlier works like a charm. This could even be >> extended to the point that in case no clientId is given keycloak can decide >> which client to redirect to. >> >> Cheers, >> Thomas >> >> 2016-02-05 19:05 GMT+01:00 Thomas Darimont < >> thomas.darimont at googlemail.com>: >> >>> Quick update - I did some further experiments with this... >>> >>> I added /redirect path to the a >>> org.keycloak.services.resources.RealmsResource >>> like: @Path("{realm}/{client-id}/redirect") >>> see code fragment below. >>> >>> This allows keycloak to initiate a redirect to the browser with the >>> actual >>> target url of the client. Other clients now only need to now the realm >>> and clientId >>> to generate a link that eventually redirects to the target application. >>> >>> Usage: >>> GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302 >>> response with location: http://apps.corp.local/launchpad >>> >>> Any chance to get this in as a PR? >>> >>> Cheers, >>> Thomas >>> >>> @GET >>> @Path("{realm}/{client-id}/redirect") >>> public Response getRedirect(final @PathParam("realm") String >>> realmName, final @PathParam("client-id") String clientId) throws Exception{ >>> >>> RealmModel realm = init(realmName); >>> >>> if (realm == null){ >>> return null; >>> } >>> >>> ClientModel client = realm.getClientByClientId(clientId); >>> >>> if (client == null){ >>> return null; >>> } >>> >>> if (client.getRootUrl() == null){ >>> return >>> Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build(); >>> } >>> >>> return Response.temporaryRedirect(URI.create(client.getRootUrl() >>> + client.getBaseUrl())).build(); >>> } >>> >>> 2016-02-05 16:23 GMT+01:00 Thomas Darimont < >>> thomas.darimont at googlemail.com>: >>> >>>> Hello, >>>> >>>> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme < >>>> thomas.raehalme at aitiofinland.com>: >>>> >>>>> I understand this as well, but it has not been uncommon to encounter a 
>>>>> situation where the user needs to know where to go next, because Keycloak >>>>> doesn't have a link available. >>>> >>>> >>>> with a redirect facility as outlined above - one could render a link to >>>> the "$KEYCLOAK_BASE_URL/redirect" or >>>> lookup the "default" client in order to render the client base url link >>>> with a proper label (client name). >>>> >>>> Cheers, >>>> Thomas >>>> >>>> >>>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/cdbd1a01/attachment-0001.html From andrey.saroul at gmail.com Tue Feb 9 13:00:24 2016 From: andrey.saroul at gmail.com (Andrey Saroul) Date: Tue, 9 Feb 2016 21:00:24 +0300 Subject: [keycloak-user] Establish session by ajax request Message-ID: No more actual. I fixed it by using bearer type auth instead of confidential. I generated token and set its value to front-end ExtJs. 2016-02-09 18:25 GMT+03:00 Andrey Saroul : > Is there any way to establish session with client (webapp with browser > enabled authn, not a Bearer type) by XMLHttpRequest? > I have central webapp which provide access to other services (restful). > The problem is that when I login into central app I establish session with > jsessionid connected to it. That works fine until I try to access other > services. I have front-end as a single page (ExtJS) which issue > XMLHttpRequest to service (separate web app in the same server). By the > time I login into central app browser has its jsessionid, but to access > other service, I need to establish another session and keycloak has to > generate another jsessionid for me to access this service. And I can't get > it supposedly because of XMLHttpRequest not a HttpRequest. > > For example, for this request (with jsessionid of central webapp): > GET /rest/test HTTP/1.1 > Host: localhost:8080 > *X-Requested-With: XMLHttpRequest* > Cookie: JSESSIONID=XAVXi... 
> Connection: keep-alive
>
> Response is (I omitted some unimportant headers):
> HTTP/1.1 401 Unauthorized
> Expires: 0
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Powered-By: Undertow/1
> Server: WildFly/9
> Pragma: no-cache
> Connection: keep-alive
> WWW-Authenticate: Bearer realm="Unknown"
>
> And when I change request to generic http, I got correct jsessionid and
> can access my rest service.

From jeremy at jeremysimon.com Tue Feb 9 14:47:31 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Tue, 9 Feb 2016 14:47:31 -0500
Subject: [keycloak-user] spring security getting username
Message-ID:

Hi,

I can't seem to get my user's name using the keycloak adaptor for spring security. I have a rest controller in which I'm trying this chunk of code:

...
Authentication KeyCloakAuth = SecurityContextHolder.getContext().getAuthentication();
KeycloakAccount keyAccount = ((KeycloakAuthenticationToken) KeyCloakAuth).getAccount();

String username1 = keyAccount.getPrincipal().getName();
String username2 = SecurityContextHolder.getContext().getAuthentication().getName();

KeycloakPrincipal prince = (KeycloakPrincipal) ((KeycloakAuthenticationToken) KeyCloakAuth).getPrincipal();
String username3 = prince.getName();
...

username1, username2, username3 will have something like this:
aa5f6e42-9463-4862-a750-bd0c092daf11

I gleaned this from some stackoverflow examples that claimed these approaches worked... Is there something I don't have set right?
jeremy
jeremy at jeremysimon.com
www.JeremySimon.com

From thomas.darimont at googlemail.com Tue Feb 9 15:25:12 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 9 Feb 2016 21:25:12 +0100
Subject: [keycloak-user] spring security getting username
In-Reply-To:
References:
Message-ID:

Hello Jeremy,

try adding: "principal-attribute": "preferred_username" to your keycloak.json.

See: http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config

Cheers,
Thomas

2016-02-09 20:47 GMT+01:00 Jeremy Simon :
> Hi,
>
> I can't seem to get my user's name using the keycloak adaptor for
> spring security. I have a rest controller in which I'm trying this chunk
> of code:
>
> ...
> Authentication KeyCloakAuth =
> SecurityContextHolder.getContext().getAuthentication();
> KeycloakAccount keyAccount = ((KeycloakAuthenticationToken)
> KeyCloakAuth).getAccount();
>
> String username1 = keyAccount.getPrincipal().getName();
> String username2 =
> SecurityContextHolder.getContext().getAuthentication().getName();
>
> KeycloakPrincipal prince = (KeycloakPrincipal)
> ((KeycloakAuthenticationToken) KeyCloakAuth).getPrincipal();
> String username3 = prince.getName();
>
> ...
>
> username1, username2, username3 will have something like this:
> aa5f6e42-9463-4862-a750-bd0c092daf11
>
> I gleaned this from some stackoverflow examples that claimed these
> approaches worked... Is there something I don't have set right?
>
> jeremy
> jeremy at jeremysimon.com
> www.JeremySimon.com
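A way to see what Thomas's setting changes, as an added example that is not from the thread and not Keycloak project code: without "principal-attribute" the Spring Security adapter names the principal after the token's "sub" claim (the UUID Jeremy saw); with it set to preferred_username the name becomes the login name. The controller reads both claims from the KeycloakPrincipal so the stable "sub" can still be used as the key for authorization data. The package name, realm, resource and URL in the comment are constructed sample values; the Keycloak and Spring imports are the adapter's real classes.

```java
package com.example.whoami; // hypothetical package name

import java.util.LinkedHashMap;
import java.util.Map;

import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.representations.AccessToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/*
 * keycloak.json for this resource (realm, resource and URL are constructed
 * sample values):
 * {
 *   "realm": "demo",
 *   "resource": "my-rest-service",
 *   "auth-server-url": "http://localhost:8080/auth",
 *   "principal-attribute": "preferred_username"
 * }
 * Without "principal-attribute" the adapter names the principal after the
 * token's "sub" claim, a UUID like the one in the question above.
 */
@RestController
public class WhoAmIController {

    @GetMapping("/whoami")
    public Map<String, String> whoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof KeycloakAuthenticationToken)) {
            // Reached only if the Keycloak filter chain did not authenticate this request
            throw new IllegalStateException("request was not authenticated by the Keycloak adapter");
        }
        KeycloakPrincipal<?> principal = (KeycloakPrincipal<?>) auth.getPrincipal();
        KeycloakSecurityContext ctx = principal.getKeycloakSecurityContext();
        AccessToken token = ctx.getToken();

        Map<String, String> out = new LinkedHashMap<>();
        // Whatever principal-attribute selects: "sub" by default, the
        // username with the keycloak.json above.
        out.put("principalName", auth.getName());
        // Stable per-user identifier; key authorization data and audit
        // records on this rather than on the display name.
        out.put("sub", token.getSubject());
        // Login name; an admin can rename a user, so treat it as display data.
        out.put("preferredUsername", token.getPreferredUsername());
        return out;
    }
}
```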
From RLewis at carbonite.com Tue Feb 9 15:37:14 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Tue, 9 Feb 2016 20:37:14 +0000
Subject: [keycloak-user] Adding additional security questions for forgotten password.
Message-ID: <56A52C5E-07D4-4F69-ACE1-26EA4087984A@carbonite.com>

I am implementing Keycloak and need to have the ability to have user questions that can be stored, and asked randomly if the user forgets their password.

Can Keycloak store this content, or do I need a separate instance? How do I integrate this into Keycloak?

Thank you,

Reed Lewis

From jeremy at jeremysimon.com Tue Feb 9 15:44:31 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Tue, 9 Feb 2016 15:44:31 -0500
Subject: [keycloak-user] spring security getting username
In-Reply-To:
References:
Message-ID:

That's the trick! Thank you!

jeremy
jeremy at jeremysimon.com
www.JeremySimon.com

On Tue, Feb 9, 2016 at 3:25 PM, Thomas Darimont wrote:
> Hello Jeremy,
>
> try adding: "principal-attribute": "preferred_username" to your
> keycloak.json.
>
> See:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>
> Cheers,
> Thomas
>
> 2016-02-09 20:47 GMT+01:00 Jeremy Simon :
>>
>> Hi,
>>
>> I can't seem to get my user's name using the keycloak adaptor for
>> spring security. I have a rest controller in which I'm trying this chunk
>> of code:
>>
>> ...
>> Authentication KeyCloakAuth = >> SecurityContextHolder.getContext().getAuthentication(); >> KeycloakAccount keyAccount = ((KeycloakAuthenticationToken) >> KeyCloakAuth).getAccount(); >> >> String username1 = keyAccount.getPrincipal().getName() >> String username2 = >> SecurityContextHolder.getContext().getAuthentication().getName() >> >> KeycloakPrincipal prince = (KeycloakPrincipal) >> ((KeycloakAuthenticationToken) KeyCloakAuth).getPrincipal(); >> String username3 = prince.getName(); >> >> ... >> >> >> username1, username2, username3 will have something like this: >> aa5f6e42-9463-4862-a750-bd0c092daf11 >> >> >> I gleaned this from some stackoverflow examples that claimed these >> approached worked... There something I don't have set right? >> >> >> jeremy >> jeremy at jeremysimon.com >> www.JeremySimon.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bl at onion.io Tue Feb 9 17:11:23 2016 From: bl at onion.io (Boken Lin) Date: Tue, 9 Feb 2016 17:11:23 -0500 Subject: [keycloak-user] Information in Access Token Message-ID: <56BA640B.7000901@onion.io> Hi all, Is there a way to define what kind of information gets encoded in the access token? Right now I'm looking for a way to reduce the length of the access token. Any help would be greatly appreciated! Thanks. Boken. 
From thomas.darimont at googlemail.com Tue Feb 9 17:32:59 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 9 Feb 2016 23:32:59 +0100
Subject: [keycloak-user] Information in Access Token
In-Reply-To: <56BA640B.7000901@onion.io>
References: <56BA640B.7000901@onion.io>
Message-ID:

Hello Boken,

you can use Client Mappers to control which attributes are encoded in the Access Token.
Furthermore, check whether you have full scope activated and, if yes, whether this is necessary.

Cheers,
Thomas

2016-02-09 23:11 GMT+01:00 Boken Lin :
> Hi all,
>
> Is there a way to define what kind of information gets encoded in the
> access token? Right now I'm looking for a way to reduce the length of
> the access token.
>
> Any help would be greatly appreciated!
>
> Thanks.
> Boken.

From mstrukel at redhat.com Tue Feb 9 17:39:42 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 9 Feb 2016 23:39:42 +0100
Subject: [keycloak-user] Adding additional security questions for forgotten password.
In-Reply-To: <56A52C5E-07D4-4F69-ACE1-26EA4087984A@carbonite.com>
References: <56A52C5E-07D4-4F69-ACE1-26EA4087984A@carbonite.com>
Message-ID:

There is an authenticator provider example you can study to create your own auth provider:
https://github.com/keycloak/keycloak/tree/master/examples/providers/authenticator

It implements user questions - just what you need, but only one, and without randomness.

On Tue, Feb 9, 2016 at 9:37 PM, Reed Lewis wrote:
> I am implementing Keycloak and need to have the ability to have user
> questions that can be stored, and asked randomly if the user forgets their
> password.
>
> Can Keycloak store this content, or do I need a separate instance? How do
> I integrate this into Keycloak?
>
> Thank you,
>
> Reed Lewis

From bl at onion.io Tue Feb 9 17:57:29 2016
From: bl at onion.io (Boken Lin)
Date: Tue, 9 Feb 2016 17:57:29 -0500
Subject: [keycloak-user] Information in Access Token
In-Reply-To:
References: <56BA640B.7000901@onion.io>
Message-ID:

Thank you!

On Feb 9, 2016 5:33 PM, "Thomas Darimont" wrote:
> Hello Boken,
>
> you can use Client Mappers to control which attributes are encoded in the
> Access Token.
> Furthermore, check whether you have full scope activated and, if yes,
> whether this is necessary.
>
> Cheers,
> Thomas
>
> 2016-02-09 23:11 GMT+01:00 Boken Lin :
>
>> Hi all,
>>
>> Is there a way to define what kind of information gets encoded in the
>> access token? Right now I'm looking for a way to reduce the length of
>> the access token.
>>
>> Any help would be greatly appreciated!
>>
>> Thanks.
>> Boken.

From technolengy at gmail.com Tue Feb 9 21:56:14 2016
From: technolengy at gmail.com (Steve Nolen)
Date: Wed, 10 Feb 2016 02:56:14 +0000
Subject: [keycloak-user] trouble acting as SP with testshib.org IdP
Message-ID:

Hi!

First of all, keycloak is legitimately awesome!

I was attempting to test the use of keycloak as a shibboleth SP today (testing against the testshib.org test IdP) and am having some trouble.
Keycloak Version: 1.9.0CR1 (using it on openshift currently)

Both sides seem to be set up as they should (I used the testshib endpoint to import the settings to keycloak). I'm able to take the redirect over to idp.testshib but on logging in I get a 500 Internal Server Error from keycloak. The message is "No Assertion from response" (stack trace below).

Any thoughts on what might be missing?

==== stack trace ====
http://pastebin.com/3tsApUKK

==== broker details ====
https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor

==== provider details ====
https://www.testshib.org/metadata/testshib-providers.xml

Thank you!
Steve

From michael.anthon at infoview.com.au Tue Feb 9 23:24:10 2016
From: michael.anthon at infoview.com.au (Michael Anthon)
Date: Wed, 10 Feb 2016 04:24:10 +0000
Subject: [keycloak-user] Issues with password reset link expiration
Message-ID:

We are having issues with some users when they are attempting to use the password reset feature. It does work for most users, however for some they always end up at an error page saying "WE'RE SORRY ... An error occurred, please login again through your application"

What I have been able to determine so far is that for the affected users we are seeing a double hit on that URL in the server logs and, from what I understand, these reset URLs are invalidated as soon as they are accessed.

So here's the state of play
* works for most users
* some users hitting the reset URL twice
* URL is only valid for the first access (I'm not 100% sure about this, can someone confirm please?)
* URL is only valid for 30 minutes (but is being accessed within a few minutes of generation)
* affected users are mostly using Outlook
* some people tend to double click links in emails but I've verified with a reliable user that they are only clicking the link once
* having the affected person send themselves another reset email and then copy and paste the URL from the mail client usually resolves this problem

And questions
* is this an issue anyone else has noticed with Outlook, doesn't affect ALL Outlook users, just some
* is there a way to prevent the URL from being invalidated on initial access
* is it feasible to change the behavior so that the URL is only invalidated when the password is changed
* any other thoughts on how to avoid this issue?

Thanks and Regards,

Michael Anthon
InfoView Technologies Pty Ltd
12/15 Adelaide St, Brisbane Qld 4000
P O Box 15478, City East, Brisbane Qld 4000
PH: +61 7 3014 2204
F: +61 7 3014 2200
M: +61 408 768 055
michael.anthon at infoview.com.au

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Any views or opinions expressed in this email are solely those of the author and do not necessarily represent those of InfoView Technologies Pty Ltd.

From jayblanc at gmail.com Wed Feb 10 04:10:40 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Wed, 10 Feb 2016 09:10:40 +0000
Subject: [keycloak-user] trouble acting as SP with testshib.org IdP
In-Reply-To:
References:
Message-ID:

Hi Steve,

I'm using Keycloak as a shibboleth SP in a federation (Renater) and it's working fine.
The problem you encounter comes from the fact that you ask for a persistent nameId in the config of your SP and, according to the provider details, it's only able to send a transient nameId. Set the nameId parameter to undefined and check the authentication again.

Best regards,
Jérôme.

On Wed, 10 Feb 2016 at 03:57, Steve Nolen wrote:
> Hi!
>
> First of all, keycloak is legitimately awesome!
>
> I was attempting to test the use of keycloak as a shibboleth SP today
> (testing against the testshib.org test IdP) and am having some trouble.
>
> Keycloak Version: 1.9.0CR1 (using it on openshift currently)
>
> Both sides seem to be set up as they should (I used the testshib endpoint
> to import the settings to keycloak). I'm able to take the redirect over to
> idp.testshib but on logging in I get a 500 Internal Server Error from
> keycloak. The message is "No Assertion from response" (stack trace below).
>
> Any thoughts on what might be missing?
>
> ==== stack trace ====
> http://pastebin.com/3tsApUKK
>
> ==== broker details ====
> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>
> ==== provider details ====
> https://www.testshib.org/metadata/testshib-providers.xml
>
> Thank you!
> Steve

From sthorger at redhat.com Wed Feb 10 04:21:40 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 10 Feb 2016 10:21:40 +0100
Subject: [keycloak-user] Issues with password reset link expiration
In-Reply-To:
References:
Message-ID:

It should be possible to open the link multiple times, but only submit the password reset once.
If that's not the case (sounds like it is) feel free to create a JIRA issue to report this as a bug. On 10 February 2016 at 05:24, Michael Anthon wrote: > We are having issues with some users when they are attempting to use the > password reset feature. It does work for most users however for some they > always end up at an error page saying "WE'RE SORRY ... An error occurred, > please login again through your application" > > What I have been able to determine so far is that for the affected users > we are seeing a double hit on that URL in the server logs and from what I > understand, these reset URLs are invalidated as soon as they are accessed. > > So here's the state of play > * works for most users > * some users hitting the reset URL twice > * URL is only valid for the first access (I'm not 100% sure about this, > can someone confirm please?) > * URL is only valid for 30 minutes (but is being accessed within a few > minutes of generation) > * affected users are mostly using Outlook > * some people tend to double click links in emails but I've verified with > a reliable user that they are only clicking the link once > * having the affected person send themselves another reset email and then > copy and paste the URL from the mail client usually resolves this problem > > And questions > * is this an issue anyone else has noticed with Outlook, doesn't affect > ALL Outlook users, just some > * is there a way to prevent the URL from being invalidated on initial > access > * is it feasible to change the behavior so that the URL is only > invalidated when the password is changed > * any other thoughts on how to avoid this issue? 
>
> Thanks and Regards,
>
> Michael Anthon
> InfoView Technologies Pty Ltd
> 12/15 Adelaide St, Brisbane Qld 4000
> P O Box 15478, City East, Brisbane Qld 4000
> PH: +61 7 3014 2204
> F: +61 7 3014 2200
> M: +61 408 768 055
> michael.anthon at infoview.com.au

From sthorger at redhat.com Wed Feb 10 04:48:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 10 Feb 2016 10:48:34 +0100
Subject: [keycloak-user] Default client for a realm
In-Reply-To:
References:
Message-ID:

It's too late to add this for 1.9, so we need to wait with merging it until after we've branched 1.9.x. I also need to figure out what to do with the client-registration service, as your PR adds this to "{realm}/clients" which is also the endpoint for the client registration service.

On 9 February 2016 at 17:18, Thomas Darimont wrote:
> Thanks for your input :)
>
> The redirect would only work after a successful authentication,
> so unauthenticated users couldn't "probe" the realm for clients / target
> urls.
>
> But I see your point that an authenticated "malicious" user could probe all
> clients if he knew all clientIds (potentially via the new API).
> Perhaps one could offer a way to define some kind of grouping concept to describe
> which clients can see each other (client group?) - so only clients from within the
> same group would be eligible for such a redirect.
>
> Btw. I adapted your suggestion regarding the endpoint path (which is now:
> {realm}/clients/{client_id}/redirect)
> and created a JIRA issue [0] and PR [1] with my current impl as a base for
> further discussion.
>
> > Another thing is that it is related to a feature we want to add at some
> > point. We'd like to be able to have a SSO page that lists all clients,
> > including icons and links to the clients. This would have two use-cases:
> > 1. As a landing page on SSO server, and as a way for users to find all
> > applications they can login to
>
> This would be really helpful - is this supposed to replace the
> applications section in the account page?

The plan was to have a separate page. It would be simpler than the one in account management as it would simply list the applications, not show access.

> > 2. A rest service would enable applications to get a list of all clients
> > and provide a link to other applications in the realm (like Google does
> > with the square boxes icon)
>
> This would also be very helpful, currently I pull the information with the
> keycloak admin client in order to render such a page. A dedicated endpoint
> that returns clients metadata in JSON format would be neat. Are you planning
> to just build a dedicated page of all apps or also a html/js widget like the
> 9 square app selector?

We were only planning on doing the REST endpoints and the applications landing page. Not sure a html/js widget would be that useful.
It would be fairly simple to create your own using the REST endpoints, and chances are we wouldn't be able to create one that accommodates everyone's needs, so most folks would end up having to do their own.

> [0] https://issues.jboss.org/browse/KEYCLOAK-2469
> [1] https://github.com/keycloak/keycloak/pull/2202
>
> 2016-02-09 12:18 GMT+01:00 Stian Thorgersen :
>
>> One concern with including this is if there's some potential way it can
>> be a vulnerability.
>>
>> The only thing I can think of is that it allows figuring out the base url
>> for a client. That could then be used to figure out valid redirect uris for
>> a client. Don't think that's a huge deal though.
>>
>> Another thing is that it is related to a feature we want to add at some
>> point. We'd like to be able to have a SSO page that lists all clients,
>> including icons and links to the clients. This would have two use-cases:
>> 1. As a landing page on SSO server, and as a way for users to find all
>> applications they can login to
>> 2. A rest service would enable applications to get a list of all clients
>> and provide a link to other applications in the realm (like Google does
>> with the square boxes icon)
>>
>> With that in mind it would be better if the URL for client redirect was
>> "{realm}/clients/{client-id}/redirect" as that would allow us to use
>> "{realm}/clients" in the future for the above feature. "{realm}/clients" is
>> already used by ClientRegistrationService, but I think we can move that to
>> "{realm}/clients/registration" as there's probably not that many people
>> that are using the client registration service yet.
>>
>> On 9 February 2016 at 12:02, Thomas Darimont <
>> thomas.darimont at googlemail.com> wrote:
>>
>>> Hello,
>>>
>>> any ideas regarding this?
>>>
>>> We need to link to a default application from several applications and
>>> it would be helpful if keycloak would provide said redirect mechanism, such
>>> that each application would only need to know the clientId of the default
>>> client application and keycloak performs the proper redirect to the actual
>>> target application.
>>>
>>> The example posted earlier works like a charm. This could even be
>>> extended to the point that in case no clientId is given keycloak can decide
>>> which client to redirect to.
>>>
>>> Cheers,
>>> Thomas
>>>
>>> 2016-02-05 19:05 GMT+01:00 Thomas Darimont <
>>> thomas.darimont at googlemail.com>:
>>>
>>>> Quick update - I did some further experiments with this...
>>>>
>>>> I added a /redirect path to the
>>>> org.keycloak.services.resources.RealmsResource
>>>> like: @Path("{realm}/{client-id}/redirect")
>>>> see code fragment below.
>>>>
>>>> This allows keycloak to initiate a redirect to the browser with the
>>>> actual target url of the client. Other clients now only need to know the
>>>> realm and clientId to generate a link that eventually redirects to the
>>>> target application.
>>>>
>>>> Usage:
>>>> GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302
>>>> response with location: http://apps.corp.local/launchpad
>>>>
>>>> Any chance to get this in as a PR?
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> @GET
>>>> @Path("{realm}/{client-id}/redirect")
>>>> public Response getRedirect(final @PathParam("realm") String realmName,
>>>>                             final @PathParam("client-id") String clientId) throws Exception {
>>>>
>>>>     RealmModel realm = init(realmName);
>>>>
>>>>     if (realm == null) {
>>>>         return null;
>>>>     }
>>>>
>>>>     ClientModel client = realm.getClientByClientId(clientId);
>>>>
>>>>     if (client == null) {
>>>>         return null;
>>>>     }
>>>>
>>>>     if (client.getRootUrl() == null) {
>>>>         return Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();
>>>>     }
>>>>
>>>>     return Response.temporaryRedirect(URI.create(client.getRootUrl() + client.getBaseUrl())).build();
>>>> }
>>>>
>>>> 2016-02-05 16:23 GMT+01:00 Thomas Darimont <
>>>> thomas.darimont at googlemail.com>:
>>>>
>>>>> Hello,
>>>>>
>>>>> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme <
>>>>> thomas.raehalme at aitiofinland.com>:
>>>>>
>>>>>> I understand this as well, but it has not been uncommon to encounter
>>>>>> a situation where the user needs to know where to go next, because Keycloak
>>>>>> doesn't have a link available.
>>>>>
>>>>> with a redirect facility as outlined above - one could render a link
>>>>> to the "$KEYCLOAK_BASE_URL/redirect" or
>>>>> lookup the "default" client in order to render the client base url
>>>>> link with a proper label (client name).
>>>>>
>>>>> Cheers,
>>>>> Thomas
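The target-resolution step of the redirect endpoint quoted in this thread, reworked as an added example (not Keycloak code and not Thomas's PR): the two cases of the snippet are kept (base URL relative to the Keycloak server when no root URL is set, otherwise root URL plus base URL), but the target is resolved as a URI instead of concatenated, only absolute http(s) results under the configured root are accepted, and "nothing to redirect to" is reported explicitly so the JAX-RS method can answer 404 rather than return null (which JAX-RS turns into 204 No Content). ClientTarget is a constructed stand-in for Keycloak's ClientModel, serverBase for the absolute base taken from uriInfo, and the successful authentication the thread says the endpoint requires is assumed to have been checked before resolve() is called.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

/** Redirect-target resolution for a "{realm}/clients/{client-id}/redirect" endpoint. */
public final class ClientRedirectResolver {

    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");

    /** The rootUrl/baseUrl pair of a client (stand-in for ClientModel; constructed). */
    public static final class ClientTarget {
        final String rootUrl;  // may be null, as in the quoted code
        final String baseUrl;  // may be null when no base URL is configured

        public ClientTarget(String rootUrl, String baseUrl) {
            this.rootUrl = rootUrl;
            this.baseUrl = baseUrl;
        }
    }

    /** Returns the redirect target, or empty when the client has no usable one (answer 404). */
    public static Optional<URI> resolve(ClientTarget client, URI serverBase) {
        if (client == null || client.baseUrl == null || client.baseUrl.isEmpty()) {
            return Optional.empty();  // unknown client or nothing configured
        }
        try {
            URI base = new URI(client.baseUrl);
            URI target;
            if (client.rootUrl == null || client.rootUrl.isEmpty()) {
                // No root URL: the base URL is taken relative to the Keycloak
                // server, as replacePath(baseUrl) does in the quoted snippet.
                target = serverBase.resolve(base).normalize();
            } else {
                // Root URL present: the base URL must be a path under it; an
                // absolute base URL here would let the client point anywhere.
                if (base.isAbsolute()) {
                    return Optional.empty();
                }
                String root = client.rootUrl.endsWith("/") ? client.rootUrl : client.rootUrl + "/";
                String rel = client.baseUrl.startsWith("/") ? client.baseUrl.substring(1) : client.baseUrl;
                URI rootUri = new URI(root).normalize();
                target = rootUri.resolve(rel).normalize();
                if (!target.toString().startsWith(rootUri.toString())) {
                    return Optional.empty();  // "../" segments escaped the root
                }
            }
            // A Location header must be an absolute http(s) URL; anything else
            // (mailto:, data:, a relative leftover) is refused.
            if (!target.isAbsolute() || !ALLOWED_SCHEMES.contains(target.getScheme().toLowerCase())) {
                return Optional.empty();
            }
            return Optional.of(target);
        } catch (URISyntaxException e) {
            return Optional.empty();  // malformed configuration is treated as "no target"
        }
    }

    /** The response the endpoint should give: 302 with Location, or 404. */
    public static String describe(ClientTarget client, URI serverBase) {
        return resolve(client, serverBase)
                .map(uri -> "302 Location: " + uri)
                .orElse("404 Not Found");
    }

    public static void main(String[] args) {
        URI serverBase = URI.create("http://localhost:8081/auth/");  // constructed
        System.out.println(describe(new ClientTarget("http://apps.corp.local", "/launchpad"), serverBase));
        System.out.println(describe(new ClientTarget(null, "/launchpad"), serverBase));
        System.out.println(describe(new ClientTarget("http://apps.corp.local", "mailto:helpdesk@corp.local"), serverBase));
        System.out.println(describe(null, serverBase));
    }
}
```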
From eduard.matuszak at atos.net Wed Feb 10 04:56:47 2016
From: eduard.matuszak at atos.net (Matuszak, Eduard)
Date: Wed, 10 Feb 2016 09:56:47 +0000
Subject: [keycloak-user] angularjs ng2 sample
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D723D7B263@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

We are advised to implement the GUI of a new project with angularjs ng2. There is an inspiring sample (https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app) for using the keycloak.js library in collaboration with the older angular version. Do you intend to publish a comparable example based on ng2 in the near future? This would be very helpful.

Thanks in advance for your feedback, Eduard Matuszak

Dr. Eduard Matuszak
Worldline, an atos company
T +49 (211)399 398 63
M +49 (163)166 23 67
F +49(211) 399 22 430
eduard.matuszak at atos.net
Max-Stromeyer-Straße 116
78467 Konstanz
Germany
de.worldline.com
worldline.jobs.de
facebook.com/WorldlineKarriere

Worldline GmbH
Managing Director: Wolf Kunisch
Chairman of the Supervisory Board: Christophe Duquenne
Registered office: Frankfurt/Main
Commercial register: Frankfurt/Main HRB 40 417

* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail by error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and shall not be liable for any damages resulting from any virus transmitted.
* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *

From sthorger at redhat.com Wed Feb 10 05:03:32 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 10 Feb 2016 11:03:32 +0100
Subject: [keycloak-user] angularjs ng2 sample
In-Reply-To: <61D077C6283D454FAFD06F6AC4AB74D723D7B263@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
References: <61D077C6283D454FAFD06F6AC4AB74D723D7B263@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>
Message-ID:

The main issue with Angular is that Keycloak and the Route provider conflict with each other, which causes an endless redirect loop. The current workaround we have is to make sure Keycloak is fully initialized before Angular is bootstrapped. The proper solution would be to have an Angular library for Keycloak that can handle this. We have not had time to look at that, nor have we looked at Angular2 at all. So it would be a while until we would get to this, unless someone from the community wants to contribute it.

On 10 February 2016 at 10:56, Matuszak, Eduard wrote:
> Hello
>
> We are advised to implement the GUI of a new project with angularjs ng2.
> There is an inspiring sample (
> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app)
> for using the keycloak.js library in collaboration with the older angular
> version. Do you intend to publish a comparable example based on ng2 in the
> near future? This would be very helpful.
>
> Thanks in advance for your feedback, Eduard Matuszak
>
> *Dr. Eduard Matuszak*
>
> Worldline, an atos company
> T +49 (211)399 398 63
> M +49 (163)166 23 67
> F +49(211) 399 22 430
> *eduard.matuszak at atos.net*
> Max-Stromeyer-Straße 116
> 78467 Konstanz
> Germany
> *de.worldline.com*
> *worldline.jobs.de*
> *facebook.com/WorldlineKarriere*
>
> Worldline GmbH
> Managing Director: Wolf Kunisch
> Chairman of the Supervisory Board: Christophe Duquenne
> Registered office: Frankfurt/Main
> Commercial register: Frankfurt/Main HRB 40 417
From sthorger at redhat.com Wed Feb 10 07:45:29 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 10 Feb 2016 13:45:29 +0100
Subject: [keycloak-user] Keycloak redirect to wrong destination
In-Reply-To:
References:
Message-ID:

I can't reproduce this issue. We have tests that verify query parameters are included in the redirect uri; I've also verified this manually with our demo (http://localhost:8180/customer-portal/customers/view.jsp?test=test2).

A rest service should be bearer-only though; it shouldn't redirect to the login page at all.

On 9 February 2016 at 11:43, Andrey Saroul wrote:
> Recently I encountered unexpected behaviour of Keycloak.
> I did a simple rest service and had deployed Keycloak on the same
> machine.
> I'm using keycloak 1.7.0 with WildFly 9.0.2
>
> My root URL of rest service is: /rest
> In Keycloak admin console I have configured my rest service this way:
> Client Protocol: openid-connect, Valid Redirect URIs: /rest/*
>
> I tried to access my test page of rest service by url:
> http://localhost:8080/rest/test?id=1
> I got redirect to login form, entered my login and password. That's fine,
> browser got valid jsessionid from Keycloak, BUT at the end of redirect
> chain I end up with root url of my webapp (http://localhost:8080/rest),
> but I tried to access different location (
> http://localhost:8080/rest/test?id=1) I expect to be redirected to the
> url I entered in the first place.
> I wonder, is this a bug or a misconfiguration issue?
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/b6de9449/attachment-0001.html From bburke at redhat.com Wed Feb 10 08:53:52 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 10 Feb 2016 08:53:52 -0500 Subject: [keycloak-user] Issues with password reset link expiration In-Reply-To: References: Message-ID: <56BB40F0.1080204@redhat.com> We changed the "error" message in I think 1.9? Maybe 1.8 to say "You clicked on a stale link. Maybe you have already verified your email?" I'll look into improving this I guess. On 2/10/2016 4:21 AM, Stian Thorgersen wrote: > It should be possible to open the link multiple times, but only submit > the password reset once. If that's not the case (sounds like it is) > feel free to create a JIRA issue to report this as a bug. > > On 10 February 2016 at 05:24, Michael Anthon > > wrote: > > We are having issues with some users when they are attempting to > use the password reset feature. It does work for most users > however for some they always end up at an error page saying "WE'RE > SORRY ... An error occurred, please login again through your > application" > > What I have been able to determine so far is that for the affected > users we are seeing a double hit on that URL in the server logs > and from what I understand, these reset URLs are invalidated as > soon as they are accessed. > > So here's the state of play > * works for most users > * some users hitting the reset URL twice > * URL is only valid for the first access (I'm not 100% sure about > this, can someone confirm please?) 
> * URL is only valid for 30 minutes (but is being accessed within a > few minutes of generation) > * affected users are mostly using Outlook > * some people tend to double click links in emails but I've > verified with a reliable user that they are only clicking the link > once > * having the affected person send themselves another reset email > and then copy and paste the URL from the mail client usually > resolves this problem > > And questions > * is this an issue anyone else has noticed with Outlook, doesn't > affect ALL Outlook users, just some > * is there a way to prevent the URL from being invalidated on > initial access > * is it feasible to change the behavior so that the URL is only > invalidated when the password is changed > * any other thoughts on how to avoid this issue? > > Thanks and Regards, > > Michael Anthon > InfoView Technologies Pty Ltd > 12/15 Adelaide St, Brisbane Qld 4000 > P O Box 15478, City East, Brisbane Qld 4000 > PH: +61 7 3014 2204 > F: +61 7 3014 2200 > M: +61 408 768 055 > michael.anthon at infoview.com.au > > The information transmitted is intended only for the person or > entity to which it is addressed and may contain confidential > and/or privileged material. Any review, retransmission, > dissemination or other use of, or taking of any action in reliance > upon, this information by persons or entities other than the > intended recipient is prohibited. If you received this in error, > please contact the sender and delete the material from any > computer. Any views or opinions expressed in this email are solely > those of the author and do not necessarily represent those of > InfoView Technologies Pty Ltd. 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/91f5b410/attachment.html From jeremy at jeremysimon.com Wed Feb 10 08:56:38 2016 From: jeremy at jeremysimon.com (Jeremy Simon) Date: Wed, 10 Feb 2016 08:56:38 -0500 Subject: [keycloak-user] spring security getting username In-Reply-To: References: Message-ID: So, this is nice that it can be fixed by hand. I'm wondering, is there any way to configure these things for a particular client or realm so that when you're downloading the keycloak.json from the admin console that it's present? jeremy jeremy at jeremysimon.com www.JeremySimon.com On Tue, Feb 9, 2016 at 3:44 PM, Jeremy Simon wrote: > That's the trick! Thank you! > jeremy > jeremy at jeremysimon.com > www.JeremySimon.com > > > On Tue, Feb 9, 2016 at 3:25 PM, Thomas Darimont > wrote: >> Hello Jeremy, >> >> try adding: "principal-attribute": "preferred_username" to your >> keycloak.json. >> >> See: >> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config >> >> Cheers, >> Thomas >> >> 2016-02-09 20:47 GMT+01:00 Jeremy Simon : >>> >>> Hi, >>> >>> I can't seem to get my user's name using the keycloak adaptor for >>> spring security. I have a rest controller that i'm trying this chunk >>> of code: >>> >>> ... 
>>> Authentication KeyCloakAuth = >>> SecurityContextHolder.getContext().getAuthentication(); >>> KeycloakAccount keyAccount = ((KeycloakAuthenticationToken) >>> KeyCloakAuth).getAccount(); >>> >>> String username1 = keyAccount.getPrincipal().getName() >>> String username2 = >>> SecurityContextHolder.getContext().getAuthentication().getName() >>> >>> KeycloakPrincipal prince = (KeycloakPrincipal) >>> ((KeycloakAuthenticationToken) KeyCloakAuth).getPrincipal(); >>> String username3 = prince.getName(); >>> >>> ... >>> >>> >>> username1, username2, username3 will have something like this: >>> aa5f6e42-9463-4862-a750-bd0c092daf11 >>> >>> >>> I gleaned this from some stackoverflow examples that claimed these >>> approached worked... There something I don't have set right? >>> >>> >>> jeremy >>> jeremy at jeremysimon.com >>> www.JeremySimon.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Feb 10 08:58:15 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 10 Feb 2016 14:58:15 +0100 Subject: [keycloak-user] Issues with password reset link expiration In-Reply-To: <56BB40F0.1080204@redhat.com> References: <56BB40F0.1080204@redhat.com> Message-ID: It's not about the error message though. It should be possible to open the link multiple times as long as the form is not submitted. On 10 February 2016 at 14:53, Bill Burke wrote: > We changed the "error" message in I think 1.9? Maybe 1.8 to say "You > clicked on a stale link. Maybe you have already verified your email?" > I'll look into improving this I guess. 
> > > On 2/10/2016 4:21 AM, Stian Thorgersen wrote: > > It should be possible to open the link multiple times, but only submit the > password reset once. If that's not the case (sounds like it is) feel free > to create a JIRA issue to report this as a bug. > > On 10 February 2016 at 05:24, Michael Anthon < > michael.anthon at infoview.com.au> wrote: > >> We are having issues with some users when they are attempting to use the >> password reset feature. It does work for most users however for some they >> always end up at an error page saying "WE'RE SORRY ... An error occurred, >> please login again through your application" >> >> What I have been able to determine so far is that for the affected users >> we are seeing a double hit on that URL in the server logs and from what I >> understand, these reset URLs are invalidated as soon as they are accessed. >> >> So here's the state of play >> * works for most users >> * some users hitting the reset URL twice >> * URL is only valid for the first access (I'm not 100% sure about this, >> can someone confirm please?) >> * URL is only valid for 30 minutes (but is being accessed within a few >> minutes of generation) >> * affected users are mostly using Outlook >> * some people tend to double click links in emails but I've verified with >> a reliable user that they are only clicking the link once >> * having the affected person send themselves another reset email and then >> copy and paste the URL from the mail client usually resolves this problem >> >> And questions >> * is this an issue anyone else has noticed with Outlook, doesn't affect >> ALL Outlook users, just some >> * is there a way to prevent the URL from being invalidated on initial >> access >> * is it feasible to change the behavior so that the URL is only >> invalidated when the password is changed >> * any other thoughts on how to avoid this issue? 
>> >> Thanks and Regards, >> >> Michael Anthon >> InfoView Technologies Pty Ltd >> 12/15 Adelaide St, Brisbane Qld 4000 >> P O Box 15478, City East, Brisbane Qld 4000 >> PH: +61 7 3014 2204 <%2B61%207%203014%202204> >> F: +61 7 3014 2200 <%2B61%207%203014%202200> >> M: +61 408 768 055 <%2B61%20408%20768%20055> >> michael.anthon at infoview.com.au >> >> The information transmitted is intended only for the person or entity to >> which it is addressed and may contain confidential and/or privileged >> material. Any review, retransmission, dissemination or other use of, or >> taking of any action in reliance upon, this information by persons or >> entities other than the intended recipient is prohibited. If you received >> this in error, please contact the sender and delete the material from any >> computer. Any views or opinions expressed in this email are solely those of >> the author and do not necessarily represent those of InfoView Technologies >> Pty Ltd. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/fec405eb/attachment-0001.html From thomas.darimont at googlemail.com Wed Feb 10 09:00:29 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Wed, 10 Feb 2016 15:00:29 +0100 Subject: [keycloak-user] spring security getting username In-Reply-To: References: Message-ID: Hello Jeremy, have a look at this issue: https://issues.jboss.org/browse/KEYCLOAK-2079?jql=project%20%3D%20KEYCLOAK%20AND%20status%20%3D%20Open%20AND%20text%20~%20%22installation%22 Cheers, Thomas 2016-02-10 14:56 GMT+01:00 Jeremy Simon : > So, this is nice that it can be fixed by hand. I'm wondering, is > there any way to configure these things for a particular client or > realm so that when you're downloading the keycloak.json from the admin > console that it's present? > jeremy > jeremy at jeremysimon.com > www.JeremySimon.com > > > On Tue, Feb 9, 2016 at 3:44 PM, Jeremy Simon > wrote: > > That's the trick! Thank you! > > jeremy > > jeremy at jeremysimon.com > > www.JeremySimon.com > > > > > > On Tue, Feb 9, 2016 at 3:25 PM, Thomas Darimont > > wrote: > >> Hello Jeremy, > >> > >> try adding: "principal-attribute": "preferred_username" to your > >> keycloak.json. > >> > >> See: > >> > http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config > >> > >> Cheers, > >> Thomas > >> > >> 2016-02-09 20:47 GMT+01:00 Jeremy Simon : > >>> > >>> Hi, > >>> > >>> I can't seem to get my user's name using the keycloak adaptor for > >>> spring security. I have a rest controller that i'm trying this chunk > >>> of code: > >>> > >>> ... 
> >>> Authentication KeyCloakAuth = > >>> SecurityContextHolder.getContext().getAuthentication(); > >>> KeycloakAccount keyAccount = ((KeycloakAuthenticationToken) > >>> KeyCloakAuth).getAccount(); > >>> > >>> String username1 = keyAccount.getPrincipal().getName() > >>> String username2 = > >>> SecurityContextHolder.getContext().getAuthentication().getName() > >>> > >>> KeycloakPrincipal prince = (KeycloakPrincipal) > >>> ((KeycloakAuthenticationToken) KeyCloakAuth).getPrincipal(); > >>> String username3 = prince.getName(); > >>> > >>> ... > >>> > >>> > >>> username1, username2, username3 will have something like this: > >>> aa5f6e42-9463-4862-a750-bd0c092daf11 > >>> > >>> > >>> I gleaned this from some stackoverflow examples that claimed these > >>> approached worked... There something I don't have set right? > >>> > >>> > >>> jeremy > >>> jeremy at jeremysimon.com > >>> www.JeremySimon.com > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/af5f7804/attachment.html From bburke at redhat.com Wed Feb 10 09:15:48 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 10 Feb 2016 09:15:48 -0500 Subject: [keycloak-user] Issues with password reset link expiration In-Reply-To: References: <56BB40F0.1080204@redhat.com> Message-ID: <56BB4614.8090509@redhat.com> I think this may have been fixed in 1.9 with the flow changes I made. I don't have time to try it out right now though. On 2/10/2016 8:58 AM, Stian Thorgersen wrote: > It's not about the error message though. 
It should be possible to open > the link multiple times as long as the form is not submitted. > > On 10 February 2016 at 14:53, Bill Burke > wrote: > > We changed the "error" message in I think 1.9? Maybe 1.8 to say > "You clicked on a stale link. Maybe you have already verified > your email?" I'll look into improving this I guess. > > > On 2/10/2016 4:21 AM, Stian Thorgersen wrote: >> It should be possible to open the link multiple times, but only >> submit the password reset once. If that's not the case (sounds >> like it is) feel free to create a JIRA issue to report this as a bug. >> >> On 10 February 2016 at 05:24, Michael Anthon >> > > wrote: >> >> We are having issues with some users when they are attempting >> to use the password reset feature. It does work for most >> users however for some they always end up at an error page >> saying "WE'RE SORRY ... An error occurred, please login again >> through your application" >> >> What I have been able to determine so far is that for the >> affected users we are seeing a double hit on that URL in the >> server logs and from what I understand, these reset URLs are >> invalidated as soon as they are accessed. >> >> So here's the state of play >> * works for most users >> * some users hitting the reset URL twice >> * URL is only valid for the first access (I'm not 100% sure >> about this, can someone confirm please?) 
>> * URL is only valid for 30 minutes (but is being accessed >> within a few minutes of generation) >> * affected users are mostly using Outlook >> * some people tend to double click links in emails but I've >> verified with a reliable user that they are only clicking the >> link once >> * having the affected person send themselves another reset >> email and then copy and paste the URL from the mail client >> usually resolves this problem >> >> And questions >> * is this an issue anyone else has noticed with Outlook, >> doesn't affect ALL Outlook users, just some >> * is there a way to prevent the URL from being invalidated on >> initial access >> * is it feasible to change the behavior so that the URL is >> only invalidated when the password is changed >> * any other thoughts on how to avoid this issue? >> >> Thanks and Regards, >> >> Michael Anthon >> InfoView Technologies Pty Ltd >> 12/15 Adelaide St, Brisbane Qld 4000 >> P O Box 15478, City East, Brisbane Qld 4000 >> PH: +61 7 3014 2204 >> F: +61 7 3014 2200 >> M: +61 408 768 055 >> michael.anthon at infoview.com.au >> >> >> The information transmitted is intended only for the person >> or entity to which it is addressed and may contain >> confidential and/or privileged material. Any review, >> retransmission, dissemination or other use of, or taking of >> any action in reliance upon, this information by persons or >> entities other than the intended recipient is prohibited. If >> you received this in error, please contact the sender and >> delete the material from any computer. Any views or opinions >> expressed in this email are solely those of the author and do >> not necessarily represent those of InfoView Technologies Pty Ltd. 
>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/08cd7be0/attachment.html From sthorger at redhat.com Wed Feb 10 09:25:57 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 10 Feb 2016 15:25:57 +0100 Subject: [keycloak-user] Issues with password reset link expiration In-Reply-To: <56BB4614.8090509@redhat.com> References: <56BB40F0.1080204@redhat.com> <56BB4614.8090509@redhat.com> Message-ID: Michael, Can you confirm if this issue still exists on 1.9.0.CR1 and if it does create a JIRA issue? On 10 February 2016 at 15:15, Bill Burke wrote: > I think this may have been fixed in 1.9 with the flow changes I made. I > don't have time to try it out right now though. > > > On 2/10/2016 8:58 AM, Stian Thorgersen wrote: > > It's not about the error message though. It should be possible to open the > link multiple times as long as the form is not submitted. > > On 10 February 2016 at 14:53, Bill Burke wrote: > >> We changed the "error" message in I think 1.9? Maybe 1.8 to say "You >> clicked on a stale link. Maybe you have already verified your email?" >> I'll look into improving this I guess. 
>> >> >> On 2/10/2016 4:21 AM, Stian Thorgersen wrote: >> >> It should be possible to open the link multiple times, but only submit >> the password reset once. If that's not the case (sounds like it is) feel >> free to create a JIRA issue to report this as a bug. >> >> On 10 February 2016 at 05:24, Michael Anthon < >> michael.anthon at infoview.com.au> wrote: >> >>> We are having issues with some users when they are attempting to use the >>> password reset feature. It does work for most users however for some they >>> always end up at an error page saying "WE'RE SORRY ... An error occurred, >>> please login again through your application" >>> >>> What I have been able to determine so far is that for the affected users >>> we are seeing a double hit on that URL in the server logs and from what I >>> understand, these reset URLs are invalidated as soon as they are accessed. >>> >>> So here's the state of play >>> * works for most users >>> * some users hitting the reset URL twice >>> * URL is only valid for the first access (I'm not 100% sure about this, >>> can someone confirm please?) >>> * URL is only valid for 30 minutes (but is being accessed within a few >>> minutes of generation) >>> * affected users are mostly using Outlook >>> * some people tend to double click links in emails but I've verified >>> with a reliable user that they are only clicking the link once >>> * having the affected person send themselves another reset email and >>> then copy and paste the URL from the mail client usually resolves this >>> problem >>> >>> And questions >>> * is this an issue anyone else has noticed with Outlook, doesn't affect >>> ALL Outlook users, just some >>> * is there a way to prevent the URL from being invalidated on initial >>> access >>> * is it feasible to change the behavior so that the URL is only >>> invalidated when the password is changed >>> * any other thoughts on how to avoid this issue? 
>>> >>> Thanks and Regards, >>> >>> Michael Anthon >>> InfoView Technologies Pty Ltd >>> 12/15 Adelaide St, Brisbane Qld 4000 >>> P O Box 15478, City East, Brisbane Qld 4000 >>> PH: +61 7 3014 2204 <%2B61%207%203014%202204> >>> F: +61 7 3014 2200 <%2B61%207%203014%202200> >>> M: +61 408 768 055 <%2B61%20408%20768%20055> >>> michael.anthon at infoview.com.au >>> >>> The information transmitted is intended only for the person or entity to >>> which it is addressed and may contain confidential and/or privileged >>> material. Any review, retransmission, dissemination or other use of, or >>> taking of any action in reliance upon, this information by persons or >>> entities other than the intended recipient is prohibited. If you received >>> this in error, please contact the sender and delete the material from any >>> computer. Any views or opinions expressed in this email are solely those of >>> the author and do not necessarily represent those of InfoView Technologies >>> Pty Ltd. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > -------------- next part -------------- An HTML attachment was scrubbed... 
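The contract Stian states for the reset link thread above (the link may be opened any number of times, the form may be submitted once) is exactly what a mail client that prefetches URLs, a link scanner, or a user who double-clicks needs. The Java class below is an added example written for this page, not Keycloak's own implementation: it validates the token on the GET that renders the form without consuming it, and consumes it atomically on the POST that changes the password. Class and method names, the in-memory map and the sample user id are assumptions; the 30-minute lifetime is the figure quoted in the thread.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/**
 * Added example (not Keycloak code): a reset-link store whose tokens survive
 * being opened repeatedly but can be redeemed exactly once.
 *
 *   GET  /reset?token=...  -> lookupForForm(token): validate and render, do not consume
 *   POST /reset            -> redeem(token):        consume atomically, then change the password
 */
public final class ResetLinkStore {

    /** Lifetime quoted in the thread; the value itself is a configuration choice. */
    private static final Duration LIFETIME = Duration.ofMinutes(30);
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Entry {
        final String userId;
        final Instant expiresAt;
        Entry(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
        boolean expired() { return Instant.now().isAfter(expiresAt); }
    }

    private final ConcurrentMap<String, Entry> tokens = new ConcurrentHashMap<>();

    /** Issue a token: 256 bits from SecureRandom, URL-safe base64 without padding. */
    public String issue(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(token, new Entry(userId, Instant.now().plus(LIFETIME)));
        return token;
    }

    /**
     * GET handler support. Validates without consuming, so a mail client that
     * pre-fetches the URL, a link scanner, or a double-click still leaves a
     * working link for the user.
     */
    public Optional<String> lookupForForm(String token) {
        Entry e = tokens.get(token);
        if (e == null) return Optional.empty();
        if (e.expired()) { tokens.remove(token, e); return Optional.empty(); }
        return Optional.of(e.userId);
    }

    /**
     * POST handler support. ConcurrentMap.remove is atomic, so two submissions
     * racing on the same token cannot both get the user id back.
     */
    public Optional<String> redeem(String token) {
        Entry e = tokens.remove(token);
        if (e == null || e.expired()) return Optional.empty();
        return Optional.of(e.userId);
    }

    public static void main(String[] args) {
        ResetLinkStore store = new ResetLinkStore();
        String token = store.issue("user-42");   // constructed sample user
        // Two GETs (prefetch plus the real click) both find the link valid.
        System.out.println("GET #1 valid: " + store.lookupForForm(token).isPresent());
        System.out.println("GET #2 valid: " + store.lookupForForm(token).isPresent());
        // Only the first POST redeems the token.
        System.out.println("POST #1: " + store.redeem(token).orElse("rejected"));
        System.out.println("POST #2: " + store.redeem(token).orElse("rejected"));
    }
}
```

The practitioner's check is that nothing done while serving the GET may have a side effect: Outlook's link handling and browser prefetch hit the URL before the user does, so a store that invalidates on first access produces precisely the "stale link" failures reported above. Consumption belongs in the POST, guarded by an atomic remove (or a conditional UPDATE when the store is a database) so that concurrent submissions cannot both succeed. In a real deployment keep only a hash of the token in the store, so a dump of it does not yield usable links, and use a shared store rather than this in-memory map when more than one node serves the reset endpoint.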
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/4e6c60d0/attachment-0001.html From technolengy at gmail.com Wed Feb 10 11:02:51 2016 From: technolengy at gmail.com (Steve Nolen) Date: Wed, 10 Feb 2016 16:02:51 +0000 Subject: [keycloak-user] trouble acting as SP with testshib.org IdP In-Reply-To: References: Message-ID: Hi Jérôme, Thanks for the help! I swapped the NameId in keycloak for this broker to unspecified (I uploaded my sp metadata to testshib.org again as well just in case) and am still receiving the same error. On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard wrote: > Hi Steve, > > I'm using Keycloak as a shibboleth SP in a federation (Renater) and it's > working fine. The problem you encounter comes from the fact that you ask > for a persistent nameId in the config of your SP and, according to the > provider details, it's only able to send transient nameId. > Fill the parameter of nameId to undefined and check the authentication > again. > > Best regards, Jérôme. > > On Wed, 10 Feb 2016 at 03:57, Steve Nolen wrote: > >> Hi! >> >> First of all, keycloak is legitimately awesome! >> >> I was attempting to test the use of keycloak as a shibboleth SP today >> (testing against the testshib.org test IdP) and am having some trouble. >> >> Keycloak Version: 1.9.0CR1 (using it on openshift currently) >> >> Both sides seem to be set up as they should (I used the testshib endpoint >> to import the settings to keycloak). I'm able to take the redirect over to >> idp.testshib but on logging in I get a 500 Internal Server Error from >> keycloak. The message is "No Assertion from response" (stack trace below). >> >> Any thoughts on what might be missing? 
>> >> ==== stack trace ==== >> http://pastebin.com/3tsApUKK >> >> ==== broker details ==== >> >> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor >> >> ==== provider details ==== >> https://www.testshib.org/metadata/testshib-providers.xml >> >> Thank you! >> Steve >> > _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/02dd324c/attachment.html From RRathod at carbonite.com Wed Feb 10 15:00:59 2016 From: RRathod at carbonite.com (Riddhi Rathod) Date: Wed, 10 Feb 2016 20:00:59 +0000 Subject: [keycloak-user] Keycloak clustering in AWS Message-ID: <5D0EA50B-5F8C-4F79-A72F-738A1E586560@carboniteinc.com> I am trying to set up a keycloak cluster with a shared database in an AWS environment. I followed all steps mentioned on this link: http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html Keycloak nodes are AWS EC2 and the shared database is AWS RDS. How do the keycloak instances identify each other in a cluster in AWS (how does multicast work in an AWS VPC)? Has anyone tried this before? Any references or a list of things to take care of would be great. Thank you, Riddhi Rathod -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/c5d8ea5b/attachment.html From bburke at redhat.com Wed Feb 10 15:04:44 2016 From: bburke at redhat.com (Bill Burke) Date: Wed, 10 Feb 2016 15:04:44 -0500 Subject: [keycloak-user] Keycloak clustering in AWS In-Reply-To: <5D0EA50B-5F8C-4F79-A72F-738A1E586560@carboniteinc.com> References: <5D0EA50B-5F8C-4F79-A72F-738A1E586560@carboniteinc.com> Message-ID: <56BB97DC.5000006@redhat.com> I don't have the link, but search the email archives of keycloak-user/keycloak-dev There was a long discussion about this. Basically, you can't use multicast and you have to configure jgroups/infinispan to use a different protocol. On 2/10/2016 3:00 PM, Riddhi Rathod wrote: > I am trying to setup keycloak cluster with a shared database in AWS > environment. I followed all steps mentioned on this link: > http://keycloak.github.io/docs/userguide/keycloak-server/html/clustering.html > Keycloak nodes are AWS EC2 and shared database is AWS RDS. How does > the keycloak instances identify each other in cluster in AWS (how does > multicast work in a AWS VPC)? > Has anyone tried this before? Any references or things to take care of > list would be great. > Thank you, > Riddhi Rathod > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/348b9e66/attachment.html From darkness.renann at gmail.com Wed Feb 10 15:23:12 2016 From: darkness.renann at gmail.com (Renann Prado) Date: Wed, 10 Feb 2016 18:23:12 -0200 Subject: [keycloak-user] NullPointerException during deployment Message-ID: I've been following keycloak guide, but I'm facing the below exception. 
I'm trying to secure a WAR that is inside of an EAR, I've tried to add below two dependencies in my pom.xml. What am I missing? *Wildfly version: *10.0.0.Final *Keycloak version: *1.9.0.CR1 *Dependencies (tried in EAR and in WAR, no luck):* org.keycloak keycloak-core 1.9.0.CR1 provided org.keycloak keycloak-adapter-core 1.9.0.CR1 provided *Subsystem configuration:* TestRealm test-resource MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmpxbZQMAf2NPcWCbdVWfu3JKEZ5PHuL+a5JTzyuln/wXpfhGPyCDS8rYDj2tf5lA8WQYoV8M5ip3DbCdL43wsW8/oJM/UOKn7mwy2x0OdW40bw1c8b1D6FveliIXwtovyw0EGCFn67qLdtHPLAlVvv5UXPIPFCakzdx1xS/6zgZ1uF2fzwLZpLh21M9XYNHQk6ui047+13Uf5H5yYQNLin8WluZ4JLfO8teVV9ARTqezVoZ5/+SNH4Mw+N1i7sGr13mzl51XvpFmm10Yx0dNiuy+WPA9xv1eNWcWgQWXxCEzDBenn59pmZ9JnTpoOqvZknmBGqyQPDqN9tJIWnWZKQIDAQAB http://localhost:8082/auth none password *Exception* 8:13:18,779 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.deployment.unit."Test-ear.ear".DEPENDENCIES: org.jboss.msc.service.StartException in service jboss.deployment.unit."Test-ear.ear".DEPENDENCIES: WFLYSRV0153: Failed to process phase DEPENDENCIES of deployment "Test-ear.ear" at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NullPointerException at org.keycloak.subsystem.adapter.extension.KeycloakDependencyProcessor.deploy(KeycloakDependencyProcessor.java:52) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) ... 
5 more 18:13:18,784 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "Test-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES: WFLYSRV0153: Failed to process phase DEPENDENCIES of deployment \"Test-ear.ear\" Caused by: java.lang.NullPointerException"}} 18:13:18,786 ERROR [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0021: Deploy of deployment "Test-ear.ear" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES: WFLYSRV0153: Failed to process phase DEPENDENCIES of deployment \"Test-ear.ear\" Caused by: java.lang.NullPointerException"}} Renann Prado -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/761a0d47/attachment-0001.html From RRathod at carbonite.com Wed Feb 10 18:01:49 2016 From: RRathod at carbonite.com (Riddhi Rathod) Date: Wed, 10 Feb 2016 23:01:49 +0000 Subject: [keycloak-user] Device tokens with keycloak Message-ID: Does Keycloak have the ability to provide ?device? tokens in addition to the user tokens ? I found discussion link on device registration: http://lists.jboss.org/pipermail/keycloak-dev/2014-January/001116.html . However, I wanted to know whether or not this feature is supported now? Thank you, Riddhi Rathod -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/04da444f/attachment.html From charles at dazen.com.br Wed Feb 10 18:49:25 2016 From: charles at dazen.com.br (Charles Queiroz) Date: Wed, 10 Feb 2016 20:49:25 -0300 Subject: [keycloak-user] Create user + keycloak-admin-client Message-ID: Hi folks, I'm trying to programmatically add a user in keycloak server using the admin client (version 1.8.0.RC3) like this post shows (link: http://www.first8.nl/blog/programmatically-adding-users-in-keycloak/ ), but no success yet! ;( The Steps: 1 - Add dependency on pom.xml like: org.keycloak keycloak-admin-client 1.8.0.CR3 2 - Implement the method body like: public User save(User user) { Keycloak kc = Keycloak.getInstance("http://localhost:8080/auth", "forum", "admin", "admin", "security-admin-console"); CredentialRepresentation credential = new CredentialRepresentation(); credential.setType(CredentialRepresentation.PASSWORD); credential.setValue(user.getPassword()); UserRepresentation newUser = new UserRepresentation(); newUser.setUsername(user.getLogin()); newUser.setFirstName(user.getName()); newUser.setCredentials(Arrays.asList(credential)); kc.realm("forum").users().create(newUser); User saved = repository.save(user); savedUser.fire(saved); return saved; } When I run the app, the exception thrown is: 20:46:03,583 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-14) Sending request: POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1 20:46:03,584 DEBUG [org.apache.http.wire] (default task-14) >> "POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1[\r][\n]" 20:46:03,585 DEBUG [org.apache.http.wire] (default task-14) >> "Accept: application/json[\r][\n]" 20:46:03,587 DEBUG [org.apache.http.wire] (default task-14) >> "Accept-Encoding: gzip, deflate[\r][\n]" 20:46:03,589 DEBUG [org.apache.http.wire] (default task-14) >> "Content-Type: application/x-www-form-urlencoded[\r][\n]" 20:46:03,591 DEBUG [org.apache.http.wire] 
(default task-14) >> "Content-Length: 82[\r][\n]" 20:46:03,592 DEBUG [org.apache.http.wire] (default task-14) >> "Host: localhost:8080[\r][\n]" 20:46:03,594 DEBUG [org.apache.http.wire] (default task-14) >> "Connection: Keep-Alive[\r][\n]" 20:46:03,596 DEBUG [org.apache.http.wire] (default task-14) >> "[\r][\n]" 20:46:03,598 DEBUG [org.apache.http.headers] (default task-14) >> POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1 20:46:03,599 DEBUG [org.apache.http.headers] (default task-14) >> Accept: application/json 20:46:03,601 DEBUG [org.apache.http.headers] (default task-14) >> Accept-Encoding: gzip, deflate 20:46:03,602 DEBUG [org.apache.http.headers] (default task-14) >> Content-Type: application/x-www-form-urlencoded 20:46:03,604 DEBUG [org.apache.http.headers] (default task-14) >> Content-Length: 82 20:46:03,605 DEBUG [org.apache.http.headers] (default task-14) >> Host: localhost:8080 20:46:03,606 DEBUG [org.apache.http.headers] (default task-14) >> Connection: Keep-Alive 20:46:03,610 DEBUG [org.apache.http.wire] (default task-14) >> "grant_type=password&username=admin&password=admin&client_id=security-admin-console" 20:46:03,612 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /realms/forum/protocol/openid-connect/token 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) AUTHENTICATE CLIENT 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) client authenticator: client-secret 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) client authenticator SUCCESS: client-secret 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) Client security-admin-console authenticated by client-secret 20:46:03,615 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) AUTHENTICATE ONLY 20:46:03,615 DEBUG 
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) processFlow 20:46:03,615 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) check execution: direct-grant-validate-username requirement: REQUIRED 20:46:03,616 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator: direct-grant-validate-username 20:46:03,616 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) invoke authenticator.authenticate 20:46:03,617 FINE [org.mongodb.driver.protocol.query] (default task-15) Sending query of namespace forum.users on connection [connectionId{localValue:2, serverValue:184}] to server 127.0.0.1:27017 20:46:03,617 FINE [org.mongodb.driver.protocol.query] (default task-15) Query completed 20:46:03,618 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=forum, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=admin 20:46:03,619 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator FAILED: direct-grant-validate-username 20:46:03,624 DEBUG [org.apache.http.wire] (default task-14) << "HTTP/1.1 401 Unauthorized[\r][\n]" 20:46:03,627 DEBUG [org.apache.http.wire] (default task-14) << "Connection: keep-alive[\r][\n]" 20:46:03,629 DEBUG [org.apache.http.wire] (default task-14) << "X-Powered-By: Undertow/1[\r][\n]" 20:46:03,631 DEBUG [org.apache.http.wire] (default task-14) << "Server: WildFly/10[\r][\n]" 20:46:03,632 DEBUG [org.apache.http.wire] (default task-14) << "Transfer-Encoding: chunked[\r][\n]" 20:46:03,634 DEBUG [org.apache.http.wire] (default task-14) << "Content-Type: application/json[\r][\n]" 20:46:03,636 DEBUG [org.apache.http.wire] (default task-14) << "Date: Wed, 10 Feb 2016 23:46:03 GMT[\r][\n]" 20:46:03,637 DEBUG [org.apache.http.wire] (default task-14) << 
"[\r][\n]" 20:46:03,639 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-14) Receiving response: HTTP/1.1 401 Unauthorized 20:46:03,640 DEBUG [org.apache.http.headers] (default task-14) << HTTP/1.1 401 Unauthorized 20:46:03,642 DEBUG [org.apache.http.headers] (default task-14) << Connection: keep-alive 20:46:03,643 DEBUG [org.apache.http.headers] (default task-14) << X-Powered-By: Undertow/1 20:46:03,645 DEBUG [org.apache.http.headers] (default task-14) << Server: WildFly/10 20:46:03,646 DEBUG [org.apache.http.headers] (default task-14) << Transfer-Encoding: chunked 20:46:03,647 DEBUG [org.apache.http.headers] (default task-14) << Content-Type: application/json 20:46:03,649 DEBUG [org.apache.http.headers] (default task-14) << Date: Wed, 10 Feb 2016 23:46:03 GMT 20:46:03,651 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-14) Connection can be kept alive indefinitely 20:46:03,653 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-14) Authentication required 20:46:03,654 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-14) localhost:8080 requested authentication 20:46:03,656 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-14) Response contains no authentication challenges 20:46:03,665 DEBUG [org.apache.http.wire] (default task-14) << "48[\r][\n]" 20:46:03,667 DEBUG [org.apache.http.wire] (default task-14) << "{"error_description":"Invalid user credentials","error":"invalid_grant"}" 20:46:03,668 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" 20:46:03,670 DEBUG [org.apache.http.wire] (default task-14) << "0[\r][\n]" 20:46:03,671 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" 20:46:03,673 DEBUG [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl at 1d6c4f71 20:46:03,675 DEBUG [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) 
Connection can be kept alive indefinitely 20:46:11,315 DEBUG [org.jboss.as.jpa] (default task-14) default task-14:transaction scoped EntityManager [forum.war#ForumPU]: closing entity managersession 20:46:11,315 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-14) Initiating JDBC connection release from afterTransaction 20:46:11,316 ERROR [org.jboss.as.ejb3.invocation] (default task-14) WFLYEJB0034: EJB Invocation failed on component UserRestEndpoint for method public javax.ws.rs.core.Response br.com.projetolead.forum.integration.rest.UserRestEndpoint.save(br.com.projetolead.forum.model.User,javax.servlet.http.HttpServletRequest) throws java.io.IOException: javax.ejb.EJBException: javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:187) ------ but, when I change the user to charles (no admin user. login: charles, password: java) the error is: ------ 20:41:18,314 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-14) Sending request: POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1 20:41:18,315 DEBUG [org.apache.http.wire] (default task-14) >> "POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1[\r][\n]" 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Accept: application/json[\r][\n]" 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Accept-Encoding: gzip, deflate[\r][\n]" 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Content-Type: application/x-www-form-urlencoded[\r][\n]" 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Content-Length: 83[\r][\n]" 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Host: localhost:8080[\r][\n]" 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Connection: Keep-Alive[\r][\n]" 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "[\r][\n]" 20:41:18,316 DEBUG 
[org.apache.http.headers] (default task-14) >> POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> Accept: application/json 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> Accept-Encoding: gzip, deflate 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> Content-Type: application/x-www-form-urlencoded 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> Content-Length: 83 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> Host: localhost:8080 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> Connection: Keep-Alive 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "grant_type=password&username=charles&password=java&client_id=security-admin-console" 20:41:18,318 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-15) RESTEASY002315: PathInfo: /realms/forum/protocol/openid-connect/token 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) AUTHENTICATE CLIENT 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) client authenticator: client-secret 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) client authenticator SUCCESS: client-secret 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) Client security-admin-console authenticated by client-secret 20:41:18,321 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-15) AUTHENTICATE ONLY 20:41:18,321 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) processFlow 20:41:18,321 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) check execution: direct-grant-validate-username requirement: REQUIRED 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator: 
direct-grant-validate-username 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) invoke authenticator.authenticate 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator SUCCESS: direct-grant-validate-username 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) check execution: direct-grant-validate-password requirement: REQUIRED 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator: direct-grant-validate-password 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) invoke authenticator.authenticate 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator SUCCESS: direct-grant-validate-password 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) check execution: direct-grant-validate-otp requirement: OPTIONAL 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator: direct-grant-validate-otp 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) invoke authenticator.authenticate 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-15) authenticator ATTEMPTED: direct-grant-validate-otp 20:41:18,360 DEBUG [org.keycloak.events] (default task-15) type=LOGIN, realmId=forum, clientId=security-admin-console, userId=f785e600-124c-4e26-914e-2c4f6ec9c95b, ipAddress=127.0.0.1, auth_method=openid-connect, token_id=4dd8bbcb-e771-4652-8711-b2c0937bb8fe, grant_type=password, refresh_token_type=Refresh, refresh_token_id=c0e58e55-9edc-4940-9ff4-52a5a5a9f577, client_auth_method=client-secret, username=charles 20:41:18,363 DEBUG [org.apache.http.wire] (default task-14) << "HTTP/1.1 200 OK[\r][\n]" 20:41:18,363 DEBUG [org.apache.http.wire] (default 
task-14) << "Connection: keep-alive[\r][\n]" 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "X-Powered-By: Undertow/1[\r][\n]" 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "Server: WildFly/10[\r][\n]" 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "Transfer-Encoding: chunked[\r][\n]" 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "Content-Type: application/json[\r][\n]" 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "Date: Wed, 10 Feb 2016 23:41:18 GMT[\r][\n]" 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" 20:41:18,364 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-14) Receiving response: HTTP/1.1 200 OK 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << HTTP/1.1 200 OK 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << Connection: keep-alive 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << X-Powered-By: Undertow/1 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << Server: WildFly/10 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << Transfer-Encoding: chunked 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << Content-Type: application/json 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << Date: Wed, 10 Feb 2016 23:41:18 GMT 20:41:18,364 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-14) Connection can be kept alive indefinitely 20:41:18,386 DEBUG [org.apache.http.wire] (default task-14) << "0ed6[\r][\n]" 20:41:18,386 DEBUG [org.apache.http.wire] (default task-14) << 
"{"access_token":"eyJhbGciOiJSUzI1NiJ9.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.bDRa_LxZeClP3k8GpcZPabZFcZA2oizTWdv-11xsUOutGx6zcP50EogkCfgFOyIsF0LCmTFOoqgBIS1XA8lFAImmCmxad6kOi7Jv1vxt-7YvxauxQdppDmKa10QTV-Za46QQEMyEjxT6o3AuCi-clxUUfLmKE7PVXmZeB07ejABoEKRZhEJVDHo3u-O1G_hjtwuH1DDkwLpgsEWBRYJ-_Dh-vKupgXxuckduelhbasLdiSXhJwdmVfY2Johfyk6WxVEViuigoLi8qe6y0KNbcyt3Vtf_t_9y7dvyGZZaM_9WLzwr29yR-91uM0rcr0V_B3W0MAwSXLFV5c1nEn03Pg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.MPwbo7nnYspbbgAzWt2Z5ozWaMpP0ONI5WKAR-A8GkrrjYXTyJZk9mDLxHxUVaINboesSAhTd_RO4-g0k6yK8YOQLetztdl-YJxIUnVZQmCFdPwBOkty2Azmcib7mNI2eJWvUdFAIvpRhWt-2_P03DXAE0sAN4oS48HocQxKD2ZMHkB_rDWwKX313l_wFxUkW5T9tOv93jMHFx8k6dGV5GWVEH6-fuw4K5k-zUGRxKrBsQaCxJrpmjxXsx2gFqoYgU8PnRk2ReqblEIxC4fQfMk0SsW0Hm77_I0YaPMPW-yn4eULm31yYqnWOphZhtNmybMgi2Y8iJ_Q2yqCU2iJkw","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.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.YxeYJ9cKFyDRQ1YyJbwflQSr-n8l9nW1ORsvQbWo1XYfd6UqiUJlSsygIg4JqFIJGfCU_X8DJcV5HmdOtt90IHqW0_Oc6P8ZvVA1UdGEcoWlVBi88Hd_dIGC3WgyaE4WdOW1KC6nh3Eba2KmdUPQQ3xRKYXd9-pxmE2DwDrHZtONd8EaqTeK4J8vE34Jr_BQyNdv9yGztUh73AGVXAeVk4MqKBRAVmcod_eYOpaaf2OfQwaHQZpskwVqrEIIffyXmIMwD1MbmIP4tMPdMnNBK7bzNO-Qx7VTgWOuTu-VRQQoH0-fXetJdxKb5O1_2G7qCi_CYLeolh2DbIWswM6bag","not-before-policy":0,"session-state":"2c900339-f63a-480b-b2be-0f6f49d4772f"}" 20:41:18,409 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" 20:41:18,409 DEBUG [org.apache.http.wire] (default task-14) << "0[\r][\n]" 20:41:18,409 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" 20:41:18,409 DEBUG [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl at 24993c5f 20:41:18,409 DEBUG [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) Connection can be kept alive indefinitely 
20:41:18,413 DEBUG [org.jboss.as.jpa] (default task-14) default task-14:transaction scoped EntityManager [forum.war#ForumPU]: closing entity managersession
20:41:18,414 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-14) Initiating JDBC connection release from afterTransaction
20:41:18,414 ERROR [org.jboss.as.ejb3.invocation] (default task-14) WFLYEJB0034: EJB Invocation failed on component UserRestEndpoint for method public javax.ws.rs.core.Response br.com.projetolead.forum.integration.rest.UserRestEndpoint.save(br.com.projetolead.forum.model.User,javax.servlet.http.HttpServletRequest) throws java.io.IOException: javax.ejb.EJBException: javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"]) at [Source: org.apache.http.conn.EofSensorInputStream at 5af6ffba; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])

------

Where is the problem?

Regards,

Charles Queiroz
Dazen IT Services
Technology - Software Development
charles at dazen.com.br
Fortaleza - CE
Phone: +55 85 9933 1585
Twitter: @CharlesQueiiroz

From bburke at redhat.com Wed Feb 10 19:26:53 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 10 Feb 2016 19:26:53 -0500
Subject: [keycloak-user] NullPointerException during deployment
Message-ID: <56BBD54D.8080004@redhat.com>

It's a scheduled bug. Fixed in master.
On 2/10/2016 3:23 PM, Renann Prado wrote:
> I've been following the keycloak guide, but I'm facing the below exception.
> I'm trying to secure a WAR that is inside of an EAR; I've tried to add the
> below two dependencies in my pom.xml.
> What am I missing?
>
> *Wildfly version: *10.0.0.Final
> *Keycloak version: *1.9.0.CR1
>
> *Dependencies (tried in EAR and in WAR, no luck):*
>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-core</artifactId>
>         <version>1.9.0.CR1</version>
>         <scope>provided</scope>
>     </dependency>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-adapter-core</artifactId>
>         <version>1.9.0.CR1</version>
>         <scope>provided</scope>
>     </dependency>
>
> *Subsystem configuration:*
>
>     <realm>TestRealm</realm>
>     <resource>test-resource</resource>
>     <realm-public-key>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmpxbZQMAf2NPcWCbdVWfu3JKEZ5PHuL+a5JTzyuln/wXpfhGPyCDS8rYDj2tf5lA8WQYoV8M5ip3DbCdL43wsW8/oJM/UOKn7mwy2x0OdW40bw1c8b1D6FveliIXwtovyw0EGCFn67qLdtHPLAlVvv5UXPIPFCakzdx1xS/6zgZ1uF2fzwLZpLh21M9XYNHQk6ui047+13Uf5H5yYQNLin8WluZ4JLfO8teVV9ARTqezVoZ5/+SNH4Mw+N1i7sGr13mzl51XvpFmm10Yx0dNiuy+WPA9xv1eNWcWgQWXxCEzDBenn59pmZ9JnTpoOqvZknmBGqyQPDqN9tJIWnWZKQIDAQAB</realm-public-key>
>     <auth-server-url>http://localhost:8082/auth</auth-server-url>
>     <ssl-required>none</ssl-required>
>     <credential name="secret">password</credential>
>
> *Exception*
>
> 8:13:18,779 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.deployment.unit."Test-ear.ear".DEPENDENCIES: org.jboss.msc.service.StartException in service jboss.deployment.unit."Test-ear.ear".DEPENDENCIES: WFLYSRV0153: Failed to process phase DEPENDENCIES of deployment "Test-ear.ear"
>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154)
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
>     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NullPointerException
>     at org.keycloak.subsystem.adapter.extension.KeycloakDependencyProcessor.deploy(KeycloakDependencyProcessor.java:52)
>     at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
>     ... 5 more
>
> 18:13:18,784 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "Test-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES: WFLYSRV0153: Failed to process phase DEPENDENCIES of deployment \"Test-ear.ear\"
> Caused by: java.lang.NullPointerException"}}
> 18:13:18,786 ERROR [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0021: Deploy of deployment "Test-ear.ear" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES: WFLYSRV0153: Failed to process phase DEPENDENCIES of deployment \"Test-ear.ear\"
> Caused by: java.lang.NullPointerException"}}
>
> Renann Prado
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From prado.renann at gmail.com Wed Feb 10 19:30:47 2016
From: prado.renann at gmail.com (Renann Prado)
Date: Wed, 10 Feb 2016 22:30:47 -0200
Subject: [keycloak-user] NullPointerException during deployment
In-Reply-To: <56BBD54D.8080004@redhat.com>
References: <56BBD54D.8080004@redhat.com>

I changed to 1.8.1.Final and it worked!
Now my only problem is that, for some reason, I do not get redirected to the login page when I access a protected resource.
I'm watching your tutorial right now to try to understand why it isn't working.

Thanks

On Feb 10, 2016 22:27, "Bill Burke" wrote:
> It's a scheduled bug. Fixed in master.
>
> On 2/10/2016 3:23 PM, Renann Prado wrote:
> I've been following the keycloak guide, but I'm facing the below exception.
> I'm trying to secure a WAR that is inside of an EAR; I've tried to add the below two dependencies in my pom.xml.
> What am I missing?
> [...]
>
> Renann Prado
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Wed Feb 10 20:03:49 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 10 Feb 2016 20:03:49 -0500
Subject: [keycloak-user] NullPointerException during deployment
References: <56BBD54D.8080004@redhat.com>
Message-ID: <56BBDDF5.2030008@redhat.com>

Yes, this is because the error was introduced in 1.9.RC1. Tutorials are a bit ancient. We'll be updating them soon... but if you download the demo distribution, there are tons of examples.

On 2/10/2016 7:30 PM, Renann Prado wrote:
> I changed to 1.8.1.Final and it worked!
> Now my only problem is that, for some reason, I do not get redirected
> to the login page when I access a protected resource.
> I'm watching your tutorial right now to try to understand why it isn't
> working.
>
> Thanks
>
> On Feb 10, 2016 22:27, "Bill Burke" wrote:
>
>     It's a scheduled bug. Fixed in master.
>
>     On 2/10/2016 3:23 PM, Renann Prado wrote:
>> I've been following the keycloak guide, but I'm facing the below
>> exception.
>> I'm trying to secure a WAR that is inside of an EAR; I've tried
>> to add the below two dependencies in my pom.xml.
>> What am I missing?
>> [...]
>>
>> Renann Prado
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160210/25e15cf5/attachment.html From chenkeong.yap at izeno.com Wed Feb 10 20:15:21 2016 From: chenkeong.yap at izeno.com (chenkeong.yap at izeno.com) Date: Thu, 11 Feb 2016 09:15:21 +0800 Subject: [keycloak-user] ldap federation provider Message-ID: <5EB73BCF-AC62-460F-8F45-9A784EE5311B@izeno.com> hi guys, please assist to clarify. after adding ldap federation provider, is the password stored in keycloak database? if yes, is there anyway to prevent sync of password? Regards, CK Yap From jean.merelis at gmail.com Wed Feb 10 22:27:40 2016 From: jean.merelis at gmail.com (Jeandeson O. Merelis) Date: Thu, 11 Feb 2016 01:27:40 -0200 Subject: [keycloak-user] angularjs ng2 sample In-Reply-To: References: <61D077C6283D454FAFD06F6AC4AB74D723D7B263@DEFTHW99EZ1MSX.ww931.my-it-solutions.net> Message-ID: I sent a pull request with angular2 example. It works the same way of example angular-product-app, except for http interceptors, this should be improved in the future. 2016-02-10 8:03 GMT-02:00 Stian Thorgersen : > The main issue with Angular is that Keycloak and the Route provider > conflicts with each other, which causes a endless redirect loop. Current > work around we have is to make sure Keycloak is fully initialized before > Angular is bootstrap. The proper solution would be to have a Angular > library for Keycloak that can handle this. > > We have not had time to look at that, nor have we looked at Angular2 at > all. So it would be a while until we would get to this, unless someone from > the community wants to contribute it. > > On 10 February 2016 at 10:56, Matuszak, Eduard > wrote: > >> Hello >> >> We are adviced to implement the GUI of a new project with angularjs ng2. >> There is an inspiring sample ( >> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app) >> for using keycloak.js-library in colaboration with the older angular >> version. 
>> Do you intend to publish a comparable example based on ng2 in the near future? This would be very helpful.
>>
>> Thanks in advance for your feedback, Eduard Matuszak
>>
>> Dr. Eduard Matuszak
>> Worldline, an atos company
>> T +49 (211)399 398 63
>> M +49 (163)166 23 67
>> F +49(211) 399 22 430
>> eduard.matuszak at atos.net
>> Max-Stromeyer-Straße 116
>> 78467 Konstanz
>> Germany
>> de.worldline.com
>> worldline.jobs.de
>> facebook.com/WorldlineKarriere
>>
>> Worldline GmbH
>> Managing Director (Geschäftsführer): Wolf Kunisch
>> Chairman of the Supervisory Board (Aufsichtsratsvorsitzender): Christophe Duquenne
>> Registered office (Sitz der Gesellschaft): Frankfurt/Main
>> Commercial register (Handelsregister): Frankfurt/Main HRB 40 417
>>
>> * * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
>> This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail by error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and shall not be liable for any damages resulting from any virus transmitted.
>> * * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Jeandeson O. Merelis
From michael.anthon at infoview.com.au Wed Feb 10 23:42:00 2016
From: michael.anthon at infoview.com.au (Michael Anthon)
Date: Thu, 11 Feb 2016 04:42:00 +0000
Subject: [keycloak-user] Issues with password reset link expiration
In-Reply-To: References: <56BB40F0.1080204@redhat.com> <56BB4614.8090509@redhat.com>
Message-ID:

Thanks for the replies, I forgot to mention we are currently on 1.6.1.Final however we do have a test setup where we can run an upgrade and check this out. Will try that and report back and/or create a ticket as required.

Cheers,
Michael

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, 11 February 2016 12:26 AM
To: Bill Burke ; Michael Anthon
Cc: keycloak-user
Subject: Re: [keycloak-user] Issues with password reset link expiration

Michael,

Can you confirm if this issue still exists on 1.9.0.CR1 and if it does create a JIRA issue?

On 10 February 2016 at 15:15, Bill Burke wrote:
I think this may have been fixed in 1.9 with the flow changes I made. I don't have time to try it out right now though.

On 2/10/2016 8:58 AM, Stian Thorgersen wrote:
It's not about the error message though. It should be possible to open the link multiple times as long as the form is not submitted.

On 10 February 2016 at 14:53, Bill Burke wrote:
We changed the "error" message in I think 1.9? Maybe 1.8 to say "You clicked on a stale link. Maybe you have already verified your email?" I'll look into improving this I guess.

On 2/10/2016 4:21 AM, Stian Thorgersen wrote:
It should be possible to open the link multiple times, but only submit the password reset once. If that's not the case (sounds like it is) feel free to create a JIRA issue to report this as a bug.

On 10 February 2016 at 05:24, Michael Anthon wrote:
We are having issues with some users when they are attempting to use the password reset feature.
It does work for most users however for some they always end up at an error page saying "WE'RE SORRY ... An error occurred, please login again through your application"

What I have been able to determine so far is that for the affected users we are seeing a double hit on that URL in the server logs and from what I understand, these reset URLs are invalidated as soon as they are accessed.

So here's the state of play
* works for most users
* some users hitting the reset URL twice
* URL is only valid for the first access (I'm not 100% sure about this, can someone confirm please?)
* URL is only valid for 30 minutes (but is being accessed within a few minutes of generation)
* affected users are mostly using Outlook
* some people tend to double click links in emails but I've verified with a reliable user that they are only clicking the link once
* having the affected person send themselves another reset email and then copy and paste the URL from the mail client usually resolves this problem

And questions
* is this an issue anyone else has noticed with Outlook, doesn't affect ALL Outlook users, just some
* is there a way to prevent the URL from being invalidated on initial access
* is it feasible to change the behavior so that the URL is only invalidated when the password is changed
* any other thoughts on how to avoid this issue?

Thanks and Regards,

Michael Anthon
InfoView Technologies Pty Ltd
12/15 Adelaide St, Brisbane Qld 4000
P O Box 15478, City East, Brisbane Qld 4000
PH: +61 7 3014 2204
F: +61 7 3014 2200
M: +61 408 768 055
michael.anthon at infoview.com.au

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited.
If you received this in error, please contact the sender and delete the material from any computer. Any views or opinions expressed in this email are solely those of the author and do not necessarily represent those of InfoView Technologies Pty Ltd.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From darkness.renann at gmail.com Thu Feb 11 01:33:10 2016
From: darkness.renann at gmail.com (Renann Prado)
Date: Thu, 11 Feb 2016 04:33:10 -0200
Subject: [keycloak-user] What's the point of creating roles per realm and client?
Message-ID:

I'm pretty new to keycloak. Amazing application btw.
It's working very well, however I found it strange/confusing that I have to create roles at the level of the realm, then per client and then assign to each user.
What I mean is: why don't we have the roles created at the level of the realm and then we just assign per application user or is there an option to make that happen?
Otherwise I have to keep creating roles for all clients, then assigning for all users. In my case there aren't many users/roles/applications, so it's fine. But it would be nice to know how to do that.

Thanks

Renann Prado
From darkness.renann at gmail.com Thu Feb 11 02:38:18 2016
From: darkness.renann at gmail.com (Renann Prado)
Date: Thu, 11 Feb 2016 05:38:18 -0200
Subject: [keycloak-user] How do I set session variable upon first API hit?
Message-ID:

Basically I have some session variables that should be set upon first hit in the API (using bearer token). The requirement is that session variables will be dynamically loaded from the database and put into the http session before I actually process the request, so I can use the variables to process it.

Thanks

From sthorger at redhat.com Thu Feb 11 03:18:22 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 11 Feb 2016 09:18:22 +0100
Subject: [keycloak-user] Create user + keycloak-admin-client
In-Reply-To: References: Message-ID:

The realm you pass into Keycloak.getInstance is the realm you are authenticating the user with. Is your admin user in the master realm? If so use "master" there instead of "forum".

The other issue you are seeing is related to the version of Jackson you are using. In 1.9.0.CR1 we upgraded to Jackson2 (fasterxml), in 1.8.0 we required Jackson1. Take a look at the admin-client example, it shows how to exclude Jackson2 and include Jackson1 instead. Or you can upgrade to 1.9.0.CR1.

On 11 February 2016 at 00:49, Charles Queiroz wrote:
> Hi folks,
>
> I'm trying to programmatically add a user in keycloak server using the admin client (version 1.8.0.RC3) like this post shows (link: http://www.first8.nl/blog/programmatically-adding-users-in-keycloak/ ), but no success yet!
> ;(
>
> The Steps:
>
> 1 - Add the dependency to pom.xml like:
>
>     <dependency>
>         <groupId>org.keycloak</groupId>
>         <artifactId>keycloak-admin-client</artifactId>
>         <version>1.8.0.CR3</version>
>     </dependency>
>
> 2 - Implement the method body like:
>
>     public User save(User user) {
>         Keycloak kc = Keycloak.getInstance("http://localhost:8080/auth", "forum", "admin", "admin", "security-admin-console");
>
>         CredentialRepresentation credential = new CredentialRepresentation();
>         credential.setType(CredentialRepresentation.PASSWORD);
>         credential.setValue(user.getPassword());
>         UserRepresentation newUser = new UserRepresentation();
>         newUser.setUsername(user.getLogin());
>         newUser.setFirstName(user.getName());
>         newUser.setCredentials(Arrays.asList(credential));
>
>         kc.realm("forum").users().create(newUser);
>
>         User saved = repository.save(user);
>         savedUser.fire(saved);
>         return saved;
>     }
>
> When I run the app, the exception thrown is:
>
> 20:46:03,583 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-14) Sending request: POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1
> 20:46:03,584 DEBUG [org.apache.http.wire] (default task-14) >> "POST /auth/realms/forum/protocol/openid-connect/token HTTP/1.1[\r][\n]"
> 20:46:03,585 DEBUG [org.apache.http.wire] (default task-14) >> "Accept: application/json[\r][\n]"
> 20:46:03,587 DEBUG [org.apache.http.wire] (default task-14) >> "Accept-Encoding: gzip, deflate[\r][\n]"
> 20:46:03,589 DEBUG [org.apache.http.wire] (default task-14) >> "Content-Type: application/x-www-form-urlencoded[\r][\n]"
> 20:46:03,591 DEBUG [org.apache.http.wire] (default task-14) >> "Content-Length: 82[\r][\n]"
> 20:46:03,592 DEBUG [org.apache.http.wire] (default task-14) >> "Host: localhost:8080[\r][\n]"
> 20:46:03,594 DEBUG [org.apache.http.wire] (default task-14) >> "Connection: Keep-Alive[\r][\n]"
> 20:46:03,596 DEBUG [org.apache.http.wire] (default task-14) >> "[\r][\n]"
> 20:46:03,598 DEBUG [org.apache.http.headers] (default task-14) >> POST >
/auth/realms/forum/protocol/openid-connect/token HTTP/1.1 > 20:46:03,599 DEBUG [org.apache.http.headers] (default task-14) >> Accept: > application/json > 20:46:03,601 DEBUG [org.apache.http.headers] (default task-14) >> > Accept-Encoding: gzip, deflate > 20:46:03,602 DEBUG [org.apache.http.headers] (default task-14) >> > Content-Type: application/x-www-form-urlencoded > 20:46:03,604 DEBUG [org.apache.http.headers] (default task-14) >> > Content-Length: 82 > 20:46:03,605 DEBUG [org.apache.http.headers] (default task-14) >> Host: > localhost:8080 > 20:46:03,606 DEBUG [org.apache.http.headers] (default task-14) >> > Connection: Keep-Alive > 20:46:03,610 DEBUG [org.apache.http.wire] (default task-14) >> > "grant_type=password&username=admin&password=admin&client_id=security-admin-console" > 20:46:03,612 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default > task-15) RESTEASY002315: PathInfo: > /realms/forum/protocol/openid-connect/token > 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) AUTHENTICATE CLIENT > 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) client authenticator: client-secret > 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) client authenticator SUCCESS: client-secret > 20:46:03,614 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) Client security-admin-console authenticated by > client-secret > 20:46:03,615 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) AUTHENTICATE ONLY > 20:46:03,615 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) processFlow > 20:46:03,615 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) check execution: direct-grant-validate-username > requirement: REQUIRED > 20:46:03,616 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator: 
direct-grant-validate-username > 20:46:03,616 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) invoke authenticator.authenticate > 20:46:03,617 FINE [org.mongodb.driver.protocol.query] (default task-15) > Sending query of namespace forum.users on connection > [connectionId{localValue:2, serverValue:184}] to server 127.0.0.1:27017 > 20:46:03,617 FINE [org.mongodb.driver.protocol.query] (default task-15) > Query completed > 20:46:03,618 WARN [org.keycloak.events] (default task-15) > type=LOGIN_ERROR, realmId=forum, clientId=security-admin-console, > userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, > auth_method=openid-connect, grant_type=password, > client_auth_method=client-secret, username=admin > 20:46:03,619 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator FAILED: direct-grant-validate-username > 20:46:03,624 DEBUG [org.apache.http.wire] (default task-14) << "HTTP/1.1 > 401 Unauthorized[\r][\n]" > 20:46:03,627 DEBUG [org.apache.http.wire] (default task-14) << > "Connection: keep-alive[\r][\n]" > 20:46:03,629 DEBUG [org.apache.http.wire] (default task-14) << > "X-Powered-By: Undertow/1[\r][\n]" > 20:46:03,631 DEBUG [org.apache.http.wire] (default task-14) << "Server: > WildFly/10[\r][\n]" > 20:46:03,632 DEBUG [org.apache.http.wire] (default task-14) << > "Transfer-Encoding: chunked[\r][\n]" > 20:46:03,634 DEBUG [org.apache.http.wire] (default task-14) << > "Content-Type: application/json[\r][\n]" > 20:46:03,636 DEBUG [org.apache.http.wire] (default task-14) << "Date: > Wed, 10 Feb 2016 23:46:03 GMT[\r][\n]" > 20:46:03,637 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" > 20:46:03,639 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] > (default task-14) Receiving response: HTTP/1.1 401 Unauthorized > 20:46:03,640 DEBUG [org.apache.http.headers] (default task-14) << HTTP/1.1 > 401 Unauthorized > 20:46:03,642 DEBUG [org.apache.http.headers] (default 
task-14) << > Connection: keep-alive > 20:46:03,643 DEBUG [org.apache.http.headers] (default task-14) << > X-Powered-By: Undertow/1 > 20:46:03,645 DEBUG [org.apache.http.headers] (default task-14) << Server: > WildFly/10 > 20:46:03,646 DEBUG [org.apache.http.headers] (default task-14) << > Transfer-Encoding: chunked > 20:46:03,647 DEBUG [org.apache.http.headers] (default task-14) << > Content-Type: application/json > 20:46:03,649 DEBUG [org.apache.http.headers] (default task-14) << Date: > Wed, 10 Feb 2016 23:46:03 GMT > 20:46:03,651 DEBUG [org.apache.http.impl.client.DefaultHttpClient] > (default task-14) Connection can be kept alive indefinitely > 20:46:03,653 DEBUG [org.apache.http.impl.client.DefaultHttpClient] > (default task-14) Authentication required > 20:46:03,654 DEBUG [org.apache.http.impl.client.DefaultHttpClient] > (default task-14) localhost:8080 requested authentication > 20:46:03,656 DEBUG [org.apache.http.impl.client.DefaultHttpClient] > (default task-14) Response contains no authentication challenges > 20:46:03,665 DEBUG [org.apache.http.wire] (default task-14) << > "48[\r][\n]" > 20:46:03,667 DEBUG [org.apache.http.wire] (default task-14) << > "{"error_description":"Invalid user credentials","error":"invalid_grant"}" > 20:46:03,668 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" > 20:46:03,670 DEBUG [org.apache.http.wire] (default task-14) << "0[\r][\n]" > 20:46:03,671 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" > 20:46:03,673 DEBUG > [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) > Releasing connection > org.apache.http.impl.conn.ManagedClientConnectionImpl at 1d6c4f71 > 20:46:03,675 DEBUG > [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) > Connection can be kept alive indefinitely > 20:46:11,315 DEBUG [org.jboss.as.jpa] (default task-14) default > task-14:transaction scoped EntityManager [forum.war#ForumPU]: closing > entity managersession > 20:46:11,315 DEBUG 
> [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] > (default task-14) Initiating JDBC connection release from afterTransaction > 20:46:11,316 ERROR [org.jboss.as.ejb3.invocation] (default task-14) > WFLYEJB0034: EJB Invocation failed on component UserRestEndpoint for method > public javax.ws.rs.core.Response > br.com.projetolead.forum.integration.rest.UserRestEndpoint.save(br.com.projetolead.forum.model.User,javax.servlet.http.HttpServletRequest) > throws java.io.IOException: javax.ejb.EJBException: > javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized > at > org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:187) > > > ------ > > but, when I change the user to charles (no admin user. login: charles, > password: java) the error is: > > ------ > > 20:41:18,314 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] > (default task-14) Sending request: POST > /auth/realms/forum/protocol/openid-connect/token HTTP/1.1 > 20:41:18,315 DEBUG [org.apache.http.wire] (default task-14) >> "POST > /auth/realms/forum/protocol/openid-connect/token HTTP/1.1[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Accept: > application/json[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> > "Accept-Encoding: gzip, deflate[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> > "Content-Type: application/x-www-form-urlencoded[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> > "Content-Length: 83[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "Host: > localhost:8080[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> > "Connection: Keep-Alive[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> "[\r][\n]" > 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> POST > /auth/realms/forum/protocol/openid-connect/token HTTP/1.1 > 20:41:18,316 DEBUG 
[org.apache.http.headers] (default task-14) >> Accept: > application/json > 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> > Accept-Encoding: gzip, deflate > 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> > Content-Type: application/x-www-form-urlencoded > 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> > Content-Length: 83 > 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> Host: > localhost:8080 > 20:41:18,316 DEBUG [org.apache.http.headers] (default task-14) >> > Connection: Keep-Alive > 20:41:18,316 DEBUG [org.apache.http.wire] (default task-14) >> > "grant_type=password&username=charles&password=java&client_id=security-admin-console" > 20:41:18,318 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default > task-15) RESTEASY002315: PathInfo: > /realms/forum/protocol/openid-connect/token > 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) AUTHENTICATE CLIENT > 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) client authenticator: client-secret > 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) client authenticator SUCCESS: client-secret > 20:41:18,320 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) Client security-admin-console authenticated by > client-secret > 20:41:18,321 DEBUG [org.keycloak.authentication.AuthenticationProcessor] > (default task-15) AUTHENTICATE ONLY > 20:41:18,321 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) processFlow > 20:41:18,321 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) check execution: direct-grant-validate-username > requirement: REQUIRED > 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator: direct-grant-validate-username > 20:41:18,322 DEBUG 
[org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) invoke authenticator.authenticate > 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator SUCCESS: direct-grant-validate-username > 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) check execution: direct-grant-validate-password > requirement: REQUIRED > 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator: direct-grant-validate-password > 20:41:18,322 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) invoke authenticator.authenticate > 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator SUCCESS: direct-grant-validate-password > 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) check execution: direct-grant-validate-otp requirement: > OPTIONAL > 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator: direct-grant-validate-otp > 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) invoke authenticator.authenticate > 20:41:18,323 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] > (default task-15) authenticator ATTEMPTED: direct-grant-validate-otp > 20:41:18,360 DEBUG [org.keycloak.events] (default task-15) type=LOGIN, > realmId=forum, clientId=security-admin-console, > userId=f785e600-124c-4e26-914e-2c4f6ec9c95b, ipAddress=127.0.0.1, > auth_method=openid-connect, token_id=4dd8bbcb-e771-4652-8711-b2c0937bb8fe, > grant_type=password, refresh_token_type=Refresh, > refresh_token_id=c0e58e55-9edc-4940-9ff4-52a5a5a9f577, > client_auth_method=client-secret, username=charles > 20:41:18,363 DEBUG [org.apache.http.wire] (default task-14) << "HTTP/1.1 > 200 OK[\r][\n]" > 20:41:18,363 DEBUG 
[org.apache.http.wire] (default task-14) << > "Connection: keep-alive[\r][\n]" > 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << > "X-Powered-By: Undertow/1[\r][\n]" > 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "Server: > WildFly/10[\r][\n]" > 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << > "Transfer-Encoding: chunked[\r][\n]" > 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << > "Content-Type: application/json[\r][\n]" > 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "Date: > Wed, 10 Feb 2016 23:41:18 GMT[\r][\n]" > 20:41:18,364 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" > 20:41:18,364 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] > (default task-14) Receiving response: HTTP/1.1 200 OK > 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << HTTP/1.1 > 200 OK > 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << > Connection: keep-alive > 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << > X-Powered-By: Undertow/1 > 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << Server: > WildFly/10 > 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << > Transfer-Encoding: chunked > 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << > Content-Type: application/json > 20:41:18,364 DEBUG [org.apache.http.headers] (default task-14) << Date: > Wed, 10 Feb 2016 23:41:18 GMT > 20:41:18,364 DEBUG [org.apache.http.impl.client.DefaultHttpClient] > (default task-14) Connection can be kept alive indefinitely > 20:41:18,386 DEBUG [org.apache.http.wire] (default task-14) << > "0ed6[\r][\n]" > 20:41:18,386 DEBUG [org.apache.http.wire] (default task-14) << > 
"{"access_token":"eyJhbGciOiJSUzI1NiJ9.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.bDRa_LxZeClP3k8GpcZPabZFcZA2oizTWdv-11xsUOutGx6zcP50EogkCfgFOyIsF0LCmTFOoqgBIS1XA8lFAImmCmxad6kOi7Jv1vxt-7YvxauxQdppDmKa10QTV-Za46QQEMyEjxT6o3AuCi-clxUUfLmKE7PVXmZeB07ejABoEKRZhEJVDHo3u-O1G_hjtwuH1DDkwLpgsEWBRYJ-_Dh-vKupgXxuckduelhbasLdiSXhJwdmVfY2Johfyk6WxVEViuigoLi8qe6y0KNbcyt3Vtf_t_9y7dvyGZZaM_9WLzwr29yR-91uM0rcr0V_B3W0MAwSXLFV5c1nEn03Pg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.MPwbo7nnYspbbgAzWt2Z5ozWaMpP0ONI5WKAR-A8GkrrjYXTyJZk9mDLxHxUVaINboesSAhTd_RO4-g0k6yK8YOQLetztdl-YJxIUnVZQmCFdPwBOkty2Azmcib7mNI2eJWvUdFAIvpRhWt-2_P03DXAE0sAN4oS48HocQxKD2ZMHkB_rDWwKX313l_wFxUkW5T9tOv93jMHFx8k6dGV5GWVEH6-fuw4K5k-zUGRxKrBsQaCxJrpmjxXsx2gFqoYgU8PnRk2ReqblEIxC4fQfMk0SsW0Hm77_I0YaPMPW-yn4eULm31yYqnWOphZhtNmybMgi2Y8iJ_Q2yqCU2iJkw","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.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.YxeYJ9cKFyDRQ1YyJbwflQSr-n8l9nW1ORsvQbWo1XYfd6UqiUJlSsygIg4JqFIJGfCU_X8DJcV5HmdOtt90IHqW0_Oc6P8ZvVA1UdGEcoWlVBi88Hd_dIGC3WgyaE4WdOW1KC6nh3Eba2KmdUPQQ3xRKYXd9-pxmE2DwDrHZtONd8EaqTeK4J8vE34Jr_BQyNdv9yGztUh73AGVXAeVk4MqKBRAVmcod_eYOpaaf2OfQwaHQZpskwVqrEIIffyXmIMwD1MbmIP4tMPdMnNBK7bzNO-Qx7VTgWOuTu-VRQQoH0-fXetJdxKb5O1_2G7qCi_CYLeolh2DbIWswM6bag","not-before-policy":0,"session-state":"2c900339-f63a-480b-b2be-0f6f49d4772f"}" > 20:41:18,409 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" > 20:41:18,409 DEBUG [org.apache.http.wire] (default task-14) << "0[\r][\n]" > 20:41:18,409 DEBUG [org.apache.http.wire] (default task-14) << "[\r][\n]" > 20:41:18,409 DEBUG > [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) > Releasing connection > org.apache.http.impl.conn.ManagedClientConnectionImpl at 24993c5f > 20:41:18,409 DEBUG > [org.apache.http.impl.conn.BasicClientConnectionManager] (default task-14) > Connection can be kept alive 
indefinitely
> 20:41:18,413 DEBUG [org.jboss.as.jpa] (default task-14) default task-14:transaction scoped EntityManager [forum.war#ForumPU]: closing entity managersession
> 20:41:18,414 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-14) Initiating JDBC connection release from afterTransaction
> 20:41:18,414 ERROR [org.jboss.as.ejb3.invocation] (default task-14) WFLYEJB0034: EJB Invocation failed on component UserRestEndpoint for method public javax.ws.rs.core.Response br.com.projetolead.forum.integration.rest.UserRestEndpoint.save(br.com.projetolead.forum.model.User,javax.servlet.http.HttpServletRequest) throws java.io.IOException: javax.ejb.EJBException: javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"])
>  at [Source: org.apache.http.conn.EofSensorInputStream at 5af6ffba; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])
>
> ------
>
> Where is the problem?
>
> Regards,
>
> Charles Queiroz
> ------------------------------
> Dazen IT Services
> Technology - Software Development
> charles at dazen.com.br
> Fortaleza - CE
> Phone: +55 85 9933 1585
> Twitter: @CharlesQueiiroz
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
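A corrected version of the provisioning call discussed in this thread, written for this page as an added example (it is not Charles's code and not a Keycloak project example). It applies Stian's advice: the admin credentials are sent to the realm that holds the admin user (master) while the user is created in the target realm. It also checks the HTTP status instead of assuming success, reads the new Keycloak user id from the Location header, and returns that id so the application can persist it instead of the plaintext password. The server URL, the realm names, the client id and the admin/admin credentials are the values from the message above and are assumptions; the class and method names are mine.

```java
import java.net.URI;
import java.util.Collections;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Added example, not code from the thread: provisions a user through
 * keycloak-admin-client with the checks the original save() method skips.
 */
public class KeycloakUserProvisioner {

    // Assumed values carried over from the message above (a local dev setup, not production).
    private static final String SERVER_URL = "http://localhost:8080/auth";
    // The realm that holds the administrator account. Authenticating against "forum"
    // here is what produced "invalid_grant" / HTTP 401 in the log above.
    private static final String ADMIN_REALM = "master";
    // The realm the application users live in.
    private static final String TARGET_REALM = "forum";
    private static final String ADMIN_CLIENT_ID = "security-admin-console";

    /**
     * Creates the user in Keycloak and returns its Keycloak id (the UUID that later
     * appears as the "sub" claim in tokens). Store that id in the application; the
     * plaintext password should not be persisted anywhere outside Keycloak.
     */
    public static String createUser(String adminUser, String adminPassword,
                                    String username, String firstName, String initialPassword) {
        Keycloak kc = Keycloak.getInstance(SERVER_URL, ADMIN_REALM, adminUser, adminPassword, ADMIN_CLIENT_ID);
        try {
            CredentialRepresentation credential = new CredentialRepresentation();
            credential.setType(CredentialRepresentation.PASSWORD);
            credential.setValue(initialPassword);
            // Mark the password temporary so the user must replace the operator-chosen
            // value at first login; drop this line if the user chose the password themselves.
            credential.setTemporary(true);

            UserRepresentation newUser = new UserRepresentation();
            newUser.setUsername(username);
            newUser.setFirstName(firstName);
            // Users created through the admin API stay disabled unless enabled is set explicitly.
            newUser.setEnabled(true);
            newUser.setCredentials(Collections.singletonList(credential));

            Response response = kc.realm(TARGET_REALM).users().create(newUser);
            try {
                // create() does not throw on failure; the status code is the only signal.
                // 201: created, 409: username/email already taken, 401/403: the admin
                // account cannot manage users in TARGET_REALM.
                if (response.getStatus() != Response.Status.CREATED.getStatusCode()) {
                    throw new IllegalStateException("Keycloak user creation failed: HTTP " + response.getStatus());
                }
                // Location is .../admin/realms/forum/users/{id}; the last segment is the user id.
                URI location = response.getLocation();
                String path = location.getPath();
                return path.substring(path.lastIndexOf('/') + 1);
            } finally {
                response.close();
            }
        } finally {
            kc.close();
        }
    }

    public static void main(String[] args) {
        // Credentials are the assumed dev values from the message; read them from
        // configuration in real code rather than hard-coding them.
        String id = createUser("admin", "admin", "charles", "Charles", "change-me-at-first-login");
        System.out.println("created Keycloak user " + id);
    }
}
```

Two practical notes. A server-side application should not run with the master-realm superuser: create an account in the `forum` realm that holds only the `manage-users` role of that realm's `realm-management` client and pass `"forum"` as the authentication realm instead, so a leaked credential cannot administer other realms. The second error in the thread (`Unrecognized field "access_token"`) is the Jackson 1/Jackson 2 mismatch Stian mentions and is a classpath problem; no change to this code fixes it.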
From sthorger at redhat.com Thu Feb 11 03:22:03 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 11 Feb 2016 09:22:03 +0100
Subject: [keycloak-user] What's the point of creating roles per realm and client?
In-Reply-To: References: Message-ID:

Realm roles vs client roles are there to give you an option. You can use one or both, it's up to you. In general realm roles would be roles that are global to your organization (for example sales, admin, etc.). While client roles would be roles that are specific to the client.

On 11 February 2016 at 07:33, Renann Prado wrote:
> I'm pretty new to keycloak. Amazing application btw.
> It's working very well, however I found it strange/confusing that I have to create roles at the level of the realm, then per client and then assign to each user.
> What I mean is: why don't we have the roles created at the level of the realm and then we just assign per application user or is there an option to make that happen?
> Otherwise I have to keep creating roles for all clients, then assigning for all users. In my case there aren't many users/roles/applications, so it's fine. But it would be nice to know how to do that.
>
> Thanks
>
> Renann Prado
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Feb 11 03:24:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 11 Feb 2016 09:24:39 +0100
Subject: [keycloak-user] How do I set session variable upon first API hit?
In-Reply-To: References: Message-ID:

Assuming you're talking about a JEE application, why not just use a servlet filter? Make it take a peek in the http session to check if the variables are set, if not load from database and add them.

On 11 February 2016 at 08:38, Renann Prado wrote:
> Basically I have some session variables that should be set upon first hit in the API (using bearer token). The requirement is that session variables will be dynamically loaded from the database and put into the http session before I actually process the request, so I can use the variables to process it.
>
> Thanks
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Feb 11 03:26:13 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 11 Feb 2016 09:26:13 +0100
Subject: [keycloak-user] ldap federation provider
In-Reply-To: <5EB73BCF-AC62-460F-8F45-9A784EE5311B@izeno.com>
References: <5EB73BCF-AC62-460F-8F45-9A784EE5311B@izeno.com>
Message-ID: <56BC45A5.9080008@redhat.com>

Depends on the EDIT_MODE you choose. After you add the LDAP federation provider, then with all 3 modes, you are able to authenticate existing LDAP users with existing LDAP passwords. But when you update the password through the Keycloak admin console or account management then:

- if edit mode is READABLE, password update from Keycloak is not allowed and it will fail with "User is read only"
- if edit mode is WRITABLE, password will be updated in LDAP. So during next password checks, Keycloak will still use LDAP to authenticate the user against. Also all your apps integrated directly with LDAP should be able to see the newly updated password in LDAP.
- if edit mode is UNSYNCED, password will be updated in the Keycloak DB, but not in LDAP. Next password checks from Keycloak will use the Keycloak DB and hence the new password. But your apps integrated directly with LDAP will still see the old password.

Marek

On 11/02/16 02:15, chenkeong.yap at izeno.com wrote:
> hi guys,
>
> please assist to clarify. after adding ldap federation provider, is the password stored in keycloak database? if yes, is there any way to prevent sync of password?
>
> Regards,
> CK Yap
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bmcwhirt at redhat.com Thu Feb 11 05:27:22 2016
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Thu, 11 Feb 2016 10:27:22 +0000
Subject: [keycloak-user] NullPointerException during deployment
In-Reply-To: <56BBDDF5.2030008@redhat.com>
References: <56BBD54D.8080004@redhat.com> <56BBDDF5.2030008@redhat.com>
Message-ID:

For reference: https://issues.jboss.org/browse/KEYCLOAK-2461

On Thu, Feb 11, 2016 at 1:03 AM, Bill Burke wrote:
> Yes, this is because the error was introduced in 1.9.RC1.
>
> Tutorials are a bit ancient. We'll be updating them soon....but if you
> download the demo distribution, there are tons of examples.
>
>
> On 2/10/2016 7:30 PM, Renann Prado wrote:
>
> I changed to 1.8.1.Final and it worked!
> Now my only problem is that, for some reason, I do not get redirected to
> the login page when I access a protected resource.
> I'm watching your tutorial right now to try to understand why it isn't
> working.
>
> Thanks
> On Feb 10, 2016 22:27, "Bill Burke" < bburke at redhat.com> wrote:
>
>> It's a scheduled bug. Fixed in master.
>>
>> On 2/10/2016 3:23 PM, Renann Prado wrote:
>>
>> I've been following the keycloak guide, but I'm facing the below exception.
>> I'm trying to secure a WAR that is inside of an EAR; I've tried to add the
>> below two dependencies in my pom.xml.
>> What am I missing? >> >> *Wildfly version: *10.0.0.Final >> *Keycloak version: *1.9.0.CR1 >> >> *Dependencies (tried in EAR and in WAR, no luck):* >> >> >> org.keycloak >> keycloak-core >> 1.9.0.CR1 >> provided >> >> >> org.keycloak >> keycloak-adapter-core >> 1.9.0.CR1 >> provided >> >> >> *Subsystem configuration:* >> >> >> >> TestRealm >> test-resource >> >> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmpxbZQMAf2NPcWCbdVWfu3JKEZ5PHuL+a5JTzyuln/wXpfhGPyCDS8rYDj2tf5lA8WQYoV8M5ip3DbCdL43wsW8/oJM/UOKn7mwy2x0OdW40bw1c8b1D6FveliIXwtovyw0EGCFn67qLdtHPLAlVvv5UXPIPFCakzdx1xS/6zgZ1uF2fzwLZpLh21M9XYNHQk6ui047+13Uf5H5yYQNLin8WluZ4JLfO8teVV9ARTqezVoZ5/+SNH4Mw+N1i7sGr13mzl51XvpFmm10Yx0dNiuy+WPA9xv1eNWcWgQWXxCEzDBenn59pmZ9JnTpoOqvZknmBGqyQPDqN9tJIWnWZKQIDAQAB >> >> http://localhost:8082/auth >> none >> password >> >> >> >> *Exception* >> >> >> 8:13:18,779 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) >> MSC000001: Failed to start service >> jboss.deployment.unit."Test-ear.ear".DEPENDENCIES: >> org.jboss.msc.service.StartException in service >> jboss.deployment.unit."Test-ear.ear".DEPENDENCIES: WFLYSRV0153: Failed to >> process phase DEPENDENCIES of deployment "Test-ear.ear" >> at >> org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) >> at >> org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) >> at >> org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: java.lang.NullPointerException >> at >> org.keycloak.subsystem.adapter.extension.KeycloakDependencyProcessor.deploy(KeycloakDependencyProcessor.java:52) >> at >> 
org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) >> ... 5 more >> >> 18:13:18,784 ERROR [org.jboss.as.controller.management-operation] >> (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - >> address: ([("deployment" => "Test-ear.ear")]) - failure description: >> {"WFLYCTL0080: Failed services" => >> {"jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES" => >> "org.jboss.msc.service.StartException in service >> jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES: WFLYSRV0153: Failed to >> process phase DEPENDENCIES of deployment \"Test-ear.ear\" >> Caused by: java.lang.NullPointerException"}} >> 18:13:18,786 ERROR [org.jboss.as.server] (management-handler-thread - 2) >> WFLYSRV0021: Deploy of deployment "Test-ear.ear" was rolled back with the >> following failure message: >> {"WFLYCTL0080: Failed services" => >> {"jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES" => >> "org.jboss.msc.service.StartException in service >> jboss.deployment.unit.\"Test-ear.ear\".DEPENDENCIES: WFLYSRV0153: Failed to >> process phase DEPENDENCIES of deployment \"Test-ear.ear\" >> Caused by: java.lang.NullPointerException"}} >> >> Renann Prado >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hathttp://bill.burkecentral.com >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- > Bill Burke > JBoss, a division of Red Hathttp://bill.burkecentral.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/7ae2ec4e/attachment-0001.html

From jayblanc at gmail.com Thu Feb 11 06:19:53 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Thu, 11 Feb 2016 11:19:53 +0000
Subject: [keycloak-user] trouble acting as SP with testshib.org IdP
In-Reply-To: References: Message-ID:

I'm able to reproduce your bug. Running the authentication in debug mode with a break point in AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted response:

StatusType [statusCode=StatusCodeType [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null], statusMessage=Unable to encrypt assertion, statusDetail=null]

By the way, when I try to use Want AuthnRequests Signed = true, I can't upload the configuration to the testshib site because it considers the file as not well-formed!! I'm sorry, but it seems that the configuration of testshib is very closely coupled to shibboleth... Maybe you could try with your own instance of an IdP.

Best regards, Jérôme.

On Wed. 10 Feb. 2016 at 17:03, Steve Nolen wrote:
> Hi Jérôme,
>
> Thanks for the help! I swapped the NameId in keycloak for this broker to
> unspecified (I uploaded my sp metadata to testshib.org again as well just
> in case) and am still receiving the same error.
>
> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard
> wrote:
>
>> Hi Steve,
>>
>> I'm using Keycloak as a shibboleth SP in a federation (Renater) and it's
>> working fine. The problem you encounter comes from the fact that you ask
>> for a persistent nameId in the config of your SP and, according to the
>> provider details, it's only able to send transient nameId.
>> Set the parameter of nameId to undefined and check the authentication
>> again.
>>
>> Best regards, Jérôme.
>>
>> On Wed. 10 Feb. 2016 at 03:57, Steve Nolen wrote:
>>
>>> Hi!
>>>
>>> First of all, keycloak is legitimately awesome!
>>> >>> I was attempting to test the use of keycloak as a shibboleth SP today >>> (testing against the testshib.org test IdP) and am having some trouble. >>> >>> Keycloak Version: 1.9.0CR1 (using it on openshift currently) >>> >>> Both sides seem to be set up as they should (I used the testshib >>> endpoint to import the settings to keycloak). I'm able to take the redirect >>> over to idp.testshib but on logging in I get a 500 Internal Server Error >>> from keycloak. The message is "No Assertion from response" (stack trace >>> below). >>> >>> Any thoughts on what might be missing? >>> >>> ==== stack trace ==== >>> http://pastebin.com/3tsApUKK >>> >>> ==== broker details ==== >>> >>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor >>> >>> ==== provider details ==== >>> https://www.testshib.org/metadata/testshib-providers.xml >>> >>> Thank you! >>> Steve >>> >> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/eea1c3ae/attachment.html From kga.official at gmail.com Thu Feb 11 06:29:27 2016 From: kga.official at gmail.com (Akshay Kini) Date: Thu, 11 Feb 2016 16:59:27 +0530 Subject: [keycloak-user] Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions. Message-ID: Hi Folks, We are using Keycloak as a SAML SP. I notice that SAML Assertions are signed using rsa-sha1, could we configure it to use RSA-SHA256? Thanks, Regards, Akshay -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/943c29b8/attachment.html

From prado.renann at gmail.com Thu Feb 11 07:04:33 2016
From: prado.renann at gmail.com (Renann Prado)
Date: Thu, 11 Feb 2016 10:04:33 -0200
Subject: [keycloak-user] How do I set session variable upon first API hit?
In-Reply-To: References: Message-ID:

On Feb 11, 2016 10:03, "Renann Prado" wrote:
> Yes, it is a JEE application and I am using the standard adapter.
> I thought about creating a servlet filter, but is this the right approach
> to take?
>
> Thanks
> On Feb 11, 2016 06:24, "Stian Thorgersen" wrote:
>
>> Assuming you're talking about a JEE application, why not just use a
>> servlet filter? Make it take a peek in the http session to check if the
>> variables are set, if not load from database and add them.
>>
>> On 11 February 2016 at 08:38, Renann Prado
>> wrote:
>>
>>> Basically I have some session variables that should be set upon first
>>> hit in the API (using bearer token). The requirement is that session
>>> variables will be dynamically loaded from the database and put into the
>>> http session before I actually process the request, so I can use the
>>> variables to process it.
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/43d80814/attachment.html

From leo.nunes at gjccorp.com.br Thu Feb 11 08:09:56 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Thu, 11 Feb 2016 13:09:56 +0000
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
Message-ID:

Hi, I'm getting the error below when I try to login with Facebook.
I've followed the instructions at
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337

I was able to login with Facebook when trying at localhost. But at our development server we are getting this error.

We are using EAP in domain mode.

The truststore I placed inside of keycloak-server.json:

    "truststore": {
        "file": {
            "file": "/home/soa/jboss/ssl/keycloak.jks",
            "password": "keycloak123",
            "hostname-verification-policy": "ANY",
            "disabled": false
        }
    }

#######

ERROR:

2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) [jsse.jar:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) [jsse.jar:1.8.0_45]
    at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_45] at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [rt.jar:1.8.0_45] at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_45] at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) [rt.jar:1.8.0_45] at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) [rt.jar:1.8.0_45] at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) [rt.jar:1.8.0_45] at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45] at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45] at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at 
org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.8.1.Final.jar:1.8.1.Final] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) 
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45] at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) 
[rt.jar:1.8.0_45] at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45] at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_45] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_45] at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_45] at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [jsse.jar:1.8.0_45] ... 50 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [rt.jar:1.8.0_45] at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [rt.jar:1.8.0_45] at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45] at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45] ... 56 more -- Leonardo Nunes ________________________________ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.
Thank you for your cooperation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/f26bd6c2/attachment-0001.html

From prado.renann at gmail.com Thu Feb 11 08:16:29 2016
From: prado.renann at gmail.com (Renann Prado)
Date: Thu, 11 Feb 2016 11:16:29 -0200
Subject: [keycloak-user] User-Federation
In-Reply-To: References: Message-ID:

Is there any recommended way to make sure these endpoints won't be spammed by an attacker? Looks like these endpoints need to be open to anyone.

Thanks

On Feb 3, 2016 11:18, "Reed Lewis" wrote:
> If you use the federation provider listed here:
>
> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
> [1]: https://github.com/Smartling/keycloak-user-migration-provider
>
> You can specify a URL that will be called when a user needs to be
> validated.
>
> There are three requests that need to be implemented in your server.
>
> GET /api/users//
> If the user exists, it should return a 200 with a json object with the
> return type "application/json" with the following fields:
> username
> email
> emailVerified
> firstName
> lastName
> roles ["user"]
>
> If the user does not exist, return a 404
>
> HEAD /api/users//
> Always return 200
>
> POST /api/users//
> The password is posted to you in a json object.
> Return 200 if the password is OK, 401 if not. In both cases return no
> data.
>
> I wrote a small python module which implements these methods which works
> quite well.
>
> Reed
>
> From: on behalf of Stuart Jacobs <
> stuart.jacobs at symbiotics.co.za>
> Date: Wednesday, February 3, 2016 at 2:40 AM
> To: "keycloak-user at lists.jboss.org"
> Subject: [keycloak-user] User-Federation
>
> Hi Everyone,
>
> I have an application that runs on a postgresql database, keycloak has
> been configured and has created all the required tables/columns in my
> schema using liquibase on start up of the keycloak server.
> > I need to authenticate users using the projects existing user table > obtaining the username and password from this table. > > I have had a look at the federation provider project under the example > projects but this still eludes me as to how I change the keycloak mapping > to use my own tables in postgress? > > Can someone please point me in the right direction or if someone has > implemented such a solution please share how you have done it? > > Thanks everyone. > > Regards, > Stuart Jacobs > > > > > > > > www.symbiotics.co.za > > ******************************************************************************** > This email and any accompanying attachments may contain confidential and > proprietary information. This information is private and protected by law > and, accordingly, if you are not the intended recipient, you are requested > to delete this entire communication immediately and are notified that any > disclosure, copying or distribution of or taking any action based on this > information is prohibited. > > Emails cannot be guaranteed to be secure or free of errors or viruses. The > sender does not accept any liability or responsibility for any > interception, corruption, destruction, loss, late arrival or incompleteness > of or tampering or interference with any of the information contained in > this email or for its incorrect delivery or non-delivery for whatsoever > reason or for its effect on any electronic device of the recipient. > > ******************************************************************************** > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/d777c2bf/attachment.html

From prado.renann at gmail.com Thu Feb 11 08:17:14 2016
From: prado.renann at gmail.com (Renann Prado)
Date: Thu, 11 Feb 2016 11:17:14 -0200
Subject: [keycloak-user] User-Federation
In-Reply-To: References: Message-ID:

Everyone*

On Feb 11, 2016 11:16, "Renann Prado" wrote:
> Is there any recommended way to make sure these endpoints won't be spammed
> by an attacker? Looks like these endpoints need to be open to anyone.
>
> Thanks
> On Feb 3, 2016 11:18, "Reed Lewis" wrote:
>
>> If you use the federation provider listed here:
>>
>> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
>> [1]: https://github.com/Smartling/keycloak-user-migration-provider
>>
>> You can specify a URL that will be called when a user needs to be
>> validated.
>>
>> There are three requests that need to be implemented in your server.
>>
>> GET /api/users//
>> If the user exists, it should return a 200 with a json object with the
>> return type "application/json" with the following fields:
>> username
>> email
>> emailVerified
>> firstName
>> lastName
>> roles ["user"]
>>
>> If the user does not exist, return a 404
>>
>> HEAD /api/users//
>> Always return 200
>>
>> POST /api/users//
>> The password is posted to you in a json object.
>> Return 200 if the password is OK, 401 if not. In both cases return no
>> data.
>>
>> I wrote a small python module which implements these methods which works
>> quite well.
>>
>> Reed
>>
>> From: on behalf of Stuart Jacobs
>>
>> Date: Wednesday, February 3, 2016 at 2:40 AM
>> To: "keycloak-user at lists.jboss.org"
>> Subject: [keycloak-user] User-Federation
>>
>> Hi Everyone,
>>
>> I have an application that runs on a postgresql database, keycloak has
>> been configured and has created all the required tables/columns in my
>> schema using liquibase on start up of the keycloak server.
>> >> I need to authenticate users using the projects existing user table >> obtaining the username and password from this table. >> >> I have had a look at the federation provider project under the example >> projects but this still eludes me as to how I change the keycloak mapping >> to use my own tables in postgress? >> >> Can someone please point me in the right direction or if someone has >> implemented such a solution please share how you have done it? >> >> Thanks everyone. >> >> Regards, >> Stuart Jacobs >> >> >> >> >> >> >> >> www.symbiotics.co.za >> >> ******************************************************************************** >> This email and any accompanying attachments may contain confidential and >> proprietary information. This information is private and protected by law >> and, accordingly, if you are not the intended recipient, you are requested >> to delete this entire communication immediately and are notified that any >> disclosure, copying or distribution of or taking any action based on this >> information is prohibited. >> >> Emails cannot be guaranteed to be secure or free of errors or viruses. >> The sender does not accept any liability or responsibility for any >> interception, corruption, destruction, loss, late arrival or incompleteness >> of or tampering or interference with any of the information contained in >> this email or for its incorrect delivery or non-delivery for whatsoever >> reason or for its effect on any electronic device of the recipient. >> >> ******************************************************************************** >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > -------------- next part -------------- An HTML attachment was scrubbed... 
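The three-call contract Reed Lewis describes above (GET, HEAD and POST under /api/users/), written out as an added example that is neither Smartling's provider nor any code posted in this thread. It assumes the path shape /api/users/<username>/, an in-memory user store holding constructed sample data, and, in answer to Renann's concern about the endpoints being open to anyone, a per-client sliding-window limit on password checks; the 429 response, the limit values and the store are all assumptions of the example, not part of Reed's contract.

```python
"""Stand-in for the three endpoints Reed Lewis describes. Added example,
not the Smartling provider's code. Assumed: path /api/users/<username>/,
an in-memory store with constructed data, a per-client throttle."""
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque
from http.server import BaseHTTPRequestHandler, HTTPServer

_SALT = b"constructed-demo-salt"  # real code: a random salt per user

def _pbkdf2(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store; holds password hashes, never plaintext.
USERS = {
    "alice": {
        "email": "alice@example.test",
        "emailVerified": True,
        "firstName": "Alice",
        "lastName": "Example",
        "roles": ["user"],
        "pw_hash": _pbkdf2("correct horse battery staple"),
    }
}
_DUMMY_HASH = _pbkdf2("")  # unknown users cost the same work as known ones

# Assumed mitigation for "spammed by an attacker": limit password checks
# per client address within a sliding window.
WINDOW_SECONDS = 60
MAX_ATTEMPTS = 5
_attempts = defaultdict(deque)

def _throttled(client: str, now: float) -> bool:
    q = _attempts[client]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_ATTEMPTS:
        return True
    q.append(now)
    return False

def _username_from(path: str):
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["api", "users"] and parts[2]:
        return parts[2]
    return None

def handle(method, path, body=b"", client="127.0.0.1", now=None):
    """Return (status, json_payload_or_None) for one request."""
    now = time.time() if now is None else now
    username = _username_from(path)
    if username is None:
        return 404, None
    if method == "HEAD":            # contract: always 200
        return 200, None
    if method == "GET":             # contract: 200 with fields, or 404
        user = USERS.get(username)
        if user is None:
            return 404, None
        return 200, {"username": username,
                     **{k: v for k, v in user.items() if k != "pw_hash"}}
    if method == "POST":            # contract: 200 if password OK, else 401
        if _throttled(client, now):
            return 429, None        # assumed addition, not in the contract
        try:
            data = json.loads(body.decode() or "{}")
        except (ValueError, UnicodeDecodeError):
            return 401, None
        password = data.get("password", "") if isinstance(data, dict) else ""
        user = USERS.get(username)
        expected = user["pw_hash"] if user else _DUMMY_HASH
        ok = hmac.compare_digest(_pbkdf2(str(password)), expected) and user is not None
        return (200 if ok else 401), None
    return 405, None

class Handler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the module can also be run as a server."""
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, payload = handle(self.command, self.path, body, self.client_address[0])
        data = b"" if payload is None else json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if data:
            self.wfile.write(data)
    do_GET = do_HEAD = do_POST = _serve

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

The GET response never includes the stored hash, the password check hashes even for unknown usernames so timing does not reveal whether a user exists, and the throttle is keyed by client address, which is only meaningful if the endpoint is reachable solely through Keycloak and not directly from the internet.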
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/6164ad32/attachment.html

From bburke at redhat.com Thu Feb 11 09:06:49 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 11 Feb 2016 09:06:49 -0500
Subject: [keycloak-user] Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions.
In-Reply-To: References: Message-ID: <56BC9579.8080102@redhat.com>

Where? Keycloak SAML SP? Keycloak Server interaction with an app/client? Or Keycloak Server acting as an SP in a broker scenario? They all *should* support plugging in the algorithm. Did you configure this correctly?

On 2/11/2016 6:29 AM, Akshay Kini wrote:
> Hi Folks,
>
> We are using Keycloak as a SAML SP.
>
> I notice that SAML Assertions are signed using rsa-sha1, could we
> configure it to use RSA-SHA256?
>
> Thanks,
> Regards,
> Akshay
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/573d1ced/attachment-0001.html

From sthorger at redhat.com Thu Feb 11 09:23:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 11 Feb 2016 15:23:39 +0100
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
In-Reply-To: References: Message-ID:

Does it work if you don't specify the truststore? That will use the default truststore provided by the JDK.

Also, does your truststore contain the required CA certs? For Facebook to work it'll have to contain the required CAs for their certs.

On 11 February 2016 at 14:09, LEONARDO NUNES wrote:
> Hi, I'm getting the error below when I try to login with Facebook.
> I've followed the instructions at > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore > and > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337 > > I was able to login with Facebook when trying at localhost. But at our > development server we are getting this error. > > We are using EAP in domain mode. > > The truststore I placed inside of keycloak-server.json > "truststore": { > "file": { > "file": "/home/soa/jboss/ssl/keycloak.jks", > "password": "keycloak123", > "hostname-verification-policy": "ANY", > "disabled": false > } > } > > > ####### > > ERRO: > > > 2016-02-11 10:44:53,927 ERROR > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] > (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth > callback: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > [jsse.jar:1.8.0_45] > at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) > [jsse.jar:1.8.0_45] > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) > [jsse.jar:1.8.0_45] > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > [jsse.jar:1.8.0_45] > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) > [jsse.jar:1.8.0_45] > at > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) > [jsse.jar:1.8.0_45] > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) > [jsse.jar:1.8.0_45] > at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) > [jsse.jar:1.8.0_45] > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) > [jsse.jar:1.8.0_45] > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) > 
[jsse.jar:1.8.0_45] > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) > [jsse.jar:1.8.0_45] > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) > [jsse.jar:1.8.0_45] > at > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) > [rt.jar:1.8.0_45] > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > [rt.jar:1.8.0_45] > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) > [rt.jar:1.8.0_45] > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) > [rt.jar:1.8.0_45] > at > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > [rt.jar:1.8.0_45] > at > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124) > at > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.8.0_45] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > [rt.jar:1.8.0_45] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.8.0_45] > at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45] > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) > 
[resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > [keycloak-services-1.8.1.Final.jar:1.8.1.Final] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) > at > org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) > [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2] > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] > Caused by: sun.security.validator.ValidatorException: PKIX path 
> building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45]
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.8.0_45]
> at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_45]
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_45]
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_45]
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [jsse.jar:1.8.0_45]
> ... 50 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [rt.jar:1.8.0_45]
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [rt.jar:1.8.0_45]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]
> ... 56 more
>
> --
> Leonardo Nunes
From RLewis at carbonite.com Thu Feb 11 09:35:31 2016
From: RLewis at carbonite.com (Reed Lewis)
Date: Thu, 11 Feb 2016 14:35:31 +0000
Subject: [keycloak-user] User-Federation
Message-ID: <81B2EA95-4A60-4992-ADF0-17AD754D1E46@carbonite.com>

The endpoint that is used by the federation provider is only called from Keycloak, so you can run it on localhost on the Keycloak machine if that is going to work for you.

OTOH, if you need to run it on a different machine, you can lock down the endpoint to only be accessible from the Keycloak server.

End users never call the endpoint I documented.

Reed

From: Renann Prado
Date: Thursday, February 11, 2016 at 8:17 AM
To: Reed Lewis
Cc: keycloak-user at lists.jboss.org, Stuart Jacobs
Subject: Re: [keycloak-user] User-Federation

Everyone*

On Feb 11, 2016 11:16, "Renann Prado" wrote:
Is there any recommended way to make sure these endpoints won't be spammed by an attacker? Looks like these endpoints need to be open to anyone.
Thanks

On Feb 3, 2016 11:18, "Reed Lewis" wrote:
If you use the federation provider listed here:

[0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
[1]: https://github.com/Smartling/keycloak-user-migration-provider

You can specify a URL that will be called when a user needs to be validated.

There are three requests that need to be implemented in your server.

GET /api/users//
If the user exists, it should return a 200 with a JSON object with the return type "application/json" with the following fields:
    username
    email
    emailVerified
    firstName
    lastName
    roles ["user"]
If the user does not exist, return a 404.

HEAD /api/users//
Always return 200.

POST /api/users//
The password is posted to you in a JSON object.
Return 200 if the password is OK, 401 if not. In both cases return no data.

I wrote a small python module which implements these methods which works quite well.

Reed

From: Stuart Jacobs
Date: Wednesday, February 3, 2016 at 2:40 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] User-Federation

Hi Everyone,

I have an application that runs on a PostgreSQL database. Keycloak has been configured and has created all the required tables/columns in my schema using Liquibase on start up of the Keycloak server.

I need to authenticate users using the project's existing user table, obtaining the username and password from this table.

I have had a look at the federation provider project under the example projects, but this still eludes me as to how I change the Keycloak mapping to use my own tables in Postgres?

Can someone please point me in the right direction, or if someone has implemented such a solution, please share how you have done it?

Thanks everyone.
Regards,
Stuart Jacobs
www.symbiotics.co.za

From technolengy at gmail.com Thu Feb 11 11:04:20 2016
From: technolengy at gmail.com (Steve Nolen)
Date: Thu, 11 Feb 2016 16:04:20 +0000
Subject: [keycloak-user] trouble acting as SP with testshib.org IdP

Hi Jérôme!

Thanks so much for the details!

Perhaps the issue when uploading was actually the other issue I stumbled upon in this endeavor!
When attempting to upload the Keycloak SP metadata to testshib.org, I received a malformed metadata error; the testshib.org folks noted that the SingleLogoutService element must come before the NameID element (they also suggested removing the newline and whitespace from NameID, which existed in my Keycloak SP metadata).

Once I modified those I was able to upload at least. I suppose the ordering/newline issues may be a fixable issue for Keycloak.

As for the signing issue, I think I'll give up on using the testshib instance (I did try to re-upload with your authn suggestion after fixing the SingleLogoutService and NameID issues I mentioned above) and did receive an invalid metadata error. I appreciate your help though, and I'm sure that integrating with a university IdP as I intend to will be a bit easier!

On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard wrote:
> I'm able to reproduce your bug.
> Making authentication in debug mode with a break point in AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted response:
>
> StatusType [statusCode=StatusCodeType [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null], statusMessage=Unable to encrypt assertion, statusDetail=null]
>
> By the way, when I try to use Want AuthnRequests Signed = true, I can't upload the configuration to the testshib site because it considers the file as not well-formed!!
>
> I'm sorry, but it seems that the configuration of testshib is very closely coupled to Shibboleth... Maybe you could try with your own instance of an IdP.
>
> Best regards, Jérôme.
>
> On Wed, 10 Feb 2016 at 17:03, Steve Nolen wrote:
>> Hi Jérôme,
>>
>> Thanks for the help! I swapped the NameId in Keycloak for this broker to unspecified (I uploaded my SP metadata to testshib.org again as well just in case) and am still receiving the same error.
>>
>> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard wrote:
>>> Hi Steve,
>>>
>>> I'm using Keycloak as a Shibboleth SP in a federation (Renater) and it's working fine. The problem you encounter comes from the fact that you ask for a persistent nameId in the config of your SP and, according to the provider details, it's only able to send a transient nameId.
>>> Set the parameter of nameId to undefined and check the authentication again.
>>>
>>> Best regards, Jérôme.
>>>
>>> On Wed, 10 Feb 2016 at 03:57, Steve Nolen wrote:
>>>> Hi!
>>>>
>>>> First of all, Keycloak is legitimately awesome!
>>>>
>>>> I was attempting to test the use of Keycloak as a Shibboleth SP today (testing against the testshib.org test IdP) and am having some trouble.
>>>>
>>>> Keycloak Version: 1.9.0CR1 (using it on OpenShift currently)
>>>>
>>>> Both sides seem to be set up as they should (I used the testshib endpoint to import the settings to Keycloak). I'm able to take the redirect over to idp.testshib but on logging in I get a 500 Internal Server Error from Keycloak. The message is "No Assertion from response" (stack trace below).
>>>>
>>>> Any thoughts on what might be missing?
>>>>
>>>> ==== stack trace ====
>>>> http://pastebin.com/3tsApUKK
>>>>
>>>> ==== broker details ====
>>>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>>>>
>>>> ==== provider details ====
>>>> https://www.testshib.org/metadata/testshib-providers.xml
>>>>
>>>> Thank you!
>>>> Steve
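The two metadata problems Steve reports above (SingleLogoutService placed after the NameIDFormat element, which the testshib reply calls the NameID element, and whitespace inside its value) and the rsa-sha1 versus RSA-SHA256 question from Akshay Kini's thread earlier in this digest can all be caught before metadata is uploaded to an IdP. The linter below is an added example, not Keycloak's or testshib's code. The element order it enforces is the SAML 2.0 metadata schema sequence for SPSSODescriptor; the metadata it checks is a constructed sample whose ds:Signature is a stub carrying only a SignatureMethod, and the entity IDs and URLs in it are made up.

```python
"""Lint a SAML 2.0 SP metadata document (added example, not Keycloak code).

Checks: child order inside SPSSODescriptor against the schema sequence,
whitespace inside NameIDFormat, and SHA-1 based ds:SignatureMethod values.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Schema order of SPSSODescriptor children: RoleDescriptorType first,
# then SSODescriptorType (SingleLogoutService before NameIDFormat),
# then the SPSSODescriptorType additions.
SPSSO_ORDER = [
    "Signature", "Extensions", "KeyDescriptor", "Organization", "ContactPerson",
    "ArtifactResolutionService", "SingleLogoutService", "ManageNameIDService",
    "NameIDFormat", "AssertionConsumerService", "AttributeConsumingService",
]
RANK = {name: i for i, name in enumerate(SPSSO_ORDER)}
WEAK_SIG_ALGS = {DS + "rsa-sha1", DS + "dsa-sha1"}


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def lint_sp_metadata(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    for spsso in root.iter(f"{{{MD}}}SPSSODescriptor"):
        last_rank, last_name = -1, None
        for child in spsso:
            name = _local(child.tag)
            rank = RANK.get(name)
            if rank is None:
                continue  # extension element: outside the schema sequence
            if rank < last_rank:
                findings.append(f"{name} appears after {last_name}; schema order "
                                f"requires {name} before {last_name}")
            else:
                last_rank, last_name = rank, name
            if name == "NameIDFormat":
                text = child.text or ""
                if text != text.strip():
                    findings.append(f"NameIDFormat value {text!r} has "
                                    "leading/trailing whitespace")
    for method in root.iter(f"{{{DS}}}SignatureMethod"):
        alg = method.get("Algorithm", "")
        if alg in WEAK_SIG_ALGS:
            findings.append(f"SignatureMethod uses SHA-1 based algorithm {alg}; "
                            f"prefer {RSA_SHA256}")
    return findings


def normalize_sp_metadata(xml_text):
    """Reorder SPSSODescriptor children to schema order and trim NameIDFormat.

    The serialized bytes change, so any signature over the document has to
    be regenerated afterwards; this function does not touch the signature.
    """
    root = ET.fromstring(xml_text)
    for spsso in root.iter(f"{{{MD}}}SPSSODescriptor"):
        children = list(spsso)
        for child in children:
            spsso.remove(child)
        key = lambda c: RANK.get(_local(c.tag), len(SPSSO_ORDER))  # unknown: last
        for child in sorted(children, key=key):  # sorted() is stable
            if _local(child.tag) == "NameIDFormat" and child.text:
                child.text = child.text.strip()
            spsso.append(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample reproducing the reported problems (stub signature).
BAD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.test/saml">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{DS}rsa-sha1"/></ds:SignedInfo></ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def demo():
    """Findings before and after normalization of the constructed sample."""
    return lint_sp_metadata(BAD_METADATA), lint_sp_metadata(normalize_sp_metadata(BAD_METADATA))


if __name__ == "__main__":
    for stage, findings in zip(("before", "after"), demo()):
        print(stage, findings)
```

The ds:SignatureMethod check is the same whether the element sits in signed metadata or in a SAML Response or Assertion, so the function can be pointed at a captured response to answer Akshay's question for a given deployment; the ordering check, by contrast, is specific to SP metadata.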
From jayblanc at gmail.com Thu Feb 11 11:14:37 2016
From: jayblanc at gmail.com (Jérôme Blanchard)
Date: Thu, 11 Feb 2016 16:14:37 +0000
Subject: [keycloak-user] trouble acting as SP with testshib.org IdP

Hi Steve,

I spent some time integrating into the Renater federation (the French research Shibboleth federation) because Keycloak does not handle the discovery service that parses the WAYF... So I have developed a small app to parse this file and synchronize my 250 IdPs into Keycloak!! I also customized the template in order to build a choice list taking info from my discovery app.

Next step for me is to fork the SAML provider of Keycloak to build a dedicated Shibboleth one.

You probably faced some issues about transient nameId because the Shibboleth federation does not give a persistent nameId but a transient one, and because Keycloak needs to associate the IdP/nameId to a real Keycloak account, a transient nameId results in a new account for each new Shibboleth IdP session... You have to rely on the attribute eduPersonTargetedID, but this attribute is a complex type and the Keycloak SAML attribute parser can't handle it correctly. I have made a small patch also to avoid problems with that and to ensure the mapping between this attribute and the nameID.

By the way, I'm interested, if you succeed, in sharing some tips and enlarging the knowledge base about those aspects around Shibboleth and Keycloak.

Best regards, Jérôme.

On Thu, 11 Feb 2016 at 17:04, Steve Nolen wrote:
> Hi Jérôme!
>
> Thanks so much for the details!
>
> Perhaps the issue when uploading was actually the other issue I stumbled upon in this endeavor!
> When attempting to upload the Keycloak SP metadata to testshib.org, I received a malformed metadata error; the testshib.org folks noted that the SingleLogoutService element must come before the NameID element (they also suggested removing the newline and whitespace from NameID, which existed in my Keycloak SP metadata).
>
> Once I modified those I was able to upload at least. I suppose the ordering/newline issues may be a fixable issue for Keycloak.
>
> As for the signing issue, I think I'll give up on using the testshib instance (I did try to re-upload with your authn suggestion after fixing the SingleLogoutService and NameID issues I mentioned above) and did receive an invalid metadata error. I appreciate your help though, and I'm sure that integrating with a university IdP as I intend to will be a bit easier!
>
> On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard wrote:
>> I'm able to reproduce your bug.
>> Making authentication in debug mode with a break point in AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted response:
>>
>> StatusType [statusCode=StatusCodeType [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null], statusMessage=Unable to encrypt assertion, statusDetail=null]
>>
>> By the way, when I try to use Want AuthnRequests Signed = true, I can't upload the configuration to the testshib site because it considers the file as not well-formed!!
>>
>> I'm sorry, but it seems that the configuration of testshib is very closely coupled to Shibboleth... Maybe you could try with your own instance of an IdP.
>>
>> Best regards, Jérôme.
>>
>> On Wed, 10 Feb 2016 at 17:03, Steve Nolen wrote:
>>> Hi Jérôme,
>>>
>>> Thanks for the help! I swapped the NameId in Keycloak for this broker to unspecified (I uploaded my SP metadata to testshib.org again as well just in case) and am still receiving the same error.
>>>
>>> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard wrote:
>>>> Hi Steve,
>>>>
>>>> I'm using Keycloak as a Shibboleth SP in a federation (Renater) and it's working fine. The problem you encounter comes from the fact that you ask for a persistent nameId in the config of your SP and, according to the provider details, it's only able to send a transient nameId.
>>>> Set the parameter of nameId to undefined and check the authentication again.
>>>>
>>>> Best regards, Jérôme.
>>>>
>>>> On Wed, 10 Feb 2016 at 03:57, Steve Nolen wrote:
>>>>> Hi!
>>>>>
>>>>> First of all, Keycloak is legitimately awesome!
>>>>>
>>>>> I was attempting to test the use of Keycloak as a Shibboleth SP today (testing against the testshib.org test IdP) and am having some trouble.
>>>>>
>>>>> Keycloak Version: 1.9.0CR1 (using it on OpenShift currently)
>>>>>
>>>>> Both sides seem to be set up as they should (I used the testshib endpoint to import the settings to Keycloak). I'm able to take the redirect over to idp.testshib but on logging in I get a 500 Internal Server Error from Keycloak. The message is "No Assertion from response" (stack trace below).
>>>>>
>>>>> Any thoughts on what might be missing?
>>>>>
>>>>> ==== stack trace ====
>>>>> http://pastebin.com/3tsApUKK
>>>>>
>>>>> ==== broker details ====
>>>>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>>>>>
>>>>> ==== provider details ====
>>>>> https://www.testshib.org/metadata/testshib-providers.xml
>>>>>
>>>>> Thank you!
>>>>> Steve
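Jérôme's point above is that a transient NameID changes every session, so an SP that keys accounts on it creates a new account each time, while the stable identifier a Shibboleth federation releases, eduPersonTargetedID, arrives as a nested saml:NameID inside AttributeValue rather than as text, which is what a text-only attribute parser drops. The following parser is an added example, not Keycloak's attribute parser or Jérôme's patch. The assertion is a constructed sample (made-up IdP, SP and values); the OID for eduPersonTargetedID is the standard one; composing the account key as the IdP qualifier plus the value is this example's choice, made because the value is only unique for the issuing IdP.

```python
"""Pick a stable account key from a Shibboleth-style SAML assertion
(added example, not Keycloak code).

Prefers a persistent Subject NameID, falls back to the nested NameID in
eduPersonTargetedID, and refuses to key an account on a transient NameID.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"   # eduPersonTargetedID
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def _q(local):
    """Clark-notation tag for an element in the SAML assertion namespace."""
    return f"{{{SAML}}}{local}"


def parse_assertion(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != _q("Assertion"):
        raise ValueError("not a SAML 2.0 Assertion")
    return root


def subject_name_id(assertion):
    """Format and value of the Subject NameID, or None if absent."""
    nid = assertion.find(f"{_q('Subject')}/{_q('NameID')}")
    if nid is None:
        return None
    return {"format": nid.get("Format"), "value": (nid.text or "").strip()}


def eptid(assertion):
    """The nested NameID carried by eduPersonTargetedID, or None.

    The attribute is complex-typed: AttributeValue contains a saml:NameID
    element whose NameQualifier names the IdP and whose SPNameQualifier
    names the SP the value was generated for.
    """
    for attr in assertion.iter(_q("Attribute")):
        if attr.get("Name") != EPTID_OID:
            continue
        nid = attr.find(f"{_q('AttributeValue')}/{_q('NameID')}")
        if nid is None:
            continue  # text-only value: not the complex form this handles
        return {
            "format": nid.get("Format"),
            "name_qualifier": nid.get("NameQualifier"),
            "sp_name_qualifier": nid.get("SPNameQualifier"),
            "value": (nid.text or "").strip(),
        }
    return None


def federated_user_key(xml_text, expected_sp_entity_id):
    """Identifier an SP should link a local account to, or ValueError."""
    assertion = parse_assertion(xml_text)
    subj = subject_name_id(assertion)
    if subj and subj["format"] == PERSISTENT:
        return subj["value"]
    tid = eptid(assertion)
    if tid is None:
        raise ValueError("no persistent NameID and no eduPersonTargetedID: "
                         "a transient NameID must not be used as an account key")
    if tid["sp_name_qualifier"] not in (None, expected_sp_entity_id):
        raise ValueError("eduPersonTargetedID is scoped to a different SP")
    # ePTID values are only unique per issuing IdP, so qualify the key with it.
    return f"{tid['name_qualifier']}!{tid['value']}"


# Constructed sample: transient Subject NameID plus a complex-typed ePTID.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2016-02-11T16:00:00Z">
  <saml:Issuer>https://idp.example.test/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{TRANSIENT}">_3f0a9c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPTID_OID}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonTargetedID">
      <saml:AttributeValue>
        <saml:NameID Format="{PERSISTENT}" NameQualifier="https://idp.example.test/idp/shibboleth" SPNameQualifier="https://sp.example.test/saml">Y1xS9mW4c</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(subject_name_id(parse_assertion(SAMPLE_ASSERTION)))
    print(federated_user_key(SAMPLE_ASSERTION, "https://sp.example.test/saml"))
```

The SPNameQualifier check matters in a broker setup: an ePTID generated for one SP must not be accepted as the key for another, so the function rejects a value scoped to a different entity ID rather than silently linking the account.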
From technolengy at gmail.com Thu Feb 11 11:21:14 2016
From: technolengy at gmail.com (Steve Nolen)
Date: Thu, 11 Feb 2016 16:21:14 +0000
Subject: [keycloak-user] trouble acting as SP with testshib.org IdP

Sounds like you've got quite some experience with this!! I would certainly be happy to share any steps/procedure I use when I'm successful!

> Next step for me is to fork the saml provider of keycloak to built a dedicated shibboleth one.

This is good news as well. I've noticed that a very large percentage of people creating SPs for Shibboleth tend to use the standard shibd/apache setup so as to avoid touching Shibboleth as much as possible. It would be fantastic to be able to use Keycloak in place of that where possible!

On Thu, Feb 11, 2016 at 8:14 AM Jérôme Blanchard wrote:
> Hi Steve,
>
> I spent some time integrating into the Renater federation (the French research Shibboleth federation) because Keycloak does not handle the discovery service that parses the WAYF... So I have developed a small app to parse this file and synchronize my 250 IdPs into Keycloak!! I also customized the template in order to build a choice list taking info from my discovery app.
>
> Next step for me is to fork the SAML provider of Keycloak to build a dedicated Shibboleth one.
>
> You probably faced some issues about transient nameId because the Shibboleth federation does not give a persistent nameId but a transient one, and because Keycloak needs to associate the IdP/nameId to a real Keycloak account, a transient nameId results in a new account for each new Shibboleth IdP session... You have to rely on the attribute eduPersonTargetedID, but this attribute is a complex type and the Keycloak SAML attribute parser can't handle it correctly.
> I have made a small patch also to avoid problems with that and to ensure the mapping between this attribute and the nameID.
>
> By the way, I'm interested, if you succeed, in sharing some tips and enlarging the knowledge base about those aspects around Shibboleth and Keycloak.
>
> Best regards, Jérôme.
>
> On Thu, 11 Feb 2016 at 17:04, Steve Nolen wrote:
>> Hi Jérôme!
>>
>> Thanks so much for the details!
>>
>> Perhaps the issue when uploading was actually the other issue I stumbled upon in this endeavor! When attempting to upload the Keycloak SP metadata to testshib.org, I received a malformed metadata error; the testshib.org folks noted that the SingleLogoutService element must come before the NameID element (they also suggested removing the newline and whitespace from NameID, which existed in my Keycloak SP metadata).
>>
>> Once I modified those I was able to upload at least. I suppose the ordering/newline issues may be a fixable issue for Keycloak.
>>
>> As for the signing issue, I think I'll give up on using the testshib instance (I did try to re-upload with your authn suggestion after fixing the SingleLogoutService and NameID issues I mentioned above) and did receive an invalid metadata error. I appreciate your help though, and I'm sure that integrating with a university IdP as I intend to will be a bit easier!
>>
>> On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard wrote:
>>> I'm able to reproduce your bug.
>>> Making authentication in debug mode with a break point in AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted response:
>>>
>>> StatusType [statusCode=StatusCodeType [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null], statusMessage=Unable to encrypt assertion, statusDetail=null]
>>>
>>> By the way, when I try to use Want AuthnRequests Signed = true, I can't upload the configuration to the testshib site because it considers the file as not well-formed!!
>>>
>>> I'm sorry, but it seems that the configuration of testshib is very closely coupled to Shibboleth... Maybe you could try with your own instance of an IdP.
>>>
>>> Best regards, Jérôme.
>>>
>>> On Wed, 10 Feb 2016 at 17:03, Steve Nolen wrote:
>>>> Hi Jérôme,
>>>>
>>>> Thanks for the help! I swapped the NameId in Keycloak for this broker to unspecified (I uploaded my SP metadata to testshib.org again as well just in case) and am still receiving the same error.
>>>>
>>>> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard wrote:
>>>>> Hi Steve,
>>>>>
>>>>> I'm using Keycloak as a Shibboleth SP in a federation (Renater) and it's working fine. The problem you encounter comes from the fact that you ask for a persistent nameId in the config of your SP and, according to the provider details, it's only able to send a transient nameId.
>>>>> Set the parameter of nameId to undefined and check the authentication again.
>>>>>
>>>>> Best regards, Jérôme.
>>>>>
>>>>> On Wed, 10 Feb 2016 at 03:57, Steve Nolen wrote:
>>>>>> Hi!
>>>>>>
>>>>>> First of all, Keycloak is legitimately awesome!
>>>>>>
>>>>>> I was attempting to test the use of Keycloak as a Shibboleth SP today (testing against the testshib.org test IdP) and am having some trouble.
>>>>>>
>>>>>> Keycloak Version: 1.9.0CR1 (using it on OpenShift currently)
>>>>>>
>>>>>> Both sides seem to be set up as they should (I used the testshib endpoint to import the settings to Keycloak). I'm able to take the redirect over to idp.testshib but on logging in I get a 500 Internal Server Error from Keycloak. The message is "No Assertion from response" (stack trace below).
>>>>>>
>>>>>> Any thoughts on what might be missing?
>>>>>>
>>>>>> ==== stack trace ====
>>>>>> http://pastebin.com/3tsApUKK
>>>>>>
>>>>>> ==== broker details ====
>>>>>> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>>>>>>
>>>>>> ==== provider details ====
>>>>>> https://www.testshib.org/metadata/testshib-providers.xml
>>>>>>
>>>>>> Thank you!
>>>>>> Steve

From srossillo at smartling.com Thu Feb 11 11:51:54 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 11 Feb 2016 11:51:54 -0500
Subject: [keycloak-user] User-Federation
In-Reply-To: <81B2EA95-4A60-4992-ADF0-17AD754D1E46@carbonite.com>
References: <81B2EA95-4A60-4992-ADF0-17AD754D1E46@carbonite.com>
Message-ID: <4B71E2D9-755C-40C4-8C4B-DC516C9CF11E@smartling.com>

Hi,

The example omits securing the endpoints for simplicity, to demonstrate the concepts. I'd suggest using some type of security on the legacy system if the endpoints are publicly accessible though.
Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Feb 11, 2016, at 9:35 AM, Reed Lewis wrote:
>
> The endpoint that is used by the federation provider is only called from Keycloak, so you can run it on localhost on the Keycloak machine if that is going to work for you.
>
> OTOH, if you need to run it on a different machine, you can lock down the endpoint to only be accessible from the Keycloak server.
>
> End users never call the endpoint I documented.
>
> Reed
>
> From: Renann Prado
> Date: Thursday, February 11, 2016 at 8:17 AM
> To: Reed Lewis
> Cc: keycloak-user at lists.jboss.org, Stuart Jacobs
> Subject: Re: [keycloak-user] User-Federation
>
> Everyone*
>
> On Feb 11, 2016 11:16, "Renann Prado" wrote:
> Is there any recommended way to make sure these endpoints won't be spammed by an attacker? Looks like these endpoints need to be open to anyone.
>
> Thanks
>
> On Feb 3, 2016 11:18, "Reed Lewis" wrote:
> If you use the federation provider listed here:
>
> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
> [1]: https://github.com/Smartling/keycloak-user-migration-provider
>
> You can specify a URL that will be called when a user needs to be validated.
>
> There are three requests that need to be implemented in your server.
>
> GET /api/users//
> If the user exists, it should return a 200 with a JSON object with the return type "application/json" with the following fields:
>     username
>     email
>     emailVerified
>     firstName
>     lastName
>     roles ["user"]
>
> If the user does not exist, return a 404.
>
> HEAD /api/users//
> Always return 200.
>
> POST /api/users//
> The password is posted to you in a JSON object.
> Return 200 if the password is OK, 401 if not. In both cases return no data.
>
> I wrote a small python module which implements these methods which works quite well.
>
> Reed
>
> From: Stuart Jacobs
> Date: Wednesday, February 3, 2016 at 2:40 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] User-Federation
>
> Hi Everyone,
>
> I have an application that runs on a PostgreSQL database. Keycloak has been configured and has created all the required tables/columns in my schema using Liquibase on start up of the Keycloak server.
>
> I need to authenticate users using the project's existing user table, obtaining the username and password from this table.
>
> I have had a look at the federation provider project under the example projects, but this still eludes me as to how I change the Keycloak mapping to use my own tables in Postgres?
>
> Can someone please point me in the right direction, or if someone has implemented such a solution, please share how you have done it?
>
> Thanks everyone.
>
> Regards,
> Stuart Jacobs
> www.symbiotics.co.za
From bburke at redhat.com Thu Feb 11 11:57:02 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 11 Feb 2016 11:57:02 -0500
Subject: [keycloak-user] trouble acting as SP with testshib.org IdP
In-Reply-To:
References:
Message-ID: <56BCBD5E.7010704@redhat.com>

Just create a detailed jira on how we can make this easier.

On 2/11/2016 11:21 AM, Steve Nolen wrote:
> Sounds like you've got quite some experience with this!! I would certainly be happy to share any steps/procedure I use when I'm successful!
>
> > Next step for me is to fork the saml provider of keycloak to build a dedicated shibboleth one.
> This is good news as well. I've noticed that a very large percentage of people creating SPs for shibboleth tend to use the standard shibd/apache setup so as to avoid touching shibboleth as much as possible. It would be fantastic to be able to use keycloak in place of that where possible!
>
> On Thu, Feb 11, 2016 at 8:14 AM Jérôme Blanchard wrote:
>
> Hi Steve,
>
> I spent some time in order to integrate into the Renater federation (french research shibboleth federation) because keycloak does not handle the discovery service that parses the WAYF... So I have developed a small app to parse this file and synchronize my 250 IdPs into keycloak !! I also customized the template in order to build a choice list taking info from my discovery app.
> Next step for me is to fork the saml provider of keycloak to build a dedicated shibboleth one.
> You probably faced some issues about transient nameid because the shibboleth federation does not give a persistent nameId but a transient one, and because keycloak needs to associate the IdP/nameId to a real keycloak account, transient nameids result in a new account for each new shibboleth IdP session...
> You have to rely on the attribute eduPersonTargetedID, but this attribute is a complex type and the keycloak SAML attribute parser can't handle it correctly. I have made a small patch also to avoid problems with that and to ensure the mapping between this attribute and the nameID.
>
> By the way, I'm interested if you succeed, in order to share some tips and to enlarge the knowledge base about those aspects around Shibboleth and keycloak.
>
> Best regards, Jérôme.
>
> On Thu, 11 Feb 2016 at 17:04, Steve Nolen wrote:
>
> Hi Jérôme!
>
> Thanks so much for the details!
>
> Perhaps the issue when uploading was actually the other issue I stumbled upon in this endeavor! When attempting to upload the keycloak sp metadata to testshib.org, I received a malformed metadata error; the testshib.org folks noted that the SingleLogoutService element must come before the NameID element (they also suggested to remove the newline & whitespace from NameID, which existed in my keycloak sp metadata).
>
> Once I modified those I was able to upload at least. I suppose the ordering/newline issues may be a fixable issue for keycloak.
>
> As for the signing issue, I think I'll give up on using the testshib instance (I did try to re-upload with your authn suggestion after fixing the SingleLogoutService and NameID issues I mentioned above) and did receive an invalid metadata error. I appreciate your help though, and I'm sure that integrating with a univ IdP as I intend to will be a bit easier!
>
> On Thu, Feb 11, 2016 at 3:20 AM Jérôme Blanchard wrote:
>
> I'm able to reproduce your bug.
> Making authentication using debug mode with a break point in AssertionUtil.getAssertion() shows that the IdP refuses to use an unencrypted response:
>
> StatusType [statusCode=StatusCodeType [value=urn:oasis:names:tc:SAML:2.0:status:Responder, statusCode=null], statusMessage=Unable to encrypt assertion, statusDetail=null]
>
> By the way, when I try to use Want AuthnRequests Signed = true, I can't upload the configuration to the testshib site because it considers the file as not well-formed !!
>
> I'm sorry, but it seems that the configuration of the testshib is very closely coupled to shibboleth... Maybe you could try with your own instance of an IdP.
>
> Best regards, Jérôme.
>
> On Wed, 10 Feb 2016 at 17:03, Steve Nolen wrote:
>
> Hi Jérôme,
>
> Thanks for the help! I swapped the NameId in keycloak for this broker to unspecified (I uploaded my sp metadata to testshib.org again as well just in case) and am still receiving the same error.
>
> On Wed, Feb 10, 2016 at 1:10 AM Jérôme Blanchard wrote:
>
> Hi Steve,
>
> I'm using Keycloak as a shibboleth SP in a federation (Renater) and it's working fine. The problem you encounter comes from the fact that you ask for a persistent nameId in the config of your SP and, according to the provider details, it's only able to send a transient nameId.
> Set the nameId parameter to undefined and check the authentication again.
>
> Best regards, Jérôme.
>
> On Wed, 10 Feb 2016 at 03:57, Steve Nolen wrote:
>
> Hi!
>
> First of all, keycloak is legitimately awesome!
>
> I was attempting to test the use of keycloak as a shibboleth SP today (testing against the testshib.org test IdP) and am having some trouble.
>
> Keycloak Version: 1.9.0CR1 (using it on openshift currently)
>
> Both sides seem to be set up as they should (I used the testshib endpoint to import the settings to keycloak). I'm able to take the redirect over to idp.testshib but on logging in I get a 500 Internal Server Error from keycloak. The message is "No Assertion from response" (stack trace below).
>
> Any thoughts on what might be missing?
>
> ==== stack trace ====
> http://pastebin.com/3tsApUKK
>
> ==== broker details ====
> https://keycloak-technolengy.rhcloud.com/auth/realms/technolengy/broker/testshib.org/endpoint/descriptor
>
> ==== provider details ====
> https://www.testshib.org/metadata/testshib-providers.xml
>
> Thank you!
> Steve

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From akaya at expedia.com Fri Feb 12 01:08:16 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Fri, 12 Feb 2016 06:08:16 +0000
Subject: [keycloak-user] Extending Themes via SPI
Message-ID:

Hi all,

In regards to Extending Themes via SPI all I found is this documentation:
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450

I found it a little lacking in detail.

When I implement those two classes, where do I put the new implemented classes? How do I deploy them?
Can I also use Spring MVC and JSP and a few maven dependencies instead of freemarker?
I also tried to find an example to extend a theme using SPI but there seems to be none. It would be really nice if you could provide a sample hello world.

Thank you very much,
Sarp Kaya

From mposolda at redhat.com Fri Feb 12 02:07:05 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 12 Feb 2016 08:07:05 +0100
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
In-Reply-To:
References:
Message-ID: <56BD8499.4060007@redhat.com>

The Facebook certificate should be signed by a trusted authority, so it works with the default JDK truststore. At least for me it always works.

Shouldn't the truststore SPI use both the provided file + the default JDK truststore by default? We may have a flag to disable the default JDK truststore, but not sure if it's ever needed. Also shouldn't we rewrite SimpleHTTP to use the Apache HTTP client provided by the HttpClientProvider SPI?

Marek

On 11/02/16 15:23, Stian Thorgersen wrote:
> Does it work if you don't specify the truststore? That will use the default truststore provided by the JDK.
>
> Also, does your truststore contain the required CA certs? For Facebook to work it'll have to contain the required CAs for their certs
>
> On 11 February 2016 at 14:09, LEONARDO NUNES wrote:
>
> Hi, I'm getting the error below when I try to login with Facebook.
> I've followed the instructions at
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore and
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>
> I was able to login with Facebook when trying at localhost. But at our development server we are getting this error.
>
> We are using EAP in domain mode.
>
> The truststore I placed inside of keycloak-server.json
> "truststore": {
>     "file": {
>         "file": "/home/soa/jboss/ssl/keycloak.jks",
>         "password": "keycloak123",
>         "hostname-verification-policy": "ANY",
>         "disabled": false
>     }
> }
>
> #######
>
> ERRO:
>
> 2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) [jsse.jar:1.8.0_45]
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) [jsse.jar:1.8.0_45]
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_45]
> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [rt.jar:1.8.0_45]
> at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > [rt.jar:1.8.0_45] > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) > [rt.jar:1.8.0_45] > at > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) > [rt.jar:1.8.0_45] > at > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > [rt.jar:1.8.0_45] > at > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124) > at > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > [rt.jar:1.8.0_45] > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > [rt.jar:1.8.0_45] > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > [rt.jar:1.8.0_45] > at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45] > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > 
org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > [keycloak-services-1.8.1.Final.jar:1.8.1.Final] > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) > at > org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) > [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2] > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) > [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] > Caused by: sun.security.validator.ValidatorException: PKIX path > building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable > to find valid certification path to requested target > at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) > [rt.jar:1.8.0_45] > at > 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.8.0_45]
> at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_45]
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_45]
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_45]
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [jsse.jar:1.8.0_45]
> ... 50 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [rt.jar:1.8.0_45]
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [rt.jar:1.8.0_45]
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]
> ... 56 more
>
> --
> Leonardo Nunes
From michael.anthon at infoview.com.au Fri Feb 12 02:44:22 2016
From: michael.anthon at infoview.com.au (Michael Anthon)
Date: Fri, 12 Feb 2016 07:44:22 +0000
Subject: [keycloak-user] Issues with password reset link expiration
In-Reply-To:
References: <56BB40F0.1080204@redhat.com> <56BB4614.8090509@redhat.com>
Message-ID: <9e3ecfb853ce42809eb3db603544d406@HsteqMX04.nexonhosted.local>

We have verified that the behavior is correct in 1.9.0.CR1.

Cheers,
Michael

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Michael Anthon
Sent: Thursday, 11 February 2016 2:42 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Issues with password reset link expiration

Thanks for the replies, I forgot to mention we are currently on 1.6.1.Final, however we do have a test setup where we can run an upgrade and check this out. Will try that and report back and/or create a ticket as required.
Cheers,
Michael

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Thursday, 11 February 2016 12:26 AM
To: Bill Burke; Michael Anthon
Cc: keycloak-user
Subject: Re: [keycloak-user] Issues with password reset link expiration

Michael,

Can you confirm if this issue still exists on 1.9.0.CR1 and if it does create a JIRA issue?

On 10 February 2016 at 15:15, Bill Burke wrote:

I think this may have been fixed in 1.9 with the flow changes I made. I don't have time to try it out right now though.

On 2/10/2016 8:58 AM, Stian Thorgersen wrote:

It's not about the error message though. It should be possible to open the link multiple times as long as the form is not submitted.

On 10 February 2016 at 14:53, Bill Burke wrote:

We changed the "error" message in I think 1.9? Maybe 1.8 to say "You clicked on a stale link. Maybe you have already verified your email?" I'll look into improving this I guess.

On 2/10/2016 4:21 AM, Stian Thorgersen wrote:

It should be possible to open the link multiple times, but only submit the password reset once. If that's not the case (sounds like it is) feel free to create a JIRA issue to report this as a bug.

On 10 February 2016 at 05:24, Michael Anthon wrote:

We are having issues with some users when they are attempting to use the password reset feature. It does work for most users, however for some they always end up at an error page saying "WE'RE SORRY ... An error occurred, please login again through your application"

What I have been able to determine so far is that for the affected users we are seeing a double hit on that URL in the server logs and from what I understand, these reset URLs are invalidated as soon as they are accessed.

So here's the state of play
* works for most users
* some users hitting the reset URL twice
* URL is only valid for the first access (I'm not 100% sure about this, can someone confirm please?)
* URL is only valid for 30 minutes (but is being accessed within a few minutes of generation)
* affected users are mostly using Outlook
* some people tend to double click links in emails but I've verified with a reliable user that they are only clicking the link once
* having the affected person send themselves another reset email and then copy and paste the URL from the mail client usually resolves this problem

And questions
* is this an issue anyone else has noticed with Outlook, doesn't affect ALL Outlook users, just some
* is there a way to prevent the URL from being invalidated on initial access
* is it feasible to change the behavior so that the URL is only invalidated when the password is changed
* any other thoughts on how to avoid this issue?

Thanks and Regards,

Michael Anthon
InfoView Technologies Pty Ltd
12/15 Adelaide St, Brisbane Qld 4000
P O Box 15478, City East, Brisbane Qld 4000
PH: +61 7 3014 2204
F: +61 7 3014 2200
M: +61 408 768 055
michael.anthon at infoview.com.au
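The link semantics Stian describes above (open the reset link as often as you like, submit the new password only once) as an added Python example; this is not Keycloak's code, and the in-memory store, the token format and the 30-minute lifetime are assumptions made for the demo. A mail client or link scanner that fetches the URL twice, as in Michael's Outlook case, no longer burns the link, because only the POST consumes the token.

```python
"""Single-use password-reset tokens that tolerate link prefetching.

Added example, not Keycloak's own implementation. Assumptions: tokens live
in a process-local dict, are random URL-safe strings, and expire 30 minutes
after issue (the validity window mentioned in the thread).
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

LINK_LIFETIME_SECONDS = 30 * 60  # assumed 30-minute validity window


@dataclass
class ResetToken:
    user_id: str
    issued_at: float
    consumed: bool = False


@dataclass
class ResetTokenStore:
    # Keyed by token value; a real deployment would persist this server-side.
    tokens: Dict[str, ResetToken] = field(default_factory=dict)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh, unpredictable token for the user and return it."""
        token = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self.tokens[token] = ResetToken(user_id=user_id, issued_at=issued)
        return token

    def _lookup(self, presented: str, now: float) -> Optional[ResetToken]:
        # Constant-time comparison against each stored token, so response
        # timing does not reveal how much of a guessed token was correct.
        presented_bytes = presented.encode("utf-8")
        for stored, record in self.tokens.items():
            if hmac.compare_digest(stored.encode("utf-8"), presented_bytes):
                if now - record.issued_at > LINK_LIFETIME_SECONDS:
                    return None  # expired: treat exactly like an unknown token
                return record
        return None

    def open_link(self, presented: str, now: Optional[float] = None) -> str:
        """GET handler: validates the token but never consumes it.

        Returns "show-form", "already-used" or "stale-link". Because nothing
        changes state here, a prefetch by a mail scanner is harmless.
        """
        record = self._lookup(presented, time.time() if now is None else now)
        if record is None:
            return "stale-link"
        if record.consumed:
            return "already-used"
        return "show-form"

    def submit(self, presented: str, new_password: str, now: Optional[float] = None) -> str:
        """POST handler: the only place the token is consumed.

        Returns "password-changed", "weak-password" or "rejected". A failed
        password policy check leaves the token valid so the user can retry.
        """
        record = self._lookup(presented, time.time() if now is None else now)
        if record is None or record.consumed:
            return "rejected"
        if len(new_password) < 8:
            return "weak-password"
        record.consumed = True  # second submit with the same link is refused
        return "password-changed"
```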
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From sthorger at redhat.com Fri Feb 12 02:54:29 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 08:54:29 +0100
Subject: [keycloak-user] Extending Themes via SPI
In-Reply-To:
References:
Message-ID:

What are you actually trying to achieve? We mainly support modifying the FreeMarker templates and stylesheets. Beyond that you may in theory be able to re-implement it all to replace FreeMarker with something else, but I don't see why you would want to and it would be a significant amount of work, and also maintenance.

On 12 February 2016 at 07:08, Sarp Kaya wrote:

> Hi all,
>
> In regards to Extending Themes via SPI all I found is this documentation:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
> and
> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450
> I found it a little lacking in detail.
>
> When I implement those two classes, where do I put the new implemented classes? How do I deploy them?
> Can I also use Spring MVC and JSP and a few maven dependencies instead of freemarker?
>
> I also tried to find an example to extend a theme using SPI but there seems to be none.
> It would be really nice if you could provide a sample hello world.
>
> Thank you very much,
> Sarp Kaya

From sthorger at redhat.com Fri Feb 12 02:56:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 08:56:01 +0100
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
In-Reply-To: <56BD8499.4060007@redhat.com>
References: <56BD8499.4060007@redhat.com>
Message-ID:

On 12 February 2016 at 08:07, Marek Posolda wrote:

> The Facebook certificate should be signed by a trusted authority, so it works with the default JDK truststore. At least for me it always works.
>
> Shouldn't the truststore SPI use both the provided file + the default JDK truststore by default? We may have a flag to disable the default JDK truststore, but not sure if it's ever needed. Also shouldn't we rewrite SimpleHTTP to use the Apache HTTP client provided by the HttpClientProvider SPI?
>

+1 To both

SimpleHTTP was only introduced when we were talking about having the social providers as a generic library, but now they aren't there's no point to SimpleHTTP anymore.

>
> Marek
>
> On 11/02/16 15:23, Stian Thorgersen wrote:
>
> Does it work if you don't specify the truststore? That will use the default truststore provided by the JDK.
>
> Also, does your truststore contain the required CA certs? For Facebook to work it'll have to contain the required CAs for their certs
>
> On 11 February 2016 at 14:09, LEONARDO NUNES wrote:
>
>> Hi, I'm getting the error below when I try to login with Facebook.
>> I've followed the instructions at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
>> and
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>>
>> I was able to login with Facebook when trying at localhost. But at our development server we are getting this error.
>>
>> We are using EAP in domain mode.
>>
>> The truststore I placed inside of keycloak-server.json
>> "truststore": {
>>     "file": {
>>         "file": "/home/soa/jboss/ssl/keycloak.jks",
>>         "password": "keycloak123",
>>         "hostname-verification-policy": "ANY",
>>         "disabled": false
>>     }
>> }
>>
>> #######
>>
>> ERRO:
>>
>> 2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] >> Caused by: sun.security.validator.ValidatorException: PKIX path building >> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable >> to find valid certification path to requested target >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) >> [rt.jar:1.8.0_45] >> at >> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) >> [rt.jar:1.8.0_45] >> at sun.security.validator.Validator.validate(Validator.java:260) >> [rt.jar:1.8.0_45] >> at >> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) >> [jsse.jar:1.8.0_45] >> at >> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) >> [jsse.jar:1.8.0_45] >> at >> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) >> [jsse.jar:1.8.0_45] >> at >> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) >> [jsse.jar:1.8.0_45] >> ... 50 more >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: >> unable to find valid certification path to requested target >> at >> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) >> [rt.jar:1.8.0_45] >> at >> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) >> [rt.jar:1.8.0_45] >> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) >> [rt.jar:1.8.0_45] >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) >> [rt.jar:1.8.0_45] >> ... 56 more >> >> >> >> >> >> -- >> Leonardo Nunes >> ------------------------------ >> >> >> *Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se >> voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta mensagem, >> n?o poder? 
usar, copiar ou divulgar as informa??es nela contidas ou tomar >> qualquer a??o baseada nessas informa??es. Se voc? recebeu esta mensagem por >> engano, por favor avise imediatamente o remetente, respondendo o e-mail e >> em seguida apague-o. Agradecemos sua coopera??o. This message may contain >> confidential and/or privileged information. If you are not the addressee or >> authorized to receive this for the addressee, you must not use, copy, >> disclose or take any action based on this message or any information >> herein. If you have received this message in error, please advise the >> sender immediately by reply e-mail and delete this message. Thank you for >> your cooperation* >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > _______________________________________________ > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/b9676438/attachment-0001.html From sthorger at redhat.com Fri Feb 12 02:56:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 12 Feb 2016 08:56:20 +0100 Subject: [keycloak-user] Issues with password reset link expiration In-Reply-To: <9e3ecfb853ce42809eb3db603544d406@HsteqMX04.nexonhosted.local> References: <56BB40F0.1080204@redhat.com> <56BB4614.8090509@redhat.com> <9e3ecfb853ce42809eb3db603544d406@HsteqMX04.nexonhosted.local> Message-ID: Great, thanks for the update On 12 February 2016 at 08:44, Michael Anthon wrote: > We have verified that the behavior is correct in 1.9.0.CR1. 
>
> Cheers,
> Michael
>
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Michael Anthon
> Sent: Thursday, 11 February 2016 2:42 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Issues with password reset link expiration
>
> Thanks for the replies, I forgot to mention we are currently on
> 1.6.1.Final; however, we do have a test setup where we can run an upgrade
> and check this out.
>
> Will try that and report back and/or create a ticket as required.
>
> Cheers,
> Michael
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Thursday, 11 February 2016 12:26 AM
> To: Bill Burke; Michael Anthon <michael.anthon at infoview.com.au>
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Issues with password reset link expiration
>
> Michael,
>
> Can you confirm if this issue still exists on 1.9.0.CR1 and if it does
> create a JIRA issue?
>
> On 10 February 2016 at 15:15, Bill Burke wrote:
>
> I think this may have been fixed in 1.9 with the flow changes I made. I
> don't have time to try it out right now though.
>
> On 2/10/2016 8:58 AM, Stian Thorgersen wrote:
>
> It's not about the error message though. It should be possible to open the
> link multiple times as long as the form is not submitted.
>
> On 10 February 2016 at 14:53, Bill Burke wrote:
>
> We changed the "error" message in I think 1.9? Maybe 1.8 to say "You
> clicked on a stale link. Maybe you have already verified your email?"
> I'll look into improving this I guess.
>
> On 2/10/2016 4:21 AM, Stian Thorgersen wrote:
>
> It should be possible to open the link multiple times, but only submit the
> password reset once. If that's not the case (sounds like it is) feel free
> to create a JIRA issue to report this as a bug.
>
> On 10 February 2016 at 05:24, Michael Anthon <michael.anthon at infoview.com.au> wrote:
>
> We are having issues with some users when they are attempting to use the
> password reset feature. It does work for most users; however, for some they
> always end up at an error page saying "WE'RE SORRY ... An error occurred,
> please login again through your application".
>
> What I have been able to determine so far is that for the affected users
> we are seeing a double hit on that URL in the server logs and, from what I
> understand, these reset URLs are invalidated as soon as they are accessed.
>
> So here's the state of play:
> * works for most users
> * some users hitting the reset URL twice
> * URL is only valid for the first access (I'm not 100% sure about this,
>   can someone confirm please?)
> * URL is only valid for 30 minutes (but is being accessed within a few
>   minutes of generation)
> * affected users are mostly using Outlook
> * some people tend to double click links in emails but I've verified with
>   a reliable user that they are only clicking the link once
> * having the affected person send themselves another reset email and then
>   copy and paste the URL from the mail client usually resolves this problem
>
> And questions:
> * is this an issue anyone else has noticed with Outlook? It doesn't affect
>   ALL Outlook users, just some
> * is there a way to prevent the URL from being invalidated on initial
>   access?
> * is it feasible to change the behavior so that the URL is only
>   invalidated when the password is changed?
> * any other thoughts on how to avoid this issue?
>
> Thanks and Regards,
>
> Michael Anthon
> InfoView Technologies Pty Ltd
> 12/15 Adelaide St, Brisbane Qld 4000
> P O Box 15478, City East, Brisbane Qld 4000
> PH: +61 7 3014 2204
> F: +61 7 3014 2200
> M: +61 408 768 055
> michael.anthon at infoview.com.au
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
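The behaviour Stian describes above (the link may be opened any number of times, only the submitted reset is single-use, and the link is valid for 30 minutes) as a small token store in Python. This is an added example, not Keycloak's own implementation; the names ResetLinkStore, issue, open_form and submit are made up here.

```python
"""Single-use password-reset links that survive mail-client prefetching.

Added example, not Keycloak code. Opening the link (GET) only checks it;
submitting the form (POST) consumes it atomically, exactly once; the link
expires after 30 minutes. The double hit described in the thread (a client
such as Outlook fetching the URL before the user clicks) therefore no
longer burns the link.
"""
import hashlib
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RESET_LINK_TTL = 30 * 60  # seconds; the 30-minute validity from the thread


@dataclass
class ResetRequest:
    user_id: str
    expires_at: float
    consumed: bool = False


class ResetLinkStore:
    """Keeps only a SHA-256 digest of each token, so a leaked store cannot
    be replayed as a link. All names in this class are hypothetical."""

    def __init__(self, on_reset: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._on_reset = on_reset      # called once per successful reset
        self._clock = clock            # injectable for tests
        self._lock = threading.Lock()  # GET and POST may race; serialise them
        self._requests: Dict[bytes, ResetRequest] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create the token for a reset link: the raw token goes into the
        e-mail, only its digest is stored."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._requests[self._digest(token)] = ResetRequest(
                user_id, self._clock() + RESET_LINK_TTL)
        return token

    def _find(self, token: str) -> Optional[ResetRequest]:
        """Caller holds the lock. Returns the live request, or None when the
        token is unknown or already consumed."""
        req = self._requests.get(self._digest(token))
        if req is None or req.consumed:
            return None
        return req

    def open_form(self, token: str) -> str:
        """GET handler: 'ok', 'expired' or 'stale'. Never consumes the token,
        so any number of hits before submission are harmless."""
        with self._lock:
            req = self._find(token)
            if req is None:
                return "stale"
            if self._clock() >= req.expires_at:
                return "expired"
            return "ok"

    def submit(self, token: str, new_password: str) -> str:
        """POST handler: same states as open_form, but a successful call marks
        the token consumed under the lock before the password changes, so a
        second submit (double click, replay) sees 'stale'."""
        with self._lock:
            req = self._find(token)
            if req is None:
                return "stale"
            if self._clock() >= req.expires_at:
                return "expired"
            req.consumed = True
            self._on_reset(req.user_id, new_password)
            return "ok"
```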
From sthorger at redhat.com Fri Feb 12 02:57:13 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 08:57:13 +0100
Subject: [keycloak-user] User-Federation
In-Reply-To: <4B71E2D9-755C-40C4-8C4B-DC516C9CF11E@smartling.com>
References: <81B2EA95-4A60-4992-ADF0-17AD754D1E46@carbonite.com> <4B71E2D9-755C-40C4-8C4B-DC516C9CF11E@smartling.com>
Message-ID:

On 11 February 2016 at 17:51, Scott Rossillo wrote:
> Hi,
>
> The example omits securing the endpoints for simplicity in demonstrating
> the concepts. I'd suggest using some type of security on the legacy
> system, though, if the endpoints are publicly accessible.
> There's this thing called Keycloak that may be useful for that ;)
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Feb 11, 2016, at 9:35 AM, Reed Lewis wrote:
>
> The endpoint that is used by the federation provider is only called from
> Keycloak, so you can run it on localhost on the Keycloak machine if that is
> going to work for you.
>
> OTOH, if you need to run it on a different machine, you can lock down the
> endpoint to only be accessible from the Keycloak server.
>
> End users never call the endpoint I documented.
>
> Reed
>
> From: on behalf of Renann Prado <prado.renann at gmail.com>
> Date: Thursday, February 11, 2016 at 8:17 AM
> To: Reed Lewis
> Cc: "keycloak-user at lists.jboss.org", Stuart Jacobs
> Subject: Re: [keycloak-user] User-Federation
>
> Everyone*
> On Feb 11, 2016 11:16, "Renann Prado" wrote:
>
>> Is there any recommended way to make sure these endpoints won't be
>> spammed by an attacker? Looks like these endpoints need to be open to
>> anyone.
>>
>> Thanks
>> On Feb 3, 2016 11:18, "Reed Lewis" wrote:
>>
>>> If you use the federation provider listed here:
>>>
>>> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
>>> [1]: https://github.com/Smartling/keycloak-user-migration-provider
>>>
>>> You can specify a URL that will be called when a user needs to be
>>> validated.
>>>
>>> There are three requests that need to be implemented in your server.
>>>
>>> GET /api/users//
>>> If the user exists, it should return a 200 with a JSON object with the
>>> return type "application/json" with the following fields:
>>> username
>>> email
>>> emailVerified
>>> firstName
>>> lastName
>>> roles ["user"]
>>>
>>> If the user does not exist, return a 404.
>>>
>>> HEAD /api/users//
>>> Always return 200.
>>>
>>> POST /api/users//
>>> The password is posted to you in a JSON object.
>>> Return 200 if the password is OK, 401 if not. In both cases return no
>>> data.
>>>
>>> I wrote a small Python module which implements these methods which works
>>> quite well.
>>>
>>> Reed
>>>
>>> From: on behalf of Stuart Jacobs
>>> Date: Wednesday, February 3, 2016 at 2:40 AM
>>> To: "keycloak-user at lists.jboss.org"
>>> Subject: [keycloak-user] User-Federation
>>>
>>> Hi Everyone,
>>>
>>> I have an application that runs on a PostgreSQL database. Keycloak has
>>> been configured and has created all the required tables/columns in my
>>> schema using Liquibase on start up of the Keycloak server.
>>>
>>> I need to authenticate users using the project's existing user table,
>>> obtaining the username and password from this table.
>>>
>>> I have had a look at the federation provider project under the example
>>> projects but this still eludes me as to how I change the Keycloak mapping
>>> to use my own tables in Postgres.
>>>
>>> Can someone please point me in the right direction, or if someone has
>>> implemented such a solution please share how you have done it?
>>>
>>> Thanks everyone.
>>>
>>> Regards,
>>> Stuart Jacobs
>>>
>>> www.symbiotics.co.za
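The three requests Reed describes (GET returning the user record or 404, HEAD always 200, POST verifying a password with 200/401 and no body) as a minimal legacy-system endpoint in Python. This is an added example, not Reed's module and not the Smartling provider's code. Because the archived mail stripped the path placeholder and the body field name, it assumes the path is /api/users/<username>/ and the POST body is {"password": "..."}; following the thread's advice to keep the endpoint reachable only by Keycloak, it binds to loopback and requires a shared-secret header whose name, X-Migration-Secret, is chosen here.

```python
"""Legacy-system endpoint for the Smartling user migration provider.

Added example, not Reed's Python module and not the provider's own code.
It follows the contract Reed describes: GET returns the user record as
application/json or 404, HEAD always answers 200, POST checks a password
and answers 200 or 401 with no body. Assumptions, because the archived
mail stripped the placeholders: the path is /api/users/<username>/ and
the POST body is {"password": "..."}. The X-Migration-Secret header and
the loopback bind are this example's way of keeping the endpoint private
to Keycloak, as the thread recommends.
"""
import hashlib
import hmac
import json
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, Mapping, Optional, Tuple

SHARED_SECRET = os.environ.get("MIGRATION_SECRET", "change-me-before-deploying")
USER_PATH = re.compile(r"^/api/users/([^/]+)/?$")
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed sample "legacy" user table. Only salted PBKDF2 digests are kept,
# never plaintext passwords; a real system reads these from its own database.
LEGACY_USERS: Dict[str, Dict[str, Any]] = {
    "alice": {
        "email": "alice@example.com", "emailVerified": True,
        "firstName": "Alice", "lastName": "Example", "roles": ["user"],
        "salt": b"constructed-salt-for-alice",
        "pw_hash": hash_password("correct horse", b"constructed-salt-for-alice"),
    },
}

Response = Tuple[int, Optional[Dict[str, Any]]]


def handle_request(method: str, path: str, headers: Mapping[str, str],
                   body: bytes = b"") -> Response:
    """Pure request handler, kept apart from the socket code so it can be
    tested: returns (status, JSON-serialisable body or None)."""
    presented = headers.get("X-Migration-Secret", "")
    # Constant-time compare: this secret is what keeps an exposed endpoint
    # from becoming an online password-guessing oracle.
    if not hmac.compare_digest(presented.encode("utf-8"), SHARED_SECRET.encode("utf-8")):
        return 403, None
    match = USER_PATH.match(path)
    if match is None:
        return 404, None
    username = match.group(1)
    user = LEGACY_USERS.get(username)

    if method == "HEAD":
        return 200, None                      # "Always return 200"
    if method == "GET":
        if user is None:
            return 404, None
        return 200, {
            "username": username, "email": user["email"],
            "emailVerified": user["emailVerified"], "firstName": user["firstName"],
            "lastName": user["lastName"], "roles": user["roles"],
        }
    if method == "POST":
        try:
            password = json.loads(body or b"{}").get("password")
        except (ValueError, AttributeError):   # not JSON, or not a JSON object
            password = None
        if user is None or not isinstance(password, str):
            return 401, None
        ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
        return (200 if ok else 401), None
    return 405, None


class MigrationHandler(BaseHTTPRequestHandler):
    def _serve(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        status, payload = handle_request(self.command, self.path, self.headers, body)
        data = json.dumps(payload).encode("utf-8") if payload is not None else b""
        self.send_response(status)
        if data:
            self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(data)

    do_GET = do_HEAD = do_POST = _serve


if __name__ == "__main__":
    # Loopback only, as Reed suggests when the service runs on the Keycloak host.
    HTTPServer(("127.0.0.1", 8080), MigrationHandler).serve_forever()
```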
From sthorger at redhat.com Fri Feb 12 02:58:13 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 08:58:13 +0100
Subject: [keycloak-user] Device tokens with keycloak
In-Reply-To:
References:
Message-ID:

We don't have anything specific with regards to device tokens. We have
offline tokens for users as well as service accounts; that may cover your
needs. Can you explain your use-case and what you are actually after?

On 11 February 2016 at 00:01, Riddhi Rathod wrote:
> Does Keycloak have the ability to provide "device" tokens in addition to
> the user tokens?
>
> I found a discussion link on device registration:
> http://lists.jboss.org/pipermail/keycloak-dev/2014-January/001116.html .
> However, I wanted to know whether or not this feature is supported now?
>
> Thank you,
> Riddhi Rathod

From akaya at expedia.com Fri Feb 12 03:15:02 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Fri, 12 Feb 2016 08:15:02 +0000
Subject: [keycloak-user] Extending Themes via SPI
In-Reply-To:
References:
Message-ID:

We have internal front end libraries that work with JSP only. From the
sounds of SPI, I thought that I could use JSP and our internal libraries
instead of FreeMarker templates. Also because our JSP login screen is
almost ready it wouldn't take much time to just deploy it (that's what I
thought).
From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, February 12, 2016 at 5:54 PM
To: Abdullah Sarp Kaya
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Extending Themes via SPI

What are you actually trying to achieve? We mainly support modifying the
FreeMarker templates and stylesheets. Beyond that you may in theory be able
to re-implement it all to replace FreeMarker with something else, but I
don't see why you would want to, and it would be a significant amount of
work, and also maintenance.

On 12 February 2016 at 07:08, Sarp Kaya wrote:

Hi all,

In regards to Extending Themes via SPI, all I found is this documentation:
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450
I found it a little less describing.

When I implement those two classes, where do I put the new implemented
classes? How do I deploy them? Can I also use Spring MVC and JSP and a few
Maven dependencies instead of FreeMarker?

I also tried to find an example to extend a theme using SPI but there seems
to be none. It would be really nice if you could provide a sample hello
world.

Thank you very much,
Sarp Kaya

From sthorger at redhat.com Fri Feb 12 03:29:37 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 09:29:37 +0100
Subject: [keycloak-user] Extending Themes via SPI
In-Reply-To:
References:
Message-ID:

There's a lot more to the login on Keycloak than a simple JSP page used for
JEE form-based authentication. We have user registration, password
recovery, OTP support, remember me, etc.
Take the look and feel (stylesheet) of your JSP login screen and apply it
to Keycloak with a custom theme. That's the simplest, quickest and best
option.

On 12 February 2016 at 09:15, Sarp Kaya wrote:
>
> We have internal front end libraries that work with JSP only. From the
> sounds of SPI, I thought that I could use JSP and our internal libraries
> instead of FreeMarker templates. Also because our JSP login screen is
> almost ready it wouldn't take much time to just deploy it (that's what I
> thought).
>
> [...]
From akaya at expedia.com Fri Feb 12 03:47:40 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Fri, 12 Feb 2016 08:47:40 +0000
Subject: [keycloak-user] Extending Themes via SPI
In-Reply-To:
References:
Message-ID:

Okay, but what you are saying is done directly on the Keycloak source code,
which is then built and deployed, rather than extending classes and then
deploying directly to a Keycloak instance?

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, February 12, 2016 at 6:29 PM
To: Abdullah Sarp Kaya
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Extending Themes via SPI

There's a lot more to the login on Keycloak than a simple JSP page used for
JEE form-based authentication. We have user registration, password
recovery, OTP support, remember me, etc.

Take the look and feel (stylesheet) of your JSP login screen and apply it
to Keycloak with a custom theme. That's the simplest, quickest and best
option.

On 12 February 2016 at 09:15, Sarp Kaya wrote:
[...]
From sthorger at redhat.com Fri Feb 12 03:53:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 09:53:56 +0100
Subject: [keycloak-user] Extending Themes via SPI
In-Reply-To:
References:
Message-ID:

No, you can create a theme that contains stylesheets and FreeMarker
templates (if you need to change those) and deploy it to Keycloak. Please
read http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html
and take a look at the themes examples in our examples download.

On 12 February 2016 at 09:47, Sarp Kaya wrote:
> Okay, but what you are saying is done directly on the Keycloak source code,
> which is then built and deployed, rather than extending classes and then
> deploying directly to a Keycloak instance?
>
> [...]
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/dd16d2fc/attachment.html From mstrukel at redhat.com Fri Feb 12 04:04:04 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 12 Feb 2016 10:04:04 +0100 Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException In-Reply-To: <56BD8499.4060007@redhat.com> References: <56BD8499.4060007@redhat.com> Message-ID: When using 'truststore' provider it is up to you to make sure to include all the certificates you trust. Configuration via -Djavax.net.ssl.trustStore works the same - no automatic inclusion of cacerts. But it sounds like a good usability feature to add a flag that would automatically include cacerts as well. The problem is - it happens occasionally that some CAs turn out not to be trustworthy, and blindly importing all cacerts exposes you to that risk. One detail to emphasize, with third party not-self-signed certificates it's important to include the CA certificate used to create the specific server certificate, rather than the server certificate itself. Facebook servers use different short-lived server certificates - and with two consecutive requests you may be presented with two different server certificates - but they are all issued by the same long-lived trusted CA. On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda wrote: > Facebook certificate should be signed by trusted authority, so it works with > default JDK truststore. At least for me it always works. > > Shouldn't truststore SPI use both provided file + default JDK truststore by > default? We may have flag to disable default JDK truststore, but not sure if > it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP > client provided by HttpClientProvider SPI? > > Marek > > > On 11/02/16 15:23, Stian Thorgersen wrote: > > Does it work if you don't specify the truststore? That will use the default > truststore provided by the JDK. 
>
> Also, does your truststore contain the required CA certs? For Facebook to
> work it'll have to contain the required CAs for their certs.
>
> On 11 February 2016 at 14:09, LEONARDO NUNES wrote:
>>
>> Hi, I'm getting the error below when I try to login with Facebook.
>> I've followed the instructions at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
>> and
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>>
>> I was able to login with Facebook when trying at localhost. But at our
>> development server we are getting this error.
>>
>> We are using EAP in domain mode.
>>
>> The truststore I placed inside of keycloak-server.json:
>>
>> "truststore": {
>>     "file": {
>>         "file": "/home/soa/jboss/ssl/keycloak.jks",
>>         "password": "keycloak123",
>>         "hostname-verification-policy": "ANY",
>>         "disabled": false
>>     }
>> }
>>
>> #######
>>
>> ERROR:
>>
>> 2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_45]
>>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [rt.jar:1.8.0_45]
>>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_45]
>>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) [rt.jar:1.8.0_45]
>>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) [rt.jar:1.8.0_45]
>>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) [rt.jar:1.8.0_45]
>>     at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
>>     at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
>>     at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
>>     at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
>>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45]
>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.8.0_45]
>>     at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]
>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_45]
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [jsse.jar:1.8.0_45]
>>     ... 50 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [rt.jar:1.8.0_45]
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [rt.jar:1.8.0_45]
>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]
>>     ... 56 more
>>
>> --
>> Leonardo Nunes
>> ________________________________
>> This message may contain confidential and/or privileged information. If
>> you are not the addressee or authorized to receive this for the addressee,
>> you must not use, copy, disclose or take any action based on this message or
>> any information herein. If you have received this message in error, please
>> advise the sender immediately by reply e-mail and delete this message.
>> Thank you for your cooperation.

From sthorger at redhat.com Fri Feb 12 04:43:18 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 10:43:18 +0100
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
In-Reply-To:
References: <56BD8499.4060007@redhat.com>
Message-ID:

On 12 February 2016 at 10:04, Marko Strukelj wrote:

> When using the 'truststore' provider it is up to you to make sure to
> include all the certificates you trust. Configuration via
> -Djavax.net.ssl.trustStore works the same - no automatic inclusion of
> cacerts. But it sounds like a good usability feature to add a flag
> that would automatically include cacerts as well. The problem is - it
> happens occasionally that some CAs turn out not to be trustworthy, and
> blindly importing all cacerts exposes you to that risk.
>

How about having a flag that is enabled by default that includes cacerts from Java? I'd actually think that updates to CA certs are more likely to happen by updating Java than by manually maintaining a truststore.

> One detail to emphasize: with third-party, not self-signed certificates
> it's important to include the CA certificate used to create the
> specific server certificate, rather than the server certificate
> itself.
> Facebook servers use different short-lived server certificates
> - and with two consecutive requests you may be presented with two
> different server certificates - but they are all issued by the same
> long-lived trusted CA.
>
> On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda wrote:
> > Facebook certificate should be signed by a trusted authority, so it works
> > with the default JDK truststore. At least for me it always works.
> >
> > Shouldn't the truststore SPI use both the provided file + the default JDK
> > truststore by default? We may have a flag to disable the default JDK
> > truststore, but not sure if it's ever needed. Also shouldn't we rewrite
> > SimpleHTTP to use the Apache HTTP client provided by the HttpClientProvider SPI?
> >
> > Marek
> >
> >
> > On 11/02/16 15:23, Stian Thorgersen wrote:
> >
> > Does it work if you don't specify the truststore? That will use the
> > default truststore provided by the JDK.
> >
> > Also, does your truststore contain the required CA certs? For Facebook to
> > work it'll have to contain the required CAs for their certs.
> >
> > On 11 February 2016 at 14:09, LEONARDO NUNES wrote:
> >>
> >> Hi, I'm getting the error below when I try to login with Facebook.
> >> I've followed the instructions at
> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
> >> and
> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
> >>
> >> I was able to login with Facebook when trying at localhost. But at our
> >> development server we are getting this error.
> >>
> >> We are using EAP in domain mode.
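The rotation Marko describes above (two consecutive requests, two different server certificates, one long-lived CA) as an added example that is not part of the thread and not Keycloak code: a Go program that uses crypto/x509 as a stand-in for the JDK's PKIX validator, generates a constructed CA plus two short-lived server certificates in memory, and shows that a truststore holding the server certificate stops working after the rotation while one holding the issuing CA keeps working. The CA name, hostname and serial numbers are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host is the hypothetical identity-provider hostname used by the constructed certificates.
const Host = "graph.example.test"

// TestPKI is a constructed, in-memory stand-in for a public CA and the short-lived
// server certificates it issues; the CA name, hostname and serial numbers are made up.
type TestPKI struct {
	CA    *x509.Certificate // long-lived issuing CA: this is what belongs in the truststore
	Leaf1 *x509.Certificate // server certificate presented on the first request
	Leaf2 *x509.Certificate // different server certificate presented after rotation
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// NewTestPKI generates one CA and two distinct leaf certificates for the same hostname,
// both signed by that CA, which is exactly the rotation described in the thread.
func NewTestPKI() TestPKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	newLeaf := func(serial int64) *x509.Certificate {
		leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: Host},
			DNSNames:     []string{Host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(48 * time.Hour), // short-lived, like the rotating server certs
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return mustCert(tmpl, ca, &leafKey.PublicKey, caKey)
	}
	return TestPKI{CA: ca, Leaf1: newLeaf(1001), Leaf2: newLeaf(1002)}
}

// TruststoreOf holds exactly the given certificates: the equivalent of a JKS file
// filled with one keytool -importcert per certificate and nothing else (no cacerts).
func TruststoreOf(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// VerifyServerCert does what the JDK's PKIX validator does during the handshake: build a
// path from the presented server certificate to a root in the truststore, then check the
// hostname (the step that "hostname-verification-policy": "ANY" in the thread's config skips).
func VerifyServerCert(leaf *x509.Certificate, truststore *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     truststore,
		DNSName:   Host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	pki := NewTestPKI()
	for name, ts := range map[string]*x509.CertPool{"server cert imported": TruststoreOf(pki.Leaf1), "issuing CA imported": TruststoreOf(pki.CA)} {
		fmt.Printf("%s: first request ok=%v, after rotation ok=%v\n", name, VerifyServerCert(pki.Leaf1, ts) == nil, VerifyServerCert(pki.Leaf2, ts) == nil)
	}
}
```

The failing case returns an unknown-authority error, which is the Go counterpart of the "unable to find valid certification path to requested target" in Leonardo's trace.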
From akaya at expedia.com Fri Feb 12 05:20:46 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Fri, 12 Feb 2016 10:20:46 +0000
Subject: [keycloak-user] Extending Themes via SPI
In-Reply-To:
References:
Message-ID:

Hi Stian,

I understand that I can create a theme using FreeMarker, but my question was, if I were to create a theme using JSP instead of FreeMarker, then do I have to change Keycloak's source code?

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, February 12, 2016 at 6:53 PM
To: Abdullah Sarp Kaya
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Extending Themes via SPI

No, you can create a theme that contains stylesheets and FreeMarker templates (if you need to change those) and deploy it to Keycloak. Please read http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html and take a look at the themes examples in our examples download.

On 12 February 2016 at 09:47, Sarp Kaya wrote:

Okay, but what you are saying is done directly on the Keycloak source code, which is then built and deployed, rather than extending classes and then deploying directly to a Keycloak instance?

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, February 12, 2016 at 6:29 PM
To: Abdullah Sarp Kaya
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Extending Themes via SPI

There's a lot more to the login on Keycloak than a simple JSP page used for JEE form-based authentication. We have user registration, password recovery, OTP support, remember me, etc., etc.

Take the look and feel (stylesheet) of your JSP login screen and apply it to Keycloak with a custom theme. That's the simplest, quickest and best option.

On 12 February 2016 at 09:15, Sarp Kaya wrote:

We have internal front-end libraries that work with JSP only.
From the sounds of SPI, I thought that I could use JSP and our internal libraries instead of FreeMarker templates. Also, because our JSP login screen is almost ready, it wouldn't take much time to just deploy it (that's what I thought).

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, February 12, 2016 at 5:54 PM
To: Abdullah Sarp Kaya
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Extending Themes via SPI

What are you actually trying to achieve? We mainly support modifying the FreeMarker templates and stylesheets. Beyond that you may in theory be able to re-implement it all to replace FreeMarker with something else, but I don't see why you would want to and it would be a significant amount of work, and also maintenance.

On 12 February 2016 at 07:08, Sarp Kaya wrote:

Hi all,

In regards to Extending Themes via SPI all I found is this documentation:
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
and
http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450
I found it a little less describing.

When I implement those two classes, where do I put the new implemented classes? How do I deploy them?
Can I also use Spring MVC and JSP and a few Maven dependencies instead of FreeMarker?

I also tried to find an example to extend theme using SPI but there seems to be none. It would be really nice if you could provide a sample hello world.

Thank you very much,
Sarp Kaya
From sthorger at redhat.com Fri Feb 12 05:28:08 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 12 Feb 2016 11:28:08 +0100
Subject: [keycloak-user] Extending Themes via SPI
In-Reply-To:
References:
Message-ID:

I strongly recommend against going down the JSP route, and we do not have time to provide you with help on doing so. You have nothing to gain, only a lot of work and headaches. That being said, the SPI is there and you can rip out our FreeMarker implementation if you so please. As it's an SPI you do not need to modify Keycloak source code; instead you create your own provider implementation of the SPI. Take a look at the providers section of the documentation for more information. Most likely you won't even need to touch the FreeMarker templates and you can accommodate the changes you need purely with stylesheets.

On 12 February 2016 at 11:20, Sarp Kaya wrote:

> Hi Stian,
>
> I understand that I can create a theme using FreeMarker, but my question
> was, if I were to create a theme using JSP instead of FreeMarker, then do
> I have to change Keycloak's source code?
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Friday, February 12, 2016 at 6:53 PM
> To: Abdullah Sarp Kaya
> Cc: "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Extending Themes via SPI
>
> No, you can create a theme that contains stylesheets and FreeMarker
> templates (if you need to change those) and deploy it to Keycloak. Please
> read
> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html
> and take a look at the themes examples in our examples download.
>
> On 12 February 2016 at 09:47, Sarp Kaya wrote:
>
>> Okay, but what you are saying is done directly on the Keycloak source code,
>> which is then built and deployed, rather than extending classes and then
>> deploying directly to a Keycloak instance?
>> >> From: Stian Thorgersen >> Reply-To: "stian at redhat.com" >> Date: Friday, February 12, 2016 at 6:29 PM >> >> To: Abdullah Sarp Kaya >> Cc: "keycloak-user at lists.jboss.org" >> Subject: Re: [keycloak-user] Extending Themes via SPI >> >> There's a lot more to the login on Keycloak than a simple JSP page used >> for JEE form-based authentication. We have user registration, password >> recovery, OTP support, remember me, etc, etc.. >> >> Take the look and feel (stylesheet) of your JSP login screen and apply it >> to Keycloak with a custom theme. That's the simplest, quickest and best >> option. >> >> On 12 February 2016 at 09:15, Sarp Kaya wrote: >> >>> >>> We have internal front end libraries that works with JSP only. From the >>> sounds of SPI, I thought that I could use JSP and our internal libraries >>> instead of FreeMarker templates. Also because our JSP login screen is >>> almost ready it wouldn?t take much time to just deploy it (that?s what I >>> thought). >>> >>> From: Stian Thorgersen >>> Reply-To: "stian at redhat.com" >>> Date: Friday, February 12, 2016 at 5:54 PM >>> To: Abdullah Sarp Kaya >>> Cc: "keycloak-user at lists.jboss.org" >>> Subject: Re: [keycloak-user] Extending Themes via SPI >>> >>> What are you actually trying to achieve? We mainly support modifying the >>> FreeMarker templates and stylesheets. Beyond that you may in theory be able >>> to re-implement it all to replace FreeMarker with something else, but I >>> don't see why you would want to and it would be a significant amount of >>> work, and also maintenance. >>> >>> On 12 February 2016 at 07:08, Sarp Kaya wrote: >>> >>>> Hi all, >>>> >>>> In regards to Extending Themes via SPI all I found is this >>>> documentation: >>>> >>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html >>>> and >>>> >>>> >>>> >>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450 >>>> I found it a little less describing. 
>>>>
>>>> When I implement those two classes, where do I put the new implemented classes? How do I deploy them?
>>>> Can I also use Spring MVC and JSP and a few Maven dependencies instead of FreeMarker?
>>>>
>>>> I also tried to find an example to extend a theme using SPI but there seems to be none. It would be really nice if you could provide a sample hello world.
>>>>
>>>> Thank you very much,
>>>> Sarp Kaya
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Fri Feb 12 05:44:31 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Fri, 12 Feb 2016 11:44:31 +0100
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
In-Reply-To:
References: <56BD8499.4060007@redhat.com>
Message-ID:

We could add such a flag, don't know how hard it would be to implement.

In principle I agree about CA cert updates. But they are many, and for your customized truststore you may add only a few, and for big-name services. If CAs are revoked, then your integration will stop working as those services will start using new certs that you don't have in your truststore. It's quite unlikely OTOH to notice one of the 100 trusted-by-default CAs that you never connect to, that can one day be used to forge a certificate for one of the services that you do use - that one you won't notice until you update Java.
From leo.nunes at gjccorp.com.br Fri Feb 12 05:47:26 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Fri, 12 Feb 2016 10:47:26 +0000
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
In-Reply-To:
Message-ID:

Stian, at our EAP init opts we have the -Djavax.net.ssl.trustStore= pointing to a .jks file that has a certificate for the hosts of our domain to communicate.
If I don't specify the -Djavax.net.ssl.trustStore= then Facebook login works fine with the one provided by the JDK.
I tried to find out which are the required CAs for Facebook, so I could add them to my truststore, but I couldn't find them. Could you please help me with that?
I added a valid certificate to our truststore and still get the same error.

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Thursday, 11 February 2016 12:23
To: Leonardo Nunes
Cc: "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException

Does it work if you don't specify the truststore? That will use the default truststore provided by the JDK.

Also, does your truststore contain the required CA certs? For Facebook to work it'll have to contain the required CAs for their certs

On 11 February 2016 at 14:09, LEONARDO NUNES wrote:
Hi, I'm getting the error below when I try to login with Facebook.
I've followed the instructions at http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore and http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337

I was able to login with Facebook when trying at localhost. But at our development server we are getting this error.

We are using EAP in domain mode.
The truststore I placed inside of keycloak-server.json:

"truststore": {
    "file": {
        "file": "/home/soa/jboss/ssl/keycloak.jks",
        "password": "keycloak123",
        "hostname-verification-policy": "ANY",
        "disabled": false
    }
}

#######

ERROR:

2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) [jsse.jar:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) [jsse.jar:1.8.0_45]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_45]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [rt.jar:1.8.0_45]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_45]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) [rt.jar:1.8.0_45]
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) [rt.jar:1.8.0_45]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) [rt.jar:1.8.0_45]
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
    at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
    at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.8.0_45]
    at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_45]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_45]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_45]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [jsse.jar:1.8.0_45]
    ... 50 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [rt.jar:1.8.0_45]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [rt.jar:1.8.0_45]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]
    ... 56 more

--
Leonardo Nunes
________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation
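The thread's diagnosis, as an added example that is not Keycloak or JDK code: a custom truststore holding a copy of the server certificate validates only that exact certificate, the issuing CA validates every rotated server certificate, and a truststore without that CA fails path building exactly where the log above fails. It is written in Go with the standard library's crypto/x509 standing in for the JDK's PKIXValidator, and it builds its own constructed CA and hostname (graph.example.test) instead of touching real Facebook certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed test PKI (not a real CA): one long-lived root plus short-lived
// server certificates it issues, like a service that rotates its server cert.
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string) (*testCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &testCA{cert: cert, key: key}, nil
}

// issueLeaf mints a short-lived server certificate for host with a fresh key,
// so each call yields a different certificate signed by the same CA.
func (ca *testCA) issueLeaf(host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPath tries to build a certification path from leaf to one of the
// trusted certificates, the step Java's PKIXValidator.doBuild performs; the
// trusted slice stands in for the configured truststore (empty = CA missing).
func buildPath(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// unknownAuthority reports whether err is the Go counterpart of Java's
// "unable to find valid certification path to requested target".
func unknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	ca, err := newCA("Constructed Test Root CA")
	if err != nil {
		panic(err)
	}
	const host = "graph.example.test" // constructed hostname
	first, _ := ca.issueLeaf(host, 1001)  // certificate presented on request 1
	second, _ := ca.issueLeaf(host, 1002) // rotated certificate on request 2
	fmt.Println("pinned server cert vs rotated cert:", buildPath(second, host, first))
	fmt.Println("issuing CA trusted vs rotated cert: ", buildPath(second, host, ca.cert))
}
```

For a JKS truststore the same rule means importing the CA's certificate with keytool -importcert, not the server's leaf certificate.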
From leo.nunes at gjccorp.com.br Fri Feb 12 05:49:26 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Fri, 12 Feb 2016 10:49:26 +0000
Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
In-Reply-To:
Message-ID:

+1 to include cacerts from Java by default.

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, 12 February 2016 07:43
To: Marko Strukelj
Cc: Marek Posolda, Leonardo Nunes, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException

On 12 February 2016 at 10:04, Marko Strukelj wrote:
When using 'truststore' provider it is up to you to make sure to include all the certificates you trust. Configuration via -Djavax.net.ssl.trustStore works the same - no automatic inclusion of cacerts.

But it sounds like a good usability feature to add a flag that would automatically include cacerts as well. The problem is - it happens occasionally that some CAs turn out not to be trustworthy, and blindly importing all cacerts exposes you to that risk.

How about having a flag that is enabled by default that includes cacerts from Java? I'd actually think that updates to CA certs are more likely going to happen by updating Java rather than by manually maintaining a truststore.

One detail to emphasize, with third party not-self-signed certificates it's important to include the CA certificate used to create the specific server certificate, rather than the server certificate itself. Facebook servers use different short-lived server certificates - and with two consecutive requests you may be presented with two different server certificates - but they are all issued by the same long-lived trusted CA.

On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda wrote:
> Facebook certificate should be signed by trusted authority, so it works with default JDK truststore. At least for me it always works.
>
> Shouldn't truststore SPI use both provided file + default JDK truststore by default? We may have flag to disable default JDK truststore, but not sure if it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP client provided by HttpClientProvider SPI?
>
> Marek
>
> On 11/02/16 15:23, Stian Thorgersen wrote:
>
> Does it work if you don't specify the truststore? That will use the default truststore provided by the JDK.
>
> Also, does your truststore contain the required CA certs? For Facebook to work it'll have to contain the required CAs for their certs
>
> On 11 February 2016 at 14:09, LEONARDO NUNES wrote:
>>
>> Hi, I'm getting the error below when I try to login with Facebook.
>> I've followed the instructions at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore
>> and
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337
>>
>> I was able to login with Facebook when trying at localhost. But at our development server we are getting this error.
>>
>> We are using EAP in domain mode.

From kga.official at gmail.com Fri Feb 12 06:43:10 2016
From: kga.official at gmail.com (Akshay Kini)
Date: Fri, 12 Feb 2016 17:13:10 +0530
Subject: [keycloak-user] Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions.
In-Reply-To:
References:
Message-ID:

Hi Bill,

Thanks for looking into this. The use case is: Keycloak is an SP and it is sending an AuthnRequest via HTTP POST. This AuthnRequest is always using RSA-SHA1 for signing.

I have configured the Keycloak config file as follows:

In fact the SP element doesn't have the "signatureAlgorithm" documented anywhere in the SAML Client Adapter Reference Guide (it only exists for the IDP).
Now this is a bit of unfamiliar territory for me, but I looked into the Keycloak code base (master): I see that org.keycloak.adapters.saml.config.parsers.SPXmlParser doesn't deal with ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while the IDPXmlParser does.

Again, thanks for looking into this.

P.S. Sorry to all the mailing list subscribers, this "chain" might get broken despite me changing the subject. I am not sure how to fix that when using Gmail and subscribing to a digest mailing list. Please send a direct e-mail to me if you know how to fix that.

Thanks,
Regards,
Akshay

On Thu, Feb 11, 2016 at 7:36 PM, wrote:
> Send keycloak-user mailing list submissions to
> keycloak-user at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
> keycloak-user-request at lists.jboss.org
>
> You can reach the person managing the list at
> keycloak-user-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
> 1. Re: User-Federation (Renann Prado)
> 2. Re: User-Federation (Renann Prado)
> 3. Re: Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions. (Bill Burke)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 11 Feb 2016 11:16:29 -0200
> From: Renann Prado
> Subject: Re: [keycloak-user] User-Federation
> To: Reed Lewis
> Cc: keycloak-user at lists.jboss.org
> Message-ID: E9wQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Is there any recommended way to make sure these endpoints won't be spammed by an attacker? Looks like these endpoints need to be open to anyone.
>
> Thanks
> On Feb 3, 2016 11:18, "Reed Lewis" wrote:
>
> > If you use the federation provider listed here:
> >
> > [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
> > [1]: https://github.com/Smartling/keycloak-user-migration-provider
> >
> > You can specify a URL that will be called when a user needs to be validated.
> >
> > There are three requests that need to be implemented in your server.
> >
> > GET /api/users//
> > If the user exists, it should return a 200 with a json object with the return type "application/json" with the following fields:
> >   username
> >   email
> >   emailVerified
> >   firstName
> >   lastName
> >   roles ["user"]
> >
> > If the user does not exist, return a 404
> >
> > HEAD /api/users//
> > Always return 200
> >
> > POST /api/users//
> > The password is posted to you in a json object.
> > Return 200 if the password is OK, 401 if not. In both cases return no data.
> >
> > I wrote a small python module which implements these methods which works quite well.
> >
> > Reed
> >
> > From: on behalf of Stuart Jacobs <stuart.jacobs at symbiotics.co.za>
> > Date: Wednesday, February 3, 2016 at 2:40 AM
> > To: "keycloak-user at lists.jboss.org"
> > Subject: [keycloak-user] User-Federation
> >
> > Hi Everyone,
> >
> > I have an application that runs on a PostgreSQL database; Keycloak has been configured and has created all the required tables/columns in my schema using Liquibase on start up of the Keycloak server.
> >
> > I need to authenticate users using the project's existing user table, obtaining the username and password from this table.
> >
> > I have had a look at the federation provider project under the example projects but this still eludes me as to how I change the Keycloak mapping to use my own tables in Postgres?
> >
> > Can someone please point me in the right direction or if someone has implemented such a solution please share how you have done it?
> >
> > Thanks everyone.
> > > > Regards, > > Stuart Jacobs > > > > > > > > > > > > > > > > www.symbiotics.co.za > > > > > ******************************************************************************** > > This email and any accompanying attachments may contain confidential and > > proprietary information. This information is private and protected by law > > and, accordingly, if you are not the intended recipient, you are > requested > > to delete this entire communication immediately and are notified that any > > disclosure, copying or distribution of or taking any action based on this > > information is prohibited. > > > > Emails cannot be guaranteed to be secure or free of errors or viruses. > The > > sender does not accept any liability or responsibility for any > > interception, corruption, destruction, loss, late arrival or > incompleteness > > of or tampering or interference with any of the information contained in > > this email or for its incorrect delivery or non-delivery for whatsoever > > reason or for its effect on any electronic device of the recipient. > > > > > ******************************************************************************** > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- > An HTML attachment was scrubbed... 
> URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/d777c2bf/attachment-0001.html > > ------------------------------ > > Message: 2 > Date: Thu, 11 Feb 2016 11:17:14 -0200 > From: Renann Prado > Subject: Re: [keycloak-user] User-Federation > To: Reed Lewis > Cc: keycloak-user at lists.jboss.org > Message-ID: > T7chbrkKeWsfAbNvC2tidKdhZw at mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > Everyone* > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/6164ad32/attachment-0001.html > > ------------------------------ > > Message: 3 > Date: Thu, 11 Feb 2016 09:06:49 -0500 > From: Bill Burke > Subject: Re: [keycloak-user] Keycloak as a SAML SP: Is it possible to > configure Keycloak to use RSA-SHA256 as the algorithm to sign > assertions. > To: keycloak-user at lists.jboss.org > Message-ID: <56BC9579.8080102 at redhat.com> > Content-Type: text/plain; charset="windows-1252" > > Where? Keycloak Saml SP? Keycloak Server interaction with an > app/client? Or Keycloak Server acting as an SP in a broker scenario? > > They all *should* support plugging in the algorithm. Did you configure > this correctly? > > On 2/11/2016 6:29 AM, Akshay Kini wrote: > > Hi Folks, > > > > We are using Keycloak as a SAML SP. > > > > I notice that SAML Assertions are signed using rsa-sha1, could we > > configure it to use RSA-SHA256? 
> > > > Thanks, > > Regards, > > Akshay > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/573d1ced/attachment.html > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 26, Issue 56 > ********************************************* > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/07f54d5a/attachment-0001.html From leo.nunes at gjccorp.com.br Fri Feb 12 07:10:08 2016 From: leo.nunes at gjccorp.com.br (LEONARDO NUNES) Date: Fri, 12 Feb 2016 12:10:08 +0000 Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException In-Reply-To: Message-ID: It worked for me, now I can login with Facebook. I had to export 3 root CA's from the default java cacerts keystore, them import them into my keystore. This is not the best way to fix the problem, but until we don't have a flag on keycloak to indicate we want to use both our keystore and java keystore this will work. 
Certificates to export:
digicertglobalrootca
digicertassuredidrootca
digicerthighassuranceevrootca

How to export:
keytool -exportcert -alias digicertglobalrootca -keystore cacerts -file jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -exportcert -alias digicertassuredidrootca -keystore cacerts -file jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -exportcert -alias digicerthighassuranceevrootca -keystore cacerts -file jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt

How to import into another keystore:
keytool -import -trustcacerts -alias digicertglobalrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicertglobalrootca.crt
keytool -import -trustcacerts -alias digicertassuredidrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicertassuredidrootca.crt
keytool -import -trustcacerts -alias digicerthighassuranceevrootca -keystore jboss/ssl/eap-des1.yyy.com.br.keystore.jks -file jboss/ssl/default-jdk/digicerthighassuranceevrootca.crt

On 12/02/16 08:44, "Marko Strukelj" wrote: >We could add such a flag, don't know how hard it would be to implement. > >In principle I agree about CA cert updates. But they are many, and for >your customized truststore you may add only a few, and for big-name >services. If CAs are revoked, then your integration will stop working >as those services will start using new certs that you don't have in >your truststore. > >It's quite unlikely OTOH to notice one of the 100 trusted-by-default >CA that you never connect to, that can one day be used to forge a >certificate for one of the services that you do use - that one you >won't notice until you update Java. >________________________________ >This message may contain confidential and/or privileged information. If >you are not the addressee or authorized to receive this for the >addressee, you must not use, copy, disclose or take any action based on >this message or any information herein. If you have received this message >in error, please advise the sender immediately by reply e-mail and delete >this message. Thank you for your cooperation

From mstrukel at redhat.com Fri Feb 12 07:16:13 2016 From: mstrukel at redhat.com (Marko Strukelj) Date: Fri, 12 Feb 2016 13:16:13 +0100 Subject: [keycloak-user] Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException In-Reply-To: References: Message-ID: Security is always at odds with convenience :) For Facebook you can prepare your truststore like this:
curl http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt > ~/digicertsha2high.crt
keytool -importcert -keystore truststore.jks -storetype JKS -file ~/digicertsha2high.crt -alias digicertSHA2HighCA
How did I come to this? By inspecting the certificate returned by Facebook you find its issuer:
openssl s_client -connect graph.facebook.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ~/graph.facebook.com.pem
keytool -importcert -keystore tempstore.jks -storetype JKS -file ~/graph.facebook.com.pem -alias facebook.com
(type some password, and inspect the certificate - no need to confirm it) In the certificate details there is a URL to the issuer CA certificate I used above. It is the issuer CA that you want in your truststore, rather than the graph.facebook.com certificate. That certificate is also part of the cacerts file where all the certificates trusted by default are located. 
Which is the next point - it's easy to manually start with default truststore, rather than empty one. Just copy the default truststore and change its password: cp $JAVA_HOME/jre/lib/security/cacerts truststore.jks keytool -keystore truststore.jks -storepasswd When asked for password type: 'changeit' - that's java truststore's password. When asked for new password type whatever you want. That's all there is to it. On Fri, Feb 12, 2016 at 11:49 AM, LEONARDO NUNES wrote: > 1+ to include cacerts from Java by default. > > > From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: sexta-feira, 12 de fevereiro de 2016 07:43 > To: Marko Strukelj > Cc: Marek Posolda , Leonardo Nunes > , "keycloak-user at lists.jboss.org" > > Subject: Re: [keycloak-user] Failed to make identity provider oauth > callback: javax.net.ssl.SSLHandshakeException > > > On 12 February 2016 at 10:04, Marko Strukelj wrote: >> >> When using 'truststore' provider it is up to you to make sure to >> include all the certificates you trust. Configuration via >> -Djavax.net.ssl.trustStore works the same - no automatic inclusion of >> cacerts. But it sounds like a good usability feature to add a flag >> that would automatically include cacerts as well. The problem is - it >> happens occasionally that some CAs turn out not to be trustworthy, and >> blindly importing all cacerts exposes you to that risk. > > > How about having a flag that is enabled by default that includes cacerts > from Java? I'd actually think that update from CA certs are more likely > going to happen by updating Java rather than manually maintaining a > truststore. > >> >> One detail to emphasize, with third party not-self-signed certificates >> it's important to include the CA certificate used to create the >> specific server certificate, rather than the server certificate >> itself. 
Facebook servers use different short-lived server certificates >> - and with two consecutive requests you may be presented with two >> different server certificates - but they are all issued by the same >> long-lived trusted CA. >> >> >> >> On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda >> wrote: >> > Facebook certificate should be signed by trusted authority, so it works >> > with >> > default JDK truststore. At least for me it always works. >> > >> > Shouldn't truststore SPI use both provided file + default JDK truststore >> > by >> > default? We may have flag to disable default JDK truststore, but not >> > sure if >> > it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache >> > HTTP >> > client provided by HttpClientProvider SPI? >> > >> > Marek >> > >> > >> > On 11/02/16 15:23, Stian Thorgersen wrote: >> > >> > Does it work if you don't specify the truststore? That will use the >> > default >> > truststore provided by the JDK. >> > >> > Also, does your truststore contain the required CA certs? For Facebook >> > to >> > work it'll have to contain the required CA's for their certs >> > >> > On 11 February 2016 at 14:09, LEONARDO NUNES >> > wrote: >> >> >> >> Hi, I'm getting the error below when I try to login with Facebook. >> >> I've followed the instructions at >> >> >> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore >> >> and >> >> >> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337 >> >> >> >> I was able to login with Facebook when trying at localhost. But at our >> >> development server we are getting this error. >> >> >> >> We are using EAP in domain mode. 
>> >> >> >> The truststore I placed inside of keycloak-server.json >> >> "truststore": { >> >> "file": { >> >> "file": "/home/soa/jboss/ssl/keycloak.jks", >> >> "password": "keycloak123", >> >> "hostname-verification-policy": "ANY", >> >> "disabled": false >> >> } >> >> } >> >> >> >> ####### >> >> >> >> ERRO: >> >> >> >> 2016-02-11 10:44:53,927 ERROR >> >> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] >> >> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth >> >> callback: javax.net.ssl.SSLHandshakeException: >> >> sun.security.validator.ValidatorException: PKIX path building failed: >> >> sun.security.provider.certpath.SunCertPathBuilderException: unable to >> >> find >> >> valid certification path to requested target >> >> Caused by: sun.security.validator.ValidatorException: PKIX path >> >> building >> >> failed: sun.security.provider.certpath.SunCertPathBuilderException: >> >> unable >> >> to find valid certification path to requested target >> >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: >> >> unable to find valid certification path to requested target >> >> >> >> -- >> >> Leonardo Nunes >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >

From tdudgeon.ml at gmail.com Fri Feb 12 09:03:25 2016 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Fri, 12 Feb 2016 14:03:25 +0000 Subject: [keycloak-user] import not working in 1.8 Message-ID: <56BDE62D.5070204@gmail.com> I've hit an issue with import. The command I used to use to import a realm with 1.7.0 now gives an error with 1.8.1, but from reading the docs all the options seem to be valid. Could someone point to what has changed? The command I'm using is /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/json/yyy.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING Or to be more correct, I'm doing this in Docker, and it can be reproduced like this: docker run -it --rm -v $PWD:/tmp/json jboss/keycloak:1.8.1.Final /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/json/yyy.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING which tells me that I've specified an invalid option. It works fine if I use the 1.7.0.Final image. 
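Marek asks in the truststore thread above whether the truststore SPI should consult both the provided file and the JDK default truststore, and Leonardo worked around the missing flag by copying root CAs between keystores. The following is an added example, not Keycloak's own code and not part of any message in the thread: a composite X509TrustManager that accepts a server chain if either the custom JKS file (such as the "file" entry under "truststore" in keycloak-server.json) or the JDK default store can build a PKIX path for it; the class name, the create(...) signature and the includeJdkDefault flag are my own assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Keycloak code): trusts a chain if EITHER the custom truststore
 * OR the JDK default truststore (cacerts, or -Djavax.net.ssl.trustStore) accepts it.
 * includeJdkDefault is the "use both" flag the thread asks for; it is a hypothetical name.
 */
public final class CompositeTrustManager implements X509TrustManager {

    @FunctionalInterface
    private interface Check {
        void run(X509TrustManager tm) throws CertificateException;
    }

    private final List<X509TrustManager> delegates;

    private CompositeTrustManager(List<X509TrustManager> delegates) {
        if (delegates.isEmpty()) {
            throw new IllegalArgumentException("at least one truststore is required");
        }
        this.delegates = delegates;
    }

    public static CompositeTrustManager create(String customStorePath,
                                               char[] customStorePassword,
                                               boolean includeJdkDefault)
            throws IOException, GeneralSecurityException {
        List<X509TrustManager> tms = new ArrayList<>();
        KeyStore custom = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(customStorePath)) {
            custom.load(in, customStorePassword);
        }
        tms.add(x509TrustManagerFor(custom));
        if (includeJdkDefault) {
            tms.add(x509TrustManagerFor(null)); // null keystore = JDK default truststore
        }
        return new CompositeTrustManager(tms);
    }

    private static X509TrustManager x509TrustManagerFor(KeyStore store)
            throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Runs the check against each store in turn; the first store that accepts wins. */
    private void firstStoreThatTrusts(Check check) throws CertificateException {
        CertificateException lastFailure = null;
        for (X509TrustManager tm : delegates) {
            try {
                check.run(tm); // ordinary PKIX path building against that store's CAs
                return;
            } catch (CertificateException e) {
                lastFailure = e;
            }
        }
        // No store could build a path: the same PKIX error Leonardo's log shows.
        throw lastFailure;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        firstStoreThatTrusts(tm -> tm.checkServerTrusted(chain, authType));
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        firstStoreThatTrusts(tm -> tm.checkClientTrusted(chain, authType));
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        List<X509Certificate> issuers = new ArrayList<>();
        for (X509TrustManager tm : delegates) {
            Collections.addAll(issuers, tm.getAcceptedIssuers());
        }
        return issuers.toArray(new X509Certificate[0]);
    }

    /** SSLContext for the outbound HTTPS call (e.g. the identity-provider callback). */
    public SSLContext toSslContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

Because each delegate still performs normal PKIX validation, the custom store only needs the issuer CA (as Marko describes), not Facebook's short-lived leaf certificate.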
Tim From sthorger at redhat.com Fri Feb 12 09:19:56 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 12 Feb 2016 15:19:56 +0100 Subject: [keycloak-user] import not working in 1.8 In-Reply-To: <56BDE62D.5070204@gmail.com> References: <56BDE62D.5070204@gmail.com> Message-ID: The image was updated to use an entrypoint, so you can drop "$PWD:/tmp/json jboss/keycloak:1.8.1.Final \ /opt/jboss/keycloak/bin/standalone.sh", and just run it with: docker run -it --rm -v -b 0.0.0.0 -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/tmp/json/yyy.json -Dkeycloak.migration.strategy=OVERWRITE_EXISTING On 12 February 2016 at 15:03, Tim Dudgeon wrote: > I've hit an issue with import. The command I used to use to import a > realm with 1.7.0 now gives an error with 1.8.1, but from reading the > docs all the options seem to be valid. Could someone point to what has > changed? > > The command I'm using is > > /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 > -Dkeycloak.migration.action=import > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=/tmp/json/yyy.json > -Dkeycloak.migration.strategy=OVERWRITE_EXISTING > > Or to be more correct, I'm doing this in Docker, and it can be > reproduced like this: > > docker run -it --rm -v $PWD:/tmp/json jboss/keycloak:1.8.1.Final > /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 > -Dkeycloak.migration.action=import > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=/tmp/json/yyy.json > -Dkeycloak.migration.strategy=OVERWRITE_EXISTING > > which tells me that I've specified an invalid option. It works fine if I > use the 1.7.0.Final image. > > Tim > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/378e3eec/attachment.html From tdudgeon.ml at gmail.com Fri Feb 12 09:56:52 2016 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Fri, 12 Feb 2016 14:56:52 +0000 Subject: [keycloak-user] import not working in 1.8 In-Reply-To: References: <56BDE62D.5070204@gmail.com> Message-ID: <56BDF2B4.4040102@gmail.com> Great, thanks. That works. Tim On 12/02/2016 14:19, Stian Thorgersen wrote: > The image was updated to use an entrypoint, so you can drop > "$PWD:/tmp/json jboss/keycloak:1.8.1.Final \ > /opt/jboss/keycloak/bin/standalone.sh", and just run it with: > > docker run -it --rm -v -b 0.0.0.0 > -Dkeycloak.migration.action=import > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=/tmp/json/yyy.json > -Dkeycloak.migration.strategy=OVERWRITE_EXISTING > > On 12 February 2016 at 15:03, Tim Dudgeon > wrote: > > I've hit an issue with import. The command I used to use to import a > realm with 1.7.0 now gives an error with 1.8.1, but from reading the > docs all the options seem to be valid. Could someone point to what has > changed? > > The command I'm using is > > /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 > -Dkeycloak.migration.action=import > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=/tmp/json/yyy.json > -Dkeycloak.migration.strategy=OVERWRITE_EXISTING > > Or to be more correct, I'm doing this in Docker, and it can be > reproduced like this: > > docker run -it --rm -v $PWD:/tmp/json jboss/keycloak:1.8.1.Final > /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 > -Dkeycloak.migration.action=import > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=/tmp/json/yyy.json > -Dkeycloak.migration.strategy=OVERWRITE_EXISTING > > which tells me that I've specified an invalid option. It works > fine if I > use the 1.7.0.Final image. 
> > Tim > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/8c3f9bc1/attachment.html From tdudgeon.ml at gmail.com Fri Feb 12 10:14:27 2016 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Fri, 12 Feb 2016 15:14:27 +0000 Subject: [keycloak-user] initialising docker Message-ID: <56BDF6D3.2020105@gmail.com> I've been struggling with a clean way to initialize the keycloak docker container. I need to import a realm definition, and the only way I can find is to start the image with the import options, wait for this to complete so that the database is populated and then to Ctrl-C out and to restart the container proper, which is hardly automatable. With 1.8 this also needs to include defining the admin user. Is there a cleaner way of achieving this? For instance, with the postgres docker images you just put any initialisation *.sql or *.sh scripts in a specific directory and they get executed first time the server starts. Tim From robin1233 at gmail.com Fri Feb 12 12:10:15 2016 From: robin1233 at gmail.com (robinfernandes .) Date: Fri, 12 Feb 2016 12:10:15 -0500 Subject: [keycloak-user] Quick clarification about Offline tokens Message-ID: Hi Everyone, So the scenario that I am trying to understand is as follows: 1. I get an offline token and I try to refresh my token pair (access,refresh) using this offline token. 2. Will I get a new offline token? Or will Keycloak see that you passed in an offline token so it will return the same offline token back? The tests that I performed I saw it returning a new offline token each time. Is that a correct understanding? Is there any parameter I can pass to the token refresh call so that it gives me the same offline token back?
Thanks, Robin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/c25691bd/attachment.html From darkness.renann at gmail.com Fri Feb 12 16:21:56 2016 From: darkness.renann at gmail.com (Renann Prado) Date: Fri, 12 Feb 2016 19:21:56 -0200 Subject: [keycloak-user] Cordova + Keycloak + Native Facebook login Message-ID: Is Keycloak supporting native facebook already? I found at least two two-year-old threads talking about native facebook login, but none of them seem to have a solution. Renann Prado -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/f9967feb/attachment.html From bburke at redhat.com Fri Feb 12 18:13:49 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 12 Feb 2016 18:13:49 -0500 Subject: [keycloak-user] Keycloak as a SAML SP: Is it possible to configure Keycloak to use RSA-SHA256 as the algorithm to sign assertions. In-Reply-To: References: Message-ID: <56BE672D.8090805@redhat.com> So, you're not using keycloak-server, just our SAML client SP adapter? http://keycloak.github.io/docs/userguide/saml-client-adapter/html/adapter-config.html#d4e124 You can set the signature algorithm there. The IDP section is basically describing what the IDP expects when you communicate to it. On 2/12/2016 6:43 AM, Akshay Kini wrote: > Hi Bill, > > Thanks for looking into this. > > The usecase is: > > Keycloak is an SP and it is sending an AuthnRequest via HTTP Post. > This AuthnRequest is always using RSA-SHA1 for signing.
> > I have configured the Keycloak config file as follows: > > sslPolicy="NONE" > logoutPage="/logout.jsp" > nameIDPolicyFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" > forceAuthentication="false" > signatureAlgorithm="RSA_SHA256"> > > > In fact the SP element doesn't have the "signatureAlgorithm" > documented anywhere in the SAML Client Adapter Reference Guide (it > only exists for the IDP). > > Now this is a bit of unfamiliar territory for me, but I looked into > the Keycloak Code base (master): > I see that the org.keycloak.adapters.saml.config.parsers.SPXmlParser > doesn't deal with ConfigXmlConstants.SIGNATURE_ALGORITHM_ATTR while > the IDPXmlParser does. > > > Again, thanks for looking into this. > > P.S. Sorry to all the mailing list subscribers, this "chain" might get > broken despite me changing the subject. I am not sure how to fix that > when using Gmail and subscribing to a digest mailing-list. Please send > a direct e-mail to me if you know how to fix that. > > Thanks, > Regards, > Akshay > > > On Thu, Feb 11, 2016 at 7:36 PM, > > wrote: > > Send keycloak-user mailing list submissions to > keycloak-user at lists.jboss.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user > or, via email, send a message with subject or body 'help' to > keycloak-user-request at lists.jboss.org > > > You can reach the person managing the list at > keycloak-user-owner at lists.jboss.org > > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Re: User-Federation (Renann Prado) > 2. Re: User-Federation (Renann Prado) > 3. Re: Keycloak as a SAML SP: Is it possible to configure > Keycloak to use RSA-SHA256 as the algorithm to sign assertions.
> (Bill Burke) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 11 Feb 2016 11:16:29 -0200 > From: Renann Prado > > Subject: Re: [keycloak-user] User-Federation > To: Reed Lewis > > Cc: keycloak-user at lists.jboss.org > > Message-ID: > > > Content-Type: text/plain; charset="utf-8" > > Is there any recommended way to make sure these endpoints won't be > spammed > by an attacker? Looks like these endpoints need to be open to anyone. > > Thanks > On Feb 3, 2016 11:18, "Reed Lewis" > wrote: > > > If you use the federation provider listed here: > > > > [0]: > http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ > > [1]: https://github.com/Smartling/keycloak-user-migration-provider > > > > You can specify a URL that will be called when a user needs to be > > validated. > > > > There are three requests that need to be implemented in your server. > > > > GET /api/users// > > If the user exists, it should return a 200 with a json object > with the > > return type "application/json" with the following fields: > > username > > email > > emailVerified > > firstName > > lastName > > roles ["user"] > > > > If the user does not exist, return a 404 > > > > HEAD /api/users// > > Always return 200 > > > > POST /api/users// > > The password is posted to you in a json object. > > Return 200 if the password is OK, 401 if not. In both cases > return no > > data. > > > > I wrote a small python module which implements these methods > which works > > quite well.
> > > > Reed > > > > From: > on behalf of > Stuart Jacobs < > > stuart.jacobs at symbiotics.co.za > > > > Date: Wednesday, February 3, 2016 at 2:40 AM > > To: "keycloak-user at lists.jboss.org > " > > > > Subject: [keycloak-user] User-Federation > > > > Hi Everyone, > > > > I have an application that runs on a postgresql database, > keycloak has > > been configured and has created all the required tables/columns > in my > > schema using liquibase on start up of the keycloak server. > > > > I need to authenticate users using the projects existing user table > > obtaining the username and password from this table. > > > > I have had a look at the federation provider project under the > example > > projects but this still eludes me as to how I change the > keycloak mapping > > to use my own tables in postgress? > > > > Can someone please point me in the right direction or if someone has > > implemented such a solution please share how you have done it? > > > > Thanks everyone. > > > > Regards, > > Stuart Jacobs > > > > > > > > > > > > > > > > www.symbiotics.co.za > > > > > ******************************************************************************** > > This email and any accompanying attachments may contain > confidential and > > proprietary information. This information is private and > protected by law > > and, accordingly, if you are not the intended recipient, you are > requested > > to delete this entire communication immediately and are notified > that any > > disclosure, copying or distribution of or taking any action > based on this > > information is prohibited. > > > > Emails cannot be guaranteed to be secure or free of errors or > viruses. 
The > > sender does not accept any liability or responsibility for any > > interception, corruption, destruction, loss, late arrival or > incompleteness > > of or tampering or interference with any of the information > contained in > > this email or for its incorrect delivery or non-delivery for > whatsoever > > reason or for its effect on any electronic device of the recipient. > > > > > ******************************************************************************** > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/d777c2bf/attachment-0001.html > > ------------------------------ > > Message: 2 > Date: Thu, 11 Feb 2016 11:17:14 -0200 > From: Renann Prado > > Subject: Re: [keycloak-user] User-Federation > To: Reed Lewis > > Cc: keycloak-user at lists.jboss.org > > Message-ID: > > > > Content-Type: text/plain; charset="utf-8" > > Everyone* > On Feb 11, 2016 11:16, "Renann Prado" > wrote: > > > Is there any recommended way to make sure these endpoints won't > be spammed > > by an attacker? Looks like these endpoints need to be open to > anyone. > > > > Thanks > > On Feb 3, 2016 11:18, "Reed Lewis" > wrote: > > > >> If you use the federation provider listed here: > >> > >> [0]: > http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/ > >> [1]: https://github.com/Smartling/keycloak-user-migration-provider > >> > >> You can specify a URL that will be called when a user needs to be > >> validated. > >> > >> There are three requests that need to be implemented in your server. > >> > >> GET /api/users// > >> If the user exists, it should return a 200 with a json object > with the > >> return type "application/json"
with the following fields: > >> username > >> email > >> emailVerified > >> firstName > >> lastName > >> roles ["user"] > >> > >> If the user does not exist, return a 404 > >> > >> HEAD /api/users// > >> Always return 200 > >> > >> POST /api/users// > >> The password is posted to you in a json object. > >> Return 200 if the password is OK, 401 if not. In both cases > return no > >> data. > >> > >> I wrote a small python module which implements these methods > which works > >> quite well. > >> > >> Reed > >> > >> From: > on behalf of > Stuart Jacobs > >> > > >> Date: Wednesday, February 3, 2016 at 2:40 AM > >> To: "keycloak-user at lists.jboss.org > " > > > >> Subject: [keycloak-user] User-Federation > >> > >> Hi Everyone, > >> > >> I have an application that runs on a postgresql database, > keycloak has > >> been configured and has created all the required tables/columns > in my > >> schema using liquibase on start up of the keycloak server. > >> > >> I need to authenticate users using the projects existing user table > >> obtaining the username and password from this table. > >> > >> I have had a look at the federation provider project under the > example > >> projects but this still eludes me as to how I change the > keycloak mapping > >> to use my own tables in postgress? > >> > >> Can someone please point me in the right direction or if > someone has > >> implemented such a solution please share how you have done it? > >> > >> Thanks everyone. > >> > >> Regards, > >> Stuart Jacobs > >> > >> > >> > >> > >> > >> > >> > >> www.symbiotics.co.za > >> > >> > ******************************************************************************** > >> This email and any accompanying attachments may contain > confidential and > >> proprietary information.
This information is private and > protected by law > >> and, accordingly, if you are not the intended recipient, you > are requested > >> to delete this entire communication immediately and are > notified that any > >> disclosure, copying or distribution of or taking any action > based on this > >> information is prohibited. > >> > >> Emails cannot be guaranteed to be secure or free of errors or > viruses. > >> The sender does not accept any liability or responsibility for any > >> interception, corruption, destruction, loss, late arrival or > incompleteness > >> of or tampering or interference with any of the information > contained in > >> this email or for its incorrect delivery or non-delivery for > whatsoever > >> reason or for its effect on any electronic device of the recipient. > >> > >> > ******************************************************************************** > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/6164ad32/attachment-0001.html > > ------------------------------ > > Message: 3 > Date: Thu, 11 Feb 2016 09:06:49 -0500 > From: Bill Burke > > Subject: Re: [keycloak-user] Keycloak as a SAML SP: Is it possible to > configure Keycloak to use RSA-SHA256 as the algorithm to sign > assertions. > To: keycloak-user at lists.jboss.org > > Message-ID: <56BC9579.8080102 at redhat.com > > > Content-Type: text/plain; charset="windows-1252" > > Where? Keycloak Saml SP? Keycloak Server interaction with an > app/client? Or Keycloak Server acting as an SP in a broker scenario? > > They all *should* support plugging in the algorithm. Did you > configure > this correctly? 
> > On 2/11/2016 6:29 AM, Akshay Kini wrote: > > Hi Folks, > > > > We are using Keycloak as a SAML SP. > > > > I notice that SAML Assertions are signed using rsa-sha1, could we > > configure it to use RSA-SHA256? > > > > Thanks, > > Regards, > > Akshay > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160211/573d1ced/attachment.html > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 26, Issue 56 > ********************************************* > > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/0e8870a7/attachment-0001.html From jessec at dnbcloud.com Fri Feb 12 20:48:38 2016 From: jessec at dnbcloud.com (Jesse Chahal) Date: Fri, 12 Feb 2016 17:48:38 -0800 Subject: [keycloak-user] Extending Themes via SPI Message-ID: So I'm also in a similar situation here where our front-end team will not even consider looking into FTL theme engine that was used in keycloak. They will reject keycloak as a good solution unless we can reimplement the login screen in an entirely different technology. I'm still trying to convince people that using the current theming engine is a better choice but I don't think we'll even be able to get there unless I can help them do a comparison of the two implementations. 
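Bill's pointer above is the adapter's signatureAlgorithm setting; in keycloak-saml.xml it lives on the IDP element, because that section describes what the IDP expects to receive. Whatever the configuration says, the thing worth checking is what actually goes over the wire. The block below is an added example for this thread, not code from Keycloak, from the adapter, or from anyone posting here: it decodes the base64 SAMLRequest form field that the HTTP-POST binding carries, reads the SignatureMethod and DigestMethod URIs out of the enveloped signature, and flags SHA-1. The sample AuthnRequest it builds is constructed for the example (the DigestValue and SignatureValue are placeholders, not real cryptographic output); the algorithm URIs are the standard XML-DSig ones.

```python
"""Inspect which XML-DSig algorithms a SAML AuthnRequest was signed with.

Added editorial example. The sample request is constructed here; its
signature and digest values are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# XML-DSig algorithm identifiers (RFC 4051 defines the SHA-2 variants).
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
WEAK_ALGORITHMS = {RSA_SHA1, DIGEST_SHA1}


def build_sample_request(signature_alg, digest_alg):
    """Constructed AuthnRequest with an enveloped-signature skeleton.

    DigestValue and SignatureValue are placeholders; the structure
    (SignedInfo/SignatureMethod, Reference/DigestMethod) is what a
    signed request looks like on the wire.
    """
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_example-id" '
        'Version="2.0" IssueInstant="2016-02-12T00:00:00Z">'
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        f'<ds:SignatureMethod Algorithm="{signature_alg}"/>'
        f'<ds:Reference URI="#_example-id"><ds:DigestMethod Algorithm="{digest_alg}"/>'
        '<ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
        '</ds:Signature></samlp:AuthnRequest>'
    )
    # HTTP-POST binding: the SAMLRequest form field is the base64 of the XML.
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def inspect_saml_request(saml_request_b64):
    """Decode a SAMLRequest form value and report its signing algorithms."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    signature = root.find(f"{{{DS}}}Signature")
    if signature is None:
        # Unsigned request: there is nothing for the IdP to verify at all.
        return {"signed": False, "signature_alg": None, "digest_algs": [], "weak": True}
    method = signature.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    signature_alg = method.get("Algorithm") if method is not None else None
    digest_algs = [d.get("Algorithm") for d in signature.iter(f"{{{DS}}}DigestMethod")]
    weak = (
        signature_alg is None
        or signature_alg in WEAK_ALGORITHMS
        or any(d in WEAK_ALGORITHMS for d in digest_algs)
    )
    return {"signed": True, "signature_alg": signature_alg,
            "digest_algs": digest_algs, "weak": weak}


if __name__ == "__main__":
    for sig, dig in ((RSA_SHA1, DIGEST_SHA1), (RSA_SHA256, DIGEST_SHA256)):
        print(inspect_saml_request(build_sample_request(sig, dig)))
```

To use it against a real SP, copy the SAMLRequest value out of the browser's POST to the IdP (the form the adapter auto-submits) and pass it to inspect_saml_request. Two caveats: the check only covers the POST binding, since with HTTP-Redirect the signature is not inside the XML but in the separate SigAlg and Signature query parameters; and it only reports what was used, it does not verify the signature, so a request that passes here can still be rejected by an IdP that demands a different algorithm.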
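Renann's question in the quoted digest (how to keep these endpoints from being hammered, since they appear to have to be open to anyone) is the right one to ask of the three calls Reed describes: GET tells a caller whether a username exists, and POST is an online password oracle. The block below is an added example for this thread, not the Smartling provider's code, not Keycloak's, and not from anyone posting here. It implements the three calls as a transport-independent handler and adds the controls the question calls for: a shared bearer secret that only the Keycloak side holds, compared in constant time; a per-client token bucket; and a per-account failure window so the password check cannot be brute-forced. Two details are assumptions, because the quoted post's placeholders were lost in the archive: the path carries the username as its last segment, and the POST body carries the password in a JSON field named "password". The user store and credentials are constructed sample data.

```python
"""Hardened legacy-user endpoint behind a Keycloak federation provider.

Added editorial example. Path shape /api/users/<username> and the JSON
field name "password" are assumptions; the sample user is constructed.
"""
import hashlib
import hmac
import json
import os
import re
import time

USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 over the password; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TokenBucket:
    """Per-client limiter: `rate` requests per second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.state = rate, burst, {}

    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.state[client] = (tokens - 1 if allowed else tokens, now)
        return allowed


class LegacyUserService:
    """Transport-independent handler for the three federation calls."""

    def __init__(self, shared_secret, users, rate=5.0, burst=10,
                 max_failures=5, lockout_seconds=300):
        self.secret, self.users = shared_secret, users  # users: username -> record
        self.bucket = TokenBucket(rate, burst)
        self.max_failures, self.lockout = max_failures, lockout_seconds
        self.failures = {}  # username -> (count, window_start)

    def _authorized(self, headers):
        # Constant-time check of the bearer secret the Keycloak side is configured with.
        presented = headers.get("Authorization", "").encode("utf-8")
        return hmac.compare_digest(presented, ("Bearer " + self.secret).encode("utf-8"))

    def handle(self, method, path, headers, body, client, now=None):
        """Return (status, json_body_or_None) for one request."""
        now = time.time() if now is None else now
        if not self._authorized(headers):
            return 401, None  # anonymous callers learn nothing, not even 404 vs 200
        if not self.bucket.allow(client, now):
            return 429, None
        match = re.fullmatch(r"/api/users/([^/]+)/?", path)
        if not match or not USERNAME_RE.match(match.group(1)):
            return 404, None
        username = match.group(1)
        if method == "HEAD":
            return 200, None
        user = self.users.get(username)
        if method == "GET":
            if user is None:
                return 404, None
            keys = ("username", "email", "emailVerified", "firstName", "lastName", "roles")
            return 200, {k: user[k] for k in keys}
        if method == "POST":
            return self._check_password(username, user, body, now)
        return 405, None

    def _check_password(self, username, user, body, now):
        count, window_start = self.failures.get(username, (0, now))
        if count >= self.max_failures and now - window_start < self.lockout:
            return 401, None  # locked out; same answer as a wrong password
        try:
            password = json.loads(body or "{}").get("password", "")
        except (ValueError, AttributeError):
            return 401, None
        if not isinstance(password, str):
            return 401, None
        if user is None:
            hash_password(password, b"\x00" * 16)  # same cost, so timing does not reveal unknown users
            ok = False
        else:
            ok = hmac.compare_digest(hash_password(password, user["salt"])[1], user["hash"])
        if ok:
            self.failures.pop(username, None)
            return 200, None
        if now - window_start >= self.lockout:
            count, window_start = 0, now  # stale window: start counting again
        self.failures[username] = (count + 1, window_start)
        return 401, None


def make_user(username, password, email="", email_verified=False, roles=("user",)):
    salt, digest = hash_password(password)
    return {"username": username, "email": email, "emailVerified": email_verified,
            "firstName": "", "lastName": "", "roles": list(roles), "salt": salt, "hash": digest}


# Constructed sample store for this example.
SHARED_SECRET = "replace-with-a-long-random-value"
SAMPLE_USERS = {"alice": make_user("alice", "correct horse", "alice@example.com", True)}
```

Wire handle() to whatever HTTP server you use and run it only over TLS, since the shared secret travels in a header. Note that the thread does not establish whether the quoted provider can send an Authorization header at all; if it cannot, the fallback is to restrict the endpoint at the network layer (IP allow-list or mutual TLS from the Keycloak host) rather than leave it reachable by anyone, because the GET call's 200-versus-404 behaviour is an account-enumeration oracle for any caller who can reach it.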
We don't currently care about registration, social auth, password reset, etc... through the login screen. Most of this will be done through the keycloak admin client by an administrator in our cases. This means I need a way to actually use the Login SPI to be able to redirect to a login page hosted on a different server. Are there any suggestions of places where I could start looking in order to implement a custom Login page hosted on a different server? The reason I specify different server (same tld domain) is I'm also a bit worried about CORS issues (hopefully we'll be fine). Thanks, Jesse On Fri, Feb 12, 2016 at 1:43 AM, wrote: > Send keycloak-user mailing list submissions to > keycloak-user at lists.jboss.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user > or, via email, send a message with subject or body 'help' to > keycloak-user-request at lists.jboss.org > > You can reach the person managing the list at > keycloak-user-owner at lists.jboss.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Re: Extending Themes via SPI (Stian Thorgersen) > 2. Re: Failed to make identity provider oauth callback: > javax.net.ssl.SSLHandshakeException (Marko Strukelj) > 3.
Re: Failed to make identity provider oauth callback: > javax.net.ssl.SSLHandshakeException (Stian Thorgersen) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 12 Feb 2016 09:53:56 +0100 > From: Stian Thorgersen > Subject: Re: [keycloak-user] Extending Themes via SPI > To: Sarp Kaya > Cc: "keycloak-user at lists.jboss.org" > Message-ID: > < > CAJgngAfBrCv2B_A81Yc3sbBQbWz8O6JrXEa6SUWh8xG91EDDPg at mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > No, you can create a theme that contains stylesheets and freemarker > templates (if you need to change those) and deploy it to Keycloak. Please > read > http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html > and take a look at the themes examples in our examples download. > > On 12 February 2016 at 09:47, Sarp Kaya wrote: > > > Okay but what you are saying is done directly on the Keycloak source code > > which is then built and deployed, rather than extending classes and then > > deploying directly to a Keycloak instance? > > > > From: Stian Thorgersen > > Reply-To: "stian at redhat.com" > > Date: Friday, February 12, 2016 at 6:29 PM > > > > To: Abdullah Sarp Kaya > > Cc: "keycloak-user at lists.jboss.org" > > Subject: Re: [keycloak-user] Extending Themes via SPI > > > > There's a lot more to the login on Keycloak than a simple JSP page used > > for JEE form-based authentication. We have user registration, password > > recovery, OTP support, remember me, etc, etc.. > > > > Take the look and feel (stylesheet) of your JSP login screen and apply it > > to Keycloak with a custom theme. That's the simplest, quickest and best > > option. > > > > On 12 February 2016 at 09:15, Sarp Kaya wrote: > > > >> > >> We have internal front end libraries that works with JSP only. From the > >> sounds of SPI, I thought that I could use JSP and our internal libraries > >> instead of FreeMarker templates. 
Also because our JSP login screen is > >> almost ready it wouldn't take much time to just deploy it (that's what I > >> thought). > >> > >> From: Stian Thorgersen > >> Reply-To: "stian at redhat.com" > >> Date: Friday, February 12, 2016 at 5:54 PM > >> To: Abdullah Sarp Kaya > >> Cc: "keycloak-user at lists.jboss.org" > >> Subject: Re: [keycloak-user] Extending Themes via SPI > >> > >> What are you actually trying to achieve? We mainly support modifying the > >> FreeMarker templates and stylesheets. Beyond that you may in theory be > able > >> to re-implement it all to replace FreeMarker with something else, but I > >> don't see why you would want to and it would be a significant amount of > >> work, and also maintenance. > >> > >> On 12 February 2016 at 07:08, Sarp Kaya wrote: > >> > >>> Hi all, > >>> > >>> In regards to Extending Themes via SPI all I found is this > documentation: > >>> > >>> > http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html > >>> and > >>> > >>> < > http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450 > > > >>> > >>> > http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450 > >>> I found it a little less describing. > >>> > >>> When I implement those two classes, where do I put the new implemented > >>> classes? How do I deploy them? > >>> Can I also use Spring mvc and JSP and few maven dependencies instead of > >>> freemarker? > >>> > >>> I also tried to find an example to extend theme using SPI but there > >>> seems to be none. It would be really nice if you could provide a sample > >>> hello world.
> >>> > >>> Thank you very much, > >>> Sarp Kaya > >>> > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/dd16d2fc/attachment-0001.html > > ------------------------------ > > Message: 2 > Date: Fri, 12 Feb 2016 10:04:04 +0100 > From: Marko Strukelj > Subject: Re: [keycloak-user] Failed to make identity provider oauth > callback: javax.net.ssl.SSLHandshakeException > To: Marek Posolda > Cc: "keycloak-user at lists.jboss.org" , > LEONARDO NUNES > Message-ID: > < > CA+1OW+gXfMSC+CiLo3vCSvxt0M5Gt9Qp_9TV7AiWcsfBW+DA9Q at mail.gmail.com> > Content-Type: text/plain; charset=UTF-8 > > When using 'truststore' provider it is up to you to make sure to > include all the certificates you trust. Configuration via > -Djavax.net.ssl.trustStore works the same - no automatic inclusion of > cacerts. But it sounds like a good usability feature to add a flag > that would automatically include cacerts as well. The problem is - it > happens occasionally that some CAs turn out not to be trustworthy, and > blindly importing all cacerts exposes you to that risk. > > One detail to emphasize, with third party not-self-signed certificates > it's important to include the CA certificate used to create the > specific server certificate, rather than the server certificate > itself. Facebook servers use different short-lived server certificates > - and with two consecutive requests you may be presented with two > different server certificates - but they are all issued by the same > long-lived trusted CA. 
> > > On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda > wrote: > > Facebook certificate should be signed by trusted authority, so it works > with > > default JDK truststore. At least for me it always works. > > > > Shouldn't truststore SPI use both provided file + default JDK truststore > by > > default? We may have flag to disable default JDK truststore, but not > sure if > > it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP > > client provided by HttpClientProvider SPI? > > > > Marek > > > > > > On 11/02/16 15:23, Stian Thorgersen wrote: > > > > Does it work if you don't specify the truststore? That will use the > default > > truststore provided by the JDK. > > > > Also, does your truststore contain the required CA certs? For Facebook to > > work it'll have to contain the required CA's for their certs > > > > On 11 February 2016 at 14:09, LEONARDO NUNES > > wrote: > >> > >> Hi, i'm getting the error below when I try to login with Facebook. > >> I've followed the instructions at > >> > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore > >> and > >> > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337 > >> > >> I was able to login with Facebook when trying at localhost. But at our > >> development server we are getting this error. > >> > >> We are using EAP in domain mode. 
> >> > >> The truststore I placed inside of keycloak-server.json > >> "truststore": { > >> "file": { > >> "file": "/home/soa/jboss/ssl/keycloak.jks", > >> "password": "keycloak123", > >> "hostname-verification-policy": "ANY", > >> "disabled": false > >> } > >> } > >> > >> > >> ####### > >> > >> ERRO: > >> > >> > >> 2016-02-11 10:44:53,927 ERROR > >> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] > >> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth > >> callback: javax.net.ssl.SSLHandshakeException: > >> sun.security.validator.ValidatorException: PKIX path building failed: > >> sun.security.provider.certpath.SunCertPathBuilderException: unable to > find > >> valid certification path to requested target > >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > >> [jsse.jar:1.8.0_45] > >> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) > >> [jsse.jar:1.8.0_45] > >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) > >> [jsse.jar:1.8.0_45] > >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > >> [jsse.jar:1.8.0_45] > >> at > >> > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) > >> [jsse.jar:1.8.0_45] > >> at > >> > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) > >> [jsse.jar:1.8.0_45] > >> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) > >> [jsse.jar:1.8.0_45] > >> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) > >> [jsse.jar:1.8.0_45] > >> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) > >> [jsse.jar:1.8.0_45] > >> at > >> > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) > >> [jsse.jar:1.8.0_45] > >> at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) > >> [jsse.jar:1.8.0_45] > >> at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) > >> [jsse.jar:1.8.0_45] > >> at > >> > 
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > >> [rt.jar:1.8.0_45] > >> at > >> > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124) > >> at > >> > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > >> [rt.jar:1.8.0_45] > >> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45] > >> at > >> > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > 
org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at > >> > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > >> > [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] > >> at > >> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > >> [keycloak-services-1.8.1.Final.jar:1.8.1.Final] > >> at > >> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) > >> 
[jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) > >> at > >> > org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) > >> at > >> > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) > >> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2] > >> at > >> > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > >> > org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at > 
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] > >> Caused by: sun.security.validator.ValidatorException: PKIX path building > >> failed: sun.security.provider.certpath.SunCertPathBuilderException: > unable > >> to find valid certification path to requested target > >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) > >> [rt.jar:1.8.0_45] > >> at sun.security.validator.Validator.validate(Validator.java:260) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > >> [jsse.jar:1.8.0_45] > >> at > >> > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > >> [jsse.jar:1.8.0_45] > >> at > >> > sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > >> [jsse.jar:1.8.0_45] > >> at > >> > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) > >> [jsse.jar:1.8.0_45] > >> ... 50 more > >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: > >> unable to find valid certification path to requested target > >> at > >> > sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) > >> [rt.jar:1.8.0_45] > >> at > >> > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) > >> [rt.jar:1.8.0_45] > >> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > >> [rt.jar:1.8.0_45] > >> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) > >> [rt.jar:1.8.0_45] > >> ... 
56 more > >> > >> > >> > >> > >> > >> -- > >> Leonardo Nunes > >> ________________________________ > >> Esta mensagem pode conter informação confidencial e/ou privilegiada. Se > >> você não for o destinatário ou a pessoa autorizada a receber esta > mensagem, > >> não poderá usar, copiar ou divulgar as informações nela contidas ou > tomar > >> qualquer ação baseada nessas informações. Se você recebeu esta mensagem > por > >> engano, por favor avise imediatamente o remetente, respondendo o e-mail > e em > >> seguida apague-o. Agradecemos sua cooperação. > >> > >> This message may contain confidential and/or privileged information. If > >> you are not the addressee or authorized to receive this for the > addressee, > >> you must not use, copy, disclose or take any action based on this > message or > >> any information herein. If you have received this message in error, > please > >> advise the sender immediately by reply e-mail and delete this message. > Thank > >> you for your cooperation > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > ------------------------------ > > Message: 3 > Date: Fri, 12 Feb 2016 10:43:18 +0100 > From: Stian Thorgersen > Subject: Re: [keycloak-user] Failed to make identity provider oauth > callback: javax.net.ssl.SSLHandshakeException > To: Marko Strukelj > Cc: "keycloak-user at lists.jboss.org" , > LEONARDO NUNES > Message-ID: > < > CAJgngAf4-aAyu_aONLOiYC9Ap0LmAur7U-yn2pP7H4o2LKHsrw at mail.gmail.com> > 
Content-Type: text/plain; charset="utf-8" > > On 12 February 2016 at 10:04, Marko Strukelj wrote: > > > When using 'truststore' provider it is up to you to make sure to > > include all the certificates you trust. Configuration via > > -Djavax.net.ssl.trustStore works the same - no automatic inclusion of > > cacerts. But it sounds like a good usability feature to add a flag > > that would automatically include cacerts as well. The problem is - it > > happens occasionally that some CAs turn out not to be trustworthy, and > > blindly importing all cacerts exposes you to that risk. > > > > How about having a flag that is enabled by default that includes cacerts > from Java? I'd actually think that update from CA certs are more likely > going to happen by updating Java rather than manually maintaining a > truststore. > > > > One detail to emphasize, with third party not-self-signed certificates > > it's important to include the CA certificate used to create the > > specific server certificate, rather than the server certificate > > itself. Facebook servers use different short-lived server certificates > > - and with two consecutive requests you may be presented with two > > different server certificates - but they are all issued by the same > > long-lived trusted CA. > > > > > > On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda > > wrote: > > > Facebook certificate should be signed by trusted authority, so it works > > with > > > default JDK truststore. At least for me it always works. > > > > > > Shouldn't truststore SPI use both provided file + default JDK > truststore > > by > > > default? We may have flag to disable default JDK truststore, but not > > sure if > > > it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache > HTTP > > > client provided by HttpClientProvider SPI? > > > > > > Marek > > > > > > > > > On 11/02/16 15:23, Stian Thorgersen wrote: > > > > > > Does it work if you don't specify the truststore? 
That will use the > > default > > > truststore provided by the JDK. > > > > > > Also, does your truststore contain the required CA certs? For Facebook > to > > > work it'll have to contain the required CA's for their certs > > > > > > On 11 February 2016 at 14:09, LEONARDO NUNES > > > > wrote: > > >> > > >> Hi, i'm getting the error below when I try to login with Facebook. > > >> I've followed the instructions at > > >> > > > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore > > >> and > > >> > > > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337 > > >> > > >> I was able to login with Facebook when trying at localhost. But at our > > >> development server we are getting this error. > > >> > > >> We are using EAP in domain mode. > > >> > > >> The truststore I placed inside of keycloak-server.json > > >> "truststore": { > > >> "file": { > > >> "file": "/home/soa/jboss/ssl/keycloak.jks", > > >> "password": "keycloak123", > > >> "hostname-verification-policy": "ANY", > > >> "disabled": false > > >> } > > >> } > > >> > > >> > > >> ####### > > >> > > >> ERRO: > > >> > > >> > > >> 2016-02-11 10:44:53,927 ERROR > > >> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] > > >> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth > > >> callback: javax.net.ssl.SSLHandshakeException: > > >> sun.security.validator.ValidatorException: PKIX path building failed: > > >> sun.security.provider.certpath.SunCertPathBuilderException: unable to > > find > > >> valid certification path to requested target > > >> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > > >> [jsse.jar:1.8.0_45] > > >> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) > > >> [jsse.jar:1.8.0_45] > > >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) > > >> [jsse.jar:1.8.0_45] > > >> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > > >> 
[jsse.jar:1.8.0_45] > > >> at > > >> > > > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) > > >> [jsse.jar:1.8.0_45] > > >> at > > >> > > > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) > > >> [jsse.jar:1.8.0_45] > > >> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) > > >> [jsse.jar:1.8.0_45] > > >> at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) > > >> [jsse.jar:1.8.0_45] > > >> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) > > >> [jsse.jar:1.8.0_45] > > >> at > > >> > > > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) > > >> [jsse.jar:1.8.0_45] > > >> at > > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) > > >> [jsse.jar:1.8.0_45] > > >> at > > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) > > >> [jsse.jar:1.8.0_45] > > >> at > > >> > > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124) > > >> at > > >> > > > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228) > > >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > >> [rt.jar:1.8.0_45] > > >> at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45] > > >> at > > >> > > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > 
>> at > > >> > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at > > >> > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) > > >> [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:] > > >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > > >> > > > [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) > > >> [keycloak-services-1.8.1.Final.jar:1.8.1.Final] > > >> at > > >> > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91) > > >> at > > >> > > > 
org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72) > > >> at > > >> > > > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) > > >> [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2] > > >> at > > >> > > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > >> > > > org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at > > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) > > >> [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1] > > >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] > > >> Caused by: sun.security.validator.ValidatorException: PKIX path > building > > >> failed: sun.security.provider.certpath.SunCertPathBuilderException: > > unable > > >> to find valid certification path to requested target > > >> at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) > > >> [rt.jar:1.8.0_45] > > >> at 
sun.security.validator.Validator.validate(Validator.java:260) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > > >> [jsse.jar:1.8.0_45] > > >> at > > >> > > > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > > >> [jsse.jar:1.8.0_45] > > >> at > > >> > > > sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > > >> [jsse.jar:1.8.0_45] > > >> at > > >> > > > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) > > >> [jsse.jar:1.8.0_45] > > >> ... 50 more > > >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: > > >> unable to find valid certification path to requested target > > >> at > > >> > > > sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) > > >> [rt.jar:1.8.0_45] > > >> at > > >> > > > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) > > >> [rt.jar:1.8.0_45] > > >> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > > >> [rt.jar:1.8.0_45] > > >> at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) > > >> [rt.jar:1.8.0_45] > > >> ... 56 more > > >> > > >> > > >> > > >> > > >> -- > > >> Leonardo Nunes > > >> ________________________________ > > >> 
> > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user at lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/cf9f6d0b/attachment.html > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 26, Issue 66 > ********************************************* > -------------- next part -------------- An HTML attachment was scrubbed... 
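The truststore discussion quoted above comes down to how a JSSE TrustManager is built: as Marko Strukelj notes, both the Keycloak 'truststore' provider and -Djavax.net.ssl.trustStore replace the JDK cacerts rather than extend them, and a truststore that pins the server certificate itself breaks as soon as Facebook rotates its short-lived leaf certificate. The following is an added example, not Keycloak code: it loads the JDK cacerts and a custom JKS into one in-memory KeyStore, builds an SSLContext from it (what Marek asks the truststore SPI to do by default), and reports any alias that holds a leaf certificate instead of a CA certificate. The file paths, the 'changeit' cacerts password, the three command-line arguments and the class name are assumptions. It deliberately keeps the JSSE default hostname verifier: the quoted configuration's "hostname-verification-policy": "ANY" turns that check off, so any certificate the truststore trusts would be accepted for any host.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Keycloak code): trust the JDK cacerts AND the CA
 * certificates of a custom truststore when calling an identity provider.
 */
public final class MergedTruststore {

    /** Loads a JKS/PKCS12 keystore from disk. */
    public static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Copies every certificate entry of the sources into target and returns the
     * aliases that hold leaf (non-CA) certificates. Trusting a leaf only works
     * until the server rotates it, which is exactly the Facebook failure above.
     */
    public static List<String> mergeInto(KeyStore target, KeyStore... sources) throws Exception {
        List<String> leafAliases = new ArrayList<>();
        int n = 0;
        for (KeyStore src : sources) {
            for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                if (!src.isCertificateEntry(alias)) {
                    continue;                        // private-key entries do not belong in a truststore
                }
                Certificate cert = src.getCertificate(alias);
                if (cert instanceof X509Certificate
                        && ((X509Certificate) cert).getBasicConstraints() < 0) {
                    leafAliases.add(alias);          // no CA basicConstraints: server or self-signed leaf
                }
                target.setCertificateEntry("merged-" + (n++), cert);   // fresh aliases avoid collisions
            }
        }
        return leafAliases;
    }

    /** Builds an SSLContext whose trust decisions use exactly the given store. */
    public static SSLContext sslContext(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: MergedTruststore <custom.jks> <password> <https URL>  (all three assumed) */
    public static void main(String[] args) throws Exception {
        // java.home is the JRE directory on JDK 8 (jre/) and on JDK 9+, so this path holds for both
        Path cacertsPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore cacerts = load(cacertsPath, "changeit".toCharArray());          // assumed default password
        KeyStore custom = load(Paths.get(args[0]), args[1].toCharArray());     // e.g. /home/soa/jboss/ssl/keycloak.jks

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null);                                               // empty in-memory store
        for (String alias : mergeInto(merged, cacerts, custom)) {
            System.err.println("warning: '" + alias + "' is a leaf certificate, not a CA;"
                    + " trust breaks when the server rotates its certificate");
        }

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(sslContext(merged).getSocketFactory());
        // No conn.setHostnameVerifier(...): the JSSE default verifies that the certificate
        // matches the host, the check that "hostname-verification-policy": "ANY" disables.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[2]);
    }
}
```

The merge is order-independent and purely additive, so the same class can be pointed at a truststore that holds only the one CA you actually need, which is also how to avoid Marko's concern about blindly importing every CA: leave cacerts out of the mergeInto call and the context trusts only your file.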
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/ca49d0ad/attachment-0001.html From prabhalar at yahoo.com Fri Feb 12 22:17:38 2016 From: prabhalar at yahoo.com (Raghuram Prabhala) Date: Sat, 13 Feb 2016 03:17:38 +0000 (UTC) Subject: [keycloak-user] Coarse and Fine Grained Entitlements In-Reply-To: <56B24EFA.7050100@redhat.com> References: <56B24EFA.7050100@redhat.com> Message-ID: <1185803635.2852362.1455333458464.JavaMail.yahoo@mail.yahoo.com> Even our organization is looking for UMA modules (there are already a few vendors who offer some version of UMA) and a couple of months back I tried out something that Pedro put together which works with an old version of Keycloak. While I didn't explore the features in detail, I found that to be very nicely integrated with Keycloak and definitely in the right direction. If anyone wants to look at it, here is the link. Please make sure you follow all the build instructions (see https://github.com/pedroigor/keycloak-authz/issues/31 also) https://github.com/pedroigor/keycloak-authz Raghu From: Bill Burke To: keycloak-user at lists.jboss.org Sent: Wednesday, February 3, 2016 2:03 PM Subject: Re: [keycloak-user] Coarse and Fine Grained Entitlements Pedro is working on that... He has some stuff. Hope he responds. Not going to be part of Keycloak until 2.0 though. And yes, it's around UMA. On 2/3/2016 1:47 PM, Guy Davis wrote: Hi Lars, Good question. My organization is also asking similar questions about adopting Keycloak. Let me give my understanding as a user, then the Keycloak team can correct my misunderstandings. Basically, Keycloak offers coarse-grained authorizations (realm roles and client-app roles) assigned to users (or groups). So I understand Keycloak will let you grant user Bob the 'myapp-admin' role. However, it falls to the backend service or application to then map that role to application-specific permissions. For example, role 'myapp-admin' can access the /myapp/project1/admin page. 
This resource security can be done (for Java apps) in declarative fashion using web.xml security constraints. Alternatively, your application code could dynamically obtain the Keycloak user principal, check their roles, and map them into your app's permission scheme. This understanding implies that your application is responsible for an admin UI to map fine-grained permissions on your app's resources to Keycloak roles. If your app only has 'coarse-grained' resources, then you can probably just use Keycloak roles, with no need for a permission layer or the UI it entails. Also, see this preamble about Permission Scopes. In future, it sounds like the Keycloak team is considering support for the UMA portion of the OAuth standard. This may help with fine-grained permission management within Keycloak itself? Hope this helps, Guy On Tue, Feb 2, 2016 at 8:29 PM, Lars Noldan wrote: We're in the investigation stage on moving from a $BigExpensiveVendor solution toward Keycloak, and we're looking for a solution to help manage both coarse and fine-grained entitlements. Keycloak appears to be a fantastic authentication solution, but I'm wondering what you, the Keycloak community, are using to handle authorization? Thanks! _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... 
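Guy Davis's description above (coarse-grained realm and client roles assigned in Keycloak, with the mapping to application-specific permissions left to the application) is the pattern most applications end up writing by hand. The following is an added example, not Keycloak project code: a default-deny table from role names to an application's own permission enum, with the caller's roles read from the access token that the Keycloak servlet adapter attaches to the request principal. Realm roles and the client roles of one client id are merged because the adapter keeps them in different parts of the token. The permission names, role names, the client id 'myapp' and the class name are assumptions. The principal-based role lookup is also the Keycloak-side counterpart of the PicketLink hasRole call asked about in the next message on this page.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/**
 * Added example (not Keycloak project code): map coarse Keycloak roles onto
 * an application's fine-grained permissions, denying anything not listed.
 */
public final class RolePermissions {

    /** Hypothetical application permissions; the role names below are assumed as well. */
    public enum Permission { PROJECT_READ, PROJECT_WRITE, PROJECT_ADMIN }

    private static final Map<String, Set<Permission>> GRANTS;
    static {
        Map<String, Set<Permission>> m = new HashMap<>();
        m.put("myapp-user",   EnumSet.of(Permission.PROJECT_READ));
        m.put("myapp-editor", EnumSet.of(Permission.PROJECT_READ, Permission.PROJECT_WRITE));
        m.put("myapp-admin",  EnumSet.allOf(Permission.class));
        GRANTS = Collections.unmodifiableMap(m);   // a role absent from this table grants nothing
    }

    /**
     * Collects the caller's realm roles plus the client roles for clientId from the
     * access token the Keycloak adapter stored on the request principal.
     * Anonymous callers and non-Keycloak principals get an empty set, i.e. no access.
     */
    public static Set<String> rolesOf(HttpServletRequest req, String clientId) {
        Set<String> roles = new HashSet<>();
        Object principal = req.getUserPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            return roles;
        }
        KeycloakSecurityContext ctx = ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext();
        AccessToken token = ctx.getToken();
        if (token.getRealmAccess() != null) {
            roles.addAll(token.getRealmAccess().getRoles());          // realm-level roles
        }
        AccessToken.Access client = token.getResourceAccess(clientId);
        if (client != null) {
            roles.addAll(client.getRoles());                          // roles scoped to this client
        }
        return roles;
    }

    /** Union of the permissions granted by every role the caller holds. */
    public static Set<Permission> permissionsFor(Set<String> roles) {
        Set<Permission> granted = EnumSet.noneOf(Permission.class);
        for (String role : roles) {
            Set<Permission> p = GRANTS.get(role);
            if (p != null) {
                granted.addAll(p);
            }
        }
        return granted;
    }

    public static boolean hasPermission(Set<String> roles, Permission p) {
        return permissionsFor(roles).contains(p);
    }

    /**
     * Guard for a servlet or JAX-RS method: sends 403 and returns false when the
     * caller lacks the permission, so the handler can simply return.
     * Usage: if (!RolePermissions.require(req, resp, "myapp", Permission.PROJECT_ADMIN)) return;
     */
    public static boolean require(HttpServletRequest req, HttpServletResponse resp,
                                  String clientId, Permission p) throws IOException {
        if (hasPermission(rolesOf(req, clientId), p)) {
            return true;
        }
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

Keeping permissionsFor and hasPermission free of servlet types makes the mapping unit-testable with plain role sets, and the table is the one place that has to change when a new role or permission appears. The declarative web.xml alternative Guy mentions covers the URL-pattern case only; this kind of check is what you need when the decision depends on the resource being touched rather than on the path.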
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160213/7605b057/attachment.html From zaquas at gmail.com Sat Feb 13 04:51:20 2016 From: zaquas at gmail.com (Stefano Zaccaria) Date: Sat, 13 Feb 2016 10:51:20 +0100 Subject: [keycloak-user] Use Keycloak as I used PicketLink Message-ID: I want to change from PicketLink to Keycloak. In my EE app I use Keycloak CDI to check the user roles and grant with BasicModel.hasRole(relationshipManager, identity.getAccount(), BasicModel.getRole(identityManager, "admin")) or AuthorizationUtil.hasRole(identity, partitionManager, "admin"); in my bean methods. How can I do the same thing with Keycloak? Thanks in advance -- *Stefano* -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160213/c077571b/attachment.html From mposolda at redhat.com Mon Feb 15 03:18:57 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 15 Feb 2016 09:18:57 +0100 Subject: [keycloak-user] Quick clarification about Offline tokens In-Reply-To: References: Message-ID: <56C189F1.80800@redhat.com> On 12/02/16 18:10, robinfernandes . wrote: > Hi Everyone, > > So the scenario that I am trying to understand is as follows: > > 1. I get an offline token and I try to refresh my token pair > (access,refresh) using this offline token. > 2. Will I get a new offline token? Or will Keycloak see that you > passed in an offline token so it will return the same offline token back? > > In the tests that I performed I saw it returning a new offline token each > time. Is that a correct understanding? Yes, it works this way. However, if you have some DAO on your application side, you don't need to save the new offline token every time. You can still use the old offline token for refreshing and it will work. 
There is no expiration on the offline token itself, there is just an expiration on the Keycloak server side, which is updated during each token refresh (in other words, as long as you refresh at least once every 30 days, you can use the same offline token for years). The only exception to this is if you have the "Revoke refresh token" switch enabled for your realm. Then each offline token can be used just once, so you always need to use the newest offline token. Marek > Is there any parameter I can pass to the token refresh call so that it > gives me the same offline token back? > > Thanks, > Robin > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160215/dfc4e013/attachment.html From Edgar at info.nl Mon Feb 15 03:40:36 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Mon, 15 Feb 2016 08:40:36 +0000 Subject: [keycloak-user] initialising docker In-Reply-To: <56BDF6D3.2020105@gmail.com> References: <56BDF6D3.2020105@gmail.com> Message-ID: Hi Tim, We also struggle with this. What we do at the moment is we _always_ import the realm on startup of our Keycloak Docker container. Our current idea is that we will not have any runtime configuration changes in our realm at all, apart from filling the Keycloak caches. The idea being that runtime configuration changes are not automatable. We store our users and groups in LDAP/Active Directory and all realm configuration is stored in the realm JSON file in Git and imported every time. I was wondering: if you do change your realm configuration at runtime how do you deal with deployment automation? Is your idea to only import your realm definition once? If so, how would you deal with automating realm configuration changes? 
cheers Edgar > On 12 Feb 2016, at 16:14, Tim Dudgeon wrote: > > I've been struggling with a clean way to initialize the keycloak docker > container. > I need to import a realm definition, and the only way I can find is to > start the image with the import options, wait for this to complete so > that the database is populated and then to Ctrl-C out and to restart the > container proper, which is hardly automatable. > With 1.8 this also needs to include defining the admin user. > > Is there a cleaner way of achieving this? > For instance, with the postgres docker images you just put any > initialisation *.sql or *.sh scripts in a specific directory and they > get executed the first time the server starts. > > Tim > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From tdudgeon.ml at gmail.com Mon Feb 15 04:05:18 2016 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Mon, 15 Feb 2016 09:05:18 +0000 Subject: [keycloak-user] initialising docker In-Reply-To: References: <56BDF6D3.2020105@gmail.com> Message-ID: <56C194CE.5080401@gmail.com> Hi Edgar, Well, the way I'm doing it now (which I don't like at all, hence the original post), is to run the startup script in a separate container so that the database (Postgres in my case) is populated, and to do that once before the actual container is launched (so that the real container picks up the required configuration from the database). Importing the realm every time might be an alternative, as long as it doesn't overwrite any user info. I'll look into that. But hoping that there are better suggestions for this out there! Tim On 15/02/2016 08:40, Edgar Vonk - Info.nl wrote: > Hi Tim, > > We also struggle with this. What we do at the moment is we _always_ import the realm on startup of our Keycloak Docker container. 
Our current idea is that we will not have any runtime configuration changes in our realm at all, apart from filling the Keycloak caches. The idea being that runtime configuration changes are not automatable. We store our users and groups in LDAP/Active Directory and all realm configuration is stored in the realm JSON file in Git and imported every time. > > I was wondering: if you do change your realm configuration at runtime how do you deal with deployment automation? Is your idea to only import your realm definition once? If so, how would you deal with automating realm configuration changes? > > cheers > > Edgar > >> On 12 Feb 2016, at 16:14, Tim Dudgeon wrote: >> >> I've been struggling with a clean way to initialize the keycloak docker >> container. >> I need to import a realm definition, and the only way I can find is to >> start the image with the import options, wait for this to complete so >> that the database is populated and then to Ctrl-C out and to restart the >> container proper, which is hardly automatable. >> With 1.8 this also needs to include defining the admin user. >> >> Is there a cleaner way of achieving this? >> For instance, with the postgres docker images you just put any >> initialisation *.sql or *.sh scripts in a specific directory and they >> get executed the first time the server starts. >> >> Tim >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Mon Feb 15 04:45:50 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 15 Feb 2016 10:45:50 +0100 Subject: [keycloak-user] initialising docker In-Reply-To: <56C194CE.5080401@gmail.com> References: <56BDF6D3.2020105@gmail.com> <56C194CE.5080401@gmail.com> Message-ID: We are planning on at some point to add an import directory. You can dump a realm json file in there and Keycloak will only import it once. 
It would use the hash of the file and add a marker to the db to make sure it's only done once, even if you delete the realm in the db. Not sure when or even if this will be added though. Another option is that it would be relatively easy to extend the Docker image to import a file only the first time it's started. On 15 Feb 2016 10:06, "Tim Dudgeon" wrote: > Hi Edgar, > > Well, the way I'm doing it now (which I don't like at all, hence the > original post), is to run the startup script in a separate container so > that the database (Postgres in my case) is populated, and to do that > once before the actual container is launched (so that the real container > picks up the required configuration from the database). > Importing the realm every time might be an alternative, as long as it > doesn't overwrite any user info. I'll look into that. > But hoping that there are better suggestions for this out there! > > Tim > > On 15/02/2016 08:40, Edgar Vonk - Info.nl wrote: > > Hi Tim, > > > > We also struggle with this. What we do at the moment is we _always_ > import the realm on startup of our Keycloak Docker container. Our current > idea is that we will not have any runtime configuration changes in our > realm at all, apart from filling the Keycloak caches. The idea being that > runtime configuration changes are not automatable. We store our users and > groups in LDAP/Active Directory and all realm configuration is stored in > the realm JSON file in Git and imported every time. > > > > I was wondering: if you do change your realm configuration at runtime how > do you deal with deployment automation? Is your idea to only import your > realm definition once? If so, how would you deal with automating realm > configuration changes? > > > > cheers > > > > Edgar > > > >> On 12 Feb 2016, at 16:14, Tim Dudgeon wrote: > >> > >> I've been struggling with a clean way to initialize the keycloak docker > >> container. 
> >> I need to import a realm definition, and the only way I can find is to > >> start the image with the import options, wait for this to complete so > >> that the database is populated and then to Ctrl-C out and to restart the > >> container proper, which is hardly automatable. > >> With 1.8 this also needs to include defining the admin user. > >> > >> Is there a cleaner way of achieving this? > >> For instance, with the postgres docker images you just put any > >> initialisation *.sql or *.sh scripts in a specific directory and they > >> get executed the first time the server starts. > >> > >> Tim > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160215/81297f38/attachment.html From Edgar at info.nl Mon Feb 15 05:37:33 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Mon, 15 Feb 2016 10:37:33 +0000 Subject: [keycloak-user] initialising docker In-Reply-To: References: <56BDF6D3.2020105@gmail.com> <56C194CE.5080401@gmail.com> Message-ID: <08FB342B-FE2F-45E6-A983-9A1084CE35F3@info.nl> Hi Stian, Ok, thanks. Say that you would only import a realm once. How then would you typically deal with changes in the realm configuration in an automated deployment situation? We do not want any manual steps in our deployment and so we want all Keycloak realm changes managed from our Git repository. Does Keycloak support some kind of update/delta mechanism that we can use to automate realm configuration changes? cheers Edgar On 15 Feb 2016, at 10:45, Stian Thorgersen > wrote: We are planning on at some point to add an import directory. 
You can dump a realm json file in there and Keycloak will only import it once. It would use the hash of the file and add a marker to the db to make sure it's only done once, even if you delete the realm in the db. Not sure when or even if this will be added though. Another option is that it would be relatively easy to extend the Docker image to import a file only first time it's started. On 15 Feb 2016 10:06, "Tim Dudgeon" > wrote: Hi Edgar, Well, the way I'm doing it now (which I don't like at all, hence the original post), is to run the startup script in a separate container so that the database (Postgres in my case) is populated, and to do that once before the actual container is launched (so that the real container picks up the required configuration from the database). Importing the realm every time might be an alternative, as long is it doesn't over-write any user info. I'll look into that. But hoping that there are better suggestions for this out there! Tim On 15/02/2016 08:40, Edgar Vonk - Info.nl wrote: > Hi Tim, > > We also struggle with this. What we do at the moment is we _always_ import the realm on startup of our Keycloak Docker container. Our current idea is that we will not have any runtime configuration changes in our realm at all, apart from filling the Keycloak caches. The idea being that runtime configuration changes are not automatable. We store our users and groups in LDAP/Active Directory and all realm configuration is stored in the realm JSON file in Git and imported every time. > > I was wondering: if you do change your realm configuration runtime how do you deal with deployment automation? Is your idea to only import your realm definition once? If so, how would you deal with automating realm configuration changes? > > cheers > > Edgar > >> On 12 Feb 2016, at 16:14, Tim Dudgeon > wrote: >> >> I've been struggling with a clean way to initialize the keycloak docker >> container. 
>> I need to import a realm definition, and the only way I can find is it >> start the image with the import options, wait for this to complete so >> that the database is populated and then to Ctrl-C out and to restart the >> container proper, which is hardly automatable. >> With 1.8 this also needs to include defining the admin user. >> >> Is there a cleaner way of achieving this? >> For instance, with the postgres docker images you just put any >> initialisation *.sql or *.sh scripts in a specific directory and they >> get executed first time the server starts. >> >> Tim >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160215/529ece45/attachment.html From sthorger at redhat.com Mon Feb 15 06:10:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 15 Feb 2016 12:10:26 +0100 Subject: [keycloak-user] initialising docker In-Reply-To: <08FB342B-FE2F-45E6-A983-9A1084CE35F3@info.nl> References: <56BDF6D3.2020105@gmail.com> <56C194CE.5080401@gmail.com> <08FB342B-FE2F-45E6-A983-9A1084CE35F3@info.nl> Message-ID: We don't support anything like that and it would have to be written to use the rest endpoints so it can check the live db. Maybe it's something we should consider for the future. It wouldn't be trivial to implement I think. On 15 Feb 2016 11:37, "Edgar Vonk - Info.nl" wrote: > Hi Stian, > > Ok, thanks. > > Say that you would only import a realm once. How then would you typically > deal with changes in the realm configuration in an automated deployment > situation? 
We do not want any manual steps in our deployment and so we want > all Keycloak realm changes managed from our Git repository. Does Keycloak > support some kind of update/delta mechanism that we can use to automated > realm configuration changes? > > cheers > > Edgar > > On 15 Feb 2016, at 10:45, Stian Thorgersen wrote: > > We are planning on at some point to add an import directory. You can dump > a realm json file in there and Keycloak will only import it once. It would > use the hash of the file and add a marker to the db to make sure it's only > done once, even if you delete the realm in the db. > > Not sure when or even if this will be added though. > > Another option is that it would be relatively easy to extend the Docker > image to import a file only first time it's started. > On 15 Feb 2016 10:06, "Tim Dudgeon" wrote: > >> Hi Edgar, >> >> Well, the way I'm doing it now (which I don't like at all, hence the >> original post), is to run the startup script in a separate container so >> that the database (Postgres in my case) is populated, and to do that >> once before the actual container is launched (so that the real container >> picks up the required configuration from the database). >> Importing the realm every time might be an alternative, as long is it >> doesn't over-write any user info. I'll look into that. >> But hoping that there are better suggestions for this out there! >> >> Tim >> >> On 15/02/2016 08:40, Edgar Vonk - Info.nl wrote: >> > Hi Tim, >> > >> > We also struggle with this. What we do at the moment is we _always_ >> import the realm on startup of our Keycloak Docker container. Our current >> idea is that we will not have any runtime configuration changes in our >> realm at all, apart from filling the Keycloak caches. The idea being that >> runtime configuration changes are not automatable. 
We store our users and >> groups in LDAP/Active Directory and all realm configuration is stored in >> the realm JSON file in Git and imported every time. >> > >> > I was wondering: if you do change your realm configuration runtime how >> do you deal with deployment automation? Is your idea to only import your >> realm definition once? If so, how would you deal with automating realm >> configuration changes? >> > >> > cheers >> > >> > Edgar >> > >> >> On 12 Feb 2016, at 16:14, Tim Dudgeon wrote: >> >> >> >> I've been struggling with a clean way to initialize the keycloak docker >> >> container. >> >> I need to import a realm definition, and the only way I can find is it >> >> start the image with the import options, wait for this to complete so >> >> that the database is populated and then to Ctrl-C out and to restart >> the >> >> container proper, which is hardly automatable. >> >> With 1.8 this also needs to include defining the admin user. >> >> >> >> Is there a cleaner way of achieving this? >> >> For instance, with the postgres docker images you just put any >> >> initialisation *.sql or *.sh scripts in a specific directory and they >> >> get executed first time the server starts. >> >> >> >> Tim >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
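One way to realise the two ideas Stian describes above (an import keyed on the hash of the realm file so it runs only once, and a Docker image that imports only the first time it starts), written as an added example for this thread rather than code from the thread or from the Keycloak project. It is an entrypoint helper that records a marker per file hash on a persistent volume; the marker directory, the realm file path and the KEYCLOAK_IMPORT_CMD hook that performs the actual import are assumptions. A changed file gets a new hash and is imported again, and a failed import leaves no marker so it is retried on the next start.

```shell
#!/bin/sh
# Added example (not Keycloak project code): import a realm file only the
# first time a container starts, keyed on the file's SHA-256.
# Assumptions: REALM_FILE points at the realm JSON, MARKER_DIR is on a
# persistent volume, and KEYCLOAK_IMPORT_CMD is whatever performs the
# actual import (for instance a one-off server run with the
# -Dkeycloak.migration.* properties quoted earlier in this archive).

REALM_FILE="${REALM_FILE:-/opt/jboss/keycloak/realm.json}"
MARKER_DIR="${MARKER_DIR:-/var/lib/keycloak-import}"
KEYCLOAK_IMPORT_CMD="${KEYCLOAK_IMPORT_CMD:-echo import}"

# Print the SHA-256 of a file with whichever tool the image provides.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# import_once REALM_FILE MARKER_DIR
# Returns 0 after a successful import, 3 when this exact file content was
# imported before (marker present), 2 when the file is unreadable and 1
# when the import command itself failed (no marker is written then).
import_once() {
    realm="$1"
    marker_dir="$2"
    [ -r "$realm" ] || { echo "realm file not readable: $realm" >&2; return 2; }
    mkdir -p "$marker_dir"
    digest=$(file_hash "$realm")
    marker="$marker_dir/$digest"
    if [ -e "$marker" ]; then
        echo "realm $realm already imported (sha256 $digest), skipping"
        return 3
    fi
    # Only record the marker on success so a failed import is retried.
    if $KEYCLOAK_IMPORT_CMD "$realm"; then
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$realm" > "$marker"
        echo "imported $realm (sha256 $digest)"
        return 0
    fi
    echo "import of $realm failed, no marker written" >&2
    return 1
}

# Entrypoint usage: run the guarded import, then hand over to the server.
# import_once "$REALM_FILE" "$MARKER_DIR" || [ $? -eq 3 ] || exit 1
# exec /opt/jboss/keycloak/bin/standalone.sh "$@"
```

Because the marker is keyed on content rather than on the file name, editing the realm JSON in Git and redeploying triggers exactly one further import, which is the closest a file-level mechanism can get to the update behaviour Edgar asks about; it does not diff against the live database the way Stian's REST-based approach would.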
From psilva at redhat.com Mon Feb 15 07:37:39 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 15 Feb 2016 07:37:39 -0500 (EST)
Subject: [keycloak-user] Course and Fine Grained Entitlements
In-Reply-To: <1185803635.2852362.1455333458464.JavaMail.yahoo@mail.yahoo.com>
References: <56B24EFA.7050100@redhat.com> <1185803635.2852362.1455333458464.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <438676051.22848757.1455539859144.JavaMail.zimbra@redhat.com>

Hi All,

@Raghu, I think we are already discussing this on GitHub :)

The understanding from both Guy Davis and Raghu is correct. Currently, KC provides coarse-grained authz based on vanilla OAuth2 and roles/scopes within an access token. There are no fine-grained permissions where you can define permissions such as which actions an identity is allowed to perform on a protected resource. Today, you need something on the app side to handle that.

The whole idea behind Keycloak AuthZ is to leverage KC capabilities in order to provide a Policy Administration Point (based on the KC admin console), a Policy Decision Point (based on a RESTful API) and Policy Enforcement Points (something like KC adapters but for authz). Given that, KC will be able to support different access control models (ABAC, RBAC, GBAC, Risk or Context-based, etc) with a policy model that can be built around a specific resource (or a set of resources) in order to decide whether an access is granted or not.

Currently, that project provides a minimal UMA implementation and UIs to manage authorization policies, from where you can even simulate them to check the outcome before actually enforcing them in your application. There is also some initial implementation of a JAX-RS based adapter that makes it easier to integrate with the Keycloak AuthZ server in order to enforce authorization for the protected resources.

From a UMA perspective, we are also planning to support more advanced use cases where a user can authorize another to access his resource, but currently we are focusing on API security use cases.

So, the list of things we are planning is pretty big and I hope to have some decisions around this project after our meeting which will happen next month. More details can be found here [1].

[1] https://github.com/pedroigor/keycloak-authz

Regards.
Pedro Igor

----- Original Message -----
From: "Raghuram Prabhala"
To: "Bill Burke" , keycloak-user at lists.jboss.org
Sent: Saturday, February 13, 2016 1:17:38 AM
Subject: Re: [keycloak-user] Course and Fine Grained Entitlements

Even our organization is looking for UMA modules (there are already a few vendors who offer some version of UMA) and a couple of months back I tried out something that Pedro put together which works with an old version of Keycloak. While I didn't explore the features in detail, I found that to be very nicely integrated with keycloak and definitely in the right direction. If anyone wants to look at it, here is the link. Please make sure you follow all the build instructions (see https://github.com/pedroigor/keycloak-authz/issues/31 also)

https://github.com/pedroigor/keycloak-authz

Raghu

From: Bill Burke
To: keycloak-user at lists.jboss.org
Sent: Wednesday, February 3, 2016 2:03 PM
Subject: Re: [keycloak-user] Course and Fine Grained Entitlements

Pedro is working on that...He has some stuff. Hope he responds. Not going to be part of Keycloak until 2.0 though. And yes, it's around UMA.

On 2/3/2016 1:47 PM, Guy Davis wrote:
Hi Lars,

Good question. My organization is also asking similar questions about adopting Keycloak. Let me give my understanding as a user, then the Keycloak team can correct my misunderstandings.

Basically, Keycloak offers coarse-grained authorizations (realm roles and client-app roles) assigned to users (or groups). So I understand Keycloak will let you grant user Bob the 'myapp-admin' role. However, it falls to the backend service or application to then map that role to application-specific permissions. For example, role 'myapp-admins' can access the /myapp/project1/admin page. This resource security can be done (for Java apps) in declarative fashion using web.xml security constraints. Alternatively, your application code could dynamically obtain the Keycloak user principal, check their roles, and map into your app's permission scheme.

This understanding implies that your application is responsible for an admin UI to map fine-grained permissions on your app's resources to Keycloak roles. If your app only has 'coarse-grained' resources, then you can probably just use Keycloak roles, with no need for a permission layer or the UI it entails. Also, see this preamble about Permission Scopes.

In future, it sounds like the Keycloak team is considering support for the UMA portion of the OAuth standard. This may help with fine-grained permission management within Keycloak itself?

Hope this helps,
Guy

On Tue, Feb 2, 2016 at 8:29 PM, Lars Noldan < lars.noldan at drillinginfo.com > wrote:
We're in the investigation stage on moving from a $BigExpensiveVendor solution toward keycloak, and we're looking for a solution to help manage both coarse and fine grained entitlements. Keycloak appears to be a fantastic authentication solution, but I'm wondering what are you, the keycloak community, using to handle Authorization?

Thanks!
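The "application code could dynamically obtain the Keycloak user principal, check their roles, and map into your app's permission scheme" approach Guy Davis describes above, as an added example written for this thread; it is not code from the thread, from Guy, or from the Keycloak project. It is a servlet filter that keeps a small table of (path prefix, HTTP methods, allowed roles) permissions and denies anything the table does not cover. The package name and the permission table are constructed for illustration; the filter assumes a Keycloak servlet adapter runs in front of it, so that request.getUserPrincipal() and request.isUserInRole() reflect the roles in the access token.

```java
// Added example, written for this thread; not code from the thread or from
// the Keycloak project. Keycloak supplies coarse roles (realm or client);
// the application decides which (path, HTTP method) pairs each role may use.
// Assumed: a Keycloak servlet adapter authenticates the request first, so
// getUserPrincipal() and isUserInRole() reflect the token's roles.
package example.authz; // hypothetical package name

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RolePermissionFilter implements Filter {

    /** One application permission: roles allowed to use given methods under a path prefix. */
    static final class Permission {
        final String pathPrefix;
        final Set<String> methods;
        final Set<String> roles;

        Permission(String pathPrefix, Set<String> methods, Set<String> roles) {
            this.pathPrefix = pathPrefix;
            this.methods = methods;
            this.roles = roles;
        }
    }

    private final List<Permission> table = new ArrayList<>();

    @Override
    public void init(FilterConfig config) {
        // Constructed sample table; a real application loads its own mapping.
        table.add(new Permission("/myapp/project1/admin", setOf("GET", "POST"), setOf("myapp-admin")));
        table.add(new Permission("/myapp/project1", setOf("GET"), setOf("myapp-admin", "myapp-viewer")));
    }

    /**
     * Decision function, kept free of servlet types so it can be unit tested.
     * The most specific (longest) matching prefix decides, so the admin rule
     * wins over the broader project rule; anything unmatched is denied, which
     * keeps new paths closed until a permission is added for them.
     */
    static boolean isAllowed(List<Permission> table, String path, String method, Predicate<String> hasRole) {
        Permission best = null;
        for (Permission p : table) {
            if (path.startsWith(p.pathPrefix)
                    && (best == null || p.pathPrefix.length() > best.pathPrefix.length())) {
                best = p;
            }
        }
        if (best == null || !best.methods.contains(method)) {
            return false;
        }
        return best.roles.stream().anyMatch(hasRole);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (request.getUserPrincipal() == null) {
            // The adapter should already have forced a login; treat its absence as unauthenticated.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!isAllowed(table, path, request.getMethod(), request::isUserInRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }

    private static Set<String> setOf(String... values) {
        return new HashSet<>(Arrays.asList(values));
    }
}
```

Register the filter in web.xml on the url-pattern it should guard (for the sample table, /myapp/*) and keep a security-constraint on the same paths so the adapter authenticates before the filter runs. Which roles isUserInRole() sees (realm roles or the client's resource roles) depends on the adapter configuration, so the names in the table must match whichever set the adapter exposes.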
From Edgar at info.nl Mon Feb 15 08:10:35 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 15 Feb 2016 13:10:35 +0000
Subject: [keycloak-user] Add custom protocol mapper
Message-ID: <6C7ABE03-7388-47E7-8A0E-E501B8EF816F@info.nl>

Hi,

We want to write our own custom protocol mapper where we add custom dynamic user attributes to the JWT tokens by querying our custom database.

However, if I am not mistaken there is no SPI for adding custom mappers? How would we go about adding our own protocol mapper most easily?

cheers

Edgar

From bburke at redhat.com Mon Feb 15 10:39:07 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 15 Feb 2016 10:39:07 -0500
Subject: [keycloak-user] Add custom protocol mapper
In-Reply-To: <6C7ABE03-7388-47E7-8A0E-E501B8EF816F@info.nl>
References: <6C7ABE03-7388-47E7-8A0E-E501B8EF816F@info.nl>
Message-ID: <56C1F11B.5090201@redhat.com>

There is an SPI, but it is unpublished. I haven't had time to polish it or document it. You can use it, but we can't guarantee it won't change.

https://github.com/keycloak/keycloak/tree/master/services/src/main/java/org/keycloak/protocol/oidc/mappers

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From Edgar at info.nl Mon Feb 15 11:03:10 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 15 Feb 2016 16:03:10 +0000
Subject: [keycloak-user] Add custom protocol mapper
In-Reply-To: <56C1F11B.5090201@redhat.com>
References: <6C7ABE03-7388-47E7-8A0E-E501B8EF816F@info.nl> <56C1F11B.5090201@redhat.com>
Message-ID:

Thanks Bill! We found this out indeed and managed to create our own mapper as a spike. Creating the Java class is easy enough and fine as it is. You also need to add the mapper to the list of available mappers in:
https://github.com/keycloak/keycloak/blob/master/services/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper

Our challenge now lies in how to integrate these code changes into our (Docker based) build process. Ideally we do not want to have to build Keycloak itself from source code. We really only want to build our custom mapper and somehow add it to the Keycloak distribution if at all possible. The Java class is the easy part I guess, but adding the mapper definition to the META-INF file seems a little harder.

cheers

From bburke at redhat.com Mon Feb 15 11:31:38 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 15 Feb 2016 11:31:38 -0500
Subject: [keycloak-user] Add custom protocol mapper
In-Reply-To:
References: <6C7ABE03-7388-47E7-8A0E-E501B8EF816F@info.nl> <56C1F11B.5090201@redhat.com>
Message-ID: <56C1FD6A.50607@redhat.com>

Search the documentation for how to add a provider. It works the same for a protocol mapper. You just need to have that /META-INF/services file in the jar that contains your mapper classes. You deploy that jar, and it should work. Again, there is documentation for other SPIs; packaging would work the same for a protocol mapper.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bruno at abstractj.org Mon Feb 15 12:43:39 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 15 Feb 2016 15:43:39 -0200
Subject: [keycloak-user] Cordova + Keycloak + Native Facebook login
In-Reply-To:
References:
Message-ID:

Hi Renann, which threads are you talking about? I fear I'm missing the context here.

On Fri, Feb 12, 2016 at 7:21 PM, Renann Prado wrote:
> Is Keycloak supporting native facebook already?
> I found at least 2 two-year old threads talking about native facebook login, but none of them seem to have a solution.
>
> Renann Prado

--
- abstractj

From akaya at expedia.com Tue Feb 16 01:59:21 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Tue, 16 Feb 2016 06:59:21 +0000
Subject: [keycloak-user] Disabling status cookie
Message-ID:

Hello,

I want my users to be able to login via API calls with or without requiring a browser. I looked at examples and found customer-app-cli, however I realised that even with manual login, the current workflow requires a browser to login. I found that every time this page loads we get a form with a different code:

http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob

In theory we should be able to just stick username and password in the body and be able to get a 302 response. However, when I get the curl equivalent of what the browser is doing I've gotten the below:

curl 'http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&execution=08d88824-1286-4455-b5d1-07240bda8efd' \
  -H 'Cookie: KEYCLOAK_STATE_CHECKER=a2teB_8_wfAfD9VtmV0DJhqDEuM9187r58mVW24Gfrg; KC_RESTART=eyJhbGciOiJIUzI1NiJ9.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.B5vuMj-fafRAS0gJ6m-OrU5cX0atABuWy252y5k7jr0' \
  -H 'Origin: http://localhost:8080' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Accept-Language: en-US,en;q=0.8' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
  -H 'Cache-Control: max-age=0' \
  -H 'Referer: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob' \
  -H 'Connection: keep-alive' \
  --data 'username=sarp&password=pass1234&login=Log+in' --compressed

I was hoping not to use the cookies and just change the code bit with a new request to the page mentioned above and expect a 302 response, however I am getting 500 responses saying an error occurred instead. I looked in the admin management console, but could not really find a way to disable cookies for the given client or the realm. I am guessing that one of those cookies is encrypting something that is required and not using it simply prevents logging in successfully.

So how can I disable this requirement?

Kind Regards,
Sarp Kaya
From Mohan.Radhakrishnan at cognizant.com Tue Feb 16 02:18:39 2016
From: Mohan.Radhakrishnan at cognizant.com (Mohan.Radhakrishnan at cognizant.com)
Date: Tue, 16 Feb 2016 07:18:39 +0000
Subject: [keycloak-user] Reset password flow
Message-ID:

Hi,

I have some details about how a password change flow would work in OAuth. But my knowledge of it is scanty. Can I ask how the general procedure works?

1. There is an identity service endpoint. Is this token endpoint unique for a client? So here the client is the AngularJS SPA that requests the bearer token.
2. This endpoint needs a current valid bearer token/client ID/client secret.

How is the password sent and updated using this flow?

Thanks,
Mohan
From Edgar at info.nl Tue Feb 16 03:37:11 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Tue, 16 Feb 2016 08:37:11 +0000
Subject: [keycloak-user] Add custom protocol mapper
In-Reply-To: <56C1FD6A.50607@redhat.com>
References: <6C7ABE03-7388-47E7-8A0E-E501B8EF816F@info.nl> <56C1F11B.5090201@redhat.com> <56C1FD6A.50607@redhat.com>
Message-ID: <8BDEA2D4-AB4E-4015-BE24-61E9160ACDF3@info.nl>

Ah, clear. Thanks a lot! That is exactly what we were looking for.

From lkrzyzan at redhat.com Tue Feb 16 04:58:03 2016
From: lkrzyzan at redhat.com (Libor Krzyzanek)
Date: Tue, 16 Feb 2016 10:58:03 +0100
Subject: [keycloak-user] How to find reference user guide for older verrsion
Message-ID: <9AF0CB93-4B21-4549-B20C-60690ECBE1EE@redhat.com>

hi,
I cannot find a link to the reference guide for 1.8.0.Final

http://keycloak.jboss.org/docs.html shows only 1.9.0.CR1 which doesn't have the version in the URL.

Thanks,

Libor Krzyžanek
jboss.org Development Team
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160216/786c4e74/attachment.html From bruno at abstractj.org Tue Feb 16 05:15:18 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 16 Feb 2016 10:15:18 +0000 Subject: [keycloak-user] How to find reference user guide for older verrsion In-Reply-To: <9AF0CB93-4B21-4549-B20C-60690ECBE1EE@redhat.com> References: <9AF0CB93-4B21-4549-B20C-60690ECBE1EE@redhat.com> Message-ID: I think you can just download the docs. Not sure if it helps http://www.redhat.com/j/elqNow/elqRedir.htm?ref=http://downloads.jboss.org/keycloak/1.8.0.Final/keycloak-docs-1.8.0.Final.zip On Tue, Feb 16, 2016 at 7:58 AM Libor Krzyzanek wrote: > hi, > I cannot find a link to reference guide for 1.8.0.Final > > http://keycloak.jboss.org/docs.html shows only 1.9.0.CR1 which doesn?t > have the version in the URL. > > Thanks, > > Libor Krzy?anek > jboss.org Development Team > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160216/63e007e0/attachment.html From lkrzyzan at redhat.com Tue Feb 16 05:16:55 2016 From: lkrzyzan at redhat.com (Libor Krzyzanek) Date: Tue, 16 Feb 2016 11:16:55 +0100 Subject: [keycloak-user] How to find reference user guide for older verrsion In-Reply-To: References: <9AF0CB93-4B21-4549-B20C-60690ECBE1EE@redhat.com> Message-ID: Ah in downloads. Ok. It helped. I thought that historical versions are online as well. Nevermind. Thanks, Libor Krzy?anek jboss.org Development Team > On Feb 16, 2016, at 11:15 AM, Bruno Oliveira wrote: > > I think you can just download the docs. 
> Not sure if it helps
> http://www.redhat.com/j/elqNow/elqRedir.htm?ref=http://downloads.jboss.org/keycloak/1.8.0.Final/keycloak-docs-1.8.0.Final.zip
>
>
> On Tue, Feb 16, 2016 at 7:58 AM Libor Krzyzanek wrote:
> hi,
> I cannot find a link to reference guide for 1.8.0.Final
>
> http://keycloak.jboss.org/docs.html shows only 1.9.0.CR1 which doesn't have the version in the URL.
>
> Thanks,
>
> Libor Krzyžanek
> jboss.org Development Team
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From leo.nunes at gjccorp.com.br Tue Feb 16 06:44:25 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Tue, 16 Feb 2016 11:44:25 +0000
Subject: [keycloak-user] Problems when using Javascript Adapter

Hi, I'm having a problem when using the Javascript Adapter with an application deployed on Tomcat 7 at localhost:8088 and using Keycloak 1.8.0.CR3 on localhost:8080.

I get the following error at the browser console when trying to call the keycloak.loadUserProfile() method.
XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/account. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8088' is therefore not allowed access. The response had HTTP status code 403.

And this when I try to call keycloak.loadUserProfile() method.
XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8088' is therefore not allowed access. The response had HTTP status code 403.
Details:
- If I don't login using keycloak.login() and just navigate to a restricted page configured at the web.xml and login, after I'm redirected to the restricted page, if I try to call keycloak.loadUserProfile() I get the same error.
- If I login using keycloak.login() and then call keycloak.loadUserProfile() or keycloak.loadUserProfile(), it works.
- If I navigate to another page and try to call keycloak.loadUserProfile() or keycloak.loadUserProfile(), I get the same error.
- It only works right after I login; if I navigate to another page it won't work anymore.

This is my keycloak.json file
{
  "realm": "demo",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "accounts-teste",
  "public-client": true,
  "enable-cors": true
}

--
Leonardo Nunes

________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
From bruno at abstractj.org Tue Feb 16 06:49:50 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 16 Feb 2016 11:49:50 +0000
Subject: [keycloak-user] Problems when using Javascript Adapter

I believe that your issue is related to CORS, take a look at the examples https://github.com/keycloak/keycloak/tree/master/examples/cors and the documentation as well http://keycloak.github.io/docs/userguide/keycloak-server/html/cors.html.

On Tue, Feb 16, 2016 at 9:44 AM LEONARDO NUNES wrote:
> Hi, I'm having a problem when using the Javascript Adapter with an
> application deployed on Tomcat 7 at localhost:8088 and using Keycloak
> 1.8.0.CR3 on localhost:8080.
>
> I get the following error at the browser console when trying to call
> the keycloak.loadUserProfile() method.
> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/account.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://localhost:8088' is therefore not allowed access.
> The response had HTTP status code 403.
>
> And this when I try to call keycloak.loadUserProfile() method.
> XMLHttpRequest cannot load
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://localhost:8088' is therefore not allowed access.
> The response had HTTP status code 403.
>
> Details:
>
> - If I don't login using keycloak.login() and just navigate to a
> restricted page configured at the web.xml and login, after I'm redirected
> to the restricted page if I try to call keycloak.loadUserProfile() I get
> the same error.
> - If I login using keycloak.login() and then call
> keycloak.loadUserProfile() or keycloak.loadUserProfile() it works.
> - If I navigate to another page and try to call keycloak.loadUserProfile()
> or keycloak.loadUserProfile() I get the same error.
> - It only works right after I login, if I navigate to another page it
> won't work anymore.
>
> This is my keycloak.json file
> {
> "realm": "demo",
> "realm-public-key":
> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
> "auth-server-url": "http://localhost:8080/auth",
> "ssl-required": "external",
> "resource": "accounts-teste",
> "public-client": true,
> "enable-cors": true
> }
>
>
> --
> Leonardo Nunes
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From leo.nunes at gjccorp.com.br Tue Feb 16 07:23:01 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Tue, 16 Feb 2016 12:23:01 +0000
Subject: [keycloak-user] Problems when using Javascript Adapter

Bruno, thanks for the reply.
I have tried the cors example application and it works fine.
When I configure my application to login the way the cors example application does, it works also.

The problem I see is that it calls the init method with the login-required, and this causes every page load to login again.
I have an event listener adapter that sends a request to our statistics server after every login; when I use the onLoad: 'login-required' then on every page load the listener for login is called.
keycloakAuth.init({ onLoad: 'login-required' })

One thing I got confused about is, when I use the Javascript Adapter, then I don't have to configure keycloak at the web.xml?
Or can I still configure at the web.xml, define the restricted urls and also use the Javascript Adapter?

I might be using the Javascript Adapter not the way it was designed to be used.

--
Leonardo Nunes

From: Bruno Oliveira
Date: Tuesday, 16 February 2016 09:49
To: Leonardo Nunes, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Problems when using Javascript Adapter

I believe that your issue is related to CORS, take a look at the examples https://github.com/keycloak/keycloak/tree/master/examples/cors and the documentation as well http://keycloak.github.io/docs/userguide/keycloak-server/html/cors.html.

On Tue, Feb 16, 2016 at 9:44 AM LEONARDO NUNES wrote:
Hi, I'm having a problem when using the Javascript Adapter with an application deployed on Tomcat 7 at localhost:8088 and using Keycloak 1.8.0.CR3 on localhost:8080.

I get the following error at the browser console when trying to call the keycloak.loadUserProfile() method.
XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/account. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8088' is therefore not allowed access. The response had HTTP status code 403.

And this when I try to call keycloak.loadUserProfile() method.
XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8088' is therefore not allowed access. The response had HTTP status code 403.

Details:
- If I don't login using keycloak.login() and just navigate to a restricted page configured at the web.xml and login, after I'm redirected to the restricted page if I try to call keycloak.loadUserProfile() I get the same error.
- If I login using keycloak.login() and then call keycloak.loadUserProfile() or keycloak.loadUserProfile() it works.
- If I navigate to another page and try to call keycloak.loadUserProfile() or keycloak.loadUserProfile() I get the same error.
- It only works right after I login, if I navigate to another page it won't work anymore.

This is my keycloak.json file
{
  "realm": "demo",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "accounts-teste",
  "public-client": true,
  "enable-cors": true
}

--
Leonardo Nunes
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Tue Feb 16 07:38:43 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 16 Feb 2016 07:38:43 -0500
Subject: [keycloak-user] Disabling status cookie
Message-ID: <56C31853.1080904@redhat.com>

See our direct grant API. Here's an example:

https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java

I *STRONGLY* suggest you do not use the direct grant API for browser-based applications. Otherwise you lose 90% of the features of Keycloak. Use the direct grant API for REST clients, that's what it was designed for.

On 2/16/2016 1:59 AM, Sarp Kaya wrote:
> Hello,
>
> I want my users to be able to login via API calls with or without
> requiring a browser. I looked at examples and found customer-app-cli,
> however I realised that even with manual login, the current workflow
> requires a browser to login.
> I found that every time when
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob
>
> this page loads we get a form with a different code. In theory we
> should be able to just stick username and password in the body and be
> able to get 302 response. However when I get the curl equivalent of
> what browser is doing I've gotten the below:
>
> curl
> 'http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&execution=08d88824-1286-4455-b5d1-07240bda8efd'
> -H 'Cookie:
> KEYCLOAK_STATE_CHECKER=a2teB_8_wfAfD9VtmV0DJhqDEuM9187r58mVW24Gfrg;
> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.[...].B5vuMj-fafRAS0gJ6m-OrU5cX0atABuWy252y5k7jr0'
> -H 'Origin: http://localhost:8080' -H 'Accept-Encoding: gzip, deflate'
> -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1'
> -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109
> Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded' -H
> 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
> -H 'Cache-Control: max-age=0' -H 'Referer:
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob'
> -H 'Connection: keep-alive' --data
> 'username=sarp&password=pass1234&login=Log+in' --compressed
>
> I was hoping not to use the cookies and just change the code bit with
> a new request to the page mentioned above and expect 302 response,
> however I am getting 500 responses saying error occurred instead.
>
> I looked on admin management console, but could not really find a way
> to disable cookies for the given client or the realm.
> I am guessing
> that one of those cookies are encrypting something that is required
> and not using it simply prevents logging in successfully. So how can I
> disable this requirement?
>
> Kind Regards,
> Sarp Kaya
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From marso at gmx.at Tue Feb 16 10:18:05 2016
From: marso at gmx.at (marso at gmx.at)
Date: Tue, 16 Feb 2016 16:18:05 +0100
Subject: [keycloak-user] NullPointerException - Authenticator - Cookie

An HTML attachment was scrubbed...

From sthorger at redhat.com Tue Feb 16 11:27:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 16 Feb 2016 17:27:26 +0100
Subject: [keycloak-user] Problems when using Javascript Adapter

Your HTML5 application should use the JavaScript adapter, not both as you are doing now. That is why you are getting an endless redirect loop, as both adapters just keep trying to login.

On 16 February 2016 at 13:23, LEONARDO NUNES wrote:
> Bruno thanks for the reply.
> I have tried the cors example application and it works fine.
> When I configure my application to login the way cors example application
> does, it works also.
>
> The problem I see is that it calls the init method with the
> login-required, and this causes every page load to login again.
> I have an event listener adapter that sends a request to our statistics
> server after every login, when I use the onLoad: 'login-required' then on
> every page load the listener for login is called.
> keycloakAuth.init({ onLoad: 'login-required' })
>
> One thing I got confused about is, when I use the Javascript Adapter, then I don't
> have to configure keycloak at the web.xml?
> Or can I still configure at the web.xml, define the restricted urls and
> also use the Javascript Adapter?
>
> I might be using the Javascript Adapter not the way it was designed to be
> used.
>
>
> --
> Leonardo Nunes
>
>
> From: Bruno Oliveira
> Date: Tuesday, 16 February 2016 09:49
> To: Leonardo Nunes, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Problems when using Javascript Adapter
>
> I believe that your issue is related to CORS, take a look at the examples
> https://github.com/keycloak/keycloak/tree/master/examples/cors and the
> documentation as well
> http://keycloak.github.io/docs/userguide/keycloak-server/html/cors.html.
>
>
> On Tue, Feb 16, 2016 at 9:44 AM LEONARDO NUNES wrote:
>
>> Hi, I'm having a problem when using the Javascript Adapter with an
>> application deployed on Tomcat 7 at localhost:8088 and using Keycloak
>> 1.8.0.CR3 on localhost:8080.
>>
>> I get the following error at the browser console when trying to call
>> the keycloak.loadUserProfile() method.
>> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/account.
>> No 'Access-Control-Allow-Origin' header is present on the requested
>> resource. Origin 'http://localhost:8088' is therefore not allowed
>> access. The response had HTTP status code 403.
>>
>> And this when I try to call keycloak.loadUserProfile() method.
>> XMLHttpRequest cannot load
>> http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo.
>> No 'Access-Control-Allow-Origin' header is present on the requested
>> resource. Origin 'http://localhost:8088' is therefore not allowed
>> access. The response had HTTP status code 403.
>>
>> Details:
>>
>> - If I don't login using keycloak.login() and just navigate to a
>> restricted page configured at the web.xml and login, after I'm redirected
>> to the restricted page if I try to call keycloak.loadUserProfile() I get
>> the same error.
>> - If I login using keycloak.login() and then call
>> keycloak.loadUserProfile() or keycloak.loadUserProfile() it works.
>> - If I navigate to another page and try to
>> call keycloak.loadUserProfile() or keycloak.loadUserProfile() I get the
>> same error.
>> - It only works right after I login, if I navigate to another page it
>> won't work anymore.
>>
>> This is my keycloak.json file
>> {
>> "realm": "demo",
>> "realm-public-key":
>> "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>> "auth-server-url": "http://localhost:8080/auth",
>> "ssl-required": "external",
>> "resource": "accounts-teste",
>> "public-client": true,
>> "enable-cors": true
>> }
>>
>>
>> --
>> Leonardo Nunes
>> ------------------------------
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dev at sgordon.totalise.co.uk Tue Feb 16 11:32:55 2016
From: dev at sgordon.totalise.co.uk (Simon Gordon)
Date: 16 Feb 2016 16:32:55 +0000
Subject: [keycloak-user] OpenShift cartridge - steps to follow?

Hi all

Sorry if this is a simple one, I'm struggling with OpenShift and the cartridge instructions.

-- Option 1 --

I've followed the steps at:
http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/openshift.html

Which points to
http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge

I guessed the URL was /auth (although no output told me that), but admin/admin login isn't working.

This cartridge I used a few months ago and I did manage to get this working - but now, no luck logging in.

-- Option 2 --

There is also the older docs at:
http://docs.jboss.org/keycloak/docs/1.0-alpha-1/userguide/html/openshift.html

Which says to use:
https://raw.githubusercontent.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml

This seems to lead to an 'empty' WildFly app server - at least, I can't find a URL to launch which actually provides a KeyCloak instance, and no output from creating the instance gives a hint.

I feel I'm missing something, although I'm following the guidance on the pages.

Any hints please anyone?
Cheers,
Simon

From smacksnr at hotmail.com Tue Feb 16 11:44:34 2016
From: smacksnr at hotmail.com (Bill Simakis)
Date: Tue, 16 Feb 2016 11:44:34 -0500
Subject: [keycloak-user] User Account access from client

I have a web app using the spring security adapter which I have successfully integrated for the authentication/authorization with KeyCloak. We wanted to make the user's life a little easier by providing a link within our app to allow an authenticated user to go to their Account page in KeyCloak. As this link is realm specific, is there a way we could get the url dynamically?

Thanks
Bill

From leo.nunes at gjccorp.com.br Tue Feb 16 11:55:01 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Tue, 16 Feb 2016 16:55:01 +0000
Subject: [keycloak-user] Problems when using Javascript Adapter

Stian, so how do I restrict URLs?
Do I need to place the keycloakAuth.init({ onLoad: 'login-required' }) at all pages I want to restrict and keycloakAuth.init({ onLoad: 'check-sso' }) at pages not restricted?

Does keycloakAuth.init({ onLoad: 'login-required' }) really login the user every time it's called?
Because my listener that implements EventListenerProvider enters the onEvent with EventType LOGIN every time the init method is called.

--
Leonardo Nunes

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Tuesday, 16 February 2016 14:27
To: Leonardo Nunes
Cc: Bruno Oliveira, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Problems when using Javascript Adapter

Your HTML5 application should use the JavaScript adapter, not both as you are doing now. That is why you are getting an endless redirect loop, as both adapters just keep trying to login.

On 16 February 2016 at 13:23, LEONARDO NUNES wrote:
Bruno, thanks for the reply.
I have tried the cors example application and it works fine.
When I configure my application to login the way the cors example application does, it works also.
The problem I see is that it calls the init method with the login-required, and this causes every page load to login again.
I have an event listener adapter that sends a request to our statistics server after every login; when I use the onLoad: 'login-required' then on every page load the listener for login is called.
keycloakAuth.init({ onLoad: 'login-required' })

One thing I got confused about is, when I use the Javascript Adapter, then I don't have to configure keycloak at the web.xml?
Or can I still configure at the web.xml, define the restricted urls and also use the Javascript Adapter?

I might be using the Javascript Adapter not the way it was designed to be used.

--
Leonardo Nunes

From: Bruno Oliveira
Date: Tuesday, 16 February 2016 09:49
To: Leonardo Nunes, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] Problems when using Javascript Adapter

I believe that your issue is related to CORS, take a look at the examples https://github.com/keycloak/keycloak/tree/master/examples/cors and the documentation as well http://keycloak.github.io/docs/userguide/keycloak-server/html/cors.html.

On Tue, Feb 16, 2016 at 9:44 AM LEONARDO NUNES wrote:
Hi, I'm having a problem when using the Javascript Adapter with an application deployed on Tomcat 7 at localhost:8088 and using Keycloak 1.8.0.CR3 on localhost:8080.

I get the following error at the browser console when trying to call the keycloak.loadUserProfile() method.
XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/account. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8088' is therefore not allowed access. The response had HTTP status code 403.

And this when I try to call keycloak.loadUserProfile() method.
XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo. No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:8088' is therefore not allowed access. The response had HTTP status code 403.

Details:
- If I don't login using keycloak.login() and just navigate to a restricted page configured at the web.xml and login, after I'm redirected to the restricted page if I try to call keycloak.loadUserProfile() I get the same error.
- If I login using keycloak.login() and then call keycloak.loadUserProfile() or keycloak.loadUserProfile() it works.
- If I navigate to another page and try to call keycloak.loadUserProfile() or keycloak.loadUserProfile() I get the same error.
- It only works right after I login, if I navigate to another page it won't work anymore.

This is my keycloak.json file
{
  "realm": "demo",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "accounts-teste",
  "public-client": true,
  "enable-cors": true
}

--
Leonardo Nunes
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From prado.renann at gmail.com Tue Feb 16 12:00:56 2016
From: prado.renann at gmail.com (Renann Prado)
Date: Tue, 16 Feb 2016 15:00:56 -0200
Subject: [keycloak-user] Problems when using Javascript Adapter

If you are not running on the CORS issue, have you tried to set your web origins properly?

Remember that http://localhost:8080 != localhost:8080

On Feb 16, 2016 14:55, "LEONARDO NUNES" wrote:
> Stian, so how do I restrict URLs?
> Do I need to place the keycloakAuth.init({ onLoad: 'login-required' }) at
> all pages I want to restrict and keycloakAuth.init({ onLoad: 'check-sso' })
> at pages not restricted?
>
> Does keycloakAuth.init({ onLoad: 'login-required' }) really login the user
> every time it's called?
> Because my listener that implements EventListenerProvider enters the
> onEvent with EventType LOGIN every time init method is called.
>
>
> --
> Leonardo Nunes
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Tuesday, 16 February 2016 14:27
> To: Leonardo Nunes
> Cc: Bruno Oliveira, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] Problems when using Javascript Adapter
>
> Your HTML5 application should use the JavaScript adapter, not both as you
> are doing now. That is why you are getting an endless redirect loop as both
> adapters just keep trying to login.
>
> On 16 February 2016 at 13:23, LEONARDO NUNES wrote:
>
>> Bruno thanks for the reply.
>> I have tried the cors example application and it works fine.
>> When I configure my application to login the way cors example application
>> does, it works also.
>>
>> The problem I see is that it calls the init method with the
>> login-required, and this causes every page load to login again.
>> I have an event listener adapter that sends a request to our statistics
>> server after every login, when I use the onLoad: 'login-required' then on
>> every page load the listener for login is called.
>> keycloakAuth.init({ onLoad: 'login-required' })
>>
>> One thing I got confused about is, when I use the Javascript Adapter, then I
>> don't have to configure keycloak at the web.xml?
>> Or can I still configure at the web.xml, define the restricted urls and
>> also use the Javascript Adapter?
>>
>> I might be using the Javascript Adapter not the way it was designed to be
>> used.
>>
>>
>> --
>> Leonardo Nunes
>>
>>
>> From: Bruno Oliveira
>> Date: Tuesday, 16 February 2016 09:49
>> To: Leonardo Nunes, "keycloak-user at lists.jboss.org"
>> Subject: Re: [keycloak-user] Problems when using Javascript Adapter
>>
>> I believe that your issue is related to CORS, take a look at the examples
>> https://github.com/keycloak/keycloak/tree/master/examples/cors and the
>> documentation as well
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/cors.html.
>>
>>
>> On Tue, Feb 16, 2016 at 9:44 AM LEONARDO NUNES wrote:
>>
>>> Hi, I'm having a problem when using the Javascript Adapter with an
>>> application deployed on Tomcat 7 at localhost:8088 and using Keycloak
>>> 1.8.0.CR3 on localhost:8080.
>>>
>>> I get the following error at the browser console when trying to call
>>> the keycloak.loadUserProfile() method.
>>> XMLHttpRequest cannot load
>>> http://localhost:8080/auth/realms/demo/account. No
>>> 'Access-Control-Allow-Origin' header is present on the requested resource.
>>> Origin 'http://localhost:8088' is therefore not allowed access.
>>> The response had HTTP status code 403.
>>>
>>> And this when I try to call the keycloak.loadUserProfile() method.
>>> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8088' is therefore not allowed access. The response had HTTP status code 403.
>>>
>>> Details:
>>>
>>> - If I don't login using keycloak.login() and just navigate to a restricted page configured at the web.xml and login, after I'm redirected to the restricted page, if I try to call keycloak.loadUserProfile() I get the same error.
>>> - If I login using keycloak.login() and then call keycloak.loadUserProfile() or keycloak.loadUserProfile() it works.
>>> - If I navigate to another page and try to call keycloak.loadUserProfile() or keycloak.loadUserProfile() I get the same error.
>>> - It only works right after I login; if I navigate to another page it won't work anymore.
>>>
>>> This is my keycloak.json file
>>> {
>>>   "realm": "demo",
>>>   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
>>>   "auth-server-url": "http://localhost:8080/auth",
>>>   "ssl-required": "external",
>>>   "resource": "accounts-teste",
>>>   "public-client": true,
>>>   "enable-cors": true
>>> }
>>>
>>> --
>>> Leonardo Nunes
>>> ------------------------------
>>>
>>> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

From leo.nunes at gjccorp.com.br Tue Feb 16 12:19:15 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Tue, 16 Feb 2016 17:19:15 +0000
Subject: [keycloak-user] Problems when using Javascript Adapter

Renann, thank you for your reply. Now that I'm using just the Javascript Adapter I'm not having the CORS issue anymore. My doubt now is the last email I sent.
--
Leonardo Nunes
From bruno at abstractj.org Tue Feb 16 13:09:02 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 16 Feb 2016 18:09:02 +0000
Subject: [keycloak-user] OpenShift cartridge - steps to follow?

Hi Simon, it didn't work for me either. Although version 1.7.0.Final or higher will work just fine. Try this for example:

rhc app create your-app-name http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge?commit=1.7.0.Final

username: admin / password: admin

I hope it helps.

On Tue, Feb 16, 2016 at 2:33 PM Simon Gordon wrote:
> Hi all
>
> Sorry if this is a simple one, I'm struggling with OpenShift and the cartridge instructions
>
> -- Option 1 -- I've followed the steps at:
> http://docs.jboss.org/keycloak/docs/1.2.0.CR1/userguide/html/openshift.html
> Which points to
> http://cartreflect-claytondev.rhcloud.com/github/keycloak/openshift-keycloak-cartridge
>
> I guessed the URL was /auth (although no output told me that), but admin/admin login isn't working.
> This cartridge I used a few months ago and I did manage to get this working - but now, no luck logging in
>
> -- Option 2 -- There are also the older docs at:
> http://docs.jboss.org/keycloak/docs/1.0-alpha-1/userguide/html/openshift.html
> Which says to use:
> https://raw.githubusercontent.com/keycloak/openshift-keycloak-cartridge/master/metadata/manifest.yml
>
> This seems to lead to an 'empty' WildFly app server - at least, I can't find a URL to launch which actually provides a KeyCloak instance, and no output from creating the instance gives a hint
>
> I feel I'm missing something, although I'm following the guidance on the pages. Any hints please anyone?
>
> Cheers,
>
> Simon

From bruno at abstractj.org Tue Feb 16 13:22:08 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 16 Feb 2016 18:22:08 +0000
Subject: [keycloak-user] OpenShift cartridge - steps to follow?

Here is the thing: the display name at the cartridge is wrong. If we look at the repository https://github.com/keycloak/openshift-keycloak-cartridge, the cartridge itself makes use of 1.9.0.CR1, in which it's now mandatory to define your admin credentials. What you have to do:

1. Create the cartridge following the documentation instructions.
2. ssh 9384983948 at yourcartridge-blah.rhcloud.com
3. $WILDFLY_HOME/bin/add-user-keycloak.sh -u admin -p admin (of course it's not mandatory to be admin/admin :))
4. rhc app-restart yourapp

It must work. I will PR the repository to provide the correct display name.
From pblair at clearme.com Tue Feb 16 14:40:00 2016
From: pblair at clearme.com (Paul Blair)
Date: Tue, 16 Feb 2016 19:40:00 +0000
Subject: [keycloak-user] 1.8.1.Final SQL error

I've just installed Keycloak 1.8.1.Final in a clean environment with a new Postgres database instance. I'm getting an error on startup that the column direct_grants_only does not exist on the CLIENT table.
When I log in to the database I can confirm it's not there; otherwise the tables all seem to be set up, and the CLIENT table does have a direct_access_grants_enabled column.

I've verified that the server is running WildFly 10.0.0.Final and that all the Keycloak jars under ./modules/system/layers/base/org/keycloak/keycloak-core/main are 1.8.1.Final. I've diffed all the config files where we made changes against older versions of Keycloak and applied them to 1.8.1.Final, and nothing seems relevant.

Also odd is that I have two Keycloak instances running in two separate Docker containers and that I only see this error in one of them. They were both created at the same time by Terraform in exactly the same way.

Any idea what this might be coming from?

17:04:30,706 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 50) Load config from /opt/jboss/wildfly/standalone/configuration/keycloak-server.json
17:04:33,048 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Updating database
17:04:43,154 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Change Set META-INF/jpa-changelog-1.2.0.Final.xml::1.2.0.Final::keycloak failed.
Error: ERROR: column "direct_grants_only" does not exist Position: 59 [Failed SQL: UPDATE public.CLIENT SET DIRECT_GRANTS_ONLY = FALSE WHERE DIRECT_GRANTS_ONLY is null]: liquibase.exception.DatabaseException: ERROR: column "direct_grants_only" does not exist Position: 59 [Failed SQL: UPDATE public.CLIENT SET DIRECT_GRANTS_ONLY = FALSE WHERE DIRECT_GRANTS_ONLY is null]
Caused by: org.postgresql.util.PSQLException: ERROR: column "direct_grants_only" does not exist Position: 59
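As an added illustration (not code from this thread or from the Keycloak project), the following Python parses WildFly/Keycloak startup log records in the format shown above and turns a failed Liquibase change set into a structured finding, so a deployment check can refuse to put an instance whose schema update failed into service instead of letting it keep running on a half-migrated database. It assumes the default WildFly console pattern ("time LEVEL [logger] (thread) message") and that the change-set error and its Failed SQL are on the same record; the sample log is constructed from the lines in the report.

```python
"""Flag failed Liquibase change sets in Keycloak/WildFly startup logs."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, not a captured file: the two INFO lines and the ERROR
# line from the report above, followed by one stack frame and the root cause.
SAMPLE_LOG = """\
17:04:30,706 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 50) Load config from /opt/jboss/wildfly/standalone/configuration/keycloak-server.json
17:04:33,048 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Updating database
17:04:43,154 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Change Set META-INF/jpa-changelog-1.2.0.Final.xml::1.2.0.Final::keycloak failed. Error: ERROR: column "direct_grants_only" does not exist Position: 59 [Failed SQL: UPDATE public.CLIENT SET DIRECT_GRANTS_ONLY = FALSE WHERE DIRECT_GRANTS_ONLY is null]: liquibase.exception.DatabaseException: ERROR: column "direct_grants_only" does not exist
    at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316)
Caused by: org.postgresql.util.PSQLException: ERROR: column "direct_grants_only" does not exist Position: 59
"""

# One WildFly console record: "HH:MM:SS,mmm LEVEL [logger] (thread) message".
# Stack frames ("    at ...") and "Caused by:" lines do not match and are skipped.
RECORD_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
# Liquibase's failure message: "Change Set <file>::<id>::<author> failed. Error: ..."
CHANGESET_RE = re.compile(
    r"Change Set (?P<file>[^\s:]+)::(?P<id>[^:]+)::(?P<author>\S+) failed\.\s*"
    r"Error:\s*(?P<rest>.*)$"
)
FAILED_SQL_RE = re.compile(r"\[Failed SQL:\s*(?P<sql>[^\]]*)\]")
MISSING_COLUMN_RE = re.compile(r'column "(?P<column>[^"]+)" does not exist')


@dataclass(frozen=True)
class MigrationFailure:
    time: str
    changelog: str            # e.g. META-INF/jpa-changelog-1.2.0.Final.xml
    changeset_id: str         # e.g. 1.2.0.Final
    author: str
    error: str                # database error, without the "[Failed SQL: ...]" part
    failed_sql: Optional[str]
    missing_column: Optional[str]


def parse_failures(log_text: str) -> List[MigrationFailure]:
    """Return one MigrationFailure per change set that LiquibaseJpaUpdaterProvider
    reported as failed, in log order."""
    failures: List[MigrationFailure] = []
    for line in log_text.splitlines():
        rec = RECORD_RE.match(line)
        if rec is None or rec.group("level") != "ERROR":
            continue
        if not rec.group("logger").endswith("LiquibaseJpaUpdaterProvider"):
            continue
        cs = CHANGESET_RE.search(rec.group("msg"))
        if cs is None:
            continue
        rest = cs.group("rest")
        sql = FAILED_SQL_RE.search(rest)
        error = rest[: sql.start()].strip() if sql else rest.strip()
        col = MISSING_COLUMN_RE.search(error)
        failures.append(MigrationFailure(
            time=rec.group("time"),
            changelog=cs.group("file"),
            changeset_id=cs.group("id"),
            author=cs.group("author"),
            error=error,
            failed_sql=sql.group("sql").strip() if sql else None,
            missing_column=col.group("column") if col else None,
        ))
    return failures


def schema_update_completed(log_text: str) -> bool:
    """True when the updater ran ("Updating database") and no change set failed.
    An identity provider left running on a partially migrated schema should be
    treated as unhealthy by the deployment pipeline, not just logged."""
    started = False
    for line in log_text.splitlines():
        rec = RECORD_RE.match(line)
        if rec is not None and rec.group("msg") == "Updating database":
            started = True
    return started and not parse_failures(log_text)


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f"{f.time} {f.changelog}::{f.changeset_id}: {f.error}")
        if f.failed_sql:
            print("  failed SQL:", f.failed_sql)
    print("schema update completed:", schema_update_completed(SAMPLE_LOG))
```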
From mstrukel at redhat.com Tue Feb 16 16:08:21 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 16 Feb 2016 22:08:21 +0100
Subject: [keycloak-user] User Account access from client

You can take a look at how the example demo app does this:
https://github.com/keycloak/keycloak/blob/1.9.0.CR1/examples/demo-template/customer-app/src/main/webapp/customers/view.jsp#L16

On Tue, Feb 16, 2016 at 5:44 PM, Bill Simakis wrote:
> I have a web app using the spring security adapter which I have successfully integrated for authentication/authorization with KeyCloak.
> We wanted to make the user's life a little easier by providing a link within our app to allow an authenticated user to go to their Account page in KeyCloak. As this link is realm specific, is there a way we could get the url dynamically?
>
> Thanks
>
> Bill

From pblair at clearme.com Tue Feb 16 16:33:50 2016
From: pblair at clearme.com (Paul Blair)
Date: Tue, 16 Feb 2016 21:33:50 +0000
Subject: [keycloak-user] 1.8.1.Final SQL error

This doesn't seem to have recurred. Not sure what happened there.
From zaquas at gmail.com Tue Feb 16 18:59:13 2016
From: zaquas at gmail.com (Stefano Zaccaria)
Date: Wed, 17 Feb 2016 00:59:13 +0100
Subject: [keycloak-user] Use keycloak as I used picketlink

Hello to all,

I want to change from picketlink to keycloak. In my ee app I use keycloak CDI to check the user roles and grant with

    BasicModel.hasRole(relationshipManager, identity.getAccount(), BasicModel.getRole(identityManager, "admin"))

or

    AuthorizationUtil.hasRole(identity, partitionManager, "admin");

in my bean methods. How can I do the same thing with Keycloak?

Thanks in advance
Stefano

From psilva at redhat.com Tue Feb 16 20:37:17 2016
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 16 Feb 2016 20:37:17 -0500 (EST)
Subject: [keycloak-user] Use keycloak as I used picketlink
Message-ID: <880645123.23989036.1455673037969.JavaMail.zimbra@redhat.com>

Hi Stefano,

In KC you can use standard JEE security mechanisms to perform RBAC. Another thing you can do is obtain a KeycloakSecurityContext and get roles or any other claim from there. Something like:

    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.representations.AccessToken;

    // The adapter stores the security context as a request attribute keyed by the class name
    KeycloakSecurityContext securityContext = (KeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
    AccessToken token = securityContext.getToken();
    AccessToken.Access realmAccess = token.getRealmAccess();
    // realmAccess is null when the token carries no realm_access claim
    if (realmAccess != null && realmAccess.isUserInRole("admin")) {
        // do admin stuff
    }

You can use a lot of information from the AccessToken to perform local authorization checks. Above is RBAC, but you can also use claims to perform ABAC, for instance.

Regards.
Pedro Igor

----- Original Message -----
From: "Stefano Zaccaria"
To: keycloak-user at lists.jboss.org
Sent: Tuesday, February 16, 2016 9:59:13 PM
Subject: [keycloak-user] Use keycloak as I used picketlink

Hello to all,

I want to change from picketlink to keycloak. In my EE app I use keycloak CDI to check the user roles and grant with

    BasicModel.hasRole(relationshipManager, identity.getAccount(), BasicModel.getRole(identityManager, "admin"))

or

    AuthorizationUtil.hasRole(identity, partitionManager, "admin");

in my bean methods. How can I do the same thing with Keycloak?

Thanks in advance
Stefano

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From akaya at expedia.com Wed Feb 17 00:55:30 2016
From: akaya at expedia.com (Sarp Kaya)
Date: Wed, 17 Feb 2016 05:55:30 +0000
Subject: [keycloak-user] Disabling status cookie
In-Reply-To: <56C31853.1080904@redhat.com>
References: <56C31853.1080904@redhat.com>
Message-ID:

Thanks for the suggestion. It works just as expected.

I was also wondering how the direct grant API would use TOTP? I tried using it; before configuring I received

    {"error_description":"Account is not fully set up","error":"invalid_grant"}

however after setting up the account I kept getting

    {"error_description":"Invalid user credentials","error":"invalid_grant"}

This is how I requested:

    curl -X POST 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token' --data 'username=sarp&password=pass1234&grant_type=password&client_id=admin-cli' -v

Have I done something incorrect when requesting a token?

From: > on behalf of Bill Burke >
Date: Tuesday, February 16, 2016 at 10:38 PM
To: "keycloak-user at lists.jboss.org" >
Subject: Re: [keycloak-user] Disabling status cookie

See our direct grant API.
Here's an example:

https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java

I *STRONGLY* suggest you do not use the direct grant API for browser-based applications. Otherwise you lose 90% of the features of Keycloak. Use the direct grant API for REST clients, that's what it was designed for.

On 2/16/2016 1:59 AM, Sarp Kaya wrote:

Hello,

I want my users to be able to login via API calls with or without requiring a browser. I looked at examples and found customer-app-cli, however I realised that even with manual login, the current workflow requires a browser to login. I found that every time this page loads:

    http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob

we get a form with a different code. In theory we should be able to just stick username and password in the body and be able to get a 302 response.
However, when I get the curl equivalent of what the browser is doing, I've gotten the below:

    curl 'http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&execution=08d88824-1286-4455-b5d1-07240bda8efd' \
      -H 'Cookie: KEYCLOAK_STATE_CHECKER=a2teB_8_wfAfD9VtmV0DJhqDEuM9187r58mVW24Gfrg; KC_RESTART=eyJhbGciOiJIUzI1NiJ9.eyJjcyI6IjQzMWRiM2U4LTYyMzQtNGJhNS04ODE4LWVkMDMzNWI4ZWU3MiIsImNpZCI6ImN1c3RvbWVyLXBvcnRhbC1jbGkiLCJwdHkiOiJvcGVuaWQtY29ubmVjdCIsInJ1cmkiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtby9wcm90b2NvbC9vcGVuaWQtY29ubmVjdC9vYXV0aC9vb2IiLCJhY3QiOiJBVVRIRU5USUNBVEUiLCJub3RlcyI6eyJhY3Rpb25fa2V5IjoiYTA1MzFlNTYtZjk0Zi00NmM4LWFlNGUtNjQ4MDUyNDc2ZjEwIiwiYXV0aF90eXBlIjoiY29kZSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9hdXRoL3JlYWxtcy9kZW1vIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJ1cm46aWV0Zjp3ZzpvYXV0aDoyLjA6b29iIn19.B5vuMj-fafRAS0gJ6m-OrU5cX0atABuWy252y5k7jr0' \
      -H 'Origin: http://localhost:8080' \
      -H 'Accept-Encoding: gzip, deflate' \
      -H 'Accept-Language: en-US,en;q=0.8' \
      -H 'Upgrade-Insecure-Requests: 1' \
      -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' \
      -H 'Cache-Control: max-age=0' \
      -H 'Referer: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob' \
      -H 'Connection: keep-alive' \
      --data 'username=sarp&password=pass1234&login=Log+in' --compressed

I was hoping not to use the cookies and just change the code bit with a new request to the page mentioned above and expect a 302 response; however, I am getting 500 responses saying an error occurred instead.
I looked in the admin management console, but could not really find a way to disable cookies for the given client or the realm. I am guessing that one of those cookies is encrypting something that is required, and not using it simply prevents logging in successfully. So how can I disable this requirement?

Kind Regards,
Sarp Kaya

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160217/df2c5d6d/attachment.html

From mposolda at redhat.com Wed Feb 17 02:42:02 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 17 Feb 2016 08:42:02 +0100
Subject: [keycloak-user] 1.8.1.Final SQL error
In-Reply-To:
References:
Message-ID: <56C4244A.2090606@redhat.com>

Ah, good to know, as here PostgreSQL works fine. I guess your DB wasn't properly cleaned, but just partially, which is the worst situation as the DB is in an inconsistent state and Keycloak can't solve this type of DB mess. Keycloak is supposed to handle a start against an empty DB or an upgrade against a DB from a previous version.

Marek

On 16/02/16 22:33, Paul Blair wrote:
> This doesn't seem to have recurred. Not sure what happened there.
>
> From: > on behalf of "pblair at clearme.com " >
> Date: Tuesday, February 16, 2016 at 2:40 PM
> To: "keycloak-user at lists.jboss.org " >
> Subject: [keycloak-user] 1.8.1.Final SQL error
>
> I've just installed Keycloak 1.8.1.Final in a clean environment with a new Postgres database instance. I'm getting an error on startup that the column direct_grants_only does not exist on the CLIENT table. When I log in to the database I can confirm it's not there; otherwise the tables all seem to be set up, and the CLIENT table does have a direct_access_grants_enabled column.
> I've verified that the server is running WildFly 10.0.0.Final and that all the Keycloak jars under ./modules/system/layers/base/org/keycloak/keycloak-core/main are 1.8.1.Final. I've diffed all the config files where we made changes against older versions of Keycloak and applied them to 1.8.1.Final, and nothing seems relevant.
>
> Also odd is that I have two Keycloak instances running in two separate Docker containers and that I only see this error in one of them. They were both created at the same time by Terraform in exactly the same way.
>
> Any idea what this might be coming from?
>
> 17:04:30,706 INFO [org.keycloak.services.resources.KeycloakApplication] (ServerService Thread Pool -- 50) Load config from /opt/jboss/wildfly/standalone/configuration/keycloak-server.json
> 17:04:33,048 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Updating database
> 17:04:43,154 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 50) Change Set META-INF/jpa-changelog-1.2.0.Final.xml::1.2.0.Final::keycloak failed.
> Error: ERROR: column "direct_grants_only" does not exist
> Position: 59 [Failed SQL: UPDATE public.CLIENT SET DIRECT_GRANTS_ONLY = FALSE WHERE DIRECT_GRANTS_ONLY is null]: liquibase.exception.DatabaseException: ERROR: column "direct_grants_only" does not exist
> Position: 59 [Failed SQL: UPDATE public.CLIENT SET DIRECT_GRANTS_ONLY = FALSE WHERE DIRECT_GRANTS_ONLY is null]
> at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:316)
> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
> at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1247)
> at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1230)
> at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
> at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
> at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
> at liquibase.Liquibase.update(Liquibase.java:210)
> at liquibase.Liquibase.update(Liquibase.java:190)
> at liquibase.Liquibase.update(Liquibase.java:186)
> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:84)
> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:153)
> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42)
> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)
> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34)
> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16)
> at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
> at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:61)
> at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getMigrationModel(DefaultCacheRealmProvider.java:43)
> at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:21)
> at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:139)
> at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:82)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:408)
> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at